Nginx starts during cert renewal process, causing errors


#1

When I’m trying to execute ‘certbot renew --dry-run’ for ALL domains the following happens:

  1. nginx stops via pre_hook
  2. the certificate renews successfully
  3. somehow nginx starts
  4. the next domain says ‘Pre-hook command already run, skipping: service nginx stop’
  5. the error occurs: ‘an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6… Skipping.’

The file ‘/var/run/nginx.pid’ exists when nginx is running.

I tried:

  1. removing pre- and post- hooks.
  2. stopping nginx manually

So I believe something goes wrong: nginx either should not start during the renewal of the first certificate,
or it should stop after that renewal, or the second pre-hook should stop it again.

Here are my config files (currently there are 2 of them):

# renew_before_expiry = 30 days
version = 0.21.1
archive_dir = /etc/letsencrypt/archive/***.***
cert = /etc/letsencrypt/live/***.***/cert.pem
privkey = /etc/letsencrypt/live/***.***/privkey.pem
chain = /etc/letsencrypt/live/***.***/chain.pem
fullchain = /etc/letsencrypt/live/***.***/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = nginx
pre_hook = service nginx stop
post_hook = service nginx start
account = ***

Here is complete console output:

#certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/DOMAIN1.COM.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer nginx
Running pre-hook command: service nginx stop
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for DOMAIN1.COM
Waiting for verification...
Cleaning up challenges
nginx: [error] open() "/var/run/nginx.pid" failed (2: No such file or directory)

-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/DOMAIN1.COM/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/DOMAIN2.COM.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer nginx
Pre-hook command already run, skipping: service nginx stop
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for DOMAIN2.COM
Cleaning up challenges
Attempting to renew cert (DOMAIN2.COM) from /etc/letsencrypt/renewal/DOMAIN2.COM.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6.. Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/DOMAIN2.COM/fullchain.pem (failure)

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/DOMAIN1.COM/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/DOMAIN2.COM/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
Running post-hook command: service nginx start
Hook command "service nginx start" returned error code 1
1 renew failure(s), 0 parse failure(s)

#2

Can you check this comment to see if it explains things: https://github.com/certbot/certbot/issues/5486#issuecomment-363970559 ?

Standalone is kind of a dodgy thing to do in production in my opinion. If you really want to use it, I would instead tell Certbot to run standalone on a different port via the --http-01-port flag, and tell nginx to proxy_pass requests destined for /.well-known/acme-challenge. to Certbot’s standalone port.

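The arrangement suggested in the reply above, written out as an added example (not from the thread, not Certbot’s or nginx’s own documentation): nginx keeps ports 80 and 443 the whole time, and only the ACME challenge path is relayed to Certbot’s standalone listener. It assumes Certbot is run with the HTTP-01 challenge on port 8888 (an arbitrary choice) and that DOMAIN1.COM / DOMAIN2.COM stand in for the real names.

```nginx
# Added example: nginx stays up during 'certbot renew', so it can never be
# started behind Certbot's back by the nginx installer's reload, and Certbot
# never has to bind port 443 itself.
#
# Assumed invocation (port number is an arbitrary choice):
#   certbot renew --dry-run --preferred-challenges http --http-01-port 8888
#
# The ACME server connects to port 80 of the domain; nginx forwards just the
# challenge path to the standalone listener on the loopback interface. Port 8888
# does not need to be reachable from outside the host.

server {
    listen 80;
    listen [::]:80;
    server_name DOMAIN1.COM DOMAIN2.COM;

    # Relay only /.well-known/acme-challenge/<token> to Certbot. proxy_pass
    # without a trailing URI keeps the original request path intact.
    location /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header Host $host;
    }

    # Everything else keeps its normal handling, e.g. the usual HTTPS redirect.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With nginx no longer required to release port 443, the `pre_hook = service nginx stop` and `post_hook = service nginx start` lines in `[renewalparams]` become unnecessary, which also removes the "Pre-hook command already run, skipping" situation from the log above.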
