Issues updating Certbot from 0.26 - Segmentation fault on 0.31.0

I have had certbot (letsencrypt) installed for some time on my Ubuntu Server
Hardware: Hardkernel Odroid XU4

The operating system my web server runs on is (include version):
odroid@odroid:~$ sudo uname -a
Linux odroid 4.14.157-171 #1 SMP PREEMPT Wed Dec 4 08:21:54 -03 2019 armv7l armv7l armv7l GNU/Linux
My domain is:bothma.org.za

My web server is (include version):
odroid@odroid:~$ nginx -v
nginx version: nginx/1.17.5

I have tried to upgrade it with the folowing commands:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

After which i noticed that both the new and old ones are installed, i proceeded to rename them as follows:
Old (0.26)
which certbot.bak
/usr/local/bin/certbot.bak
Newly installed (0.31)
which certbot
/usr/bin/certbot

When i try and update i keep getting segmentation faults on the new version, while the old version seems to run fine (except for the fact that it gets an error as it uses TLS-SNI-01 validation)

What have i done:
I have purged and reinstalled certbot
I have manually removed (and backed up the old certbot folders:var.lib.letsencrypt) and then freshly installed the latest certbot
I have run the folowing command to remove all references to sni-01:

sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak

When i run the following commands on the old vs the new version i get the folowing results:
Old-

sudo certbot.bak renew --dry-run -vvvvvv
Root logging level set at -40
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/bothma.org.za.conf


Requested authenticator <certbot.cli._Default object at 0xb5d2ee90> and installer <certbot.cli._Default object at 0xb5d2ee90>
Var dry_run=True (set by user).
Var server=set([‘staging’, ‘dry_run’]) (set by user).
Var dry_run=True (set by user).
Var server=set([‘staging’, ‘dry_run’]) (set by user).
Var account=set([‘server’]) (set by user).
Cert not due for renewal, but simulating renewal for dry run
Requested authenticator nginx and installer nginx
Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0xb5d179d0>
Prep: True
Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0xb5d179d0>
Prep: True
Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0xb5d179d0> and installer <certbot_nginx.configurator.NginxConfigurator object at 0xb5d179d0>
Plugins selected: Authenticator nginx, Installer nginx
Picked account: <Account(RegistrationResource(body=Registration(status=u’valid’, terms_of_service_agreed=None, agreement=u’https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’, only_return_existing=None, contact=(), key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0xb5d2ef10>)>)), uri=u’https://acme-staging.api.letsencrypt.org/acme/reg/5834657’, new_authzr_uri=u’https://acme-staging.api.letsencrypt.org/acme/new-authz’, terms_of_service=u’https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’), c23ead3c7c3965ed2c639cf050d6f0e7, Meta(creation_host=u’odroid’, creation_dt=datetime.datetime(2018, 3, 30, 4, 41, 32, tzinfo=)))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
https://acme-staging-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 724
Received response:
HTTP 200
Server: nginx
Date: Tue, 14 Jan 2020 05:46:29 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

The new version gets a segmentation fault after sending get request as per below.
sudo python3 /usr/bin/certbot renew --dry-run -vvvv
Root logging level set at -20
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/bothma.org.za.conf


Requested authenticator <certbot.cli._Default object at 0xb3836ab0> and installer <certbot.cli._Default object at 0xb3836ab0>
Var dry_run=True (set by user).
Var server={‘staging’, ‘dry_run’} (set by user).
Var dry_run=True (set by user).
Var server={‘staging’, ‘dry_run’} (set by user).
Var account={‘server’} (set by user).
Cert not due for renewal, but simulating renewal for dry run
Requested authenticator nginx and installer nginx
Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0xb388a3f0>
Prep: True
Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0xb388a3f0>
Prep: True
Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0xb388a3f0> and installer <certbot_nginx.configurator.NginxConfigurator object at 0xb388a3f0>
Plugins selected: Authenticator nginx, Installer nginx
Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0xb37be450>)>), contact=(), agreement=‘https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’, status=‘valid’, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri=‘https://acme-staging.api.letsencrypt.org/acme/reg/5834657’, new_authzr_uri=‘https://acme-staging.api.letsencrypt.org/acme/new-authz’, terms_of_service=‘https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’), c23ead3c7c3965ed2c639cf050d6f0e7, Meta(creation_dt=datetime.datetime(2018, 3, 30, 4, 41, 32, tzinfo=), creation_host=‘odroid’))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
Segmentation fault

Tail of log:
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0xb38d19d0>
Prep: True
2020-01-14 08:01:01,371:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0xb38d19d0> and instal$
2020-01-14 08:01:01,371:INFO:certbot.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2020-01-14 08:01:01,379:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.haz$
2020-01-14 08:01:01,383:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2020-01-14 08:01:01,388:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443

1 Like

UPDATE
I ended up fixing the segmentation fault, it ended up being the result of version confilcts with certbot-nginx installed via pip3.

I uninstalled all certbot pip versions (as they were version 1.0, and my distro PPA version is still on 0.31)
sudo -H python3 -m pip uninstall certbot-nginx

The post that helped was My certbot got broken (error of version conflict)

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.