Certbot fails after upgrade to Windows 11 - no usable temp directory

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dforeman.homedns.org

I ran this command: certbot --dry-run

It produced this output:
FileNotFoundError: [Errno 2] No usable temporary directory found in ['C:\Users\dj\AppData\Local\Temp', 'C:\Users\dj\AppData\Local\Temp', 'C:\Users\dj\AppData\Local\Temp', 'C:\WINDOWS\Temp', 'c:\temp', 'c:\tmp', '\temp', '\tmp', 'C:\WINDOWS\system32']

My web server is (include version): Apache 2.4 (x64)

The operating system my web server runs on is (include version):
Windows 11
My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no. direct control at my PC.
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): gives same error as the dry-run command.

The c:\Temp directory is writable and is not a protected folder.

3 Likes

Is Win11 new for you since you last got a cert on Oct12? Did you use certbot to get that cert?

2 Likes

Yes, I upgraded to Windows 11 AFTER the last certbot run with Windows 10.

3 Likes

Certbot is a Python script and that error is issued by Python in response to a request to use the temp folder. It is likely something is now faulty in your Python setup.

I am not an expert in Python setup and do not have a Windows 11 machine to test on anyway. So the best I can offer is to double-check your Python setup and maybe try uninstalling Certbot and re-installing. Hopefully someone with expertise in Python installs on Windows can assist. But be warned that there are not that many volunteers with that specific expertise. I changed the title of your post in hopes of drawing their attention.

3 Likes
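
The directory list in the error above is the search order of Python's `tempfile` module: the `TMPDIR`, `TEMP` and `TMP` environment variables, then fixed per-OS locations, then the current directory. As an added example (not part of the thread and not Certbot's code), this script probes each candidate with a create/write/delete cycle and reports the failure per directory; the function names are hypothetical and the probe is a simplified version of the standard library's check.

```python
import errno
import os
import uuid


def candidate_dirs(environ=None, cwd=None):
    """Directories tempfile tries, in order: env vars, OS defaults, cwd."""
    environ = os.environ if environ is None else environ
    dirs = [environ[k] for k in ("TMPDIR", "TEMP", "TMP") if environ.get(k)]
    if os.name == "nt":
        dirs += [os.path.expanduser(r"~\AppData\Local\Temp"),
                 os.path.expandvars(r"%SYSTEMROOT%\Temp"),
                 r"c:\temp", r"c:\tmp", r"\temp", r"\tmp"]
    else:
        dirs += ["/tmp", "/var/tmp", "/usr/tmp"]
    dirs.append(cwd or os.getcwd())
    return dirs


def probe(directory):
    """Create, write and delete one file; return None on success, else the error."""
    path = os.path.join(directory, "tmp-probe-" + uuid.uuid4().hex)
    fd = None
    try:
        fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
        os.write(fd, b"blat")
        return None
    except OSError as exc:
        return f"{errno.errorcode.get(exc.errno, exc.errno)}: {exc.strerror}"
    finally:
        if fd is not None:
            os.close(fd)
            try:
                os.unlink(path)
            except OSError:
                pass  # leftover probe file; nothing more to do here


def first_usable(environ=None, cwd=None):
    """First candidate that passes the probe, or None if every one fails."""
    for directory in candidate_dirs(environ, cwd):
        if probe(directory) is None:
            return directory
    return None


if __name__ == "__main__":
    for directory in candidate_dirs():
        print(f"{probe(directory) or 'OK':<40} {directory}")
    print("first usable:", first_usable())
```

Run it with the same interpreter and user account that Certbot runs under, so the probe hits the same directories and the same access checks.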

@MikeMcQ
Thanks. I'll check my python. Maybe it needs an upgrade.

3 Likes

I upgraded Python. Didn't help. Really appears to be a Windows 11 "protection" problem.

3 Likes

DEFINITELY a Windows protection problem. I went to "settings" and turned off "Controlled folder access", ran certbot and bingo! I got my certificate renewed. Windows 11 "Virus & Threat Protection" did NOT show the blocking action, probably because all the TEMP folders are protected inside the C:\ protection. Seems like Certbot should have a way for the user to specify a non-protected folder, rather than one of the pre-defined protected ones.

4 Likes

Debatable whether it's certbot's responsibility, you (or group policy) switched that feature on and didn't add certbot to the trusted apps list.

[Edit: This was a rather terse response, but given the nature of the feature and that Certbot generally runs as Administrator, it seems that blocking it is exactly the expected/desired result. I'd argue that the lack of visible logging for temp folder access is a bug in the Windows feature.]

3 Likes

I added certbot's folder AND certbot.exe to the exceptions list and it still was blocked. So it is a deeper problem than this. Certbot is expecting to have a non-protected TEMP folder, so why not provide an ability to tell it what user-owned folder to use? And btw, I didn't switch the feature on. It is automatically turned on when Win 11 is installed.

1 Like

Ok, I think you should raise this as a bug with Windows via their Feedback system. My Win11 installs don't have the feature enabled by default but they were upgrades rather than fresh installs.

2 Likes

Additional information: I viewed the Protection History and it shows that it is the Python interpreter (python-3.10.1-amd64.exe) that was blocked. So the actions by Certbot.exe itself do not appear to be seen by Windows. It would be a real problem to add the interpreter as an exception, because it would allow ANY Python program to get access to everything. There is no (current) mechanism to unprotect a specific folder, just a way to let a program through a folder.

3 Likes

I have already sent that feedback and rated it as a "severe" problem, because blocking SSL certificate renewal is a severe hit to security.

2 Likes

There are Windows ACME clients which do not rely on python. webprofusion is behind Certify the Web but here are other options. Just note we do not as often see Apache on Windows (IIS more so) so make sure any other client supports that.

2 Likes

Thanks MikeMcQ. I'll look into some of them. For now, I'm going to update my quarterly BAT file to tell me to turn folder protection off before running Certbot and back on afterward.

3 Likes

Maybe you could add that in (and out of) the script?

1 Like
