Apache Modsecurity Configuration and Old Certbot Prevents Renewal from Working

kparker · 2017-05-11 19:46:14 UTC

My automatic renewal wasn’t working, but after many hours figured out the problem. Here’s the fix in case someone else has the problem.

When trying to renew, this was the warning: “WARNING:letsencrypt.cli:Attempting to renew cert from … produced an unexpected error: The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError((‘There has been an error in parsing the file (%s): %s’, u’/usr/share/modsecurity- crs/rules/REQUEST-910-IP-REPUTATION.conf’, u’Syntax error’),). Skipping.”

Turns out REQUEST-910-IP-REPUTATION.conf had this line commented:
"#SecRule TX:REAL_IP “@ipMatchFromFile ip_blacklist.data” " but the lines under were not commented out for this rule. Once I commented out the rest of the SecRule (16 lines), the renewal worked.

The REQUEST-910-IP-REPUTATION.conf file on Github (https://github.com/fastly/waf_testbed/blob/master/templates/default/REQUEST-910-IP-REPUTATION.conf.erb) contains this syntax error.

schoen · 2017-05-11 21:05:54 UTC

@kparker, what version of Certbot do you have? Can you check with --version?

@bmw, this could be another Apache parser error, although I’m not certain that it’s the most recent Certbot.

kparker · 2017-05-11 21:26:58 UTC

I assume this is the version, which is the result of letsencrypt --version (certbot --version does not work): letsencrypt 0.4.1

bmw · 2017-05-11 21:43:40 UTC

This was an error with Certbot’s Apache parser but it has been fixed in more recent versions. You can download a newer version of Certbot that includes this fix by following the instructions at https://certbot.eff.org/#ubuntuxenial-apache.

schoen · 2017-05-11 21:44:02 UTC

You might be experiencing a problem with how far operating system-provided packages are lagging behind our current releases. The letsencrypt client was renamed to certbot over a year ago, and the version you have is more than a year old. It’s possible that this issue has been fixed in the meantime.

Edit: looks like @bmw agrees that this is the issue. Thanks for checking, Brad.

kparker · 2017-05-11 22:51:49 UTC

Thank you! I updated as directed to version 0.12.0 (version 12?). Is it true that it has a built in crontab for auto renewal, or do I need to enter one? Thanks again!!

schoen · 2017-05-12 00:39:11 UTC

If you got it with certbot-auto, it didn’t create a crontab file for you and you’ll have to do that yourself. However, if you still have the operating system package installed, it may have created one which may still exist (and may be running the older version of the renewer).

kparker · 2017-05-12 05:36:01 UTC

I installed it using:
> sudo apt-get install software-properties-common
> sudo add-apt-repository ppa:certbot/certbot
> sudo apt-get update
> sudo apt-get install python-certbot-apache
> certbot –apache

I assume, then, that this created the crontab? Where would it be located so I could check it?

My old crontab had:

30 2 * * 1 letsencrypt renew >> /var/log/letsencrypt/le-renew.log

Should I keep it but change it to:

30 2 * * 1 certbot renew >> /var/log/letsencrypt/le-renew.log

Thank you!

system · 2017-06-11 05:36:43 UTC

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.