Problem in renewing expired certificate


#1

My domain is: https://piacademy.co.uk/

My certificate is already expired even though
I ran these commands:

  1. sudo certbot renew
  2. sudo certbot renew --dry-run

It produced this output:
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for piacademy.co.uk
Cleaning up challenges
Attempting to renew cert (piacademy.co.uk) from /etc/letsencrypt/renewal/piacademy.co.uk.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/piacademy.co.uk/fullchain.pem (failure)

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: Digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes, can log in.

Please help, should I create a new certificate or should I run any other commands?
Thank you.


#2

Hi @dineshsunny

You use the standalone authenticator. So certbot tries to create a new webserver. But you have a running webserver. So you must stop this webserver. Or - better - use the apache plugin.

sudo certbot renew --apache

#3

Thank you so much @JuergenAuer
I got this message
Congratulations, all renewals succeeded. The following certs have been renewed:

I was sure that I would get a reply immediately, and you are the best and this is the best community.

I actually set up the auto renewal, but I'm not sure why it did not work. Can you please help me with setting up a cronjob, or point me to the right article for Apache?

Thanks again.


#4

There should already be a cronjob for cert renewals (we can check that - see below).
But it failed because the initial setup was using a “standalone” server:

So it tried to do that same process on this renewal…
But you are now running a web server.
That setting should now have been updated for it to use --apache in any future renewals.
grep installer /etc/letsencrypt/renewal/*.conf

Please show:
sudo crontab -l


#5

As @rg305 wrote: This was a problem with the standalone option (ok with the first certificate, may be a problem with renew). So check your files under

/etc/letsencrypt/renewal

if apache is used as the authenticator, not standalone. Your certificate is valid until 2019-01-29, so check at the beginning of 2019 whether it has been renewed.
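The check that #4 and #5 describe, reading the renewal configs under /etc/letsencrypt/renewal and flagging any lineage still set to the standalone authenticator, as an added example that is not part of the thread. The config layout (a [renewalparams] section holding "authenticator = ..." and "installer = ...") is certbot's own; the two sample configs written by make_demo_confs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: scan certbot's renewal configs for
# lineages whose authenticator is "standalone", the setting that made the
# renewal above fail once Apache already owned port 80. The conf layout
# (a [renewalparams] section with "authenticator = ..." and "installer = ...")
# is certbot's; the sample files written by make_demo_confs are constructed.

# Print "<file>: authenticator=<a> installer=<i>" and return 1 for standalone.
check_renewal_conf() {
    conf="$1"
    auth=$(sed -n 's/^authenticator = //p' "$conf")
    inst=$(sed -n 's/^installer = //p' "$conf")
    printf '%s: authenticator=%s installer=%s\n' \
        "$conf" "${auth:-unset}" "${inst:-None}"
    [ "$auth" != "standalone" ]
}

# Check every *.conf in a renewal directory; return 1 if any uses standalone.
scan_renewal_dir() {
    dir="$1"
    rc=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue            # empty directory: glob stays literal
        check_renewal_conf "$f" || rc=1
    done
    return "$rc"
}

# Write two constructed renewal configs into "$1" for demonstration only.
make_demo_confs() {
    cat > "$1/piacademy.co.uk.conf" <<'EOF'
cert = /etc/letsencrypt/live/piacademy.co.uk/cert.pem
[renewalparams]
authenticator = standalone
installer = apache
EOF
    cat > "$1/example.org.conf" <<'EOF'
cert = /etc/letsencrypt/live/example.org/cert.pem
[renewalparams]
authenticator = apache
installer = apache
EOF
}
```

On a real host, run scan_renewal_dir /etc/letsencrypt/renewal as root; a non-zero exit means at least one lineage will try to bind port 80 at renewal time. Renewing that lineage once with the apache plugin rewrites its conf, which is what #4 expects to have happened after the --apache run in #2.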


#6

I ran these commands, and the output is shown below. Now the installer itself has been set to apache.

installer = apache

0 1 1 */2 * cd /usr/local/letsencrypt && ./letsencrypt-auto certonly --apache --renew-by-default --apache -d piacademy.co.uk >> /var/log/piacademy.co.uk-renew.log 2>&1

Please suggest any changes I need to make.
Thank you.


#7

Let me address that piece by piece:
0 1 1 */2 *
Is that once a week? Once every two weeks?
I would just run it once a day:
0 1 * * *

cd /usr/local/letsencrypt && ./letsencrypt-auto
I think that can be called directly (but that's merely cosmetic preference):
/usr/local/letsencrypt/letsencrypt-auto

certonly
This will only get/renew a cert.
It will not update any sym links and such - which may cause problems.
I would remove that.

--apache --renew-by-default --apache
Can be just:
--renew --apache

-d piacademy.co.uk >> /var/log/piacademy.co.uk-renew.log 2>&1
This will only renew the one domain.
Unless you never plan on adding more domains…
That should not specify any specific domain to renew (which will attempt to renew all certs).
And you can send that output to /var/log/all.domains.renew.log (or any name you choose).

I would also include a post deploy hook to restart apache in the event any cert is actually renewed.
--deploy-hook 'service apache restart'

So, all in all, something more like this:
0 1 * * * cd /usr/local/letsencrypt && ./letsencrypt-auto --renew --apache --deploy-hook 'service apache restart' >> /var/log/piacademy.co.uk-renew.log 2>&1

Of course you need to test that and ensure it works :slight_smile:
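A fail-safe version of the deploy hook that #7 recommends, as an added example that is not part of the thread. Certbot runs a deploy hook once per lineage it actually renewed and exports RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS (space-separated names); those two variables are certbot's. LOG_FILE and RELOAD_CMD are this script's own knobs, not certbot options, and the default reload command assumes a Debian-style systemd host; substitute the thread's service apache restart or whatever your distribution uses. The script refuses to reload when the renewed files are missing or unreadable, so a partial renewal cannot take the site down unattended.

```shell
#!/bin/sh
# Added example, not from the thread: a fail-safe script for certbot's
# --deploy-hook. certbot runs the hook once per lineage it actually renewed
# and exports RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS
# (space-separated names). LOG_FILE and RELOAD_CMD are this script's own
# knobs, not certbot options; the default reload command assumes a
# Debian-style systemd host, so adjust it to your distribution.

LOG_FILE="${LOG_FILE:-/var/log/certbot-deploy.log}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload apache2}"

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE"
}

# Reload the web server only when the renewed lineage is complete. Returns 0 on
# success, 2 if not invoked by certbot, 1 on missing files or a failed reload,
# so the failure shows up in certbot's own renewal output and log.
deploy_hook() {
    if [ -z "${RENEWED_LINEAGE:-}" ]; then
        log "deploy_hook called without RENEWED_LINEAGE; nothing done"
        return 2
    fi
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$RENEWED_LINEAGE/$f" ]; then
            log "ERROR: $RENEWED_LINEAGE/$f missing or unreadable; not reloading"
            return 1
        fi
    done
    log "renewed ${RENEWED_DOMAINS:-?} in $RENEWED_LINEAGE; running: $RELOAD_CMD"
    if sh -c "$RELOAD_CMD"; then
        log "reloaded web server OK"
        return 0
    fi
    log "ERROR: reload command failed"
    return 1
}

# certbot always sets RENEWED_LINEAGE for a deploy hook, so the script acts only
# when invoked that way and is inert when sourced or run by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Install it as, for instance, /usr/local/bin/certbot-deploy.sh (a path chosen for this example), mark it executable, and pass it to certbot with --deploy-hook /usr/local/bin/certbot-deploy.sh; because the hook only fires for lineages that were actually renewed, a daily cron run of the renewal does not reload Apache on the days nothing changes.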