[Let's Encrypt] How to Fix certbot renew Error: Could not bind TCP port 443 because it is already in use by another process on this system

Tadashi Shigeoka ·  Mon, October 9, 2017

This post explains how to fix the error “Could not bind TCP port 443 because it is already in use by another process on this system”, which appears when renewing a Let’s Encrypt SSL certificate with certbot renew.

certbot renew Error Message

When I ran certbot renew, the following error message occurred:

$ sudo /usr/bin/certbot renew --renew-hook "/bin/systemctl reload nginx"
[sudo] password for admin: 

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/yourdomain.example.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for yourdomain.example.com
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/yourdomain.example.com.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/yourdomain.example.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

The line “Attempting to renew cert from /etc/letsencrypt/renewal/yourdomain.example.com.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server).” shows why the renewal failed: certbot was running the tls-sni-01 challenge in standalone mode, which needs to bind TCP port 443 itself, and that port was already held by another process (here, Nginx).

How to Run certbot renew Without Errors

Correct certbot renew Method

certbot has --apache and --nginx options. If you pass the option matching your web server, certbot completes the challenge through the running web server instead of binding port 443 itself, so certbot renew runs without the error.

  • --apache Use the Apache plugin for authentication & installation
  • --nginx Use the Nginx plugin for authentication & installation

sudo /usr/bin/certbot renew \
--nginx \
--renew-hook "/bin/systemctl reload nginx"
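As an added example (not part of the original post), the following POSIX shell helper works out which process owns TCP port 443 from `ss -ltnp` output and picks the matching certbot plugin option, falling back to --standalone only when the port is actually free. The `ss` sample, the function names and the process-to-option mapping are my own assumptions, not something certbot provides.

```shell
#!/bin/sh
# Decide how to run `certbot renew` based on who is listening on TCP 443.
# The standalone authenticator must bind 443 itself; if a web server already
# owns it, use that server's plugin (--nginx / --apache) instead.

# Constructed sample of `ss -ltnp` output on a host where nginx owns port 443.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1234,fd=6))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=1234,fd=7))
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=800,fd=3))'

# port_443_owner: read `ss -ltnp` output on stdin and print the name of the
# process listening on TCP 443 (IPv4 or IPv6), or nothing if the port is free.
port_443_owner() {
    awk '$1 == "LISTEN" && $4 ~ /:443$/ {
        if (match($0, /"[^"]+"/)) {
            print substr($0, RSTART + 1, RLENGTH - 2); exit
        }
    }'
}

# certbot_plugin_flag: map the owner of port 443 to the certbot option that
# renews through that web server; an empty owner means the port is free.
# Any other listener is refused rather than guessed at.
certbot_plugin_flag() {
    case "$1" in
        nginx)          echo "--nginx" ;;
        apache2|httpd)  echo "--apache" ;;
        "")             echo "--standalone" ;;
        *)              echo "unsupported listener on 443: $1" >&2; return 1 ;;
    esac
}

# renew_cmd: build the `certbot renew` command line for the given ss output.
# The reload hook assumes the systemd unit is named after the process
# (nginx -> nginx.service, apache2 -> apache2.service, httpd -> httpd.service).
renew_cmd() {
    owner=$(printf '%s\n' "$1" | port_443_owner)
    flag=$(certbot_plugin_flag "$owner") || return 1
    if [ -n "$owner" ]; then
        echo "certbot renew $flag --renew-hook \"/bin/systemctl reload $owner\""
    else
        echo "certbot renew $flag"
    fi
}

# On a live host (root is needed for ss to show process names):
#   renew_cmd "$(ss -ltnp)"
```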

Incorrect certbot renew Method

You can also renew by temporarily stopping Nginx and then running certbot renew as shown below, but I don’t recommend this because it causes momentary downtime.

sudo systemctl stop nginx
sudo /usr/bin/certbot renew \
--renew-hook "/bin/systemctl start nginx"

Downtime Issue Already Solved with --nginx Option

This approach causes a few seconds of downtime, which is a concern. You could schedule the renewal for low-traffic late-night hours, but if Nginx then fails to start you would have to deal with the incident at that time, so I prefer automatic renewal to run during hours when I’m awake.

If anyone knows a way to renew Let’s Encrypt SSL certificates with certbot renew without stopping the Nginx process, please let me know.

By adding the --nginx option, I was able to run certbot renew without errors and without stopping the Nginx process.

That’s all from the Gemba, where I wanted error-free certbot renewal.
