Cannot renew the SSL certificate. Certbot doesn't know how to automatically configure the web server on this system

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vadim.com.ru

I ran this command: certbot renew

It produced this output: Failed to renew certificate vadim.com.ru with error: The requested nginx plugin does not appear to be installed


All renewals failed. The following certificates could not be renewed:
/usr/local/etc/letsencrypt/live/vadim.com.ru/fullchain.pem (failure)
Failed to renew certificate vadim.com.ru with error: The requested nginx plugin does not appear to be installed
My web server is (include version): nginx 1.22.0


The operating system my web server runs on is (include version): TrueNAS-12.0-U8.1

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site: no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.27.0

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: vadim.com.ru
Serial Number: 42ba53d873019ad044864adc3462d0543bf
Key Type: RSA
Domains: vadim.com.ru
Expiry Date: 2022-06-21 11:19:07+00:00 (INVALID: EXPIRED)
Certificate Path: /usr/local/etc/letsencrypt/live/vadim.com.ru/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/vadim.com.ru/privkey.pem

cat /usr/local/etc/letsencrypt/renewal/vadim.com.ru.conf

# renew_before_expiry = 30 days

version = 1.22.0
archive_dir = /usr/local/etc/letsencrypt/archive/vadim.com.ru
cert = /usr/local/etc/letsencrypt/live/vadim.com.ru/cert.pem
privkey = /usr/local/etc/letsencrypt/live/vadim.com.ru/privkey.pem
chain = /usr/local/etc/letsencrypt/live/vadim.com.ru/chain.pem
fullchain = /usr/local/etc/letsencrypt/live/vadim.com.ru/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 41e216181510ed12c1199f2c3d63b7e4
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
root@Nextcloud:/ # nginx -T
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/etc/letsencrypt/live/truenas/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/etc/letsencrypt/live/truenas/fullchain.pem"
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

# configuration file /usr/local/etc/nginx/nginx.conf:

load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

user www;
worker_processes auto;

pid /var/run/nginx.pid;

events {
use kqueue;
worker_connections 1024;
multi_accept on;
}
http {

# Basic settings
# ----------

sendfile on;
tcp_nopush on;
tcp_nodelay on;
reset_timedout_connection on;
keepalive_timeout 65;
keepalive_requests 1000;
types_hash_max_size 2048;
server_tokens off;
send_timeout 30;
server_names_hash_max_size 4096;

# Common limits
# ----------

client_max_body_size 100m; # upload size
client_body_buffer_size 1m;
client_header_timeout 3m;
client_body_timeout 3m;

client_body_temp_path /var/tmp/nginx/client_body_temp;

proxy_connect_timeout 5;
proxy_send_timeout 10;
proxy_read_timeout 10;

proxy_buffer_size 4k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;

proxy_temp_path /var/tmp/nginx/proxy_temp;

include mime.types;
default_type application/octet-stream;

# Logs format
# ----------

log_format main '$remote_addr - $host [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
'rt=$request_time ut=$upstream_response_time '
'cs=$upstream_cache_status';

log_format cache '$remote_addr - $host [$time_local] "$request" $status '
'$body_bytes_sent "$http_referer" '
'rt=$request_time ut=$upstream_response_time '
'cs=$upstream_cache_status';

access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log warn;

# GZip config
# ----------

gzip on;
gzip_static on;
gzip_types text/plain text/css text/javascript text/xml application/x-javascript application/javascript application/xml application/json image/x-icon;
gzip_comp_level 9;
gzip_buffers 16 8k;
gzip_proxied expired no-cache no-store private auth;
gzip_min_length 1000;
gzip_disable "msie6";
gzip_vary on;

# Cache config
# ----------

proxy_cache_valid 1m;

# Virtual host config
# ----------

# SSL
# ----------

ssl_certificate /usr/local/etc/letsencrypt/live/truenas/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/truenas/privkey.pem;

# Verify chain of trust of OCSP response using Root CA and Intermediate certs

ssl_trusted_certificate /usr/local/etc/letsencrypt/live/truenas/chain.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;

# intermediate configuration
# Keep only TLS 1.2 (+ TLS 1.3)

ssl_protocols TLSv1.2 TLSv1.3;

# Use only strong ciphers

ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

# Use more secure ECDH Curve

ssl_ecdh_curve X25519:P-521:P-384:P-256;

# Defend against the BEAST attack

ssl_prefer_server_ciphers off;

# OCSP Stapling

ssl_stapling on;
ssl_stapling_verify on;

include /usr/local/etc/nginx/conf.d/*.conf;
}

# configuration file /usr/local/etc/nginx/mime.types:

types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml                                      mml;
text/plain                                       txt;
text/vnd.sun.j2me.app-descriptor                 jad;
text/vnd.wap.wml                                 wml;
text/x-component                                 htc;

image/png                                        png;
image/svg+xml                                    svg svgz;
image/tiff                                       tif tiff;
image/vnd.wap.wbmp                               wbmp;
image/webp                                       webp;
image/x-icon                                     ico;
image/x-jng                                      jng;
image/x-ms-bmp                                   bmp;

font/woff                                        woff;
font/woff2                                       woff2;

application/java-archive                         jar war ear;
application/json                                 json;
application/mac-binhex40                         hqx;
application/msword                               doc;
application/pdf                                  pdf;
application/postscript                           ps eps ai;
application/rtf                                  rtf;
application/vnd.apple.mpegurl                    m3u8;
application/vnd.google-earth.kml+xml             kml;
application/vnd.google-earth.kmz                 kmz;
application/vnd.ms-excel                         xls;
application/vnd.ms-fontobject                    eot;
application/vnd.ms-powerpoint                    ppt;
application/vnd.oasis.opendocument.graphics      odg;
application/vnd.oasis.opendocument.presentation  odp;
application/vnd.oasis.opendocument.spreadsheet   ods;
application/vnd.oasis.opendocument.text          odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                 pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                 xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                 docx;
application/vnd.wap.wmlc                         wmlc;
application/x-7z-compressed                      7z;
application/x-cocoa                              cco;
application/x-java-archive-diff                  jardiff;
application/x-java-jnlp-file                     jnlp;
application/x-makeself                           run;
application/x-perl                               pl pm;
application/x-pilot                              prc pdb;
application/x-rar-compressed                     rar;
application/x-redhat-package-manager             rpm;
application/x-sea                                sea;
application/x-shockwave-flash                    swf;
application/x-stuffit                            sit;
application/x-tcl                                tcl tk;
application/x-x509-ca-cert                       der pem crt;
application/x-xpinstall                          xpi;
application/xhtml+xml                            xhtml;
application/xspf+xml                             xspf;
application/zip                                  zip;

application/octet-stream                         bin exe dll;
application/octet-stream                         deb;
application/octet-stream                         dmg;
application/octet-stream                         iso img;
application/octet-stream                         msi msp msm;

audio/midi                                       mid midi kar;
audio/mpeg                                       mp3;
audio/ogg                                        ogg;
audio/x-m4a                                      m4a;
audio/x-realaudio                                ra;

video/3gpp                                       3gpp 3gp;
video/mp2t                                       ts;
video/mp4                                        mp4;
video/mpeg                                       mpeg mpg;
video/quicktime                                  mov;
video/webm                                       webm;
video/x-flv                                      flv;
video/x-m4v                                      m4v;
video/x-mng                                      mng;
video/x-ms-asf                                   asx asf;
video/x-ms-wmv                                   wmv;
video/x-msvideo                                  avi;

}

# configuration file /usr/local/etc/nginx/conf.d/nextcloud.conf:

upstream php-handler {
server unix:/var/run/nextcloud-php-fpm.sock;
}

# Redirect to HTTPS

server {
listen 80 default_server;
listen [::]:80;

location ^~ /.well-known/acme-challenge {
    # Path to the root of your installation
    root /usr/local/www/nextcloud/;
    try_files $uri $uri/ =404;
}

location / {
   return 301 https://$host:443$request_uri;
}

}

server {
listen 443 ssl http2;
server_name _;

# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;

include conf.d/nextcloud.inc;

}

# configuration file /usr/local/etc/nginx/conf.d/nextcloud.inc:

# set max upload size

client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Enable gzip but do not remove ETag headers

gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

# Pagespeed is not supported by Nextcloud, so if your server is built
# with the ngx_pagespeed module, uncomment this line to disable it.

#pagespeed off;

# HTTP response headers borrowed from Nextcloud .htaccess

add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;

# Remove X-Powered-By, which is an information leak

fastcgi_hide_header X-Powered-By;

# Path to the root of your installation

root /usr/local/www/nextcloud/;

# Specify how to handle directories -- specifying /index.php$request_uri
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# /updater, /ocm-provider, /ocs-provider), and thus
# try_files $uri $uri/ /index.php$request_uri
# always provides the desired behaviour.

index index.php index.html /index.php$request_uri;

# Rule borrowed from .htaccess to handle Microsoft DAV clients

location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}

location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}

# Make a regex exception for /.well-known so that clients can still
# access it despite the existence of the regex rule
# location ~ /(\.|autotest|...) which would otherwise handle requests
# for /.well-known.

location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in .htaccess that concern /.well-known.

# Needed to prevent including the scheme, domain and port in the Location header.
absolute_redirect off;
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav  { return 301 /remote.php/dav/; }

location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;

}

# Rules borrowed from .htaccess to hide certain paths from clients

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }

# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends /index.php
# to the URI, resulting in a HTTP 500 error response.

location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy) /index.php$request_uri;

fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;

try_files $fastcgi_script_name =404;

include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
# fastcgi_param HTTPS on;

fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
fastcgi_param front_controller_active true;     # Enable pretty urls
fastcgi_pass php-handler;

fastcgi_intercept_errors on;
fastcgi_request_buffering off;

}

location ~ \.(?:css|js|svg|gif|png|jpg|ico)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from .htaccess
access_log off; # Optional: Don't log access to assets
}

location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from .htaccess
access_log off; # Optional: Don't log access to assets
}

# Rule borrowed from .htaccess

location /remote {
return 301 /remote.php$request_uri;
}

location / {
try_files $uri $uri/ /index.php$request_uri;
}

# configuration file /usr/local/etc/nginx/fastcgi_params:

fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect

fastcgi_param REDIRECT_STATUS 200;

And here is another output:

certbot -v

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

Pasted these files just in case

It looks like your certbot was not installed correctly. The nginx plug-in is not installed.

It looks like you changed your system recently. Note your renewal config file points to a folder with your domain name in it. But, your nginx config points to cert files in the truenas folder.

Further, your renewal config has certbot version 1.22 but you are currently using 1.27. It is fine to upgrade but it looks like something went wrong.

If you need help sorting out the certbot install please describe how you did that. Did you use pip? Or snap? Or? I don't know Truenas so am not sure what it supports - sorry.

But this is in your nginx config:

5 Likes
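A way to run the two checks MikeMcQ describes (the renewal conf's plugin and cert paths against what nginx actually loads) as a script, added here as an example; it is not code from the thread or from certbot. The sample files are constructed to mirror the output above, the account id is made up, and the FreeBSD jail paths, the python interpreter name and `service nginx reload` as the deploy hook are assumptions:

```shell
#!/bin/sh
# Added example for this thread (not code from the original post or from
# certbot): cross-check a certbot renewal conf against the cert paths an
# nginx config actually loads, check that the renewal's plugins are
# importable, and print a webroot-based re-issue command as the fallback.
# Inputs below are constructed to mirror the thread; the FreeBSD-jail
# paths and the interpreter name passed to check_plugins are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RENEWAL_CONF="$WORK/vadim.com.ru.conf"
NGINX_DUMP="$WORK/nginx-T.txt"

# Constructed sample: the renewal conf from the thread (account id made up).
cat > "$RENEWAL_CONF" <<'EOF'
# renew_before_expiry = 30 days
version = 1.22.0
archive_dir = /usr/local/etc/letsencrypt/archive/vadim.com.ru
cert = /usr/local/etc/letsencrypt/live/vadim.com.ru/cert.pem
privkey = /usr/local/etc/letsencrypt/live/vadim.com.ru/privkey.pem
chain = /usr/local/etc/letsencrypt/live/vadim.com.ru/chain.pem
fullchain = /usr/local/etc/letsencrypt/live/vadim.com.ru/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
EOF

# Constructed sample: the relevant lines of `nginx -T` from the thread.
cat > "$NGINX_DUMP" <<'EOF'
    ssl_certificate /usr/local/etc/letsencrypt/live/truenas/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/truenas/privkey.pem;
    location ^~ /.well-known/acme-challenge {
        root /usr/local/www/nextcloud/;
        try_files $uri $uri/ =404;
    }
EOF

# conf_get FILE KEY: value of "KEY = value" in a renewal conf (first match).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# nginx_cert_paths DUMP: every ssl_certificate path nginx loads.
nginx_cert_paths() {
    sed -n 's/^[[:space:]]*ssl_certificate[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$1" | sort -u
}

# acme_webroot DUMP: the root directive of the /.well-known/acme-challenge location.
acme_webroot() {
    awk '/well-known\/acme-challenge/ { inblk = 1 }
         inblk && $1 == "root" { sub(/;.*/, "", $2); print $2; exit }' "$1"
}

# check_paths CONF DUMP: 0 if nginx serves the fullchain certbot renews.
check_paths() {
    want=$(conf_get "$1" fullchain)
    for p in $(nginx_cert_paths "$2"); do
        [ "$p" = "$want" ] || { echo "MISMATCH: nginx loads $p, certbot renews $want" >&2; return 1; }
    done
    return 0
}

# check_version CONF INSTALLED: 0 if the conf was written by the installed release.
check_version() {
    recorded=$(conf_get "$1" version)
    [ "$recorded" = "$2" ] && return 0
    echo "NOTE: conf written by certbot $recorded, installed client is $2 (different install?)" >&2
    return 1
}

# check_plugins CONF PYTHON: 0 if the authenticator/installer modules import in PYTHON.
# nginx/apache/dns-* plugins are separate packages (certbot_nginx, certbot_dns_x, ...);
# webroot, standalone and manual are built into certbot itself.
check_plugins() {
    rc=0
    for key in authenticator installer; do
        plugin=$(conf_get "$1" "$key")
        case "$plugin" in
            ""|webroot|standalone|manual) continue ;;
        esac
        mod="certbot_$(printf '%s' "$plugin" | sed 's/-/_/g')"
        "$2" -c "import $mod" 2>/dev/null \
            || { echo "MISSING: $key = $plugin ($mod not importable by $2)" >&2; rc=1; }
    done
    return $rc
}

# suggest_webroot CONF DUMP: re-issue command that needs no nginx plugin,
# using the acme-challenge root the port-80 server block already serves.
suggest_webroot() {
    name=$(basename "$1" .conf)
    echo "certbot certonly --webroot -w $(acme_webroot "$2") --cert-name $name -d $name --deploy-hook 'service nginx reload'"
}

# Run the checks against the constructed samples; each failed check reports on stderr.
check_paths "$RENEWAL_CONF" "$NGINX_DUMP" || true
check_version "$RENEWAL_CONF" 1.27.0 || true
check_plugins "$RENEWAL_CONF" python3 || true
suggest_webroot "$RENEWAL_CONF" "$NGINX_DUMP"
```

On the jail, dump `nginx -T 2>/dev/null` to a file and point the functions at it and at the real renewal conf. `check_plugins ... python3.8` asks whether `certbot_nginx` is importable by the same interpreter that runs certbot, which is what the "requested nginx plugin does not appear to be installed" message is really about. The command printed by `suggest_webroot` works because the port-80 server block in the posted config already serves `/.well-known/acme-challenge` from the Nextcloud root; it obtains the cert with no installer plugin, the deploy hook performs the reload the nginx installer would otherwise have done, and certbot rewrites the renewal conf with `authenticator = webroot`, so later `certbot renew` runs should stop asking for the nginx plugin. The `ssl_certificate` lines still have to point at `live/vadim.com.ru/`, or nginx keeps serving the expired file.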

@MikeMcQ Note your renewal config file points to a folder with your domain name in it. But, your nginx config points to cert files in the truenas folder <== I fixed this part to no avail

As far as the different versions of certbot, this is what happened: I had this error that there was no plugin, so I installed it, and it uninstalled the old one and pulled the new one from the package system. TrueNAS is based on FreeBSD, so it installed using the package system. Do you think it is a show stopper here? Different version?

I don't think the 1.27 version was installed the same as the 1.22 version used for your last good cert. Do you remember how you installed certbot before?

I don't know FreeBSD either but did you follow these install instructions

5 Likes

Hi Mike! I believe my first install was from ports. This time I used the package system, and both options are described in these instructions. I can uninstall it from the package and compile from ports as before. Do you think it is going to make a difference?
I just did so and it installed version 1.22 from ports, and then I also compiled py-certbot-nginx. When I try to renew it spits out the error:
certbot renew
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.22.0', 'console_scripts', 'certbot')())
  File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/local/lib/python3.8/importlib/metadata.py", line 77, in load
    module = import_module(match.group('module'))
  File "/usr/local/lib/python3.8/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
  File "<frozen importlib._bootstrap>", line 991, in _find_and_load
  File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 843, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/usr/local/lib/python3.8/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/usr/local/lib/python3.8/site-packages/certbot/_internal/main.py", line 17, in <module>
    import configobj
ModuleNotFoundError: No module named 'configobj'

Are you running certbot in TrueNAS, or in a jail? If the former, that's a bad idea--TrueNAS is an appliance, and you aren't expected to be installing your own software (much less manually altering any system config files). You should be uploading and installing new certs through the GUI/API; one way to automate that is here:

Now, if you're running all this in a jail, TrueNAS as such is pretty much irrelevant; you're just dealing with FreeBSD. But I still recommend avoiding certbot whenever possible and using an alternative client like acme.sh instead.

6 Likes

@danb35 Thanks for your tip - I am running it in a jail and it was all good until I installed the newer version from the package - now after reverting all that I might have some glitches because of 2 different python versions - 3.8 and 3.9. I found a similar post but on Ubuntu with the same exact error: Cannot update Let's Encrypt certificate for site - #15 by mnordhoff
I'll try his solution and see if it flies.
I definitely will try acme.sh or your script, but for now I am willing to see if I can fix it with certbot just for the heck of it. I mean it used to work fine though.

2 Likes

If you aren't trying to install the cert for the TrueNAS web UI, my cert will not be helpful for you, as that's all it does.

6 Likes

Well - my cert is for Nextcloud, which runs in the jail - not on TrueNAS itself. I still hope to fix the certbot before trying out new ways. I have removed all the files associated with the package system and compiled the older versions. Now I get this error running certbot:
root@Nextcloud:~ # certbot renew
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/pkg_resources/__init__.py", line 568, in _build_master
    ws.require(requires)
  File "/usr/local/lib/python3.8/site-packages/pkg_resources/__init__.py", line 886, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/local/lib/python3.8/site-packages/pkg_resources/__init__.py", line 777, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (cryptography 3.3.2 (/usr/local/lib/python3.8/site-packages), Requirement.parse('cryptography>=35.0'), {'PyOpenSSL'})

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.22.0', 'console_scripts', 'certbot')())
  File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/local/lib/python3.8/importlib/metadata.py", line 77, in load
    module = import_module(match.group('module'))
  File "/usr/local/lib/python3.8/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
  File "<frozen importlib._bootstrap>", line 991, in _find_and_load
  File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 843, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/usr/local/lib/python3.8/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/usr/local/lib/python3.8/site-packages/certbot/_internal/main.py", line 25, in <module>
    from certbot import configuration
  File "/usr/local/lib/python3.8/site-packages/certbot/configuration.py", line 10, in <module>
    from certbot import util
  File "/usr/local/lib/python3.8/site-packages/certbot/util.py", line 27, in <module>
    from certbot._internal import constants
  File "/usr/local/lib/python3.8/site-packages/certbot/_internal/constants.py", line 6, in <module>
    import pkg_resources
  File "/usr/local/lib/python3.8/site-packages/pkg_resources/__init__.py", line 3243, in <module>
    def _initialize_master_working_set():
  File "/usr/local/lib/python3.8/site-packages/pkg_resources/__init__.py", line 3226, in _call_aside
    f(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/pkg_resources/__init__.py", line 3255, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/local/lib/python3.8/site-packages/pkg_resources/__init__.py", line 570, in _build_master
    return cls._build_from_requirements(requires)
  File "/usr/local/lib/python3.8/site-packages/pkg_resources/__init__.py", line 583, in _build_from_requirements
    dists = ws.resolve(reqs, Environment())
  File "/usr/local/lib/python3.8/site-packages/pkg_resources/__init__.py", line 777, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (cryptography 3.3.2 (/usr/local/lib/python3.8/site-packages), Requirement.parse('cryptography>=35.0'), {'PyOpenSSL'})

Certbot compiled with no errors though
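The ContextualVersionConflict above is pkg_resources refusing to start certbot because the python3.8 site-packages holds a cryptography older than the one its PyOpenSSL declares it needs, which is what a ports build sitting next to the remains of a pkg install looks like. The script below, added as an example and not code from the thread, rebuilds that check from the dist-info metadata so every copy of a distribution across the python3.8 and python3.9 trees is listed with its version. The site-packages tree it inspects is constructed inline, the python3.9 versions are invented for the sample, and on a real jail you would set PREFIX=/usr/local and drop the mkdist lines:

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the pkg_resources check that
# failed above without importing certbot. It walks every site-packages under a
# prefix, lists each copy of a distribution with the interpreter it belongs to,
# and compares an installed version against a ">=" requirement.
# The tree is constructed; /usr/local is the FreeBSD ports/pkg prefix assumed
# for real use.
set -eu

PREFIX=$(mktemp -d)
trap 'rm -rf "$PREFIX"' EXIT

# mkdist PY NAME VERSION [REQUIRES]: write a minimal dist-info METADATA.
mkdist() {
    d="$PREFIX/lib/$1/site-packages/$2-$3.dist-info"
    mkdir -p "$d"
    printf 'Metadata-Version: 2.1\nName: %s\nVersion: %s\n' "$2" "$3" > "$d/METADATA"
    [ $# -ge 4 ] && printf 'Requires-Dist: %s\n' "$4" >> "$d/METADATA"
    return 0
}

# Constructed tree: the mix the thread ends up with, a ports-built cryptography
# 3.3.2 for python3.8 next to a pyOpenSSL that wants >=35.0, plus a newer
# cryptography (invented version) left under python3.9 by the pkg install.
mkdist python3.8 cryptography 3.3.2
mkdist python3.8 pyOpenSSL 22.0.0 'cryptography (>=35.0)'
mkdist python3.9 cryptography 37.0.2

# list_dists NAME: "python version path" for every installed copy of NAME.
list_dists() {
    find "$PREFIX/lib" -type d -name "$1-*.dist-info" | sort | while read -r d; do
        py=$(echo "$d" | sed -n 's#.*/lib/\(python[0-9.]*\)/site-packages/.*#\1#p')
        v=$(sed -n 's/^Version: //p' "$d/METADATA")
        echo "$py $v $d"
    done
}

# version_ge A B: 0 if dotted version A >= B (numeric, component-wise).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = na > nb ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 1
            if (p > q) exit 0
        }
        exit 0 }'
}

# requirement PY DEPENDENT DEP: the ">=X" spec DEPENDENT declares for DEP in
# PY's site-packages (only the >= form pkg_resources complained about;
# both "dep>=X" and "dep (>=X)" metadata spellings are accepted).
requirement() {
    for m in "$PREFIX"/lib/$1/site-packages/$2-*.dist-info/METADATA; do
        [ -f "$m" ] && sed -n "s/^Requires-Dist: $3 *(\{0,1\}\(>=[0-9.]*\))\{0,1\}.*/\1/p" "$m"
    done
    return 0
}

# check_conflict PY DEPENDENT DEP: 0 if PY's copy of DEP satisfies DEPENDENT.
# This is the question pkg_resources asks before certbot's main() ever runs.
check_conflict() {
    have=$(list_dists "$3" | awk -v py="$1" '$1 == py { print $2; exit }')
    need=$(requirement "$1" "$2" "$3")
    [ -n "$have" ] || { echo "$1: $3 not installed" >&2; return 1; }
    [ -z "$need" ] && return 0
    if version_ge "$have" "${need#>=}"; then return 0; fi
    echo "$1: $2 requires $3$need but $3 $have is installed (ContextualVersionConflict)" >&2
    return 1
}

# Report every copy, then run the check for both interpreters.
list_dists cryptography
check_conflict python3.8 pyOpenSSL cryptography || true
check_conflict python3.9 pyOpenSSL cryptography || true
```

The python3.8 case is the thread's own traceback: cryptography 3.3.2 against `cryptography>=35.0` from pyOpenSSL. On FreeBSD, `pkg which /usr/local/lib/python3.8/site-packages/cryptography` says whether a given copy belongs to a package, which is the quickest way to tell a ports/pkg-owned module from a stray one; the way out is to get certbot, py-openssl and py-cryptography from one source (all ports or all pkg) and for one python flavor.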

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.