AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'

Both installing Certbot using Snap and using the rehmatworks/serverpilot-letsencrypt installer fail with the errors below. Thanks for any help.

My domain is: outdoorgearalerts.com

It produced this output:

/usr/local/lib/python3.5/dist-packages/OpenSSL/crypto.py:14: CryptographyDeprecationWarning: Python 3.5 support will be dropped in the next release of cryptography. Please upgrade your Python.
  from cryptography import utils, x509
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for outdoorgearalerts.com
An unexpected error occurred:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
Please see the logfiles in /var/log/letsencrypt for more details.
2020-12-28 19:42:26,574:DEBUG:acme.client:Storing nonce: 0003VYPB8UBaxOATSNM9a2gbyi6ST9kpnLfnUnxcuquZcAo
2020-12-28 19:42:26,575:INFO:certbot.auth_handler:Performing the following challenges:
2020-12-28 19:42:26,575:INFO:certbot.auth_handler:http-01 challenge for outdoorgearalerts.com
2020-12-28 19:42:26,576:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())  
  File "/usr/local/lib/python3.5/dist-packages/certbot/main.py", line 1378, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.5/dist-packages/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/lib/python3.5/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/local/lib/python3.5/dist-packages/certbot/client.py", line 405, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/lib/python3.5/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.5/dist-packages/certbot/client.py", line 384, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/local/lib/python3.5/dist-packages/certbot/auth_handler.py", line 61, in handle_authorizations
    achalls = self._choose_challenges(authzrs)
  File "/usr/local/lib/python3.5/dist-packages/certbot/auth_handler.py", line 185, in _choose_challenges
    if any(isinstance(achall.chall, challenges.TLSSNI01) for achall in achalls):
  File "/usr/local/lib/python3.5/dist-packages/certbot/auth_handler.py", line 185, in <genexpr>
    if any(isinstance(achall.chall, challenges.TLSSNI01) for achall in achalls):
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
2020-12-28 19:42:26,578:ERROR:certbot.log:An unexpected error occurred:

My web server is (include version): nginx/1.19.6

The operating system my web server runs on is (include version): Ubuntu 16.04.7 LTS (GNU/Linux 5.8.3-x86_64-linode137 x86_64)

My hosting provider, if applicable, is: Linode using Serverpilot

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No, but using Serverpilot. I have root access.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.39.0

2 Likes

It sounds like you might have more than one version of certbot installed.
I suggest uninstalling the packaged one first.
sudo apt remove certbot

Then ensure the snap version is installed and run that.

Also, there may be something incorrect in the file:
/etc/letsencrypt/renewal/{your.domain}.conf

2 Likes

I don't see certbot installed by apt. I'm also not seeing any .conf file for this particular domain, although this is for another that is using a now archived serverpilot installer script.

Then it might be useful to see the entire command you ran.

2 Likes

Sorry! I thought I had pasted it in originally.

certbot certonly --non-interactive --dry-run --webroot -w /srv/users/serverpilot/apps/outdoorgearalerts/public --register-unsafely-without-email --agree-tos -d outdoorgearalerts.com

So I'm pulling this command out of debugging the rwssl script for Serverpilot; since this is failing, the script is not proceeding further.

2 Likes

Please show:
which certbot

And try placing some test text files.
One in the webroot folder.
Like:

echo "test file 1" > /srv/users/serverpilot/apps/outdoorgearalerts/public/test-file-1

Then another in the expected challenge path:

mkdir -p /srv/users/serverpilot/apps/outdoorgearalerts/public/.well-known/acme-challenge/
echo "test file 2" > /srv/users/serverpilot/apps/outdoorgearalerts/public/.well-known/acme-challenge/test-file-2

And see if they can be accessed from the Internet:
http://outdoorgearalerts.com/test-file-1
http://outdoorgearalerts.com/.well-known/acme-challenge/test-file-2

3 Likes

@rg305, the "module 'acme.challenges' has no attribute 'TLSSNI01'" error has to do with how Certbot is installed and is not an indication of running it with the wrong options.

3 Likes

@schoen, yes, that is true.
But 3/5 of what I've asked/said has pointed in that direction.

  1. It sounds like you might have more than one version of certbot installed.
    I suggest uninstalling the packaged one first.
    sudo apt remove certbot

Reply: "I don't see certbot installed by apt."
Review: Unable to show how the 0.39.0 version was installed.

  2. Then ensure the snap version is installed and run that.

Reply: Only showed the command ran
Review: There is no way to tell from the information provided which certbot is being run

certbot certonly --non-interactive --dry-run --webroot -w /srv/users/serverpilot/apps/outdoorgearalerts/public --register-unsafely-without-email --agree-tos -d outdoorgearalerts.com

  3. Please show:
    which certbot

Reply: (still waiting on that...)
Review: Much needed information is missing here.

  4. Also, there may be something incorrect in the file:
    /etc/letsencrypt/renewal/{your.domain}.conf

Reply: I'm also not seeing any .conf file for this particular domain
Review: Not terribly incriminating. This can be set aside for now.

  5. try placing some test text files.

Reply: (still waiting on that...)
Review: The very last part is me thinking about what may happen next (after the main issue has been resolved).

So, you may be right; I may have gotten a bit ahead of pace, since there is still so much unanswered.

3 Likes

~# which certbot
/usr/local/bin/certbot

I can only see the first.

3 Likes

Thank you.
This information is very useful.

Try:
/snap/bin/certbot --version

This is problematic, but we will have to set that aside for now.

3 Likes

# /snap/bin/certbot --version
certbot 1.10.1

2 Likes

OK!
Now try:

/snap/bin/certbot certonly --non-interactive --dry-run --webroot -w /srv/users/serverpilot/apps/outdoorgearalerts/public --register-unsafely-without-email --agree-tos -d outdoorgearalerts.com

[just add /snap/bin/ path]

3 Likes

# /snap/bin/certbot certonly --non-interactive --dry-run --webroot -w /srv/users/serverpilot/apps/outdoorgearalerts/public --register-unsafely-without-email --agree-tos -d outdoorgearalerts.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for outdoorgearalerts.com
Performing the following challenges:
http-01 challenge for outdoorgearalerts.com
Using the webroot path /srv/users/serverpilot/apps/outdoorgearalerts/public for all unmatched domains.
Waiting for verification...
Challenge failed for domain outdoorgearalerts.com
http-01 challenge for outdoorgearalerts.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: outdoorgearalerts.com
   Type:   unauthorized
   Detail: Invalid response from
   http://outdoorgearalerts.com/.well-known/acme-challenge/6qf5KXQac7uHO9BSUrVUZ97O4zXrFD30Yre9LcbCSt8
   [45.79.78.13]: 404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

2 Likes

This:

Goes directly to this:

The second file fails:

We will need to see the nginx vhost config.
First show the output of:
nginx -t
Then show the vhost config file that covers that FQDN for HTTP access.
And the output of this will be helpful too:
nginx -T | grep -Ei 'listen|root|server_name|cert|encrypt|virt|config|location'

3 Likes

I think I discovered the problem. Oddly there is no vhosts file! Let me fix that and see if the problem is resolved.

2 Likes

You still have two versions of certbot installed; one of which is broken (and happens to be the one used by default).
[There is nothing any nginx config change can do to fix that]

But, if you're happy, then, I'm happy.

3 Likes

I think it was the vhosts files that were missing. I've fixed them and am getting this...

# /snap/bin/certbot certonly --non-interactive --dry-run --webroot -w /srv/users/serverpilot/apps/outdoorgearalerts/public --register-unsafely-without-email --agree-tos -d outdoorgearalerts.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for outdoorgearalerts.com
Performing the following challenges:
http-01 challenge for outdoorgearalerts.com
Using the webroot path /srv/users/serverpilot/apps/outdoorgearalerts/public for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.

2 Likes

That is much improved.

FYI: test-file-2 now works too :)

3 Likes

Odd how the dry run works but this doesn't.

# sudo certbot certonly --non-interactive --agree-tos --register-unsafely-without-email --webroot -w /var/.rwssl/ --cert-name outdoorgearalerts --config-dir /etc/nginx-sp/le-ssls -d outdoorgearalerts.com
/usr/local/lib/python3.5/dist-packages/OpenSSL/crypto.py:14: CryptographyDeprecationWarning: Python 3.5 support will be dropped in the next release of cryptography. Please upgrade your Python.
  from cryptography import utils, x509
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for outdoorgearalerts.com
An unexpected error occurred:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
Please see the logfiles in /var/log/letsencrypt for more details.

1 Like

That is the broken certbot (version 0.39.0).
We already showed how using the one installed by snap works (version 1.10.1).
By forcing its use with:
/snap/bin/certbot ...

I hate to sound short, but you're probably much taller than I am - LOL

2 Likes
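
The thread turns on two Certbot installs where `which certbot` only reveals the first. The script below is an added example, not code from any poster or from Certbot: it lists every `certbot` on PATH in lookup order, plus extra directories such as `/snap/bin`, with the version each one reports. The function names are hypothetical, and it assumes the `certbot X.Y.Z` output format of `certbot --version` shown above.

```shell
#!/bin/sh
# Added example: enumerate all certbot executables and their versions.
# Function names are hypothetical; version parsing assumes "certbot X.Y.Z".

# Report $1/certbot once, if it is an executable file.
# $2 is "path" for PATH entries, "extra" for directories passed explicitly.
_report_certbot() {
    bin="$1/certbot"
    [ -n "$1" ] && [ -f "$bin" ] && [ -x "$bin" ] || return 0
    case "$_seen" in *":$bin:"*) return 0 ;; esac
    _seen="$_seen$bin:"
    # Merge stderr so warnings printed before the version line are skipped by awk.
    ver=$("$bin" --version 2>&1 | awk '/^certbot [0-9]/ {print $2; exit}')
    if [ "$2" = extra ]; then
        status="off-path"      # only reachable by full path
    elif [ "$_first" -eq 1 ]; then
        status="default"       # what a bare "certbot" (or sudo certbot) runs
        _first=0
    else
        status="shadowed"      # on PATH, but hidden behind the default
    fi
    printf '%s\t%s\t%s\n' "$bin" "${ver:-unknown}" "$status"
}

# list_certbots [extra_dir ...]
# Prints "path<TAB>version<TAB>default|shadowed|off-path", one install per line.
list_certbots() {
    _seen=":"
    _first=1
    old_ifs=$IFS
    IFS=:
    set -f                     # no globbing while splitting PATH on ':'
    for dir in $PATH; do
        IFS=$old_ifs
        _report_certbot "$dir" path
    done
    set +f
    IFS=$old_ifs
    for dir in "$@"; do
        _report_certbot "$dir" extra
    done
}

# Exit status 0 only if every discovered install reports the same version.
certbots_consistent() {
    n=$(list_certbots "$@" | cut -f2 | sort -u | wc -l | tr -d ' ')
    [ "$n" -le 1 ]
}
```

After sourcing the file, `list_certbots /snap/bin` on a host like the one in this thread would show the `/usr/local/bin` install as `default` and the snap install as `off-path`, which is why scripts that call a bare `certbot` keep hitting the broken one.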