Certbot is hopelessly broken

I’m having a very hard time keeping certbot operating smoothly. It worked for many months, then stopped for no apparent reason. Looking into it, I’ve tried going through the install instructions here https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx

Despite apparent success installing, it always complains that the The requested nginx plugin does not appear to be installed.

Calling apt install python-certbot-nginx would just say python-certbot-nginx is already the newest version (0.31.0-1+ubuntu18.04.1+certbot+1)

So I finally decided to remove and re-install python-certbot-nginx. Doing so resulted in countless errors about missing Python modules (e.g. ImportError: No module named configobj). I tried pip installing those as they came up, but gave up.

Completely removing and reinstalling certbot hasn’t helped, either.

Why is this so fragile and hard to do?

My domain is: jetforme.org, frakkinfrocks.com, https://questionable-engineering.com (all on same server)

I ran this command:

It produced this output:

My web server is (include version):

# nginx  -V
nginx version: nginx/1.17.1
built by gcc 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04) 
built with OpenSSL 1.1.0g  2 Nov 2017 (running with OpenSSL 1.1.1  11 Sep 2018)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.17.1/debian/debuild-base/nginx-1.17.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

The operating system my web server runs on is (include version):

# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.2 LTS
Release:	18.04
Codename:	bionic

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

# certbot --version
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 7, in <module>
    from certbot.main import main
  File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 21, in <module>
    from certbot import client
  File "/usr/local/lib/python2.7/dist-packages/certbot/client.py", line 16, in <module>
    from acme import client as acme_client
  File "/usr/local/lib/python2.7/dist-packages/acme/client.py", line 15, in <module>
    from requests_toolbelt.adapters.source import SourceAddressAdapter
ImportError: No module named requests_toolbelt.adapters.source

/usr/local/bin/certbot is not part of the Certbot package. It was likely installed by (Python 2!) pip. Try using /usr/bin/certbot directly, or getting rid of the second installation.

So, there’s more than one file that belongs to certbot, how do I ensure all the wrong files are removed?

In any case, that seems to have fixed it. I hope my auto renew cron jobs work (although I get the feeling that’s deprecated, too)

Look through /usr/local for stuff named "acme", "certbot", "josepy" or "letsencrypt", I guess.

There is a pip uninstall command, if your version of pip is new enough, but I'm not certain it will work, I'm not certain the stuff was even installed with pip, and you need to be extremely careful it doesn't start deleting stuff outside of /usr/local.

https://pip.pypa.io/en/stable/reference/pip_uninstall/

The apt package installs a certbot systemd timer and a /etc/cron.d/certbot cron job that disables itself when systemd is in use.

you installed from a PPA. That's the official way. It has however a few problems: it can break system dependencies if package needs newer versions of system packages, it can be broken when system evolves (never upgrade a distro from a version to another while having PPA installed...but distros can also do wide changes all by themselves), it has a tendency to lag behind last version leading users to try to add missing features by using 'sudo pip' (just say no to that) leading to more breakages... I don't think Ubuntu would have created snapcraft if PPAs were such a great system.

Trying to fix PPAs by yourself is like lifting the bonnet (hood if you prefer) of your car while holding a hammer. You should know what you are doing,
Don't trust blindly what you can see on the internet, ask first for advice on this forum or on the certbot github issues.

Or just use another letsencrypt client. I use certbot-auto, other people use acme.sh or many other applications.

Well, there's the problem, isn't it? A fragile dependency/install system. Not to mention the degree to which certbot has changed over the past couple of years, with the newer methods unable to clean up after the older methods.

…and this is probably the biggest reason I’m not much of a fan of certbot–far too complex, far too many dependencies. I prefer acme.sh for most applications. However, the auth-hook script for certbot to work with acme-dns is quite a bit more flexible than acme.sh’s built-in support for acme-dns, so…

I wont' dispute about PPA. Certbot developers are struggling with this problem; but that's the case of many, many other applications. I'd say all complex application evolving 'fast' (for current sense of fast). Either you ship all dependencies separately and it's terribly complex and can break here or there, or you ship blobs and get slammed for distributing monsters. I forgot to say that Certbot developers are doing the blob thing too, you can get Certbot packaged with Docker.
Try certbot-auto. It's the ugly duckling unloved by everyone even the parents, but in fact it's a hard working kid :-), always up-to-date, and will never break your system.

You could still potentially hit an unknown bug where it rewrites your web server configuration in a broken way when installing the certificate. But at least it won't step on your OS packages!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.