Hi,
I made a clean install with the VMware virtual appliance and the adapted CLI examples, up to ACME installation.
But after a successful ACME certification installation (HTML-01) the console does not start up, and i cannot login to https://IP-address:9090.
Screen shows “systemctl enable – now cockpit.socket”. I can login via ssh and start the cockpit.
The console GUI shows that cm-cockpit-tls-certificate.service failed to start and is now disabled and I get “Copy the system cert to the cockpit tls path and restarts cockpit”.
After a reboot, I must always login via ssh and start the console manually.
The behavior is reproducible; I tried it 3 times, always with a clean VM.
I assume I need to copy the ACME certificate to /etc/cockpit/ws-certs.d, but how exactly does that work?
Is it possible to automate the process so that the certificate for the console is also provisioned after the ACME certificate is updated?
Thanks for any help!
Björn
Logfile
June 25, 2026
12:11 PM
Failed to start Copy the system cert to the cockpit tls path and restarts cockpit.
systemd
12:11 PM
cm-cockpit-tls-certificate.service: Failed with result ‘exit-code’.
systemd
12:11 PM
cm-cockpit-tls-certificate.service: Main process exited, code=exited, status=1/FAILURE
systemd
12:11 PM
Job failed. See “journalctl -xe” for details.
systemctl
12:11 PM
Starting Copy the system cert to the cockpit tls path and restarts cockpit…
Hi Martijn,
I could not find any error when running “journalctl -xe”.
I run “systemctl status cockpit.socket” and “systemctl status cm-cockpit-tls-certificate.service” instead:
[sa@cipher1 ~] $ sudo systemctl status cockpit.socket
[sudo] password for sa:
● cockpit.socket - Cockpit Web Service Socket
Loaded: loaded (/usr/lib/systemd/system/cockpit.socket; enabled; preset: disabled)
Active: active (running) since Thu 2026-06-25 10:13:35 UTC; 1h 31min ago
Until: Thu 2026-06-25 10:13:35 UTC; 1h 31min ago
Triggers: ● cockpit.service
Docs: man:cockpit-ws(8)
Listen: [::]:9090 (Stream)
Process: 2973 ExecStartPost=/usr/share/cockpit/issue/update-issue localhost (code=exited, status=0/SUCCESS)
Process: 2980 ExecStartPost=/bin/ln -snf active.issue /run/cockpit/issue (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 22814)
Memory: 8.0K (peak: 2.6M)
CPU: 52ms
CGroup: /system.slice/cockpit.socket
Jun 25 10:13:35 cipher1 systemd[1]: Starting Cockpit Web Service Socket…
Jun 25 10:13:35 cipher1 systemd[1]: Listening on Cockpit Web Service Socket.
[sa@cipher1 ~] $ sudo systemctl status cm-cockpit-tls-certificate.service
× cm-cockpit-tls-certificate.service - Copy the system cert to the cockpit tls path and restarts cockpit
Loaded: loaded (/etc/systemd/system/cm-cockpit-tls-certificate.service; disabled; preset: disabled)
Active: failed (Result: exit-code) since Thu 2026-06-25 10:11:02 UTC; 1h 34min ago
TriggeredBy: ● cm-monitor-cockpit-tls-certificate.path
Main PID: 993 (code=exited, status=1/FAILURE)
CPU: 43ms
Jun 25 10:11:02 cipher1 systemd[1]: Starting Copy the system cert to the cockpit tls path and restarts cockpit…
Jun 25 10:11:02 cipher1 systemctl[993]: Job failed. See “journalctl -xe” for details.
Jun 25 10:11:02 cipher1 systemd[1]: cm-cockpit-tls-certificate.service: Main process exited, code=exited, status=1/FAILURE
Jun 25 10:11:02 cipher1 systemd[1]: cm-cockpit-tls-certificate.service: Failed with result ‘exit-code’.
Jun 25 10:11:02 cipher1 systemd[1]: Failed to start Copy the system cert to the cockpit tls path and restarts cockpit.
[sa@cipher1 ~] $
Just to make sure I understand the issue, the certificate is successfully requested with ACME and installed, the Web UI uses the new cert. Cockpit also uses the new cert but it fails starting up after reboot and needs a manual restart?
Yes, exactly. ACME certification installation was successfully, both the Web UI and Cockpit GUI uses the new ACME certificate. Cockpit fails to start, and after starting manually the service cm-cockpit-tls-certificate.service failed. Appliance seems working correctly (I can send mails through the appliance; encryption is not configured yet).
Let me know if I can send you more information.
Björn
After executing “systemctl enable --now cockpit.socket” to start Cockpit, the screen shows that /etc/rc.d/rc.local is not marked executable.
Hope this helps.
Jun 25 12:25:26 cipher1 systemd[1]: Starting Copy the system cert to the cockpit tls path and restarts cockpit…
Jun 25 12:25:26 cipher1 systemd[1]: cm-cockpit-tls-certificate.service: Deactivated successfully.
