Date: Thu, 16 Nov 2023 21:10:02 -0800
From: Doug Hardie <bc979@lafn.org>
To: Pete Wright <pete@nomadlogic.org>
Cc: questions@freebsd.org
Subject: Re: py39-certbot-2.6.0,1
Message-ID: <6AA4AA77-A7FA-4290-A75B-14090F47F41F@sermon-archive.info>
In-Reply-To: <75f4ef5a-e6cc-425f-8a07-9f5f95e4d8aa@nomadlogic.org>
References: <E9299A1C-27B1-46CE-95B3-926AAEA56DF1@sermon-archive.info> <173e9c01-1e50-43ce-8acb-22a33f9603d4@gmail.com> <8D21AE27-BE70-4158-B198-4B06C7D4A981@sermon-archive.info> <75f4ef5a-e6cc-425f-8a07-9f5f95e4d8aa@nomadlogic.org>
> On Nov 16, 2023, at 14:12, Pete Wright <pete@nomadlogic.org> wrote:
> 
> On 11/16/23 2:02 PM, Doug Hardie wrote:
>>> On Nov 16, 2023, at 13:59, TIM KELLERS <trkellers@gmail.com> wrote:
>>> 
>>> I use that certbot, too, and I just do an apachectl stop before "certbot renew." I also have to stop the pf service because my firewall doesn't like port 80 traffic, but that's a different use case.
>>> 
>>> Tim
>>> 
>>> On 11/16/23 4:34 PM, Doug Hardie wrote:
>>>> I have been using py39-certbot-2.6.0,1 for some time now without any issues. However, earlier this month it started generating errors:
>>>> 
>>>> Renewing an existing certificate for sermon-archive.info and 5 more domains
>>>> Failed to renew certificate sermon-archive.info with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
>>>> 
>>>> Huh? Of course there is a web server there. That's why I need a certificate. Anyone know how to fix this issue, or should I switch to some other LetsEncrypt client? Thanks,
>>>> 
>> Stopping the web server is not a viable approach. It is on a production machine and that would affect my clients. It has never done this in the years I have been using LetsEncrypt. I don't see any changes in that port either.
> 
> have you added any vhosts or 301 redirects on port 80 in your httpd configuration? i have this issue with one system that does a 301 redirect to port 443 on port 80. on another host where i don't do this certbot works as expected without having to stop httpd.

Addressing this response as well as several others not sent to the list.

I have not added any vhosts and standalone does not appear anywhere in the setup.
The initial setup output was:

INITIAL CERTIFICATE SETUP:
certbot certonly --webroot
sermon-archive.info,sasa-web.net,steveandconnielarson.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com

LATEST CERTIFICATE UPDATE:
certbot certonly cert-name sermon-archive.info -d sermon-archive.info,sasa-web.net,steveandconnielarson.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com

mail.sermon-archive.info
master.sermon-archive.info

ADDING A NEW SAN:
certbot certonly --webroot --expand -d sermon-archive.info,sasa-web.net,steveandconnielarson.com,vintagecorvettessocal.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com,www.vintagecorvettessocal.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /usr/local/etc/letsencrypt/live/rssllc.us/fullchain.pem
   Your key file has been saved at:
   /usr/local/etc/letsencrypt/live/rssllc.us/privkey.pem
   Your cert will expire on 2020-05-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Since that time, I added a vhost and that had no issues. However, recently a client went elsewhere and I deleted a vhost.
All I did was remove the vhost entry in the renew command which now reads:

#!/bin/sh -e
echo "Starting renew"
cd /www/certs
export PATH=/www/certs:$PATH
echo $PATH

# RC was never assigned in the posted script, so the echo below always printed
# an empty value; capture certbot's exit status here (the "|| RC=$?" keeps
# "sh -e" from aborting before the status is recorded).
RC=0
certbot renew --webroot-path /www --key-type rsa || RC=$?

echo "RC = $RC"
echo "End of renew"

Since that doesn't list the domains, I suspect I did a command something like:

certbot certonly --webroot --expand -d sermon-archive.info,sasa-web.net,steveandconnielarson.com,vintagecorvettessocal.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com

However, I am not sure. Obviously certbot saves the domain names somewhere and perhaps the deleted one is still there and certbot is trying to renew it with a default of standalone.

My web server is set up to handle the certbot challenges and has worked for some time.

-- Doug