Debian 9 apt upgrade problems

I ran this command:
apt update
apt upgrade

It produced this output:
Reading package lists... Done
Building dependency tree
Reading state information... Done
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
certbot : Depends: python3-certbot (= 0.28.0-1~deb9u2) but 0.28.0-1~deb9u3 is installed
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).

My web server is (include version):
apache

The operating system my web server runs on is (include version):
Debian 9.13

I can login to a root shell on my machine (yes or no, or I don't know):
yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.28.0

Hi,
I am having problems updating certbot on Debian 9 as outputted above. apt --fix-broken install does not help, it gives...

Reading package lists... Done
Building dependency tree
Reading state information... Done
Correcting dependencies... Done
The following additional packages will be installed:
  certbot
Suggested packages:
  python3-certbot-apache python3-certbot-nginx python-certbot-doc
The following packages will be upgraded:
  certbot
1 upgraded, 0 newly installed, 0 to remove and 14 not upgraded.
18 not fully installed or removed.
Need to get 0 B/37.9 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
(Reading database ... 67981 files and directories currently installed.)
Preparing to unpack .../certbot_0.28.0-1~deb9u3_all.deb ...
Failed to stop certbot.timer: Unit certbot.timer not loaded.
dpkg: warning: subprocess old pre-removal script returned error exit status 5
dpkg: trying script from the new package instead ...
Failed to stop certbot.timer: Unit certbot.timer not loaded.
dpkg: error processing archive /var/cache/apt/archives/certbot_0.28.0-1~deb9u3_all.deb (--unpack):
 subprocess new pre-removal script returned error exit status 5
/usr/bin/deb-systemd-helper: error: unable to read certbot.timer
Failed to get unit file state for certbot.timer: No such file or directory
certbot.timer is a disabled or a static unit, not starting it.
Errors were encountered while processing:
 /var/cache/apt/archives/certbot_0.28.0-1~deb9u3_all.deb
needrestart is being skipped since dpkg has failed
E: Sub-process /usr/bin/dpkg returned an error code (1)

Up to now I have cron based renewals in place... and the timer unit does not seem to exist:

systemctl status certbot.timer
Unit certbot.timer could not be found.

I googled around quite a bit, but could not find a clue how to solve this. Any help appreciated.

best,
Jochen

Have you installed multiple versions of certbot or certbot-auto?
Have you also used PIP to install anything?
If the answer to both is NO, then you should probably:

• remove certbot
apt remove certbot
• restabilise the system
  apt update
apt upgrade
• reinstall certbot
  Here you may have "choices":

1. apt install certbot
2. use snap to install certbot (not sure if that is available for your specific O/S version)
3. use certbot-auto
   [chose only one (at a time) - you are free to add & remove them, if you want to try more than one]

I suspect that your problems will go away following these steps.
If they don't, then there may be more to do to stabilize the system.
Please reply back with sufficient detail on all successes or failures.

Oh, yes, and if the answer to either of those questions is "YES", then we may have to "undo" some of that too.

I don't know the exact sequence of events but I'm tempted to speculate that this could be a weird consequence of the recent change in the official way of installing Certbot packages on Debian 9:

However, I can't really figure out a reason that that would produce this particular error, which seems thoroughly unrelated to that. So I'm going to do something I haven't done in a little while and ask @bmw to think about the cause of this error.

Meanwhile, I assume that df and df -i show that your disk isn't full or out of inodes, and that dmesg doesn't show any disk errors?

thx for your thoughts!
Mhmm... this is an apt based install, running (and updating) fine for quite some time, over 1-2 years easily. I have this setup on other machines, too. All the others updated fine.

HD is fine and has room

No certbot-auto on this machine. I tried removing the package but got the same error...

Have you tried?:

If everything else fails...
Maybe try this: https://www.addictivetips.com/ubuntu-linux-tips/fix-broken-packages-on-debian/

yes, got the same error

thanks for the url, but I could not use it, as we do not have graphical user interface on our servers

Now I wanted to try aptitude to fix the installation but I cannot install it, due to the dependency problems on the system

I don't think this problem has anything to do with our recommendation to install Certbot through snap on Debian now. In fact, doing this would likely get your Certbot installation working properly again with automated renewal, but if apt/dpkg are still in a failure state, I don't think it'd help to solve that problem.

I unfortunately don't know enough about this to really offer guidance here, however, I sent a link to this thread to Certbot's Debian package maintainer and hopefully they are able to make a suggestion here.

Hi @Micsi!

