"Attempting to renew cert produced an unexpected error: cannot load library"

My domain is: tinytype.co

I ran this command: sudo certbot renew --dry-run

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tinytype.co.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Attempting to renew cert (tinytype.co) from /etc/letsencrypt/renewal/tinytype.co.conf produced an unexpected error: cannot load library '/snap/certbot/356/usr/lib/x86_64-linux-gnu/libaugeas.so.0': /snap/certbot/356/usr/lib/x86_64-linux-gnu/libaugeas.so.0: cannot open shared object file: No such file or directory.  Additionally, ctypes.util.find_library() did not manage to locate a library called '/snap/certbot/356/usr/lib/x86_64-linux-gnu/libaugeas.so.0'. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/order.tinytype.co-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/order.tinytype.co-0002/fullchain.pem (failure)
  /etc/letsencrypt/live/order.tinytype.co/fullchain.pem (failure)
  /etc/letsencrypt/live/tinytype.co/fullchain.pem (failure)

My web server is (include version):
Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04.7 LTS (GNU/Linux 5.8.3-x86_64-linode137 x86_64)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.6.0.dev0

I’m quite lost – cannot figure out what the errors even mean.

1 Like

Which instructions did you use to install Certbot?

It's weird that you've ended up with a fairly old .dev0 (--edge) version while using snaps. At the very least, it should have automatically upgraded you to 1.10.0.dev0 if you were using the edge channel.

Does running this fix things for you?

sudo snap refresh --stable certbot

Well, I did have to install snap myself, as it did not come with my Ubuntu when I upgraded it. Other than that I followed the certbot manual → https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache.html

Running that command gives me the following output:
error: snap "certbot" is not available on stable but is available to install on the following

       edge       snap refresh --edge certbot

       Please be mindful pre-release channels may include features not completely tested or
       implemented. Get more information with 'snap info certbot'.
1 Like

I don't understand how you'd be getting that error on x86_64.

Do you know exactly which Linode image you are using? Could you link me to it, or its name?

I would note that it's pretty weird to have a 5.8.3 kernel on Ubuntu 16.04. Is it some kind of LXC virtualization?

uname -a
cat /etc/os-release
snap version
1 Like

That’s all probably a bit too technical for me to answer straight. I’ve run your commands, and here’s the results:

$ systemd-detect-virt

$ uname -a
Linux robin 5.8.3-x86_64-linode137 #1 SMP PREEMPT Mon Aug 24 14:50:33 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/os-release
VERSION="16.04.7 LTS (Xenial Xerus)"
PRETTY_NAME="Ubuntu 16.04.7 LTS"

$ snap version
snap    2.47.1
snapd   2.47.1
series  16
ubuntu  16.04
kernel  5.8.3-x86_64-linode137

Does that clarify anything? I guess qemu is relevant. There’s a good chance there’s some cruft from running upgrades a month ago, but I’m not the person to know how to solve or avoid that. If necessary, I can also ask someone from Linode to help with that part, but my primary concern is not having my certs expire.


Sorry, a couple more commands:

dpkg-query -l snapd
dpkg --print-architecture

After diving into the snapd code, my new suspicion is that you have snapd:i386 installed, which makes snap search for a 32-bit version of Certbot.

I can appreciate this, and thanks for being so cooperative with my questions.

If it comes down to the wire, you can still install python-certbot-apache from apt (removing the snap) and renew your existing certificates using that.


You were right: it is i386.

$ dpkg-query -l snapd
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                     Version           Architecture      Description
ii  snapd                    2.47.1            i386              Daemon and tooling that enable snap packages
$ dpkg --print-architecture

Curious to hear what went wrong here, and what I can do about it – but good to know that I can try the Python package if things get hairy.

1 Like

I think you probably upgraded from Ubuntu 14.04 at some point (which is why you have Linode's weird 5.8.3 kernel) and then on top of that, your dpkg architecture got changed to i386. Or perhaps it was always that for some reason ... but I don't see how.

This is above my level of expertise, sorry.

A very optimistic attempt to "fix this" would be:

sudo apt install snapd:amd64

but I think it's unlikely to actually work because it depends on a lot of core system packages which are probably currently installed as i386 :frowning: .

1 Like

Okay! Then I’ll try to bridge the gap with Python and hope that solves it – it at least will abstract it away from system packages, which should be helpful. You are correct that I upgraded from 14.04, and let me tell you, there were plenty of other problems when I did. So anything that can avoid that mess for now is a good idea.

One day I might just clean house, but… who wants to do that? Anyway. Thanks a lot! You’ve given me an understanding and an alternative.

1 Like