
Certbot and nginx versions:

Certbot was installed using the certbot.eff.org install guide.

  • Certbot version: 0.22.2
  • Nginx version: 1.10.3

Getting ssl certificates works fine:

certbot --nginx

But in renewal of certbot certificates,

certbot renew --dry-run

nginx fails to start, causing:

nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)

I have tried changing the post-hook and pre-hook in /etc/letsencrypt/renewal/*com.conf/:

  • commenting installer=nginx
  • changing authenticator to nginx and standalone

Adding post and pre hooks in /etc/letsencrypt/renewal-hooks/pre/ and /etc/letsencrypt/renewal-hooks/post/ to stop and start the nginx service.

It seems nginx is not starting properly or isn't stopping properly. After renewal completes, nginx fails with (code=exited, status=1/FAILURE).

The nginx error log shows:

[image: nginx error log]

Error while certbot renew: [image: Certbot error log in renewal]

Roshan Shrestha

7 Answers

Try to execute:

sudo service nginx restart

Then test your nginx configuration file(s) (until you see "nginx: configuration file /etc/nginx/nginx.conf test is successful")

sudo nginx -s reload -t

Pay attention to the paths to certificates and other stuff,

and then reload the configuration without the -t option:

sudo nginx -s reload

It's not recommended to modify configuration files in /etc/letsencrypt/, but creating (if it doesn't exist) and modifying the cli.ini file there is working for me. You can specify post-hook in this file once and it will work for all your certificates; see my current file:

# /etc/letsencrypt/cli.ini
max-log-backups = 0
authenticator = webroot
webroot-path = /var/www/html
post-hook = service nginx reload
text = True

I hope this will help future readers. The solution source is here (however, the article is in Russian).

hotenov
  • It works. There is a so-called `pid` file there, so the solution is just because `sudo service nginx restart` can create `/run/nginx.pid`, right? – http8086 Jun 24 '22 at 19:55
  • @http8086 Not sure that I understood your question. But I think the issue is certbot trying to operate with the NGINX process using the `.pid` file. The path to the `.pid` file can be changed in the conf file. After restarting NGINX, the `.pid` file can be located in a new place. Honestly, I don't remember why I started from restarting NGINX :) The key thing is using the correct `post-hook` command for reloading NGINX in the `cli.ini` file and a tested NGINX configuration file, of course. – hotenov Jun 25 '22 at 07:40

I had the same issue on Ubuntu 16.04.

I've just removed the post and pre hooks in /etc/letsencrypt/renewal/*.conf and changed authenticator to nginx (I had standalone in two entries).

And it is working fine now.

Edit:

The recommended way to update the renewal config is to reissue a new certificate using:

certbot -i nginx -d example.com -d www.example.com certonly

S.S. Anne
lechup
  • Just as an addition: There is a nice explanation about how to correct the .conf files in this post: https://stackoverflow.com/a/54540470/2692283 – sagacity Nov 27 '20 at 21:51
You can run this command line before running reload nginx.

sudo nginx -c /etc/nginx/nginx.conf

or

sudo nginx -c /usr/local/etc/nginx/nginx.conf

Then you can start nginx normally:

sudo nginx -s reload

Good luck.

tuanngocptn

I had the same error...

When I installed certbot, I followed the instructions and put in a cronjob (5 3 15 * *):

certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

This morning nginx was dead, and the log showed:

open() "/run/nginx.pid" failed (2: No such file or directory)

I did not connect the two, but do I understand that certbot triggers the nginx failure?

  1. ps -ef | grep nginx, find all nginx processes
  2. sudo kill -9 xxx xxx xxx or sudo pkill nginx
  3. sudo systemctl restart nginx
  4. sudo nginx -t
山茶树和葡萄树

I had this problem and followed a similar tack to those outlined here.

I had had certbot install a certificate, but it was in certonly --nginx mode; I supplied my own nginx server blocks. certbot worked, but an nginx failure cast doubt on the accuracy of my provisioning.

This certbot call "restarts" nginx with a modified server block configuration, so it can answer the HTTP-01 challenges. I know this because when it fails, it will log "nginx restart failed:" just before the bind() failures I'm about to show. My nginx server was down when provisioning succeeded.

I couldn't get systemctl or service to start it, and systemctl status nginx would only ever show "failed".

Whilst I could get nginx up and serving with nginx -s reload, I wanted systemd to manage it for me.

No amount of systemctl {start|restart|stop|quit} nginx would work. The status remained as failed and would show errors with bind():

Oct 07 10:04:13 HostXYZ systemd[1]: Starting A high performance web server and a reverse proxy server...
Oct 07 10:04:13 HostXYZ nginx[17096]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Unknown error)
Oct 07 10:04:13 HostXYZ nginx[17096]: nginx: [emerg] bind() to [::]:80 failed (98: Unknown error)
Oct 07 10:04:13 HostXYZ nginx[17096]: nginx: [emerg] bind() to [::]:443 failed (98: Unknown error)
Oct 07 10:04:13 HostXYZ nginx[17096]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Unknown error)

That would repeat in journalctl output, 4 or 5 times.

I checked the process and saw:

:~$ ps aux | grep nginx
root       12960  0.0  0.6  77216  9816 ?        Ss   Oct06   0:00 nginx: master process nginx -c /etc/nginx/nginx.conf
www-data   16944  0.0  0.5  77360  8604 ?        S    08:43   0:00 nginx: worker process

That process appeared to be occupying the ports needed by my systemd service. My systemd service doesn't use that -c /etc/nginx/nginx.conf. It uses:

ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'

nginx -s stop and quit would not rid me of the rogue process. Instead, they both gave the error the OP had:

:~$ sudo nginx -s stop
nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)

Both my systemd service unit and /etc/nginx/nginx.conf gave /run/nginx.pid as the PIDFile/pid. For some reason, /etc/nginx/nginx.conf wasn't creating it.

What I needed to do:

sudo killall nginx
sudo systemctl start nginx

That knocked out the other nginx service (I think it came from nginx -s reload, but I couldn't shut it down by the corollary command), which looked like this:

:~$ sudo killall nginx
:~$ ps aux | grep nginx
john    17140  0.0  0.1   4008  2004 pts/0    S+   10:10   0:00 grep --color=auto nginx
:~$ sudo systemctl start nginx
:~$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-10-07 10:10:25 UTC; 1s ago
...
:~$ ps aux | grep nginx
root       11481  0.0  0.1  76484  2588 ?        Ss   10:10   0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data   11482  0.0  0.2  76876  4284 ?        S    10:10   0:00 nginx: worker process
:~$ cat /run/nginx.pid 
11481
John
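A post-hook that combines hotenov's "reload through a hook" approach with the stale-pid-file state John describes above. This is an added example, not code from either answer: it validates the config first, reloads only when /run/nginx.pid names a live master process, and otherwise lets systemd restart the unit. The paths assume a Debian/Ubuntu layout, and the script name renew-post-hook.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from any answer on this page): certbot post-hook that
# reloads nginx safely. Assumed paths: /run/nginx.pid, /etc/nginx/nginx.conf.
# Run as root (certbot's hooks are), so kill -0 is not refused by permissions.

NGINX_PIDFILE="${NGINX_PIDFILE:-/run/nginx.pid}"
NGINX_CONF="${NGINX_CONF:-/etc/nginx/nginx.conf}"

# Return 0 if PIDFILE exists, holds a number, and that process is running.
pidfile_is_live() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;    # empty or non-numeric content
    esac
    kill -0 "$pid" 2>/dev/null      # fails for a pid that no longer exists
}

# Decide what the hook should do: "reload" for a live pid file, otherwise
# "restart". Kept side-effect free so it can be exercised without nginx.
choose_action() {
    if pidfile_is_live "$1"; then echo reload; else echo restart; fi
}

# The hook body: never reload a broken config (that is how nginx ends up
# dead after a renewal), and go through systemd rather than `nginx -s reload`
# so the unit's own pid file stays authoritative.
reload_nginx() {
    nginx -t -c "$NGINX_CONF" || return 1
    case "$(choose_action "$NGINX_PIDFILE")" in
        reload)  systemctl reload nginx ;;
        restart) echo "$NGINX_PIDFILE missing or stale; restarting via systemd" >&2
                 systemctl restart nginx ;;
    esac
}

# Run the hook only when certbot executes this file directly (assumed name).
if [ "${0##*/}" = "renew-post-hook.sh" ]; then
    reload_nginx
fi
```

Placed in /etc/letsencrypt/renewal-hooks/post/ (the directory the question already uses) and made executable, certbot runs it after each successful renewal without any cli.ini change.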

This happened to me due to a different authenticator plugin for each domain: one was with authenticator = standalone, another with authenticator = nginx. Also, pre-/post-hooks were set for both, which is also wrong; they should be used only with the standalone plugin.

When I got rid of this mess, specified authenticator = nginx for all domains in /etc/letsencrypt/renewal/*.conf and removed the hooks, everything started to work smoothly.
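A small lint for the two mix-ups lechup's answer and this one describe (a standalone authenticator next to the nginx installer, and pre/post hooks left in place while the nginx plugin is in use). This is an added example, not code from either answer; it assumes the usual /etc/letsencrypt/renewal/*.conf layout with a [renewalparams] section and underscore keys (authenticator, installer, pre_hook, post_hook).

```shell
#!/bin/sh
# Added example (not from any answer on this page): lint certbot renewal
# files for inconsistent authenticator/installer/hook settings.

# Print the value of KEY ($2) in the [renewalparams] section of FILE ($1);
# prints nothing if the key is unset.
renewal_param() {
    awk -v key="$2" '
        /^\[/ { insect = ($0 == "[renewalparams]"); next }
        insect && $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Report problems for one renewal file: one line per finding on stdout,
# return 1 if anything was found and 0 if the file is consistent.
check_renewal_conf() {
    conf="$1"; problems=0
    auth=$(renewal_param "$conf" authenticator)
    inst=$(renewal_param "$conf" installer)
    pre=$(renewal_param "$conf" pre_hook)
    post=$(renewal_param "$conf" post_hook)
    if [ "$inst" = "nginx" ] && [ "$auth" != "nginx" ]; then
        echo "$conf: authenticator '$auth' with installer nginx; use nginx for both"
        problems=1
    fi
    if [ "$auth" = "nginx" ] && { [ -n "$pre" ] || [ -n "$post" ]; }; then
        echo "$conf: pre/post hooks set although the nginx plugin manages nginx itself"
        problems=1
    fi
    return $problems
}

# Check every renewal file under DIR (default /etc/letsencrypt/renewal).
check_all_renewal_confs() {
    rc=0
    for f in "${1:-/etc/letsencrypt/renewal}"/*.conf; do
        [ -e "$f" ] || continue
        check_renewal_conf "$f" || rc=1
    done
    return $rc
}
```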