Configuring certbot after Ubuntu upgrade

Hello, I have recently upgraded an Ubuntu server from 16.04 to 18.04. Certbot stopped working properly after that. I am trying to figure out how to re-configure/recover. I am using nginx and certbot-dns-cloudflare. The version of certbot is 0.27.0.

certbot prompts me to use certbot certonly to regenerate/reconfigure everything. Since I need to reconfigure everything, I want to do everything properly.

The first question I have is: should I aim for certbot v0.31.0 instead of trying to make 0.27.0 work?

The first problem I have is that, despite using the certbot certonly --dns-cloudflare-credentials /etc/nginx/cloudflare.ini command, I get the below error when I try to test if I can run auth at all.

“Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA”

I am having a bit of difficulty knowing where to begin troubleshooting this.

Does certbot renew --dry-run complain?

There is nothing to renew though. This will end up being a fresh config.

Is it possible it’s something as simple as a missing --dns-cloudflare option?

(you might also want to add --installer nginx)

The exact command line I have is as follows (per your suggestion). I get the exact same error. Cloudflare.ini is from before the upgrade so it should have the correct info.

certbot certonly --installer nginx --dns-cloudflare-credentials /etc/nginx/cloudflare.ini

--dns-cloudflare-credentials and --dns-cloudflare are two separate options 🙂

Oh! Did not fix the error but did remove the auth selection menu.

Can you show us the exact command and error message?

Is there an /etc/letsencrypt/cli.ini file?

Can you test validating a new, never-before-used subdomain? E.g.:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/nginx/cloudflare.ini --dry-run -d randomly-generated-subdomain.your-domain.com

cli.ini contains the following:

#Because we are using logrotate for greater flexibility, disable the
#internal certbot logrotation.
max-log-backups = 0

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/nginx/cloudflare.ini --dry-run -d randomly-generated-subdomain.your-domain.com

Running above command yields:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for randomly-generated-subdomain.your-domain.com
Unsafe permissions on credentials configuration file: /etc/letsencrypt/cloudflare.ini
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
-The dry run was successful.

So I was able to resolve this problem. Here is what I did:

First I was a bit suspicious and ran the below command:

apt list --installed "*certbot*" 2>/dev/null | awk -F'/' 'NR>1{print $1}'
certbot
python3-certbot
python3-certbot-dns-cloudflare

I had installed certbot after the upgrade because the certbot command was no longer working. I thought certbot was somehow uninstalled along with several others during the upgrade (do-release-upgrade). I realized my certbot installation is unhelpfully split into two. Everything runs without crashes because bits and pieces of commands are able to find the disjointed libraries somehow. I did not really investigate.

So I ran the below commands to delete the problematic certbot install, re-add the certbot repo and install the nginx-related packages.

sudo apt-get remove certbot
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

Afterwards I forced the certs renewal per the ongoing security issue.

sudo certbot --force-renewal

It ended successfully.

1 Like
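The dry-run output in this thread includes the warning "Unsafe permissions on credentials configuration file", which nobody followed up on. As an added example (not from any poster in this thread, and not certbot's own check), this shell function audits the file passed to --dns-cloudflare-credentials; the function names and the policy of "owner-only access, owned by root" are assumptions chosen here.

```shell
#!/bin/sh
# Added example: audit a DNS-plugin credentials file (it holds an API secret).
# Function names and the pass/fail policy are assumptions of this example.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Numeric uid of the file owner.
file_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# check_credentials FILE [EXPECTED_UID]
# Returns 0 only if FILE is a regular file (not a symlink), is owned by
# EXPECTED_UID (default 0, root) and grants nothing to group or other.
# Returns 1 on a permission/owner finding, 2 if the file is unusable.
check_credentials() {
    file=$1
    want_uid=${2:-0}
    rc=0
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL $file: missing, a symlink, or not a regular file" >&2
        return 2
    fi
    mode=$(file_mode "$file")
    uid=$(file_uid "$file")
    # The last two octal digits are the group and other bits; both must be 0.
    case $mode in
        0|*00) ;;
        *)  echo "FAIL $file: mode $mode exposes the token; run: chmod 600 $file" >&2
            rc=1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $file: owned by uid $uid, expected uid $want_uid" >&2
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK $file: mode $mode, uid $uid"
    fi
    return "$rc"
}

# Usage (path as given on the certbot command line):
#   check_credentials /etc/nginx/cloudflare.ini
```

A file that was readable by other users before the fix should be treated as exposed; tightening the mode does not un-leak the API key it contains.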
