To renew certificate must stop any service using port 443?

Hi,

I have a Let’s Encrypt certificate to secure my web service. My web service runs on port 443, but it seems like the renewal process also needs to use port 443.

To me this looks like you have to stop the web app using your certificate to renew the certificate.

Is this right?

Can you provide more details on how you got the certificate? Try filling out this form, which should have shown when you tried to make a new post:

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Sure, I got the certificate by running the commands here. Additionally, see below for the other questions (although I am not sure why you need to know all this to answer whether or not certbot renew needs solo access to port 443, which would mean taking down an app using that port).

My domain is: api.nightwalker.clothing

I ran this command: sudo certbot renew

It produced this output: Something about an application (my webserver) using port 443 which was needed to renew the certificate itself

My web server is (include version): Node.js 7.0

The operating system my web server runs on is (include version): Ubuntu 16

My hosting provider, if applicable, is: Amazon AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The page you linked doesn’t have any commands, but I’ll take a guess. I see you’re using certbot, so I’ll guess that you used the “standalone” method to get the certificates initially. When you use this method, certbot configures itself to run on port 80 or 443 to handle authentication. If you want to keep using that method, you will need to stop the web server temporarily while certbot runs.

There are other methods you can use with certbot like webroot, apache, or nginx that will work with the web server running, but they do require certain types of configuration to authenticate properly. If you want to try switching to one of those methods, we can try to assist with that.

Ah yes, I did use the “standalone” method as it seemed to be the simplest.

Can you point me to some way to renew where I will not have to stop my webserver each time?

Try using:
--webroot -w /path/to/api.nightwalker.clothing/files
or something along those lines…

A lot depends on how you are configured. The webroot method is often the easiest, as you just have to make sure that a specific path can be accessed on the website for verification. The other options are apache or nginx modules, which require that you are running one of those servers and have your host definitions in individual files.

You can read about the various verification plugins here. Go ahead and pick what you think would work best for your configuration and let’s do some tests to see if it’ll work out for you.

Thanks. Unfortunately my webserver is just an API, it doesn’t serve static files. It looks like that precludes me from using the webroot method (if I understand the documentation enough). Is this correct?

Yes, unless you can also configure something on your system to serve static files at specific paths (using the same port 80).
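What the last reply describes, as an added example that is not from the thread: a small Node.js listener on port 80 that serves only the challenge files certbot's webroot plugin writes under `.well-known/acme-challenge/`, so the API on port 443 keeps running during renewal. The function names, the `ACME_WEBROOT` and `PORT` environment variables and the sample path in the comment are assumptions made for illustration.

```javascript
// Added example: minimal HTTP-01 responder for use with certbot's webroot plugin.
const http = require('http');
const fs = require('fs');
const path = require('path');

const PREFIX = '/.well-known/acme-challenge/';
// ACME tokens use only the base64url alphabet (RFC 8555); reject anything else.
const TOKEN_RE = /^[A-Za-z0-9_-]+$/;

// Map a request URL to the challenge file certbot wrote, or return null when
// the request is not a well-formed challenge path (this blocks ../ traversal
// and percent-encoded variants, since '.', '/' and '%' are not token characters).
function resolveChallengePath(webroot, requestUrl) {
  const pathname = requestUrl.split('?')[0];
  if (!pathname.startsWith(PREFIX)) return null;
  const token = pathname.slice(PREFIX.length);
  if (!TOKEN_RE.test(token)) return null;
  return path.join(webroot, '.well-known', 'acme-challenge', token);
}

// HTTP server that answers challenge requests and returns 404 for everything else.
function createChallengeServer(webroot) {
  return http.createServer((req, res) => {
    const file = req.method === 'GET' ? resolveChallengePath(webroot, req.url) : null;
    if (!file) { res.writeHead(404); return res.end(); }
    fs.readFile(file, (err, body) => {
      if (err) { res.writeHead(404); return res.end(); }
      res.writeHead(200, { 'Content-Type': 'text/plain' });
      res.end(body);
    });
  });
}

// Starts only when ACME_WEBROOT is set (hypothetical variable), e.g.
//   ACME_WEBROOT=/var/www/acme node acme-responder.js
if (process.env.ACME_WEBROOT) {
  createChallengeServer(process.env.ACME_WEBROOT)
    .listen(Number(process.env.PORT) || 80);
}
```

Pass the same directory to certbot with `--webroot -w` so the files it writes are the ones this listener serves.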
