Unable to setup certbot properly with nginx + rails

Posted November 1, 2017 3.8k views
Applications, Ubuntu 16.04

According to the article

I’m running command to test it:

    $ sudo certbot renew --dry-run  

And get this:

      WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/ produced an unexpected error: At least one of the (possibly) required ports is already taken.. Skipping.
      ** DRY RUN: simulating 'certbot renew' close to cert expiry
      **          (The test certificates below have not been saved.)

      All renewal attempts failed. The following certs could not be renewed:
        /etc/letsencrypt/live/ (failure)
      ** DRY RUN: simulating 'certbot renew' close to cert expiry
      **          (The test certificates above have not been saved.)

It’s because nginx is running. But: how is it supposed to work? Stopping nginx and my website twice a day to check and possibly renew a certificate won’t be a wise way to go.

How to fix it?

I’m using nginx + rails.

In cron I have this job:

    $ sudo certbot renew 


1 answer

You shouldn’t need to restart nginx, a reload should be enough. Check --help to see if your certbot has support for --post-hook "service nginx reload"

I believe newer nginx version will reload certificates as part of their reload - and if they don’t --post-hook should only result in one nginx restart every 3 months.

  • it’s not about reloading.
    it’s about the fact that certbot doesn’t work at all when nginx is running on 443 port.

    • I never tried to get the verification to work on https because it doesn’t make sense to me. I can see things really not working well when my certificate expires, and I need https running in order to get a new cert.

      I serve acme requests on plain-old-http, so I have an https-redirect server section like this in each of my LEed name-based vhosts:

         server {
              listen 80;
              # Everything except the ACME challenge path is sent to https.
              location / {
                  return 301 https://$host$request_uri;
              }
              # Challenge files are served over plain http so the CA can fetch
              # them while nginx keeps port 80; "^~" wins over the "/" prefix.
              location ^~ /.well-known/acme-challenge/ {
                  alias /websites/websitenamehere/well-known/acme-challenge/;
                  index  index.html index.htm;
                  allow all;
                  default_type "text/plain";
              }
          }

      and I tell le to dump its challenges there.
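The vhost in the comment above only helps if the challenge directory is really reachable at `http://<host>/.well-known/acme-challenge/<token>` on port 80, with nginx still running. The script below is an added example, not code from the original post or from certbot: it writes a throwaway probe file into the directory nginx aliases for that prefix, fetches it over plain HTTP the way the Let's Encrypt validator would, and reports whether the bytes round-trip. Run it by hand (or from certbot's `--pre-hook`) before `certbot renew` so a broken vhost fails the check instead of the real renewal. The `AcmeStandInHandler` is a small stand-in that mimics the nginx config (alias for the ACME prefix, 301 to https for everything else) so the example runs offline; the directory paths and URLs in it are assumptions, not values from the original post.

```python
"""Pre-flight check for HTTP-01 renewals served through a running nginx.

Added example (not from the original post). Assumed paths such as
/websites/websitenamehere/well-known/acme-challenge are placeholders.
"""
import secrets
import sys
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

ACME_PREFIX = "/.well-known/acme-challenge/"


def probe_acme_path(challenge_dir: str, base_url: str, timeout: float = 5.0) -> bool:
    """Write a random probe file under challenge_dir and fetch it via base_url.

    challenge_dir: directory nginx maps to /.well-known/acme-challenge/
                   (the `alias` target in the vhost).
    base_url:      e.g. "http://example.com" -- plain HTTP, no TLS.
    Returns True only if HTTP 200 comes back with exactly the written bytes.
    """
    token = secrets.token_urlsafe(32)          # URL- and filename-safe
    body = (token + ".probe").encode()
    path = Path(challenge_dir) / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(body)
    try:
        url = base_url.rstrip("/") + ACME_PREFIX + token
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read() == body
    except (urllib.error.URLError, OSError):
        # 404 (wrong alias), refused connection (nothing on :80), timeouts
        return False
    finally:
        path.unlink(missing_ok=True)           # never leave probes behind


class AcmeStandInHandler(SimpleHTTPRequestHandler):
    """Stand-in for the nginx vhost: serve only the ACME prefix, 301 the rest."""

    def do_GET(self):
        if self.path.startswith(ACME_PREFIX):
            # Mimic nginx `alias`: drop the location prefix, serve from
            # the handler's directory (set via the `directory` kwarg).
            self.path = "/" + self.path[len(ACME_PREFIX):]
            return super().do_GET()
        host = self.headers.get("Host", "localhost")
        self.send_response(301)
        self.send_header("Location", "https://" + host + self.path)
        self.end_headers()

    def log_message(self, *args):              # keep the example quiet
        pass


def start_stand_in(challenge_dir: str):
    """Serve challenge_dir on a random loopback port; return (server, base_url)."""
    handler = partial(AcmeStandInHandler, directory=challenge_dir)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo_roundtrip():
    """Offline demo: probe the directory the stand-in serves, then a wrong one.

    Returns (ok_for_served_dir, ok_for_unserved_dir); expect (True, False).
    """
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        server, base_url = start_stand_in(served)
        try:
            return probe_acme_path(served, base_url), probe_acme_path(other, base_url)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    # Real use: check_acme.py /websites/websitenamehere/well-known/acme-challenge http://example.com
    if len(sys.argv) == 3:
        ok = probe_acme_path(sys.argv[1], sys.argv[2])
    else:
        ok, _ = demo_roundtrip()
    print("acme-challenge path reachable" if ok else "acme-challenge path NOT reachable")
    sys.exit(0 if ok else 1)
```

A non-zero exit from a `--pre-hook` makes certbot skip that renewal attempt rather than hit the CA with a request that will fail, and a `--post-hook` such as `service nginx reload` (as suggested in the answer above) picks up the new certificate without restarting nginx. Both hooks exist as `certbot renew` options; the script itself only tells you that port 80 and the alias are wired up, it does not renew anything.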