Configuring certbot after ubuntu upgrade

Hello I have recently upgraded an ubuntu server from 16.04 to 18.04. Certbot stopped working properly after that. I am trying to figure out how to re-configure/recover. I am using nginx and certbot-dns-cloudflare. The version of certbot is 0.27.0.

certbot prompts me to use certbot certonly to regenerate/reconfigure everything. Since I need to reconfigure everything, I want to do everything properly.

First question I have is should I aim for cerbot v 0.31.0 instead of trying to make 0.27.0 work?

First problem I have is that despite using certbot certonly --dns-cloudflare-credentials /etc/nginx/cloudflare.ini command I get bellow error when I try to test if I can run auth at all.

“Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA”

I am having a bit of a difficulty on where to begin troubleshooting this.

does certbot renew --dry-run complain?

There is nothing to renew though. This will end up being a fresh config.

Is it possible it’s something as simple as a missing --dns-cloudflare option?

(you might also want to add --installer nginx)

The exact command line I have is s follows (per your suggestion). I get the exact same error. Cloudflare.ini is from before the upgrade so it should have the correct info.

certbot certonly --installer nginx --dns-cloudflare-credentials /etc/nginx/cloudflare.ini

--dns-cloudflare-credentials and --dns-cloudflare are two separate options

Oh! Did not fix the error but did remove the auth selection menu.

Can you show us the exact command and error message?

Is there an /etc/letsencrypt/cli.ini file?

Can you test validating a new, never-before-used subdomain? E.g.:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/nginx/cloudflare.ini --dry-run -d randomly-generated-subdomain.your-domain.com

cli.ini contains the following:

#Because we are using logrotate for greater flexibility, disable the
#internal certbot logrotation.
max-log-backups = 0

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/nginx/cloudflare.ini --dry-run -d randomly-generated-subdomain.your-domain.com

Running above command yields:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for randomly-generated-subdomain.your-domain.com
Unsafe permissions on credentials configuration file: /etc/letsencrypt/cloudflare.ini
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
-The dry run was successful.

So I was able to resolve this problem. Here is what I did:

First I was a bit suspicious and ran the below command:

apt list --installed "certbot" 2>/dev/null |awk -F'/' 'NR>1{print $1}'
certbot
python3-certbot
python3-certbot-dns-cloudflare

I had installed certbot after the upgrade because the certbot command was no longer working. I thought certbot was somehow uninstalled along with several others during the upgrade (do-release-upgrade). I realized my certbot installation is unhelpfully split into two. Everything runs without crashes because bits and pieces of commands are able to find the disjointed libraries somehow. I did not really investigate.

So I ran the below commands to delete the problematic certbot install, re-added the certbot repo and installed the nginx related packages.

sudo apt-get remove certbot
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

Afterwards I forced the certs renewal per the ongoing security issue.

sudo certbot --force-renewal

It ended successfully.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.