py39-certbot-2.6.0,1
1 view
Skip to first unread message
Doug Hardie
Nov 16, 2023, 4:34:38 PM11/16/23
to ques...@freebsd.org
I have been using py39-certbot-2.6.0,1 for sometime now without any issues. However, earlier this month it started generating errors:
Renewing an existing certificate for sermon-archive.info and 5 more domains
Failed to renew certificate sermon-archive.info with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
Huh? Of course there is a web server there. That's why I need a certificate. Anyone know how to fix this issue, or should I switch to some other LetsEncrypt client? Thanks,
-- Doug
TIM KELLERS
Nov 16, 2023, 4:59:48 PM11/16/23
to ques...@freebsd.org
I use that certbot, too, and I just do an apachectl stop before "certbot renew." I also have to stop the pf service because my firewall doesn't like port 80 traffic, but that's a different use case.
Tim
Doug Hardie
Nov 16, 2023, 5:03:32 PM11/16/23
to TIM KELLERS, ques...@freebsd.org
Stopping the web server is not a viable approach. It is on a production machine and that would affect my clients. It has never done this in the years I have been using LetsEncrypt. I don't see any changes in that port either.
-- Doug
Pete Wright
Nov 16, 2023, 5:12:59 PM11/16/23
to ques...@freebsd.org
configuration? i have this issue with one system that does a 301
redirect to port 443 on port 80. on another host where i don't do this
certbot works as expected without having to stop httpd.
-pete
--
Pete Wright
pe...@nomadlogic.org
Doug Hardie
Nov 17, 2023, 12:10:32 AM11/17/23
to Pete Wright, ques...@freebsd.org
Addressing this response as well as several others not sent to the list.
I have not added any vhosts and standalone does not appear anywhere in the setup. The initial setup output was:
INITIAL CERTIFICATE SETUP:
certbot certonly --webroot
sermon-archive.info,sasa-web.net,steveandconnielarson.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com
LATEST CERTIFICATE UPDATE:
certbot certonly cert-name sermon-archive.info -d sermon-archive.info,sasa-web.net,steveandconnielarson.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com
ADDING A NEW SAN:
certbot certonly --webroot --expand -d sermon-archive.info,sasa-web.net,steveandconnielarson.com,vintagecorvettessocal.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com,www.vintagecorvettessocal.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/usr/local/etc/letsencrypt/live/rssllc.us/fullchain.pem
Your key file has been saved at:
/usr/local/etc/letsencrypt/live/rssllc.us/privkey.pem
Your cert will expire on 2020-05-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Since thqt time, I added a vhost and that had no issues. However, recently a client went elsewhere and I deleted a vhost. All I did was remove the vhost entry in the renew command which now reads:
#!/bin/sh -e
echo "Starting renew"
cd /www/certs
export PATH=/www/certs:$PATH
echo $PATH
certbot renew --webroot-path /www --key-type rsa
echo "RC = $RC"
echo "End of renew"
Since that doesn't list the domains, I suspect I did a command something like:
certbot certonly --webroot --expand -d sermon-archive.info,sasa-web.net,steveandconnielarson.com,vintagecorvettessocal.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com
However, I am not sure. Obviously certbot saves the domain names somewhere and perhaps the deleted one is still there and certbot is trying to renew it with a default of standalone.
My web server is setup to handle the certbot challenges and has worked for some time.
-- Doug
Doug Hardie
Nov 17, 2023, 12:31:19 AM11/17/23
to Pete Wright, ques...@freebsd.org
Thanks to all who pointed me in the right direction. I still don't know where certbot keeps its info, but running:
sermons# certbot certonly --webroot --expand -d sermon-archive.info,sasaweb.net,steveandconnielarson.com,www.sasa-web.net,www.sermonarchive.info,www.steveandconnielarson.com
generated new certificates without any issues. So, I am assuming that my presumption that the deleted domain was the issue. I must not have run the above command before.
-- Doug
Jon Radel
Nov 17, 2023, 1:45:57 PM11/17/23
to Doug Hardie, ques...@freebsd.org
It's somewhat odd, by general industry practice, to use the same
certificate for all one's clients. Not only do you make your client
list more visible than it really should be, but, as you've found,
failures with one client risk rippling to other clients when something
goes wrong.
Current cert:
CN = sermon-archive.info
SAN = sasa-web.net
sermon-archive.info
steveandconnielarson.com
www.sasa-web.net
www.sermon-archive.info
www.steveandconnielarson.com
The more common method:
Cert 1:
CN = www.sermon-archive.info
SAN = sermon-archive.info
www.sermon-archive.info
Cert 2:
CN = www.steveandconnielarson.com
SAN = steveandconnielarson.com
www.steveandconnielarson.com
Cert 3:
CN = www.sasa-web.net
SAN = sasa-web.net
www.sasa-web.net
--Jon Radel
Doug Hardie
Nov 17, 2023, 4:45:40 PM11/17/23
to Jon Radel, ques...@freebsd.org
> On Nov 17, 2023, at 10:45, Jon Radel <j...@radel.com> wrote:
>
> On Thu, 16 Nov 2023 21:30:51 -0800
— Doug
Jon Radel
Nov 17, 2023, 6:15:35 PM11/17/23
to Doug Hardie, ques...@freebsd.org
heard the name of in a couple of decades.
I'm actually surprised that it got SNI support for multiple TLS sites
on the same IP address. It seems to be rather abandoned now.
Unless of course you're simply having your server fib a bit about its
name.
--Jon
Doug Hardie
Nov 17, 2023, 7:33:42 PM11/17/23
to Jon Radel, Doug Hardie, ques...@freebsd.org
> On Nov 17, 2023, at 15:15, Jon Radel <j...@radel.com> wrote:
>
> On Fri, 17 Nov 2023 13:45:02 -0800
> Doug Hardie <bc...@lafn.org> wrote:
>
>> Thanks. I didn’t know that. However the web server doesn’t handle different certs for multiple clients. Hence I have to use the combined cert. I guess I’ll add multiple cert support to the server
>
> Hmmmm....are you actually running WN 2.6.1? There's a server I've not heard the name of in a couple of decades.
That is the current version. I have been running it since the late 90's. I am doing the maintenance/improvements on it now.
>
> On Fri, 17 Nov 2023 13:45:02 -0800
> Doug Hardie <bc...@lafn.org> wrote:
>
>> Thanks. I didn’t know that. However the web server doesn’t handle different certs for multiple clients. Hence I have to use the combined cert. I guess I’ll add multiple cert support to the server
>
> Hmmmm....are you actually running WN 2.6.1? There's a server I've not heard the name of in a couple of decades.
>
> I'm actually surprised that it got SNI support for multiple TLS sites on the same IP address. It seems to be rather abandoned now.
>
> Unless of course you're simply having your server fib a bit about its name.
-- Doug
Reply all
Reply to author
Forward
0 new messages