My website suddenly went down at midnight, and I found out that my haproxy container was faulty when it went down.
I was checking my log files to see what caused the crash and found this message, which was what caused the downtime.
I googled it and did not find any explanation about the fault.
Can somebody explain what caused it and what these error codes mean?
Hi Again,
Thanks. I was checking the log files and found this error that made it fail. I checked more deeply and found out that my certificate is the cause of the failure.
I googled and could not find a solution, but it does not make sense to me why it failed at certbot.
Sep 25 23:12:46 haproxy systemd[1]: certbot.service: Failed to reset devices.list: Operation not permitted
Sep 25 23:12:46 haproxy systemd[1]: Starting Certbot...
Sep 25 23:12:48 haproxy systemd[1]: Stopping HAProxy Load Balancer...
Sep 25 23:12:48 haproxy systemd[1]: Stopped HAProxy Load Balancer.
Sep 25 23:12:54 haproxy systemd[1]: haproxy.service: Unit cannot be reloaded because it is inactive.
Sep 25 23:12:54 haproxy certbot[8936]: Hook command "service haproxy reload" returned error code 1
Sep 25 23:12:54 haproxy certbot[8936]: Error output from service:
Sep 25 23:12:54 haproxy certbot[8936]: haproxy.service is not active, cannot reload.
Sep 25 23:12:55 haproxy systemd[1]: Started Certbot.
Sep 25 23:17:01 haproxy CRON[8985]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Sep 25 23:29:11 haproxy systemd-networkd[179]: eth0: Configured
Sep 25 23:55:25 haproxy systemd-networkd[179]: eth0: Configured
Sep 26 00:00:01 haproxy CRON[8992]: (root) CMD (/home/happydays/renew-cert.sh)
Sep 26 00:00:02 haproxy CRON[8991]: (CRON) info (No MTA installed, discarding output)
You seem to have an issue with certbot. Maybe you can check the permissions first.
Otherwise,
Your certbot command seems to be the process stopping your haproxy. You have to check if you have another script running, as in your script it should issue a start command, and the logs are showing a reload command.
At work, to manage certs with certbot without having to restart haproxy, we have set up an ACL catching Let's Encrypt requests:
acl letsencrypt path_beg /.well-known/acme-challenge/
use_backend letsencrypt if letsencrypt
...
backend letsencrypt
server localhost 127.0.0.1:8080
If you use certbot on the same server, you can change the certbot port (use 8080 for example) and renew with the --http-01-port 8080 option.
Once renewed, you just have to reload haproxy to load the new certs (maybe with the post-hook; we don't use it, so I don't know how it works).
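An added example, not code from this thread or from either poster: a certbot deploy hook that avoids the "haproxy.service is not active, cannot reload" failure in the log above by starting HAProxy when the unit is inactive instead of reloading it, and only after the config check passes. The certificate directory, the config path and the SYSTEMCTL/HAPROXY override variables are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook for HAProxy (not from the thread).
# Assumed locations; override through the environment if yours differ.
HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"   # overridable for dry runs
HAPROXY="${HAPROXY:-haproxy}"

# Build the combined PEM (chain + private key) that HAProxy's "crt" loads.
# Written to a 0600 temp file first, then renamed, so HAProxy never sees
# a half-written or world-readable key.
build_pem() {  # $1 = lineage dir, e.g. /etc/letsencrypt/live/<domain>
    name=$(basename "$1")
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ] || return 1
    tmp=$(mktemp "$HAPROXY_CERT_DIR/.$name.XXXXXX") || return 1
    chmod 600 "$tmp"
    cat "$1/fullchain.pem" "$1/privkey.pem" > "$tmp" \
        && mv "$tmp" "$HAPROXY_CERT_DIR/$name.pem" \
        || { rm -f "$tmp"; return 1; }
}

# Validate the config, then reload if the unit is active or start it if not.
# "reload" on an inactive unit is the error seen in the log above.
apply_action() {
    "$HAPROXY" -c -f "$HAPROXY_CFG" >/dev/null 2>&1 || { echo "skip"; return 1; }
    if "$SYSTEMCTL" is-active --quiet haproxy; then
        "$SYSTEMCTL" reload haproxy && echo "reload"
    else
        "$SYSTEMCTL" start haproxy && echo "start"
    fi
}

# certbot sets RENEWED_LINEAGE when it runs a --deploy-hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_pem "$RENEWED_LINEAGE" && apply_action
fi
```

It would be wired in with `certbot renew --http-01-port 8080 --deploy-hook <path to this script>`, where the script path is a placeholder.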