Letsencrypt Auto Renew


I am running two instances of Nextcloud 12.0.0 on a Tech and Me virtual appliance.

At the beginning of June on both instances /var/scripts/letsencryptrenew.sh started to fail to auto renew the SSL certificate.

/var/log/letsencrypt/cronjob.log content:

Let’s Encrypt SUCCESS!–2017-04-09_00:00
Let’s Encrypt SUCCESS!–2017-04-16_00:00
Let’s Encrypt SUCCESS!–2017-04-23_00:00
Let’s Encrypt SUCCESS!–2017-04-30_00:00
Let’s Encrypt SUCCESS!–2017-05-07_00:00
Let’s Encrypt SUCCESS!–2017-05-14_00:00
Let’s Encrypt SUCCESS!–2017-05-21_00:00
Let’s Encrypt SUCCESS!–2017-05-28_00:00
Let’s Encrypt FAILED!–2017-06-04_00:00
Let’s Encrypt FAILED!–2017-06-11_00:00
Let’s Encrypt FAILED!–2017-06-18_00:00
Let’s Encrypt FAILED!–2017-06-25_00:00

Errors from /var/log/letsencrypt/letsencrypt.log

2017-06-27 16:06:48,166:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/domain.name.conf produced an unexpected error: Could n$
2017-06-27 16:06:48,168:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 271, in _handle_perform_error
    raise errors.PluginError(msg)
PluginError: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again…

2017-06-27 16:06:48,169:DEBUG:certbot.log:Exiting abnormally:
Error: 1 renew failure(s), 0 parse failure(s)

Any help in identifying the root cause is appreciated.


I normally run the update twice: once checking if a renewal is needed and if so stop webserver, renew certs and restart (reload) webserver. For big sites it might not be suitable though since you’ll have a short outage every 3 months, but then again for big sites you probably want a longer valid certificate anyway.

If memory serves letsencrypt only allows a certain number of renews during a 3 month period (7 I think). It looks like you’re renewing every week.

When run manually from an SSH session the script manages to renew the certificate just fine. It is still a puzzle why it was failing as a weekly cron job. Also, the first cron based renewal after the manual script execution was reported as successful.

You can change it to daily instead. That ensures more tries. Also set the time to something that isn’t 00:00.

I’m not exactly sure what this script does, but the certbot renew command will automatically renew only if necessary, otherwise it just checks the expiration and makes no changes. That way you can run it as often as you want, and when I set mine up, the recommendation was twice a day.

The script looks like this: https://github.com/nextcloud/vm/blob/master/lets-encrypt/test-new-config.sh#L50-L55

By the book…

Correct, this is what I am using. Lines 50-55. Pretty simple commands.
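
For the failure discussed in this thread (weekly cron renewals failing while certbot's standalone plugin could not bind TCP port 443), here is a small log triage script, added as an example and not taken from the Nextcloud VM scripts or from any poster. It reports how long renewal has been failing and whether the cause is the port conflict. The function names, the constructed sample log lines and the `apache2` service name are assumptions; `--pre-hook` and `--post-hook` are existing certbot options that run only when a renewal is actually attempted.

```shell
#!/bin/sh
# Added example: triage for the two logs quoted in this thread.

# Length of the trailing run of FAILED entries in cronjob.log (0 = last run OK).
failing_streak() {
    awk '/SUCCESS!/ { n = 0 } /FAILED!/ { n++ } END { print n + 0 }' "$1"
}

# Date of the first failure in that trailing run (empty if there is none).
first_failure() {
    awk '/SUCCESS!/ { d = "" }
         /FAILED!/ && d == "" && match($0, /[0-9]+-[0-9]+-[0-9]+/) {
             d = substr($0, RSTART, RLENGTH) }
         END { print d }' "$1"
}

# Port named in the most recent standalone bind error (empty if none).
bind_conflict_port() {
    sed -n 's/.*Could not bind TCP port \([0-9][0-9]*\) because it is already in use.*/\1/p' "$1" | tail -n 1
}

# One-line verdict; returns 1 while renewal is failing so cron can alert on it.
triage() {
    streak=$(failing_streak "$1"); port=$(bind_conflict_port "$2")
    [ "$streak" -eq 0 ] && { echo "OK"; return 0; }
    echo "FAILING since $(first_failure "$1") ($streak runs)${port:+, port $port held by another process}"
    return 1
}

# Assumed remedy for the bind conflict (service name is an assumption; not run here):
# free the port only for the duration of a renewal that is actually due.
renew_with_hooks() {
    certbot renew --pre-hook "service apache2 stop" --post-hook "service apache2 start"
}

# Constructed sample logs in the format shown in the thread.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/cronjob.log" <<'EOF'
Let's Encrypt SUCCESS!--2017-05-21_00:00
Let's Encrypt SUCCESS!--2017-05-28_00:00
Let's Encrypt FAILED!--2017-06-04_00:00
Let's Encrypt FAILED!--2017-06-11_00:00
EOF
cat > "$SAMPLES/letsencrypt.log" <<'EOF'
PluginError: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server).
EOF
triage "$SAMPLES/cronjob.log" "$SAMPLES/letsencrypt.log" || true
```

Run against the real `/var/log/letsencrypt/cronjob.log` and `/var/log/letsencrypt/letsencrypt.log`, a non-zero exit from `triage` flags a failing streak before the certificate expires.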