Fails to renew certificate


#1

Hi

Trying to renew my certificate I get exit status 1,
I am on Ubuntu 16.04.3 LTS; it is the micro instance on Amazon AWS.
The certificate update used to work all last year, it is a small instance, I have also added some swap space. Any ideas why it would fail?

Looking at the logs below, it does create a virtual environment by doing also a pip install
subprocess.CalledProcessError: Command ‘pip install --no-index --no-deps -U --no-cache-dir /tmp/pipstrap-tPqyjI/pip-9.0.1.tar.gz /tmp/pipstrap-tPqyjI/setuptools-40.6.3.zip /tmp/pipstrap-tPqyjI/wheel-0.29.0.tar.gz’ returned non-zero exit status

How can I replicate the steps to find the source of the problem?

Thanks

./letsencrypt-auto certonly --debug --standalone -d example.com
Requesting to rerun ./letsencrypt-auto with root privileges…
Bootstrapping dependencies for Debian-based OSes… (you can skip this with --no-bootstrap)
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]
Hit:2 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu xenial InRelease
Get:3 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]
Get:4 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]
Hit:5 https://apt.postgresql.org/pub/repos/apt trusty-pgdg InRelease
Fetched 325 kB in 1s (297 kB/s)
Reading package lists… Done
Reading package lists… Done
Building dependency tree
Reading state information… Done
gcc is already the newest version (4:5.3.1-1ubuntu1).
libffi-dev is already the newest version (3.2.1-4).
augeas-lenses is already the newest version (1.4.0-0ubuntu1.1).
ca-certificates is already the newest version (20170717~16.04.2).
libaugeas0 is already the newest version (1.4.0-0ubuntu1.1).
libssl-dev is already the newest version (1.0.2g-1ubuntu4.14).
openssl is already the newest version (1.0.2g-1ubuntu4.14).
python is already the newest version (2.7.12-1~16.04).
python-dev is already the newest version (2.7.12-1~16.04).
python-virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
The following packages were automatically installed and are no longer required:
comerr-dev krb5-multidev libgssrpc4 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-8 linux-aws-headers-4.4.0-1049 linux-aws-headers-4.4.0-1052
linux-aws-headers-4.4.0-1054 linux-aws-headers-4.4.0-1055 linux-aws-headers-4.4.0-1057 linux-aws-headers-4.4.0-1060 linux-aws-headers-4.4.0-1061
linux-aws-headers-4.4.0-1062 linux-aws-headers-4.4.0-1065 linux-aws-headers-4.4.0-1066 linux-aws-headers-4.4.0-1069 linux-aws-headers-4.4.0-1070
linux-headers-4.4.0-1049-aws linux-headers-4.4.0-1052-aws linux-headers-4.4.0-1054-aws linux-headers-4.4.0-1055-aws linux-headers-4.4.0-1057-aws
linux-headers-4.4.0-1060-aws linux-headers-4.4.0-1061-aws linux-headers-4.4.0-1062-aws linux-headers-4.4.0-1065-aws linux-headers-4.4.0-1066-aws
linux-headers-4.4.0-1069-aws linux-headers-4.4.0-1070-aws linux-image-4.4.0-1049-aws linux-image-4.4.0-1052-aws linux-image-4.4.0-1054-aws
linux-image-4.4.0-1055-aws linux-image-4.4.0-1057-aws linux-image-4.4.0-1060-aws linux-image-4.4.0-1061-aws linux-image-4.4.0-1062-aws
linux-image-4.4.0-1065-aws linux-image-4.4.0-1066-aws linux-image-4.4.0-1069-aws linux-image-4.4.0-1070-aws
Use ‘sudo apt autoremove’ to remove them.
0 upgraded, 0 newly installed, 0 to remove and 111 not upgraded.
Creating virtual environment…
Installing Python packages…
Command “/opt/eff.org/certbot/venv/bin/python2.7 -u -c “import setuptools, tokenize;file=’/tmp/pip-IQpHhf-build/setup.py’;exec(compile(getattr(tokenize, ‘open’, open)(file).read().replace(’\r\n’, ‘\n’), file, ‘exec’))” install --record /tmp/pip-_rt078-record/install-record.txt --single-version-externally-managed --compile --install-headers /opt/eff.org/certbot/venv/include/site/python2.7/pip” failed with error code 1 in /tmp/pip-IQpHhf-build/
Traceback (most recent call last):
File “/tmp/tmp.yCKR7d3gI9/pipstrap.py”, line 177, in
exit(main())
File “/tmp/tmp.yCKR7d3gI9/pipstrap.py”, line 164, in main
shell=True)
File “/usr/local/lib/python2.7/subprocess.py”, line 219, in check_output
raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command ‘pip install --no-index --no-deps -U --no-cache-dir /tmp/pipstrap-tPqyjI/pip-9.0.1.tar.gz /tmp/pipstrap-tPqyjI/setuptools-40.6.3.zip /tmp/pipstrap-tPqyjI/wheel-0.29.0.tar.gz’ returned non-zero exit status 1
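
Added example, not part of the original post or of letsencrypt-auto: a small triage script that reads a captured run and reports the last stage it reached and the command named in the CalledProcessError line. That shows whether the failure happened before certbot ever started. The log is constructed from the output quoted above; the function names and the use of certbot's "Saving debug log to" line as the marker for a started certbot run are assumptions of this example.

```bash
# Triage a captured letsencrypt-auto run by stage (added example).
# sample_log is constructed, modelled on the output quoted in the post.
sample_log() {
cat <<'EOF'
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
0 upgraded, 0 newly installed, 0 to remove and 111 not upgraded.
Creating virtual environment...
Installing Python packages...
Traceback (most recent call last):
subprocess.CalledProcessError: Command 'pip install --no-index --no-deps -U --no-cache-dir /tmp/pipstrap-XXXXXX/pip-9.0.1.tar.gz' returned non-zero exit status 1
EOF
}

# Print the last stage banner the script reached before it stopped.
last_stage() {
    awk '
        /^Bootstrapping dependencies/   { stage = "bootstrap" }
        /^Creating virtual environment/ { stage = "venv" }
        /^Installing Python packages/   { stage = "pip" }
        /^Saving debug log to/          { stage = "certbot" }  # assumed marker
        END { print (stage == "" ? "unknown" : stage) }
    '
}

# Print the command named in the last CalledProcessError line, if any.
failed_command() {
    sed -n "s/^subprocess\.CalledProcessError: Command '\(.*\)' returned non-zero exit status [0-9][0-9]*\$/\1/p" | tail -n 1
}

# Summarise whether the run got as far as starting certbot.
triage() {
    log=$(cat)
    stage=$(printf '%s\n' "$log" | last_stage)
    cmd=$(printf '%s\n' "$log" | failed_command)
    case "$stage" in
        certbot) echo "stage=$stage: certbot started; see /var/log/letsencrypt" ;;
        *)       echo "stage=$stage: stopped before certbot ran; no certificate request was made" ;;
    esac
    if [ -n "$cmd" ]; then echo "failing command: $cmd"; fi
    return 0
}

sample_log | triage
```

For the run quoted above this reports the `pip` stage: the failure is in rebuilding the local virtual environment, not in the certificate request itself.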


#2

Please show the LE-auto version.

Have you tried with “--no-self-upgrade” ?


#3

Hi

I have tried it, I still get the same error.

When you say "Please show the LE-auto version",
how do I do this? Will I need to install a different package?
I looked on the web; do you mean this page? https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx
It looks like a big change, as it affects nginx configs etc.

Thanks

./letsencrypt-auto certonly --no-self-upgrade --debug --standalone -d xxx.com
I still get the same error

Installing Python packages…
Command “/opt/eff.org/certbot/venv/bin/python2.7 -u -c “import setuptools, tokenize;file=’/tmp/pip-TU1Jwr-build/setup.py’;exec(compile(getattr(tokenize, ‘open’, open)(file).read().replace(’\r\n’, ‘\n’), file, ‘exec’))” install --record /tmp/pip-ZmRffP-record/install-record.txt --single-version-externally-managed --compile --install-headers /opt/eff.org/certbot/venv/include/site/python2.7/pip” failed with error code 1 in /tmp/pip-TU1Jwr-build/
Traceback (most recent call last):
File “/tmp/tmp.61DRoUOc2K/pipstrap.py”, line 177, in
exit(main())
File “/tmp/tmp.61DRoUOc2K/pipstrap.py”, line 164, in main
shell=True)
File “/usr/local/lib/python2.7/subprocess.py”, line 219, in check_output
raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command ‘pip install --no-index --no-deps -U --no-cache-dir /tmp/pipstrap-pXAZ19/pip-9.0.1.tar.gz /tmp/pipstrap-pXAZ19/setuptools-40.6.3.zip /tmp/pipstrap-pXAZ19/wheel-0.29.0.tar.gz’ returned non-zero exit status 1


#4

./letsencrypt-auto --version


#5

[you may already be doing this - but just to be 100% sure]

I would also ensure you are running LE from within the same folder where it is located.

which letsencrypt-auto
cd {to the folder shown from the above command}
then
./letsencrypt-auto …


#6

Hello,

I’m having exactly the same error and trying to figure it out. My previous renewals worked just fine but I’m trying it for two days now and it’s not working. Can you please update if you fixed this issue? If yes then how did you do that? Will appreciate your help.


#7

@Bilal, You should open a new thread and provide all the details there.


#8

@rg305 Thanks. The error is very similar with the same instance I’m running on AWS. But I’ll go ahead and create a new thread. I’m going to copy the screenshots here just in case @vassilis has an update on this.


#9

Hi
You seem to have the same issue as I had with letsencrypt-auto failing to authenticate as part of the pip install. I gave up eventually.

There are 2 ways to issue a certificate,
1 letsencrypt-auto, which seems to me to be the old way (it rebuilds the package every time you need to issue a certificate).
2 to use the certbot package. You install it as an Ubuntu package.

I tried the 2nd way and it worked.

This is what I did on amazon aws following this doc

I tried the steps first on a copied image of my instance, then I pointed AWS Route 53 at that instance and checked whether, after updating the instance and installing certbot, it all still worked OK. It did.

Here are the instructions

Here is what I did
$ sudo apt-get update

$ sudo apt-get install software-properties-common

$ sudo add-apt-repository universe

$ sudo add-apt-repository ppa:certbot/certbot

$ sudo apt-get update

Because I use nginx I did these steps also

$ sudo apt-get install certbot python-certbot-nginx

$ sudo certbot --nginx

It worked. So from now on I use certbot instead of letsencrypt-auto.

Vassilis


#10

This is an autoupdater script (whose modern name is certbot-auto), and it rebuilds the package every time there’s a new upstream release (which might well be every time you need to issue a certificate, if you haven’t run it successfully in between!). But it isn’t rebuilding it for no reason, but rather because the software has changed in some way. Some of the changes are important bug fixes.

(I realize that certbot-auto can have a lot of compatibility problems on some OSes, but I just wanted to point out that there’s a good reason behind the autoupdates that you see it attempting to perform.)

