Re: py39-certbot-2.6.0,1

From: Doug Hardie <bc979_at_lafn.org>
Date: Fri, 17 Nov 2023 05:10:02 UTC
> On Nov 16, 2023, at 14:12, Pete Wright <pete@nomadlogic.org> wrote:
> 
> 
> 
> On 11/16/23 2:02 PM, Doug Hardie wrote:
>>> On Nov 16, 2023, at 13:59, TIM KELLERS <trkellers@gmail.com> wrote:
>>> 
>>> I use that certbot, too, and I just do an apachectl stop before "certbot renew."  I also have to stop the pf service because my firewall doesn't like port 80 traffic, but that's a different use case.
>>> 
>>> 
>>> Tim
>>> 
>>> 
>>> On 11/16/23 4:34 PM, Doug Hardie wrote:
>>>> I have been using py39-certbot-2.6.0,1 for sometime now without any issues.  However, earlier this month it started generating errors:
>>>> 
>>>> Renewing an existing certificate for sermon-archive.info and 5 more domains
>>>> Failed to renew certificate sermon-archive.info with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
>>>> 
>>>> Huh?  Of course there is a web server there.  That's why I need a certificate.  Anyone know how to fix this issue, or should I switch to some other LetsEncrypt client?  Thanks,
>>>> 
>> Stopping the web server is not a viable approach.  It is on a production machine and that would affect my clients.  It has never done this in the years I have been using LetsEncrypt.  I don't see any changes in that port either.
> 
> have you added any vhosts or 301 redirects on port 80 in your httpd configuration?  i have this issue with one system that does a 301 redirect to port 443 on port 80.  on another host where i don't do this certbot works as expected without having to stop httpd.

Addressing this response as well as several others not sent to the list.

I have not added any vhosts and standalone does not appear anywhere in the setup.  The initial setup output was:

INITIAL CERTIFICATE SETUP:
certbot certonly --webroot 

sermon-archive.info,sasa-web.net,steveandconnielarson.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com

LATEST CERTIFICATE UPDATE:
certbot certonly cert-name sermon-archive.info -d sermon-archive.info,sasa-web.net,steveandconnielarson.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com


mail.sermon-archive.info

master.sermon-archive.info

ADDING A NEW SAN:
certbot certonly --webroot --expand -d sermon-archive.info,sasa-web.net,steveandconnielarson.com,vintagecorvettessocal.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com,www.vintagecorvettessocal.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /usr/local/etc/letsencrypt/live/rssllc.us/fullchain.pem
   Your key file has been saved at:
   /usr/local/etc/letsencrypt/live/rssllc.us/privkey.pem
   Your cert will expire on 2020-05-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Since that time, I added a vhost and that had no issues.  However, recently a client went elsewhere and I deleted a vhost.  All I did was remove the vhost entry in the renew command which now reads:

#!/bin/sh -e
echo "Starting renew"
cd /www/certs
export PATH=/www/certs:$PATH
echo $PATH

# Capture certbot's exit status; with -e a failing certbot would otherwise
# abort the script before RC is reported (RC was never set in the original)
RC=0
certbot renew --webroot-path /www --key-type rsa || RC=$?

echo "RC = $RC"
echo "End of renew"

Since that doesn't list the domains, I suspect I did a command something like:

certbot certonly --webroot --expand -d sermon-archive.info,sasa-web.net,steveandconnielarson.com,vintagecorvettessocal.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com

However, I am not sure.  Obviously certbot saves the domain names somewhere and perhaps the deleted one is still there and certbot is trying to renew it with a default of standalone.

My web server is setup to handle the certbot challenges and has worked for some time.

-- Doug
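A check for the hypothesis in the message above, added here and not part of the thread: certbot keeps each lineage's saved renewal parameters in a renewal config (for the FreeBSD port, under /usr/local/etc/letsencrypt/renewal/<name>.conf, next to the live/ directory shown in the setup notes), and any lineage whose config still says "authenticator = standalone" will try to bind port 80 during "certbot renew". The sample configs below are constructed for the demonstration; the RENEWAL_DIR path is an assumption about the port's layout.

```shell
#!/bin/sh
# Added example, not from the thread: list certbot lineages whose saved renewal
# config does not use the webroot authenticator. A lineage left at
# "authenticator = standalone" makes "certbot renew" try to bind port 80.
# Assumes the FreeBSD port layout /usr/local/etc/letsencrypt/renewal/<name>.conf.

RENEWAL_DIR="${RENEWAL_DIR:-/usr/local/etc/letsencrypt/renewal}"

# Print "<lineage> <authenticator>" for each <name>.conf in $1 whose
# authenticator is not webroot; prints nothing when every lineage uses webroot.
find_non_webroot_lineages() {
    dir="$1"
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        lineage=$(basename "$conf" .conf)
        # Renewal configs are INI style: "authenticator = webroot" under [renewalparams]
        auth=$(sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
        case "$auth" in
            webroot) ;;
            "")      echo "$lineage (no authenticator set)" ;;
            *)       echo "$lineage $auth" ;;
        esac
    done
}

# Constructed sample configs so the check can be tried without touching a live
# install: one webroot lineage like the poster's, one stale lineage on standalone.
make_sample_renewal_dir() {
    d=$(mktemp -d)
    cat > "$d/sermon-archive.info.conf" <<'EOF'
[renewalparams]
authenticator = webroot
webroot_path = /www,
[[webroot_map]]
sermon-archive.info = /www
EOF
    cat > "$d/old-client.example.conf" <<'EOF'
[renewalparams]
authenticator = standalone
EOF
    echo "$d"
}

SAMPLE_DIR=$(make_sample_renewal_dir)
find_non_webroot_lineages "$SAMPLE_DIR"   # prints: old-client.example standalone
rm -rf "$SAMPLE_DIR"
# On the real host: find_non_webroot_lineages "$RENEWAL_DIR"
```

"certbot certificates" lists the same lineages with their domains, so a stale lineage it reports that no vhost serves any more is the one to delete with "certbot delete --cert-name <name>" rather than leave for "certbot renew" to retry.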