From: Doug Hardie
Subject: Re: py39-certbot-2.6.0,1
Date: Thu, 16 Nov 2023 21:10:02 -0800
To: Pete Wright
Cc: questions@freebsd.org
Message-Id: <6AA4AA77-A7FA-4290-A75B-14090F47F41F@sermon-archive.info>
In-Reply-To: <75f4ef5a-e6cc-425f-8a07-9f5f95e4d8aa@nomadlogic.org>
List-Id: User questions (freebsd-questions@freebsd.org)
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
> On Nov 16, 2023, at 14:12, Pete Wright wrote:
> 
> On 11/16/23 2:02 PM, Doug Hardie wrote:
>> On Nov 16, 2023, at 13:59, TIM KELLERS wrote:
>>> 
>>> I use that certbot, too, and I just do an apachectl stop before "certbot renew." I also have to stop the pf service because my firewall doesn't like port 80 traffic, but that's a different use case.
>>> 
>>> Tim
>>> 
>>> On 11/16/23 4:34 PM, Doug Hardie wrote:
>>>> I have been using py39-certbot-2.6.0,1 for some time now without any issues. However, earlier this month it started generating errors:
>>>> 
>>>> Renewing an existing certificate for sermon-archive.info and 5 more domains
>>>> Failed to renew certificate sermon-archive.info with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
>>>> 
>>>> Huh? Of course there is a web server there. That's why I need a certificate. Anyone know how to fix this issue, or should I switch to some other LetsEncrypt client? Thanks,
>>>> 
>> Stopping the web server is not a viable approach. It is on a production machine and that would affect my clients. It has never done this in the years I have been using LetsEncrypt. I don't see any changes in that port either.
> 
> have you added any vhosts or 301 redirects on port 80 in your httpd configuration? i have this issue with one system that does a 301 redirect to port 443 on port 80. on another host where i don't do this certbot works as expected without having to stop httpd.

Addressing this response as well as several others not sent to the list.

I have not added any vhosts and standalone does not appear anywhere in the setup.
The initial setup output was:

INITIAL CERTIFICATE SETUP:
certbot certonly --webroot
sermon-archive.info,sasa-web.net,steveandconnielarson.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com

LATEST CERTIFICATE UPDATE:
certbot certonly cert-name sermon-archive.info -d sermon-archive.info,sasa-web.net,steveandconnielarson.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com

mail.sermon-archive.info
master.sermon-archive.info

ADDING A NEW SAN:
certbot certonly --webroot --expand -d sermon-archive.info,sasa-web.net,steveandconnielarson.com,vintagecorvettessocal.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com,www.vintagecorvettessocal.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /usr/local/etc/letsencrypt/live/rssllc.us/fullchain.pem
   Your key file has been saved at:
   /usr/local/etc/letsencrypt/live/rssllc.us/privkey.pem
   Your cert will expire on 2020-05-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Since that time, I added a vhost and that had no issues. However, recently a client went elsewhere and I deleted a vhost.
All I did was remove the vhost entry in the renew command which now reads:

#!/bin/sh -e
echo "Starting renew"
cd /www/certs
export PATH=/www/certs:$PATH
echo $PATH

# Capture certbot's exit status. Under -e a failing bare command would end the
# script before the echo below ran, and RC was otherwise never assigned.
RC=0
certbot renew --webroot-path /www --key-type rsa || RC=$?

echo "RC = $RC"
echo "End of renew"

Since that doesn't list the domains, I suspect I did a command something like:

certbot certonly --webroot --expand -d sermon-archive.info,sasa-web.net,steveandconnielarson.com,vintagecorvettessocal.com,www.sasa-web.net,www.sermon-archive.info,www.steveandconnielarson.com

However, I am not sure. Obviously certbot saves the domain names somewhere and perhaps the deleted one is still there and certbot is trying to renew it with a default of standalone.

My web server is set up to handle the certbot challenges and has worked for some time.

-- Doug
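The suspicion in the message above, that certbot has recorded the domain list and authenticator somewhere and is now falling back to standalone, can be checked without stopping httpd. certbot keeps per-certificate renewal state in a small ConfigObj-style file per lineage under the renewal directory (/usr/local/etc/letsencrypt/renewal on the FreeBSD port, alongside the live/ directory the post's output shows), and "certbot renew" uses the authenticator named in that file's [renewalparams] section, not whatever was typed on the original certonly command line. The script below is an added example, not part of the post and not certbot's own code: it parses those files and reports any lineage whose authenticator is standalone (which makes certbot bind TCP/80 itself) or whose webroot map lacks an entry for a name in the certificate. The sample conf text embedded in it is constructed for the demo with a deliberately fake account id; the SAN list is passed in as an argument because the example does not parse the certificate PEM.

```python
"""Inspect certbot renewal configs for lineages that would bind TCP/80 at renew time.

certbot renew re-reads <renewal_dir>/<lineage>.conf and authenticates with the
plugin recorded there.  "authenticator = standalone" makes certbot open port 80
itself, which fails on a host already running httpd.  Needs no certbot install.
"""
import os
import sys

RENEWAL_DIR = "/usr/local/etc/letsencrypt/renewal"  # default on the FreeBSD port


def parse_renewal_conf(text):
    """Parse certbot's ConfigObj-style renewal file into nested dicts.

    Keys before any header land in conf[""]; "[renewalparams]" is a section;
    "[[webroot_map]]" is a subsection of the section that precedes it.
    """
    root = {"": {}}
    section, parent = root[""], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[["):                      # nested subsection
            if parent is None:
                raise ValueError("subsection before any section: " + raw)
            section = parent[line.strip("[] ")] = {}
            continue
        if line.startswith("["):                       # top-level section
            section = parent = root[line.strip("[] ")] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("unparseable line: " + raw)
        section[key.strip()] = value.strip()
    return root


def check_lineage(lineage, conf, san_domains=None):
    """Return (lineage, code, detail) findings for one parsed renewal config.

    san_domains: names in the certificate.  certbot derives the domain list from
    the cert's SANs and each needs a webroot path; the list is an input here.
    """
    params = conf.get("renewalparams", {})
    auth = params.get("authenticator", "")
    wmap = params.get("webroot_map", {})
    fallback = params.get("webroot_path", "").strip(", ")   # path used when no map entry
    findings = []
    if auth == "standalone":
        findings.append((lineage, "STANDALONE", "renew will try to bind TCP/80"))
    elif auth == "webroot":
        if not wmap and not fallback:
            findings.append((lineage, "NO_WEBROOT", "webroot plugin with no path recorded"))
        for d in san_domains or ():
            if d not in wmap and not fallback:
                findings.append((lineage, "MISSING_MAP", d))
    elif not auth:
        findings.append((lineage, "NO_AUTHENTICATOR", "renewalparams lacks authenticator"))
    return findings


def scan_dir(renewal_dir=RENEWAL_DIR, san_by_lineage=None):
    """Parse every <lineage>.conf under renewal_dir and collect findings."""
    san_by_lineage = san_by_lineage or {}
    findings = []
    for fn in sorted(os.listdir(renewal_dir)):
        if fn.endswith(".conf"):
            lineage = fn[: -len(".conf")]
            with open(os.path.join(renewal_dir, fn)) as fh:
                conf = parse_renewal_conf(fh.read())
            findings += check_lineage(lineage, conf, san_by_lineage.get(lineage))
    return findings


# Constructed sample in the layout certbot writes (paths as on the FreeBSD port);
# not copied from the poster's host, and the account id is deliberately fake.
SAMPLE_WEBROOT_CONF = """\
# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /usr/local/etc/letsencrypt/archive/sermon-archive.info
cert = /usr/local/etc/letsencrypt/live/sermon-archive.info/cert.pem
privkey = /usr/local/etc/letsencrypt/live/sermon-archive.info/privkey.pem
fullchain = /usr/local/etc/letsencrypt/live/sermon-archive.info/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0000000000000000
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
[[webroot_map]]
sermon-archive.info = /www
www.sermon-archive.info = /www
"""

# Same lineage rewritten as a standalone config: the failure mode in the post.
SAMPLE_STANDALONE_CONF = SAMPLE_WEBROOT_CONF.split("[[webroot_map]]")[0].replace(
    "authenticator = webroot", "authenticator = standalone")

if __name__ == "__main__":
    if len(sys.argv) > 1:          # e.g. python3 check_renewal.py /usr/local/etc/letsencrypt/renewal
        results = scan_dir(sys.argv[1])
    else:                          # demo on the constructed samples
        results = check_lineage("sermon-archive.info", parse_renewal_conf(SAMPLE_WEBROOT_CONF),
                                ["sermon-archive.info", "www.sermon-archive.info",
                                 "mail.sermon-archive.info"])
        results += check_lineage("standalone-demo", parse_renewal_conf(SAMPLE_STANDALONE_CONF))
    for lineage, code, detail in results:
        print(f"{lineage}: {code} {detail}")
```

Run it as root against the real renewal directory (the files are not world-readable), and feed the SAN check from the output of "certbot certificates", which lists each lineage with its domains. The point worth keeping in mind is that the authenticator line in the conf decides whether certbot tries to open port 80: passing --webroot-path to "certbot renew" supplies a path to the webroot plugin but does not by itself select that plugin, so a lineage recorded as standalone still attempts the bind.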