From stretch to buster failure

I have updated pi3 from stretch to buster

lighttpd failed to start, was able to solve that but now letsencrypt appears to fail

    pi@vorman:/var/www/html/owncloud $ /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
    2020-03-30 08:44:18: (configfile.c.1599) server.upload-dirs doesn't exist: /var/cache/lighttpd/uploads
    2020-03-30 08:44:18: (mod_openssl.c.445) SSL: BIO_read_filename('/etc/letsencrypt/live/vorman.mooo.com/combined.pem') failed
    2020-03-30 08:44:18: (server.c.1183) Initialization of plugins failed. Going down.

    ls -la /etc/letsencrypt/live/vorman.mooo.com

You should configure lighttpd to use fullchain.pem in that directory. If that directory is empty… go for certbot update_symlinks

    pi@vorman:/var/www/html/owncloud $ sudo ls -la /etc/letsencrypt/live/vorman.mooo.com
    total 24
    drwxr-xr-x 2 root root 4096 Mar 3 19:58 .
    drwx------ 3 root root 4096 Sep 26 2018 ..
    lrwxrwxrwx 1 root root 39 Mar 3 18:36 cert.pem -> ../../archive/vorman.mooo.com/cert7.pem
    lrwxrwxrwx 1 root root 40 Mar 3 18:36 chain.pem -> ../../archive/vorman.mooo.com/chain7.pem
    -rw-r--r-- 1 root root 5262 Mar 3 20:02 combined.pem
    -rw-r--r-- 1 root root 3558 Mar 3 19:58 combined.pem.bk
    lrwxrwxrwx 1 root root 44 Mar 3 18:36 fullchain.pem -> ../../archive/vorman.mooo.com/fullchain7.pem
    lrwxrwxrwx 1 root root 42 Mar 3 18:36 privkey.pem -> ../../archive/vorman.mooo.com/privkey7.pem
    -rw-r--r-- 1 root root 682 Sep 26 2018 README

your lighttpd config should look like:

    ssl.privkey= "/etc/letsencrypt/live/certname/privkey.pem" 
    ssl.pemfile= "/etc/letsencrypt/live/certname/cert.pem" 
    ssl.ca-file= "/etc/letsencrypt/live/certname/chain.pem"

if you need to use cert and chain in a single file, that’s fullchain.pem

thanks

this was working fine in stretch

does it change for buster?

    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/vorman.mooo.com/combined.pem"
        ssl.ca-file = "/etc/letsencrypt/live/vorman.mooo.com/fullchain.pem"
    }

see

your combined.pem is cert and key, I get it now. change to the config I gave you, there’s some issue with your config (user permissions maybe?)

permissions - confused, is the issue lighty or letsencrypt?

    4.0K -rw-r--r-- 1 root root 2.4K Mar 30 08:28 /etc/lighttpd/lighttpd.conf

I think lighty might not be able to read those files. On why, I have no idea. Thus I suggested you use the certbot-native symbolic links with their configs in lighty (there’s no need to combine cert and key)

https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
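The thread so far turns on what each PEM file contains (combined.pem is cert and key) and who can read it (the listing shows combined.pem as -rw-r--r--). The following is an added example, not posted by any participant: a POSIX shell check that classifies PEM files and flags any file holding a private key that group or other can read. The function names are hypothetical and the sample files are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the thread): report what each PEM file holds and
# whether a file containing a private key is readable by group or other.

pem_kind() {   # prints: missing | unreadable | cert | key | cert+key | none
    [ -e "$1" ] || { echo missing; return 0; }
    [ -r "$1" ] || { echo unreadable; return 0; }
    c=0; k=0
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then c=1; fi
    if grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"; then k=1; fi
    case "$c$k" in
        11) echo cert+key ;;
        10) echo cert ;;
        01) echo key ;;
        *)  echo none ;;
    esac
}

group_other_readable() {   # exit 0 if group or other has the read bit (symlinks followed)
    case "$(ls -ldL "$1" | cut -c1-10)" in
        ????r*|???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

audit_pem() {   # one line per file: "<path>: <kind>[ EXPOSED-KEY]"
    for f in "$@"; do
        kind=$(pem_kind "$f"); flag=""
        case "$kind" in
            key|cert+key) if group_other_readable "$f"; then flag=" EXPOSED-KEY"; fi ;;
        esac
        printf '%s: %s%s\n' "$f" "$kind" "$flag"
    done
}

make_samples() {   # constructed placeholder files; bodies are not real key material
    body='Q09OU1RSVUNURUQ='
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' > "$1/cert.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' "$body" '-----END PRIVATE KEY-----' > "$1/privkey.pem"
    cat "$1/privkey.pem" "$1/cert.pem" > "$1/combined.pem"
    chmod 600 "$1/privkey.pem"; chmod 644 "$1/cert.pem" "$1/combined.pem"
}

# Demo on constructed files, including one path that does not exist.
d=$(mktemp -d) && make_samples "$d"
audit_pem "$d/cert.pem" "$d/privkey.pem" "$d/combined.pem" "$d/absent.pem"
rm -rf "$d"
```

The file mode bits are only one layer: in the listing above the parent of the live directory is drwx------ root, so a non-root user cannot reach combined.pem through that path even though the file itself is -rw-r--r--.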

I think combine is a lighttpd requisite

mine works fine without: https://natmachine.qualcuno.xyz:25003

what is certbot-native symbolic?

the files in /etc/letsencrypt/live/certname/ that are created by certbot itself instead of you

when I check the cert I see it is installed correctly

TLS Certificate is correctly installed

Congratulations! This certificate is correctly installed.

don't remember why I had to use combined, anyway I tried putting the files like you mentioned and get this error

    root@vorman:~/lets# ./certbot-auto update_symlinks
    Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
    Traceback (most recent call last):
      File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
        from certbot.main import main
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 2, in <module>
        from certbot._internal import main as internal_main
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 6, in <module>
        import logging.handlers
      File "/usr/lib/python2.7/logging/__init__.py", line 26, in <module>
        import sys, os, time, cStringIO, traceback, warnings, weakref, collections
      File "/usr/lib/python2.7/weakref.py", line 14, in <module>
        from _weakref import (
    ImportError: cannot import name _remove_dead_weakref

Just rename or delete the /opt/eff.org/certbot/ directory.

That will make certbot-auto reinstall itself next time you run it.

It was built against your previous OS and needs to be rebuilt.

got this error with --renew flag

    usage:
    certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

    Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
    it will attempt to use a webserver both for obtaining and installing the
    certificate.
    certbot: error: ambiguous option: --renew could match --renew-by-default, --renew-with-new-domains, --renew-hook

That behavior with --renew is correct—there is no such option as --renew. Is it possible that you meant certbot-auto renew rather than certbot-auto --renew?

(Some actions in Certbot are considered “verbs” or “subcommands” rather than “options”; that includes renew.)
