Nextcloud running apache certbot renew fails connection refused

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kjfact.communicationsystems.ca

I ran this command: certbot renew (from shell in nextcloud jail)

It produced this output:

Introduction to manual pages: man man
FreeBSD directory layout: man hier

Edit /etc/motd to change this login announcement.
root@nc-new:~ # certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing
/usr/local/etc/letsencrypt/renewal/kjfact.communicationsystems.ca.conf


Cert is due for renewal, auto-renewing...
Unable to read ssl_module file; not disabling session tickets.
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kjfact.communicationsystems.ca
Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).

Unable to restart apache using ['apachectl', 'graceful']
Cleaning up challenges
Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).

Unable to restart apache using ['apachectl', 'graceful']
Encountered exception during recovery:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/certbot_apache/_internal/configurator.py", line 2419, in _reload
util.run_script(self.option("restart_cmd"))
File "/usr/local/lib/python3.7/site-packages/certbot/util.py", line 115, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 70, in handle_authorizations
resps = self.auth.perform(achalls)
File "/usr/local/lib/python3.7/site-packages/certbot_apache/_internal/configurator.py", line 2516, in perform
self.restart()
File "/usr/local/lib/python3.7/site-packages/certbot_apache/_internal/configurator.py", line 2410, in restart
self._reload()
File "/usr/local/lib/python3.7/site-packages/certbot_apache/_internal/configurator.py", line 2437, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/certbot_apache/_internal/configurator.py", line 2419, in _reload
util.run_script(self.option("restart_cmd"))
File "/usr/local/lib/python3.7/site-packages/certbot/util.py", line 115, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/certbot/_internal/error_handler.py", line 125, in _call_registered
self.funcs-1
File "/usr/local/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 243, in _cleanup_challenges
self.auth.cleanup(achalls)
File "/usr/local/lib/python3.7/site-packages/certbot_apache/_internal/configurator.py", line 2540, in cleanup
self.restart()
File "/usr/local/lib/python3.7/site-packages/certbot_apache/_internal/configurator.py", line 2410, in restart
self._reload()
File "/usr/local/lib/python3.7/site-packages/certbot_apache/_internal/configurator.py", line 2437, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).

Attempting to renew cert (kjfact.communicationsystems.ca) from /usr/local/etc/letsencrypt/renewal/kjfact.communicationsystems.ca.conf produced an unexpected error: Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).

. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/kjfact.communicationsystems.ca/fullchain.pem (failure)

My web server is (include version): apache 2.4.56

The operating system my web server runs on is (include version): freebsd 13.2-Release-p9

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.8.0

I'm new to this. The person that normally handles these things is not available to help so it's left up to me.

The certificate was supposed to auto-renew but it did not, and my efforts at doing a manual renewal have failed dismally.

The certificate is for a Nextcloud instance that is running in a jail on a TrueNAS server. I have access to the shell of the jail and the server itself.

Any help would be greatly appreciated.

Thank you.

I have no BSD experience. But: is Apache running? In the same jail? Did certbot renew ever work?

Would it make sense to use --webroot instead of --apache and then use --deploy-hook?

2 Likes

Apache appears to be running.

Certbot renew brought out some errors but most importantly, it said the apache would not restart gracefully. I'm assuming that this means the process of renewal is done with apache not running.

I'd have to try with --webroot and --deploy-hook so I could do that and then have more information.

At the moment, I'm thinking that the easiest way for me to do this might just be to spin up a new jail/container and start from fresh. As long as I can import the data, I'll be okay with that route.

I'll update accordingly.

Even if so, it can't be reached on the default HTTP or HTTPS ports (80 and 443).

The Let's Debug test site tests HTTP and SSL Labs tests HTTPS. Both fail to reach your system.
Let's Debug site
SSL Labs test result for your domain

And this indicates a failing Apache. What does this do?

apachectl graceful

That needs to work from the same environment you run Certbot in (when using the --apache plugin like you are).

I don't know anything specific to Nextcloud or TrueNAS. The above needs to work; I just don't know how you do that on that platform.

You last got a cert on Nov 11. It should have renewed early Jan (after 60 days). So, something has changed on your system since Nov 11.

2 Likes
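As an added illustration (not part of the thread and not from the Certbot or Nextcloud projects), here is a small POSIX sh pre-flight script that checks the three things the replies above point at before `certbot renew` is run with the apache plugin: that the PID named in /var/run/httpd.pid (the file the error message itself refers to) belongs to a live process, that something inside the jail is listening on TCP 80 so the http-01 challenge can be served, and that `apachectl graceful` succeeds from the same environment. The PID file path, the use of FreeBSD's `sockstat` to list listeners, and the function names are assumptions of this example.

```sh
#!/bin/sh
# certbot-preflight.sh (added example, hypothetical name): sanity checks before
# `certbot renew` with the apache plugin on FreeBSD. Assumes the apache24 port's
# default PID file and that apachectl/certbot/sockstat are in PATH.

PIDFILE="${PIDFILE:-/var/run/httpd.pid}"   # assumed FreeBSD apache24 default

# pid_is_live PIDFILE: 0 if the file names a running process, 1 otherwise.
# A stale PID file is exactly what makes apachectl report "apache24 not running?".
pid_is_live() {
    pidfile="$1"
    [ -r "$pidfile" ] || { echo "no readable pid file at $pidfile" >&2; return 1; }
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] || { echo "pid file $pidfile is empty" >&2; return 1; }
    if kill -0 "$pid" 2>/dev/null; then
        return 0
    fi
    echo "pid $pid from $pidfile is not running (stale pid file?)" >&2
    return 1
}

# ports_from_sockstat: read `sockstat -4 -6 -l` output on stdin and print the
# TCP ports being listened on, one per line, sorted numerically.
# Column 5 is PROTO (tcp4/tcp6/udp4/...), column 6 is LOCAL ADDRESS (*:80, 10.0.0.5:443).
ports_from_sockstat() {
    awk '$5 ~ /^tcp/ { n = split($6, a, ":"); print a[n] }' | sort -un
}

# preflight: run the checks in order and stop at the first failure; only then
# try a dry-run renewal so nothing is changed on the live system.
preflight() {
    pid_is_live "$PIDFILE" || return 1
    if ! sockstat -4 -6 -l | ports_from_sockstat | grep -qx 80; then
        echo "nothing listening on TCP 80 in this jail; http-01 cannot be served" >&2
        return 1
    fi
    apachectl configtest || return 1   # syntax errors also make graceful fail
    apachectl graceful   || return 1   # this is the command certbot --apache runs
    certbot renew --dry-run
}

# Only run the checks when explicitly asked, so the file can also be sourced.
case "${1:-}" in
    --run) preflight ;;
esac
```

Run it inside the Nextcloud jail as `sh certbot-preflight.sh --run`. A listener on port 80 inside the jail only proves the local half of the picture; whether the jail's port 80 is actually reachable from the Internet (what Let's Debug tests) still depends on the host's NAT or firewall. If `apachectl graceful` cannot be made to work in that environment, the alternative suggested earlier in the thread is to authenticate with `--webroot -w <DocumentRoot>` and reload Apache yourself with `--deploy-hook "apachectl graceful"`, which keeps Certbot from having to manage the server process at all.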

Turns out that there was an update of PHP in the Nextcloud Jail which conflicted with the Nextcloud update and so we basically ended up with a loop.

Moved Nextcloud to an LXC on a different machine and moved forward from there.

Sometimes it's not worth digging too deep when you can recreate the wheel - we were able to import the data.

Thanks for all your help.

2 Likes