Automatic Certbot Renew is not working (Failed to Bind to :80)

Discussion in 'General' started by Nyx_, Feb 24, 2022.

  1. Nyx_

    Nyx_ New Member HowtoForge Supporter

    Hello Everyone. Good day.

    I'm fighting an issue with the automatic SSL renewal on ISPConfig.
    I'm seeing these errors in the log:
    Code:
    2022-02-24 03:04:24,881:DEBUG:acme.standalone:Failed to bind to :80 using IPv6
    If I run certbot manually on the command line as a test (dry run), adding the "--apache" parameter, everything works fine.
    Code:
    certbot renew --apache --dry-run
    What should I change to fix the automatic cert renewal via the ISPConfig scheduled task?
    I'd appreciate it if you could shed some light on the issue.
    Thank you very much.

    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Ubuntu 20.04.4 LTS
    [INFO] uptime: 10:27:58 up 13:11, 1 user, load average: 0.00, 0.00, 0.00
    [INFO] memory:
    total used free shared buff/cache available
    Mem: 3.8Gi 1.9Gi 848Mi 44Mi 1.1Gi 1.8Gi
    Swap: 1.9Gi 6.0Mi 1.9Gi
    [INFO] systemd failed services status:
    UNIT LOAD ACTIVE SUB DESCRIPTION
    ● certbot.service loaded failed failed Certbot
    ● logrotate.service loaded failed failed Rotate log files

    LOAD = Reflects whether the unit definition was properly loaded.
    ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
    SUB = The low-level unit activation state, values depend on unit type.

    2 loaded units listed.

    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.2.7p1


    ##### VERSION CHECK #####

    [INFO] php (cli) version is 7.4.3
    [INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.3

    ##### PORT CHECK #####

    [WARN] Port 8081 (ISPConfig Apps) seems NOT to be listening

    ##### MAIL SERVER CHECK #####


    ##### RUNNING SERVER PROCESSES #####

    [INFO] I found the following web server(s):
    Apache 2 (PID 2053)
    [INFO] I found the following mail server(s):
    Postfix (PID 3597)
    [INFO] I found the following pop3 server(s):
    Dovecot (PID 1856)
    [INFO] I found the following imap server(s):
    Dovecot (PID 1856)
    [INFO] I found the following ftp server(s):
    PureFTP (PID 2198)

    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    ***.***.***.***:53 (1862/named)
    [anywhere]:21 (2198/pure-ftpd)
    [localhost]:53 (1862/named)
    ***.***.***.***:53 (863/systemd-resolve)
    [anywhere]:22 (1934/sshd:)
    [anywhere]:25 (3597/master)
    [localhost]:953 (1862/named)
    [anywhere]:993 (1856/dovecot)
    [anywhere]:995 (1856/dovecot)
    [localhost]:10023 (2018/postgrey)
    [localhost]:10024 (2928/amavisd-new)
    [localhost]:10025 (3597/master)
    [localhost]:10026 (2928/amavisd-new)
    [localhost]:3306 (1997/mysqld)
    [localhost]:10027 (3597/master)
    [anywhere]:587 (3597/master)
    [localhost]:11211 (1861/memcached)
    [anywhere]:110 (1856/dovecot)
    [anywhere]:143 (1856/dovecot)
    [anywhere]:111 (1/init)
    [anywhere]:465 (3597/master)
    *:*:*:*::*:21 (2198/pure-ftpd)
    *:*:*:*::*:53 (1862/named)
    *:*:*:*::*:22 (1934/sshd:)
    *:*:*:*::*:25 (3597/master)
    *:*:*:*::*:953 (1862/named)
    *:*:*:*::*:443 (2053/apache2)
    *:*:*:*::*:993 (1856/dovecot)
    *:*:*:*::*:995 (1856/dovecot)
    *:*:*:*::*:10023 (2018/postgrey)
    *:*:*:*::*:587 (3597/master)
    [localhost]10 (1856/dovecot)
    [localhost]43 (1856/dovecot)
    [localhost]11 (1/init)
    *:*:*:*::*:8080 (2053/apache2)
    *:*:*:*::*:80 (2053/apache2)
    *:*:*:*::*:465 (3597/master)




    ##### IPTABLES #####
    Chain INPUT (policy DROP)
    target prot opt source destination
    f2b-sshd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22
    f2b-postfix-sasl tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25,465,587,143,993,110,995
    ufw-before-logging-input all -- [anywhere]/0 [anywhere]/0
    ufw-before-input all -- [anywhere]/0 [anywhere]/0
    ufw-after-input all -- [anywhere]/0 [anywhere]/0
    ufw-after-logging-input all -- [anywhere]/0 [anywhere]/0
    ufw-reject-input all -- [anywhere]/0 [anywhere]/0
    ufw-track-input all -- [anywhere]/0 [anywhere]/0

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ufw-before-logging-forward all -- [anywhere]/0 [anywhere]/0
    ufw-before-forward all -- [anywhere]/0 [anywhere]/0
    ufw-after-forward all -- [anywhere]/0 [anywhere]/0
    ufw-after-logging-forward all -- [anywhere]/0 [anywhere]/0
    ufw-reject-forward all -- [anywhere]/0 [anywhere]/0
    ufw-track-forward all -- [anywhere]/0 [anywhere]/0

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ufw-before-logging-output all -- [anywhere]/0 [anywhere]/0
    ufw-before-output all -- [anywhere]/0 [anywhere]/0
    ufw-after-output all -- [anywhere]/0 [anywhere]/0
    ufw-after-logging-output all -- [anywhere]/0 [anywhere]/0
    ufw-reject-output all -- [anywhere]/0 [anywhere]/0
    ufw-track-output all -- [anywhere]/0 [anywhere]/0

    Chain f2b-postfix-sasl (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-sshd (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain ufw-after-forward (1 references)
    target prot opt source destination

    Chain ufw-after-input (1 references)
    target prot opt source destination
    ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:137
    ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:138
    ufw-skip-to-policy-input tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:139
    ufw-skip-to-policy-input tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:445
    ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:67
    ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:68
    ufw-skip-to-policy-input all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type BROADCAST

    Chain ufw-after-logging-forward (1 references)
    target prot opt source destination
    LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

    Chain ufw-after-logging-input (1 references)
    target prot opt source destination
    LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

    Chain ufw-after-logging-output (1 references)
    target prot opt source destination

    Chain ufw-after-output (1 references)
    target prot opt source destination

    Chain ufw-before-forward (1 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 3
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 11
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 12
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 8
    ufw-user-forward all -- [anywhere]/0 [anywhere]/0

    Chain ufw-before-input (1 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
    ufw-logging-deny all -- [anywhere]/0 [anywhere]/0 ctstate INVALID
    DROP all -- [anywhere]/0 [anywhere]/0 ctstate INVALID
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 3
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 11
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 12
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 8
    ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp spt:67 dpt:68
    ufw-not-local all -- [anywhere]/0 [anywhere]/0
    ACCEPT udp -- [anywhere]/0 ***.***.***.*** udp dpt:5353
    ACCEPT udp -- [anywhere]/0 ***.***.***.*** udp dpt:1900
    ufw-user-input all -- [anywhere]/0 [anywhere]/0

    Chain ufw-before-logging-forward (1 references)
    target prot opt source destination

    Chain ufw-before-logging-input (1 references)
    target prot opt source destination

    Chain ufw-before-logging-output (1 references)
    target prot opt source destination

    Chain ufw-before-output (1 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
    ufw-user-output all -- [anywhere]/0 [anywhere]/0

    Chain ufw-logging-allow (0 references)
    target prot opt source destination
    LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

    Chain ufw-logging-deny (2 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0 ctstate INVALID limit: avg 3/min burst 10
    LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

    Chain ufw-not-local (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type LOCAL
    RETURN all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type MULTICAST
    RETURN all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type BROADCAST
    ufw-logging-deny all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain ufw-reject-forward (1 references)
    target prot opt source destination

    Chain ufw-reject-input (1 references)
    target prot opt source destination

    Chain ufw-reject-output (1 references)
    target prot opt source destination

    Chain ufw-skip-to-policy-forward (0 references)
    target prot opt source destination
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain ufw-skip-to-policy-input (7 references)
    target prot opt source destination
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain ufw-skip-to-policy-output (0 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0

    Chain ufw-track-forward (1 references)
    target prot opt source destination

    Chain ufw-track-input (1 references)
    target prot opt source destination

    Chain ufw-track-output (1 references)
    target prot opt source destination
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 ctstate NEW
    ACCEPT udp -- [anywhere]/0 [anywhere]/0 ctstate NEW

    Chain ufw-user-forward (1 references)
    target prot opt source destination

    Chain ufw-user-input (1 references)
    target prot opt source destination
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:22
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:25
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:53
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:80
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:443
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:587
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:993
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8080
    ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:53

    Chain ufw-user-limit (0 references)
    target prot opt source destination
    LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    REJECT all -- [anywhere]/0 [anywhere]/0 reject-with icmp-port-unreachable

    Chain ufw-user-limit-accept (0 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0

    Chain ufw-user-logging-forward (0 references)
    target prot opt source destination

    Chain ufw-user-logging-input (0 references)
    target prot opt source destination

    Chain ufw-user-logging-output (0 references)
    target prot opt source destination

    Chain ufw-user-output (1 references)
    target prot opt source destination




    ##### LET'S ENCRYPT #####
    Certbot is installed in /usr/bin/letsencrypt
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I don't remember the installer using standalone mode, I thought it used webroot as well; did you issue this certificate by running certbot manually here?
     
  3. Nyx_

    Nyx_ New Member HowtoForge Supporter

    Hi Jesse. Thanks for the reply.
    I might have issued the certs manually in the past.
    If that's the case, should I remove the certs manually via certbot delete and create them again using the ISPConfig interface?
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Yes, try one domain and test that things work, and troubleshoot if needed.
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Issuing certs manually for website(s) does cause problem(s) at renewal, so that could be the cause that needs fixing.

    Otherwise, what version is your certbot? Old letsencrypt / certbot is also known to cause problems, so remove them if you are using any of them (old version) and install certbot via snap.
     
  6. recin

    recin Member

    I have this problem on a non-ISPConfig server: certbot fails because port 80 is in use and I have to stop apache before running certbot.
    I don't have any problem on ISPConfig.
     
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Sorry, please open a new thread in the non-ISPConfig board if you have an issue with a non-ISPConfig server. You got me confused.
     
  8. recin

    recin Member

    Sorry, I don't have any problem with this. I only wanted to share my experience with this error.
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    1. Your problem is not related to ISPConfig matters; and
    2. Even so, certbot should not have problems with port 80 unless you installed some LE certs using the --apache (or --nginx) parameter, which you do not need to do if you installed all of the LE certs using the --webroot parameter.

    That is mainly why in ISPConfig you do not have to turn your web server (apache2 or nginx) off and on during renewal, as the ISPConfig web server only uses the --webroot parameter.

    So, in short, even on your own non-ISPConfig web server, you will not have to turn off your web server if you only use the --webroot parameter to get LE certs.
     
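The point made in the replies above is that the "Failed to bind to :80" message comes from certbot's standalone authenticator (the log line is tagged acme.standalone), which needs port 80 for itself, while the webroot authenticator used by ISPConfig renews with the web server still running. The quickest way to confirm which certificates on a server will collide with Apache at renewal time is to read the per-certificate renewal configs. The following shell script is an added example, not code from the thread or from ISPConfig; it assumes certbot's standard layout, where each certificate has a file under /etc/letsencrypt/renewal/ containing an "authenticator = ..." line, and it lets you point it at a different directory for testing.

```shell
#!/bin/sh
# Added example (not from the thread): report which certbot renewal configs
# use the standalone authenticator, i.e. which renewals will try to bind :80
# themselves and fail while apache2/nginx is listening there.
# Assumption: certbot's default layout /etc/letsencrypt/renewal/<name>.conf,
# each file carrying a line such as "authenticator = webroot".

# Print "<conf file> <authenticator>" for every *.conf in directory $1
# (default: /etc/letsencrypt/renewal). A file with no authenticator line is
# reported as "unknown" rather than silently skipped.
list_authenticators() {
    dir="${1:-/etc/letsencrypt/renewal}"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Take the value after "authenticator =", first match only.
        auth=$(sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$f" | head -n1)
        printf '%s %s\n' "$f" "${auth:-unknown}"
    done
}

# Print the config files whose authenticator is "standalone".
# Exit status 0 if at least one was found (renewal will need port 80 free),
# 1 if none were found (webroot/apache/nginx renewals coexist with the web
# server and need no stop/start).
find_standalone() {
    list_authenticators "$1" | awk '$2 == "standalone" { print $1; found = 1 }
                                   END { exit found ? 0 : 1 }'
}

# Usage:
#   . ./check_renewal.sh
#   find_standalone && echo "these certs cannot renew while the web server holds :80"
```

Any file this reports is a certificate that was issued outside ISPConfig with standalone mode; the fix the thread arrives at is to delete that certificate with certbot and re-issue it through the ISPConfig interface, so that its renewal config ends up with the webroot authenticator. Certbot does also accept --pre-hook and --post-hook to stop and start the web server around a standalone renewal, but that keeps the outage on every renewal and is only worth it where no web server can serve the challenge file.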
  10. Nyx_

    Nyx_ New Member HowtoForge Supporter

    Hi Jesse.
    I've deleted the Certs using certbot command line and re-created them using the ISPConfig interface, all seems fine now.
    Thank you for the help.
     