I'm the maintainer of Certbot in Debian; the certbot folks passed me this thread.

That's an interesting error. It seems like, for some reason, your apt installation is aware of the new version of the python3-certbot library but not the new version of the certbot library.

Could you paste me the output of the following commands please?

apt update
apt show certbot -a
apt show python3-certbot -a

Hi, thanks for looking by!

apt update
Ign:1 http://deb.debian.org/debian stretch InRelease
Hit:2 http://security.debian.org/debian-security stretch/updates InRelease
Hit:3 http://deb.debian.org/debian stretch Release
Hit:4 http://ppa.launchpad.net/webupd8team/java/ubuntu trusty InRelease
Ign:5 http://ftp.de.debian.org/debian stretch InRelease
Hit:6 http://ftp.de.debian.org/debian stretch-updates InRelease
Hit:7 http://ftp.de.debian.org/debian stretch-backports InRelease
Hit:8 https://packages.cisofy.com/community/lynis/deb stable InRelease
Hit:9 https://packages.sury.org/php stretch InRelease
Hit:10 http://ftp.de.debian.org/debian stretch Release
Hit:11 http://apt.puppetlabs.com stretch InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
17 packages can be upgraded. Run 'apt list --upgradable' to see them.

> apt show certbot -a
Package: certbot
Version: 0.28.0-1~deb9u3
Priority: extra
Section: web
Source: python-certbot
Maintainer: Debian Let's Encrypt <team+letsencrypt@tracker.debian.org>
Installed-Size: 66.6 kB
Provides: letsencrypt
Depends: python3-certbot (= 0.28.0-1~deb9u3), init-system-helpers (>= 1.18~), python3:any
Suggests: python3-certbot-apache, python3-certbot-nginx, python-certbot-doc
Breaks: letsencrypt (<= 0.6.0)
Replaces: letsencrypt
Homepage: https://certbot.eff.org/
Download-Size: 37.9 kB
APT-Sources: http://security.debian.org/debian-security stretch/updates/main amd64 Packages
Description: automatically configure HTTPS using Let's Encrypt
 The objective of Certbot, Let's Encrypt, and the ACME (Automated
 Certificate Management Environment) protocol is to make it possible
 to set up an HTTPS server and have it automatically obtain a
 browser-trusted certificate, without any human intervention. This is
 accomplished by running a certificate management agent on the web
 server.
 .
 This agent is used to:
 .
   - Automatically prove to the Let's Encrypt CA that you control the website
   - Obtain a browser-trusted certificate and set it up on your web server
   - Keep track of when your certificate is going to expire, and renew it
   - Help you revoke the certificate if that ever becomes necessary.
 .
 This package contains the main application, including the standalone
 and the manual authenticators.

Package: certbot
Version: 0.28.0-1~deb9u2
Priority: extra
Section: web
Source: python-certbot
Maintainer: Debian Let's Encrypt <team+letsencrypt@tracker.debian.org>
Installed-Size: 66.6 kB
Provides: letsencrypt
Depends: python3-certbot (= 0.28.0-1~deb9u2), init-system-helpers (>= 1.18~), python3:any
Suggests: python3-certbot-apache, python3-certbot-nginx, python-certbot-doc
Breaks: letsencrypt (<= 0.6.0)
Replaces: letsencrypt
Homepage: https://certbot.eff.org/
Download-Size: 37.7 kB
APT-Manual-Installed: yes
APT-Sources: http://ftp.de.debian.org/debian stretch/main amd64 Packages
Description: automatically configure HTTPS using Let's Encrypt
 The objective of Certbot, Let's Encrypt, and the ACME (Automated
 Certificate Management Environment) protocol is to make it possible
 to set up an HTTPS server and have it automatically obtain a
 browser-trusted certificate, without any human intervention. This is
 accomplished by running a certificate management agent on the web
 server.
 .
 This agent is used to:
 .
   - Automatically prove to the Let's Encrypt CA that you control the website
   - Obtain a browser-trusted certificate and set it up on your web server
   - Keep track of when your certificate is going to expire, and renew it
   - Help you revoke the certificate if that ever becomes necessary.
 .
 This package contains the main application, including the standalone
 and the manual authenticators.

