At Upgrade... Couldn't verify signature of downloaded certbot-auto

when i use

certbot-auto --debug

it return:

Upgrading certbot-auto 0.27.1 to 0.30.0…
Couldn’t verify signature of downloaded certbot-auto. Command ‘[u’openssl’, u’dgst’, u’-sha256’, u’-verify’, u’/tmp/tmp.Mm812iZM45/public_key.pem’, u’-signature’, u’/tmp/tmp.Mm812iZM45/letsencrypt-auto.sig’, u’/tmp/tmp.Mm812iZM45/letsencrypt-auto’]’ returned non-zero exit status 127

pip is updated at last version!

@schoen can you please take a look at it?

Thank you

If these files haven’t been deleted, could you post the output of these commands?

ls -l /tmp/tmp.Mm812iZM45/{public_key.pem,letsencrypt-auto.sig,letsencrypt-auto}

sha256sum /tmp/tmp.Mm812iZM45/{public_key.pem,letsencrypt-auto.sig,letsencrypt-auto}

I wonder if this is actually openssl that's missing:

which openssl
openssl version

A missing key/digest file would cause openssl to give exit code 1, whereas a shell would return exit code 127 if openssl was missing.


Whoops, yeah!

@tharivol_luis, workaround include:

  • Install openssl on your system (it’s standard on most Unix-like operating systems!)
  • Re-download certbot-auto from the beginning (via wget) so that it doesn’t immediately need to download an upgrade
  • Run certbot-auto with --no-self-upgrade

The first of these options is far preferable to the other two.

unfortunately this files do not exist inside /tmp/

i thought that could be a openssl problem… i saw this problem before… but not with this bug message…

i installed the open ssl and used the certbot-auto – no-self-upgrade and i followed the step, but at the end it returned

"Exiting abnormally:
Traceback (most recent call last):
File “/opt/”, line 11, in
File “/opt/”, line 1364, in main
return config.func(config, plugins)
File “/opt/”, line 1118, in run
certname, lineage)
File “/opt/”, line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/opt/”, line 310, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File “/opt/”, line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(, self.config.allow_subset_of_names)
File “/opt/”, line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/opt/”, line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File “/opt/”, line 132, in _solve_challenges
resp = self.auth.perform(all_achalls)
File “/opt/”, line 1068, in perform
http_response = http_doer.perform()
File “/opt/”, line 60, in perform“HTTP Challenge”, True)
File “/opt/”, line 998, in save
File “/opt/”, line 243, in filedump
out = nginxparser.dumps(tree)
File “/opt/”, line 134, in dumps
return str(RawNginxDumper(blocks.spaced))
File “/opt/”, line 98, in str
return ‘’.join(self)
UnicodeDecodeError: ‘ascii’ codec can’t decode byte 0xc3 in position 20: ordinal not in range(128)

Looks like some non-ASCII character creeped into the config somewhere...
Maybe you have edited some of the files with Windows editor?

1 Like

sorry, but this i did not got it,

“Maybe you have edited some of the files with Windows editor?”

@schoen take a loot at the result of certbot-auto --no-self-upgrade

Sometimes people edit files using windows notepad (or even wordpad) and it adds "extra" characters that unix/Linux doesn't understand.

certbot-auto is working fine - your original issue is gone.

rg305 correctly identified that somewhere in your nginx configuration files (either the contents or the filename), there are some non-ASCII characters. That's what the current error is about.

At the moment, Certbot cannot deal with non-ASCII text. It's an outstanding bug but will eventually be fixed.

You can try locate the errant text line this:

grep -R -P -n "[\x80-\xFF]" /etc/nginx/{conf.d,sites-enabled}

there are many lines with Ç and Ã, but ALL lines are marked as commentary “#”

Yes, certbot can’t handle (yet) config files with utf-8 char. (even if it’s just a comment):

1 Like

there was a combo errors, first the openssl could not be updated, i installed it again, i upgraded the pip, downloaded the last certbot version and o changed all the using sed Ã, Õ in nginx/sites-enabled

but like i said, i thought that was a openssl problem… but i never saw this error linked with openssl…

thank you all folks!


I think you had both problem :wink: I’m glad they are fixed now!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.