Letsencrypt notice - cron issues

inverse · September 7, 2017, 11:32am

I got an email that my ssl cert is expiring soon so I am assuming the cronjob that automates the renewal process is not running correctly.

in the root crontab I have:

33 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
30 2 * * 1 ~/acme.sh/acme.sh --cron --home ~/acme.sh > /dev/null

When I manually tried running the first command It complains that port 80 is bound.

box:~/.acme.sh# ./acme.sh --cron --home "/root/.acme.sh/"
[Thu Sep  7 13:28:30 CEST 2017] ===Starting cron===
[Thu Sep  7 13:28:30 CEST 2017] Renew: '<domain here>'
[Thu Sep  7 13:28:30 CEST 2017] Standalone mode.
[Thu Sep  7 13:28:30 CEST 2017] LISTEN     0      128         :::80                      :::*                   users:(("apache2",pid=26431,fd=4),("apache2",pid=26183,fd=4),("apache2",pid=26182,fd=4),("apache2",pid=26181,fd=4),("apache2",pid=26180,fd=4),("apache2",pid=26179,fd=4),("apache2",pid=26175,fd=4),("apache2",pid=6128,fd=4))
[Thu Sep  7 13:28:30 CEST 2017] tcp port 80 is already used by 80                      
[Thu Sep  7 13:28:30 CEST 2017] Please stop it first
[Thu Sep  7 13:28:30 CEST 2017] _on_before_issue.
[Thu Sep  7 13:28:30 CEST 2017] Error renew <domain here>
[Thu Sep  7 13:28:30 CEST 2017] ===End cron===

When I disable apache and run it all is good. But should this script be updated to handle this case or better still change the way we get new certs without having to stop apache?

JMSolo · September 7, 2017, 2:06pm

Correction, you’ll get the email regardless, it doesn’t mean your cron isn’t working. It’s more of a courtesy they implement to let you know that there is an upcoming expiry on a certificate. This is handy when you’re using your server to generate certificates for things like (example: a CDN like MaxCDN when providing your own certificates for custom subdomains).

That’s something that I have noticed the acme script needs. It requires the apache service to stop on connection for the generation of certificates. It should post the service stop at the head of the script. I know there could be a few seconds of interruption on the process, but to me this is a fair price to pay for free ssl certs.

github.com

QuickBox/QB/blob/master/packages/package/install/installpackage-letsencrypt#L20


# URL                :   https://quickbox.io
#
# QuickBox Copyright (C) 2017 QuickBox.io
# Licensed under GNU General Public License v3.0 GPL-3 (in short)
#
#   You may copy, distribute and modify the software as long as you track
#   changes/dates in source files. Any modifications to our software
#   including (via compiler) GPL-licensed code must also be made available
#   under the GPL along with build & install instructions.


service apache2 stop
apt -y -qq install socat


cd /root
mkdir -p /etc/apache2/ssl/{site,certs}
git clone https://github.com/Neilpang/acme.sh.git acme.sh-master
cd /root/acme.sh-master


echo -ne "Please enter an administrator email: " ; read EMAIL
echo -ne "Please enter a valid domain: " ; read DOMAIN

inverse · September 7, 2017, 6:10pm

But shouldn’t the cronjob that renews the certificates take care of that server restart?

There must be a way to get it to work on a different port? or another way…