Cannot get renew to work

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: westlancs-eb.co.uk

I ran this command: certbot --nginx

It produced this output:

2020-07-13 12:20:58,283:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.3.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1317, in main
    plugins = plugins_disco.PluginsRegistry.find_all()
  File "/usr/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 210, in find_all
    plugin_ep = PluginEntryPoint(entry_point)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 54, in __init__
    self.plugin_cls = entry_point.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2355, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2361, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 20, in <module>
    from certbot import constants as core_constants
ImportError: cannot import name constants
2020-07-13 12:20:58,283:ERROR:certbot._internal.log:An unexpected error occurred:

My web server is (include version): nginx
nginx.x86_64 1:1.12.2-2.el7

The operating system my web server runs on is (include version):
Oracle Enterprise Linux 7.7

My hosting provider, if applicable, is: Oracle

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot.noarch 1.3.0-1.el7

Could you check the version of the python2-certbot-nginx package? It should be 1.3.0 too, but perhaps it needs to be upgraded.

Good point…
Installed Packages
python2-certbot-nginx.noarch 0.39.0-1.el7
Available Packages
python2-certbot-nginx.noarch 1.3.0-1.el7

I therefore ran

sudo yum update python2-certbot-nginx

Then

sudo certbot renew --nginx

Now I get a different error…

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
From cffi callback <function _verify_callback at 0x7f5917034230>:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 309, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
An unexpected error occurred:
ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))
Please see the logfiles in /var/log/letsencrypt for more details.

Detail of the log file is as follows…

2020-07-13 16:45:22,532:DEBUG:certbot._internal.main:certbot version: 1.3.0
2020-07-13 16:45:22,532:DEBUG:certbot._internal.main:Arguments: ['--nginx']
2020-07-13 16:45:22,532:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-07-13 16:45:22,552:DEBUG:certbot._internal.log:Root logging level set at 20
2020-07-13 16:45:22,552:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-07-13 16:45:22,557:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2020-07-13 16:45:22,856:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f59171b3b90>
Prep: True
2020-07-13 16:45:22,856:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f59171b3b90> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f59171b3b90>
2020-07-13 16:45:22,857:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2020-07-13 16:45:22,868:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/78159866', new_authzr_uri=None, terms_of_service=None), 4badb687fbc1cfb4541c53edc27d6b25, Meta(creation_host=u'westlancs-eb.subnet.vcn.oraclevcn.com', creation_dt=datetime.datetime(2020, 2, 14, 12, 55, 9, tzinfo=<UTC>)))>
2020-07-13 16:45:22,871:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-07-13 16:45:22,881:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2020-07-13 16:45:23,144:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.3.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1093, in run
    le_client = _init_le_client(config, authenticator, installer)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 610, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 257, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 44, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 827, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1158, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1107, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 486, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 598, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 424, in send
    raise ConnectionError(e, request=request)
ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))
2020-07-13 16:45:23,146:ERROR:certbot._internal.log:An unexpected error occurred:

Hm, strange error. For some reason the requests Python module doesn’t recognise the TLS certificate of the ACME server.

What does curl -v https://acme-v02.api.letsencrypt.org/directory give as output?

Also, I’m reading requests uses its own internal root certificate store unless otherwise specified. Perhaps python2-requests needs updating too?

curl -v https://acme-v02.api.letsencrypt.org/directory

* About to connect() to acme-v02.api.letsencrypt.org port 443 (#0)
*   Trying 172.65.32.248...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=acme-v01.api.letsencrypt.org
*       start date: Jul 10 21:38:46 2020 GMT
*       expire date: Oct 08 21:38:46 2020 GMT
*       common name: acme-v01.api.letsencrypt.org
*       issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> GET /directory HTTP/1.1
> User-Agent: curl/7.29.0
> Host: acme-v02.api.letsencrypt.org
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Tue, 14 Jul 2020 17:10:39 GMT
< Content-Type: application/json
< Content-Length: 658
< Connection: keep-alive
< Cache-Control: public, max-age=0, no-cache
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
<
{
  "NzRZhvnafy8": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"

So curl seems to work. You said "Perhaps python2-requests needs updating too?"

sudo yum list python2-requests
Loaded plugins: langpacks, ulninfo
Available Packages
python2-requests.noarch 2.6.0-0.el7

That looks to me like python2-requests was not installed.

I am happy to install, but how could I have installed certbot and refreshed last time if that was the case?

That’s odd. Because which package installed /usr/lib/python2.7/site-packages/requests/ then?

Not 100% sure, but it looks like it was installed when I first installed certbot back in January this year. The directory is dated then, all content is 2019 or before.

I am a complete Python novice, so do you think going ahead with a yum install would be OK?

Yes, installing python2-requests shouldn’t cause any harm.

Oh the perils of making assumptions with yum.

Package python2-requests-2.6.0-0.el7.noarch is obsoleted by python-requests-2.6.0-8.el7_7.noarch which is already installed
Nothing to do

So it seems python is up to date.

Reran sudo certbot --nginx, still in error:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 309, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
An unexpected error occurred:
ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

Checking the X509 error, there were references on Stack Exchange to the pyOpenSSL version, so I checked.

yum list pyOpenSSL
Loaded plugins: langpacks, ulninfo
Installed Packages
pyOpenSSL.x86_64 0.13.1-4.el7 @anaconda/7.7

Seems a bit old, but yum update pyOpenSSL just gives:

No packages marked for update

Running out of days now, so getting a bit desperate
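The two checks made so far in this thread (package versions that moved out of step, and a TLS verification that fails in certbot's Python stack while curl with the system bundle succeeds) can be run from one script. The following is an added diagnostic written for this page; it is not part of the thread and not certbot's own code. The ACME host name and the CA bundle path `/etc/pki/tls/certs/ca-bundle.crt` are taken from the curl output above; all function names are the example's own. The only network call lives under `__main__`, so the checking functions can be exercised offline.

```python
"""
Diagnostic for the failure in this thread: certbot 1.3.0 first loaded a
certbot-nginx 0.39.0 plugin (ImportError), then, after the plugin upgrade,
pyOpenSSL's verify callback raised AttributeError on X509_up_ref and the
ACME directory fetch ended in "certificate verify failed", while curl using
NSS and /etc/pki/tls/certs/ca-bundle.crt verified the same server.
Added example; not part of the thread and not certbot's code.
"""
import socket
import ssl
import sys
from typing import Dict, Optional, Tuple

ACME_HOST = "acme-v02.api.letsencrypt.org"          # host from the thread
SYSTEM_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"   # CAfile curl reported


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn an RPM-style '0.39.0-1.el7' into (0, 39, 0): the release suffix
    after '-' is dropped and only the leading numeric dotted part is kept."""
    core = version.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def plugin_matches_core(core_version: str, plugin_version: str) -> bool:
    """certbot and its plugin packages are released in lock-step; the first
    error in the thread was certbot 1.3.0 importing certbot-nginx 0.39.0."""
    return version_tuple(core_version) == version_tuple(plugin_version)


def python_tls_stack() -> Dict[str, Optional[str]]:
    """Versions of everything between certbot and the ACME server; a module
    that is not installed is reported as None rather than raising."""
    report: Dict[str, Optional[str]] = {
        "python": sys.version.split()[0],
        "linked_openssl": ssl.OPENSSL_VERSION,
    }
    for name in ("OpenSSL", "cryptography", "cffi", "requests", "urllib3", "certifi"):
        try:
            module = __import__(name)
            report[name] = getattr(module, "__version__", "unknown")
        except ImportError:
            report[name] = None
    return report


def binding_has_x509_up_ref() -> Optional[bool]:
    """The thread's AttributeError means pyOpenSSL expected the cryptography
    OpenSSL binding to expose X509_up_ref and it did not. Returns None when
    the binding cannot be loaded at all."""
    try:
        from cryptography.hazmat.bindings.openssl.binding import Binding
        return hasattr(Binding().lib, "X509_up_ref")
    except Exception:  # ImportError or a binding that fails to initialise
        return None


def trust_store_paths() -> Dict[str, Optional[str]]:
    """Where Python's ssl module looks for roots, next to the bundle curl used
    and the bundle requests/urllib3 would take from certifi if present. The
    'requests uses its own store' remark in the thread is about this gap."""
    defaults = ssl.get_default_verify_paths()
    paths: Dict[str, Optional[str]] = {
        "python_cafile": defaults.cafile,
        "python_capath": defaults.capath,
        "system_bundle": SYSTEM_BUNDLE,
        "certifi_bundle": None,
    }
    try:
        import certifi
        paths["certifi_bundle"] = certifi.where()
    except ImportError:
        pass
    return paths


def verify_acme_endpoint(host: str = ACME_HOST, cafile: Optional[str] = None,
                         timeout: float = 10.0):
    """Repeat the handshake certbot failed at using Python's ssl module alone
    (no pyOpenSSL in the path), verifying against cafile or the defaults.
    Returns (True, subject CN, notAfter) or (False, error text, None)."""
    context = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc), None
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    return True, subject.get("commonName"), cert.get("notAfter")


if __name__ == "__main__":
    print("certbot 1.3.0 / certbot-nginx 0.39.0 in step:",
          plugin_matches_core("1.3.0-1.el7", "0.39.0-1.el7"))
    for key, value in {**python_tls_stack(), **trust_store_paths()}.items():
        print(f"{key}: {value}")
    print("binding exposes X509_up_ref:", binding_has_x509_up_ref())
    print("handshake with defaults:", verify_acme_endpoint())
    print("handshake with system bundle:", verify_acme_endpoint(cafile=SYSTEM_BUNDLE))
```

If the final two lines disagree (the system bundle verifies but the defaults do not, or the reverse), the fault is in which root store the Python stack is consulting; if both verify with plain `ssl` but certbot still fails, the fault is in the pyOpenSSL/cryptography pairing that the `X509_up_ref` check reports on.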

What about the Python package cryptography? Just shooting in the wild here, I’m not sure what’s going on…

Also, perhaps worth looking into Python 3, if that’s available for your distribution?

Fixed!!!

Tried the cryptography suggestion and that did not work. It just told me all packages were up to date.
Neither did Python 3…same error as before.

So what I did was go back to the beginning and re-installed…

wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
/usr/local/bin/certbot-auto

After that the certificate renewed…

Thank you so much for your help.
Passer

Well, it’s good you’ve renewed your certificate of course, but that’s more a workaround than a real fix unfortunately.

Fair enough.

However, as you say the Certificate has renewed, so for me, that’s the time pressure off.

What can I do to help identify the real problem. I have the yum output of the certbot-auto script if that would help?

Let’s go back to what happened.

Background: I use Oracle Apex on Oracle Cloud for an application. Oracle Cloud does not support vanity URLs, so I stuck an NGINX webserver on a compute instance, again on Oracle Cloud.
I needed HTTPS for REST integration and so I followed a script on a blog to install Certbot.
All went as per script. This was Jan 2020.

I got a mail from Letsencrypt saying that a certificate was about to expire and so I ran
certbot --nginx
All went well again, this was April

When I got the next mail I tried the same again but got the error messages, after which the story is pretty much as above.

So with the time pressure off, as I say, let me know if I can help.

BTW I can login to a root shell…I just forgot how to when I first raised the help request.