Jun 25 12:25:26 cipher1 systemd[1]: Finished Copy the system cert to the cockpit tls path and restarts cockpit.
for some reason “cm-cockpit-tls-certificate.service” fails when it is started during startup of the VM but not when the VM is already started. We added the following line to the systed unit which fixed the issue for someone else:
After=cockpit.socket
But is looks like it is not sufficient.
Can you show the output of this command right after a restart (i.e., before manually starting anything)
sudo systemctl status cm-cockpit-tls-certificate.service
Last login: Thu Jun 25 12:52:52 2026 from ::ffff:192.168.5.26
[sa@cipher1 ~] $ sudo systemctl status cm-cockpit-tls-certificate.service
[sudo] password for sa:
× cm-cockpit-tls-certificate.service - Copy the system cert to the cockpit tls path and restarts cockpit
Loaded: loaded (/etc/systemd/system/cm-cockpit-tls-certificate.service; disabled; preset: disabled)
Active: failed (Result: exit-code) since Thu 2026-06-25 13:00:24 UTC; 47s ago
TriggeredBy: ● cm-monitor-cockpit-tls-certificate.path
Process: 923 ExecStart=/bin/bash -c openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/private/ciphermail.tls.pem | op>
Process: 932 ExecStart=/bin/bash -c openssl pkey -in /etc/pki/tls/private/ciphermail.tls.pem > /etc/cockpit/ws-cert>
Process: 954 ExecStart=chown root:root /etc/cockpit/ws-certs.d/cockpit.cert (code=exited, status=0/SUCCESS)
Process: 1037 ExecStart=chown root:root /etc/cockpit/ws-certs.d/cockpit.key (code=exited, status=0/SUCCESS)
Process: 1069 ExecStart=chmod 640 /etc/cockpit/ws-certs.d/cockpit.cert (code=exited, status=0/SUCCESS)
Process: 1072 ExecStart=chmod 640 /etc/cockpit/ws-certs.d/cockpit.key (code=exited, status=0/SUCCESS)
Process: 1073 ExecStart=systemctl restart cockpit.socket (code=exited, status=1/FAILURE)
Main PID: 1073 (code=exited, status=1/FAILURE)
CPU: 45ms
Jun 25 13:00:24 cipher1 systemd[1]: Starting Copy the system cert to the cockpit tls path and restarts cockpit…
Jun 25 13:00:24 cipher1 systemctl[1073]: Job failed. See “journalctl -xe” for details.
Jun 25 13:00:24 cipher1 systemd[1]: cm-cockpit-tls-certificate.service: Main process exited, code=exited, status=1/FAIL>
Jun 25 13:00:24 cipher1 systemd[1]: cm-cockpit-tls-certificate.service: Failed with result ‘exit-code’.
Jun 25 13:00:24 cipher1 systemd[1]: Failed to start Copy the system cert to the cockpit tls path and restarts cockpit.
[sa@cipher1 ~] $ sudo journalctl -u cockpit.socket
[sudo] password for sa:
Jun 25 07:40:03 localhost systemd[1]: Starting Cockpit Web Service Socket…
Jun 25 07:40:03 localhost systemd[1]: Listening on Cockpit Web Service Socket.
Jun 25 07:40:04 localhost systemd[1]: Stopping Cockpit Web Service Socket…
Jun 25 07:40:04 localhost systemd[1]: cockpit.socket: Deactivated successfully.
Jun 25 07:40:04 localhost systemd[1]: Closed Cockpit Web Service Socket.
Jun 25 07:40:04 localhost systemd[1]: Starting Cockpit Web Service Socket…
Jun 25 07:40:04 localhost systemd[1]: Listening on Cockpit Web Service Socket.
Jun 25 07:48:50 cipher1 systemd[1]: Stopping Cockpit Web Service Socket…
Jun 25 07:48:50 cipher1 systemd[1]: cockpit.socket: Deactivated successfully.
Jun 25 07:48:50 cipher1 systemd[1]: Closed Cockpit Web Service Socket.
– Boot c7f79a95e36e45bd87bb4de603909534 –
Jun 25 07:48:59 cipher1 systemd[1]: Starting Cockpit Web Service Socket…
Jun 25 07:48:59 cipher1 systemd[1]: Listening on Cockpit Web Service Socket.
– Boot d2ab84de396946828a0c2de2c8cce39a –
Jun 25 07:55:59 cipher1 systemd[1]: Starting Cockpit Web Service Socket…
Jun 25 07:55:59 cipher1 systemd[1]: Listening on Cockpit Web Service Socket.
– Boot 0894366f647444e98079acf713a5771d –
Jun 25 09:54:29 cipher1 systemd[1]: Starting Cockpit Web Service Socket…
Jun 25 09:54:29 cipher1 systemd[1]: Listening on Cockpit Web Service Socket.
