Certbot auto renewal

Hi all,

I am facing issue with certbot auto renewal, its failing when it automatically tries to renew, but manually i could renew using " certbot renew" and dry run “certbot renew --dry-run” also working fine,

nginx version 1.14.2

FYI, Below is the error when it tries to auto renew

Subject: XXX> python -c ‘import random; import time; time.sleep(random.random() * 3600)’ && certbot renew
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=404>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id:
Date: Fri, 18 Jan 2019 00:18:50 +0800 (+08)

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/XXXX.conf


Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()
Attempting to renew cert XXX.Y.com) from /etc/letsencrypt/renewal/XXX.Y.com.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError(). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/XXX.Y.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/XXX.Y.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

Check your nginx config with:
nginx -t

Does it provide the rest of the error message?

Or does /var/log/letsencrypt/letsencrypt.log?

This probably means that the nginx executable isn't in the PATH, or -- less likely -- that Certbot can't find nginx.conf.

Check where nginx is -- e.g. with which nginx -- and make sure it's within the PATH used by cron.

Below is the output when i use nginx -t command

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

The error message from letsencrypt.log

2019-01-18 00:18:49,930:DEBUG:certbot.main:certbot version: 0.26.1
2019-01-18 00:18:49,930:DEBUG:certbot.main:Arguments:
2019-01-18 00:18:49,930:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-01-18 00:18:49,970:DEBUG:certbot.log:Root logging level set at 20
2019-01-18 00:18:49,971:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-01-18 00:18:50,015:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fa9ae03d650> and installer <certbot.cli._Default object at 0x7fa9ae03d650>
2019-01-18 00:18:50,036:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-02-07 09:24:09 UTC.
2019-01-18 00:18:50,036:INFO:certbot.renewal:Cert is due for renewal, auto-renewing…
2019-01-18 00:18:50,037:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2019-01-18 00:18:50,038:DEBUG:certbot.plugins.disco:No installation (PluginEntryPoint#nginx):
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/certbot/plugins/disco.py”, line 132, in prepare
self._initialized.prepare()
File “/usr/lib/python2.7/site-packages/certbot_nginx/configurator.py”, line 139, in prepare
raise errors.NoInstallationError
NoInstallationError
2019-01-18 00:18:50,051:DEBUG:certbot.plugins.selection:No candidate plugin
2019-01-18 00:18:50,052:DEBUG:certbot.plugins.selection:No candidate plugin
2019-01-18 00:18:50,052:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2019-01-18 00:18:50,052:INFO:certbot.main:Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()
2019-01-18 00:18:50,052:WARNING:certbot.renewal:Attempting to renew cert (www.example.com) from /etc/letsencrypt/renewal/www.example.com.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError(). Skipping.
2019-01-18 00:18:50,055:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/certbot/renewal.py”, line 430, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 1191, in renew_cert
installer, auth = plug_sel.choose_configurator_plugins(config, plugins, “certonly”)
File “/usr/lib/python2.7/site-packages/certbot/plugins/selection.py”, line 237, in choose_configurator_plugins
diagnose_configurator_problem(“authenticator”, req_auth, plugins)
File “/usr/lib/python2.7/site-packages/certbot/plugins/selection.py”, line 341, in diagnose_configurator_problem
raise errors.PluginSelectionError(msg)
PluginSelectionError: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()

2019-01-18 00:18:50,055:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-01-18 00:18:50,055:ERROR:certbot.renewal: /etc/letsencrypt/live/www.example.com/fullchain.pem (failure)
2019-01-18 00:18:50,055:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 9, in
load_entry_point(‘certbot==0.26.1’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 1364, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 1276, in renew
renewal.handle_renewal_request(config)
File “/usr/lib/python2.7/site-packages/certbot/renewal.py”, line 455, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

1 Like

Ah! That's what I said it probably was:

A newer version of Certbot added a more clear error message.

1 Like

How to change nginx path? any idea on that?

Show:
set | grep -i 'path='
which nginx

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin

The PATH looks OK.

Please show all of these:

  • which nginx
  • crontab -l
  • sudo crontab -l
  • systemctl list-timers --all | grep certbot

which nginx

/usr/sbin/nginx

crontab -l

0 0,12 * * * python -c ‘import random; import time; time.sleep(random.random() * 3600)’ && certbot renew

systemctl list-timers --all | grep certbot

No output was shown for this

NGINX is in the PATH (for root user).

Try [one of these should work]:
certbot renew --dry-run --nginx-ctl /usr/sbin/nginx
or
certbot renew --dry-run --nginx-ctl /usr/sbin

OR it will give us more clues...

Cron could be operating with a different PATH.

I can’t say what your cron daemon’s default PATH is or what the best way to change it is, though.

Yeah - very possible.
Not even sure how to get that "value" out...

certbot renew --dry-run --nginx-ctl /usr/sbin

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.example.com.conf


Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError(“Could not find a usable ‘nginx’ binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.”,)
Attempting to renew cert (www.example.com) from /etc/letsencrypt/renewal/www.example.com.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError(“Could not find a usable ‘nginx’ binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.”,). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.example.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.example.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

#certbot renew --dry-run --nginx-ctl /usr/sbin/nginx
was working fine, certificate renewed successfully

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.