I can't renew the certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: test.megatest.com.br

I ran this command: certbot -q renew

It produced this output:

Attempting to renew cert (test.megatest.com.br) from /etc/letsencrypt/renewal/test.megatest.com.br.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/test.megatest.com.br/fullchain.pem (failure)

My web server is (include version): apache2

The operating system my web server runs on is (include version): Debian 4.9.168-1+deb9u5

My hosting provider, if applicable, is: registro.br

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Can you post the rest of Certbot’s output, and the contents of /etc/letsencrypt/renewal/test.megatest.com.br.conf?

1 Like

# renew_before_expiry = 30 days

version = 0.28.0
archive_dir = /etc/letsencrypt/archive/test.megatest.com.br
cert = /etc/letsencrypt/live/test.megatest.com.br/cert.pem
privkey = /etc/letsencrypt/live/test.megatest.com.br/privkey.pem
chain = /etc/letsencrypt/live/test.megatest.com.br/chain.pem
fullchain = /etc/letsencrypt/live/test.megatest.com.br/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 9c1a3354efad618826cf6f987fa336cb
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = standalone
installer = apache

1 Like

This would require you to shut down the apache server first.

As shown by error message:

1 Like

Try:
sudo systemctl stop apache2
./certbot renew
sudo systemctl start apache2

2 Likes

Thanks bro, it works!

2 Likes

Now you need to automate it.

1 Like

How do I do that?

First check for any existing renewal jobs:
Show output of these commands:

crontab -l
sudo crontab -u root -l
sudo systemctl list-timers

1 Like

results:

root@teste:~# crontab -l
no crontab for root
root@teste:~# crontab -u root -l
no crontab for root
root@teste:~# systemctl list-timers
NEXT LEFT LAST PASSED
Wed 2019-11-27 17:39:00 -02 6min left Wed 2019-11-27 17:09:03 -02 23min ag
Wed 2019-11-27 18:00:39 -02 28min left Wed 2019-11-27 17:01:06 -02 31min ag
Wed 2019-11-27 23:11:44 -02 5h 39min left Wed 2019-11-27 00:03:03 -02 17h ago
Thu 2019-11-28 02:43:03 -02 9h left Wed 2019-11-27 08:32:27 -02 8h ago
Thu 2019-11-28 06:51:11 -02 13h left Wed 2019-11-27 06:31:00 -02 11h ago
Thu 2019-11-28 10:12:50 -02 16h left Wed 2019-11-27 10:12:50 -02 7h ago

6 timers listed.
Pass --all to see loaded but inactive timers, too.

1 Like

There should be more output to the right.
Otherwise try:
systemctl list-timers | grep cert

1 Like

The output should be like this:

sudo systemctl list-timers
NEXT                         LEFT          LAST                         PASSED       UNIT                         ACTIVATES
Wed 2019-11-27 19:30:16 UTC  39s left      Wed 2019-11-27 14:47:37 UTC  4h 41min ago apt-daily.timer              apt-daily.service
Wed 2019-11-27 22:04:12 UTC  2h 34min left Wed 2019-11-27 03:14:37 UTC  16h ago      motd-news.timer              motd-news.service
Thu 2019-11-28 02:27:46 UTC  6h left       Wed 2019-11-27 18:30:37 UTC  58min ago    certbot.timer                certbot.service
Thu 2019-11-28 06:33:45 UTC  11h left      Wed 2019-11-27 06:18:09 UTC  13h ago      apt-daily-upgrade.timer      apt-daily-upgrade.service
Thu 2019-11-28 16:28:25 UTC  20h left      Wed 2019-11-27 16:28:25 UTC  3h 1min ago  systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Mon 2019-12-02 00:00:00 UTC  4 days left   Mon 2019-11-25 00:00:09 UTC  2 days ago   fstrim.timer                 fstrim.service
1 Like

root@teste:~# systemctl list-timers | grep cert
Wed 2019-11-27 23:11:44 -02 5h 1min left Wed 2019-11-27 00:03:03 -02 18h ago certbot.timer certbot.service

1 Like

OK so there is already a certbot job to renew.

Please show files:
/lib/systemd/system/certbot.timer
/lib/systemd/system/certbot.service

1 Like

/lib/systemd/system/certbot.timer

[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target

/lib/systemd/system/certbot.service

[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

Ok, you do have a job that tries to renew.

But now we have to make this:

do these 3 steps:

For that we can use hooks.
First we try to create a working single statement and then we update the timer job.

So, let's try it (in testing system) this way:
with this command string:

/usr/bin/certbot -q renew --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2" --dry-run
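
An added example, not part of the original thread and not Certbot's own code: a shell check that reads a renewal config like the one posted above and reports whether a `standalone` authenticator has stop/start hooks saved, which is the condition behind the "Problem binding to port 80" failure when the timer runs unattended. The function names are hypothetical, the sample config is constructed, and `pre_hook`/`post_hook` are assumed to be the keys Certbot stores under `[renewalparams]` for `--pre-hook`/`--post-hook`.

```shell
#!/bin/sh
# Added example: flag certbot renewal configs that will hit the
# "Problem binding to port 80" error when run unattended.

# Print the value of KEY ($2) from the [renewalparams] section of FILE ($1).
renewal_param() {
    awk -v key="$2" '
        /^\[/     { in_params = ($0 == "[renewalparams]"); next }
        /^[#;]/   { next }
        in_params {
            k = $0; sub(/ *=.*/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*= */, "", v); print v; exit }
        }' "$1"
}

# Classify one renewal config:
#   ok          authenticator is not standalone, nothing to stop
#   hooked      standalone, with pre_hook and post_hook saved
#   needs-hooks standalone without both hooks (returns 1)
check_renewal_conf() {
    [ "$(renewal_param "$1" authenticator)" = "standalone" ] || { echo ok; return 0; }
    if [ -n "$(renewal_param "$1" pre_hook)" ] && [ -n "$(renewal_param "$1" post_hook)" ]; then
        echo hooked; return 0
    fi
    echo needs-hooks; return 1
}

# Constructed sample modelled on the renewal config posted above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Options used in the renewal process
[renewalparams]
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = standalone
installer = apache
EOF
echo "without hooks: $(check_renewal_conf "$sample")"
# Assumption: these are the keys certbot writes for --pre-hook/--post-hook.
printf 'pre_hook = systemctl stop apache2\npost_hook = systemctl start apache2\n' >> "$sample"
echo "with hooks:    $(check_renewal_conf "$sample")"
rm -f "$sample"
```

On a real host the same function can be pointed at each file in /etc/letsencrypt/renewal/ before relying on certbot.timer.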
