Let's Encrypt certificate was not renewed automatically

The Let's Encrypt certificate I set up three months ago was not renewed automatically for some reason. I have solved it, so I am posting this as a memo. I hadn't planned to post it to Qiita, so I didn't take screenshots.

Environment

ConoHa (CentOS 8)

Noticing that Apache was broken

- I thought I had set up automatic renewal of Let's Encrypt, but for some reason the certificate had not been renewed. I remember setting it up by following this article.
- I didn't understand the error message even after reading it, but Apache seemed to be at fault (my guess).
- When I checked with the following command, Apache had failed to start: the status showed "Active: failed (Result: exit-code)".

Terminal


$ systemctl status httpd

- Reading the status carefully, there were two "(98) Address already in use" errors. Apache could not start because port 443 was already being used by Node.js.

→ Realized that Apache has to be running for the Let's Encrypt renewal to work (← stupid). With certbot's Apache plugin, certbot needs a working httpd to answer the validation challenge and reload the configuration, so every scheduled renewal had been failing while httpd was down.
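Rather than reading through the whole systemctl status output, the quickest way to see who already holds the port is ss -tlnp. The following is an added example, not code from the original post: a small shell function that reads ss -tlnp output and names the process listening on a given port. SAMPLE_SS is constructed output for testing offline; the process names and PIDs in it are assumptions. On the real host, pipe the live output in: ss -tlnp | find_listener 443.

```shell
#!/bin/sh
# Added example (not from the original post): find out which process holds
# the port Apache fails to bind ("(98) Address already in use").
# Real use:  ss -tlnp | find_listener 443
# SAMPLE_SS is constructed ss -tlnp output; "node"/"httpd" and the PIDs are
# assumed values for an offline run.

SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     *:443               *:*                users:(("node",pid=1234,fd=20))
LISTEN  0       511     *:80                *:*                users:(("httpd",pid=2001,fd=4),("httpd",pid=2000,fd=4))'

# find_listener PORT: reads ss -tlnp output on stdin and prints "name pid"
# for each LISTEN socket on PORT, whatever the bind address (0.0.0.0, *, [::]).
# When several processes share a socket (httpd workers) only the first is
# printed. Exit status is 1 if nothing listens on PORT.
find_listener() {
    port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":")                  # port is the last ":"-field
            if (a[n] != port) next
            # users:(("node",pid=1234,fd=20))  ->  node 1234
            if (match($0, /\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART + 2, RLENGTH - 2)   # node",pid=1234
                sub(/",pid=/, " ", s)
                print s
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}
```

If the function prints "node 1234" for port 443, httpd cannot come up with "Listen 443" in its configuration no matter how often it is restarted; either the Node.js process has to go or Apache has to stop listening on 443.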

Getting Apache running again and renewing Let's Encrypt

- I stopped the Node.js process (I just killed it this time) and restarted Apache. This time it started normally. After that I renewed the Let's Encrypt certificate manually and it succeeded.

▼ Manual renewal of Let's Encrypt

Terminal


$ sudo certbot renew

Reference for killing the process: Corrective action for Address already in use

→ I had thought Node.js was running on top of Apache, but I now understand that it runs independently.

I was able to renew it, but ...

- But this means stopping Node.js and starting Apache every time the certificate is renewed.
- If Apache is configured not to use port 443, it can run at the same time as Node.js (Apache opens only port 80). Certbot's HTTP-01 validation is served over port 80, so that is enough for renewal while Node.js keeps port 443.
- So I rewrote "/etc/httpd/conf.d/ssl.conf" and commented out "Listen 443 https".

:/etc/httpd/conf.d/ssl.conf


#
# When we also provide SSL we have to listen to the 
# standard HTTPS port in addition.
#
#Listen 443 https                  //← Comment out this line

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

(The rest is omitted.)

Reference: (98) Address already in use occurs when Apache is restarted! Two causes and countermeasures
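An added example, not from the original post, of making the ssl.conf edit above repeatable: it keeps a backup, only touches an active "Listen 443" line (so running it twice is harmless), and restarts httpd only after apachectl configtest passes. The path is the CentOS 8 default from the post; the backup suffix and the SSL_CONF_APPLY switch are my own.

```shell
#!/bin/sh
# Added example (not from the original post): comment out "Listen 443" in
# ssl.conf the way described above, safely and repeatably.
# Real run (as root):  SSL_CONF_APPLY=1 sh disable-443.sh
# Without SSL_CONF_APPLY=1 the script only defines the functions.

SSL_CONF="${SSL_CONF:-/etc/httpd/conf.d/ssl.conf}"   # CentOS 8 default path

# active_listen_443 FILE: prints how many uncommented "Listen 443 ..." lines
# FILE contains (0 when the line is already commented out or absent).
active_listen_443() {
    grep -cE '^[[:space:]]*Listen[[:space:]]+443([[:space:]]|$)' "$1" || true
}

# disable_listen_443 FILE: comment out every active "Listen 443 ..." line,
# keeping a timestamped backup first. Idempotent: a second run changes nothing.
# Lines such as "Listen 4430" or an already commented "#Listen 443" are left alone.
disable_listen_443() {
    f="$1"
    if [ "$(active_listen_443 "$f")" -eq 0 ]; then
        echo "$f: Listen 443 already disabled"
        return 0
    fi
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    sed -E -i 's/^([[:space:]]*)(Listen[[:space:]]+443([[:space:]]|$))/\1#\2/' "$f"
    echo "$f: Listen 443 commented out"
}

if [ "${SSL_CONF_APPLY:-0}" = 1 ]; then
    disable_listen_443 "$SSL_CONF"
    apachectl configtest            # refuse to restart on a broken configuration
    systemctl restart httpd
    systemctl is-active httpd       # non-zero exit if httpd still failed to start
fi
```

After this, ss -tlnp should show httpd on port 80 only and Node.js on 443, and sudo certbot renew works without stopping either process.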

- After restarting Apache, a forced renewal of Let's Encrypt succeeded, so it seems fine this time. I hope the next automatic renewal succeeds too. One thing to keep in mind: Node.js loaded the certificate files when it started, so after a renewal it keeps serving the old certificate until it is restarted (or reloads the files itself).

▼ Forcibly renew regardless of the certificate's expiry date. Note that --force-renew issues a brand-new certificate on every run and counts against Let's Encrypt's duplicate-certificate rate limit (5 per week for the same set of names), so use it once to confirm the fix, not from cron. "sudo certbot renew --dry-run" exercises the renewal path against the staging environment without issuing anything.

Terminal


$ sudo certbot renew --force-renew

Reference: How to manually renew a Let's Encrypt SSL certificate
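Once Apache only listens on 80, Node.js is the process that serves the certificate on 443, and a successful renewal only writes new files under /etc/letsencrypt/live/; Node.js keeps the old certificate in memory until it is restarted. certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal, with RENEWED_DOMAINS (space-separated) and RENEWED_LINEAGE set in the environment. The following is an added example, not from the original post, of such a deploy hook; the systemd unit name "node-app" and the domain "app.example.com" are assumptions, and RESTART_CMD exists only so the logic can be exercised without systemd.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook that
# restarts the Node.js service after its certificate was renewed.
# Install as /etc/letsencrypt/renewal-hooks/deploy/restart-node.sh (chmod +x).
# Assumptions: the app runs as systemd unit "node-app" and serves "app.example.com".

NODE_DOMAIN="${NODE_DOMAIN:-app.example.com}"
NODE_SERVICE="${NODE_SERVICE:-node-app}"

# needs_node_restart DOMAIN "RENEWED_DOMAINS": 0 if DOMAIN is one of the
# renewed names, 1 otherwise, so renewing an unrelated certificate on the same
# host does not bounce the app. Whole-name match, not a substring match.
needs_node_restart() {
    want="$1"
    for d in $2; do
        [ "$d" = "$want" ] && return 0
    done
    return 1
}

# deploy_hook: what runs when certbot invokes this file. RESTART_CMD defaults
# to the real systemctl restart; override it (e.g. "echo RESTARTED") to test.
deploy_hook() {
    restart_cmd="${RESTART_CMD:-systemctl restart $NODE_SERVICE}"
    if needs_node_restart "$NODE_DOMAIN" "${RENEWED_DOMAINS:-}"; then
        echo "certificate for $NODE_DOMAIN renewed (lineage ${RENEWED_LINEAGE:-?}); restarting $NODE_SERVICE"
        $restart_cmd
        return $?
    fi
    echo "renewed domains [${RENEWED_DOMAINS:-}] do not include $NODE_DOMAIN; nothing to do"
    return 0
}

# certbot always sets RENEWED_DOMAINS for deploy hooks; running this file by
# hand without it is a no-op.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    deploy_hook
fi
```

To confirm that the running Node.js process really serves the renewed certificate, check the dates from the client side rather than on disk: echo | openssl s_client -connect app.example.com:443 -servername app.example.com 2>/dev/null | openssl x509 -noout -dates (domain assumed as above).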

Failure story

I rewrote firewalld to block port 443 for Apache. After setting port 443 to reject connections, I could no longer reach the web app at all. (Naturally: 443 is the port Node.js serves the app on, and the firewall does not care which process is behind it.)
