Installing an auto renewal mechanism failed

Installing an auto renewal mechanism failed.
I was testing to see if auto renewal comes with my Cert and if not, install an auto renew mechanism. Below is the output from the initial test and following that the output from the auto renew method I used.

My domain is:
thecarusomethod.com
My web server is (include version):
Wordpress 5.8.1
The operating system my web server runs on is (include version):
Server running PHP version: 7.4.24. MySQL version: 10.5.12-MariaDB
My hosting provider, if applicable, is:
AWS
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

============
I ran this command:
sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/thecarusomethod.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for thecarusomethod.com
Performing the following challenges:
http-01 challenge for thecarusomethod.com
Cleaning up challenges
Failed to renew certificate thecarusomethod.com with error: Problem binding to port 80: Could not bind to IPv4 or IPv6.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/thecarusomethod.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

=========

[root@ip-172-31-24-254 ~]$SLEEPTIME=$(awk 'BEGIN{srand(); print int(rand()*(3600+1))}'); echo "0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

[root@ip-172-31-24-254 ~]$sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/thecarusomethod.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for thecarusomethod.com
Performing the following challenges:
http-01 challenge for thecarusomethod.com
Cleaning up challenges
Failed to renew certificate thecarusomethod.com with error: Problem binding to port 80: Could not bind to IPv4 or IPv6.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/thecarusomethod.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

1 Like

@mike44pt I've moved your post in its own thread. Most of the time you want to have your own thread for your own problem.

Anyway, your problem isn't with installing an auto renew mechanism such as cronjob or a systemd timer (which was the first thing that came to my mind when I read the first part of your post), but more with renewal in the first place. You should fix the renewal process first before you should concentrate on the installation of an auto renewal mechanism.

I see you're using the standalone authenticator plugin, which requires TCP port 80 to be free so it can be used by certbot. However, TCP port 80 is not free. It's probably in use by your (unknown) webserver.

Is there a specific reason why you used the standalone authenticator plugin to begin with?

2 Likes

It sounds like you originally set up certbot in standalone mode, but have since installed a webserver and now your renewals are failing.
[because certbot can no longer use standalone mode]

If so, then you would need to change the authentication method to include the newly installed webserver.
Either:

  • by including the webserver as the authentication method directly and having certbot try to work with it:
    a) -a --apache
    b) -a --nginx
    [if you use any other webserver, then don't try these two options]

  • by having certbot ignore the webserver and place the challenge request file in the expected location.
    Use --webroot -w /path/to/your/domain/root to tell certbot where the webserver serves content for this site.

webroot is probably the simpler and better choice.
In any case, do continue using --dry-run until all testing has been concluded :slight_smile:

3 Likes
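
Added example, not written by any poster in this thread: a small shell check that reads the `authenticator` recorded in a certbot renewal config and reports whether it conflicts with a web server already listening on port 80, which is the failure shown in the dry-run output above. The function names, the sample config contents and the `example.com` path are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: explain a "Problem binding to port 80" renewal failure from
# the renewal config. Function names and the sample file are constructed.

# Print the authenticator recorded under [renewalparams] in a renewal config.
renewal_authenticator() {
    awk -F' *= *' '
        /^\[/ { in_params = ($0 == "[renewalparams]") }
        in_params && $1 == "authenticator" { print $2; exit }
    ' "$1"
}

# Print "busy" if something already listens on TCP port 80, else "free".
# If ss is not installed, this reports "free".
port80_state() {
    if [ -n "$(ss -Hltn 'sport = :80' 2>/dev/null)" ]; then echo busy; else echo free; fi
}

# Verdict for one config. $1 = config path, $2 = busy|free (default: probe).
diagnose_renewal() {
    local auth state
    auth=$(renewal_authenticator "$1")
    state=${2:-$(port80_state)}
    case "$auth:$state" in
        standalone:busy) echo "conflict: standalone needs port 80, which is in use" ;;
        standalone:free) echo "ok: standalone can bind port 80" ;;
        webroot:busy)    echo "ok: webroot uses the running web server" ;;
        webroot:free)    echo "warn: webroot needs a web server on port 80" ;;
        nginx:*|apache:*) echo "ok: $auth plugin uses the web server" ;;
        *) echo "unknown: authenticator '$auth'" ;;
    esac
}

# Constructed sample resembling a renewal config that selects standalone.
sample_conf() {
    local f; f=$(mktemp)
    printf '%s\n' '# renew_before_expiry = 30 days' \
        'cert = /etc/letsencrypt/live/example.com/cert.pem' \
        '[renewalparams]' 'authenticator = standalone' \
        'server = https://acme-v02.api.letsencrypt.org/directory' > "$f"
    echo "$f"
}

conf=$(sample_conf)
diagnose_renewal "$conf" busy   # port state passed in so the demo is repeatable
rm -f "$conf"
```

On a real host, call `diagnose_renewal /etc/letsencrypt/renewal/<domain>.conf` as root without the second argument so the port is probed with `ss`.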

An engineer at AWS helped me with this process and chose the authenticator plugin. He was very gracious to help and admitted he was not familiar but tried his best. I was able to renew the Cert 2 days ago using this procedure he prepared:

  1. become a root:
    sudo -i

  2. stop webserver:
    systemctl stop nginx

  3. Renew the certification:
    certbot renew

  4. After successful renewal, restart server:
    systemctl start nginx

Is there a better way to set up Certbot?
Thanks

1 Like

Thanks rg305
As I just explained to Osiris I have been able to renew but have to stop nginx first, as it was installed first but "we" did not know how to work around that.

I asked Osiris if there is a workaround and you provided that. Thank you.
It looks like "by having certbot ignore the webserver and place the challenge request file in the expected location.
Use --webroot -w /path/to/your/domain/root to tell certbot where the webserver serves content for this site.

webroot is probably the simpler and better choice."

Mike

2 Likes
