Certbot crashes when connecting to server

RainerKlute · May 27, 2019, 5:53am

The certbot client crashes with a segmentation fault when or after starting a new HTTPS connection to acme-v02.api.letsencrypt.org:443.

My domain is:
klute.spdns.de

I ran this command:
certbot certonly --authenticator standalone -d klute.spdns.de -v

It produced this output:

Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator standalone and installer None
Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7ffac1cddeb8>
Prep: True
Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7ffac1cddeb8> and installer None
Plugins selected: Authenticator standalone, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/52298453', new_authzr_uri=None, terms_of_service=None), 83408a59493e645613678a3bfe864b65, Meta(creation_dt=datetime.datetime(2019, 2, 27, 5, 20, 40, tzinfo=<UTC>), creation_host='flynn'))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
Segmentation fault (core dumped)

My web server is (include version):
Apache 2, but I stopped it manually before running the above certbot command.

The operating system my web server runs on is (include version):
Linux flynn 5.1.2-1-default #1 SMP Tue May 14 18:21:06 UTC 2019 (08094c3) x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:
–

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.32.0

JuergenAuer · May 27, 2019, 7:46am

Hi @RainerKlute

that’s an internal error of your server. First, try it again, may be a temporary problem.

If you see the error again, ask your hoster.

You have a lot of older certificates. Looks like you have used tls-sni-01 validation with --standalone, that’s not longer supported. So you must switch to http-01 validation.

But that can’t work, your port 80 doesn’t answer ( https://check-your-website.server-daten.de/?q=klute.spdns.de ):

Domainname	Http-Status	Sec.	G
• http://klute.spdns.de/
88.68.118.70	-2	1.134	V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 88.68.118.70:80

• https://klute.spdns.de/
88.68.118.70	403	0.923	M
Forbidden

• http://klute.spdns.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
88.68.118.70	-2	1.154	V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 88.68.118.70:80
Visible Content:

You need an open port 80.

Check

RainerKlute · May 27, 2019, 8:49am

Thanks, Jürgen! I now opened port 80 on my server and called certbot like this:

certbot certonly -v --webroot --webroot-path /srv/local/www/default/doc -d klute.spdns.de

However, certbot still crashes with a segmentation fault, and the .well-known directory is not created.

Here’s the log:

Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f8a18a5d630>
Prep: True
Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f8a18a5d630> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/52298453', new_authzr_uri=None, terms_of_service=None), 83408a59493e645613678a3bfe864b65, Meta(creation_dt=datetime.datetime(2019, 2, 27, 5, 20, 40, tzinfo=<UTC>), creation_host='flynn'))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
Segmentation fault (core dumped)

A major problem here is of course that fact that certbot crashes and doesn’t provide any helpful information that would point the user in the right direction.

JuergenAuer · May 27, 2019, 1:28pm

A Segmentation fault is like a Blue Screen in Windows. May be a hardware problem or something else. I don’t think it’s a Certbot problem.

Or it’s an OS bug.

RainerKlute · May 28, 2019, 4:19am

Thanks! I changed from Certbot to GetSSL, which was relatively painless and just worked.

JuergenAuer · May 28, 2019, 8:04am

Thanks.

Good to know. Perhaps Certbot requires too much ressources, so that had triggered a hardware bug.

RainerKlute · May 28, 2019, 8:23am

Or whatever it is. I am running openSUSE Tumbleweed, which is a rolling release, and so I am living on the bleeding edge. New kernels and new system software might trigger new bugs. <rant>Anyway, certbot (as well as any other software) should catch such exceptions and issue helpful messages that give the user some clue what exactly went wrong.</rant>