– Boot bd442a46e9dd473b9db74ff5903e0a05 –
Jun 25 10:02:51 cipher1 systemd[1]: Starting Cockpit Web Service Socket…
Jun 25 10:02:51 cipher1 systemd[1]: Listening on Cockpit Web Service Socket.
Jun 25 10:09:20 cipher1 systemd[1]: Stopping Cockpit Web Service Socket…
Jun 25 10:09:20 cipher1 systemd[1]: cockpit.socket: Deactivated successfully.
Jun 25 10:09:20 cipher1 systemd[1]: Closed Cockpit Web Service Socket.
Jun 25 10:09:20 cipher1 systemd[1]: Starting Cockpit Web Service Socket…
Jun 25 10:09:20 cipher1 systemd[1]: Listening on Cockpit Web Service Socket.
– Boot 826cd2ef7cd74a0aaa66997a85316282 –
Jun 25 10:11:00 cipher1 systemd[1]: Starting Cockpit Web Service Socket…
Jun 25 10:11:00 cipher1 systemd[1]: Listening on Cockpit Web Service Socket.
Jun 25 10:11:02 cipher1 systemd[1]: Stopping Cockpit Web Service Socket…
Jun 25 10:11:02 cipher1 systemd[1]: cockpit.socket: Deactivated successfully.
Jun 25 10:11:02 cipher1 systemd[1]: Closed Cockpit Web Service Socket.
Jun 25 10:11:02 cipher1 systemd[1016]: cockpit.socket: Failed to create listening socket ([::]:9090): Address already i>
Jun 25 10:11:02 cipher1 systemd[1]: cockpit.socket: Failed to receive listening socket ([::]:9090): Input/output error
Jun 25 10:11:02 cipher1 systemd[1]: cockpit.socket: Failed to listen on sockets: Input/output error
Jun 25 10:11:02 cipher1 systemd[1]: Starting Cockpit Web Service Socket…
Jun 25 10:11:02 cipher1 systemd[1]: cockpit.socket: Failed with result ‘resources’.
Jun 25 10:11:02 cipher1 systemd[1]: Failed to listen on Cockpit Web Service Socket.
Jun 25 10:13:35 cipher1 systemd[1]: Starting Cockpit Web Service Socket…
Jun 25 10:13:35 cipher1 systemd[1]: Listening on Cockpit Web Service Socket.
– Boot a4610c94c23841c9905618341033ef98 –
Jun 25 12:12:32 cipher1 systemd[1]: Starting Cockpit Web Service Socket…
Jun 25 12:12:32 cipher1 systemd[1]: Listening on Cockpit Web Service Socket.
Jun 25 12:12:34 cipher1 systemd[1]: Stopping Cockpit Web Service Socket…
Jun 25 12:12:34 cipher1 systemd[1]: cockpit.socket: Deactivated successfully.
Jun 25 12:12:34 cipher1 systemd[1]: Closed Cockpit Web Service Socket.
Jun 25 12:12:34 cipher1 systemd[986]: cockpit.socket: Failed to create listening socket ([::]:9090): Address already in>
Jun 25 12:12:34 cipher1 systemd[1]: cockpit.socket: Failed to receive listening socket ([::]:9090): Input/output error
Jun 25 12:12:34 cipher1 systemd[1]: cockpit.socket: Failed to listen on sockets: Input/output error
Jun 25 12:12:34 cipher1 systemd[1]: Starting Cockpit Web Service Socket…
Jun 25 12:12:34 cipher1 systemd[1]: cockpit.socket: Failed with result ‘resources’.
Jun 25 12:12:34 cipher1 systemd[1]: Failed to listen on Cockpit Web Service Socket.
Jun 25 12:13:33 cipher1 systemd[1]: Starting Cockpit Web Service Socket…
Jun 25 12:13:33 cipher1 systemd[1]: Listening on Cockpit Web Service Socket.
– Boot 93b8d2f16af74cf7a1b9c140704e619b –
Jun 25 12:24:28 cipher1 systemd[1]: Starting Cockpit Web Service Socket…
Jun 25 12:24:28 cipher1 systemd[1]: Listening on Cockpit Web Service Socket.
Jun 25 12:24:29 cipher1 systemd[1]: Stopping Cockpit Web Service Socket…
Jun 25 12:24:29 cipher1 systemd[1]: cockpit.socket: Deactivated successfully.
Jun 25 12:24:29 cipher1 systemd[1]: Closed Cockpit Web Service Socket.
Jun 25 12:24:29 cipher1 systemd[1061]: cockpit.socket: Failed to create listening socket ([::]:9090): Address already i>
Jun 25 12:24:29 cipher1 systemd[1]: cockpit.socket: Failed to receive listening socket ([::]:9090): Input/output error
