All renewal attempts failed. certbot.main:Could not choose appropriate plugin


#1

CentOS 7 Linux

Using the auto-renew from this tutorial: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7

I’ve had working certs for a few months now, but in the past week or so I’ve been getting emails from Let’s Encrypt:

Your certificate (or certificates) for the names listed below will expire in 0 days (on 29 Jul 16 11:11 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

Since this service is new I wanted to see what would happen if I left it (would the auto renew script just kick in last minute to save the site?)

It looks like it tried to several times but started to fail each attempt!

/var/log/le-renew.log shows:

Checking for new version…
Requesting root privileges to run letsencrypt…
/root/.local/share/letsencrypt/bin/letsencrypt renew


Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
Checking for new version…
Requesting root privileges to run letsencrypt…
/root/.local/share/letsencrypt/bin/letsencrypt renew


Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
Checking for new version…
Requesting root privileges to run letsencrypt…
/root/.local/share/letsencrypt/bin/letsencrypt renew


Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
Checking for new version…
Requesting root privileges to run letsencrypt…
/root/.local/share/letsencrypt/bin/letsencrypt renew


Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
Checking for new version…
Requesting root privileges to run letsencrypt…
/root/.local/share/letsencrypt/bin/letsencrypt renew


Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
Checking for new version…
Requesting root privileges to run letsencrypt…
/root/.local/share/letsencrypt/bin/letsencrypt renew


Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
Checking for new version…
Requesting root privileges to run letsencrypt…
/root/.local/share/letsencrypt/bin/letsencrypt renew


Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
Checking for new version…
Requesting root privileges to run letsencrypt…
/root/.local/share/letsencrypt/bin/letsencrypt renew


Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
Checking for new version…
Upgrading letsencrypt-auto 0.5.0 to 0.6.0…
Replacing letsencrypt-auto…
cp -p /opt/letsencrypt/letsencrypt-auto /tmp/tmp.CHatZCQ6FG/letsencrypt-auto.permission-clone
cp /tmp/tmp.CHatZCQ6FG/letsencrypt-auto /tmp/tmp.CHatZCQ6FG/letsencrypt-auto.permission-clone
mv -f /tmp/tmp.CHatZCQ6FG/letsencrypt-auto.permission-clone /opt/letsencrypt/letsencrypt-auto
Creating virtual environment…
Installing Python packages…
Installation succeeded.
Requesting root privileges to run certbot…
/root/.local/share/letsencrypt/bin/letsencrypt renew


Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
Checking for new version…
Requesting root privileges to run certbot…
/root/.local/share/letsencrypt/bin/letsencrypt renew


Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
Checking for new version…
Upgrading certbot-auto 0.6.0 to 0.7.0…
Replacing certbot-auto…
Creating virtual environment…
Installing Python packages…
Installation succeeded.


Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
Upgrading certbot-auto 0.7.0 to 0.8.0…
Replacing certbot-auto…
Creating virtual environment…
Installing Python packages…
Installation succeeded.


Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.


Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
Upgrading certbot-auto 0.8.0 to 0.8.1…
Replacing certbot-auto…
Creating virtual environment…
Installing Python packages…
Installation succeeded.


Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.


Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.


Processing /etc/letsencrypt/renewal/example.com.conf

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)


Processing /etc/letsencrypt/renewal/example.com.conf

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)


Processing /etc/letsencrypt/renewal/example.com.conf

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)


Processing /etc/letsencrypt/renewal/example.com.conf

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)

Yes, I can log in to a root shell on my machine.

Found this error in /var/log/letsencrypt/letsencrypt.log:

2016-07-25 00:30:02,622:INFO:certbot.renewal:Cert is due for renewal, auto-renewing…
2016-07-25 00:30:02,635:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2016-07-25 00:30:02,643:DEBUG:certbot.plugins.disco:No installation (PluginEntryPoint#apache):
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/plugins/disco.py", line 105, in prepare
    self._initialized.prepare()
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot_apache/configurator.py", line 161, in prepare
    raise errors.NoInstallationError
NoInstallationError
2016-07-25 00:30:02,643:DEBUG:certbot.plugins.selection:No candidate plugin
2016-07-25 00:30:02,643:DEBUG:certbot.plugins.selection:No candidate plugin
2016-07-25 00:30:02,643:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2016-07-25 00:30:02,643:INFO:certbot.main:Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()
2016-07-25 00:30:02,643:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError(). Skipping.
2016-07-25 00:30:02,644:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/renewal.py", line 346, in renew_all_lineages
    main.obtain_cert(lineage_config, plugins, renewal_candidate)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 546, in obtain_cert
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/plugins/selection.py", line 196, in choose_configurator_plugins
    diagnose_configurator_problem("authenticator", req_auth, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/plugins/selection.py", line 273, in diagnose_configurator_problem
    raise errors.PluginSelectionError(msg)
PluginSelectionError: The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()


#2

Out of curiosity, do you get the same error when you run /opt/letsencrypt/letsencrypt-auto renew manually (i.e. outside of cron), or does it succeed in that case?


#3

I have to run this manually

  1. renew

/opt/letsencrypt/letsencrypt-auto --apache -d example.com

  2. join the certs to form the mongodb cert

bash /etc/letsencrypt/le-cron.sh

le-cron.sh:

/opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
cat /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/cert.pem > /etc/letsencrypt/live/example.com/mongod-sslCert.pem
cat /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/fullchain.pem > /etc/letsencrypt/live/example.com/mongod-PEMKeyFile.pem
mongod --dbpath /data/db --shutdown
mongod --auth --config /etc/mongod.conf
service httpd restart


I think I see the problem in le-cron.sh: in the first line, --apache is missing. Could that be why it fails?
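
A variant of the bundling steps in le-cron.sh, added here as an example and not code from the thread: it rebuilds the MongoDB bundles only when the renew command exits successfully, and writes each key-bearing file with mode 0600 through a temporary file in the same directory. The function names are hypothetical, and it assumes mongod is started by the same user that runs the script, as in the post.

```shell
#!/bin/sh
# Added example: the key+certificate bundling from le-cron.sh, gated on the
# renew command and written so the private key copy never inherits the
# process umask (a plain `cat ... > file` creates the file as 0666 & ~umask).

# build_pem_bundle OUT PART...: concatenate PART files into OUT.
# Every part must exist and be non-empty. The data goes to a mktemp file
# (created 0600) next to OUT and is renamed into place, so a reader never
# sees a half-written bundle and a failed run leaves the old one intact.
# ASSUMPTION: the process reading OUT runs as the user running this script.
build_pem_bundle() {
    out=$1
    shift
    for part in "$@"; do
        [ -s "$part" ] || { echo "missing or empty: $part" >&2; return 1; }
    done
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    if cat "$@" > "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# renew_and_bundle LIVE_DIR RENEW_CMD...: run RENEW_CMD; rebuild the two
# MongoDB bundles (file names as in the post) only if it exits 0.
renew_and_bundle() {
    live=$1
    shift
    "$@" || { echo "renew command failed; bundles left untouched" >&2; return 1; }
    build_pem_bundle "$live/mongod-sslCert.pem" \
        "$live/privkey.pem" "$live/cert.pem" &&
    build_pem_bundle "$live/mongod-PEMKeyFile.pem" \
        "$live/privkey.pem" "$live/fullchain.pem"
}

# Cron entry point mirroring le-cron.sh (paths are the ones in the post):
#   renew_and_bundle /etc/letsencrypt/live/example.com \
#       /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log 2>&1
```
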


#4

Both commands (/opt/letsencrypt/letsencrypt-auto --apache -d example.com and /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log) will try to issue a certificate for example.com - the first one explicitly, and the second by reading the renewal config and basically doing the same thing the first command does internally. I’m not sure if I understand your post correctly - are you running both commands as part of your cronjob? That doesn’t seem necessary, you’d only need the renew command.

I’m still curious whether the renew command succeeds (or what the output is) if you run it manually (outside of cron), can you try that?

No, the renew command looks at the renewal configuration files in /etc/letsencrypt/renewal, which should have a line that tells the client to use --apache if that’s what you originally used to get the certificate.


#5

Sorry, I’m not being specific enough…

the le-cron.sh is the job that the cron runs (and fails)

me manually running /opt/letsencrypt/letsencrypt-auto --apache -d example.com then running the cron script is me thinking ‘ok the le-cron will skip as always the first line but, then it will make my custom mongodb file’

so /opt/letsencrypt/letsencrypt-auto --apache -d example.com works! I get renewed no problem!


I’m still curious whether the renew command succeeds (or what the output is) if you run it manually (outside of cron), can you try that?

After I manually run the above command, the letsencrypt.log reads:

2016-07-29 14:46:33,564:DEBUG:certbot.main:Root logging level set at 30
2016-07-29 14:46:33,564:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-07-29 14:46:33,564:DEBUG:certbot.main:certbot version: 0.8.1
2016-07-29 14:46:33,564:DEBUG:certbot.main:Arguments: []
2016-07-29 14:46:33,564:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-07-29 14:46:33,583:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x42d7690> and installer <certbot.cli._Default object at 0x42d7690>
2016-07-29 14:46:33,590:INFO:certbot.renewal:Cert not yet due for renewal
2016-07-29 14:46:33,590:DEBUG:certbot.renewal:no renewal failures


#6

So basically I manually got the cert, then ran the script knowing that the first line would fail but it would do the rest of the script OK.


#7

Try /opt/letsencrypt/letsencrypt-auto renew --dry-run. This will emulate the renewal process despite the fact that the certificate is not due for renewal. What I’m trying to figure out is whether the renewal command failing is due to it being called by cron (as opposed to a regular terminal session.)


#8

[root@panel ~]# /opt/letsencrypt/letsencrypt-auto renew --dry-run


Processing /etc/letsencrypt/renewal/example.com.conf

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

#10

@pfg I got the output of the --dry-run!


#11

Looks like it’s working from an interactive shell, so it appears to be a problem with the cron environment. Take a look at this suggested fix from another similar thread:
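
One way to confirm a cron-environment difference from a terminal, as an added example that is not part of the thread and is not the fix the post refers to. The `CRON_PATH` value, the function names and the tool names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce a cron-only failure from a
# terminal by running a command with roughly the environment cron provides.
# ASSUMPTION: /usr/bin:/bin is the PATH cron uses when the crontab sets none;
# check your crontab and cron's documentation for the real value.
CRON_PATH="/usr/bin:/bin"

# run_like_cron CMD [ARGS...]: empty environment except cron-style basics,
# and no terminal on stdin.
run_like_cron() {
    env -i HOME="${HOME:-/root}" LOGNAME="${LOGNAME:-root}" \
        SHELL=/bin/sh PATH="$CRON_PATH" "$@" </dev/null
}

# missing_under_cron TOOL...: report each tool that the current shell's PATH
# resolves but the cron-like PATH does not. Returns 1 if any were reported.
missing_under_cron() {
    rc=0
    for tool in "$@"; do
        # Tools the current shell cannot find either are skipped.
        here=$(command -v "$tool" 2>/dev/null) || continue
        if ! run_like_cron /bin/sh -c 'command -v "$1" >/dev/null 2>&1' sh "$tool"; then
            echo "$tool: $here is not reachable via cron PATH $CRON_PATH"
            rc=1
        fi
    done
    return "$rc"
}

# Usage from an interactive root shell (the command is the one in the thread;
# the tool names are assumptions about what the Apache plugin may invoke):
#   run_like_cron /opt/letsencrypt/letsencrypt-auto renew --dry-run
#   missing_under_cron apachectl httpd
```

If the dry run fails under `run_like_cron` but succeeds when run directly, the difference lies in the environment rather than in the renewal configuration.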


#12

Thanks, will report the result #progress!

