Unable to do my first certificate renewal using certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: topoi.pooq.com

I ran this command: cron runs certbot for me, automatically.

It produced this output:
Date: Tue, 16 Apr 2024 10:20:46 -0400 (EDT)
From: Cron Daemon root@topoi.pooq.com
To: root@topoi.pooq.com
Subject: Cron root@notlookedfor test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Failed to renew certificate topoi.pooq.com with error: Problem binding to port 80: Could not bind to IPv4 or IPv6.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/topoi.pooq.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My web server is (include version):

The operating system my web server runs on is (include version): Linux Devuan chimaera

My hosting provider, if applicable, is: myself, on the very machine I'm having trouble on.

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

I have no difficulty reaching port 80 of the server from another machine, either inside or outside my LAN.
Let's debug informs me:
All OK!

OK

No issues were found with topoi.pooq.com. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

-- hendrik

Hello @hendrikboom3, welcome to the Let's Encrypt community. :slightly_smiling_face:

More just supplemental information.

This is the web server Server: lighttpd/1.4.59

$ curl -Ii http://topoi.pooq.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 341
Date: Sat, 20 Apr 2024 02:03:52 GMT
Server: lighttpd/1.4.59

FYI - Port 443 is filtered

$ nmap -Pn -p80,443 topoi.pooq.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-20 02:04 UTC
Nmap scan report for topoi.pooq.com (69.165.131.134)
Host is up (0.96s latency).

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds

Please show the renewal config file:
/etc/letsencrypt/renewal/topoi.pooq.com.conf ?


I believe this is the same as it was when I registered my site months ago.

hendrik@notlookedfor:~$ cat /etc/letsencrypt/renewal/topoi.pooq.com.conf
# renew_before_expiry = 30 days
version = 1.12.0
archive_dir = /etc/letsencrypt/archive/topoi.pooq.com
cert = /etc/letsencrypt/live/topoi.pooq.com/cert.pem
privkey = /etc/letsencrypt/live/topoi.pooq.com/privkey.pem
chain = /etc/letsencrypt/live/topoi.pooq.com/chain.pem
fullchain = /etc/letsencrypt/live/topoi.pooq.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fe85acd10dd3633fbeb66be44f8afb5e
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
hendrik@notlookedfor:~

The standalone method requires exclusive use of port 80. When you first got your cert no other service was using that port so it worked.

But, now your lighttpd server is using that port.

You need to stop lighttpd before renewal and start it after. Ideally using Certbot's pre-hook and post-hook options.

Or, change to the webroot method and use the active lighttpd to respond to the challenge.

Either method requires running Certbot using a different set of options to reset the renewal profile.

Let us know if you need help re-running Certbot. And, if so, which method you want to use (stopping/starting lighttpd or using webroot).

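As an added example (not from the thread and not Certbot's own code): a POSIX sh script that reads the authenticator out of a renewal config like the one posted above, tells you whether it is the failing shape (standalone with no hooks), and prints the one-off certbot command that rewrites the renewal profile for either of the two fixes in the reply above. Everything it assumes is an assumption, not something stated in the thread: a sysvinit-style /etc/init.d/lighttpd script (Devuan has no systemd, which is also why the cron job above tests for /run/systemd/system), a lighttpd document root of /var/www/html for the webroot variant, and the key names certbot 1.x writes under [renewalparams] (authenticator, pre_hook, post_hook). The config it parses in the demo is a constructed copy of the posted one with a placeholder account id.

```shell
#!/bin/sh
# Added example, not code from the thread or from Certbot itself.
# Reads the authenticator from a certbot renewal config and prints the one-off
# command that rewrites the renewal profile so cron's plain `certbot -q renew`
# no longer collides with lighttpd on port 80.
#
# Assumptions (not stated in the thread): sysvinit-style /etc/init.d/lighttpd
# (Devuan has no systemd), lighttpd document root /var/www/html for the webroot
# variant, and certbot 1.x renewal-config key names (authenticator, pre_hook,
# post_hook) under [renewalparams].

WEBROOT="${WEBROOT:-/var/www/html}"                     # assumed document root
LIGHTTPD_INIT="${LIGHTTPD_INIT:-/etc/init.d/lighttpd}"  # assumed init script

# Print the value of one key from the [renewalparams] section of a renewal config.
# $1 = config file, $2 = key name
renewal_param() {
    sed -n "/^\[renewalparams\]/,\$s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Classify the renewal profile. "standalone-no-hooks" is the shape that fails
# once a web server owns port 80 (the "Problem binding to port 80" error).
renewal_state() {
    auth=$(renewal_param "$1" authenticator)
    case "$auth" in
        standalone)
            if [ -n "$(renewal_param "$1" pre_hook)" ] && [ -n "$(renewal_param "$1" post_hook)" ]; then
                echo standalone-with-hooks
            else
                echo standalone-no-hooks
            fi
            ;;
        "") echo unknown ;;
        *)  echo "$auth" ;;
    esac
}

# Print the certbot command that fixes the profile.
# $1 = config file, $2 = domain, $3 = fix: "hooks" (keep standalone, stop and
# start lighttpd around the run) or "webroot" (let lighttpd serve the challenge).
# --force-renewal is there because certbot 1.x only rewrites the renewal config
# when a certificate is actually issued; the new options must trigger issuance.
fix_command() {
    conf=$1; domain=$2; fix=$3
    case "$(renewal_state "$conf")" in
        standalone-no-hooks)
            case "$fix" in
                hooks)
                    printf '%s\n' "certbot certonly --cert-name $domain -d $domain --standalone --pre-hook '$LIGHTTPD_INIT stop' --post-hook '$LIGHTTPD_INIT start' --force-renewal"
                    ;;
                webroot)
                    printf '%s\n' "certbot certonly --cert-name $domain -d $domain --webroot -w $WEBROOT --force-renewal"
                    ;;
                *)
                    echo "unknown fix: $fix" >&2
                    return 2
                    ;;
            esac
            ;;
        standalone-with-hooks|webroot)
            # Profile already renews without a port-80 clash; verify it against staging.
            printf '%s\n' "certbot renew --dry-run"
            ;;
        *)
            echo "cannot classify $conf" >&2
            return 2
            ;;
    esac
}

# Demo on a constructed copy of the renewal config from the thread
# (sample data; the account id is a placeholder).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# renew_before_expiry = 30 days
version = 1.12.0
archive_dir = /etc/letsencrypt/archive/topoi.pooq.com
cert = /etc/letsencrypt/live/topoi.pooq.com/cert.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    echo "state:         $(renewal_state "$tmp")"
    echo "fix (hooks):   $(fix_command "$tmp" topoi.pooq.com hooks)"
    echo "fix (webroot): $(fix_command "$tmp" topoi.pooq.com webroot)"
    rm -f "$tmp"
}

demo
```

Two practical notes. Hooks passed to `certbot certonly` are stored in the renewal config as pre_hook/post_hook, which is what the cron job's plain `certbot -q renew` reads, so the fix survives unattended runs; --force-renewal issues a fresh certificate immediately and counts against Let's Encrypt's duplicate-certificate rate limit, which is fine as a one-off. After either fix, `certbot renew --dry-run` exercises the new profile against the staging environment, including the pre/post hooks, without issuing anything; for the webroot variant, the 404 lighttpd returned for /.well-known/acme-challenge/ above shows lighttpd is already serving that path, so the -w directory just has to be its real document root.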

Stopping and restarting lighttpd did the trick. Thank you.

