Certbot on FreeBSD 14.0

If you can't renew your Let's Encrypt certificates on FreeBSD, as happened to me (because the httpd process always crashes), here is the solution!

When you try to renew manually (but it’s the same with the automated method), you get the following error:

root@debnar:~ # certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/debnar.org-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for debnar.org

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: debnar.org
Type:   connection
Detail: 158.220.114.171: Fetching http://debnar.org/.well-known/acme-challenge/E: Connection refused

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).

Unable to restart apache using ['apachectl', 'graceful']
Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).
Failed to renew certificate debnar.org-0001 with error: Some challenges have failed.

There is a bug in the apachectl graceful restart: if you try to restart gracefully, apache crashes:

Jul 28 08:06:02 debnar kernel: pid 8217 (httpd), jid 0, uid 0: exited on signal 11 (core dumped)

Whoops. Here is the workaround: simply modify certbot's Python code to do a full restart instead of a graceful restart. Of course it's more aggressive and probably not something you'd do on a production system, but hey.

vim /usr/local/lib/python3.9/site-packages/certbot_apache/_internal/configurator.py

And replace this line (84th line):

self.restart_cmd = ['apachectl', 'graceful'] if not restart_cmd else restart_cmd

to this

self.restart_cmd = ['apachectl', 'restart'] if not restart_cmd else restart_cmd

Now it works like a charm:

root@debnar:~ # certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/debnar.org-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for debnar.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/usr/local/etc/letsencrypt/live/debnar.org-0001/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@debnar:~ #

Also don’t forget: you have to do this after every certbot update.
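Since the edit has to be redone after every certbot update, here is a small script (an added example for this post, not part of certbot) that re-applies it safely: it refuses to touch the file unless the exact `graceful` line from the post is present, keeps a copy of the packaged file, and is harmless to run twice. The default path is the python3.9 one from the post; the function name `patch_restart_cmd` is my own.

```sh
#!/bin/sh
# Re-apply the graceful -> restart workaround to certbot's Apache configurator.
# Added example for this post, not certbot's own code. The default path is the
# FreeBSD py39 package location from the post; pass another path as $1.

CONFIGURATOR="${1:-/usr/local/lib/python3.9/site-packages/certbot_apache/_internal/configurator.py}"

# The two list literals exactly as they appear in the post.
GRACEFUL="['apachectl', 'graceful']"
RESTART="['apachectl', 'restart']"

# patch_restart_cmd FILE
# Exit status: 0 = patched now or already patched,
#              1 = file missing,
#              2 = the expected 'graceful' line is not there (upstream changed;
#                  do not guess, inspect the file by hand instead).
patch_restart_cmd() {
    f="$1"
    [ -f "$f" ] || return 1
    if grep -Fq "$RESTART" "$f"; then
        return 0                       # already patched, nothing to do
    fi
    grep -Fq "$GRACEFUL" "$f" || return 2
    cp "$f" "$f.orig"                  # keep the packaged version for reference
    # Replace the list literal; [ and ] must be escaped in a sed BRE pattern.
    sed "s/\['apachectl', 'graceful'\]/['apachectl', 'restart']/" "$f.orig" > "$f"
    grep -Fq "$RESTART" "$f"           # confirm the edit actually landed
}

# Only act when a path was given on the command line, so sourcing the file
# to reuse the function does not modify anything.
if [ -n "${1:-}" ]; then
    patch_restart_cmd "$1" && echo "patched: $1"
fi
```

After running it, `certbot renew --dry-run` should succeed as shown above; if it exits with status 2, the installed certbot no longer contains the line from the post and needs a fresh look.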
