Let's Encrypt lots of errors in standalone

Discussion in 'Server Operation' started by Taleman, Jun 21, 2018.

  1. Taleman

    Taleman Active Member HowtoForge Supporter

    Debian GNU/Linux 9.4 Stretch, certbot from stretch-backports version 0.23.0-1~bpo9+1. Also installed python3-certbot and python3-certbot-apache.
    This is a multiserver ISPConfig setup, but the LE certificate is for the mail server and certbot is installed and set up manually. The mail server is an ISPConfig host, and only runs postfix and dovecot. I did not use ISPConfig to create the LE certificate, since the mail host does not run websites.

    Now the certificate has been running OK, but the Let's Encrypt Expiry Bot sent me an e-mail that the renew does not work. Indeed, checking the logs I see the renew keeps failing, and certbot gives a lot of runtime errors. After half a day of searching I have learned that
    - certbot tries to do the renew in standalone mode, which fails because Apache is already running
    - I tried dry-run on command line, and this does not show any errors:
    Code:
    certbot renew --apache --dry-run  --cert-name mailhost.companydomain.fi
    I have not yet figured out how to force certbot to stop using standalone mode; the instructions I found tell me not to modify the files in /etc/letsencrypt/renewal. But maybe standalone mode should indeed be used, but with pre and post hooks that stop apache before the renew and start apache afterwards?

    I have until 9th July before the certificate expires. I would like to test now that the automatic renewal works automatically.

    If I change certbot to authenticate with the apache plugin, I believe I need to restart apache afterwards to get it to use the new certificate. Same thing for postfix and dovecot. So I need to play with pre and post hooks anyway.

    After that long preface: How is certbot manual setup to renew generally done? It seems to me the standalone authentication would be better, since apache needs to be restarted anyway, and I can in the same hook add restart for postfix and dovecot.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    When it's uncritical to stop apache for a short period and you'll have to restart it anyway, then a pre-hook that stops apache and a post hook that starts it again sound like a neat solution to me. But I haven't used that yet. My mail server still has a comodo cert, but I'll probably replace it with LE as well when its lifespan ends.
     
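A worked example of the hook setup discussed in the two posts above, added here and not part of the original thread: the `certbot renew` invocation with pre/post hooks that free port 80 for standalone mode, plus a deploy hook that reloads postfix and dovecot only when the mail host's certificate was actually renewed. The host name mailhost.companydomain.fi comes from the thread; the script path and the systemd unit names are assumptions.

```shell
#!/bin/sh
# Deploy hook for certbot standalone renewal on the mail host (added example).
# Install as e.g. /usr/local/sbin/le-mail-hooks.sh (assumed path) and renew with:
#   certbot renew \
#     --pre-hook  "systemctl stop apache2" \
#     --post-hook "systemctl start apache2" \
#     --deploy-hook /usr/local/sbin/le-mail-hooks.sh
# --pre-hook/--post-hook run around every renewal attempt, so port 80 is free
# for the standalone listener and apache comes back even if renewal fails.
# --deploy-hook runs only after a successful renewal, with RENEWED_DOMAINS and
# RENEWED_LINEAGE exported by certbot.

MAIL_HOST="mailhost.companydomain.fi"   # host name from the thread

# Print the services that must pick up the new key/cert for a space-separated
# domain list. Only the mail host's lineage matters; anything else prints nothing.
services_for_domains() {
    for d in $1; do
        if [ "$d" = "$MAIL_HOST" ]; then
            echo "postfix dovecot"
            return 0
        fi
    done
    echo ""
}

# Refuse to reload into a broken state: the lineage directory must hold a
# non-empty private key and full chain before postfix/dovecot re-read them.
lineage_is_complete() {
    [ -s "$1/privkey.pem" ] && [ -s "$1/fullchain.pem" ]
}

# Entry point used by certbot. Does nothing when run by hand without the
# certbot environment, so the functions above can be tested safely.
if [ -n "$RENEWED_LINEAGE" ]; then
    if ! lineage_is_complete "$RENEWED_LINEAGE"; then
        echo "deploy-hook: $RENEWED_LINEAGE is incomplete, not reloading" >&2
        exit 1
    fi
    for svc in $(services_for_domains "$RENEWED_DOMAINS"); do
        # reload keeps connections alive; fall back to restart if unsupported
        systemctl reload "$svc" || systemctl restart "$svc"
    done
fi
```

Because the post-hook starts apache unconditionally, a failed renewal attempt still leaves the web server running; only the deploy hook touches the mail daemons.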
  3. ahrasis

    ahrasis Active Member
