Ever since nginx was installed, the apache service has been shutting itself down every day.
Check the apache log with the following command:
tail -n 15 /var/log/apache2/error.log
[Tue Feb 07 00:00:35.176718 2017] [mpm_prefork:notice] [pid 1393] AH00171: Graceful restart requested, doing restart
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
[Tue Feb 07 00:00:35.374235 2017] [mpm_prefork:alert] [pid 1393] no listening sockets available, shutting down
[Tue Feb 07 00:00:35.374243 2017] [:emerg] [pid 1393] AH00019: Unable to open logs, exiting
[Tue Feb 07 00:00:43.772645 2017] [core:warn] [pid 7398] AH00098: pid file /var/run/apache2/apache2.pid overwritten -- Unclean shutdown of previous Apache run?
[Tue Feb 07 00:00:43.774845 2017] [mpm_prefork:notice] [pid 7398] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Tue Feb 07 00:00:43.774879 2017] [core:notice] [pid 7398] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 07 00:05:35.586000 2017] [mpm_prefork:notice] [pid 7398] AH00169: caught SIGTERM, shutting down
Look at /etc/logrotate.d/apache2.
First change the /etc/init.d/apache2 reload in that file to /etc/init.d/apache2 restart, then wait for 00:00 tomorrow and see whether apache crashes again.
One day later it had died again, and the new error log looked exactly the same:
[Wed Feb 08 00:00:33.919348 2017] [mpm_prefork:notice] [pid 12057] AH00171: Graceful restart requested, doing restart
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
[Wed Feb 08 00:00:34.029522 2017] [mpm_prefork:alert] [pid 12057] no listening sockets available, shutting down
[Wed Feb 08 00:00:34.029536 2017] [:emerg] [pid 12057] AH00019: Unable to open logs, exiting
[Wed Feb 08 00:00:42.448650 2017] [core:warn] [pid 16845] AH00098: pid file /var/run/apache2/apache2.pid overwritten -- Unclean shutdown of previous Apache run?
[Wed Feb 08 00:00:42.450795 2017] [mpm_prefork:notice] [pid 16845] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Wed Feb 08 00:00:42.450817 2017] [core:notice] [pid 16845] AH00094: Command line: '/usr/sbin/apache2'
[Wed Feb 08 00:00:52.544625 2017] [mpm_prefork:notice] [pid 16845] AH00169: caught SIGTERM, shutting down
Run this command in the /var directory:
grep -r 'tls_sni_01_page' *
This showed that the scheduled letsencrypt renew job is what brings apache2 down: its standalone web server grabs port 443, so apache cannot bind it on restart.
Time to re-read the certbot documentation:
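As an added example (not part of the original post), this is the detection logic a defender would run over error.log to confirm the pattern above: it pairs each graceful restart with the bind failures that follow it and checks whether the failures recur at the same wall-clock time, which is what points at a scheduled job rather than a random crash. The log lines are constructed to match the excerpts shown above.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the error.log excerpts above (not a live log).
SAMPLE_LOG = """\
[Tue Feb 07 00:00:35.176718 2017] [mpm_prefork:notice] [pid 1393] AH00171: Graceful restart requested, doing restart
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
[Tue Feb 07 00:00:35.374235 2017] [mpm_prefork:alert] [pid 1393] no listening sockets available, shutting down
[Tue Feb 07 00:00:43.774845 2017] [mpm_prefork:notice] [pid 7398] AH00163: Apache/2.4.18 (Ubuntu) configured -- resuming normal operations
[Wed Feb 08 00:00:33.919348 2017] [mpm_prefork:notice] [pid 12057] AH00171: Graceful restart requested, doing restart
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
[Wed Feb 08 00:00:34.029522 2017] [mpm_prefork:alert] [pid 12057] no listening sockets available, shutting down
"""

TS_RE = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d+ (\d{4})\]")
BIND_RE = re.compile(r"could not bind to address (\S+?):(\d+)\s*$")
RESTART = "AH00171: Graceful restart requested"
SHUTDOWN = "no listening sockets available, shutting down"

def parse_ts(line):
    """Timestamp of an Apache error-log line, or None for the untimestamped startup warnings."""
    m = TS_RE.match(line)
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y") if m else None

def find_bind_failures(text):
    """Each restart that ends in 'no listening sockets' becomes one event:
    (restart_time, shutdown_time, sorted (address, port) pairs that failed to bind)."""
    events, restart_at, addrs = [], None, []
    for line in text.splitlines():
        if RESTART in line:
            restart_at, addrs = parse_ts(line), []
            continue
        m = BIND_RE.search(line)
        if m:
            addrs.append((m.group(1), int(m.group(2))))
        elif SHUTDOWN in line and restart_at is not None:
            events.append((restart_at, parse_ts(line), sorted(set(addrs))))
            restart_at, addrs = None, []
    return events

def failed_ports(events):
    """Ports some other process was holding when Apache tried to bind them."""
    return sorted({port for _, _, addrs in events for _, port in addrs})

def recurring_time(events):
    """(hour, minute) if every failure started at the same wall-clock time, which
    points at a scheduled job such as logrotate or cron; otherwise None."""
    times = {(e[0].hour, e[0].minute) for e in events}
    return times.pop() if len(times) == 1 else None

if __name__ == "__main__":
    ev = find_bind_failures(SAMPLE_LOG)
    print(f"{len(ev)} bind failures on ports {failed_ports(ev)}, recurring at {recurring_time(ev)}")
```

On the real box, replace SAMPLE_LOG with the contents of /var/log/apache2/error.log; a result of port 443 recurring at (0, 0) is the fingerprint of the renew job described here.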
https://certbot.eff.org/docs/using.html#manual
It turns out that the standalone plugin spins up a temporary web server to obtain the certificate, and that server needs the same port apache listens on.
https://certbot.eff.org/docs/using.html#standalone
standalone: Spin up a temporary webserver
The certonly options are as follows:
certonly: Options for modifying how a cert is obtained
  --tls-sni-01-port TLS_SNI_01_PORT
      Port used during tls-sni-01 challenge. This only affects the port Certbot listens on. A conforming ACME server will still attempt to connect on port 443. (default: 443)
  --http-01-port HTTP01_PORT
      Port used in the http-01 challenge. This only affects the port Certbot listens on. A conforming ACME server will still attempt to connect on port 80. (default: 80)
  --csr CSR
      Path to a Certificate Signing Request (CSR) in DER or PEM format. Currently --csr only works with the 'certonly' subcommand. (default: None)
certbot certonly --standalone -d example.com --tls-sni-01-port 443 --http-01-port 80
Newer versions of certbot are simpler to use:
certbot certonly --cert-name your-domain-name
In the nginx config, change the following:
# Enable SSL
ssl on;
# Set the SSL certificate
ssl_certificate /etc/letsencrypt/live/your-domain-name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your-domain-name/privkey.pem;
Official tutorial:
https://certbot.eff.org/lets-encrypt/ubuntuxenial-other
Related articles:
How to know why my server crashes?
http://askubuntu.com/questions/405655/how-to-know-why-my-server-crashes
Apache reload/graceful restart causes Apache segfault
https://talk.plesk.com/threads/apache-reload-graceful-restart-causes-apache-segfault.335534/