The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot

sudo certbot renew --standalone

Output:


Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/apihub.trusthub.in.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for apihub.trusthub.in
Failed to renew certificate apihub.trusthub.in with error: Could not bind TCP port 9100 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/apihub.trusthub.in/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

And now nginx won't start:

sudo service nginx status
× nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: en>
     Active: failed (Result: exit-code) since Sun 2024-03-24 18:14:22 IST; 8s ago
       Docs: man:nginx(8)
    Process: 7555 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process >
    Process: 7556 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code>
        CPU: 44ms

Not sure why it even tries to bind port 9100:
sudo certbot renew --standalone --http-01-port=80


sudo certbot renew --standalone --http-01-port=80

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/apihub.trusthub.in.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for apihub.trusthub.in
Failed to renew certificate apihub.trusthub.in with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/apihub.trusthub.in/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Do you want to see the nginx conf file once again?

Did you stop nginx?


Yes, actually it's not working.

Let's see which is using port 80:
netstat -tulpn | grep :80
Currently some web server is running on it, but we don't know what it is.

I have to sleep now.


It was cut off; what was to the right of that?
Anyway, what to do later:
Free port 80
Get a cert by standalone
Bring back nginx


Can you show it using sudo? It should show the app using the port then.

sudo netstat -tulpn | grep :80
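An added example, not code from the thread, of the check being asked for here and of what to do with its result. It parses `ss -ltnp` output (the modern equivalent of `netstat -tulpn`; both need sudo to show process names) to find what holds port 80 and then picks the renewal command that keeps the http-01 challenge on port 80. The `ss` lines, process names, PIDs and ports are constructed sample data modelled on this thread's setup (nginx on 80, an API on 9100, a web app on 3000); `--nginx`, `--standalone`, `--http-01-port`, `--pre-hook`, `--post-hook` and `--webroot` are real Certbot options.

```shell
#!/bin/sh
# Added example, not from the thread. Identifies which process holds a TCP
# port from `ss -ltnp` output and picks a renewal approach from the answer.
# All sample data below is constructed.

# Constructed sample of `sudo ss -ltnp` output.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=7556,fd=6),("nginx",pid=7555,fd=6))
LISTEN  0       511     [::]:80             [::]:*             users:(("nginx",pid=7556,fd=7))
LISTEN  0       128     0.0.0.0:9100        0.0.0.0:*          users:(("node",pid=1200,fd=19))
LISTEN  0       128     127.0.0.1:3000      0.0.0.0:*          users:(("node",pid=1180,fd=20))'

# listener_on_port PORT   (reads ss -ltnp output on stdin)
# Prints each distinct process name bound to PORT, one per line.
listener_on_port() {
  awk -v p="$1" '
    NR > 1 {
      # Column 4 is Local Address:Port; the port follows the last colon,
      # which also covers IPv6 forms such as [::]:80.
      n = split($4, a, ":")
      if (a[n] != p) next
      # Extract every "name" from users:(("name",pid=...),("name",...))
      s = $0
      while (match(s, /[(]"[^"]+"/)) {
        name = substr(s, RSTART + 2, RLENGTH - 3)
        if (!(name in seen)) { seen[name] = 1; print name }
        s = substr(s, RSTART + RLENGTH)
      }
    }'
}

# renew_plan OWNER
# OWNER is the process holding port 80 ("" if nothing does). Whatever the
# plan, the challenge must be answered on port 80: that is the only port
# the ACME http-01 challenge uses, so a different --http-01-port only
# makes sense behind a port forward that still arrives on 80 externally.
renew_plan() {
  case "$1" in
    nginx) echo "certbot renew --nginx --http-01-port 80" ;;        # let the nginx plugin answer on 80
    "")    echo "certbot renew --standalone --http-01-port 80" ;;   # port is free: certbot binds it itself
    *)     echo "port 80 is held by '$1': stop it for the renewal (--pre-hook/--post-hook) or use --webroot through it" >&2
           return 1 ;;
  esac
}

owner=$(printf '%s\n' "$SAMPLE_SS" | listener_on_port 80 | head -n 1)
echo "port 80 listener: ${owner:-none}"
renew_plan "$owner"
```

Replace the constructed `SAMPLE_SS` with `sudo ss -ltnp` on the real host; the point of the `nginx` branch is the one made later in this thread, that a running nginx on port 80 is not something to free but something to let answer the challenge.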

How to free port 80?

We shouldn't need to free port 80 to use standalone. We should be able to use your running nginx that is already using port 80.

Although, I think the Certbot plugin may have caused nginx to get in a bad state. nginx must always be running before using Certbot --nginx; otherwise Certbot starts nginx, but in a way that is not compatible with systemd. That is probably why your nginx shows it cannot bind to port 80.

The easiest fix for that is just to restart your server.

Also, what version of Certbot are you on? Please show

sudo certbot --version

And please show this file

/etc/letsencrypt/renewal/apihub.trusthub.in.conf

Output:

certbot 2.9.0

/etc/letsencrypt/renewal/apihub.trusthub.in.conf

Output:

# renew_before_expiry = 30 days
version = 2.8.0
archive_dir = /etc/letsencrypt/archive/apihub.trusthub.in
cert = /etc/letsencrypt/live/apihub.trusthub.in/cert.pem
privkey = /etc/letsencrypt/live/apihub.trusthub.in/privkey.pem
chain = /etc/letsencrypt/live/apihub.trusthub.in/chain.pem
fullchain = /etc/letsencrypt/live/apihub.trusthub.in/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ccb62e4232e14c6a97bb31aa24fbc7a0
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
http01_port = 9100

That line is why your renewal is failing. Certbot is setting up the nginx server block that is listening on port 9100 for the ACME Challenge response.

But, it looks like you now have a server block on the default port 80 ready for that. I don't even see the port 9100 handled in that nginx config. I see you proxy to that but this nginx isn't handling that port.

I guess the question is which system should be handling the certbot renew? The nginx conf you are showing us or a different system.

What kind of server is handling port 9100?

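An added example, not code from the thread, that turns the diagnosis above into a check: it reads a renewal conf, reports the authenticator, installer and `http01_port` under `[renewalparams]`, and fails when the challenge port is not 80. The sample conf is a constructed copy of the one posted above, written to a temporary directory so the script runs offline; the only assumption beyond the page is Certbot's documented default of port 80 when `http01_port` is absent. `--cert-name` and `--dry-run` are real Certbot options.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a Certbot renewal conf for an
# http01_port other than 80 under [renewalparams] and rewrites it.
# Assumption: Certbot defaults http01_port to 80 when the key is absent.

WORK=$(mktemp -d)
SAMPLE_CONF="$WORK/apihub.trusthub.in.conf"
# Constructed copy of the conf posted in this thread.
cat > "$SAMPLE_CONF" <<'EOF'
# renew_before_expiry = 30 days
version = 2.8.0
archive_dir = /etc/letsencrypt/archive/apihub.trusthub.in
cert = /etc/letsencrypt/live/apihub.trusthub.in/cert.pem
privkey = /etc/letsencrypt/live/apihub.trusthub.in/privkey.pem
chain = /etc/letsencrypt/live/apihub.trusthub.in/chain.pem
fullchain = /etc/letsencrypt/live/apihub.trusthub.in/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ccb62e4232e14c6a97bb31aa24fbc7a0
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
http01_port = 9100
EOF

# audit_renewal_conf FILE
# Prints "<cert name> authenticator=.. installer=.. http01_port=.." and
# returns 1 when the challenge port is not 80, i.e. when Certbot would make
# nginx (or its standalone server) listen where the CA never connects.
audit_renewal_conf() {
  f="$1"
  name=$(basename "$f" .conf)
  set -- $(awk -F' *= *' '
    /^ *#/ { next }
    /^\[/  { sec = $0; next }
    sec == "[renewalparams]" && $1 == "authenticator" { a = $2 }
    sec == "[renewalparams]" && $1 == "installer"     { i = $2 }
    sec == "[renewalparams]" && $1 == "http01_port"   { p = $2 }
    END {
      if (a == "") a = "-"
      if (i == "") i = "-"
      if (p == "") p = "80"   # Certbot default (assumption stated above)
      print a, i, p
    }' "$f")
  echo "$name authenticator=$1 installer=$2 http01_port=$3"
  [ "$3" = "80" ]
}

# set_http01_port FILE PORT
# Rewrites the http01_port line through a temp copy (portable across seds).
set_http01_port() {
  sed "s/^http01_port *=.*/http01_port = $2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

audit_renewal_conf "$SAMPLE_CONF" \
  || echo "  -> set http01_port = 80, then verify: certbot renew --cert-name $(basename "$SAMPLE_CONF" .conf) --dry-run"
set_http01_port "$SAMPLE_CONF" 80
audit_renewal_conf "$SAMPLE_CONF"
```

Run it against the real `/etc/letsencrypt/renewal/*.conf` files in a loop to catch the same problem on other certificates; a `--dry-run` renewal against the staging endpoint confirms the fix without spending a rate-limited issuance.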

Port 9100 is my API (register and login API).

Port 3000 is my domain (where my domain loads).

What do you suggest I do?

Use port 3000 instead of port 9100?

Use port 80, externally anyway. The http-01 challenge uses and requires port 80.


"I have encountered the same problem as you. Have you solved it? If so, could you tell me how you solved it?"

@milesli The same error messages often are caused by different things. Please start a new thread and answer the questions on the form you will be shown. That will give the group better info to help you.


@milesli, although your logic to ask for the solution to your similar problem here makes some sense... [I too would like some definite conclusion to this problem]...
Seeing that 27 days have passed since the previous post makes me think that you might get a quicker response/solution by opening your own topic.
Doing both can only help expedite things.
