Renewal reminder Emails

Recently I received a couple of reminder emails for a bunch of domains
for which I thought I had established the automatic certbot renewal mechanism.

Now the email said my certificates were expiring on Feb 11th, 22.

The version of my client is

certbot 0.31.0

Ubuntu 18.04.6

Did you replace your certificates?

If not, renewals might be failing. Run certbot certificates and see when they expire.

2 Likes

They all expire 2022-02-11 it says.

The date stamp in /etc/letsencrypt/archives/domain.org/*.pem is Nov 13 (2021)

ok, run certbot renew --dry-run and paste the output here.

use ```` on the line before pasting and the line after pasting.

2 Likes

Before I now post the lengthy output of that command, I can state that it says in the first place that I have an apache problem, and I must admit I was trying to marry haproxy with tomcat recently and somehow got stuck in the configuration process.
I thought one could do the certbot renewal without apache/port 80.

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.kukulies.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for imap.kukulies.org
http-01 challenge for mail.kukulies.org
http-01 challenge for smtp.kukulies.org
http-01 challenge for www.kukulies.org
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00112: Warning: DocumentRoot [/var/lib/tomcat7/webapps/ROOT] does not exist
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Cleaning up challenges
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
```

You can without apache, not without port 80, but certbot must be told to do so. If you have no webserver running on port 80, you can try with certbot renew --dry-run --standalone and certbot will spin up a webserver just for the challenges.

If it works, you can remove --dry-run but make sure to leave port 80 open and not to run servers there, or to switch certbot back to using apache when you do (or to use --standalone on another port and reverse proxy requests for .well-known/acme-challenges back to certbot from whatever is serving port 80)

2 Likes

"leave port 80 open and not to run servers there" ?
You mean, leave it open through the firewall but not running a server.

It looks like the dry-run now worked:
l.txt (3.1 KB)

Ah, no, it didn't, or?

Not completely. There is something on your port 80. If it's haproxy, you should configure it to reverse proxy to certbot. Kinda like

certbot renew --dry-run --standalone --http-01-port 23782

and then tell haproxy to send any request for /.well-known/acme-challenges to port 23782 (arbitrary, but it's CERTB on a phone keyboard)

3 Likes
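The reverse-proxy arrangement suggested above, written out as an added haproxy example (not from the thread or the certbot project): haproxy keeps port 80, hands only the ACME validation path to certbot's standalone listener on port 23782, and sends everything else to the existing application backend. The frontend/backend names and the tomcat address are assumptions.

```haproxy
# Added example: haproxy owns port 80 and forwards ACME HTTP-01 requests to
# certbot running as `certbot renew --standalone --http-01-port 23782`.
# Names and the tomcat address below are assumptions, not from the thread.
frontend http_in
    bind *:80
    # The CA only ever requests paths under this prefix during validation.
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend certbot_standalone if is_acme
    default_backend app_servers

backend certbot_standalone
    # certbot listens here only while a renewal is running; at other times
    # haproxy answers these paths with 503, which is harmless.
    server certbot 127.0.0.1:23782

backend app_servers
    # Existing application (assumed tomcat on 8080); unchanged by the ACME route.
    server tomcat 127.0.0.1:8080
```

If certbot should not listen on all interfaces, add `--http-01-address 127.0.0.1` to the renew command so only haproxy can reach it.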

Ah, I noticed, I had port 80 closed in the firewall rules.
l1.txt (2.8 KB)

Looks better now. Should I try a real renew?

It looks the same. One fail, two successes.

2 Likes

Ah. apache2 -k graceful was still running from previous attempts.
apache2ctl stop got them stopped. Now I have nothing running on port 80.
netstat -an | grep :80' ' is empty.

Now running certbot renew --dry-run --standalone
still results in that error.
l1.txt (2.8 KB)

Looks like someone is starting apache2. Wouldn't certbot be using snapd?

Systemctl maybe?

If you want to use apache2 you can use apache2 (--apache instead of --standalone). Or you can make the same reverse proxy trick using apache.

2 Likes

I now ran it again:

l3.txt (2.8 KB)

Fingers crossed.

It looks like it works, using apache.

Just make sure not to break it and if you switch port 80 listener make sure certbot can be reached (with either --standalone or --webroot)

2 Likes

I bet that has something to do with it.

2 Likes
