Letsencrypt renewal fails: Could not bind to IPv4 or IPv6.. Skipping - lets-encrypt

The full error message I'm getting is:
Attempting to renew cert from /etc/letsencrypt/renewal/somedomain.com.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6.. Skipping.
This is running on an AWS ubuntu 14.04 instance. All ports are open outgoing and 443 is open incoming.

You just need to stop all running servers like Apache, nginx or OpenShift before doing this.
Stop Nginx
sudo systemctl stop nginx
Stop Apache2
sudo systemctl stop apache2

you probably run the script with (preconfigurated) --standalone when your server is already running at port 443.
You can stop server before renew and start them after.
man says:
--apache Use the Apache plugin for authentication & installation
--standalone Run a standalone webserver for authentication
--nginx Use the Nginx plugin for authentication & installation
--webroot Place files in a server's webroot folder for authentication
--manual Obtain certificates interactively, or using shell script hooks
If I run renew with --apache I can't get any error.

As hinted in the other answers, you need to pass the option for your running webserver, for example:
Without webserver param:
sudo certbot renew
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:tls-sni-01 challenge for example.com
Cleaning up challenges
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected
error:
Problem binding to port 443: Could not bind to IPv4 or IPv6..
Skipping.
Then, again with the webserver param (success):
sudo certbot renew --nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges: tls-sni-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
Congratulations, all renewals succeeded. The following certs have been
renewed: /etc/letsencrypt/live/example.com/fullchain.pem (success)

[This is specifically for ubuntu]
Login as root user to your server
Stop your server using the following command (for nginx)
service nginx stop
Then renew your certificate
certbot renew
Start your server
service nginx start
[TIP] To check the expiry date of your renewed certificate, enter the command below
ssl-cert-check -c [Path_to_your_certificate]/fullchain.pem
For example
ssl-cert-check -c /etc/letsencrypt/live/[your_domain_name]/fullchain.pem
Or
ssl-cert-check -c /etc/letsencrypt/live/[your_domain_name]/cert.pem
If you don't have ssl-cert-check already installed in your server, install it using
apt install ssl-cert-check
Note: The certificate can be renewed only if it is not expired. If it is expired, you have to create new one.

For NodeJS/PM2 users
I was using PM2 for my NodeJS service and when trying to renew the certificate I also got the "Problem binding to port 80: Could not bind to IPv4 or IPv6." error message.
As mentioned in above answers for Apache/Ngnix, Stopping my service and then trying to renew solved the problem.
pm2 stop all
sudo certbot renew
pm2 start all

First you need to install NGiNX lets encrypt plugin (if you work with NGiNX):
sudo apt install python-certbot-nginx
Then you can safely run:
sudo certbot renew --nginx
and it will work.
Note: certbot should already be installed.

For ngnix
sudo certbot renew --nginx

This happened because you used --standalone. The purpose of that option is to launch a temporary webserver because you don't have one running.
Next time use the --webroot method, and you'll be able to use your already running nginx server.

Borrowing from #JKLIR Simply run
/etc/letsencrypt/letsencrypt-auto renew --apache >> /var/log/letsencrypt/renew.log
to renew the ssl certificate

If you're trying to perform the certbot command as a regular user, you may not have access to bind to port 80 and other lower ports. If this is the case, you can grant python access to bind via:
First, see if you can find python 3+ (adjust as needed)
echo "$(readlink -f "$(which python3)")"
Allow python to open port 80 as a regular user (adjust as needed)
sudo setcap CAP_NET_BIND_SERVICE=+eip "$(readlink -f "$(which python3)")"
Re-run the failing certbot command.
Important: On Ubuntu 18.04, Python is called python3. It may be called a number of different things depending on the OS and how you obtained certbot. This command WILL VARY between OSs.
Warning: These lower ports are restricted for good reason. There are security considerations with the setcap command. You may read more about them here: https://superuser.com/a/892391

I use Nginx and needed to stop the server before I can proceed. Then I run the command:
$ sudo ./certbot-auto certonly --standalone -d chaklader.ddns.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for chaklader.ddns.net
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: xxx.chakfffder#gmail.com).
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/cdddddder.ddns.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/chaklader.ddns.net/privkey.pem
Your cert will expire on 2045-01-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

I had a similar issue when I was running two websites (hosts) on a single instance. I stopped Nginx and then ran sudo certbot certonly --standalone --preferred-challenges http -d domain.com -d www.domain.com. After restarting Nginx everything started to work fine.

