Letsencrypt notice - cron issues

apache2
letsencrypt

#1

I got an email that my SSL cert is expiring soon, so I am assuming the cron job that automates the renewal process is not running correctly.

In the root crontab I have:

33 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
30 2 * * 1 ~/acme.sh/acme.sh --cron --home ~/acme.sh > /dev/null

When I manually tried running the first command, it complains that port 80 is bound.

box:~/.acme.sh# ./acme.sh --cron --home "/root/.acme.sh/"
[Thu Sep  7 13:28:30 CEST 2017] ===Starting cron===
[Thu Sep  7 13:28:30 CEST 2017] Renew: '<domain here>'
[Thu Sep  7 13:28:30 CEST 2017] Standalone mode.
[Thu Sep  7 13:28:30 CEST 2017] LISTEN     0      128         :::80                      :::*                   users:(("apache2",pid=26431,fd=4),("apache2",pid=26183,fd=4),("apache2",pid=26182,fd=4),("apache2",pid=26181,fd=4),("apache2",pid=26180,fd=4),("apache2",pid=26179,fd=4),("apache2",pid=26175,fd=4),("apache2",pid=6128,fd=4))
[Thu Sep  7 13:28:30 CEST 2017] tcp port 80 is already used by 80                      
[Thu Sep  7 13:28:30 CEST 2017] Please stop it first
[Thu Sep  7 13:28:30 CEST 2017] _on_before_issue.
[Thu Sep  7 13:28:30 CEST 2017] Error renew <domain here>
[Thu Sep  7 13:28:30 CEST 2017] ===End cron===

When I disable Apache and run it, all is good. But should this script be updated to handle this case, or, better still, should we change the way we get new certs without having to stop Apache?


#2

Correction: you’ll get the email regardless; it doesn’t mean your cron isn’t working. It’s more of a courtesy they implement to let you know that there is an upcoming expiry on a certificate. This is handy when you’re using your server to generate certificates for things like a CDN (for example, MaxCDN, when providing your own certificates for custom subdomains).

That’s something that I have noticed the acme script needs. It requires the Apache service to stop on connection for the generation of certificates. It should post the service stop at the head of the script. I know there could be a few seconds of interruption on the process, but to me this is a fair price to pay for free SSL certs.
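A cron wrapper that does what post #2 proposes, with the check post #1 is missing, added here as an example and not code from the thread or from the acme.sh project: it stops Apache only when something is actually listening on port 80, starts it again even if the renewal fails, logs the acme.sh output instead of sending it to /dev/null, and turns that log into a verdict cron can report. It assumes acme.sh in /root/.acme.sh as in the crontab above and an Apache systemd unit named apache2; the canned `ss` line and log lines mentioned in the comments are constructed from the output in post #1.

```shell
#!/bin/sh
# Cron wrapper around acme.sh renewal (added example, not acme.sh's own code).
# Assumed: acme.sh lives in /root/.acme.sh (as in the crontab in post #1) and
# Apache runs as the systemd unit "apache2".
ACME_HOME="/root/.acme.sh"
LOG="/var/log/acme-renew.log"

# Exit 0 if a TCP listener is bound to port 80, 1 otherwise. Reads the output
# of `ss -ltn` from stdin so the parsing can be checked against canned text
# such as "LISTEN 0 128 :::80 :::*" (the line acme.sh printed in post #1).
port80_in_use() {
    awk '$1 == "LISTEN" && $4 ~ /:80$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Print a one-word verdict for an acme.sh cron log read from stdin:
#   busy  - standalone mode found port 80 already bound (the failure in post #1)
#   error - a renewal failed for some other reason
#   ok    - no "Error renew" line in the log
classify_acme_log() {
    awk '/port 80 is already used/ { busy = 1 }
         /Error renew/             { err = 1 }
         END { print (busy ? "busy" : (err ? "error" : "ok")) }'
}

# Run the renewal. Apache is stopped only when something actually holds port 80
# and is started again even if acme.sh fails, so a bad renewal never leaves the
# site down. Output goes to $LOG rather than /dev/null so failures are visible.
renew() {
    stopped=0
    if ss -ltn 2>/dev/null | port80_in_use; then
        systemctl stop apache2 && stopped=1
    fi
    "$ACME_HOME/acme.sh" --cron --home "$ACME_HOME" >"$LOG" 2>&1
    rc=$?
    if [ "$stopped" -eq 1 ]; then
        systemctl start apache2
    fi
    verdict=$(classify_acme_log <"$LOG")
    echo "acme renew: $verdict (acme.sh exit $rc)"
    # A nonzero exit makes cron mail the failure instead of hiding it.
    [ "$verdict" = ok ] && [ "$rc" -eq 0 ]
}

# Only renew when invoked as "acme-renew.sh run"; sourcing the file for tests
# defines the functions without touching Apache.
if [ "${1:-}" = run ]; then
    renew
fi
```

Installed as /usr/local/sbin/acme-renew.sh and called from the crontab as `acme-renew.sh run`, a failed renewal exits nonzero and leaves its log behind. Issuing the certificate once with acme.sh's webroot mode (-w <docroot>) avoids the stop entirely, since Apache then serves the HTTP-01 challenge itself.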


#3

But shouldn’t the cron job that renews the certificates take care of that server restart?

There must be a way to get it to work on a different port? Or another way…