Package: certbot
Version: 0.28.0-1~bpo9+1
Priority: optional
Section: web
Source: python-certbot
Maintainer: Debian Let's Encrypt <team+letsencrypt@tracker.debian.org>
Installed-Size: 68.6 kB
Provides: letsencrypt
Depends: python3-certbot (= 0.28.0-1~bpo9+1), python3:any
Suggests: python3-certbot-apache, python3-certbot-nginx, python-certbot-doc
Breaks: letsencrypt (<= 0.6.0)
Replaces: letsencrypt
Homepage: https://certbot.eff.org/
Download-Size: 37.3 kB
APT-Sources: http://ftp.de.debian.org/debian stretch-backports/main amd64 Packages
Description: automatically configure HTTPS using Let's Encrypt
 The objective of Certbot, Let's Encrypt, and the ACME (Automated
 Certificate Management Environment) protocol is to make it possible
 to set up an HTTPS server and have it automatically obtain a
 browser-trusted certificate, without any human intervention. This is
 accomplished by running a certificate management agent on the web
 server.
 .
 This agent is used to:
 .
   - Automatically prove to the Let's Encrypt CA that you control the website
   - Obtain a browser-trusted certificate and set it up on your web server
   - Keep track of when your certificate is going to expire, and renew it
   - Help you revoke the certificate if that ever becomes necessary.
 .
 This package contains the main application, including the standalone
 and the manual authenticators.

> apt show python3-certbot -a
Package: python3-certbot
Version: 0.28.0-1~deb9u3
Priority: optional
Section: python
Source: python-certbot
Maintainer: Debian Let's Encrypt <team+letsencrypt@tracker.debian.org>
Installed-Size: 1240 kB
Depends: python3-acme (>= 0.26.0~), python3-requests (>= 2.4.3), python3-configargparse (>= 0.10.0), python3-configobj, python3-cryptography (>= 1.2), python3-josepy, python3-mock, python3-parsedatetime, python3-pkg-resources, python3-rfc3339, python3-tz, python3-zope.component, python3-zope.interface, python3:any (>= 3.3.2-2~)
Recommends: certbot
Suggests: python-certbot-doc
Breaks: python-certbot-apache (<< 0.20.0), python-certbot-nginx (<< 0.20.0), python-letsencrypt (<= 0.6.0)
Replaces: python-letsencrypt
Homepage: https://certbot.eff.org/
Download-Size: 223 kB
APT-Manual-Installed: no
APT-Sources: http://security.debian.org/debian-security stretch/updates/main amd64 Packages
Description: main library for certbot
 The objective of Certbot, Let's Encrypt, and the ACME (Automated
 Certificate Management Environment) protocol is to make it possible
 to set up an HTTPS server and have it automatically obtain a
 browser-trusted certificate, without any human intervention. This is
 accomplished by running a certificate management agent on the web
 server.
 .
 This agent is used to:
 .
   - Automatically prove to the Let's Encrypt CA that you control the website
   - Obtain a browser-trusted certificate and set it up on your web server
   - Keep track of when your certificate is going to expire, and renew it
   - Help you revoke the certificate if that ever becomes necessary.
 .
 This package contains the main libraries.

Package: python3-certbot
Version: 0.28.0-1~deb9u2
Priority: optional
Section: python
Source: python-certbot
Maintainer: Debian Let's Encrypt <team+letsencrypt@tracker.debian.org>
Installed-Size: 1239 kB
Depends: python3-acme (>= 0.26.0~), python3-requests (>= 2.4.3), python3-configargparse (>= 0.10.0), python3-configobj, python3-cryptography (>= 1.2), python3-josepy, python3-mock, python3-parsedatetime, python3-pkg-resources, python3-rfc3339, python3-tz, python3-zope.component, python3-zope.interface, python3:any (>= 3.3.2-2~)
Recommends: certbot
Suggests: python-certbot-doc
Breaks: python-certbot-apache (<< 0.20.0), python-certbot-nginx (<< 0.20.0), python-letsencrypt (<= 0.6.0)
Replaces: python-letsencrypt
Homepage: https://certbot.eff.org/
Download-Size: 222 kB
APT-Sources: http://ftp.de.debian.org/debian stretch/main amd64 Packages
Description: main library for certbot
 The objective of Certbot, Let's Encrypt, and the ACME (Automated
 Certificate Management Environment) protocol is to make it possible
 to set up an HTTPS server and have it automatically obtain a
 browser-trusted certificate, without any human intervention. This is
 accomplished by running a certificate management agent on the web
 server.
 .
 This agent is used to:
 .
   - Automatically prove to the Let's Encrypt CA that you control the website
   - Obtain a browser-trusted certificate and set it up on your web server
   - Keep track of when your certificate is going to expire, and renew it
   - Help you revoke the certificate if that ever becomes necessary.
 .
 This package contains the main libraries.

