Error: access denied to install certbot-dns-cloudflare

campari · July 29, 2021, 6:44pm

Hi,
My domain is: irchelp.com.br and I would like to install the dns-cloudflare plugin to automatically renew my wildcard certificate, however when I try to install the certbot-dns-cloudflare plugin running command: sudo snap install certbot-dns-cloudflare I get an error

error: access denied
Only connect this interface if you trust the plugin author to have root on the system.
Run snap set certbot trust-plugin-with-root=ok to acknowledge this and then run this command again to perform the connection.
If that doesn't work, you may need to remove all certbot-dns-* plugins from the system, then try installing the certbot snap again.

I already followed the steps of https://certbot.eff.org/lets-encrypt/debianstretch-apache

My web server is :
Server version: Apache/2.4.25 (Debian)
Server built: 2021-07-09T08:12:34

The operating system my web server runs on is:
Debian|
Debian GNU/Linux 9.13 (stretch)|
Release:9.13
Codename: stretch

My hosting provider, is: cloudflare.com

I can login to a root shell on my machine: Yes

I'm using a control panel to manage my site: No

The version of my client is: certbot 1.17.0

Thanks for you attention.

rg305 · July 29, 2021, 7:40pm

Hi @campari, and welcome to the LE community forum

Did you completely follow Step #3 and Step #4?

Also: Without added LTS, Deb9 is past EOL.

_az · July 29, 2021, 8:26pm

This is unfortunately a bug that appeared recently on Debian Stretch.

We plan to have a workaround for it in time for Certbot 1.18, but until then you may need to use the pip instructions instead.

campari · July 29, 2021, 8:30pm

Hi,
Yes, i completed step #3 and #4. The output to the command $sudo snap list is

Name Version Rev Tracking Publisher Notes
certbot 1.17.0 1280 latest/stable certbot-eff✓ classic
core 16-2.51.3 11420 latest/stable canonical✓ core
core20 20210702 1081 latest/stable canonical✓ base
hello-world 6.4 29 latest/stable canonical✓ -

campari · July 29, 2021, 8:38pm

Hi,
Would you can put the link with the "pip instructions"?

Thank you for your attention

_az · July 29, 2021, 9:07pm

The pip instructions are here.

campari · July 29, 2021, 9:10pm

Thank you.

campari · July 29, 2021, 9:35pm

Hi,
I did all steps the pip instructions but when i run command sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /home/campari/certs/.token/cf-api-token.ini -d *.irchelp.com.br -d irchelp.com.br -i apache

appear this output:

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-cloudflare-credentials

Do you think the best thing to do is upgrade to Debian 10 or 11?

_az · July 29, 2021, 9:40pm

Did you remove the Certbot snap before installing the pip-based one? It sounds maybe like the certbot in your $PATH is from some other installation method.

If you ran:

/opt/certbot/bin/pip install certbot-dns-cloudflare

You should see Cloudflare listed if you run:

/opt/certbot/bin/certbot plugins

and you shouldn't get that error.

Upgrading to Debian Buster is up to you, but it isn't strictly necessary to get this working.

campari · July 29, 2021, 9:49pm

_az:

Did you remove the Certbot snap before installing the pip -based one? It sounds maybe like the certbot in your $PATH is from some other installation method.

If you ran:
/opt/certbot/bin/pip install certbot-dns-cloudflare
You should see Cloudflare listed if you run:
/opt/certbot/bin/certbot plugins
and you shouldn't get that error.

Upgrading to Debian Buster is up to you, but it isn't strictly necessary to get this working.

I didn't uninstall certbot snap, but when i run command /opt/certbot/bin/certbot plugins, i see the plugin dns-cloudflare.

apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT

dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using
Cloudflare for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-cloudflare =
certbot_dns_cloudflare._internal.dns_cloudflare:Authenticator

standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator

webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator

should I uninstall certbot snap?

_az · July 29, 2021, 9:52pm

Yeah. If you're using the pip-installed version of Certbot, it is a substitute for the Certbot snap.

Afterwards, don't forget the step in the instructions to then put the pip-installed Certbot into your PATH:

sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

campari · July 29, 2021, 9:55pm

Ok. I will remove everything and redo the steps.

PS.: I didi this step sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot.

campari · July 29, 2021, 10:10pm

Okay. It worked.

Thank you very much folks.

Best wishes.

Osiris · July 30, 2021, 5:51am

@_az It seems step 4 of the pip instructions are just refering to certbot-auto and OS installed certbot packages. Probably should include snap too.

_az · July 30, 2021, 6:38am

Thanks, created a change for that.

system · August 29, 2021, 6:38am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.