Can't renew by certbot: Could not decode 'status' (u'ready')


#1

I’m trying to renew my cert now; it will expire after 18 days.

domain: astr.moe
certbot version: 0.24.0
with CloudFlare

$ sudo certbot renew --dry-run

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-cloudflare, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (astr.moe) from /etc/letsencrypt/renewal/astr.moe.conf produced an unexpected error: Deserialization error: Could not decode 'status' (u'ready'): Deserialization error: Status not recognized. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/astr.moe/fullchain.pem (failure)

/var/log/letsencrypt/letsencrypt.log

2018-06-28 14:09:39,771:DEBUG:acme.client:Received response:
HTTP 201
content-length: 547
expires: Thu, 28 Jun 2018 05:09:39 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
location: https://acme-staging-v02.api.letsencrypt.org/acme/order/{Delete}
pragma: no-cache
boulder-requester: 5934668
date: Thu, 28 Jun 2018 05:09:39 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: {Delete}

{
  "status": "ready",
  "expires": "2018-07-05T05:09:39.641761796Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.astr.moe"
    },
    {
      "type": "dns",
      "value": "astr.moe"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/{Delete}",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/{Delete}"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/{Delete}"
}
2018-06-28 14:09:39,772:DEBUG:acme.client:Storing nonce: {Delete}
2018-06-28 14:09:39,772:WARNING:certbot.renewal:Attempting to renew cert (astr.moe) from /etc/letsencrypt/renewal/astr.moe.conf produced an unexpected error: Deserialization error: Could not decode 'status' (u'ready'): Deserialization error: Status not recognized. Skipping.
2018-06-28 14:09:39,774:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 422, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1151, in renew_cert
    _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 113, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 297, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 294, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 326, in _get_order_and_authorizations
    orderr = self.acme.new_order(csr_pem)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 779, in new_order
    return self.client.new_order(csr_pem)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 606, in new_order
    body = messages.Order.from_json(response.json())
  File "/usr/lib/python2.7/site-packages/josepy/json_util.py", line 289, in from_json
    return cls(**cls.fields_from_json(jobj))
  File "/usr/lib/python2.7/site-packages/josepy/json_util.py", line 284, in fields_from_json
    slot, value, error))
DeserializationError: Deserialization error: Could not decode 'status' (u'ready'): Deserialization error: Status not recognized

.conf

version = 0.22.2

Can it be fixed? Or maybe I need to remove all certs and restart, just as if I never had any cert?
Maybe I should turn off HSTS first? It is set to Max-Age: 12 months.


#2

Hi,

This is due to a new status change.
It could be fixed… (I remember it would need 0.25+?)
Please update to the latest version of certbot to apply the fix.

Thank you


#3

It’s the latest version on yum (0.24.0).

I also tried to use certbot-auto:

renewal configuration file /etc/letsencrypt/renewal/astr.moe.conf (cert: astr.moe) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.

/etc/letsencrypt/renewal/astr.moe.conf

# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/astr.moe
cert = /etc/letsencrypt/live/astr.moe/cert.pem
privkey = /etc/letsencrypt/live/astr.moe/privkey.pem
chain = /etc/letsencrypt/live/astr.moe/chain.pem
fullchain = /etc/letsencrypt/live/astr.moe/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = dns-cloudflare
installer = nginx
account = {Delete}
dns_cloudflare_credentials = /usr/share/nginx/certbot-cloudflare.ini
server = https://acme-v02.api.letsencrypt.org/directory

#4

The reason certbot-auto didn’t work is because it doesn’t ship with the Cloudflare plugin.

You can do this to force certbot-auto to work

sudo su -
cd /opt/eff.org/certbot
source venv/bin/activate
pip install certbot-dns-cloudflare
deactivate

and then try renew.


#5

certbot renew and certbot things used to work with Cloudflare prior to 0.22.2 without using any plugin, using webroot authentication. Should I just wait for 0.25.0 to come out to get rid of these errors? (asking if I should do nothing)

Example output from sudo apt-get upgrade -V:

The following packages have been kept back:
   certbot (0.22.2-1+ubuntu16.04.1+certbot+1 => 0.25.0-1+ubuntu16.04.1+certbot+1)
   python3-acme (0.22.2-1+ubuntu16.04.1+certbot+1 => 0.25.1-1+ubuntu16.04.1+certbot+1)
   python3-certbot (0.22.2-1+ubuntu16.04.1+certbot+1 => 0.25.0-1+ubuntu16.04.1+certbot+1)
   python3-certbot-nginx (0.22.0-1+ubuntu16.04.1+certbot+2 => 0.25.0-2+ubuntu16.04.1+certbot+1)
   python3-requests (2.9.1-3 => 2.18.1-1+ubuntu16.04.1+certbot+1)
   python3-urllib3 (1.13.1-2ubuntu0.16.04.1 => 1.21.1-1+ubuntu16.04.1+certbot+1)

Example errors “could not decode” for certbot renew --dry-run:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/REDACTED.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (REDACTED.com) from /etc/letsencrypt/renewal/REDACTED.com.conf produced an unexpected error: Deserialization error: Could not decode 'status' ('ready'): Deserialization error: Status not recognized. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/REDACTED.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (REDACTED.com) from /etc/letsencrypt/renewal/REDACTED.com.conf produced an unexpected error: Deserialization error: Could not decode 'status' ('ready'): Deserialization error: Status not recognized. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/REDACTED.com/fullchain.pem (failure)
  /etc/letsencrypt/live/REDACTED.com/fullchain.pem (failure)

#6

You specifically should figure out why your Certbot package isn’t being upgraded, because it’s available in the Ubuntu repo.

Maybe

apt full-upgrade

#7

Hi,

It seems you are using the staging server…

P.S. those certificates are not valid…

I resolved the issue by updating certbot from pip (remove & reinstall), since my program was installed via pip and yum only has v24 too.


#8

Yum is Red Hat/CentOS; they haven’t added 0.25 yet.


#9

@baelatas is using Ubuntu.

(For what it’s worth, it looks like 0.25 will be promoted in EPEL, in 6 hours from this post).


#10

Didn’t see it was a different problem. Never mind!


#11

So I got sudo certbot renew --dry-run to work. Documenting here:

Running a dry-run install of the kept-back packages (apt-get install -sV certbot python3-acme python3-certbot python3-certbot-nginx python3-requests python3-urllib3), I get:

The following additional packages will be installed:
   python3-certifi (2017.4.17-2+ubuntu16.04.1+certbot+1)
   python3-requests-toolbelt (0.8.0-1+ubuntu16.04.1+certbot+1)
Suggested packages:
   python3-certbot-apache (0.25.0-2+ubuntu16.04.1+certbot+1)
   python-certbot-doc
   python-acme-doc (0.4.1-1)
   python-certbot-nginx-doc (0.19.0-1+ubuntu16.04.1+certbot+1)
   python3-socks (1.5.0+dfsg-4)
The following NEW packages will be installed:
   python3-certifi (2017.4.17-2+ubuntu16.04.1+certbot+1)
   python3-requests-toolbelt (0.8.0-1+ubuntu16.04.1+certbot+1)
The following packages will be upgraded:
   certbot (0.22.2-1+ubuntu16.04.1+certbot+1 => 0.25.0-1+ubuntu16.04.1+certbot+1)
   python3-acme (0.22.2-1+ubuntu16.04.1+certbot+1 => 0.25.1-1+ubuntu16.04.1+certbot+1)
   python3-certbot (0.22.2-1+ubuntu16.04.1+certbot+1 => 0.25.0-1+ubuntu16.04.1+certbot+1)
   python3-certbot-nginx (0.22.0-1+ubuntu16.04.1+certbot+2 => 0.25.0-2+ubuntu16.04.1+certbot+1)
   python3-requests (2.9.1-3 => 2.18.1-1+ubuntu16.04.1+certbot+1)
   python3-urllib3 (1.13.1-2ubuntu0.16.04.1 => 1.21.1-1+ubuntu16.04.1+certbot+1)
6 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.

Only two new packages need to be installed, so I did the real install: sudo apt-get --with-new-pkgs upgrade -V.

Now sudo certbot renew --dry-run succeeds and the problem is solved. Thanks!
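
Added example (not part of the original thread, and not certbot's own code): a small Python scanner for /var/log/letsencrypt/letsencrypt.log that flags renewals skipped because of this "Could not decode 'status'" error and checks whether the installed certbot predates the working release. The sample log lines are constructed, and the 0.25.0 threshold is an assumption taken from what posters in this thread report.

```python
import re

# Matches the certbot.renewal WARNING line shown in the log excerpt in post #1.
FAILURE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+:WARNING:certbot\.renewal:"
    r"Attempting to renew cert \((?P<lineage>[^)]+)\) from (?P<conf>\S+) "
    r"produced an unexpected error: (?P<error>.*?)\. Skipping\.$"
)
# The specific cause: an ACME 'status' value the installed acme library cannot
# decode. Python 2 logs it as u'ready', Python 3 as 'ready'.
UNKNOWN_STATUS = re.compile(r"Could not decode 'status' \(u?'(?P<status>[^']+)'\)")


def version_tuple(text):
    """Turn '0.24.0' into (0, 24, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def find_status_decode_failures(log_text):
    """Return one dict per renewal skipped on an unrecognized ACME status."""
    findings = []
    for line in log_text.splitlines():
        match = FAILURE.match(line)
        if not match:
            continue
        status = UNKNOWN_STATUS.search(match.group("error"))
        if status:
            findings.append({"lineage": match.group("lineage"),
                             "conf": match.group("conf"),
                             "status": status.group("status")})
    return findings


def needs_upgrade(installed, fixed_in="0.25.0"):
    """True when installed certbot is older than fixed_in.

    Assumption: 0.25.0 is the version this thread reports as working.
    """
    return version_tuple(installed) < version_tuple(fixed_in)


# Constructed sample in the format of the log excerpt in post #1.
SAMPLE_LOG = """\
2018-06-28 14:09:39,772:DEBUG:acme.client:Storing nonce: EXAMPLE
2018-06-28 14:09:39,772:WARNING:certbot.renewal:Attempting to renew cert (example.test) from /etc/letsencrypt/renewal/example.test.conf produced an unexpected error: Deserialization error: Could not decode 'status' (u'ready'): Deserialization error: Status not recognized. Skipping.
"""

if __name__ == "__main__":
    for hit in find_status_decode_failures(SAMPLE_LOG):
        print(hit, "upgrade needed:", needs_upgrade("0.24.0"))
```

Running it against the real log on a schedule catches silently skipped renewals before the certificate expires.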