Package: python3-certbot
Version: 0.28.0-1~bpo9+1
Priority: optional
Section: python
Source: python-certbot
Maintainer: Debian Let's Encrypt <team+letsencrypt@tracker.debian.org>
Installed-Size: 1238 kB
Depends: python3-acme (>= 0.26.0~), python3-requests (>= 2.4.3), python3-configargparse (>= 0.10.0), python3-configobj, python3-cryptography (>= 1.2), python3-josepy, python3-mock, python3-parsedatetime, python3-pkg-resources, python3-rfc3339, python3-tz, python3-zope.component, python3-zope.interface, python3:any (>= 3.3.2-2~)
Recommends: certbot
Suggests: python-certbot-doc
Breaks: python-certbot-apache (<< 0.20.0), python-certbot-nginx (<< 0.20.0), python-letsencrypt (<= 0.6.0)
Replaces: python-letsencrypt
Homepage: https://certbot.eff.org/
Download-Size: 222 kB
APT-Sources: http://ftp.de.debian.org/debian stretch-backports/main amd64 Packages
Description: main library for certbot
 The objective of Certbot, Let's Encrypt, and the ACME (Automated
 Certificate Management Environment) protocol is to make it possible
 to set up an HTTPS server and have it automatically obtain a
 browser-trusted certificate, without any human intervention. This is
 accomplished by running a certificate management agent on the web
 server.
 .
 This agent is used to:
 .
   - Automatically prove to the Let's Encrypt CA that you control the website
   - Obtain a browser-trusted certificate and set it up on your web server
   - Keep track of when your certificate is going to expire, and renew it
   - Help you revoke the certificate if that ever becomes necessary.
 .
 This package contains the main libraries.

Thanks for taking a look!

Regards

Hi @Micsi,

I think what happened is that your last apt update happened while a mirror was syncing where it had the newer version of the certbot package but still only the older version of the python3-certbot package. Since you refreshed again, you now have the links to the newer version of both.

Based on the info from the apt show, I think you should be able to upgrade certbot without problems.

apt upgrade certbot should do the trick. If you get dpkg errors, please paste them in this thread.

Hi @hlieberman,

unfortunately not. I updated and retried several times over the last few days...

> apt upgrade certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
 certbot : Depends: python3-certbot (= 0.28.0-1~deb9u2) but 0.28.0-1~deb9u3 is installed
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).

Hm, interesting. Alright, let's try a few different things (and post the logs if you wouldn't mind).

1. apt --fix-broken install
2. apt install apt-cudf && apt-get --simulate upgrade --solver aspcud -o APT::Solver::Strict-Pinning=false certbot python3-certbot
3. apt remove certbot python3-certbot && apt install certbot

>apt --fix-broken install
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
Abhängigkeiten werden korrigiert ... Fertig
Die folgenden Pakete wurden automatisch installiert und werden nicht mehr benötigt:
  augeas-lenses libaugeas0 python3-augeas
Verwenden Sie »apt autoremove«, um sie zu entfernen.
The following additional packages will be installed:
  certbot
Vorgeschlagene Pakete:
  python3-certbot-apache python3-certbot-nginx python-certbot-doc
Die folgenden Pakete werden aktualisiert (Upgrade):
  certbot
1 aktualisiert, 0 neu installiert, 0 zu entfernen und 16 nicht aktualisiert.
 [...................................................................................................................................]
Es müssen noch 0 B von 37,9 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 0 B Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren? [J/n]
Lese Changelogs... Fertig
(Lese Datenbank ... 67981 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../certbot_0.28.0-1~deb9u3_all.deb ...
Failed to stop certbot.timer: Unit certbot.timer not loaded..........................................................................]
dpkg: Warnung: Unterprozess altes pre-removal-Skript gab den Fehlerwert 5 zurück.....................................................]
dpkg: stattdessen wird Skript aus dem neuen Paket probiert ...
Failed to stop certbot.timer: Unit certbot.timer not loaded..........................................................................]
dpkg: Fehler beim Bearbeiten des Archivs /var/cache/apt/archives/certbot_0.28.0-1~deb9u3_all.deb (--unpack):
 Unterprozess neues pre-removal-Skript gab den Fehlerwert 5 zurück
/usr/bin/deb-systemd-helper: error: unable to read certbot.timer
Failed to get unit file state for certbot.timer: No such file or directory
certbot.timer is a disabled or a static unit, not starting it.
Fehler traten auf beim Bearbeiten von:
 /var/cache/apt/archives/certbot_0.28.0-1~deb9u3_all.deb
needrestart is being skipped since dpkg has failed
E: Sub-process /usr/bin/dpkg returned an error code (1)

