Certbot - IPv6 failure to add cert

eekfonky · May 17, 2018, 9:30am

I have to use IPv6 as my ISP Hyperoptic only supports this as IPv4 uses CG-NAT and wants money for a static IPv4
When I ran certbot on my Raspberry Pi (running DietPi) I got the following error;

2018-05-17 09:27:08,848:DEBUG:certbot.main:Root logging level set at 20
2018-05-17 09:27:08,853:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-05-17 09:27:08,856:DEBUG:certbot.main:certbot version: 0.10.2
2018-05-17 09:27:08,856:DEBUG:certbot.main:Arguments: ['-a', 'webroot', '-w', '/var/www/', '-i', 'nginx', '--redirect', '--hsts', '--agree-tos', '--rsa-key-size', '4096', '-m', 'chris.welsh23@gmail.com', '-d', 'lexinet.co.uk']
2018-05-17 09:27:08,859:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#standalone)
2018-05-17 09:27:08,861:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer nginx
2018-05-17 09:27:09,688:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x75ec7d10>
Prep: True
2018-05-17 09:27:09,693:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x75b181b0>
Prep: True
2018-05-17 09:27:09,694:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x75b181b0> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x75ec7d10>
2018-05-17 09:27:09,730:DEBUG:certbot.main:Picked account: <Account(80a7f86f150fecb06d258042b3f1b630)>
2018-05-17 09:27:09,736:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2018-05-17 09:27:09,759:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2018-05-17 09:27:10,193:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2018-05-17 09:27:10,196:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
Replay-Nonce: 0xMURt_QLIt7z0tF0OWtb8-DP1RhM98UuWFqrU2Mnvk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 17 May 2018 09:27:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 17 May 2018 09:27:09 GMT
Connection: keep-alive

{
  "2qmehnpDpvQ": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2018-05-17 09:27:10,231:INFO:certbot.renewal:Cert not yet due for renewal
2018-05-17 09:27:11,693:INFO:certbot.main:Keeping the existing certificate
2018-05-17 09:27:11,993:INFO:certbot.crypto_util:Generating key (1024 bits): /var/lib/letsencrypt/snakeoil/0001_key.pem
2018-05-17 09:27:11,995:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 386, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/lib/python2.7/dist-packages/certbot_nginx/configurator.py", line 183, in deploy_cert
    vhost = self.choose_vhost(domain)
  File "/usr/lib/python2.7/dist-packages/certbot_nginx/configurator.py", line 237, in choose_vhost
    self._make_server_ssl(vhost)
  File "/usr/lib/python2.7/dist-packages/certbot_nginx/configurator.py", line 461, in _make_server_ssl
    snakeoil_cert, snakeoil_key = self._get_snakeoil_paths()
  File "/usr/lib/python2.7/dist-packages/certbot_nginx/configurator.py", line 433, in _get_snakeoil_paths
    cert = acme_crypto_util.gen_ss_cert(key, domains=[socket.gethostname()])
  File "/usr/lib/python2.7/dist-packages/acme/crypto_util.py", line 211, in gen_ss_cert
    cert.set_serial_number(int(binascii.hexlify(OpenSSL.rand.bytes(16)), 16))
AttributeError: 'module' object has no attribute 'rand'

2018-05-17 09:27:11,996:DEBUG:certbot.error_handler:Calling registered functions
2018-05-17 09:27:12,731:DEBUG:certbot.reporter:Reporting to user: Unable to install the certificate
2018-05-17 09:27:12,733:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 579, in run
    lineage.chain, lineage.fullchain)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 386, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/lib/python2.7/dist-packages/certbot_nginx/configurator.py", line 183, in deploy_cert
    vhost = self.choose_vhost(domain)
  File "/usr/lib/python2.7/dist-packages/certbot_nginx/configurator.py", line 237, in choose_vhost
    self._make_server_ssl(vhost)
  File "/usr/lib/python2.7/dist-packages/certbot_nginx/configurator.py", line 461, in _make_server_ssl
    snakeoil_cert, snakeoil_key = self._get_snakeoil_paths()
  File "/usr/lib/python2.7/dist-packages/certbot_nginx/configurator.py", line 433, in _get_snakeoil_paths
    cert = acme_crypto_util.gen_ss_cert(key, domains=[socket.gethostname()])
  File "/usr/lib/python2.7/dist-packages/acme/crypto_util.py", line 211, in gen_ss_cert
    cert.set_serial_number(int(binascii.hexlify(OpenSSL.rand.bytes(16)), 16))
AttributeError: 'module' object has no attribute 'rand'

_az · May 17, 2018, 9:35am

Your IPv6 shouldn't be a problem, it looks correctly configured.

However,

I think this is too old to work on rpi distros. See AttibuteError: 'module' object has no attribute 'rand' has occured at acme/acme/crypto_util.py with >=pyOpenSSL-17.2.0 · Issue #5111 · certbot/certbot · GitHub .

Perhaps try using certbot-auto? It should bring the correct versions of dependencies to your system.

Otherwise you can try upgrading certbot using jessie-backports/stretch-backports/whatever version of Debian your DietPI distro is based on.

eekfonky · May 17, 2018, 9:54am

certbot-auto did the trick, thanks

system · June 16, 2018, 9:54am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.