Renew failures on an instance that is running wordpress using apache2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sudo certbot renew
It produced this output:


Processing /etc/letsencrypt/renewal/api.datalingosolutions.com.conf


Renewing an existing certificate for api.datalingosolutions.com
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Failed to renew certificate api.datalingosolutions.com with error: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs


My web server is (include version):
Apache/2.4.52 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 22.04.1
My hosting provider, if applicable, is:
AWS
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.10.0

here is the situation:
3 months ago, when I created the certificate, I used the apache2 server. Since then, I started using my instance to host my website using WordPress. I have launched WordPress in a Docker container and it is using apache2, which listens on port 80. Probably that is the reason I am getting the error:
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80

How do I go about with this situation?

  1. Shut off WordPress briefly, renew the certificate, then restart WordPress? That means I lose auto-renew.
  2. Have another Apache2 instance listening on a different port and use that for renewal?
    Or is there any other way?

Hello @jay.mojnidar, welcome back. :slightly_smiling_face:

I don't have any solutions, but to jump-start others (I know these will be asked):

Show the output of each

  • sudo apachectl -t -D DUMP_VHOSTS
  • sudo netstat -pant | grep -E ':443|:80' | grep -i listen
    Use sudo ss -pant ... if you don't have netstat
2 Likes

See below.

$sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  dev.bigdots.xyz (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server ip-10-0-0-127.ap-south-1.compute.internal (/etc/apache2/sites-enabled/000-default-le-ssl.conf:40)
         port 80 namevhost ip-10-0-0-127.ap-south-1.compute.internal (/etc/apache2/sites-enabled/000-default-le-ssl.conf:40)
         port 80 namevhost ip-10-0-0-127.ap-south-1.compute.internal (/etc/apache2/sites-enabled/000-default.conf:1)
$ sudo ss  -pant | grep -E ':443|:80' | grep -i listen
LISTEN 0      4096         0.0.0.0:8080       0.0.0.0:*     users:(("docker-proxy",pid=2333,fd=4))                 
LISTEN 0      4096         0.0.0.0:80         0.0.0.0:*     users:(("docker-proxy",pid=3322,fd=4))                 
LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*     users:(("docker-proxy",pid=3302,fd=4))                 
LISTEN 0      4096            [::]:8080          [::]:*     users:(("docker-proxy",pid=2339,fd=4))                 
LISTEN 0      4096            [::]:80            [::]:*     users:(("docker-proxy",pid=3327,fd=4))                 
LISTEN 0      4096            [::]:443           [::]:*     users:(("docker-proxy",pid=3307,fd=4))

Note: dev.bigdots.xyz is another domain of mine. Some other instance is using that. This AWS instance was earlier cloned from there. I would like to remove that from this instance, too.

2 Likes

Where are you going to run the ACME client?

  • Inside a Docker container?
    OR
  • Outside all Docker containers?
3 Likes

I am not sure if I understand your question correctly. Here is my setup:
I have 5 Docker containers running on this host machine. One of them is WordPress.
My host ports 80 and 443 are mapped to the Docker container running WordPress. I want to run certbot on my host so that it can generate and store the certificates in one place. Then I mount that directory into my WordPress container and the other external-facing Docker containers so that they can all be available over HTTPS.

1 Like

Well that is problematic.
Docker is using port 80 for the wordpress site.
Now the host system needs to run the ACME client on port 80.
Your design won't work.

1 Like

Understood. I need to bring down WordPress, renew the certificate, and restart WordPress. It can be automated too :sweat_smile:. This will result in a brief outage of our website powered by WordPress. But I wanted to know if there is any other option, like making the apache2 used by certbot listen on a port other than 80, so that the brief interruption of the website does not happen.

You could use a reverse proxy to handle both types of requests:

  • the ACME challenge requests:
    handle them locally

  • the requests to the wordpress site(s):
    proxy to the Docker container OR redirect them to HTTPS

2 Likes

In order for the reverse proxy to work, I need to have Apache2 running on the host. Is that correct? Currently, Apache2 is running inside the WordPress Docker container.

There is also the DNS-01 challenge which does not require the use of HTTP or port 80.

2 Likes

Thanks for bringing that up. DNS-01 needs changes to TXT records, and automating that needs more engineering. Will check this option at the appropriate time!
Regards

3 Likes

I had to take action as my certs were about to expire. I have a script now. It brings down WordPress, renews the certs and brings WordPress back up. The whole script causes about 4 seconds of downtime for our website.
Thanks for guiding me here! Great community!!

1 Like

If you can separate HTTP from HTTPS, you won't need to bring down the HTTPS sites [only HTTP].

3 Likes
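The reverse-proxy layout suggested above (answer ACME challenges locally, send everything else to the container, and keep HTTPS up while only HTTP is involved in renewal) as a host-side Apache vhost. This is an added example, not configuration from the thread or from Certbot; it assumes the WordPress container's mapping is changed from 80:80 to 127.0.0.1:8081:80 (8081 is a placeholder, since 8080 is already taken by another container here), that mod_proxy, mod_proxy_http, mod_rewrite, mod_headers and mod_ssl are enabled with a2enmod, and that /var/www/acme is the webroot certbot will write challenges to.

```apache
# Host-side Apache vhost (added example, not from the thread). Assumptions:
#  - WordPress container published as 127.0.0.1:8081:80 (8081 = placeholder)
#  - a2enmod proxy proxy_http rewrite headers ssl has been run
#  - /var/www/acme exists and is the webroot certbot uses (-w /var/www/acme)

<VirtualHost *:80>
    ServerName api.datalingosolutions.com

    # ACME HTTP-01 challenges are served from the host itself, so renewal
    # never needs to bind port 80 or stop the WordPress container.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory /var/www/acme/.well-known/acme-challenge/>
        Require all granted
    </Directory>

    # Everything that is not a challenge is redirected to HTTPS, so no
    # plaintext WordPress traffic (logins, cookies) ever crosses port 80.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName api.datalingosolutions.com

    # TLS terminates on the host; the certificate lives in one place and
    # no container needs /etc/letsencrypt mounted into it.
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/api.datalingosolutions.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/api.datalingosolutions.com/privkey.pem

    # The container only ever sees plain HTTP from localhost; tell WordPress
    # the original request was HTTPS so it generates https:// links.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>
```

Run certbot once with `--webroot -w /var/www/acme` for the domain so the renewal config under /etc/letsencrypt/renewal records the webroot authenticator instead of the apache one; after that, `certbot renew` only writes a file and reloads the host Apache, and WordPress stays up throughout.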