> apt install apt-cudf && apt-get --simulate upgrade --solver aspcud -o APT::Solver::Strict-Pinning=false certbot python3-certbot
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
Probieren Sie »apt --fix-broken install«, um dies zu korrigieren.
Die folgenden Pakete haben unerfüllte Abhängigkeiten:
 apt-cudf : Hängt ab von: aspcud soll aber nicht installiert werden oder
                           cudf-solver
 certbot : Hängt ab von: python3-certbot (= 0.28.0-1~deb9u2) aber 0.28.0-1~deb9u3 soll installiert werden
E: Unerfüllte Abhängigkeiten. Versuchen Sie »apt --fix-broken install« ohne Angabe eines Pakets (oder geben Sie eine Lösung an).


> apt remove certbot python3-certbot && apt install certbot
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
Die folgenden Pakete wurden automatisch installiert und werden nicht mehr benötigt:
  augeas-lenses libaugeas0 python3-acme python3-augeas python3-configargparse python3-configobj python3-josepy python3-mock
  python3-parsedatetime python3-pbr python3-requests-toolbelt python3-rfc3339 python3-tz python3-zope.component python3-zope.event
  python3-zope.hookable python3-zope.interface
Verwenden Sie »apt autoremove«, um sie zu entfernen.
Die folgenden Pakete werden ENTFERNT:
  certbot python3-certbot
0 aktualisiert, 0 neu installiert, 2 zu entfernen und 16 nicht aktualisiert.
18 nicht vollständig installiert oder entfernt.
Nach dieser Operation werden 1.307 kB Plattenplatz freigegeben.
Möchten Sie fortfahren? [J/n]
(Lese Datenbank ... 67980 Dateien und Verzeichnisse sind derzeit installiert.)
Entfernen von certbot (0.28.0-1~deb9u2) ...
Failed to stop certbot.timer: Unit certbot.timer not loaded.
dpkg: Fehler beim Bearbeiten des Paketes certbot (--remove):
 Unterprozess installiertes pre-removal-Skript gab den Fehlerwert 5 zurück
/usr/bin/deb-systemd-helper: error: unable to read certbot.timer
Failed to get unit file state for certbot.timer: No such file or directory
certbot.timer is a disabled or a static unit, not starting it.
dpkg: python3-certbot: Abhängigkeitsprobleme, wird aber wie gefordert dennoch entfernt:
 certbot hängt ab von python3-certbot (= 0.28.0-1~deb9u2).

Entfernen von python3-certbot (0.28.0-1~deb9u3) ...
dpkg: Warnung: Während Entfernens von python3-certbot ist Verzeichnis »/usr/lib/python3/dist-packages/certbot/plugins« nicht leer, wird daher nicht gelöscht
dpkg: Warnung: Während Entfernens von python3-certbot ist Verzeichnis »/usr/lib/python3/dist-packages/certbot/display« nicht leer, wird daher nicht gelöscht
Fehler traten auf beim Bearbeiten von:
 certbot
needrestart is being skipped since dpkg has failed
E: Sub-process /usr/bin/dpkg returned an error code (1)

Mhmm... the result is always about the same...

thanks for your help!

@hlieberman do you have any other tip for me, please?

Situation is still that updates can not be applied and certbot is not working any more :-/

Interesting. It looks like the timer file is for some reason gone, and that's breaking things really badly.

Okay, let's apply some more... aggressive measures. (For anyone else reading this thread, please don't try and follow the next set of commands; it may break your computer very badly.)

As root:

rm /var/lib/dpkg/info/certbot.*rm
find /lib/systemd/ -name 'certbot.*' -delete
find -P /etc/systemd/ -name 'certbot.*' -delete
dpkg --purge --force-all certbot
systemctl --system daemon-reload

If things break spectacularly during this process, I want to make sure you are able to get hold of me in a hurry. If you join irc.freenode.net with any IRC client, you can send me an private message, or find me in #certbot-devel. Highlights there will get pushed to my phone. It looks like I'm about six hours behind you, so you may want to wait until tomorrow afternoon to try this just in case things go badly.

Hi,

will do this in the afternoon, thank you.

Yes, it seems there's a problem with the timer. But I am unaware of this timer anyway. I thought certbot is using a cronjob for this. Is it possible that the timer is new an was not correctly installed on my System? BTW: I have other machines running without a problem. All systems are setup using the same puppet code...

Best,
Jochen