How to use certbot-auto to auto-renew on a server where port 80 is already used?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: springwood.me

I ran this command: certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/springwood.me.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for springwood.me
Failed to renew certificate springwood.me with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/springwood.me/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): OpenLiteSpeed 1.7.16

The operating system my web server runs on is (include version): CentOS 7.9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.31.0

The following is my description

Port 80 of my server is already in use.

If I manually turn off the existing server on port 80, then it runs OK.

However I hope it can automatically run without manually turning on/off the existing server. Currently certbot has installed a timer on my system.

# systemctl list-timers      
NEXT                         LEFT          LAST                         PASSED  UNIT                         ACTIVATES
Mon 2022-10-31 14:34:03 JST  5h 10min left Sun 2022-10-30 14:34:03 JST  18h ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Mon 2022-10-31 14:41:00 JST  5h 17min left Mon 2022-10-31 00:56:13 JST  8h ago  snap.certbot.renew.timer     snap.certbot.renew.service

2 timers listed.

What should I do to modify the timer script?

If you already have something listening on port 80, usually that "something" would be a web server--and in that case, you'd want to have that web server handle the challenge files. Your best bet would be to reissue the cert in webroot mode, rather than in standalone mode.

4 Likes

Yes, it's a web server using port 80.

Do you mean that I need to re-run certbot certonly --webroot and then the auto-renew script would automatically use the new webroot mode? Currently the issued SSL is valid and will expire three months from now.

Yes, that's what I'm suggesting.

3 Likes

What is running on port 80? [LiteSpeed?]
Is that on this same system? [very likely]

Possible problem found:

Name:      springwood.me
Addresses: 2403:3a00:202:1110:49:212:146:143
           49.212.146.143

HTTP via IPv4 and IPv6 do NOT respond identically:

curl -Ii4 http://springwood.me/
HTTP/1.1 301 Moved Permanently
date: Fri, 04 Nov 2022 04:06:44 GMT
server: LiteSpeed
location: https://springwood.me/
connection: Keep-Alive

curl -Ii6 http://springwood.me/
curl: (56) Recv failure: Connection reset by peer

3 Likes

My website mainly uses https (port 443).

But it needs a redirection from http to https (80 -> 443), therefore port 80 is also needed.

As for IPv6, currently I'm using a network without IPv6, so I cannot test it now. I'll test it sometime later.

I ran certbot certonly --webroot and it succeeded.

# certbot certonly --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): springwood.me
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/springwood.me.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for springwood.me

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/springwood.me/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/springwood.me/privkey.pem
This certificate expires on 2023-02-02.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Then I tried certbot renew --dry-run, but it failed with a different error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/springwood.me.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for springwood.me
Failed to renew certificate springwood.me with error: Missing command line flag or config entry for this setting:
Input the webroot for springwood.me:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/springwood.me/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Finally I've solved the issue.

When running certbot certonly --webroot on an existing domain, the webroot directory must be added, such as
certbot certonly --webroot -w /var/www/html/

2 Likes
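
A pre-flight check for the two renewal failures in this thread, as an added example that is not part of any post: it reads a renewal config and reports whether `certbot renew` will use standalone (which must bind port 80) or webroot, and whether a webroot path was recorded for the domain. The key names `authenticator`, `webroot_path` and `[[webroot_map]]` are assumed to match the layout Certbot writes; the function names, the sample configs and the domain `example.test` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): predict how `certbot renew` will
# authenticate, from the renewal config alone. Key names are assumed to follow
# the layout Certbot writes under /etc/letsencrypt/renewal/.

# Value of KEY inside [renewalparams]; nested [[...]] sections are skipped.
renewal_param() {  # usage: renewal_param FILE KEY
    awk -v key="$2" '
        /^\[renewalparams\]/ { on = 1; next }
        /^\[\[/              { on = 0 }
        on && $1 == key && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }
    ' "$1"
}

# Webroot recorded for DOMAIN in the [[webroot_map]] section, if any.
webroot_for() {  # usage: webroot_for FILE DOMAIN
    awk -v d="$2" '
        /^\[\[webroot_map\]\]/ { on = 1; next }
        /^\[/                  { on = 0 }
        on && $1 == d && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }
    ' "$1"
}

# One-line verdict matching the two failures seen in the thread.
renewal_verdict() {  # usage: renewal_verdict FILE DOMAIN
    auth=$(renewal_param "$1" authenticator)
    root=$(webroot_for "$1" "$2")
    case "$auth" in
        standalone) echo "standalone: renewal must bind port 80 itself" ;;
        webroot)
            if [ -z "$root" ]; then echo "webroot: no path recorded, renew will prompt and fail"
            elif [ ! -d "$root" ]; then echo "webroot: $root is not a directory"
            else echo "webroot: ok ($root)"; fi ;;
        *) echo "other: ${auth:-unset}" ;;
    esac
}

# Constructed sample configs (example.test is a placeholder domain).
demo_dir=$(mktemp -d)
printf '%s\n' '[renewalparams]' 'authenticator = standalone' \
    > "$demo_dir/standalone.conf"
printf '%s\n' '[renewalparams]' 'authenticator = webroot' \
    > "$demo_dir/nopath.conf"
printf '%s\n' '[renewalparams]' 'authenticator = webroot' \
    "webroot_path = $demo_dir," '[[webroot_map]]' "example.test = $demo_dir" \
    > "$demo_dir/webroot.conf"
for f in standalone nopath webroot; do
    renewal_verdict "$demo_dir/$f.conf" example.test
done
```

On the system in this thread, the file to check would be /etc/letsencrypt/renewal/springwood.me.conf, followed by certbot renew --dry-run to confirm.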
