LetsEncrypt renew cronjob always restarting httpd

janjaapvanklave

New member
Joined
Jan 11, 2017
Messages
2
Hey guys,

It's nice to have LetsEncrypt in DirectAdmin, but with quite some confidence we have found a significant problem.
The cron that is run is:
CMD (echo 'action=tally&value=all' >> /usr/local/directadmin/data/task.queue

Is it true this will ALWAYS restart the httpd process? Every night we see Apache restarting. If there is nothing to renew and no new certificates added, or removed, then no restart should happen of course.
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
642
Location
Netherlands Germany
How else is it possible to have the certificate loading?

I don't know if http2 the httpd reload (graceful restart) is a bug with Apache 2.4.25; only httpd restart is working correctly then.

The graceful yes or no setting is in directadmin.conf
 

Vaporizer

Verified User
Joined
Nov 7, 2014
Messages
74
On our systems the tally does a reload of httpd, not a restart. What happens if you run "systemctl reload httpd", does that also restart the service?
 

janjaapvanklave

New member
Joined
Jan 11, 2017
Messages
2
Please read my post carefully. It is of course not possible to do certificate management without any reload/restart, but it seems the DA cronjob is run EVERY night, regardless of 'tally' or whatever, AND it seems that the DA cronjob for renewal will ALWAYS restart, even when no renewal was done.

If you host 30 (medium-traffic) domains there, and 1 of them uses a LetsEncrypt certificate, it should not be the case that every night at 0:10 the whole server goes down for a minute.

I did a check on my personal VPS, and when you run
Code:
letsencrypt --apache renew
the status code will be 0 when no errors occur (as is normal for all Linux processes), so you cannot differentiate whether or not a renewal was done by that, unfortunately :(

(I'm still an advocate for LE, but this plugin seems to behave weirdly)
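
An added example, not part of the original post and not DirectAdmin's own code: because exit status 0 cannot show whether a renewal happened, this sketch compares a digest of the certificate file before and after the renew command and reloads only on a change. The function names and the single watched certificate path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: reload the web server only when the certificate file
# actually changed. Function names here are hypothetical.

# Print the SHA-256 digest of a file, or "absent" if it does not exist yet.
cert_digest() {
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d' ' -f1
    else
        echo absent
    fi
}

# renew_then_reload CERT_PATH RENEW_CMD RELOAD_CMD
# Returns 0 if the certificate changed and the reload ran,
#         1 if the certificate is unchanged (server left alone),
#         2 if the renew or the reload command failed.
renew_then_reload() {
    cert=$1
    renew_cmd=$2
    reload_cmd=$3

    before=$(cert_digest "$cert")
    if ! sh -c "$renew_cmd"; then
        echo "renew command failed; leaving the server untouched" >&2
        return 2
    fi
    after=$(cert_digest "$cert")

    if [ "$before" = "$after" ]; then
        echo "certificate unchanged; no reload"
        return 1
    fi
    echo "certificate changed; reloading"
    sh -c "$reload_cmd" || return 2
}

# Usage with the commands quoted in this thread (certificate path is a
# placeholder for the file your server actually loads):
#   renew_then_reload /path/to/cert.pem \
#       'letsencrypt --apache renew' 'systemctl reload httpd'
```

Where the client is certbot, its `--deploy-hook` option on `renew` gives the same behaviour, since the hook runs only for certificates that were actually renewed.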
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,463
When the DirectAdmin tally runs every night at 00:10, it also runs other things. It runs the statistics of webalizer and/or awstats, and when that is done it rotates your log files. When it rotates your log files, a reload/restart of Apache is needed. Therefore it reloads/restarts every night regardless of Let's Encrypt.

By the way, if you have CentOS 6.x it will restart apache, if you have CentOS 7.x it will do a graceful restart of apache (no downtime).

However, I have never experienced it taking a minute to restart Apache on CentOS 6; for us that only takes about one second. I don't understand why it would go down for a full minute like you say.
 