Use renewal hooks

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: theorb.net

I ran this command: certbot -v certonly --standalone -d a.ns.theorb.net,a.mx.hostisimo.com,b.ns.theorb.net,hostisimo.com,theorb.net,www.hostisimo.com,www.theorb.net

It produced this output: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
(END)

My web server is (include version): apache 2.4.57 (Debian)

The operating system my web server runs on is (include version): Debian 12 bookworm

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.0

I can't figure out how to use the pre and post renewal hooks. I tried putting the names of the start and stop scripts in post and pre, and I've tried soft links to the scripts in /usr/local/sbin, but they are ignored. Note that the deploy script does get run.

I've successfully renewed my certs but I have to use "webserver-stop;renewal-command;webserver-start" manually. How do I tell certbot to run those pre and post scripts so the entire process is automatic?

Thank you

1 Like

Welcome @oldDog

Do you really need a script as the pre and post hook? Would using the Apache stop and start commands be enough? I didn't try it with Apache, but the command below stops / starts nginx using just the systemctl command. I am sure the Apache commands would work the same, and the service or similar commands would work too.

sudo certbot certonly --standalone -d test.example.com \
   --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx'

(\ for formatting)

If you need a script, make sure the shell the script runs in is what you expect. Test with 'echo' and such in the script first to ensure the script runs at all. Then add the stop / start once that is proven. Sometimes, when run from cron, scripts get a different shell than the command prompt.

2 Likes
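As an added example (not Mike's command or the Certbot project's code) of the "prove the script runs first, then add stop / start" advice above: this writes the two hook scripts with a shebang, the executable bit and a log line showing which shell and PATH they actually ran under, and prints the certonly command that attaches them with --pre-hook/--post-hook (certbot records those two options in the certificate's renewal configuration, so later `certbot renew` runs reuse them). The script paths, the `apache2` service name and the `SYSTEMCTL`/`HOOK_LOG` environment overrides are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): generate pre/post hook scripts for a
# standalone certbot run and show how they are attached on the command line.
set -eu

# write_hook PATH ACTION: write an executable hook script that runs
# "systemctl ACTION apache2". The service name is an assumption; SYSTEMCTL and
# HOOK_LOG are hypothetical overrides so the script can be exercised as a
# normal user without stopping a real service.
write_hook() {
  path=$1
  action=$2
  cat > "$path" <<EOF
#!/bin/sh
# certbot ${action} hook. Hooks run with certbot's environment (cron, systemd
# timer), not a login shell, so record the shell and PATH before doing anything.
log="\${HOOK_LOG:-/var/log/certbot-hooks.log}"
echo "\$(date -u +%Y-%m-%dT%H:%M:%SZ) ${action} apache2 via \$0 PATH=\$PATH" >> "\$log"
exec "\${SYSTEMCTL:-systemctl}" ${action} apache2
EOF
  chmod 0755 "$path"
}

# hook_is_sane PATH: what to check before trusting a hook: the file exists, is
# executable and starts with a shebang. A file without the executable bit is
# not run as a hook.
hook_is_sane() {
  [ -x "$1" ] && [ "$(head -c 2 "$1")" = "#!" ]
}

# certbot_command PRE POST DOMAIN...: print the certonly invocation that wires
# the hooks in. certbot saves --pre-hook/--post-hook into the renewal
# configuration, so "certbot renew" applies them without repeating the flags.
certbot_command() {
  pre=$1
  post=$2
  shift 2
  printf 'certbot certonly --standalone --pre-hook %s --post-hook %s' "$pre" "$post"
  for d in "$@"; do
    printf ' -d %s' "$d"
  done
  printf '\n'
}
```

Typical use on the box in the thread: `write_hook /usr/local/sbin/certbot-pre stop`, `write_hook /usr/local/sbin/certbot-post start`, then run the printed command once; afterwards tail the log file during a `certbot renew --dry-run` to confirm the hooks fire before changing anything else.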

Thanks Mike.

That's what was in the scripts. I didn't know I could inline the commands as arguments to the hooks.

Appreciate the rapid response.

2 Likes

scripts?
Are you following a guide?
[if so, which?]

Why?
I mean: Why can't you use the webserver to authenticate via HTTP-01?
[why stop a perfectly good webserver, only to start another one]

2 Likes

I.e.: use the --webroot plugin.

See User Guide — Certbot 2.11.0 documentation for more info.

2 Likes

They would also need to have Apache or something respond to port 80 for all of the domain names in the cert. That isn't true today, but they are getting a cert for all those names using standalone. If they don't mind a short downtime every 60 days, that might be nicer than having to adjust their server setup.

See the .mx or a.ns names, for example. Those even use a different public IP, so I'm not sure how the standalone even works, but apparently it does.

1 Like

A "global catch-all" would do the trick.

  • direct all ACME challenge requests to a specific folder/location
  • redirect all other requests to HTTPS

That would make it easy to use --webroot for all names [present and future].
[as long as the HTTP requests can reach this box]

1 Like
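The "global catch-all" described above, as an added example that is not part of the original post or Certbot's documentation: one function writes a server-level Alias that sends every `/.well-known/acme-challenge/` request, whatever the Host header, to a single shared webroot (certbot --webroot writes the challenge files under `<webroot>/.well-known/acme-challenge/`), a second writes the default port-80 vhost that redirects all other requests to HTTPS, and a third prints the matching --webroot command. The file names, the `/var/www/acme` path and the Debian `conf-enabled`/`sites-enabled` layout are assumptions; the catch-all only works for names whose HTTP requests actually reach this box.

```shell
#!/bin/sh
# Added example (not from the thread): Apache "global catch-all" for ACME
# HTTP-01 plus the certbot --webroot command that uses it.
set -eu

# Shared challenge webroot (assumption); certbot is pointed at it with -w.
ACME_ROOT=${ACME_ROOT:-/var/www/acme}

# write_acme_alias_conf PATH: server-level mapping, outside any <VirtualHost>,
# so every vhost that does not define its own Alias inherits it. Needs
# mod_alias. On Debian this would live in /etc/apache2/conf-available/.
write_acme_alias_conf() {
  cat > "$1" <<EOF
# ACME HTTP-01 challenges for all names are answered from one directory.
Alias /.well-known/acme-challenge/ ${ACME_ROOT}/.well-known/acme-challenge/
<Directory ${ACME_ROOT}/.well-known/acme-challenge/>
    Options None
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# write_catchall_vhost PATH: the default *:80 vhost. Apache uses the first
# vhost for an address as the default, so the file name must sort first in
# sites-enabled (e.g. 000-acme-catchall.conf). Needs mod_rewrite.
write_catchall_vhost() {
  cat > "$1" <<EOF
# Default port-80 vhost: challenges are served by the Alias above, everything
# else is redirected to the same host over TLS.
<VirtualHost *:80>
    ServerName acme-catchall.invalid
    ServerAlias *

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
EOF
}

# certbot_webroot_command DOMAIN...: print the certonly invocation that drops
# challenge files into the shared webroot instead of binding port 80 itself.
certbot_webroot_command() {
  printf 'certbot certonly --webroot -w %s' "$ACME_ROOT"
  for d in "$@"; do
    printf ' -d %s' "$d"
  done
  printf '\n'
}
```

After writing the two files, `mkdir -p /var/www/acme/.well-known/acme-challenge`, enable them (`a2enconf` / `a2ensite` on Debian), run `apachectl configtest` and reload; then a `certbot certonly --webroot ... --dry-run` confirms each name before the real issuance, and no pre/post hooks are needed because Apache keeps running throughout.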
