Auto renew: configuration help needed please

Hi,

See section "HELP FORM" below:

I thought I had set up certbot to auto-renew properly but my cert expired 11/4/19. I expected it to renew 30 days prior. I ran the dry run, see response below.

I am using a Beaglebone and have the following installation directory: /home/debian/letsencrypt

with the configuration files within: /home/debian/letsencrypt/conf

The log directory is: /home/debian/letsencrypt/log but is empty

I have the directory: /etc/letsencrypt with empty /renewal and /renewal-hooks directories.

I have logs at: /var/log/letsencrypt
See section "LAST LOG" below.

I believe I need to direct Letsencrypt to my home directory to fix this…how do I do this and keep my current installation at /home/debian/letsencrypt ?

My first post, tried to format for easy reading…hope it worked.

Thanks,
jbro

Here is my /etc/cron.d/certbot

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Here is my /usr/bin/certbot

#!/usr/bin/python3
# EASY-INSTALL-ENTRY-SCRIPT: 'certbot==0.28.0','console_scripts','certbot'
__requires__ = 'certbot==0.28.0'
import re
import sys
from pkg_resources import load_entry_point

if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0])
    sys.exit(
        load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
    )

Section: HELP FORM:

My domain is:
jeffbrownmusic.duckdns.org

I ran this command:
sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

No renewals were attempted.
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


My web server is (include version):
node.js v10.15.3

The operating system my web server runs on is (include version):
Debian Stretch

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.28.0

Section: LAST LOG:

letsencrypt.log.1 (truncated to 3 logs):
2019-11-03 09:13:11,371:DEBUG:certbot.main:certbot version: 0.28.0
2019-11-03 09:13:11,399:DEBUG:certbot.main:Arguments: ['-q']
2019-11-03 09:13:11,412:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-03 09:13:11,572:DEBUG:certbot.log:Root logging level set at 30
2019-11-03 09:13:11,587:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-03 09:13:11,599:DEBUG:certbot.renewal:no renewal failures
2019-11-03 21:02:45,705:DEBUG:certbot.main:certbot version: 0.28.0
2019-11-03 21:02:45,722:DEBUG:certbot.main:Arguments: ['-q']
2019-11-03 21:02:45,736:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-03 21:02:45,893:DEBUG:certbot.log:Root logging level set at 30
2019-11-03 21:02:45,908:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-03 21:02:45,920:DEBUG:certbot.renewal:no renewal failures
2019-11-04 09:25:11,199:DEBUG:certbot.main:certbot version: 0.28.0
2019-11-04 09:25:11,217:DEBUG:certbot.main:Arguments: ['-q']
2019-11-04 09:25:11,230:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-04 09:25:11,386:DEBUG:certbot.log:Root logging level set at 30
2019-11-04 09:25:11,401:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-04 09:25:11,414:DEBUG:certbot.renewal:no renewal failures
2019-11-04 16:10:59,610:DEBUG:certbot.main:certbot version: 0.28.0
2019-11-04 16:10:59,627:DEBUG:certbot.main:Arguments: ['-q']
2019-11-04 16:10:59,641:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-04 16:10:59,799:DEBUG:certbot.log:Root logging level set at 30
2019-11-04 16:10:59,814:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-04 16:10:59,826:DEBUG:certbot.renewal:no renewal failures
2019-11-05 00:48:11,335:DEBUG:certbot.main:certbot version: 0.28.0
2019-11-05 00:48:11,352:DEBUG:certbot.main:Arguments: ['-q']
2019-11-05 00:48:11,365:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-05 00:48:11,521:DEBUG:certbot.log:Root logging level set at 30
2019-11-05 00:48:11,537:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-05 00:48:11,549:DEBUG:certbot.renewal:no renewal failures
2019-11-05 18:11:34,742:DEBUG:certbot.main:certbot version: 0.28.0
2019-11-05 18:11:34,759:DEBUG:certbot.main:Arguments: ['-q']
2019-11-05 18:11:34,772:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-05 18:11:34,933:DEBUG:certbot.log:Root logging level set at 30
2019-11-05 18:11:34,948:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-05 18:11:34,961:DEBUG:certbot.renewal:no renewal failures
2019-11-06 03:08:11,182:DEBUG:certbot.main:certbot version: 0.28.0... (repeats to 11/10/2019)

Hi @jbro

Your domain is invisible - only timeouts, so renew can't work.

Your last certificates - https://check-your-website.server-daten.de/?q=jeffbrownmusic.duckdns.org#ct-logs

Issuer                      not before   not after    Domain names                            LE-Duplicate  next LE
Let's Encrypt Authority X3  2019-08-06   2019-11-04   jeffbrownmusic.duckdns.org (1 entries)
Let's Encrypt Authority X3  2019-08-06   2019-11-04   jeffbrownmusic.duckdns.org (1 entries)
Let's Encrypt Authority X3  2019-05-16   2019-08-14   jeffbrownmusic.duckdns.org (1 entries)
Let's Encrypt Authority X3  2019-05-16   2019-08-14   jeffbrownmusic.duckdns.org (1 entries)

So there is no new certificate.

But if no renew required: Do you have more than one certbot? Certbot-auto?

Why do you have different log directories?

What says certbot certificates?

Set the same paths

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

and use certbot certificates.

Thanks,

No certs found.

My certs are in: /home/debian/letsencrypt/conf/live/jeffbrownmusic.duckdns.org

There must be some way to redirect, no?

Thanks,
jbro

Looks like you have different certbot installations. That's terrible. Then find your other certbot and run that instance.

Thanks,

I'll try. It's been a while since I've been on this project. This is going to take me some time to sort out. It's possible I ran into a permissions problem with the likely first install under /home/debian and reinstalled under /root, although I think I would have found a way to fix the permissions using the first install?

Do you have any suggestions as to how I might identify both installs? What should I look for? Is there a specific file or directory I might search for?

Thanks,
jbro

Maybe it's not a matter of two installations but rather my limitations on how to program the auto-renew specifically for the user: debian. I need to learn to run the cron job from user: debian. It's never running, only the user: root cron job is running. That's my problem, which I will try to resolve without your help. But I fear once I get that sorted out I will run into the problem seen in the command response below:

I will try to get this resolved without wasting any more of your time. If the PluginError issue returns, I’ll be back I guess.

Thanks, Jbro

So I tried the command: certbot renew --dry-run without sudo and got this:

debian@beaglebone:~$ certbot renew --dry-run

Saving debug log to /home/debian/~/home/debian/letsencrypt/logs/letsencrypt.log


Processing /home/debian/letsencrypt/conf/renewal/jeffbrownmusic.duckdns.org.conf


Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (jeffbrownmusic.duckdns.org) from /home/debian/letsencrypt/conf/renewal/jeffbrownmusic.duckdns.org.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/home/debian/letsencrypt/conf/live/jeffbrownmusic.duckdns.org/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/home/debian/letsencrypt/conf/live/jeffbrownmusic.duckdns.org/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

If you have used --manual to create a certificate, you can't use

as command. renew requires an unattended installation -> the manual action must be replaced by a script -> if you don't have such a script, you can't use renew.

Instead, use the complete command you have used to create the certificate.
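As an added example (not from the thread or from Certbot), this is what the reply above means by replacing the manual action with a script: a dns-01 auth/cleanup hook pair for a duckdns.org name that publishes the TXT value certbot hands it and removes it afterwards, so the stale record from an earlier manual renewal is not what the CA finds. It assumes DuckDNS's HTTP update API (update?domains=&token=&txt=[&clear=true]); the token file path is a placeholder.

```shell
#!/bin/sh
# DuckDNS dns-01 hooks for certbot's manual plugin (added example, not from the thread).
# Register as:  --manual-auth-hook "/path/duckdns-hook.sh auth"
#               --manual-cleanup-hook "/path/duckdns-hook.sh cleanup"
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.
# Assumes DuckDNS's HTTP update API: update?domains=<label>&token=<token>&txt=<value>[&clear=true]
set -eu

TOKEN_FILE="${DUCKDNS_TOKEN_FILE:-/home/debian/letsencrypt/duckdns.token}"  # placeholder; chmod 600
PROPAGATION_SECONDS="${DUCKDNS_WAIT:-60}"   # DuckDNS TXT changes are not visible instantly

# jeffbrownmusic.duckdns.org -> jeffbrownmusic (the API wants only the label)
duckdns_label() {
    case "$1" in
        *.duckdns.org) printf '%s\n' "${1%.duckdns.org}" ;;
        *) echo "not a duckdns.org name: $1" >&2; return 1 ;;
    esac
}

# Build the update URL; mode is "set" (publish TXT) or "clear" (remove it).
duckdns_url() {
    label=$1; token=$2; mode=$3; txt=${4:-}
    url="https://www.duckdns.org/update?domains=${label}&token=${token}&txt=${txt}"
    if [ "$mode" = clear ]; then url="${url}&clear=true"; fi
    printf '%s\n' "$url"
}

# Feed the URL to curl on stdin (-K -) so the token never shows up in the process
# list; DuckDNS answers OK or KO in the body, so curl's exit status alone is not enough.
duckdns_call() {
    reply=$(printf 'url = "%s"\n' "$1" | curl -sS -K -)
    [ "$reply" = OK ] || { echo "DuckDNS replied: $reply" >&2; return 1; }
}

main() {
    label=$(duckdns_label "$CERTBOT_DOMAIN")
    token=$(cat "$TOKEN_FILE")
    if [ "$1" = auth ]; then
        duckdns_call "$(duckdns_url "$label" "$token" set "$CERTBOT_VALIDATION")"
        sleep "$PROPAGATION_SECONDS"    # give the CA a chance to see the new record
    else
        duckdns_call "$(duckdns_url "$label" "$token" clear)"
    fi
}

# Only act when certbot is calling; otherwise the file just defines the functions.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    main "${1:-auth}"
fi
```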

In my trials to get certbot renew to work, I ended up manually renewing the certificate ... probably forgot the --dry-run option. Anyway, I have gotten it to work using a script; running it without --dry-run produces the following output:

Mon Nov 11 19:45:01 EST 2019
Saving debug log to /home/debian/~/home/debian/letsencrypt/logs/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /home/debian/letsencrypt/conf/renewal/jeffbrownmusic.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /home/debian/letsencrypt/conf/live/jeffbrownmusic.duckdns.org/fullchain.pem expires on 2020-02-09 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Appending --dry-run to the same script produces the following output:

Mon Nov 11 19:50:01 EST 2019
Saving debug log to /home/debian/~/home/debian/letsencrypt/logs/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /home/debian/letsencrypt/conf/renewal/jeffbrownmusic.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator manual, Installer None
Running pre-hook command: /home/debian/letsencrypt/conf/renewal-hooks/pre/auth.sh
Hook command "/home/debian/letsencrypt/conf/renewal-hooks/pre/auth.sh" returned error code 127
Error output from auth.sh:
/bin/sh: 1: /home/debian/letsencrypt/conf/renewal-hooks/pre/auth.sh: not found

Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for jeffbrownmusic.duckdns.org
Hook command "/home/debian/letsencrypt/conf/renewal-hooks/pre/auth.sh" returned error code 127
Error output from auth.sh:
/bin/sh: 1: /home/debian/letsencrypt/conf/renewal-hooks/pre/auth.sh: not found

Waiting for verification...
Cleaning up challenges
Hook command "/home/debian/letsencrypt/conf/renewal-hooks/post/cleanup.sh" returned error code 127
Error output from cleanup.sh:
/bin/sh: 1: /home/debian/letsencrypt/conf/renewal-hooks/post/cleanup.sh: not found

Attempting to renew cert (jeffbrownmusic.duckdns.org) from /home/debian/letsencrypt/conf/renewal/jeffbrownmusic.duckdns.org.conf produced an unexpected error: Failed authorization procedure. jeffbrownmusic.duckdns.org (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "GJ1maH6Jo6Kzk6sdxAtVeJtV8ZX2TvxC_6jlLoDuC8I" found at _acme-challenge.jeffbrownmusic.duckdns.org. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /home/debian/letsencrypt/conf/live/jeffbrownmusic.duckdns.org/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /home/debian/letsencrypt/conf/live/jeffbrownmusic.duckdns.org/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /home/debian/letsencrypt/conf/renewal-hooks/post/cleanup.sh
Hook command "/home/debian/letsencrypt/conf/renewal-hooks/post/cleanup.sh" returned error code 127
Error output from cleanup.sh:
/bin/sh: 1: /home/debian/letsencrypt/conf/renewal-hooks/post/cleanup.sh: not found

1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: jeffbrownmusic.duckdns.org
   Type:   unauthorized
   Detail: Incorrect TXT record
   "['last_text_record']" found at
   _acme-challenge.jeffbrownmusic.duckdns.org

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

In place of, "['last_text_record']" was the actual text input by me for the previous manual renewal.

Will the dry run always fail with duckdns? Am I correct in assuming that dry runs will not change the TXT record for the dns-01 challenge therefore resulting in a FAIL for the dry run?

Or will renew really fail in 2 months even without --dry-run in the script, since the expiration date will be less than 30 days away?

Thanks,

jbro

I was ignoring the two errors because I thought they were bogus; I could see nothing wrong with the files ... but something in fact was ... my bad ... sorry.

But I decided to run the files through dos2unix just in case and the errors disappeared. The dry run succeeded.

Out of curiosity, I ran the dry-run with the original auth.sh and cleanup.sh files, the "not found" error returned but the dry run still reported success.

Anyway, not sure what is going on, but I hope I can mark this solved, I guess I will not know for sure until two months from now, unless someone can shed some light on what actually happened.

Thanks,
jbro
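An added preflight script (not from the thread or from Certbot) that ties together the two things that went wrong here: certbot run without --config-dir/--work-dir/--logs-dir looks in /etc/letsencrypt and reports "No certs found", and a hook saved with CRLF line endings fails with exit 127 "not found" because the kernel looks for an interpreter literally named "/bin/sh\r", which is what dos2unix fixed. The conf key names it greps for (pre_hook, post_hook, manual_auth_hook, manual_cleanup_hook) are assumed from certbot's renewal conf format.

```shell
#!/bin/sh
# Preflight hook checks plus a renew that uses the home-directory install (added example).
# A hook saved with CRLF line endings has the shebang "#!/bin/sh\r"; the kernel then looks
# for an interpreter literally named "/bin/sh\r", and the shell reports exit 127 "not found".
set -eu

LE_HOME="${LE_HOME:-/home/debian/letsencrypt}"   # the thread's non-root install

# Hook paths certbot will run come from the renewal conf files (assumed key names).
configured_hooks() {
    grep -hE '^(pre_hook|post_hook|manual_auth_hook|manual_cleanup_hook) *=' "$1"/renewal/*.conf \
        | sed 's/^[^=]*= *//' | cut -d' ' -f1          # drop "key = " and any hook arguments
}

# Returns 0 if the hook can run, 1 with the reason on stderr otherwise.
check_hook() {
    hook=$1
    [ -f "$hook" ] || { echo "missing: $hook" >&2; return 1; }
    [ -x "$hook" ] || { echo "not executable: $hook" >&2; return 1; }
    first=$(head -n 1 "$hook")
    case "$first" in
        *"$(printf '\r')"*) echo "CRLF line endings, run dos2unix: $hook" >&2; return 1 ;;
        '#!'*) interp=${first#"#!"}; interp=${interp# }; interp=${interp%% *}
               [ -x "$interp" ] || { echo "interpreter $interp missing: $hook" >&2; return 1; } ;;
        *) echo "no shebang line: $hook" >&2; return 1 ;;
    esac
}

# Refuse to renew while any configured hook is broken; then renew against the same
# directories the certificates live in, so certbot does not report "No certs found".
renew_with_home_dirs() {
    failed=0
    for hook in $(configured_hooks "$LE_HOME/conf"); do
        check_hook "$hook" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ] || { echo "$failed hook(s) need fixing before renewal" >&2; return 1; }
    certbot renew --config-dir "$LE_HOME/conf" --work-dir "$LE_HOME/work" \
        --logs-dir "$LE_HOME/logs" "$@"      # pass --dry-run through to test
}

# Usage: renew-preflight.sh renew [--dry-run]; with no argument only the functions are defined.
if [ "${1:-}" = renew ]; then
    shift
    renew_with_home_dirs "$@"
fi
```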
