
When one tries to create a new certificate using certbot, the assumption was that either port 80 or 443 needs to be available, but that does not seem to be the case, as:

-------------------------------------------------------------------------------
The program nginx (process ID 123454) is already listening on TCP port 443. This
will prevent us from binding to that port. Please stop the nginx program
temporarily and then try again.
-------------------------------------------------------------------------------
At least one of the (possibly) required ports is already taken.

occurs.

How to renew certificates without stopping services, e.g. nginx?

Attempt to solve the issue

Version?

root@hostname:~# letsencrypt --version
letsencrypt 0.4.1

Options?

root@hostname:~# letsencrypt --help

  letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  renew                Renew previously obtained certs that are near expiry
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

  (the apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  (nginx support is experimental, buggy, and not installed by default)
  --webroot         Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

  --authenticator standalone --installer apache

More detailed help:

  -h, --help [topic]    print this message, or detailed help on a topic;
                        the available topics are:

   all, automation, paths, security, testing, or any of the subcommands or
   plugins (certonly, install, nginx, apache, standalone, webroot, etc)

Will it be safe to use the following option?

  (nginx support is experimental, buggy, and not installed by default)
  --webroot         Place files in a server's webroot folder for authentication
Comment: Yes, `--webroot` is helpful for this - it'll put the required files in that directory for the existing webserver to serve. – ceejayoz Jun 29 '17 at 14:46

2 Answers

If you're trying to use the certbot in a standalone fashion (separate from any other web server), then yes your webserver will need to be stopped so that certbot can use those ports.

However, you can integrate the directories certbot needs right into your webserver config and then certbot itself doesn't need to bind to those ports.

EEAA
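As an added example (not part of EEAA's answer and not certbot's own code), this is what "integrating the directories certbot needs into your webserver config" looks like for nginx: a location block to include in the server that listens on port 80, the `certonly --webroot` invocation from the `--help` output above, and a local self-check that the directory mapping round-trips. The webroot path `/var/www/letsencrypt` and the domains are placeholders; the binary is called `certbot` here and `letsencrypt` in the 0.4.1 release shown in the question.

```shell
#!/bin/sh
# Added example: HTTP-01 via an already-running nginx, so certbot never binds
# to port 80 or 443. /var/www/letsencrypt and example.com are placeholders.

# Print an nginx location block that serves ACME challenge files from WEBROOT.
# The CA fetches http://<domain>/.well-known/acme-challenge/<token>, so only
# that prefix is mapped; the rest of the site keeps its normal configuration.
acme_nginx_snippet() {
    webroot="$1"
    cat <<EOF
location ^~ /.well-known/acme-challenge/ {
    root $webroot;
    default_type text/plain;
    try_files \$uri =404;
}
EOF
}

# Print the certbot command for the webroot authenticator. certonly only
# obtains the certificate (no installer), so nginx is never touched by certbot.
certbot_webroot_cmd() {
    webroot="$1"; shift
    cmd="certbot certonly --webroot -w $webroot"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd"
}

# Local self-check of the mapping: write a constructed token where certbot
# would, then read it back via the path nginx derives from root + URI.
# Returns 0 when the file round-trips, 1 otherwise.
acme_webroot_selfcheck() {
    webroot="$1"
    token="constructed-token-$$"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$token.keyauth" > "$dir/$token"
    uri="/.well-known/acme-challenge/$token"
    [ "$(cat "$webroot$uri")" = "$token.keyauth" ] || return 1
    rm -f "$dir/$token"
    return 0
}

# Usage (placeholders):
#   acme_nginx_snippet /var/www/letsencrypt > /etc/nginx/snippets/acme.conf
#   include that file in every server {} that listens on :80, then
#   nginx -t && nginx -s reload
#   acme_webroot_selfcheck /var/www/letsencrypt
#   $(certbot_webroot_cmd /var/www/letsencrypt example.com www.example.com)
# Renewal reuses the same webroot, e.g. from cron:
#   certbot renew && nginx -s reload
```

Two practical caveats: if the site redirects all HTTP traffic to HTTPS, the validator follows the redirect, so either exclude the challenge prefix from the redirect or include the same snippet in the 443 server block; and the `try_files $uri =404` line keeps the location from falling through to an application handler that might answer with 200 and the wrong body.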

I have never done it with nginx, but you could have certbot use the dns-01 ACME protocol option. With this, the domain-control probes needed for certificate renewal occur without having to bind on the ports that are actually serving traffic.

For this, you need to have control over your DNS, of course, and probably will have to signal nginx to reload its configuration after a successful certificate renewal, but that can be done without downtime.

Pablo
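As an added example (not part of Pablo's answer and not certbot's own code), the dns-01 route boils down to publishing one TXT record and waiting for it to propagate before letting the CA probe. The helpers below recompute the record value from a key authorization (RFC 8555 section 8.4) and check a resolver's answer against it, so a renewal script can confirm propagation before continuing and reload nginx only once the new certificate is in place. `example.com` and the key authorization strings are constructed placeholders; `openssl`, `base64` and `dig` are assumed to be installed.

```shell
#!/bin/sh
# Added example: verify a dns-01 challenge record before the CA is told to
# validate. Domain and key authorization values are constructed placeholders.

# RFC 8555 s8.4: the TXT record at _acme-challenge.<domain> carries
# base64url(SHA-256(keyAuthorization)) with the '=' padding removed.
dns01_txt_value() {
    printf '%s' "$1" | openssl dgst -sha256 -binary | base64 | tr '+/' '-_' | tr -d '=\n'
}

# Compare an expected TXT value with one line of `dig +short TXT` output,
# which wraps the record data in double quotes. Returns 0 on match.
dns01_match() {
    expected="$1"
    answer=$(printf '%s' "$2" | sed 's/^"//; s/"$//')
    [ "$answer" = "$expected" ]
}

# Ask the resolver for the challenge record and succeed if any answer line
# matches; a renewal script loops on this until propagation has happened.
dns01_published() {
    dig +short TXT "_acme-challenge.$1" | {
        while read -r line; do
            dns01_match "$2" "$line" && exit 0
        done
        exit 1
    }
}

# Usage (placeholders): certbot in manual dns-01 mode prints the key
# authorization / TXT value to publish; after creating the record:
#   expected=$(dns01_txt_value "$keyauth")
#   until dns01_published example.com "$expected"; do sleep 30; done
# then let certbot continue. Afterwards nginx only needs a reload, never a
# stop, because nothing here listened on port 80 or 443:
#   nginx -t && nginx -s reload
```

With current certbot releases a DNS provider plugin can create the record and do this wait itself; the manual check above is the fallback when no plugin exists for the DNS host, and it is the same value comparison the CA performs.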