Related

How do I renew my Let's Encrypt TLS certificate on AWS Lightsail Wordpress instance?

I setup a wordpress instance on AWS Lightsail and enabled HTTPS using bncert-tool as per this guide. Today I received an urgent email from Let's Encrypt asking to renew my TLS certificate(s) that were issued from Let's Encrypt using the TLS-ALPN-01 validation method.
How do I renew the certificate?
SSH into your lightsail instance and run the following commands:
sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start
In the preceding commands, replace EMAIL-ADDRESS and DOMAIN with the correct values.
You can use any of your working email addresses. Or, you can use the same email address that you used when you installed the certificate. You can retrieve the email you used when installing the certificate by running the following command:
sudo ls /opt/bitnami/letsencrypt/accounts/acm*
You can confirm the domain name by running the following command:
sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt list
For more info, please refer to this documentation
Now by default Bitnami bncert-tool renew the certificate automatically each month.
Source: generate-install-lets-encrypt-ssl
Run the following command:
sudo /opt/bitnami/bncert-tool
If you encounter Account [EMAIL ADDRESS] is not registered. Use 'run' to register a new account.
Use this command to register a new account and create a new certificate:
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt" run
Source: letsencrypt community

Single laravel install, multiple domains, SSL Encryption

I'm building an app in Laravel that has a single codebase that will serve multiple domain names, a new domain can be added in the CMS, and all that should have to be done for that new domain to work is have it's records pointed to the server. The CMS itself will then display the appropriate pages for that domain, based on the request()->getHost(); function.
The app is being managed with Laravel Forge.
My question is regarding nginx, and LetsEncrypt: I would like all new domains added in this way to be secured via SSL, would every new domain need to be added to forge manually, or is there some way to allow a wildcard TLD in the certificate? (And if so, is that a security risk?).
Will nginx require some specific configuration to work with wildcard TLDs?
My aim is to avoid additional configuration and have it automatic, with the domain name simply being added to the backend.
Thanks!
Please follow the Steps. Hope it will work for you.
1 - First clone Letsencrypt/Certbot repo from Github
cd /opt
git clone https://github.com/certbot/certbot.git
2 - Now enter new created directory and run certificate bot
cd certbot
./letsencrypt-auto certonly --manual --preferred-challenges=dns --email mymail#gmail.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.mywebsite.com
3 - Now Certbot will ask for a DNS record to check that if you really have rights at this domain.
------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.mywebsite.com with the following value:
5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX
Before continuing, verify the record is deployed.
------------------------------------------------------------------
Press Enter to Continue
4 - After adding this DNS TXT record to your domain and wait for few seconds press enter and continue.
5 - Your certificate is ready!
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mywebsite.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mywebsite.com/privkey.pem
Your cert will expire on 2018-08-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
6 - Now we will copy our fullchain.pem and privkey.pem to our Nginx folder and add this to our Nginx server configuration. For example;
server {
listen 443 ssl;
server_name test.mywebsite.com;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;
...
Hope it will helpful.

