Certbot dns-cloudflare automatic renewal issue

I am renewing my letsencrypt certificate using certbot with dns-cloudflare authenticator.

When I originally set things up, I used this command:

$ certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/certbot-cloudflare.ini -d dev.newbanking.com

And it worked. (And it still works.)

When I manually renew my certificates with this command:

$ certbot renew

it works too.

However, the automatic renewal does not work. In the syslog, I get this:

Jul 9 15:00:21 dev systemd[1]: Starting Certbot…
Jul 9 15:00:23 dev certbot[21649]: Renewal configuration file /etc/letsencrypt/renewal/dev.newbanking.com.conf (cert: dev.newbanking.com) produced an unexpected error: ‘Namespace’ object has no attribute ‘dns_cloudflare_credentials’. Skipping.
Jul 9 15:00:23 dev certbot[21649]: 0 renew failure(s), 1 parse failure(s)
Jul 9 15:00:23 dev systemd[1]: certbot.service: Main process exited, code=exited, status=1/FAILURE
Jul 9 15:00:23 dev systemd[1]: Failed to start Certbot.
Jul 9 15:00:23 dev systemd[1]: certbot.service: Unit entered failed state.
Jul 9 15:00:23 dev systemd[1]: certbot.service: Failed with result ‘exit-code’.

The /etc/letsencrypt/renewal/dev.newbanking.com.conf file looks like this:

renew_before_expiry = 30 days

version = 0.30.0
archive_dir = /etc/letsencrypt/archive/dev.newbanking.com
cert = /etc/letsencrypt/live/dev.newbanking.com/cert.pem
privkey = /etc/letsencrypt/live/dev.newbanking.com/privkey.pem
chain = /etc/letsencrypt/live/dev.newbanking.com/chain.pem
fullchain = /etc/letsencrypt/live/dev.newbanking.com/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = dns-cloudflare
account = [this-value-I-have-obscured]
server = https://acme-v02.api.letsencrypt.org/directory
dns_cloudflare_credentials = /root/certbot-cloudflare.ini

Certbot version:

$ certbot --version
certbot 0.30.0

I am running Ubuntu 16.04.

Hi @morten

looks like your automatic renew command is wrong. Share that command.

This error is usually a sign that the Cloudflare plugin is not installed (or not loading for some reason).

Double check that it is installed:

dpkg-query -l python-certbot-dns-cloudflare

and if necessary, [re]-install it

apt -y install python-certbot-dns-cloudflare

looks like your automatic renew command is wrong. Share that command.

Forgive me, but how do I find that command? I only have the log that the command produces.

I would also double check that you don’t have two copies of Certbot installed from different sources.

If you do, it could explain why manually running certbot renew works, but it fails when running as a cronjob/systemd timer.

You can check that with:

which -a certbot

I can run the certbot commands manually to successfully renew my certificate using the Cloudflare plugin. So, the Cloudflare plugin must be properly installed and used, at least when I manually run certbot.

However, running your suggested commands yield this:

root@dev:~# dpkg-query -l python-certbot-dns-cloudflare
dpkg-query: no packages found matching python-certbot-dns-cloudflare
root@dev:~# apt -y install python-certbot-dns-cloudflare
Reading package lists… Done
Building dependency tree
Reading state information… Done
E: Unable to locate package python-certbot-dns-cloudflare

Sorry, the package is called python3-certbot-dns-cloudflare on Xenial. But you’re right, it must be installed if manually running renewal works.

Still holding out hope that you’ll find something with which -a certbot :slight_smile: .

Yes, there might be an issue here:

root@dev:~# which -a certbot
/usr/local/bin/certbot
/usr/bin/certbot
root@dev:~# ls -l /usr/local/bin/certbot
-rwxr-xr-x 1 root root 214 Jan 18 11:33 /usr/local/bin/certbot
root@dev:~# ls -l /usr/bin/certbot
-rwxr-xr-x 1 root root 385 Mar 12 17:28 /usr/bin/certbot
root@dev:~# /usr/local/bin/certbot --version
certbot 0.30.0
root@dev:~# /usr/bin/certbot --version
certbot 0.31.0

What’s the proper solution to this? To replace /usr/bin/certbot (0.31.0) with a softlink to /usr/local/bin/certbot (0.30.0) ? (Seems like a hack, though.)

/usr/bin/certbot is the correct one, from the Ubuntu PPA.

/usr/local/bin/certbot is ??? probably installed from pip (which is almost always the wrong thing to do).

I would perhaps temporary delete the latter one and try trigger your systemd timer to see whether it now works. I believe you can do this with:

systemctl start certbot.timer

(or it might be certbot.service, I’m not 100% sure which one is to start the timer and which one is to trigger the process).

I found that “systemctl start certbot.timer” starts the timer and reports the following in /var/log/syslog:

Jul 11 07:37:53 dev systemd[1]: Started Run certbot twice daily.

And that “systemctl start certbot.service” triggers the process and reports the following in /var/log/syslog:

Jul 11 07:38:21 dev systemd[1]: Starting Certbot…
Jul 11 07:38:22 dev certbot[5248]: Renewal configuration file /etc/letsencrypt/renewal/dev.newbanking.com.conf (cert: dev.newbanking.com) produced an unexpected error: ‘Namespace’ object has no attribute ‘dns_cloudflare_credentials’. Skipping.
Jul 11 07:38:22 dev certbot[5248]: 0 renew failure(s), 1 parse failure(s)
Jul 11 07:38:22 dev systemd[1]: certbot.service: Main process exited, code=exited, status=1/FAILURE
Jul 11 07:38:22 dev systemd[1]: Failed to start Certbot.
Jul 11 07:38:22 dev systemd[1]: certbot.service: Unit entered failed state.
Jul 11 07:38:22 dev systemd[1]: certbot.service: Failed with result ‘exit-code’.

Good to know how to trigger the certbot timer process! With this, it seems that replacing /usr/bin/certbot with a symlink to /usr/local/bin/certbot actually solves the problem: When I now run “systemctl start certbot.service” to trigger the process, it reports the following in /var/log/syslog:

Jul 11 07:46:20 dev systemd[1]: Starting Certbot…
Jul 11 07:46:21 dev systemd[1]: Started Certbot.

But… this solution is a hack. Probably the “right” long-term solution would be to uninstall both versions (which are quite old, I think), then re-install the latest version of certbot, then configure that to use dns-cloudflare plugin, and then re-install my certificates. (Not sure if my skills are up to the task of properly purging the old versions and installing the latest version, though.)

Thanks for the help!

Weird. I would 100% double-check that you have python3-certbot-dns-cloudflare installed from apt.

But yeah, running only the package from the PPA is the best course of action. Running the one from pip can end up with weird breakages if apt and pip fight over package versions.

1 Like

I managed to do the clean up :slight_smile:

Below is the list of the commands that I issued as part of the cleanup:

add-apt-repository ppa:certbot/certbot
apt-get update
apt-get remove certbot
pip uninstall certbot
apt-get install python-certbot-nginx
apt-get install python3-certbot-dns-cloudflare
certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/certbot-cloudflare.ini -d dev.newbanking.com

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.