Certbot 1.23.0 still shows errors with pre/posthook in Windows 10

Hi,
since the old topic (look here) has been closed, I'll start a new one. The problem still exists.

OS: Windows 10 Home, I'm admin
Domains: Some Dyndns, e.g. 24.dedyn.io
certbot 1.23.0

  1. If I use empty batch files:
C:\Certbot# certbot certonly ^
   --standalone ^
   --dry-run ^
   --test-cert ^
   --pre-hook "C:\Certbot\empty.bat" ^
   --post-hook "C:\Certbot\empty.bat" ^
   --preferred-challenges http ^
   --email me@somewhere ^
   -d 24.dedyn.io
Saving debug log to C:\Certbot\log\letsencrypt.log
Exception in thread Thread-2:
Traceback (most recent call last):
  File "threading.py", line 973, in _bootstrap_inner
  File "threading.py", line 910, in run
  File "subprocess.py", line 1479, in _readerthread
  File "encodings\cp1252.py", line 23, in decode
UnicodeDecodeError: 'charmap' codec can't decode byte 0x81 in position 138: character maps to <undefined>
An unexpected error occurred:
AttributeError: 'NoneType' object has no attribute 'strip'
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

If I use these batch files:
pre-hook.bat

@echo off
START "" /MIN  "D:\WinNMP\WinNMP.exe" "/k" >nul 2>nul

post-hook.bat

@echo off
START "" /MIN  "D:\WinNMP\WinNMP.exe" "/s" >nul 2>nul
C:\Certbot# certbot certonly ^
   --standalone ^
   --dry-run ^
   --test-cert ^
   --pre-hook "C:\Certbot\pre-hook.bat" ^
   --post-hook "C:\Certbot\post-hook.bat" ^
   --preferred-challenges http ^
   --email klemm.f@gmx.de ^
   -d 24.dedyn.io
Saving debug log to C:\Certbot\log\letsencrypt.log
Exception in thread Thread-2:
Traceback (most recent call last):
  File "threading.py", line 973, in _bootstrap_inner
  File "threading.py", line 910, in run
  File "subprocess.py", line 1479, in _readerthread
  File "encodings\cp1252.py", line 23, in decode
UnicodeDecodeError: 'charmap' codec can't decode byte 0x81 in position 138: character maps to <undefined>
An unexpected error occurred:
AttributeError: 'NoneType' object has no attribute 'strip'
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

But a running WinNMP.exe will be terminated.

  2. The problem with the space in the path still persists
--pre-hook "C:\A test\a.bat"
--pre-hook '"C:\A test\a.bat"'
--pre-hook """C:\A test\a.bat"""
--pre-hook "\"C:\A test\a.bat\""

None of them works.

  3. The ACLs are not set correctly. After a restart, neither the web server nor I as a user can access the certificates.

Am I the only one who wants to use certbot on windows?
Are there any intentions/plans to fix these bugs?
Should I better open an issue on github?

Questions, questions, questions...

Please help me.

I opened "hooks: investigate decoding errors in subprocess code · Issue #9171 · certbot/certbot · GitHub" back when you originally reported this but it hasn't been prioritized yet, sorry.

2 Likes

Thanks for the quick reply and the opening on github.

It is important that the scripts work, especially with wildcard certificates, to automate the creation (and deletion) of the TXT records.

It is very annoying that access to the certificates is not possible after a restart due to the ACLs. Is the problem known or reproducible?

1 Like

There is an issue for that as well (windows: Investigate "Controlled Folder Access" breaking Certbot · Issue #9165 · certbot/certbot · GitHub), but the issue is not well understood. Personally I have a hard time finding a Windows 10/11 machine to try to reproduce this on. I wasn't able to hit this issue using Windows Server edition.

1 Like

You can run a Windows 11 (or 10) vm on Azure, not sure about AWS etc.

2 Likes

Maybe because the web server runs as a service under the system account? The system account has access through the ACL. Any non-administrator should not even be allowed to read the certificate files.

@_az

You might be interested. I have additionally installed certbot (1.24.0):
python -m pip install certbot
and updated the Windows version.

When I use the certbot.exe in 'C:\Users\me\AppData\Local\Programs\Python\Python310\Scripts' (almost) everything runs smoothly. No error messages. If I use the certbot.exe in 'C:\Program Files (x86)\Certbot\bin', I get the following error messages:

at dns challenge

Exception in thread Thread-2:
Traceback (most recent call last):
  File "threading.py", line 973, in _bootstrap_inner
  File "threading.py", line 910, in run
  File "subprocess.py", line 1479, in _readerthread
  File "encodings\cp1252.py", line 23, in decode
UnicodeDecodeError: 'charmap' codec can't decode byte 0x81 in position 136: character maps to <undefined>
Encountered exception during recovery: KeyError: KeyAuthorizationAnnotatedChallenge(challb=ChallengeBody(chall=DNS01(token=b'\x7f&,\xb7\xfb\x1d\xd3\x1a\xa8\x06\xa3\xf8\xb9q\xd7\x83\xb7 \x03\x1e\xad\xec\xe6\x17\xc5\xfag\xe8 e\xc7\x8a"'), uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/ 87627104920/VQloDA', _url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/87627104920/VQloDA', status=Status(pending), validated=None, error=None), domain ='xxx, account_key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey object at 0x04A986E8>)>))
An unexpected error occurred:
AttributeError: 'NoneType' object has no attribute 'strip'
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

at http challenge

Exception in thread Thread-2:
Traceback (most recent call last):
  File "threading.py", line 973, in _bootstrap_inner
  File "threading.py", line 910, in run
  File "subprocess.py", line 1479, in _readerthread
  File "encodings\cp1252.py", line 23, in decode
UnicodeDecodeError: 'charmap' codec can't decode byte 0x81 in position 136: character maps to <undefined>
An unexpected error occurred:
AttributeError: 'NoneType' object has no attribute 'strip'

Amazing that it works with the one exe.

However, both of them still have the following problem.
If I start any program in a bat (e.g. 'START "" /MIN "notepad.exe"'), whether pre or post, hook or manual, Certbot always waits for the end of this program, even though the bat should actually continue and then end. If I run the bat on the command line, this also happens. Is that intentional?

If anyone is interested, the python version of certbot works reasonably well. Since this version supports plugins, I could have saved myself some work with self-made scripts.

What remains are two (big) problems.

  • The assignment of rights in the Certbot directory
  • Certbot waits for ALL programs started in a hook script to finish. THAT IS NOT RIGHT! Certbot should only wait for the script to finish, whether I want to wait for a program I started in the script is something I want (and can) decide for myself!

They're probably run in a subshell and certbot waits for the subshell to exit, which it can't do if there are background processes. I think you should fork your process explicitly if you want that behavior.

NB: the hook is not a script but a command.

Pre and Post Validation Hooks

Certbot allows for the specification of pre and post validation hooks when run in manual mode. The flags to specify these scripts are --manual-auth-hook and --manual-cleanup-hook respectively and can be used as follows:

certbot certonly --manual --manual-auth-hook /path/to/http/authenticator.sh --manual-cleanup-hook /path/to/http/cleanup.sh -d secure.example.com

This will run the authenticator.sh script, attempt the validation, and then run the cleanup.sh script. Additionally certbot will pass relevant environment variables to these scripts:

(From Pre and Post Validation Hooks)

1 Like

Yeah, I guess --manual-{auth,cleanup}-hook are different than --{pre,post,deploy}-hook

(no, they aren't, it's just the documentation example that's a bit confusing.)

manual:
  Authenticate through manual configuration or custom shell scripts. When
  using shell scripts, an authenticator script must be provided. The
  environment variables available to this script depend on the type of
  challenge. $CERTBOT_DOMAIN will always contain the domain being
  authenticated. For HTTP-01 and DNS-01, $CERTBOT_VALIDATION is the
  validation string, and $CERTBOT_TOKEN is the filename of the resource
  requested when performing an HTTP-01 challenge. An additional cleanup
  script can also be provided and can use the additional variable
  $CERTBOT_AUTH_OUTPUT which contains the stdout output from the auth
  script. For both authenticator and cleanup script, on HTTP-01 and DNS-01
  challenges, $CERTBOT_REMAINING_CHALLENGES will be equal to the number of
  challenges that remain after the current one, and $CERTBOT_ALL_DOMAINS
  contains a comma-separated list of all domains that are challenged for the
  current certificate.

  --manual-auth-hook MANUAL_AUTH_HOOK
                        Path or command to execute for the authentication
                        script (default: None)
  --manual-cleanup-hook MANUAL_CLEANUP_HOOK
                        Path or command to execute for the cleanup script
                        (default: None)
1 Like

The actual behavior is here, but I don't know python on windows well enough to understand what it does.

1 Like

Neither do I.

In the new version 1.25.0 the hook scripts work under Windows. There are still character set errors, e.g. if you output German umlauts in the script, but the scripts run error-free.

Any program started in the hook script must also be terminated, otherwise certbot will wait for the program to exit before continuing its execution. That can't be changed, unfortunately. Way out: you do not start 'certbot renew' directly in the task scheduler, but in a batch file and then start the required programs in this batch file. If you want to make startup dependent on a successful renewal of a certificate, you have to work with environment variables that you can set in a deploy-hook.

-edit
Assignment of rights: After further testing I have to correct my opinion. The desired functionality is already available. Any process running with administrator or system privileges can easily access it. Each user who is to access the certificates is given read rights in the two folders live and archive with the value 'This folder, subfolders and files' for 'Apply To'.

Spaces in paths must be avoided, certbot cannot handle them. The developers don't seem to care.

Use version 1.25.0 or above.
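The tracebacks earlier in the thread and the umlaut remark above share one mechanism: cmd.exe writes hook output in the OEM code page (cp850 on a German system, where 'ü' is byte 0x81), while a Python subprocess opened in text mode decodes it strictly with the ANSI code page cp1252, in which 0x81 is undefined. The reader thread dies, the captured stdout is None, and the later .strip() raises the AttributeError. The following is an added example, not Certbot's code: it reproduces the decode failure on a constructed sample and shows a tolerant decoder that captures bytes and only then decodes, with an assumed fallback order.

```python
import subprocess
from typing import Optional, Sequence

# Constructed sample: what a German-locale cmd.exe hook prints for the word
# "Ungültig" under the OEM code page 850, where 'ü' is byte 0x81.
SAMPLE_OEM_OUTPUT = b"Ung\x81ltig\r\n"

# Fallback order is an assumption for this example: strict UTF-8 first, then
# the Windows OEM and ANSI code pages. cp850 accepts every byte value, so it
# must come before cp1252 or it would never be reached.
DEFAULT_ENCODINGS: Sequence[str] = ("utf-8", "cp850", "cp1252")


def strict_decode_error(raw: bytes, encoding: str) -> Optional[str]:
    """Return the UnicodeDecodeError message for a strict decode, or None.

    With encoding="cp1252" this reproduces the thread's traceback: byte 0x81
    is undefined in cp1252, so the 'charmap' codec raises.
    """
    try:
        raw.decode(encoding)
        return None
    except UnicodeDecodeError as exc:
        return str(exc)


def decode_hook_output(raw: bytes, encodings: Sequence[str] = DEFAULT_ENCODINGS) -> str:
    """Decode captured hook output without ever raising.

    Trying the candidate encodings strictly keeps correct text when one of
    them fits; the lossy last resort keeps the output visible (with U+FFFD
    markers) instead of losing it to a dead reader thread.
    """
    for enc in encodings:
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode(encodings[-1], errors="replace")


def run_hook(command: str) -> str:
    """Run a hook the tolerant way: capture bytes first, decode afterwards."""
    # No text=True here: text mode is what makes subprocess decode with the
    # locale code page inside its reader thread, which is where the crash is.
    proc = subprocess.run(command, shell=True, capture_output=True)
    return (decode_hook_output(proc.stdout) + decode_hook_output(proc.stderr)).strip()


if __name__ == "__main__":
    print(strict_decode_error(SAMPLE_OEM_OUTPUT, "cp1252"))
    print(decode_hook_output(SAMPLE_OEM_OUTPUT).strip())
```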
