Fail to renew using snap daemon

AFAICT there is nothing incorrect about the parameters causing the failures.

My domain is:
sma-inc.us

systemd ran this command:

2022-12-04T03:04:13-0700 sma-server3 systemd[1]: Starting Service for snap application certbot.renew...

It produced this output:

2022-12-04T03:04:16-0700 sma-server3 certbot.renew[3052]: Renewal configuration file /etc/letsencrypt/renewal/sma-inc.us-0001.conf (cert: sma-inc.us-0001) produced an unexpected error: 'Namespace' object has no attribute 'dns_rfc2136_propagation_seconds'. Skipping.
2022-12-04T03:04:16-0700 sma-server3 certbot.renew[3052]: Renewal configuration file /etc/letsencrypt/renewal/sma-inc.us.conf (cert: sma-inc.us) produced an unexpected error: 'Namespace' object has no attribute 'dns_rfc2136_credentials'. Skipping.
2022-12-04T03:04:16-0700 sma-server3 certbot.renew[3052]: 0 renew failure(s), 2 parse failure(s)
2022-12-04T03:04:16-0700 sma-server3 systemd[1]: snap.certbot.renew.service: Main process exited, code=exited, status=1/FAILURE
2022-12-04T03:04:16-0700 sma-server3 systemd[1]: snap.certbot.renew.service: Failed with result 'exit-code'.
2022-12-04T03:04:16-0700 sma-server3 systemd[1]: Failed to start Service for snap application certbot.renew.
2022-12-04T03:10:49-0700 sma-server3 snapd[30713]: storehelpers.go:748: cannot refresh: snap has no updates available: "certbot", "core", "core20"

My web server is (include version):
n/a

The operating system my web server runs on is (include version):
opensuse 15.4
linux 5.14.21-150400.24.33-default x86_64

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site:
no

The version of my client is:
certbot 1.22.0

/etc/letsencrypt/renewal/sma-inc.us-0001.conf:

# Options used in the renewal process
[renewalparams]
account = xxx
rsa_key_size = 4096
authenticator = dns-rfc2136
dns_rfc2136_propagation_seconds = 15
dns_rfc2136_credentials = /root/.secrets/certbot/rfc2136.ini
server = https://acme-v02.api.letsencrypt.org/directory

/etc/letsencrypt/renewal/sma-inc.us.conf:

# Options used in the renewal process
[renewalparams]
authenticator = dns-rfc2136
account = xxx
server = https://acme-v02.api.letsencrypt.org/directory
# dns_rfc2136_propagation_seconds = 10
dns_rfc2136_credentials = /root/.secrets/certbot/rfc2136.ini

Please post the output of certbot plugins.

Also, I'm curious about the output of certbot certificates as it seems you're having two certs for the same domain name, which is often unnecessary.

$ sudo certbot plugins
[sudo] password for root: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT

* dns-rfc2136
Description: Obtain certificates using a DNS TXT record (if you are using BIND
for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-rfc2136 =
certbot_dns_rfc2136._internal.dns_rfc2136:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: Authenticator, Plugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I was testing a renewal script that seemed to work... Except it apparently created a new cert.

$ sudo certbot certificates
[sudo] password for root: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: sma-inc.us-0001
    Serial Number: 36f8c3b7c56266f5558e0035b210c30323a
    Key Type: RSA
    Domains: *.sma-inc.us
    Expiry Date: 2023-02-17 20:42:17+00:00 (VALID: 75 days)
    Certificate Path: /etc/letsencrypt/live/sma-inc.us-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sma-inc.us-0001/privkey.pem
  Certificate Name: sma-inc.us
    Serial Number: 3ee4c4fcb1f8c5be87978ae1511f39c7cec
    Key Type: RSA
    Domains: *.sma-inc.us sma-inc.us
    Expiry Date: 2023-02-15 21:58:49+00:00 (VALID: 73 days)
    Certificate Path: /etc/letsencrypt/live/sma-inc.us/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sma-inc.us/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

With regard to the first output: weird to see the plugin there. Could you please post the output of whereis certbot and also ls -l /usr/bin/certbot ?

With regard to the second output: it seems the certificate with the name sma-inc.us-0001 is superfluous with regard to the certificate with the name sma-inc.us: it contains the same wildcard hostname, but lacks the apex domain. You should make sure all services using a certificate use the files in /etc/letsencrypt/live/sma-inc.us/ and after that you could delete the certificate with the name sma-inc.us-0001. See User Guide — Certbot 2.0.0 documentation for more info, especially the part about safely deleting certificates.

$ whereis certbot
certbot: /usr/bin/certbot /snap/bin/certbot
$ ls -l /usr/bin/certbot
lrwxrwxrwx 1 root root 25 Jul 12 01:33 /usr/bin/certbot -> /etc/alternatives/certbot*
$ ls -l /snap/bin/certbot
lrwxrwxrwx 1 root root 13 Nov 18 16:24 /snap/bin/certbot -> /usr/bin/snap*

That's weird. I've never heard about the directory /etc/alternatives/, let alone /etc/alternatives/certbot. The symbolic link /usr/bin/certbot should actually point to /snap/bin/certbot. I have no idea what that /etc/alternatives/ is, but it seems that if you're running certbot from the command line, it's running a different Certbot than the one installed by snap. I'm pretty sure that if you'd run sudo /snap/bin/certbot plugins, you won't see the dns-rfc2136 plugin listed.

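The failure in the first post can be reproduced offline: the snap Certbot behind the systemd timer did not have the dns-rfc2136 plugin, so the `dns_rfc2136_*` keys in the renewal files had no plugin to define them and the parser reported them as missing attributes. The following is an added example, not code from the thread or from Certbot itself, that checks every renewal file against the plugin list of the Certbot that will actually run. It assumes the renewal files are in Certbot's `[renewalparams]` INI layout and that the plugin list is the text printed by `certbot plugins`; the sample files and the plugin list embedded below are constructed from what was quoted above.

```python
import configparser
import re
from pathlib import Path
from typing import List, Set

# Constructed sample: the two renewal files quoted in the thread.
RENEWAL_FILES = {
    "sma-inc.us-0001.conf": """\
# Options used in the renewal process
[renewalparams]
account = xxx
rsa_key_size = 4096
authenticator = dns-rfc2136
dns_rfc2136_propagation_seconds = 15
dns_rfc2136_credentials = /root/.secrets/certbot/rfc2136.ini
server = https://acme-v02.api.letsencrypt.org/directory
""",
    "sma-inc.us.conf": """\
# Options used in the renewal process
[renewalparams]
authenticator = dns-rfc2136
account = xxx
server = https://acme-v02.api.letsencrypt.org/directory
# dns_rfc2136_propagation_seconds = 10
dns_rfc2136_credentials = /root/.secrets/certbot/rfc2136.ini
""",
}

# Constructed sample: what `sudo /snap/bin/certbot plugins` prints before the
# DNS plugin snap is installed (only the '* name' lines matter here).
SNAP_PLUGINS_OUTPUT = """\
* apache
Description: Apache Web Server plugin
* standalone
Description: Spin up a temporary webserver
* webroot
Description: Place files in webroot directory
"""


def installed_plugins(plugins_output: str) -> Set[str]:
    """Plugin names from `certbot plugins` output: the lines that start with '* '."""
    return {m.group(1) for m in re.finditer(r"^\* (\S+)", plugins_output, re.M)}


def check_renewal_conf(name: str, text: str, plugins: Set[str]) -> List[str]:
    """Report plugins a renewal file relies on that this Certbot cannot load.

    A plugin's own options are stored with the plugin name as prefix
    ('-' becomes '_'), e.g. dns_rfc2136_credentials belongs to dns-rfc2136.
    If the plugin is absent those keys are exactly the ones that produce
    "'Namespace' object has no attribute ..." during renewal.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    params = cp["renewalparams"]
    problems = []
    for role in ("authenticator", "installer"):
        plugin = params.get(role)
        if plugin is None or plugin in plugins:
            continue
        prefix = plugin.replace("-", "_") + "_"
        orphaned = sorted(k for k in params if k.startswith(prefix))
        problems.append(
            f"{name}: {role} '{plugin}' is not provided by this Certbot; "
            f"keys that would fail to parse: {', '.join(orphaned) or '(none)'}"
        )
    return problems


def check_renewal_dir(renewal_dir: Path, plugins_output: str) -> List[str]:
    """Run the check over a real /etc/letsencrypt/renewal directory."""
    plugins = installed_plugins(plugins_output)
    problems: List[str] = []
    for conf in sorted(renewal_dir.glob("*.conf")):
        problems.extend(check_renewal_conf(conf.name, conf.read_text(), plugins))
    return problems


if __name__ == "__main__":
    # Offline demo on the constructed samples; on a live host you would pass
    # Path("/etc/letsencrypt/renewal") and the captured `certbot plugins` text.
    available = installed_plugins(SNAP_PLUGINS_OUTPUT)
    for fname, body in RENEWAL_FILES.items():
        for line in check_renewal_conf(fname, body, available) or [f"{fname}: ok"]:
            print(line)
```

Run it with the plugin list of the Certbot the timer uses (the snap one, `/snap/bin/certbot plugins`), not whichever binary `certbot` resolves to in your shell; with two installations those lists can differ, which is exactly what happened here.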

You are correct.
How do I install rfc2136 then?

I installed the older version (1.22) from the system's repo.

See the Certbot instructions for OpenSuse: Certbot Instructions | Certbot and click the "Wildcard" tab on the top of the instructions. Besides the generic "how to install Certbot using snap" it also includes instructions on how to install the DNS plugin.

Remember that it's probably not a good idea to have multiple Certbots installed. You probably want to uninstall whatever is installed in /etc/alternatives/ and symlink /usr/bin/certbot to /snap/bin/certbot.


Okay, I deleted the older version, and installed the rfc2136 plugin.
I won't know about the timer renewal until it runs.

I have a shell script that I tested and worked 2 weeks ago; it renews the certificate. Now it does not. (Sigh.) The name server is local to the network. Updates should happen in less than a second.

# /snap/bin/certbot certonly -d *.sma-inc.us --agree-tos --dns-rfc2136 --dns-rfc2136-credentials /root/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 15 --rsa-key-size 4096 --dry-run
... normal stuff ...
Certbot failed to authenticate some domains (authenticator: dns-rfc2136). The Certificate Authority reported these problems:
  Domain: sma-inc.us
  Type:   dns
  Detail: DNS problem: query timed out looking up TXT for _acme-challenge.sma-inc.us

Log entries from BIND:

04-Dec-2022 14:20:59.515 update: info: client @0x7ff334280310 192.168.69.246#40264/key letsencrypt: updating zone 'sma-inc.us/IN': adding an RR at '_acme-challenge.sma-inc.us' TXT "KtQ1YsbBZB6eQTpE3MNWhG3MnynC3sq3oAe7BRlNCwM"
04-Dec-2022 14:20:59.539 notify: info: zone sma-inc.us/IN: sending notifies (serial 2022111838)
04-Dec-2022 14:21:46.374 update: info: client @0x7ff33833a470 192.168.69.246#32954/key letsencrypt: updating zone 'sma-inc.us/IN': deleting an RR at _acme-challenge.sma-inc.us TXT
04-Dec-2022 14:21:46.398 notify: info: zone sma-inc.us/IN: sending notifies (serial 2022111839)

Does the query timeout happen reliably? Over multiple dry runs?

One thing you can try to fix is to make sure your zonefile contains both authoritative nameservers, as currently it only lists ns1:

$ dig +noall +answer @ns1.sma-inc.us sma-inc.us ns
sma-inc.us.             38400   IN      NS      ns1.sma-inc.us.

Something like that can occasionally have an impact.


The older version of the plugin OR certbot?

Try a bit longer than 15 seconds.

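The two suggestions above (list every authoritative nameserver in the zone, and give the TXT record longer to propagate) both come down to the same question: does each server the CA might ask already return the `_acme-challenge` TXT value? The fixed `--dns-rfc2136-propagation-seconds` sleep is only a guess at that. As an added example, not from the thread or from Certbot, here is a stand-alone checker that asks each authoritative server directly over UDP and waits until all of them answer with the expected value. It assumes you supply the servers' IP addresses, uses a minimal hand-built DNS query (no EDNS and no TCP fallback, so it is only for short TXT answers), and includes a constructed response builder so the parser can be exercised offline; the challenge value in the demo is the one from the BIND log above.

```python
import socket
import struct
import time
from typing import Dict, List, Optional, Tuple

TYPE_TXT, CLASS_IN = 16, 1


def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    """One-question DNS query for TXT records, recursion-desired bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_txt_answers(msg: bytes) -> List[str]:
    """TXT strings from the answer section; empty on NXDOMAIN/SERVFAIL or no data."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x000F != 0:            # RCODE other than NOERROR
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_TXT:
            # RDATA is a sequence of <len><chars> strings; join them into one value
            pos, end, parts = off, off + rdlen, []
            while pos < end:
                n = msg[pos]
                parts.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
            texts.append("".join(parts))
        off += rdlen
    return texts


def build_txt_response(query: bytes, texts: List[str]) -> bytes:
    """Constructed fixture: a NOERROR answer to `query` carrying the given TXT values."""
    txid, _flags, qd, *_ = struct.unpack_from("!HHHHHH", query, 0)
    header = struct.pack("!HHHHHH", txid, 0x8180, qd, len(texts), 0, 0)
    answers = b""
    for t in texts:
        rdata = bytes([len(t)]) + t.encode("ascii")
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    return header + query[12:] + answers


def query_txt(server_ip: str, name: str, timeout: float = 3.0) -> Optional[List[str]]:
    """Ask one nameserver directly; None means it did not answer in time."""
    q = build_txt_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_txt_answers(data) if data[:2] == q[:2] else None


def all_servers_have(answers: Dict[str, Optional[List[str]]], expected: str) -> bool:
    """True only if every server answered and every answer contains `expected`."""
    return all(a is not None and expected in a for a in answers.values())


def wait_for_propagation(server_ips: List[str], name: str, expected: str,
                         deadline_s: float = 60, interval_s: float = 5
                         ) -> Tuple[bool, Dict[str, Optional[List[str]]]]:
    """Poll every authoritative server until all return the expected TXT value."""
    start = time.monotonic()
    while True:
        answers = {ip: query_txt(ip, name) for ip in server_ips}
        if all_servers_have(answers, expected):
            return True, answers
        if time.monotonic() - start > deadline_s:
            return False, answers
        time.sleep(interval_s)


if __name__ == "__main__":
    # Offline demo with the constructed fixture; on a live zone call
    # wait_for_propagation(["<ns1 ip>", "<ns2 ip>"], "_acme-challenge.sma-inc.us", value).
    value = "KtQ1YsbBZB6eQTpE3MNWhG3MnynC3sq3oAe7BRlNCwM"
    resp = build_txt_response(build_txt_query("_acme-challenge.sma-inc.us"), [value])
    print(parse_txt_answers(resp))
```

A server that returns None here is the condition the CA reported ("query timed out"), and a server that answers but lacks the value is the propagation gap a longer sleep is meant to cover; seeing which of the two it is tells you whether to look at reachability of the nameserver or at zone transfer timing.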

Both.

I tried 30 seconds. Just took longer to fail.
