Unable to auto renew LetsEncrypt Certificate for 4 years due to Nginx running

It looks like Apache is managing a Wordpress install for your main site. Does that sound right?

And, for some reason nginx is redirecting HTTP requests on port 80 to Apache on port 8080.

I think the best way forward is for Apache to handle HTTP and HTTPS (ports 80 and 443). We would need to reconfigure Certbot so that Apache uses the certs it creates.
Right now it is using some other copy of a Let's Encrypt cert.

I suppose you could leave nginx handling port 80 but we still need to update Apache to use the certs created by Certbot.

Just one last note about the "port 80 binding" problem. When using the --nginx plugin you should (must) have nginx running beforehand. If nginx is not already running Certbot tries to start it but on modern systems it uses a wrong method and creates this port 80 bind error.

So, there is quite a lot to sort out here and more than I care to help with (at least today). This is a server setup and configuration problem and not so much a Let's Encrypt cert issue.

4 Likes

It is standard in HestiaCP. Apache runs bound to the loopback interface and some alternate ports on the main IP (which I hadn't looked at and now that I have, it seems odd). Nginx runs as a proxy in front of it.

HestiaCP used to offer Nginx, Apache, and both, but now only offers Nginx or Nginx and Apache.

4 Likes

But the ss command shows Apache on port 443 and nginx on 80. Is that still indicative of HestiaCP?

4 Likes

Nope, and I didn't notice the interleaved ports in the reply because I habitually scroll past all console output that isn't wrapped in </> Preformatted text. (No offense intended, @BilboBaggins.)

This is where you will find apache2 and nginx listening on a stock HestiaCP instance.

sudo ss -lanpt|grep -i "apache\|nginx"
LISTEN 0      511                         192.168.0.100:443                                  0.0.0.0:*     users:(("nginx",pid=907795,fd=13),("nginx",pid=907794,fd=13),("nginx",pid=1168,fd=13))                              
LISTEN 0      511                         192.168.0.100:80                                   0.0.0.0:*     users:(("nginx",pid=907795,fd=12),("nginx",pid=907794,fd=12),("nginx",pid=1168,fd=12))                              
LISTEN 0      511                         192.168.0.100:8443                                 0.0.0.0:*     users:(("apache2",pid=907668,fd=4),("apache2",pid=907667,fd=4),("apache2",pid=907661,fd=4),("apache2",pid=476,fd=4))
LISTEN 0      511                               0.0.0.0:2083                                 0.0.0.0:*     users:(("hestia-nginx",pid=488,fd=6),("hestia-nginx",pid=486,fd=6))                                                 
LISTEN 0      511                             127.0.0.1:8081                                 0.0.0.0:*     users:(("apache2",pid=907668,fd=3),("apache2",pid=907667,fd=3),("apache2",pid=907661,fd=3),("apache2",pid=476,fd=3))
LISTEN 0      511                             127.0.0.1:8084                                 0.0.0.0:*     users:(("nginx",pid=907795,fd=14),("nginx",pid=907794,fd=14),("nginx",pid=1168,fd=14))                              
LISTEN 0      511                         192.168.0.100:8080                                 0.0.0.0:*     users:(("apache2",pid=907668,fd=5),("apache2",pid=907667,fd=5),("apache2",pid=907661,fd=5),("apache2",pid=476,fd=5))
4 Likes

@rg305 Hi, I wanted to ask if you knew what I needed to do next. Thank you for all your help so far, it's been very supportive.

2 Likes

Those are an indication that two different programs are trying to use the same port [at the same time].

You need to review their configs to understand what has gone wrong.
Only one of them should be assigned to use port 80.

Based on that output, it would seem that nginx is assigned port 80.
But then the error message is that nginx can't use port 80.
So...
Either:

  • something else had port 80 [momentarily blocking nginx from it]
  • nginx was already running and it was blocking itself [when it ran twice]
5 Likes

Which can easily happen if nginx is not running before using certbot --nginx or certbot certonly --nginx.

5 Likes
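Added example, not from the thread: a small POSIX shell helper that parses `ss -lanpt` output to show which programs hold a port, so the "two programs on port 80" situation from the posts above can be confirmed before running certbot --nginx. The ss lines in SAMPLE_SS are constructed for the demonstration and are not the original poster's output.

```shell
#!/bin/sh
# Constructed sample of `ss -lanpt` output: port 80 is claimed by both nginx
# and apache2, which is the conflict behind a "bind to port 80" error.
SAMPLE_SS='LISTEN 0 511 192.168.0.100:443 0.0.0.0:* users:(("nginx",pid=1168,fd=13))
LISTEN 0 511 192.168.0.100:80 0.0.0.0:* users:(("nginx",pid=1168,fd=12))
LISTEN 0 511 127.0.0.1:8081 0.0.0.0:* users:(("apache2",pid=476,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=476,fd=5))'

# port_owners PORT [SS_OUTPUT]: print the distinct program names listening on
# PORT, one per line, sorted. Without a second argument it reads live ss output.
port_owners() {
    port=$1
    text=${2:-$(ss -lanpt 2>/dev/null)}
    printf '%s\n' "$text" \
      | awk -v p="$port" '$1=="LISTEN" { n=split($4,a,":"); if (a[n]==p) print $0 }' \
      | grep -o '("[^"]*"' | tr -d '("' | sort -u
}

# port_conflict PORT [SS_OUTPUT]: true when more than one distinct program
# listens on PORT (the case described in the thread).
port_conflict() {
    [ "$(port_owners "$1" "$2" | wc -l)" -gt 1 ]
}

# nginx_holds_port80 [SS_OUTPUT]: true when nginx, and only nginx, owns port 80,
# which is the precondition the certbot --nginx plugin expects.
nginx_holds_port80() {
    [ "$(port_owners 80 "$1" | tr '\n' ' ')" = "nginx " ]
}

# Demonstration on the constructed sample.
echo "port 80 owners:"; port_owners 80 "$SAMPLE_SS"
if port_conflict 80 "$SAMPLE_SS"; then
    echo "port 80: more than one program listening, fix configs before certbot --nginx"
fi
```

Run it with no second argument on the affected server (`port_owners 80`) to inspect the live listeners.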

@BilboBaggins I see your Apache/Wordpress system is now using the latest cert you got so that is progress.

But, nginx is not running so anyone using HTTP:// for your domain will not get redirected to HTTPS://. Depending on their browser they may get a connection failure. Modern Chrome (and Edge) probably won't care and just use the HTTPS connection but other browsers may not. My Firefox on Ubuntu shows a connection failure with HTTP.

Without nginx running your Certbot renewal using that plugin will likely create problems such as the binding error to port 80.

Are you using nginx for anything other than HTTP (port 80)? I see some other server blocks but do you rely on them? If not, enabling port 80 on Apache and then switching the Certbot renewals to use Apache instead is the way to go. Then you can just permanently disable nginx.

4 Likes
