"httpd could not be started" after monthly cron lego certificate renewal script was run

Keywords: WordPress - AWS - Technical issue - Secure Connections (SSL/HTTPS)
bnsupport ID: 3374b6ed-0c6a-5c42-d7d3-ae8bd9ac4429
Description:
We’ve been using lego to update our certificate for the last 2 years or so without issue using this command: sudo /usr/local/bin/lego --email="" --domains="" --domains="www." --path="/etc/lego" renew

That command is sandwiched between stopping and starting apache2 in the script file which is scheduled to run on the 1st and 15th of each month. After June 1 the command to start apache2 failed with this error:
/opt/bitnami/apache2/scripts/ctl.sh : httpd could not be started

The apache logs at /opt/bitnami/apache2/logs/error_log show this:

[Wed Jun 09 22:00:08.111260 2021] [ssl:emerg] [pid 23940:tid 140528951609088] AH02562: Failed to configure certificate localhost:443:0 (with chain), check /opt/bitnami/apache2/conf/server.crt
[Wed Jun 09 22:00:08.111307 2021] [ssl:emerg] [pid 23940:tid 140528951609088] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Jun 09 22:00:08.111324 2021] [ssl:emerg] [pid 23940:tid 140528951609088] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
AH00016: Configuration Failed

There is an error log for the cron job at /var/log/renew.log. Here are the last two entries:

Unmonitored apache
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
2021/05/15 00:00:05 [INFO][<domain removed>] acme: Trying renewal with 695 hours remaining
2021/05/15 00:00:05 [INFO][<domain removed>, www.<domain removed>] acme: Obtaining bundled SAN certificate
2021/05/15 00:00:07 [INFO][<domain removed>] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13123488067
2021/05/15 00:00:07 [INFO][www.<domain removed>] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13123488083
2021/05/15 00:00:07 [INFO][<domain removed>] acme: Trying to solve HTTP-01
2021/05/15 00:00:07 [INFO][<domain removed>] Served key authentication
2021/05/15 00:00:07 [INFO][<domain removed>] Served key authentication
2021/05/15 00:00:07 [INFO][<domain removed>] Served key authentication
2021/05/15 00:00:07 [INFO][<domain removed>] Served key authentication
2021/05/15 00:00:12 [INFO][<domain removed>] The server validated our request
2021/05/15 00:00:12 [INFO][www.<domain removed>] acme: Trying to solve HTTP-01
2021/05/15 00:00:13 [INFO][www.<domain removed>] Served key authentication
2021/05/15 00:00:13 [INFO][www.<domain removed>] Served key authentication
2021/05/15 00:00:13 [INFO][www.<domain removed>] Served key authentication
2021/05/15 00:00:13 [INFO][www.<domain removed>] Served key authentication
2021/05/15 00:00:18 [INFO][www.<domain removed>] The server validated our request
2021/05/15 00:00:18 [INFO][<domain removed>, www.<domain removed>] acme: Validations succeeded; requesting certificates
2021/05/15 00:00:19 [INFO][<domain removed>] Server responded with a certificate.
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
Monitored apache
Unmonitored apache
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
2021/06/01 00:00:07 [INFO][<domain removed>] acme: Trying renewal with 1751 hours remaining
2021/06/01 00:00:07 [INFO][<domain removed>, www.<domain removed>] acme: Obtaining bundled SAN certificate
2021/06/01 00:00:11 [INFO][<domain removed>] AuthURL: <same as above but removed because I can only post 2 links as a new user>
2021/06/01 00:00:11 [INFO][www.<domain removed>] AuthURL: <same as above but removed because I can only post 2 links as a new user>
2021/06/01 00:00:11 [INFO][<domain removed>] acme: Authorization already valid; skipping challenge
2021/06/01 00:00:11 [INFO][www.<domain removed>] acme: Authorization already valid; skipping challenge
2021/06/01 00:00:11 [INFO][<domain removed>, www.<domain removed>] acme: Validations succeeded; requesting certificates
2021/06/01 00:00:22 [INFO][<domain removed>] Server responded with a certificate.
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd could not be started

When I try to run the script manually I get this error:

2021/06/09 22:13:43 no certificates were found while parsing the bundle

The file at /opt/bitnami/apache2/conf/server.crt is a link to etc/lego/certificates/.crt, which I can see was created on June 1 at midnight.

Any advice on how to get this back up and running is appreciated!
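The cron script described above starts Apache regardless of what lego left in the bundle, which is why a renewal that produced no certificate took the site down. The wrapper below is an added example (not the poster's script and not Bitnami's or lego's own code): it keeps a copy of the previous bundle, checks the renewed file for a complete PEM certificate block before restarting, and restores the old bundle when the check fails. ACME_EMAIL and DOMAIN are placeholders, and the `ctl.sh stop`/`start` interface is assumed from the log lines in the post.

```shell
#!/bin/bash
# Added example: fail-closed renewal wrapper. Paths follow the post;
# ACME_EMAIL/DOMAIN are placeholders, ctl.sh start/stop is assumed.
set -u
ACME_EMAIL="${ACME_EMAIL:-admin@example.invalid}"   # placeholder
DOMAIN="${DOMAIN:-example.invalid}"                 # placeholder
CTL="/opt/bitnami/apache2/scripts/ctl.sh"
CERT_LINK="/opt/bitnami/apache2/conf/server.crt"    # symlink into /etc/lego

# Structural check: file is non-empty, holds at least one
# "-----BEGIN CERTIFICATE-----" block, and every BEGIN has its END.
# An empty bundle (the failure in this thread) returns 1 here.
pem_looks_valid() {
    local f="$1" begins ends
    [ -s "$f" ] || return 1
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$f" || true)
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]
}

# Stronger check when openssl is installed: the leaf must actually parse.
# Skipped (returns 0) when openssl is absent so the wrapper still works.
cert_parses() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

renew_and_restart() {
    local cert backup
    cert=$(readlink -f "$CERT_LINK") || return 1
    backup="${cert}.bak"
    cp -p "$cert" "$backup"              # keep the still-valid old bundle
    "$CTL" stop                          # frees port 80 for HTTP-01
    if ! /usr/local/bin/lego --email="$ACME_EMAIL" --domains="$DOMAIN" \
            --domains="www.$DOMAIN" --path="/etc/lego" renew \
        || ! pem_looks_valid "$cert" || ! cert_parses "$cert"; then
        echo "renewal produced no usable certificate; restoring $backup" >&2
        cp -p "$backup" "$cert"
    fi
    "$CTL" start                         # ctl.sh runs its own syntax check
}
```

Run `renew_and_restart` from the cron entry in place of the bare stop/renew/start sequence; the old bundle stays in service until lego has written a bundle that passes both checks.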

Hi @cmdr_keen,

Thanks for using Bitnami. I see the following errors in the Apache log:

[Wed Jun 09 22:23:29.146699 2021] [ssl:emerg] [pid 24136:tid 140432941557504] AH02562: Failed to configure certificate localhost:443:0 (with chain), check /opt/bitnami/apache2/conf/server.crt
[Wed Jun 09 22:23:29.146748 2021] [ssl:emerg] [pid 24136:tid 140432941557504] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Jun 09 22:23:29.146765 2021] [ssl:emerg] [pid 24136:tid 140432941557504] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
AH00016: Configuration Failed

I see you are using an old version of the Bitnami WordPress image. Can you try to install the latest lego client as explained in the following guide and then generate the SSL certificate again?

https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#step-1-install-the-lego-client

Thank you! That did the trick. I’m embarrassed that it was so simple :slight_smile:

Forgive my ignorance, but what is the significance of the email address in the line:
sudo /usr/local/bin/lego --tls --email="<email address>" --domains="<domain>" --domains="www.<domain>" --path="/etc/lego" renew

I ask because someone else set this up for us initially and it uses their email address. I would like to update it to something that is valid, but I’m not sure if I can just change that email address in the script or if it needs to refer to a letsencrypt account that’s tied to our domain. Are there any gotchas for updating the email address? What does the email address actually matter?

Thanks,
-keen

Hi @cmdr_keen,

Thanks for letting us know. I’m glad updating the lego tool worked for you :slight_smile:

Regarding the email address, it is the email address to which Let’s Encrypt will send notification emails like reminders for renewing the SSL certificate. If you want to use a different email address, I think you will need to generate a fresh new certificate providing the new email. However, we recommend that you ask in the Let’s Encrypt forums in case there is any way of updating the email address associated with an SSL certificate.

https://community.letsencrypt.org/

Thanks! I will do that :slight_smile:

Hi @cmdr_keen,

Thanks for your message. We hope the Let’s Encrypt community helps you with that.

Regards,
Gonzalo