Closed hancush closed 6 months ago
For some reason, opennessproject.com did not recognize the updated cert. The nginx access logs looked like this:
```
ubuntu@ip-10-0-0-169:~$ tail -f /var/log/nginx/error.log
2021/04/08 20:00:24 [emerg] 17125#17125: bind() to 0.0.0.0:443 failed (98: Address already in use)
2021/04/08 20:00:24 [emerg] 17125#17125: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/04/08 20:00:24 [emerg] 17125#17125: bind() to [::]:80 failed (98: Address already in use)
2021/04/08 20:00:24 [emerg] 17125#17125: bind() to 0.0.0.0:443 failed (98: Address already in use)
2021/04/08 20:00:24 [emerg] 17125#17125: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/04/08 20:00:24 [emerg] 17125#17125: bind() to [::]:80 failed (98: Address already in use)
2021/04/08 20:00:24 [emerg] 17125#17125: bind() to 0.0.0.0:443 failed (98: Address already in use)
2021/04/08 20:00:24 [emerg] 17125#17125: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/04/08 20:00:24 [emerg] 17125#17125: bind() to [::]:80 failed (98: Address already in use)
2021/04/08 20:00:24 [emerg] 17125#17125: still could not bind()
```
And there were no entries in the app access logs.
Looks like an Nginx process was started from root. I wound up following the instructions here to kill the old process and restart Nginx, and the issue was resolved.
```
ubuntu@ip-10-0-0-169:~$ ps aux -P | grep nginx
ubuntu 16993 0.0 0.0 10472 928 pts/0 S+ 19:57 0:00 grep --color=auto nginx
root 28009 0.0 0.1 91588 2816 ? Ss Mar12 0:00 nginx: master process nginx -c /etc/nginx/nginx.conf
www-data 28014 0.0 0.2 91868 4308 ? S Mar12 34:07 nginx: worker process
ubuntu@ip-10-0-0-169:~$ sudo fuser -k 443/tcp
443/tcp: 28009 28014
ubuntu@ip-10-0-0-169:~$ sudo service nginx restart
nginx stop/waiting
nginx start/running, process 17260
ubuntu@ip-10-0-0-169:~$ ps aux -P | grep nginx
root 17260 0.0 0.0 90820 1300 ? Ss 20:02 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 17262 0.0 0.1 91512 3684 ? S 20:02 0:00 nginx: worker process
ubuntu 17377 0.0 0.0 10472 924 pts/0 S+ 20:06 0:00 grep --color=auto nginx
```
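A way to summarise the `bind()` failures seen in the error log in the comment above, as an added example that is not part of the original thread: it reads nginx error-log lines on stdin and reports, per process and listen address, how often binding failed with error 98 and whether that process logged `still could not bind()`. The function names and the sample log lines are constructed for illustration.

```shell
# Constructed sample input, modelled on the error-log lines quoted in the thread.
sample_log() {
cat <<'EOF'
2021/04/08 20:00:24 [emerg] 17125#17125: bind() to 0.0.0.0:443 failed (98: Address already in use)
2021/04/08 20:00:24 [emerg] 17125#17125: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/04/08 20:00:24 [emerg] 17125#17125: bind() to [::]:80 failed (98: Address already in use)
2021/04/08 20:00:24 [emerg] 17125#17125: bind() to 0.0.0.0:443 failed (98: Address already in use)
2021/04/08 20:00:24 [emerg] 17125#17125: still could not bind()
2021/04/08 20:05:00 [error] 17262#17262: *1 constructed unrelated line
EOF
}

# bind_failures (hypothetical helper): prints "<pid> <listen-addr> <failures> <status>"
# for every address a starting nginx could not bind because it was already in use.
bind_failures() {
  awk '
    /\[emerg\]/ && /bind\(\) to .* failed \(98: / {
      pid = $4; sub(/#.*/, "", pid)        # "17125#17125:" -> "17125"
      key = pid " " $7                     # $7 is the listen address
      if (!(key in n)) order[++cnt] = key  # remember first-seen order
      n[key]++
      next
    }
    /\[emerg\]/ && /still could not bind\(\)/ {
      pid = $4; sub(/#.*/, "", pid)
      gave_up[pid] = 1                     # this start attempt was abandoned
    }
    END {
      for (i = 1; i <= cnt; i++) {
        split(order[i], p, " ")
        printf "%s %s %d %s\n", p[1], p[2], n[order[i]], (p[1] in gave_up) ? "gave_up" : "-"
      }
    }'
}

# conflicted_ports (hypothetical helper): distinct ports that something else already holds.
conflicted_ports() {
  bind_failures | awk '{ sub(/.*:/, "", $2); print $2 }' | sort -nu
}

sample_log | bind_failures
```

On a server, pipe `/var/log/nginx/error.log` into `conflicted_ports` and inspect each reported port with `sudo fuser 443/tcp` (without `-k`) to see which process holds it before restarting anything.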
Auto renewal still not happening, but instructions in description work.
@hancush do we still need to do this?
@smcalilly Yes.
@hancush since we're working on this project now, do we want to take care of this?
Doesn't look like we have a cron to auto renew certs (or an up-to-date version of Certbot) on the NMID server. Shelled in and manually renewed the cert like this:
(Follow recommendations from this thread after finding the LetsEncrypt command in the server's shell history.)
I guess this is fine, but it would be nice to not have to do this every SSL cert life cycle. Let's see if we can wire up auto renewals when we get spare cycles.