Moving certs to new server, certbot error

I have some domain certs that are signed by letsencrypt. My server was very old and I had to run not just certbot-auto but an old version of it. Lately that has been failing as unsupported. But luckily and surprisingly my certificates seem to be renewed and will last till April.

I've just moved the server over for these domains, and copied the old /etc/letsencrypt to the new server. Going to the sites in their new location gives me a nice padlock and "Verified by: Let's Encrypt" as on the old server.

Now I have a recent OS I can run certbot. I installed it from the Debian repository and am aware of your warnings about version compatibility. I'll go to snaps if I must, but prefer to use the latest Debian package while it seems to work.

But, it isn't working!

Running "certbot renew --dry-run" gives
Attempting to renew cert (www.notjustcamden.uk) from /etc/letsencrypt/renewal/www.notjustcamden.uk.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.

I see that /etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/113ab11b4babf5d10bbb556f82c79ae5/meta.json

contains a ref to the old server domain in the creation_host key and I wonder if this is the reason. Clearly this is not an editable file and any change to the server domain must be done elsewhere.

So my question is, what is the format of the certbot command I should cron to check for auto-renewal, and do I need to reconfigure anything to make it work?

Sorry if this has been asked before, I couldn't find a match in the help forum.

I'm using Apache2 under Debian. Cert domain notjustcamden.uk on server domain grepnik.default.grepnik.uk0.bigv.io

Thanks in advance!


Hi @grepnerd

If you have the problem "binding to port 80", it looks like your config file uses --standalone instead of the running webserver.

What's the content of that file?


Thanks Juergen

/etc/letsencrypt/renewal/www.notjustcamden.uk.conf contains

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/www.notjustcamden.uk
cert = /etc/letsencrypt/live/www.notjustcamden.uk/cert.pem
privkey = /etc/letsencrypt/live/www.notjustcamden.uk/privkey.pem
chain = /etc/letsencrypt/live/www.notjustcamden.uk/chain.pem
fullchain = /etc/letsencrypt/live/www.notjustcamden.uk/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
account = 2bdeaac335f15b0515eb136fa21a904c
server = https://acme-v02.api.letsencrypt.org/directory
renew_hook = "echo RENEWED "


There you see the problem.

Change that

https://certbot.eff.org/docs/using.html

or use it correctly.


Thank you Juergen. I'd been using standalone on the old server, needing to stop the webserver while it ran. Presumably my old installation didn't have the apache plugin.

Now changed authenticator = standalone to authenticator = apache and all works!

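The failure in this thread (a copied renewal file still set to `authenticator = standalone` while Apache holds port 80) can be checked for across every lineage after a migration. The script below is an added example, not code from the thread or from certbot; the function names, the `PORT80_BUSY` override and the sample files are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. PORT80_BUSY and all function names are hypothetical.

# Print KEY's value from the [renewalparams] section; skip comments and other sections.
renewal_param() {  # usage: renewal_param FILE KEY
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        /^\[/      { in_params = ($0 ~ /^\[renewalparams\]/); next }
        in_params && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Succeed if something listens on TCP port 80. PORT80_BUSY=yes|no overrides the probe.
port80_in_use() {
    case "${PORT80_BUSY:-}" in yes) return 0 ;; no) return 1 ;; esac
    command -v ss >/dev/null 2>&1 || return 1
    [ -n "$(ss -H -ltn 'sport = :80' 2>/dev/null)" ]
}

# Print "lineage<TAB>authenticator<TAB>verdict" for each renewal file in DIR.
audit_renewal_dir() {  # usage: audit_renewal_dir [DIR]
    local dir="${1:-/etc/letsencrypt/renewal}" conf auth verdict
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue
        auth="$(renewal_param "$conf" authenticator)"
        verdict="ok"
        if [ "$auth" = "standalone" ] && port80_in_use; then
            verdict="CONFLICT: standalone cannot bind port 80"
        fi
        printf '%s\t%s\t%s\n' "$(basename "$conf" .conf)" "${auth:-unset}" "$verdict"
    done
}

# Constructed sample files modelled on the config quoted in the thread.
demo() {
    local d; d="$(mktemp -d)"
    printf '%s\n' 'version = 0.31.0' '[renewalparams]' \
        'authenticator = standalone' > "$d/old.example.conf"
    printf '%s\n' '[renewalparams]' '# authenticator = standalone' \
        'authenticator = apache' > "$d/new.example.conf"
    PORT80_BUSY=yes audit_renewal_dir "$d"
    rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On the server itself, sourcing the script and calling `audit_renewal_dir` with no argument reads /etc/letsencrypt/renewal and probes port 80 with `ss`.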