Disable let's encrypt certbot daily renew emails

Is it possible to tell certbot not to email me every day when running on cronjob?
My cronjob is:
0 0 * * * sudo /usr/bin/certbot renew --post-hook "sudo service nginx reload"
And I get emails:
Cert not yet due for renewal
I only want to get emailed when a certificate is up for renewal, failed to renew, or has been renewed.
I don't need to be notified daily that there is nothing to renew.
According to the Certbot user guide, if you only wanted to be informed of renewal failures then you could add the --quiet option to your command:
certbot renew --quiet --post-hook "sudo service nginx reload"
If you only want to suppress this one particular message then you could modify your command to use grep to discard the message, something like:
certbot renew --post-hook "sudo service nginx reload" | grep -v "not yet due for renewal"
As far as I know certbot never sends any emails, it's just a command line utility. It's letsencrypt.org who sends certificate expiration notice. But it only sends email when the certificate is about to expire for a domain whose certificate was procured using your email (by --email flag of certbot).
I assume there is some other custom service or script which is sending this email.

Sesman-Xvnc throws password failed with every user

I have an Ubuntu 16.04 LTS virtual machine that I use for log management. Since I created it, I use Sesman-Xvnc and has always been nice and easy to log in. However, after been on it for the last 3 weeks with on issues whatsoever, today I got to the office and it throws this error:
Connecting to sesman ip 127.0.0.1 port 3350
sesman connect ok
sending login info to session manager, please wait...
xrdp_mm_process_login_response: login successful for display
Started connecting
connecting to 127.0.0.1 5912
tcp connected
security level is 2 (1 = none, 2 = standard)
password failed
error - problem connecting
I didn't changed my password, the machine was on all the time and I am able to log in via ssh with my user and password.
I have tried reinstalling the services with:
sudo apt-get remove xrdp vnc4server tightvncserver
sudo apt-get install tightvncserver
sudo apt-get install xrdp
And then restarted the xrdp service with:
service xrdp restart
I have also created a new user but the results are the same; password failed.
Any ideas of how to sort this out?
Thank you very much familia. ;)
I too have the same issue facing it since today, Have put up the issue here.
XRDP doesnt connect to Azure VM suddenly
I fixed it by allowing the port which it is trying to connect to sesman in the ufw:
The moment u see connecting to "sesman ip 127.0.0.1 port 3350" (or any other port) in the RDP, Take that port number, and allow that port to the ufw using
These are the steps I used :
Downgrade ur xrdp using this :
[sudo apt-get install xrdp=0.6.1-2
and Hold the xrdp instance,
sudo apt-mark hold xrdp
Sudo ufw enable
Sudo ufw allow 3350 and
Sudo ufw allow 3389]
NB:You may use this cmd to see if its open:
sudo netstat -plnt | grep rdp
Perform these in the SSH window.
This worked for me. Hope it fixes this issue.
We had the same issue and it seems to be caused by an automatic update of 'xrdp'. Have a look to this post:
https://askubuntu.com/questions/1108550/xrdp-failed-problem-connecting-when-package-was-auto-updated

renewal of letsencrypt certificate fails

I'm using debain jessie, certbot version 0.9.3-1~bpo8+2. Since last two days I've been started getting this error while renewing certificates for my site.
Could not bind TCP port 443 because it is already in use by another process on
this system (such as a web server). Please stop the program in question and then
try again.
-------------------------------------------------------------------------------
Attempting to renew cert from /etc/letsencrypt/renewal/www.testsite.com.conf produced an unexpected error: object of type 'NoneType' has no len(). Skipping.
What should I do ? I'm not much familiar with Letsencrypt. Anybody please shade light on this ?
I haven't found a way to do this with "zero downtime", but you can auto stop/start nginx with hooks so you can handle renewals with cron:
certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
Just stop your webserver and run the same again. If you are using nginx use sudo service nginx stop
I am apache2 lover, here is solution
certbot renew --cert-name www.snippetbucket.com --pre-hook
"service apache2 stop" --post-hook "service apache2 start"
Makes more simple and works 100%.
Now, with all domain reference on apache hosted server, automated process.
certbot renew --pre-hook
"service apache2 stop" --post-hook "service apache2 start"
Advice: In case automated not works, just schedule renew process in advance according server low traffic.

Resources