Letsencrypt certificate is renewed but LSWS doesn't restart

Centos

New Member
#1
Hello,

I am running the WordPress cloud instance on Linode.com. Everything works fine, except that when the SSL cert is renewed LSWS doesn't restart, so the browser throws an error saying "Your connection is not private".

So then I manually restart LSWS and the website loads fine.

/etc/cron.d/certbot has this in it which appears to be correct.

Code:
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook "systemctl restart lsws"
Please help!
 

Cold-Egg

Administrator
#2
Hi,

Have you tried the following commands before?
Code:
/usr/local/lsws/bin/lswsctrl stop >/dev/null
systemctl stop lsws >/dev/null
systemctl start lsws >/dev/null
Does any hook-related log show in "/var/log/letsencrypt/letsencrypt.log"?

You can force it and check if the lsws restart succeeds. Don't run it too many times; otherwise you may hit the monthly limit.
Code:
certbot renew --force-renew --deploy-hook "systemctl restart lsws"
FYI, you can check the LSWS restart log at "/usr/local/lsws/logs/lsrestart.log".
 

Centos

New Member
#3
It happened on another server a few hours ago. The certificate was renewed but the server was still serving the old certificate, so the browser threw an error. I manually restarted lsws and it fixed the issue.

Here is what I have in "/var/log/letsencrypt/letsencrypt.log". It says

Code:
2021-03-07 02:04:26,330:DEBUG:certbot.main:certbot version: 0.40.0
2021-03-07 02:04:26,331:DEBUG:certbot.main:Arguments: ['-q']
2021-03-07 02:04:26,331:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-03-07 02:04:26,345:DEBUG:certbot.log:Root logging level set at 30
2021-03-07 02:04:26,345:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-03-07 02:04:26,358:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fa85ffbf6d0> and installer <certbot.cli._Default object at 0x7fa85ffbf6d0>
2021-03-07 02:04:26,372:INFO:certbot.renewal:Cert not yet due for renewal
2021-03-07 02:04:26,372:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-03-07 02:04:26,373:DEBUG:certbot.renewal:no renewal failures
2021-03-07 23:19:16,588:DEBUG:certbot.main:certbot version: 0.40.0
2021-03-07 23:19:16,588:DEBUG:certbot.main:Arguments: ['-q']
2021-03-07 23:19:16,588:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-03-07 23:19:16,600:DEBUG:certbot.log:Root logging level set at 30
2021-03-07 23:19:16,601:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-03-07 23:19:16,618:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f7bb00fb700> and installer <certbot.cli._Default object at 0x7f7bb00fb700>
2021-03-07 23:19:16,633:INFO:certbot.renewal:Cert not yet due for renewal
2021-03-07 23:19:16,634:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-03-07 23:19:16,635:DEBUG:certbot.renewal:no renewal failures

2021-03-08 00:39:04,916:DEBUG:certbot.main:certbot version: 0.40.0
2021-03-08 00:39:04,916:DEBUG:certbot.main:Arguments: ['-q']
2021-03-08 00:39:04,916:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-03-08 00:39:04,928:DEBUG:certbot.log:Root logging level set at 30
2021-03-08 00:39:04,928:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-03-08 00:39:04,938:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f3f05795700> and installer <certbot.cli._Default object at 0x7f3f05795700>
2021-03-08 00:39:04,949:INFO:certbot.renewal:Cert not yet due for renewal
2021-03-08 00:39:04,950:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-03-08 00:39:04,950:DEBUG:certbot.renewal:no renewal failures
2021-03-08 23:23:13,949:DEBUG:certbot.main:certbot version: 0.40.0
2021-03-08 23:23:13,950:DEBUG:certbot.main:Arguments: ['-q']
2021-03-08 23:23:13,950:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-03-08 23:23:13,961:DEBUG:certbot.log:Root logging level set at 30
2021-03-08 23:23:13,961:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-03-08 23:23:13,972:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7efedc2a46a0> and installer <certbot.cli._Default object at 0x7efedc2a46a0>
2021-03-08 23:23:13,983:INFO:certbot.renewal:Cert not yet due for renewal
2021-03-08 23:23:13,984:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-03-08 23:23:13,984:DEBUG:certbot.renewal:no renewal failures

2021-03-09 11:26:31,704:DEBUG:certbot.main:certbot version: 0.40.0
2021-03-09 11:26:31,705:DEBUG:certbot.main:Arguments: ['-q']
2021-03-09 11:26:31,705:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-03-09 11:26:31,717:DEBUG:certbot.log:Root logging level set at 30
2021-03-09 11:26:31,717:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-03-09 11:26:31,729:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fc30b4c46a0> and installer <certbot.cli._Default object at 0x7fc30b4c46a0>
2021-03-09 11:26:31,741:INFO:certbot.renewal:Cert not yet due for renewal
2021-03-09 11:26:31,742:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-03-09 11:26:31,742:DEBUG:certbot.renewal:no renewal failures
2021-03-09 16:48:08,484:DEBUG:certbot.main:certbot version: 0.40.0
2021-03-09 16:48:08,485:DEBUG:certbot.main:Arguments: ['-q']
2021-03-09 16:48:08,486:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-03-09 16:48:08,500:DEBUG:certbot.log:Root logging level set at 30
2021-03-09 16:48:08,500:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-03-09 16:48:08,511:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f9697f00730> and installer <certbot.cli._Default object at 0x7f9697f00730>
2021-03-09 16:48:08,529:INFO:certbot.renewal:Cert not yet due for renewal
2021-03-09 16:48:08,530:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-03-09 16:48:08,530:DEBUG:certbot.renewal:no renewal failures

2021-03-10 05:06:48,318:DEBUG:certbot.main:certbot version: 0.40.0
2021-03-10 05:06:48,319:DEBUG:certbot.main:Arguments: ['-q']
2021-03-10 05:06:48,319:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-03-10 05:06:48,345:DEBUG:certbot.log:Root logging level set at 30
2021-03-10 05:06:48,346:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-03-10 05:06:48,366:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fa92754b6a0> and installer <certbot.cli._Default object at 0x7fa92754b6a0>
2021-03-10 05:06:48,382:INFO:certbot.renewal:Cert not yet due for renewal
2021-03-10 05:06:48,382:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-03-10 05:06:48,382:DEBUG:certbot.renewal:no renewal failures
2021-03-10 14:11:48,304:DEBUG:certbot.main:certbot version: 0.40.0
2021-03-10 14:11:48,305:DEBUG:certbot.main:Arguments: ['-q']
2021-03-10 14:11:48,305:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-03-10 14:11:48,317:DEBUG:certbot.log:Root logging level set at 30
2021-03-10 14:11:48,317:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-03-10 14:11:48,329:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f605f9246d0> and installer <certbot.cli._Default object at 0x7f605f9246d0>
2021-03-10 14:11:48,341:INFO:certbot.renewal:Cert not yet due for renewal
2021-03-10 14:11:48,342:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-03-10 14:11:48,342:DEBUG:certbot.renewal:no renewal failures

2021-03-11 00:20:16,221:DEBUG:certbot.main:certbot version: 0.40.0
2021-03-11 00:20:16,221:DEBUG:certbot.main:Arguments: ['-q']
2021-03-11 00:20:16,221:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-03-11 00:20:16,233:DEBUG:certbot.log:Root logging level set at 30
2021-03-11 00:20:16,233:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-03-11 00:20:16,243:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f2c2644a6d0> and installer <certbot.cli._Default object at 0x7f2c2644a6d0>
2021-03-11 00:20:16,254:INFO:certbot.renewal:Cert not yet due for renewal
2021-03-11 00:20:16,255:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-03-11 00:20:16,255:DEBUG:certbot.renewal:no renewal failures

Here is the output of /usr/local/lsws/logs/lsrestart.log

Code:
Tue Dec  8 22:53:49 UTC 2020
stop, LSWS running: 0
Tue 08 Dec 2020 10:53:50 PM UTC
start, LSWS running: 0
Tue Dec  8 22:55:29 UTC 2020
stop, LSWS running: 1
Tue Dec  8 22:55:30 UTC 2020
start, LSWS running: 0
Tue Dec  8 22:56:38 UTC 2020
stop, LSWS running: 1
Tue Dec  8 22:56:42 UTC 2020
stop, LSWS running: 0
Tue 08 Dec 2020 10:56:43 PM UTC
start, LSWS running: 0
Tue Dec  8 22:56:58 UTC 2020
stop, LSWS running: 1
Tue 08 Dec 2020 10:56:59 PM UTC
start, LSWS running: 0
Tue 08 Dec 2020 10:57:04 PM UTC
delay-stop, LSWS running: 1
Tue 08 Dec 2020 10:58:11 PM UTC
start, LSWS running: 0
Tue 08 Dec 2020 10:59:24 PM UTC
delay-stop, LSWS running: 1
Tue 08 Dec 2020 10:59:27 PM UTC
stop, LSWS running: 0
Tue 08 Dec 2020 10:59:29 PM UTC
start, LSWS running: 0
Tue 08 Dec 2020 11:00:51 PM UTC
stop, LSWS running: 1
Tue 08 Dec 2020 11:00:52 PM UTC
start, LSWS running: 0
Tue 08 Dec 2020 11:02:00 PM UTC
stop, LSWS running: 1
Tue 08 Dec 2020 11:02:01 PM UTC
start, LSWS running: 0
Thu 11 Mar 2021 04:44:28 AM UTC
delay-stop, LSWS running: 1
Thu 11 Mar 2021 04:44:31 AM UTC
start, LSWS running: 0
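
The cron entry from post #1 and the certbot log from post #3 can be checked against each other with the script below, which is an added example and not code from the thread, LiteSpeed or Certbot. It tests whether the cron line is guarded by `\! -d /run/systemd/system` (a `test` that is false on a host running systemd, so everything after `&&` is skipped) and counts logged runs whose `Arguments:` line carries no `--deploy-hook`; the function names are hypothetical and the third sample run is constructed.

```shell
#!/bin/sh
# Added example: cross-check a certbot cron entry against the certbot debug log.

# Cron line as posted in the thread.
sample_cron() {
    cat <<'EOF'
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook "systemctl restart lsws"
EOF
}

# Two runs copied from the posted log, plus one CONSTRUCTED run that shows how
# a hook passed on the command line is assumed to appear in "Arguments:".
sample_log() {
    cat <<'EOF'
2021-03-10 14:11:48,304:DEBUG:certbot.main:certbot version: 0.40.0
2021-03-10 14:11:48,305:DEBUG:certbot.main:Arguments: ['-q']
2021-03-10 14:11:48,341:INFO:certbot.renewal:Cert not yet due for renewal
2021-03-11 00:20:16,221:DEBUG:certbot.main:certbot version: 0.40.0
2021-03-11 00:20:16,221:DEBUG:certbot.main:Arguments: ['-q']
2021-03-11 00:20:16,254:INFO:certbot.renewal:Cert not yet due for renewal
2021-03-11 04:44:20,000:DEBUG:certbot.main:certbot version: 0.40.0
2021-03-11 04:44:20,001:DEBUG:certbot.main:Arguments: ['--force-renew', '--deploy-hook', 'systemctl restart lsws']
EOF
}

# Exit 0 when the cron line only proceeds on hosts WITHOUT systemd, i.e. it
# contains the guard "! -d /run/systemd/system" (with or without a backslash).
cron_guarded_by_systemd() {
    printf '%s\n' "$1" | grep -Eq '\\?! +-d +/run/systemd/system'
}

# Read a certbot debug log on stdin and print "<runs> <runs without hook>".
# Each run begins with a "certbot version:" line; its "Arguments:" line shows
# the options that invocation really received.
count_hookless_runs() {
    awk '
        /certbot\.main:certbot version:/ { runs++ }
        /certbot\.main:Arguments:/ { if ($0 !~ /--deploy-hook/) hookless++ }
        END { printf "%d %d\n", runs, hookless }
    '
}

if cron_guarded_by_systemd "$(sample_cron)"; then
    echo "cron entry (and its hook) is skipped whenever /run/systemd/system exists"
fi
echo "runs / runs without --deploy-hook: $(sample_log | count_hookless_runs)"
```

On a real host, feed it the live log with `count_hookless_runs < /var/log/letsencrypt/letsencrypt.log`. Runs that show only `['-q']` were not started by the cron line that carries the hook.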
 

Cold-Egg

Administrator
#4
Hi,

I don't see any hook or renew log in the last reply. What if you force a dry-run cert renewal? Will you see any hook-related log?
 

Colcol

New Member
#5
Not sure this is of any help, but I have the SSL auto-renew/OLS auto-restart working like this:

From Certbot:
https://certbot.eff.org/docs/using.html#renewing-certificates
"You can also specify hooks by placing files in subdirectories of Certbot’s configuration directory."

I created a bash script file:
# nano /etc/letsencrypt/renewal-hooks/deploy/restart_ols.sh

Inside the file I put this:
#!/bin/sh
/usr/local/lsws/bin/lswsctrl restart

I made the file executable:
# chmod +x /etc/letsencrypt/renewal-hooks/deploy/restart_ols.sh

And I think you can test it with this (may need to be in the /etc/letsencrypt/renewal-hooks/deploy directory):
# . restart_ols.sh

Should return an [OK] message.

I am an OLS/Linux amateur so the above may not be the optimum solution. I run OLS on Debian 10 with Certbot installed via snap as per the official docs.
 

Centos

New Member
#6
Hi,

I don't see any hook or renew log in the last reply. What if you force a dry-run cert renewal? Will you see any hook-related log?

Ok. I have tried what you suggested.

Code:
certbot renew --force-renew --deploy-hook "systemctl restart lsws"
According to the log LSWS restarts fine when --force-renew is used.


Code:
certbot renew --dry-run --force-renew --deploy-hook "systemctl restart lsws"
Adding --dry-run skips the restart hook with this message: "Dry run: skipping deploy hook command: systemctl restart lsws"

Code:
certbot renew --deploy-hook "systemctl restart lsws"
and this doesn't do anything since no certs are due for renewal.
 

Cold-Egg

Administrator
#7
Code:
certbot renew --force-renew --deploy-hook "systemctl restart lsws"
According to the log LSWS restarts fine when --force-renew is used.
Looks good to me, let's see if it will work on the next renewal.
 

Lui

New Member
#10
Hi,
Has this issue been solved?

I'm experiencing the same problem on all my Digital Ocean droplets, the restart hook doesn't work and has to be done manually every 3 months.
 

Lui

New Member
#13
Hi mate,
Thanks for your prompt reply.

I've raised a ticket with the team. When you say resolved, was it an lsws upgrade to fix it or how was it solved?
 

Cold-Egg

Administrator
#14
Sure thing, ticket replied.
"Resolved" means it is fixed in the image/marketplace. Please try to avoid mixing service and systemctl to control the lsws service. It may break the hook.
 

Cold-Egg

Administrator
#15
If the hook does not work for some reason, we can also implement a weekly lsws restart to avoid such issues.
Other people have asked about this in the LE forum: https://community.letsencrypt.org/t/deploy-hook-not-being-run/93342/2

Code:
echo '0 0 * * 3 root systemctl restart lsws' | sudo tee -a /etc/cron.d/certbot > /dev/null
Feel free to adjust the cronjob time.

I also pushed it to the git repo, so the newly launched cloud image server should have this setup.
https://github.com/litespeedtech/ls-cloud-image/commit/1925a68b347b5f16676aeb46047e147ddec3158d
 