jupyterhub / jupyterhub-deploy-teaching

Reference deployment of JupyterHub and nbgrader on a single server
http://jupyterhub-deploy-teaching.readthedocs.io/en/latest/
BSD 3-Clause "New" or "Revised" License

Letsencrypt auto renew #79

Closed nabriis closed 7 years ago

nabriis commented 7 years ago

Hi,

I have been running this setup for a while now and it was time for the letsencrypt certificates to auto renew.

However, I get the following error:

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/[hostname_removed]/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Thu Jun 22 07:35:02 CEST 2017
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for [hostname_removed]
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/[hostname_removed].conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.. Skipping.

In the letsencrypt renew file that is within cron.daily it seems to have a command with docker. I assume this is a mistake?

#!/usr/bin/env bash

date >> /var/log/letsencrypt.log
certbot-auto renew --no-self-upgrade 2>&1 &>> /var/log/letsencrypt.log
docker kill -s HUP nginx

minrk commented 7 years ago

Indeed, that was copied from a docker deployment without proper updating.

Can you try running:

certbot-auto renew --nginx

?

minrk commented 7 years ago

Scratch that, run:

certbot-auto renew --webroot --webroot-path=/etc/letsencrypt/webroot
service nginx reload

and see if that works. If it does, I'll update the file.

nabriis commented 7 years ago

I ended up doing the following:

date >> /var/log/letsencrypt.log
kill -s HUP $( pgrep -o nginx )
fuser -k 443/tcp
fuser -k 80/tcp
certbot-auto renew --no-self-upgrade 2>&1 &>> /var/log/letsencrypt.log
sleep 10
fuser -k 443/tcp
fuser -k 80/tcp
service nginx --full-restart
service nginx reload

which seemed to work. Not very optimal, I guess.

@minrk when running

certbot-auto renew --webroot --webroot-path=/etc/letsencrypt/webroot
service reload nginx

I get an error:

Upgrading certbot-auto 0.13.0 to 0.15.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
/etc/letsencrypt/webroot does not exist or is not a directory

minrk commented 7 years ago

Try:

mkdir -p /etc/letsencrypt/webroot

first, then run it again. nginx is already serving that directory for letsencrypt upgrades.

nabriis commented 7 years ago

OK, seems to work now. Although I can't really test if certbot gets a connection since the certificate is not due for renewal anymore.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/[hostname].conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/[hostname]/fullchain.pem (skipped)
No renewals were attempted.

Thanks for the help :)

minrk commented 7 years ago

Thanks! We'll have to wait until a renewal is needed to test for real. #80 should fix it.

IamViditAgarwal commented 5 years ago

Hi, while setting up JupyterHub, I saw that Let's Encrypt auto-renews the certificate. But my certificate is not renewing. I saw this issue, but I am not able to figure out where we have to run this bash file or the auto-renew commands.
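
The approach discussed in this thread, written out as a renewal job of the kind that sits in cron.daily (an added example, not the repository's script and not code from any commenter): it renews through the webroot challenge so nginx keeps ports 80 and 443, and reloads nginx only when a certificate file actually changed. The overridable variable names, the `run` argument and the reload-on-change logic are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not the repository's script): webroot renewal that never
# needs to free ports 80/443 and reloads nginx only after a real renewal.
# Assumed, overridable names: CERTBOT, CONFIG_TEST, RELOAD_CMD, LIVE_DIR, LOG.
WEBROOT="${WEBROOT:-/etc/letsencrypt/webroot}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
LOG="${LOG:-/var/log/letsencrypt.log}"
CERTBOT="${CERTBOT:-certbot-auto}"

# Hash every live fullchain.pem; the digest changes only after a renewal.
cert_fingerprint() {
    cat "$LIVE_DIR"/*/fullchain.pem 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Default hooks; either can be replaced through CONFIG_TEST / RELOAD_CMD.
config_test() { nginx -t >> "$LOG" 2>&1; }
reload_nginx() { service nginx reload >> "$LOG" 2>&1; }

# Returns 1 if the renewal failed, 2 if a certificate was renewed but the
# nginx config test failed (nginx keeps serving the old certificate),
# 0 if nothing changed, otherwise the reload command's status.
renew_and_reload() {
    mkdir -p "$WEBROOT" || return 1   # certbot refuses a missing webroot
    date >> "$LOG"
    before=$(cert_fingerprint)
    "$CERTBOT" renew --no-self-upgrade --webroot \
        --webroot-path="$WEBROOT" >> "$LOG" 2>&1 || return 1
    after=$(cert_fingerprint)
    if [ "$before" = "$after" ]; then
        echo "no certificate changed; nginx left alone" >> "$LOG"
        return 0
    fi
    "${CONFIG_TEST:-config_test}" || return 2
    "${RELOAD_CMD:-reload_nginx}"
}

# Runs only when invoked with the argument "run"; without it the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then renew_and_reload; fi
```

A non-zero exit status lets cron's mail or a monitoring check surface a failed renewal before the certificate expires.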