Certbot --nginx

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: 1341site.xyz

I ran this command: /var/log/letsencrypt $ certbot --nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The following error was encountered:
[Errno 13] Permission denied: '/etc/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx

The operating system my web server runs on is (include version):
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian

My hosting provider, if applicable, is: self-hosted, Raspberry Pi

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.6.0

Hi @desmondkan, and welcome to the LE community forum :slight_smile:

Have you tried?:
sudo certbot --nginx

if so, please show:
ls -l /etc/letsencrypt/.certbot.lock
ls -l /etc/ | grep letsencrypt

2 Likes

yes, command not found when I ran as root or sudo ... see below.

/var/log/letsencrypt $ sudo certbot --nginx
sudo: certbot: command not found
/var/log/letsencrypt $ sudo su
/var/log/letsencrypt# certbot --nginx
bash: certbot: command not found
/var/log/letsencrypt#

here you go.

/var/log/letsencrypt# ls -l /etc/letsencrypt/.certbot.lock
ls: cannot access '/etc/letsencrypt/.certbot.lock': No such file or directory
/var/log/letsencrypt# ls -l /etc/ | grep letsencrypt
drwxr-xr-x 3 root root 4096 Sep 30 15:41 letsencrypt
/var/log/letsencrypt#

1 Like

Show:
find / -name certbot

3 Likes

This shouldn't have happened. How did you install certbot?

I'm going to leave this here, but this is just treating the symptoms: How to make `sudo` preserve $PATH? - Unix & Linux Stack Exchange

3 Likes

thx for your help in advance here. see below.

$ find / -name certbot
find: ‘/opt/containerd’: Permission denied
/snap/certbot
/snap/certbot/3026/bin/certbot
/snap/certbot/3026/lib/python3.8/site-packages/certbot
find: ‘/snap/core20/2019/etc/ssl/private’: Permission denied
find: ‘/snap/core20/2019/root’: Permission denied
find: ‘/snap/core20/2019/var/cache/ldconfig’: Permission denied
find: ‘/snap/core20/2019/var/cache/private’: Permission denied
find: ‘/snap/core20/2019/var/lib/private’: Permission denied
find: ‘/snap/core20/2019/var/lib/snapd/void’: Permission denied
/snap/bin/certbot
/var/snap/certbot
/home/admin/snap/certbot

I used snap to install the certbot ...

Try that as root:
sudo find / -name certbot

3 Likes

Here you go ..

$ sudo find / -name certbot
/snap/certbot
/snap/certbot/3026/bin/certbot
/snap/certbot/3026/lib/python3.8/site-packages/certbot
/snap/bin/certbot
/root/snap/certbot
/var/snap/certbot
/var/lib/docker/overlay2/d982e930f49c69797a623a96d9c87d8a8831a79a33a9c7035e55d661a45d3285/merged/usr/lib/python3.11/site-packages/certbot
/var/lib/docker/overlay2/d982e930f49c69797a623a96d9c87d8a8831a79a33a9c7035e55d661a45d3285/merged/usr/bin/certbot
/var/lib/docker/overlay2/0c33782dc80db2152cb0cfba69cc5fee4ef4f46b71db13cc894c591504e9a274/diff/usr/lib/python3.11/site-packages/certbot
/var/lib/docker/overlay2/0c33782dc80db2152cb0cfba69cc5fee4ef4f46b71db13cc894c591504e9a274/diff/usr/bin/certbot
/home/admin/snap/certbot

What shows?:
/snap/bin/certbot --version

3 Likes

certbot 2.6.0

OK, instead of that, try:
sudo /snap/bin/certbot --nginx

2 Likes
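
The following is an added example, not posted by anyone in the thread. It resolves a command name against an explicit PATH string to show how `certbot` can be found from a login shell yet be "command not found" under sudo. It assumes the cause here is that the PATH sudo uses (for example a sudoers `secure_path`) omits /snap/bin; the function names and the directory tree are constructed for the illustration.

```shell
#!/bin/sh
# Added example: which PATH string can resolve a command name?

# resolve_in_path NAME PATHSTRING
# Prints the first executable regular file NAME found in PATHSTRING
# (colon-separated, searched left to right). Returns 1 if none matches.
resolve_in_path() {
    name=$1
    rest=$2:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        [ -n "$dir" ] || dir=.          # empty PATH entry means current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# make_fixture: builds a constructed directory tree with a stub "certbot"
# only under snap/bin, and prints the tree's root.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/sbin" "$root/usr/bin" "$root/snap/bin"
    printf '#!/bin/sh\necho stub\n' > "$root/snap/bin/certbot"
    chmod +x "$root/snap/bin/certbot"
    printf '%s\n' "$root"
}

# report NAME LABEL PATHSTRING: one line saying whether LABEL's PATH finds NAME.
report() {
    if found=$(resolve_in_path "$1" "$3"); then
        printf '%s: %s -> %s\n' "$2" "$1" "$found"
    else
        printf '%s: %s: command not found\n' "$2" "$1"
    fi
}

fx=$(make_fixture)
# Constructed PATH values: the login shell's includes snap/bin, the one
# sudo hands to the command (assumed secure_path-style) does not.
login_path="$fx/usr/bin:$fx/snap/bin"
sudo_path="$fx/usr/sbin:$fx/usr/bin"
report certbot "login shell" "$login_path"
report certbot "sudo" "$sudo_path"
rm -rf "$fx"
```

On a real host, compare `echo "$PATH"` with `sudo sh -c 'echo "$PATH"'` and pass both strings to `resolve_in_path`. Calling the binary by its absolute path, as suggested above, sidesteps the lookup without loosening sudo's PATH handling.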

ok that helps and now I got a new error ...

$ sudo /snap/bin/certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.")

I am still a newbie to linux ...
thx for your help again.
-d

1 Like

In order to expedite a "working solution", let's try avoiding the use of --nginx.
Let's focus on --webroot.
To that end, show the full nginx config, with:
nginx -T

And, also, provide the name of the domain you want to obtain a cert for.

3 Likes

$ sudo /snap/bin/certbot --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
With the webroot plugin, you probably want to use the "certonly" command, eg:

certbot certonly --webroot

(Alternatively, add a --installer flag. See User Guide — Certbot 2.6.0 documentation
and "--help plugins" for more information.)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

for Nginx config, see below (nginx command not found)
$ nginx -T
-bash: nginx: command not found

I used the docker to build the app webpage .. I am not sure if it makes a difference.

my domain name is t4pa.xyz

What operates within docker?
Where is nginx?

3 Likes

below is what I found when I ran systemctl status ...

├─docker.service …
│ ├─730 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
│ ├─900 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 443 -container-ip 172.17.0.2 -container-port 3001
│ ├─907 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 443 -container-ip 172.17.0.2 -container-port 3001
│ ├─921 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.17.0.2 -container-port 3000
│ └─928 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 80 -container-ip 172.17.0.2 -container-port 3000
├─polkit.service
│ └─420 /usr/libexec/polkitd --no-debug
├─bluetooth.service
│ └─662 /usr/libexec/bluetooth/bluetoothd
├─wpa_supplicant.service
│ └─444 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
├─ModemManager.service
│ └─535 /usr/sbin/ModemManager
├─systemd-journald.service
│ └─149 /lib/systemd/systemd-journald
├─ssh.service
│ └─566 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
├─snapd.service
│ └─436 /usr/lib/snapd/snapd
├─hciuart.service
│ └─649 /usr/bin/hciattach /dev/serial1 bcm43xx 3000000 flow -
├─rsyslog.service
│ └─432 /usr/sbin/rsyslogd -n -iNONE
├─dhcpcd.service
│ ├─550 wpa_supplicant -B -c/etc/wpa_supplicant/wpa_supplicant.conf -iwlan0
│ └─729 /usr/sbin/dhcpcd -w -q
├─rng-tools-debian.service
│ └─506 /usr/sbin/rngd -r /dev/hwrng
├─docker-532b82aa4f5e3a2742b5a8ca49c2d12aaed6fe09dfc03eb6aa2cb0473e7bd168.scope …
│ ├─ 970 /bin/sh /entrypoint.sh
│ ├─1036 nginx: master process nginx -g daemon off;
│ ├─1056 nginx: worker process

does it tell who operates docker or nginx here ?

I do see:

2 Likes

Try as root:
sudo nginx -T

2 Likes