From stretch to buster failure

Soydepr · March 30, 2020, 12:44pm

i have updated pi3 from stretch to buster

lighttpd failed to start, was able to solve that but now letsencrypt appears to fail

pi@vorman:/var/www/html/owncloud $ /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
2020-03-30 08:44:18: (configfile.c.1599) server.upload-dirs doesn’t exist: /var/cache/lighttpd/uploads
2020-03-30 08:44:18: (mod_openssl.c.445) SSL: BIO_read_filename(’/etc/letsencrypt/live/vorman.mooo.com/combined.pem’) failed
2020-03-30 08:44:18: (server.c.1183) Initialization of plugins failed. Going down.

9peppe · March 30, 2020, 12:48pm

ls -la /etc/letsencrypt/live/vorman.mooo.com

You should configure lighttpd to use fullchain.pem in that directory. If that directory is empty… go for certbot update_symlinks

Soydepr · March 30, 2020, 4:16pm

pi@vorman:/var/www/html/owncloud $ sudo ls -la /etc/letsencrypt/live/vorman.mooo.com
total 24
drwxr-xr-x 2 root root 4096 Mar 3 19:58 .
drwx------ 3 root root 4096 Sep 26 2018 ..
lrwxrwxrwx 1 root root 39 Mar 3 18:36 cert.pem -> ../../archive/vorman.mooo.com/cert7.pem
lrwxrwxrwx 1 root root 40 Mar 3 18:36 chain.pem -> ../../archive/vorman.mooo.com/chain7.pem
-rw-r--r-- 1 root root 5262 Mar 3 20:02 combined.pem
-rw-r--r-- 1 root root 3558 Mar 3 19:58 combined.pem.bk
lrwxrwxrwx 1 root root 44 Mar 3 18:36 fullchain.pem -> ../../archive/vorman.mooo.com/fullchain7.pem
lrwxrwxrwx 1 root root 42 Mar 3 18:36 privkey.pem -> ../../archive/vorman.mooo.com/privkey7.pem
-rw-r--r-- 1 root root 682 Sep 26 2018 README

9peppe · March 30, 2020, 4:21pm

your lighttpd config should look like:

    ssl.privkey= "/etc/letsencrypt/live/certname/privkey.pem" 
    ssl.pemfile= "/etc/letsencrypt/live/certname/cert.pem" 
    ssl.ca-file= "/etc/letsencrypt/live/certname/chain.pem"

if you need to use cert and chain in a single file, that’s fullchain.pem

Soydepr · March 30, 2020, 4:25pm

thanks

this was working fine in stretch

does it change for buster

SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/letsencrypt/live/vorman.mooo.com/combined.pem"
ssl.ca-file = "/etc/letsencrypt/live/vorman.mooo.com/fullchain.pem"

see

9peppe · March 30, 2020, 4:41pm

your combined.pem is cert and key, I get it now. change to the config I gave you, there’s some issue with your config (user permissions maybe?)

Soydepr · March 30, 2020, 4:44pm

permissions - confuse is the issue lighty or letsencrypt
4.0K -rw-r–r-- 1 root root 2.4K Mar 30 08:28 /etc/lighttpd/lighttpd.conf

9peppe · March 30, 2020, 4:48pm

I think lighty might not be able to read those files. On why, I have no idea. Thus I suggested you use the certbot-native symbolic links with their configs in lighty (there’s no need to combine cert and key)

https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL

Soydepr · March 30, 2020, 4:52pm

i think combine is a lighttpd requisite

9peppe · March 30, 2020, 4:52pm

mine works fine without: https://natmachine.qualcuno.xyz:25003

Soydepr · March 30, 2020, 5:01pm

what is certbot-native symbolic

9peppe · March 30, 2020, 5:02pm

the files in /etc/letsencrypt/live/certname/ that are created by certbot itself instead of you

Soydepr · March 31, 2020, 9:30pm

i
when i check cert i see is installed correctly

TLS Certificate is correctly installed

Congratulations! This certificate is correctly installed.

dont remember why i had to use combined , anyway i tried putting file like you mentioned and get this error

root@vorman:~/lets# ./certbot-auto update_symlinks
Error: couldn’t get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 7, in
from certbot.main import main
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 2, in
from certbot._internal import main as internal_main
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py”, line 6, in
import logging.handlers
File “/usr/lib/python2.7/logging/init.py”, line 26, in
import sys, os, time, cStringIO, traceback, warnings, weakref, collections
File “/usr/lib/python2.7/weakref.py”, line 14, in
from _weakref import (
ImportError: cannot import name _remove_dead_weakref

mnordhoff · March 31, 2020, 9:45pm

Just rename or delete the /opt/eff.org/certbot/ directory.

That will make certbot-auto reinstall itself next time you run it.

It was built against your previous OS and needs to be rebuilt.

Soydepr · March 31, 2020, 10:02pm

got this error with --renew flag
usage:
certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: ambiguous option: --renew could match --renew-by-default, --renew-with-new-domains, --renew-hook

schoen · March 31, 2020, 11:00pm

That behavior with --renew is correct—there is no such option as --renew. Is it possible that you meant certbot-auto renew rather than certbot-auto --renew?

(Some actions in Certbot are considered “verbs” or “subcommands” rather than “options”; that includes renew.)

system · April 30, 2020, 11:00pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Lighttpd usable chained file Feature Requests	4	11507	December 31, 2015
Fullchain.pem failed on lighttpd Help	6	1909	October 17, 2020
Empty files fullchain.pem Help	7	1319	April 3, 2020
Certbot - Live Symlinks Not Updating As Expected - New Certificate Available But Not Used Help	13	9193	July 9, 2017
Renewal failure after server migration Help	12	3119	January 27, 2019

From stretch to buster failure

TLS Certificate is correctly installed

Related topics