A question about certbot apt vs snap on Ubuntu

I know I am likely to be told to get lost because this isn't an LE problem, but...

I just noticed this in my logs today:

Dec 26 01:50:01 alice systemd[1]: Starting Service for snap application certbot.renew...
Dec 26 01:53:58 alice systemd[1]: snap.certbot.renew.service: Main process exited, code=exited, status=1/FAILURE
Dec 26 01:53:58 alice systemd[1]: snap.certbot.renew.service: Failed with result 'exit-code'.

If I do snap list, I see:

Name     Version   Rev    Tracking       Publisher     Notes
certbot  1.32.2    2618   latest/stable  certbot-eff✓  classic
core20   20221123  1738   latest/stable  canonical✓    base
snapd    2.57.6    17883  latest/stable  canonical✓    snapd

but I also see:

# dpkg --list | grep certbot
rc  certbot                                0.27.0-1~ubuntu18.04.2                                               all          automatically configure HTTPS using Let's Encrypt
ii  python3-certbot                        0.27.0-1~ubuntu18.04.2                                               all          main library for certbot
# certbot --version
certbot 1.32.2

Is the error in the log to do with the fact that I've still got the apt package installed? Should I remove the apt packages? I see it's "marked for removal".

Nah, we also help people with their ACME client setup, no problem.

Can't say from the limited info we currently have, but it's not recommended to have multiple Certbot packages installed to begin with, whether it's causing an error or not.

Yes, you should :slight_smile:

With regard to the Snap Certbot renewal error: there should be more info in the Certbot log file at /var/log/letsencrypt/letsencrypt.log.

6 Likes

Ah, thanks. OK I'll see if I can remove those packages... Oh what?

$ sudo apt remove certbot python3-certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'certbot' is not installed, so not removed
The following packages will be REMOVED
  python3-certbot
0 to upgrade, 0 to newly install, 1 to remove and 0 not to upgrade.
After this operation, 1,215 kB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.

Meanwhile:

I have very little clue what I'm looking at (or even for) in that log - mostly seems to be stuff about lines of python - but nothing seems to relate to that error.

Look for a log file in the folder that matches the time shown in the syslog in your first post. Older logs have a different name with a number appended.

Then copy that to a .txt file and use the upload button in this forum post to upload it. Or, copy/paste the whole thing here if upload is not viable.

6 Likes

You can safely remove python3-certbot as it's not part of the snap version of Certbot.

Afterwards, make sure /usr/bin/certbot is pointing to the snap version (location starting with /snap/something/blahblah I believe).

6 Likes

OK here's the log. There are a couple of domains that have had issues, but I don't think that's related:

lets.txt (927.5 KB)

Oh, if I do this, I get some errors about domains. Would they prevent the service from starting? Or is that not what it means? I think the owners of the domains in question have let them die/expire.

~$ systemctl status snap.certbot.renew.service
● snap.certbot.renew.service - Service for snap application certbot.renew
   Loaded: loaded (/etc/systemd/system/snap.certbot.renew.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2022-12-27 15:21:06 GMT; 34min ago
  Process: 10501 ExecStart=/usr/bin/snap run --timer=00:00~24:00/2 certbot.renew (code=exited, status=1/FAILURE)
 Main PID: 10501 (code=exited, status=1/FAILURE)

Dec 27 15:14:00 alice systemd[1]: Starting Service for snap application certbot.renew...
Dec 27 15:20:52 alice certbot.renew[10501]: Failed to renew certificate www.hashnext.com with error: Some challenges have failed.
Dec 27 15:21:04 alice certbot.renew[10501]: Failed to renew certificate www.spekeugandaholidays.com with error: Some challenges have failed.
Dec 27 15:21:05 alice certbot.renew[10501]: All renewals failed. The following certificates could not be renewed:
Dec 27 15:21:05 alice certbot.renew[10501]:   /etc/letsencrypt/live/www.hashnext.com/fullchain.pem (failure)
Dec 27 15:21:05 alice certbot.renew[10501]:   /etc/letsencrypt/live/www.spekeugandaholidays.com/fullchain.pem (failure)
Dec 27 15:21:05 alice certbot.renew[10501]: 2 renew failure(s), 0 parse failure(s)
Dec 27 15:21:06 alice systemd[1]: snap.certbot.renew.service: Main process exited, code=exited, status=1/FAILURE
Dec 27 15:21:06 alice systemd[1]: snap.certbot.renew.service: Failed with result 'exit-code'.
Dec 27 15:21:06 alice systemd[1]: Failed to start Service for snap application certbot.renew.

EDIT: If I do a certbot renew --dry-run all domains are fine apart from those two. So now I don't know if this is a real problem or not...

EDIT 2: And I've also found this in syslog. This doesn't look good either!

Dec 27 11:47:02 alice systemd[26976]: snap.certbot.certbot.5c9f9163-8540-4e0a-b6da-acab49f702bd.scope: Failed to add PIDs to scope's control group: Permission denied
Dec 27 11:47:02 alice systemd[26976]: snap.certbot.certbot.5c9f9163-8540-4e0a-b6da-acab49f702bd.scope: Failed with result 'resources'.
Dec 27 11:47:02 alice systemd[26976]: Failed to start snap.certbot.certbot.5c9f9163-8540-4e0a-b6da-acab49f702bd.scope.

Thanks - I've done that now and put a link to /snap/bin/certbot in /usr/bin/

I notice that before I did that, which certbot said /snap/bin/certbot and now it says /usr/bin/certbot but I guess that's OK?

This was actually probably not necessary because /snap/bin was in your PATH. It's also probably not harmful.

6 Likes

Maybe unnecessary, but actually step 6 in the Certbot instructions on certbot.eff.org :slight_smile:

I don't know which path has precedence, but I'm guessing /usr/bin. So it's probably a good idea to have the symlink present there pointing to snap, just in case there's a rogue Certbot installed somewhere else, e.g. installed using pip so no other package manager tracks it.

With regard to the failing renewal service: I don't know how the snap renewal service should end if there are failing renewals. It's probably functioning as it should: if Certbot's renewal fails due to some problematic renewal, it makes sense that the renewal service fails too?

7 Likes

What shows?:
certbot certificates

From that we can try renewing each certificate individually [that needs to be renewed].

4 Likes

Most of the certificates don't need renewing for about 30-40 days.

But what I can't work out is whether the certbot renewal service will run OK to renew them automatically. It has in the past, so maybe the errors I'm seeing in the logs have always been there - I've only just noticed them. But how do I tell if this is a "real" error or not?

You can modify the 30 day renewal period to a number higher than the lowest cert life.
And it will try to renew that cert on the next check.

6 Likes

Yes. I think this is the case.

Looking at the log file, I think everything is working fine. The renewal process starts up, fails to renew those two certificates, and exits with a non-zero exit code.

systemd picks this up as a failure, as noted:

7 Likes
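
Added example, not part of any post in this thread: one way to decide whether a failed snap.certbot.renew.service run is a "real" error is to pull the failed lineages out of the journal and compare them with the certificates you already know are abandoned. The function names, the abandoned-list argument and the sample hostnames are assumptions made for this sketch; the log format is the one quoted above.

```shell
#!/bin/sh
# Constructed journal excerpt in the format quoted in the thread
# (placeholder hostnames, not the poster's domains).
sample_journal() {
cat <<'EOF'
Dec 27 15:14:00 host systemd[1]: Starting Service for snap application certbot.renew...
Dec 27 15:20:52 host certbot.renew[10501]: Failed to renew certificate www.dead-one.example with error: Some challenges have failed.
Dec 27 15:21:05 host certbot.renew[10501]: All renewals failed. The following certificates could not be renewed:
Dec 27 15:21:05 host certbot.renew[10501]:   /etc/letsencrypt/live/www.dead-one.example/fullchain.pem (failure)
Dec 27 15:21:05 host certbot.renew[10501]:   /etc/letsencrypt/live/shop.live.example/fullchain.pem (failure)
Dec 27 15:21:05 host certbot.renew[10501]: 2 renew failure(s), 0 parse failure(s)
EOF
}

# stdin: journal text. stdout: one failed lineage name per line, sorted.
failed_lineages() {
    sed -n 's|.*certbot\.renew\[[0-9]*]:.*/live/\([^/ ]*\)/fullchain\.pem (failure)$|\1|p' | sort -u
}

# stdin: journal text. stdout: parse-failure count from the last summary line.
parse_failures() {
    sed -n 's|.* \([0-9][0-9]*\) parse failure(s)$|\1|p' | tail -n 1
}

# $1: space-separated lineages the operator has confirmed are abandoned
# (hypothetical input; the thread's poster would list the two expired domains).
triage() {
    journal=$(cat)
    abandoned=" $1 "
    actionable=""
    for name in $(printf '%s\n' "$journal" | failed_lineages); do
        case "$abandoned" in
            *" $name "*) ;;                          # failure is expected
            *) actionable="$actionable $name" ;;     # a cert still in use
        esac
    done
    pf=$(printf '%s\n' "$journal" | parse_failures)
    if [ "${pf:-0}" -gt 0 ]; then
        actionable="$actionable (unparseable renewal config: $pf)"
    fi
    if [ -z "$actionable" ]; then echo "expected"; else echo "actionable:$actionable"; fi
}

sample_journal | triage "www.dead-one.example"
```

On a live host the input would come from journalctl -u snap.certbot.renew.service instead of the constructed sample.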

Ah, that makes sense. So I guess I should be OK. Wish the error messages didn't look so scary though (eg "All renewals failed.") :slight_smile:

BTW is the "Failed to add PIDs to scope's control group: Permission denied" error related?

I think (hopefully) it is just a cosmetic issue which shouldn't affect Certbot. There's some more information in this comment about the error message. I think that is relevant to you, since you are on Ubuntu 18.04 which has systemd 237.

6 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.