Certbot cron job nginx plugin NoInstallationError()


#1

My domain is:

I ran this command:
certbot -q renew (in cron.d/certbot)

It produced this output (received via email):

Attempting to renew cert (winecountryswing.com) from /etc/letsencrypt/renewal/winecountryswing.com.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError(). Skipping. All renewal attempts failed.
The following certs could not be renewed: /etc/letsencrypt/live/winecountryswing.com/fullchain.pem (failure) 1 renew failure(s), 0 parse failure(s)

My web server is (include version):
nginx 1.10.3

The operating system my web server runs on is (include version):
ubuntu 16.04.5

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
(I use Webmin 1.890 for some things, but mostly I use shell access.)

Note that this was working fine until a few weeks ago. I think it broke after a certbot update. Here is the cron file:

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

#2

This means that Certbot can’t find the nginx binary (or perhaps the nginx configuration directory).

If either is relocated (as is the case with some control panels like Bitnami), then you need to tell Certbot where to find it.

certbot help nginx

nginx:
  Nginx Web Server plugin

  --nginx-server-root NGINX_SERVER_ROOT
                        Nginx server root directory. (default: /etc/nginx)
  --nginx-ctl NGINX_CTL
                        Path to the 'nginx' binary, used for 'configtest' and
                        retrieving nginx version number. (default: nginx)

Edit: make sure you’re actually running the renew command as root. If nginx is located in /sbin/ for example, that may not be in your PATH when you’re not root, so this could just be a red herring, and the true cause of failure something else.


#3

The defaults are correct for this system.

The nginx binary is in /usr/sbin, which is in $PATH for root and for me. The cron job runs as root.

Should I add --nginx-ctl /usr/sbin/nginx to the certbot renew command in the cron.d/certbot file?


#4

Sure, you can try running it and see what happens:

sudo certbot renew --dry-run --nginx-ctl /usr/sbin/nginx --nginx-server-root /etc/nginx

#5

Understand that certbot renew --dry-run always succeeded. The command in the cron job is what’s failing. It used to work. My nginx configuration has not changed.

I’ve added the --nginx-ctl /usr/sbin/nginx --nginx-server-root /etc/nginx parameters to the cron.d/certbot file. We’ll see what happens when it runs this afternoon.


#6

Still failed. I see that in my /etc/letsencrypt/renewal directory there is a new file winecountryswing.com-0001.conf. It is dated Jul 24 and it is missing the line installer = nginx. That line is present in winecountryswing.com.conf.

Also there’s a winecountryswing.com-0001 in the live and archive subdirectories, containing certificates. What’s going on there? Has it created the certs and then failed to install them and clean up?
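
The two checks raised in posts #2 and #6 (does nginx resolve under the PATH that the cron file sets, and does every renewal conf still name an installer), as an added example that is not part of the original thread. The sample tree, the example.com lineage names and all function names are constructed for illustration; on a real host the inputs would be /etc/cron.d/certbot and /etc/letsencrypt/renewal.

```shell
#!/bin/sh
# Added example (not from the thread); sample files below are constructed.

# PATH that cron will use, read from a cron.d file such as /etc/cron.d/certbot.
cron_path() { sed -n 's/^PATH=//p' "$1" | head -n 1; }

# Resolve a binary under an explicit PATH instead of the interactive one.
resolve_with_path() { ( PATH="$1"; command -v "$2" ); }

# Value of one key in a renewal conf (empty when the key is absent).
renewal_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# One line per lineage: name, authenticator, installer, findings.
audit_renewal_dir() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        auth=$(renewal_param "$conf" authenticator)
        inst=$(renewal_param "$conf" installer)
        note=ok
        [ -n "$inst" ] || note=no-installer
        case "$name" in
            *-[0-9][0-9][0-9][0-9]) note="$note,duplicate-lineage" ;;
        esac
        echo "$name authenticator=${auth:-none} installer=${inst:-none} $note"
    done
}

# Constructed sample tree mirroring the two lineages described in the thread.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/renewal" "$d/sbin"
    printf '[renewalparams]\nauthenticator = nginx\ninstaller = nginx\n' \
        > "$d/renewal/example.com.conf"
    printf '[renewalparams]\nauthenticator = nginx\n' \
        > "$d/renewal/example.com-0001.conf"
    printf 'SHELL=/bin/sh\nPATH=%s/sbin:/nonexistent\n' "$d" > "$d/cron"
    printf '#!/bin/sh\n' > "$d/sbin/nginx" && chmod +x "$d/sbin/nginx"
    echo "$d"
}

sample=$(make_sample)
audit_renewal_dir "$sample/renewal"
resolve_with_path "$(cron_path "$sample/cron")" nginx || echo "nginx not on cron PATH"
rm -rf "$sample"
```

A lineage flagged `no-installer` will renew its files but nothing will reload nginx for it, and a `duplicate-lineage` entry is one the web server config may not reference at all.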


#7

Hi @b0blee

You created a new certificate yesterday:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:winecountryswing.com&lu=cert_search

Check your local folders with

certbot certificates


#8

I may have created that manually. Here’s what I have now, according to certbot certificates:

  Certificate Name: winecountryswing.com-0001
    Domains: winecountryswing.com
    Expiry Date: 2018-10-23 02:26:27+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/winecountryswing.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/winecountryswing.com-0001/privkey.pem
  Certificate Name: winecountryswing.com
    Domains: winecountryswing.com www.winecountryswing.com
    Expiry Date: 2018-08-21 18:35:18+00:00 (VALID: 26 days)
    Certificate Path: /etc/letsencrypt/live/winecountryswing.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/winecountryswing.com/privkey.pem

Apparently the new ‘-0001’ certificate doesn’t include the www domain. Moreover, nginx is unaware of it. Here’s the nginx config:

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/winecountryswing.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/winecountryswing.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

#9

Since the most recent certbot update a few days ago, everything appears to be back to normal. There’s no error message in the latest renewal email. On checking, I see that the cert was properly renewed on July 27. I guess that the “nginx plugin is not working” problem was specific to a certain version of certbot. :roll_eyes:


#10

Do you know which old version you used?


#11

I was using 0.26.0. One notable change in that version was “The Nginx plugin is no longer marked labeled as an “Alpha” version.” Maybe that’s why it thought the plugin wasn’t installed.

An update appeared a couple of days ago and installing it seems to have solved the problem. They didn’t bump the version number for that. I see on github a change 6 days ago in certbot-nginx labeled “Bump the acme version needed for account reuse (#6250)”. Perhaps that was the fix.

Whatever it is, I’m a happy camper now.

