Nginx, Docker won't autorenew

My domain is: listm.humanmicrobes.org

I'm using this tutorial Setting up listmonk, an open-source newsletter & mailing list manager - Yasoob Khalid

I have to run sudo bash ./init-letsencrypt.sh again every time to get it to renew. So I figured it must be some issue in the docker-compose.yml file.

I also tried SLEEPTIME=$(awk 'BEGIN{srand(); print int(rand()*(3600+1))}'); echo "0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null per User Guide — Certbot 2.6.0 documentation. But that didn't work either.

I tried typing in the renew command manually /bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;' and got an access error:

The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmpamhpwmlr/log or re-run Certbot with -v for more details.
/bin/sh: 1: wait: Illegal number: 2586308{!}

I redid it with sudo: sudo /bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;' and got this error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/bin/sh: 1: wait: Illegal number: 2586486{!}
Saving debug log to /var/log/letsencrypt/letsencrypt.log

I think the way you have threads permanently lock after 30 days is a really bad idea. It means we can't comment in relevant threads found via search, forcing us to make duplicate threads for similar issues. I.e. I think commenting in [Tutorial] How to Automate Let's Encrypt using Docker and Nginx would be more appropriate than making this new thread.

Were you able to check the docker logs of the certbot container?

The $$ is docker-compose escaping syntax which evaluates to $. If you want to run the command by hand, then reduce it to a single $.

Necro'ing threads from 5 years ago is something we want to avoid on this forum. Creating a new thread avoids confusing mixed conversations and avoids notifying the original posters, who are probably long gone and no longer interested.


For /var/log/letsencrypt/letsencrypt.log it just says:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-05-12 19:23:27,226:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2023-05-12 19:23:27,226:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-05-12 19:23:27,227:DEBUG:certbot._internal.renewal:no renewal failures
2023-05-12 19:23:27,702:DEBUG:certbot._internal.main:certbot version: 1.21.0
2023-05-12 19:23:27,703:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-05-12 19:23:27,703:DEBUG:certbot._internal.main:Arguments: []
2023-05-12 19:23:27,703:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-05-12 19:23:27,711:DEBUG:certbot._internal.log:Root logging level set at 30
2023-05-12 19:23:27,712:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-05-12 19:23:27,713:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2023-05-12 19:23:27,713:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-05-12 19:23:27,713:DEBUG:certbot._internal.renewal:no renewal failures
2023-05-12 19:23:28,175:DEBUG:certbot._internal.main:certbot version: 1.21.0
2023-05-12 19:23:28,175:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-05-12 19:23:28,175:DEBUG:certbot._internal.main:Arguments: []
2023-05-12 19:23:28,175:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-05-12 19:23:28,183:DEBUG:certbot._internal.log:Root logging level set at 30
2023-05-12 19:23:28,184:DEBUG:certbot._internal.display.obj:Notifying user: 

I edited the command as you suggested: sudo /bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait ${!}; done;' and now it just says:

sudo /bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait ${!}; done;'
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The log says:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-05-13 00:47:38,029:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2023-05-13 00:47:38,029:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-05-13 00:47:38,029:DEBUG:certbot._internal.renewal:no renewal failures

If you don't have any older logs, then there's not much to go on. You're not currently in need of a certificate renewal, so Certbot does nothing.

You can try certbot renew --dry-run instead of certbot renew to see what would happen on a real renewal run.


I've been receiving emails about my cert running out. This happened before and I let it run out to see if it was just a bug but it's not. The SSL did run out and I had to run sudo bash ./init-letsencrypt.sh again.

There are older logs but they're similar. https://clbin.com/ia2hB

I ran sudo /bin/sh -c 'trap exit TERM; while :; do certbot renew --dry-run; sleep 12h & wait ${!}; done;' and I get:

sudo /bin/sh -c 'trap exit TERM; while :; do certbot renew --dry-run; sleep 12h & wait ${!}; done;'
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No simulated renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

This means that Certbot can't find any certificates to renew, which probably means that the contents of your Docker volume (./data/certbot/conf/renewal/*.conf) were deleted at some point.

Based on the timestamps in the log you linked and the fact that Certbot never even attempted any renewals, I can't think of any other explanation.


There is a file in there /data/certbot/conf/renewal/listm.humanmicrobes.org.conf. Size 684, last modified 2023/02/18, permissions -rw-r--r-- owner/group root root.

Contents:

# renew_before_expiry = 30 days
version = 2.0.0
archive_dir = /etc/letsencrypt/archive/listm.humanmicrobes.org
cert = /etc/letsencrypt/live/listm.humanmicrobes.org/cert.pem
privkey = /etc/letsencrypt/live/listm.humanmicrobes.org/privkey.pem
chain = /etc/letsencrypt/live/listm.humanmicrobes.org/chain.pem
fullchain = /etc/letsencrypt/live/listm.humanmicrobes.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 8--------censored--------------0
rsa_key_size = 4096
authenticator = webroot
webroot_path = /var/www/certbot,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
listm.humanmicrobes.org = /var/www/certbot

Are you running the command inside the certbot container? If the volume is mounted correctly and that file exists, then certbot renew --dry-run should try to renew the certificate.


Are you running the command inside the certbot container?

I'm not sure what that means. cd to the certbot folder then run the command? I just tried that with the same result.

ubuntu@listm:~$ cd data
ubuntu@listm:~/data$ ls
certbot  nginx
ubuntu@listm:~/data$ cd certbot
ubuntu@listm:~/data/certbot$ sudo /bin/sh -c 'trap exit TERM; while :; do certbot renew --dry-run; sleep 12h & wait ${!}; done;'
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No simulated renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Are you running a containerized system [like: Docker]?


Yes. Per the title, and the link I shared that has the guide I've used to set up everything: Setting up listmonk, an open-source newsletter & mailing list manager - Yasoob Khalid

Then I am confused by your misunderstanding of:

Are you the admin of the Docker system?


Yes I'm the admin but I'm a novice. I used various guides to get set up. For example, I deduce that the command I'm running is incorrect, and the proper one probably starts with docker-compose, but I wouldn't know what the proper command is.

Then you need to acquaint yourself with Docker, and how to run commands within its containers.
The container that handles the certificates is within where you need to do your troubleshooting.
Anywhere else might as well be done from ... my system [which has zero access to yours].

FYI [in my book] these terms contradict each other:

You are either an admin or you are not.
Fear not though; We were all novices [once (or thrice)].

I have the keys to the airplane!
Doesn't make anyone "the pilot" by default.


Ah. I looked up some basic docker commands like you suggested 25 Basic Docker Commands for Beginners - Codeopolis

and ran sudo docker container ls and it didn't list certbot. So I ran sudo docker start certbot and it shows it running now. So that was probably it.

Yep, I ran sudo docker logs certbot -t and it shows it was renewed!

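The root cause above was a renewal container that had silently stopped, so the renew loop never ran and the certificate expired. Here is an added host-side health check (not code from the thread or from the tutorial) that catches the three failure modes discussed: the `certbot` container not running, a missing `renewal/<domain>.conf`, and a certificate close to expiry. It assumes the container is named `certbot` and that the volume is mounted at `./data/certbot/conf`; the domain and container name are parameters, and the check is meant to be run from host cron.

```shell
#!/bin/sh
# Added health check for a docker-compose certbot setup. Assumed layout:
# ./data/certbot/conf/renewal/<domain>.conf and ./data/certbot/conf/live/<domain>/fullchain.pem

# Is the renewal container actually running? 'docker ps' lists only running containers;
# the name filter is a substring match, so grep -x enforces an exact name.
certbot_container_running() {
    name=$1
    docker ps --filter "name=$name" --format '{{.Names}}' 2>/dev/null | grep -qx "$name"
}

# Without this file 'certbot renew' prints "No renewals were attempted" even though
# the certificate in live/ is about to expire.
renewal_conf_exists() {
    conf_dir=$1
    domain=$2
    [ -f "$conf_dir/renewal/$domain.conf" ]
}

# 'openssl x509 -checkend N' exits non-zero when the cert expires within N seconds,
# so the negation returns success (0) exactly when the cert is inside the warning window.
cert_expires_within_days() {
    cert=$1
    days=$2
    ! openssl x509 -noout -checkend $((days * 86400)) -in "$cert" 2>/dev/null
}

# Runs all three checks, prints one line per finding and returns 0 only if all pass.
# Usage: check_certbot_renewal certbot ./data/certbot/conf listm.example.test 30
check_certbot_renewal() {
    container=$1
    conf_dir=$2
    domain=$3
    days=${4:-30}
    status=0
    if ! certbot_container_running "$container"; then
        echo "FAIL: container '$container' is not running; its renew loop cannot fire"
        status=1
    fi
    if ! renewal_conf_exists "$conf_dir" "$domain"; then
        echo "FAIL: $conf_dir/renewal/$domain.conf is missing; 'certbot renew' will attempt nothing"
        status=1
    fi
    if cert_expires_within_days "$conf_dir/live/$domain/fullchain.pem" "$days"; then
        echo "WARN: certificate for $domain expires within $days days"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: renewal pipeline for $domain looks healthy"
    fi
    return "$status"
}
```

A non-zero exit from `check_certbot_renewal` is a good trigger for a cron mail or alert, since the expiry notices from Let's Encrypt arrive only when renewal has already been failing for a while.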

That's a start! :+1:
I mean two starts!!
:+1: "I looked up some basic docker commands like you suggested"
:+1: "...and it shows it running now."

