My certificate is already expired even though
I ran these commands:
sudo certbot renew
sudo certbot renew --dry-run
It produced this output:
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for piacademy.co.uk
Cleaning up challenges
Attempting to renew cert (piacademy.co.uk) from /etc/letsencrypt/renewal/piacademy.co.uk.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/piacademy.co.uk/fullchain.pem (failure)
My web server is (include version): Apache 2
The operating system my web server runs on is (include version): Linux
My hosting provider, if applicable, is: Digitalocean
I can login to a root shell on my machine (yes or no, or I don’t know): Yes, can log in.
Please help, should I create a new certificate or should I run any other commands?
Thank you.
You use the standalone authenticator. So certbot tries to create a new webserver. But you have a running webserver. So you must stop this webserver. Or - better - use the Apache plugin.
Thank you so much @JuergenAuer
I got this message: Congratulations, all renewals succeeded. The following certs have been renewed:
I was sure that I would get the reply immediately, and you are the best and this is the best community.
I actually set up the auto renewal, but I am not sure why it did not work. Can you please help me in setting up a cronjob, or please point me to the right article for Apache?
There should already be a cronjob for cert renewals (we can check that - see below).
But it failed because the initial setup was using a "standalone" server:
So it tried to do that same process on this renewal...
But you are now running a web server.
That setting should now have been updated for it to use --apache in any future renewals.
grep installer /etc/letsencrypt/renewal/*.conf
Let me address that piece by piece:
0 1 1 */2 *
Is that once a week? once every two weeks?
I would just run it once a day:
0 1 * * *
cd /usr/local/letsencrypt && ./letsencrypt-auto
I think that can be called directly (but it's merely a cosmetic preference):
/usr/local/letsencrypt/letsencrypt-auto
certonly
This will only get/renew a cert.
It will not update any sym links and such - which may cause problems.
I would remove that.
--apache --renew-by-default --apache
Can be just: --renew --apache
-d piacademy.co.uk >> /var/log/piacademy.co.uk-renew.log 2>&1
This will only renew the one domain.
Unless you never plan on adding more domains...
That should not specify any specific domain to renew (which will attempt to renew all certs).
And you can send that output to /var/log/all.domains.renew.log (or any name you choose).
I would also include a post deploy hook to restart apache in the event any cert is actually renewed.
--deploy-hook 'service apache restart'
So, all in all, something more like this:
0 1 * * * cd /usr/local/letsencrypt && ./letsencrypt-auto --renew --apache --deploy-hook 'service apache restart' >> /var/log/piacademy.co.uk-renew.log 2>&1
Of course you need to test that and ensure it works.
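
Added example, not part of the original thread: a POSIX shell check for the failure discussed above. It lists certificates whose renewal config still names the standalone authenticator and notes whether port 80 is already taken. It assumes the `authenticator = ...` line sits under `[renewalparams]` in each file; the function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes each renewal config carries
# "authenticator = <name>" under its [renewalparams] section.

# Print "<cert-name> <authenticator>" for every *.conf in directory $1.
list_authenticators() {
    dir=${1:-/etc/letsencrypt/renewal}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        awk -v name="$(basename "$conf" .conf)" '
            /^\[/ { in_params = ($0 ~ /^\[renewalparams\]/); next }
            in_params && /^[ \t]*authenticator[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, "")
                print name, $0; found = 1
            }
            END { if (!found) print name, "unknown" }
        ' "$conf"
    done
}

# Names of certs that still renew with standalone, which must bind port 80
# itself and so fails while Apache is listening there.
find_standalone_renewals() {
    list_authenticators "$1" | awk '$2 == "standalone" { print $1 }'
}

# Succeeds if something already listens on TCP port 80 (needs ss from iproute2).
port80_in_use() {
    ss -ltn 'sport = :80' 2>/dev/null | grep -q LISTEN
}

# Returns 1 when any cert would hit the "Problem binding to port 80" failure.
audit_renewals() {
    stale=$(find_standalone_renewals "$1")
    [ -n "$stale" ] || { echo "OK: no standalone renewals"; return 0; }
    printf 'standalone authenticator still configured for:\n%s\n' "$stale"
    if port80_in_use; then echo "port 80 is in use: renewal will fail to bind"; fi
    return 1
}

# Constructed sample configs so the check can be tried offline.
make_sample_dir() {
    d=$(mktemp -d)
    printf '[renewalparams]\nauthenticator = standalone\ninstaller = apache\n' > "$d/old.example.conf"
    printf '[renewalparams]\nauthenticator = apache\ninstaller = apache\n' > "$d/new.example.conf"
    echo "$d"
}

# Usage: sh audit.sh /etc/letsencrypt/renewal   (no argument: constructed sample)
audit_renewals "${1:-$(make_sample_dir)}" || true
```

Run from the same daily cron schedule, a non-zero return from `audit_renewals` flags the misconfiguration before the certificate reaches its expiry date.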