Can't upgrade certbot to the latest release

#1

The current version of certbot on my system is:
certbot --version
certbot 0.28.0

Am on a VPS using Ubuntu 16.04 system running Apache/2.4.18 (Ubuntu)

Saw a similar problem in a previous post “Version Upgrade” but it didn’t
provide enough context to fully understand their solution.

When specifying “Apache” and “Ubuntu 16.04 (xenial)” the interactive
installation site recommends the following to install Certbot:

sudo apt-get update sudo apt-get install software-properties-common
sudo add-apt-repository universe sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update sudo apt-get install certbot python-certbot-apache

From what I could make out the “Version Upgrade” the above needs to be
modified to:

sudo apt-get update sudo apt-get install software-properties-common
sudo add-apt-repository universe sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update & apt-cache policy certbot ## changed sudo apt-get upgrade --with-new-pkgs ## added
$ sudo apt-get install certbot python-certbot-apache

Unfortunately I guessed wrong , as it didn’t do the update:
certbot --version
certbot 0.28.0

What should I have done?

NOTE: The docs should be updated to whatever the correction is.

-Pete

#2

Hi,

How did you install certbot initially? (From Python or apt?)

Thank you

#3

0.28.0 is the most recent version of Certbot available in the PPA.

https://launchpad.net/~certbot/+archive/ubuntu/certbot

It’s not the very latest release, but it’s pretty close.

Are you running into a specific bug fix or feature you need from a more recent version of Certbot?

1 Like
#4

I used the apt-get commands that I listed in the post. Then I modified the commands
based on input that I saw from a thread on this subject. Unfortunately that didn’t seem
to change things.

#5

Ahhh… I had assumed that I would be getting 0.31.0. If that’s not available through
the PPA then everything is ok.

Have used certbot before and have a number of certificates for sites. Unfortunately as I’m trying to
get certificates for another vhost site I’m getting:

“Type: unauthorized”
Detail: Invalid response from
http://www.ps1schreiber.com/.well-known/acme-challenge/n64Yt-9bWtyQCLfMYiJlpi4-fPIUE-WL7Dcc6aTEJRo
[198.100.45.83]: “\n\n403
Forbidden\n\n

Forbidden

\n<p”

Can’t figure out what’s generating the 403 error.

My DNS ZONE records are correct (by that I mean they’re the same as other sites for which
I’ve succeeded in receiving certificates.)
My virtual host definitions are the same, I only changed the domain names of an existing working
vhost definition. I double checked that the directory permissions are correct. Am running out of
ideas of what the problem could be.

Thought perhaps my certbot environment managed to get corrupted, so I reran apt-get to update
to the latest version (which I mistakenly assumed would be 0.31.0), but am left scratching my head.

Any pointers to similar past posts that address this type of an issue?

-Pete

#6

What command did you run?

Is there anything in Apache’s error log?

#7

Hi @renopete

run the same command with -vvv as additional option.

Then you should see that certbot creates a location directive to another directory. Check, if that directory exists. If not, create it and add correct file permissions (755).

Your configuration looks completely different. Redirects http -> https, same with /.well-known/acme-challenge, but your / redirects to www.affordablesouthwesthomes.com.

/.well-known/acme-challenge doesn’t show that redirect ( https://check-your-website.server-daten.de/?q=ps1schreiber.com ).

And your error message shows that this configuration isn’t used.

So it may be a temporary configuration created on the fly.

#8

Juergen

Thanks for taking the time to look at this issue more closely.


run the same command with -vvv as additional option.

Then you should see that certbot creates a location directive to
another directory. Check, if that directory exists. If not, create it
and add correct file permissions (755).


I created the needed directories and changed ownership and permissions
as follows:

ls -ld /var/www/html
drwxr-xr-x 11 www-data www-data 4096 2019-02-24 22:37 /var/www/html/

ls -ld /var/www/html/ps1schreiber
drwxr-xr-x 3 www-data www-data 4096 2019-02-28 00:48 /var/www/html/ps1schreiber/

ls -ld /var/www/html/ps1schreiber/.well-known
drwxr-xr-x 3 www-data www-data 4096 2019-02-28 00:48 /var/www/html/ps1schreiber/.well-known/

ls -ld /var/www/html/ps1schreiber/.well-known/acme-challenge
drwxr-xr-x 2 www-data www-data 4096 2019-02-28 00:48 /var/www/html/ps1schreiber/.well-known/acme-challenge/

ran:

sudo certbot --apache -d ps1schreiber.com -d www.ps1schreiber.com

But got the same 403 error

What can be causing this??


