Certbot can't seem to identify domain name in server config


#1

I ran this command: sudo certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Please choose an account
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ip-171-30-18-55.us-east-2.compute.internal@2018-07-31T19:29:47Z (ee5c)
2: ip-171-30-7-155.us-east-2.compute.internal@2018-04-20T05:20:30Z (7de9)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): c
An unexpected error occurred:
AttributeError: 'NoneType' object has no attribute 'id'
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): Apache 2.4.34

The operating system my web server runs on is (include version): Amazon Linux 2 (4.14.77-81.59.amzn2.x86_64 #1 SMP Mon Nov 12 21:32:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux)

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes


Instead of picking up my domain name from the server config. file, Certbot seems to be identifying the internal IP of my AWS instance. Have never seen this before. Why is this happening and how do I fix it? I’m just going around and around in circles at this point.

Here’s what’s in my Apache config. file, httpd.conf:

<VirtualHost *:80>
    Protocols h2 h2c http/1.1
    DocumentRoot "/var/www/html"
    ServerName mydomain.com
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =mydomain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

#SSL

<VirtualHost *:443>
    Protocols h2 h2c http/1.1
    DocumentRoot "/var/www/html"
    ServerName mydomain.com
</VirtualHost>

#2

Hi,

What would happen if you run sudo certbot --apache -d domain.com? (Specify domain name in -d arguments)

Thank you


#3

What version of Certbot are you using? ("sudo certbot --version" can tell you.)

How was it installed?

Can you post the traceback from /var/log/letsencrypt/letsencrypt.log?


#4

Version is certbot 0.27.1

I installed it according to an AWS tutorial (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html), using sudo yum install -y certbot python2-certbot-apache from the EPEL 7 repo.

2018-12-05 19:20:21,943:DEBUG:certbot.main:certbot version: 0.27.1
2018-12-05 19:20:21,944:DEBUG:certbot.main:Arguments: []
2018-12-05 19:20:21,944:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nu$
2018-12-05 19:20:21,957:DEBUG:certbot.log:Root logging level set at 20
2018-12-05 19:20:21,957:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-12-05 19:20:21,958:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2018-12-05 19:20:22,045:DEBUG:certbot_apache.configurator:Apache version is 2.4.34
2018-12-05 19:20:22,371:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_centos.CentOSConfigurator object at 0x7f02a31bcd90>
Prep: True
2018-12-05 19:20:22,372:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_centos.CentOSConfigurator object at 0x7f02$
2018-12-05 19:20:22,373:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2018-12-05 19:20:25,409:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.27.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1116, in run
    le_client = _init_le_client(config, authenticator, installer)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 641, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 528, in _determine_account
    config.account = acc.id
AttributeError: 'NoneType' object has no attribute 'id'
2018-12-05 19:20:25,410:ERROR:certbot.log:An unexpected error occurred:

#5

Strangely I get the exact same response as without the domain flag.


#6

It looks like I have the same problem! Only I’m using Nginx…


#7

I ran sudo yum update on the server and saw a new version of Certbot was available (0.28.0), so I let the update run:

Updated:

certbot.noarch 0:0.28.0-1.el7                        
python2-acme.noarch 0:0.28.0-1.el7          
python2-certbot.noarch 0:0.28.0-1.el7
python2-certbot-apache.noarch 0:0.28.0-1.el7

Complete!

This seems to have totally broken things. Now when I run sudo certbot I get:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

I tried sudo certbot --apache and got this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/httpd/conf.d/ssl.conf on line 149: Syntax error',)

Line 149 in ssl.conf is commented out.

Here’s the log:

2018-12-05 20:32:13,743:DEBUG:certbot.main:certbot version: 0.28.0
2018-12-05 20:32:13,743:DEBUG:certbot.main:Arguments: []
2018-12-05 20:32:13,743:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nu$
2018-12-05 20:32:13,759:DEBUG:certbot.log:Root logging level set at 20
2018-12-05 20:32:13,760:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-12-05 20:32:13,761:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2018-12-05 20:32:13,852:DEBUG:certbot_apache.configurator:Apache version is 2.4.34
2018-12-05 20:32:14,144:DEBUG:certbot.plugins.disco:Other error:(PluginEntryPoint#apache): There has been an error in parsing the file /etc/httpd/$
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/plugins/disco.py", line 132, in prepare
    self._initialized.prepare()
  File "/usr/lib/python2.7/site-packages/certbot_apache/configurator.py", line 255, in prepare
    self.check_parsing_errors("httpd.aug")
  File "/usr/lib/python2.7/site-packages/certbot_apache/augeas_configurator.py", line 77, in check_parsing_errors
    raise errors.PluginError(msg)
PluginError: There has been an error in parsing the file /etc/httpd/conf.d/ssl.conf on line 149: Syntax error
2018-12-05 20:32:14,145:DEBUG:certbot.plugins.selection:No candidate plugin
2018-12-05 20:32:14,145:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None

WTF?

p.s. I replaced ssl.conf with a default unedited ssl.conf from a recent Apache installation and am back to where I started in this thread–certbot isn’t recognizing my domain name and instead lists those two internal AWS instance names.


#8

This is not about selecting a domain name, but rather an account from /etc/letsencrypt/accounts. This is a key used to authenticate yourself to Let’s Encrypt when you make a request. If there’s one that you don’t use, you can delete it. (If you have no existing certificates displayed with certbot certificates, you can delete all of them and allow Certbot to create a single new account automatically.)

There is no indication of a problem with the Apache configuration parsing here—that would be a later step in the process.

Again, this is not a prompt about which domain names the requested certificate should cover.


#9

Hmmmm. Okay. Never saw that prompt before.

So I should choose the account that corresponds with this particular server? One of those has the same internal IP as the AWS instance I’m on.

Then once I do that, it will proceed and prompt me with the domain name (hopefully?).

I’ll give it a shot tonight when I get a free minute and report back.

Thanks.


#10

Ideally, you should delete one of the two accounts so that there’s only one and then you won’t be prompted anymore. For most purposes, you only need one Let’s Encrypt account per server.


#11

It doesn’t matter – Certbot saved the computer’s hostname when creating the account, but it’s not significant. I don’t think the CA even knows it.

Edit: The hostname doesn’t matter. The account itself might matter but probably doesn’t, unless you got an account-specific rate limit exemption from Let’s Encrypt.


#12

Done! Thanks so much for the help.

So what’s the right way to delete one of those two accounts?

Learned something new today–but don’t ask me how much time I wasted spinning my wheels on this issue today.

I wonder where the second account came from?


#13

If you ever tested against the staging environment, that could create a separate account.
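
Added example (not part of the thread and not Certbot's own code): for the question in #12 about which of the two accounts can go, this Python script lists every account under a Certbot config directory together with the certificate lineages whose renewal config references it, so an unreferenced account (for instance one created against staging, as #13 suggests) can be identified before anything is removed. It assumes the layout accounts/<server>/directory/<account id>/meta.json and an "account = <id>" line in each renewal/*.conf; the sample tree, host name and account ids are constructed.

```python
import glob
import json
import os
import re
import tempfile

ACCOUNT_RE = re.compile(r"^\s*account\s*=\s*(\S+)", re.MULTILINE)

def account_usage(config_dir):
    """Map account id -> servers, creation metadata, lineages that use it."""
    accounts = {}
    # Assumed layout: accounts/<server>/directory/<account id>/meta.json
    pattern = os.path.join(config_dir, "accounts", "*", "directory", "*", "meta.json")
    for meta_path in sorted(glob.glob(pattern)):
        server, _, acct_id = meta_path.split(os.sep)[-4:-1]
        with open(meta_path) as fh:
            meta = json.load(fh)
        entry = accounts.setdefault(acct_id, {
            "servers": [], "lineages": [],
            "host": meta.get("creation_host"), "created": meta.get("creation_dt")})
        entry["servers"].append(server)
    # Assumed: each renewal/<name>.conf has an "account = <id>" line
    for conf in sorted(glob.glob(os.path.join(config_dir, "renewal", "*.conf"))):
        with open(conf) as fh:
            match = ACCOUNT_RE.search(fh.read())
        if match and match.group(1) in accounts:
            name = os.path.splitext(os.path.basename(conf))[0]
            accounts[match.group(1)]["lineages"].append(name)
    return accounts

def unused_accounts(config_dir):
    """Account ids that no renewal config references (removal candidates)."""
    usage = account_usage(config_dir)
    return sorted(a for a, info in usage.items() if not info["lineages"])

def build_sample_tree(root):
    """Constructed sample data, not from the thread: two accounts, one in use."""
    for server, acct_id in [("acme-v02.api.letsencrypt.org", "aaaa1111"),
                            ("acme-staging-v02.api.letsencrypt.org", "bbbb2222")]:
        acct_dir = os.path.join(root, "accounts", server, "directory", acct_id)
        os.makedirs(acct_dir)
        with open(os.path.join(acct_dir, "meta.json"), "w") as fh:
            json.dump({"creation_host": "host.example", "creation_dt": "2018-01-01T00:00:00Z"}, fh)
    os.makedirs(os.path.join(root, "renewal"))
    with open(os.path.join(root, "renewal", "example.com.conf"), "w") as fh:
        fh.write("version = 0.27.1\n[renewalparams]\naccount = aaaa1111\n")
    return root

if __name__ == "__main__":
    print(unused_accounts(build_sample_tree(tempfile.mkdtemp())))
```

To check a real server, call account_usage("/etc/letsencrypt") as root; an account with an empty lineage list is not used by any certificate on that machine.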