Let's Encrypt Renewal error in Apache2 Ubuntu 16.0.4


I got an error during the Let’s Encrypt renewal process.

Can anyone help me in solving this issue.

Below is the ERROR which I have noticed.

2017-01-23 06:48:04,083:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/domain.name.conf produced an unexpected error: Deserialization error: Wrong directory fields. Skipping.

2017-01-23 06:48:04,095:DEBUG:letsencrypt.cli:Traceback was:
Traceback (most recent call last):
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 1017, in renew
obtain_cert(lineage_config, plugins, renewal_candidate)
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 689, in obtain_cert
le_client = _init_le_client(config, authenticator, installer)
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 213, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
File “/usr/lib/python2.7/dist-packages/letsencrypt/client.py”, line 183, in init
acme = acme_from_config_key(config, self.account.key)
File “/usr/lib/python2.7/dist-packages/letsencrypt/client.py”, line 41, in acme_from_config_key
return acme_client.Client(config.server, key=key, net=net)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 63, in init
File “/usr/lib/python2.7/dist-packages/acme/messages.py”, line 169, in from_json
raise jose.DeserializationError(str(error))
DeserializationError: Deserialization error: Wrong directory fields

2017-01-23 06:48:04,097:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/letsencrypt”, line 9, in
load_entry_point(‘letsencrypt==0.4.1’, ‘console_scripts’, ‘letsencrypt’)()
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 1986, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 1034, in renew
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

LE renewal error apache2, ubuntu 16.04 LTS

Hi @pakhil,

This error is usually caused by an outdated ACME client that doesn’t understand a new directory field added on the server side.

What client are you using? Is it the latest version? Have you tried updating it?


Thanks @cpu

We have installed Let’s Encrypt client (python-letsencrypt-apache) from the official repositories of Ubuntu 16.04.

We have tried to update the client using the command
sudo apt-get install python-letsencrypt-apache

We have got this message -

Reading package lists… Done
Building dependency tree
Reading state information… Done
python-letsencrypt-apache is already the newest version (0.4.1-1).
0 upgraded, 0 newly installed, 0 to remove and 162 not upgraded.

Is there any specific way to update the Let’s Encrypt client. Please provide me.
How to overcome this issue.


Hi @Pakhil. Yes, this seems like a likely cause for the problem. You’re using version 0.4.1-1 which is quite a bit older than the current release (0.10.1). I believe you can follow these instructions to use the Certbot auto installer to install the latest version.

@bmw, @erica, @schoen Do you know a better way to upgrade from 0.4.1-1 without losing state on 16.04? Am I correct in assuming that the deserialization error @pakhil is experiencing is from the old certbot?


certbot-auto is currently the best way to upgrade to a newer version on Ubuntu 16.04, although we’re very close to getting newer packages in their repo (see https://bugs.launchpad.net/ubuntu/+source/python-letsencrypt/+bug/1640978?comments=all).

With that said, letsencrypt in Ubuntu’s repos should still be usable and we currently recommend using it over certbot-auto. The one caveat to this is the User-Agent string of letsencrypt in Ubuntu should not be modified. It is being used by Let’s Encrypt to keep compatibility with this older client. If you’re changing your UA in the command line, configuration file, or with an external program, stopping this will solve your problem. If you need/want to modify your UA string, you should upgrade to a newer version of the client with certbot-auto.

Hope this helps!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.