Your configuration looks completely different. Redirects http ->
https, same with /.well-known/acme-challenge, but your / redirects to
www.affordablesouthwesthomes.com .

/.well-known/acme-challenge doesn’t show that redirect (
https://check-your-website.server-daten.de/?q=ps1schreiber.com ).


I’ve run into the ideosyncrazy of ping reporting a different domain
name then the one you’re pinging.

ping -c1 affordablesouthwesthomes.com
PING affordablesouthwesthomes.com (198.100.45.83) 56(84) bytes of data.
64 bytes from www.winetreefarm.com (198.100.45.83): icmp_seq=1 ttl=252 time=60.3 ms

ping -c1 www.affordablesouthwesthomes.com
PING www.affordablesouthwesthomes.com (198.100.45.83) 56(84) bytes of data.
64 bytes from www.winetreefarm.com (198.100.45.83): icmp_seq=1 ttl=252 time=65.2 ms

ping -c1 ps1schreiber.com
PING ps1schreiber.com (198.100.45.83) 56(84) bytes of data.
64 bytes from corinneswine.com (198.100.45.83): icmp_seq=1 ttl=252 time=60.8 ms

ping -c1 www.ps1schreiber.com
PING www.ps1schreiber.com (198.100.45.83) 56(84) bytes of data.
64 bytes from corinneswine.com (198.100.45.83): icmp_seq=1 ttl=252 time=63.4 ms

Although ping may at times report a different domain name than what’s
being pinged, both redirect to their secure sites. So they do work.

At different times of the day ping will report a different domain name. Very
odd.

All these sites are virtual domains served from an apache2 server running on
(198.100.45.83).

Here are images of their DNS ZONE settings


Here are copies of their vhost settings

http://www.affordablesouthwesthomes.com/imgs/affordablesouthwesthomes_Vhost.txt
http://www.affordablesouthwesthomes.com/imgs/ps1schreiber_Vhost.txt

Any insights you can share would be greatly appreciated.

-Pete

#9

The -vvv - log should have a temporary definition, there is the 403 - problem. Not your webroot. But if this

/var/www/html/ps1schreiber

is your correct webroot, use it:

certbot run -a webroot -i apache -w /var/www/html/ps1schreiber -d ps1schreiber.com -d www.ps1schreiber.com

Then certbot uses direct the webroot and doesn’t create a temporary definition.

Ping isn’t relevant, these are http redirects.

Same with your dns zone. Rechecked your domain, see the results of these http redirects ( https://check-your-website.server-daten.de/?q=ps1schreiber.com ):

If you load

https://www.ps1schreiber.com/

and if you accept the wrong certificate, you are redirected to https://www.affordablesouthwesthomes.com/.

But perhaps this is only a problem of the missing 443 host with ps1schreiber.com.

#10

Juergen

Thanks for the feedback, I now have 2 sites running but managed to shoot myself
in the foot with a typo
Had put “pttps” instead of “https” in the vhost definition of ps1schreiber.com.conf.
Corrected the error in the vhost definition and reran certbot but the error of using
an unsupported protcol continued to persist. Somehow some files were not being
updated on successive attempts to create the certificate with certbot. So I:

sudo certbot revoke --cert-path /etc/letsencrypt/live/ps1schreiber.com/fullchain.pem
followed by:
sudo certbot delete --cert-name ps1schreiber.com

But apparently that did not delete everything as I now get the following when I try to create other
certificates:

Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 36 of /etc/apache2/sites-enabled/ps1schreiber.com-le-ssl.conf:
SSLCertificateFile: file ‘/etc/apache2/sites-available/~/.certbot/config/live/ps1schreiber.com
/fullchain.pem’ does not exist or is empty

When I run:
sudo certbot delete
sudo certbot certificates

they both only list two sites

It makes no mention of:
corinneswine.com <= runs with https
livingintucsonaz <= runs with https
ps1schreiber.com <= the root of my headache

Could something I might have done, create this disconnect?

-Pete

#11

You have deleted your certificate, but your Apache use the certificate. So Apache can’t start that vHost.

Check your other vHosts to find something like

        SSLCertificateKeyFile path-to-key
        SSLCertificateFile path-to-cert

and use the same entries in your ps1schreiber.com-le-ssl.conf - file. Then the certificate is wrong, but Apache should start.

closed #12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.