Certbot suddenly failing

Hi, yes, it is a virtual machine on a cloud provider somewhere. Requested command outputs follow:

~$ sudo apt-get update
Hit:1 http://archive.canonical.com/ubuntu xenial InRelease
Hit:2 http://security.ubuntu.com/ubuntu xenial-security InRelease
Hit:3 http://apt.postgresql.org/pub/repos/apt xenial-pgdg InRelease
Hit:4 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial InRelease
Hit:5 http://archive.ubuntu.com/ubuntu xenial InRelease
Hit:6 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:7 http://ppa.launchpad.net/deadsnakes/ppa/ubuntu xenial InRelease
Hit:8 http://ppa.launchpad.net/webupd8team/java/ubuntu xenial InRelease
Reading package lists... Done
:~$ sudo apt-cache policy snapd
snapd:
  Installed: 2.48
  Candidate: 2.48
  Version table:
 *** 2.48 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.45.1ubuntu0.2 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     2.0.2 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
~$ uname -r
2.6.32-042stab120.11
~$

Very big difference:
uname -r
4.4.0-197-generic

Ok... I upgraded python3, nuked and reinstalled a bunch of libraries, and now certbot is working. Rewinding to where we were earlier, I was able to do certbot certificates:

~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: xyzzy.org
    Domains: xyzzy.org
    Expiry Date: 2021-01-22 14:39:26+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/xyzzy.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/xyzzy.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
~$

And, again...

~$ sudo /root/bin/certbot-auto renew --no-self-upgrade --no-bootstrap
Your system is not supported by certbot-auto anymore.
Certbot will no longer receive updates.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/xyzzy.org.conf
-------------------------------------------------------------------------------
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/xyzzy.org.conf with version 0.21.1 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Attempting to renew cert (xyzzy.org) from /etc/letsencrypt/renewal/xyzzy.org.conf produced an unexpected error: 'Directory field not found': new_authz. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xyzzy.org/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xyzzy.org/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)
~$
1 Like

Brave soul!
But certbot 0.31.0 won't be getting any updates...

When its time is done, and if you can't update the OS kernel to get certbot via snap...
I would suggest you move to another client - like: acme.sh

The main advantage of certbot for me is that I have a guy who understands this better than I do who maintains a similar machine, and I can copy what he does there (and, until today, it worked fine.)

But I've installed acme.sh; it has added the following cron job:
34 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Is that all I need to do to replace the cron job running sh /root/bin/certbot_update.sh ?

and then...

Aheheheh.... Whoops.

(I'm horrible)

I don't understand the question.

I tried to force certbot to upgrade.

That was today, in response to the email telling me my certs were going to expire. Before that, I touched nothing. I (usually) know when to leave well enough alone!

So does acme.sh serve the same function as certbot_update, and will the default acme cron job (which I showed above) keep my certs updated?

I don't know what certbot_update is...
But I would have to say NO.
certbot and acme.sh do the same things - they are two ACME clients.

Right now acme.sh will run and do nothing as it has no certs that it maintains.
certbot should also run and will maintain its certs when that time comes.

Sorry! I have a cron job that keeps my certs updated. It's called certbot_update.sh, and it runs the command I opened with:

/root/bin/certbot-auto renew --no-self-upgrade --no-bootstrap

I thought that was a standard name, but maybe it was something the guy I'm copying this from made up.

So, to clarify my question, does:

 "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

do the same thing as:

/root/bin/certbot-auto renew --no-self-upgrade --no-bootstrap

Your subsequent posting suggests that I need to get new certs with acme, and that acme and certbot manage different certificates. So, if I'm clear, that means that by moving to acme, I need to apply for new certificates and abandon the ones I currently have with certbot.

Sorry if I sound dense; I started off with what I thought would be a simple question, and it has become a much bigger issue than I imagined it could have, as these things sometimes do.

1 Like

You get the picture just fine.
They store cert files differently and in different locations.
So, yes, you would have to redo any certbot certs that you want to move over to acme.sh.
But it's a very simple process.
You can do them one at a time.

But to clearly answer your question: NO.
They do similar things to different softwares.

To be clear: ACME.SH and CERTBOT are like...
COKE and PEPSI
BURGER KING and McDONALDS
FORD and CHEVY
[Except they are not in the for profit business, so they don't fight for users!]

They do very similar things - but in their own completely separate ways.

Are you running certbot-auto?

Apparently, yes, I was. But now, I'm on team acme.

I installed a new cert, and deployed it to apache. That all went well.

I have my cron job scheduled (as shown in my previous message).

The website still works with https.

Am I now good to go on autopilot until something breaks?

This is a lot of work to encrypt a site that pumps out static HTML and is all open source :slight_smile: and collects no information about anyone or anything!

1 Like

Probably, if acme.sh installed the cronjob/systemd timer correctly. However, I don't have much experience with acme.sh so YMMV. Check to be certain in 60 days of course. Set it in your calendar :wink:

By the way: mixing up certbot and certbot-auto is a recipe for disaster. Although you've switched to a different ACME client now, I find it important for you to know the difference between all kinds of possible ACME clients and/or methods of installation out there. The difference can be big.

Acme.sh is a great client. Small, but versatile. However, not everything is that well documented and there isn't that much experience with it on this Community. Certbot should be a little bit more user-friendly and there is much experience with it here.

3 Likes
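
An added example, not part of the thread and not code from certbot or acme.sh: the cron line shown earlier sends acme.sh's output to /dev/null, so a renewal that stops working stays quiet until the expiry e-mail arrives. This sketch checks the deployed certificate file itself, whichever ACME client renews it; the function names `cert_status` and `check_certs` and the 30-day threshold are assumptions, and the certificate path is supplied by the caller.

```shell
#!/bin/sh
# Added example: warn when a deployed certificate file is close to expiry.
# Prints only when there is a problem, so cron mails nothing while all is well.

# cert_status FILE [MIN_DAYS]
#   0 = valid for more than MIN_DAYS days
#   1 = expires within MIN_DAYS days (or has already expired)
#   2 = file missing or not a parseable certificate
cert_status() {
    _cert=$1
    _days=${2:-30}
    [ -r "$_cert" ] || return 2
    openssl x509 -in "$_cert" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 only if the cert is still valid N seconds from now
    if openssl x509 -in "$_cert" -noout \
            -checkend "$((_days * 86400))" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# check_certs MIN_DAYS FILE...
#   one line per problem certificate; return value = number of problems
check_certs() {
    min_days=$1; shift
    problems=0
    for f in "$@"; do
        rc=0
        cert_status "$f" "$min_days" || rc=$?
        case $rc in
            0) ;;
            1) echo "WARN: $f expires within $min_days days:" \
                    "$(openssl x509 -in "$f" -noout -enddate)"
               problems=$((problems + 1)) ;;
            *) echo "ERROR: $f is missing or not a certificate"
               problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# When run as a script: check every path given on the command line.
if [ "$#" -gt 0 ]; then
    check_certs 30 "$@"
fi
```

Run it daily from cron with the path the certificate was installed to as its argument, without redirecting its output, so that any WARN or ERROR line is mailed.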

I concur... in every possible interpretation of meaning

:grin:

1 Like
