Could not decode 'status' when performing a renew dry run


#1

My domain is: cashcrunchloan.firstcalgary.com AND cashcrunchloan.chinookfinancial.com

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/cashcrunchloan.chinookfinancial.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (cashcrunchloan.chinookfinancial.com) from /etc/letsencrypt/renewal/cashcrunchloan.chinookfinancial.com.conf produced an unexpected error: Deserialization error: Could not decode 'status' ('ready'): Deserialization error: Status not recognized. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/cashcrunchloan.firstcalgary.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (cashcrunchloan.firstcalgary.com) from /etc/letsencrypt/renewal/cashcrunchloan.firstcalgary.com.conf produced an unexpected error: Deserialization error: Could not decode 'status' ('ready'): Deserialization error: Status not recognized. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/cashcrunchloan.chinookfinancial.com/fullchain.pem (failure)
  /etc/letsencrypt/live/cashcrunchloan.firstcalgary.com/fullchain.pem (failure)

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/cashcrunchloan.chinookfinancial.com/fullchain.pem (failure)
  /etc/letsencrypt/live/cashcrunchloan.firstcalgary.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
2 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Ive had no issues with haaving auto renew work on other domains. This is the first time I am trying it with two subdomains on the same IP address though. I’ve tried searching for this error and could not find anything.


Error sudo certbot renew --dry-run: Could not decode 'status' ('ready')
#2

Hi @byates,

This looks like the result of a recent change to the ACMEv2 staging environment adding the “ready” status: ACMEv2 Order “ready” Status

@byates What version of Certbot are you using? I believe the required fix is in version 0.25.0


How to Update Certbot on Ubuntu 18.04.1
Deserialization error: Status not recognized
#3

I’m not sure the version. I’m following this link: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

Theres an update command to which I was under the assumption would be the latest version. I’m probably misunderstanding though!


#4

You can find out with certbot --version


#5

Ah. 0.22.2 it is. Looks like an update is needed.


#6

I’ve used the command apt-get install —only-upgrade python-certbot-apache. It says I’m already at the newest version. Am I going to have to install a different package?


#7

@byates Sorry, I’m not sure!

@bmw @schoen Do you have any installation/upgrade advice for Ubuntu 16.04 users that are trying to use ACME v2 against the staging environment and need Certbot 0.22.2+ ?


#8

Unfortunately, I’ve been struggling getting our PPA maintainers to package this. I think and hope a new version of python3-acme (which is all you need to solve this problem) will be uploaded soon, but it was supposed to be done days ago.

If you need a solution now, I recommend you use certbot-auto.

A newer version of python3-acme is available in our PPA with a fix for this.


#9

Hi, i followed cerbot-auto tutorial link and executed the following:

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --help
./certbot-auto --install-only

Then, executed (certbot-auto) it say (Command not found)
I also did (sudo apt-get update) and (apt-get install —only-upgrade python-certbot-apache) but still the version is 0.22.2.2

What you suggest?


#10

certbot-auto doesn’t automatically put itself in your PATH. You should run the script you downloaded directly like ./path/to/certbot-auto.


#11

A new version is now in the PPA. Simply run apt-get update && apt-get upgrade and run Certbot again to resolve the error:

Deserialization error: Could not decode 'status' ('ready'): Deserialization error: Status not recognized.

#12

When I use this command: sudo apt-get install python-certbot-apache (I’ve also tried the ones you’ve listed first) I get this output.

Reading package lists... Done
Building dependency tree
Reading state information... Done
python-certbot-apache is already the newest version (0.25.0-2+ubuntu16.04.1+certbot+1).
0 upgraded, 0 newly installed, 0 to remove and 13 not upgraded.

root@xxxxxxx:~# certbot --version
certbot 0.22.2

Any ideas? The one line looks like it knows its the newest version, but when I ask for the version it gives me the old one. Do I need to set one as the one I want?


#13

What do “which certbot” and “dpkg -l certbot python-certbot python3-certbot” output?


#14
root@CFPDL:~# which certbot
/usr/bin/certbot


root@CFPDL:~# dpkg -l certbot python-certbot python3-certbot
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name             Version       Architecture  Description
+++-================-=============-=============-=====================================
ii  certbot          0.22.2-1+ubun all           automatically configure HTTPS using L
ii  python3-certbot  0.22.2-1+ubun all           main library for certbot
dpkg-query: no packages found matching python-certbot

#15

So Certbot actually is version 0.22.2.

The python-certbot-apache package is version 0.25.0… however, it’s a simple transitional dummy package, and it doesn’t depend on a specific version of the current Apache plugin package, python3-certbot-apache.

You can check “dpkg -l python3-certbot-apache” but it’s almost certainly also version 0.22.2.

What happens if you run “sudo apt full-upgrade” to try to upgrade your packages?

Edit: Or simply “sudo apt upgrade”?


#16

The command before your edit worked fine enough for me. Was able to update and then perform a dry run successfully. Much appreciated to everyone here.


#17

Hi

I have the same problem on CentOS 7 with Nginx with a VPS from Contabo.
I can configure with root permissions via terminal.
I hope everybody agrees that it makes sense to add this to this post so it will solve the issue for both famous webservers.

Error message:

certbot renew --dry-run

(...)
Attempting to renew cert (cloud.example.de) from /etc/letsencrypt/renewal/cloud.example.de.conf produced an unexpected error: Deserialization error: Could not decode 'status' (u'ready'): Deserialization error: Status not recognized. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/cloud.example.de/fullchain.pem (failure)

Certbot version is 0.24.0

yum update && yum upgrade <-- does not load any updated package, so all up to date

I tried the dpkg command

which certbot
/usr/bin/certbot

dpkg -l certbot python-certbot python3-certbot

dpkg-query: no packages found matching certbot
dpkg-query: no packages found matching python-certbot
dpkg-query: no packages found matching python3-certbot

I hope it’s ok to ask here for help.


#18

EPEL hasn’t packaged 0.25.0 yet.

In the meantime, you can download the certbot-auto script and run

./certbot-auto renew

until EPEL is updated. It will automatically pick up your settings.


#19

Thanks _az :wink:

Let’s see how fast EPEL packages the updated certbot then.


#20

They have, it’s just waiting in testing.

If you need it right now you can upgrade to it with:

sudo yum --enablerepo=epel-testing update --advisory FEDORA-EPEL-2018-c5e70f5b4f

Can't renew by certbot: Could not decode 'status' (u'ready')