Letsencrypt-renewer fails on OpenBSD 5.9


#1

Sorry… I am new to this forum…

Trying to renew my letsencrypt certs on OpenBSD 5.9.

I can't find any other command than letsencrypt-renewer to do so, and it is resulting in this output. How do I solve this?

letsencrypt-renewer

Processing domain.conf
/usr/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
Traceback (most recent call last):
File "/usr/local/bin/letsencrypt-renewer", line 9, in <module>
load_entry_point('letsencrypt==0.3.0', 'console_scripts', 'letsencrypt-renewer')()
File "/usr/local/lib/python2.7/site-packages/letsencrypt/renewer.py", line 203, in main
renew(cert, old_version)
File "/usr/local/lib/python2.7/site-packages/letsencrypt/renewer.py", line 97, in renew
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(sans)
File "/usr/local/lib/python2.7/site-packages/letsencrypt/client.py", line 264, in obtain_certificate
csr = crypto_util.init_save_csr(key, domains, self.config.csr_dir)
File "/usr/local/lib/python2.7/site-packages/letsencrypt/crypto_util.py", line 78, in init_save_csr
csr_pem, csr_der = make_csr(privkey.pem, names)
File "/usr/local/lib/python2.7/site-packages/letsencrypt/crypto_util.py", line 118, in make_csr
value=", ".join("DNS:%s" % d for d in domains)
File "/usr/local/lib/python2.7/site-packages/OpenSSL/crypto.py", line 651, in __init__
extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx, type_name, value)
TypeError: initializer for ctype 'char *' must be a str or list or tuple, not unicode

Best regards, Lars.


#2

Does your domain.conf contain unicode characters by any chance?


#3

Not as far as I can see… I mean I have the:

export LC_CTYPE="da_DK.UTF-8"

in my environment but I can’t find any non-US letters in that file, no.

Regards, Lars.


#4

conf file anonymized:

cert = /etc/letsencrypt/live/file/cert.pem
privkey = /etc/letsencrypt/live/file/privkey.pem
chain = /etc/letsencrypt/live/file/chain.pem
fullchain = /etc/letsencrypt/live/file/fullchain.pem

# Options and defaults used in the renewal process

[renewalparams]
no_self_upgrade = False
no_verify_ssl = False
ifaces = None
register_unsafely_without_email = False
uir = None
installer = none
config_dir = /etc/letsencrypt
text_mode = True
staging = False
prepare = False
work_dir = /var/db/letsencrypt
tos = False
init = False
http01_port = 80
duplicate = False
noninteractive_mode = False
key_path = None
nginx = False
fullchain_path = /home/someone/chain.pem
email = None
csr = None
agree_dev_preview = None
redirect = None
verbose_count = -3
config_file = None
renew_by_default = False
hsts = False
authenticator = standalone
domains = ,
rsa_key_size = 4096
verb = certonly
checkpoints = 1
manual_test_mode = False
apache = False
cert_path = /home/someone/cert.pem
webroot_path = None
reinstall = False
expand = False
strict_permissions = False
account = 1f7b5432a4c23e2eeb480c9c326186a2
manual_public_ip_logging_ok = False
chain_path = /home/someone/chain.pem
break_my_certs = False
standalone = False
manual = False
server = https://acme-v01.api.letsencrypt.org/directory
standalone_supported_challenges = "tls-sni-01,http-01"
webroot = False
os_packages_only = False
func = <function obtain_cert at 0x1b36456b1b18>
user_agent = None
debug = False
tls_sni_01_port = 443
logs_dir = /var/log/letsencrypt
configurator = None
[[webroot_map]]

By running letsencrypt-renewer -vvv I get some more info:

2016-07-31 20:32:17,679:DEBUG:letsencrypt.cli:Root logging level set at 0
2016-07-31 20:32:17,681:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/renewer.log
Processing domain.conf
2016-07-31 20:32:17,693:DEBUG:letsencrypt.storage:Should renew, less than 30 days before certificate expiry 2016-08-15 20:03:00 UTC.
2016-07-31 20:32:17,982:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-07-31 20:32:17,989:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

and some more… I can't really see if they are confidential, so I would rather not post them.

Regards, Lars.


#5

Anyone?

Regards, Lars.


#6

Hmm. It really does look like somehow it’s choking on an unexpected Unicode character.

I don't know enough about the internals of certbot / the Let's Encrypt client code to be sure where this list it's contemplating "for d in domains" comes from, but two parallel ideas come to mind:

  1. Maybe the problem is only an encoding issue, that somehow the string it ends up with is Python’s Unicode type, when it could just as well be a plain ASCII str type, and all that’s needed is a cast to “fix” the type.

  2. Maybe there is truly a character that cannot be expressed in ASCII and so that needs to be eliminated, since Let’s Encrypt won’t certify that even if we managed to encode it and send it over.

Sorry, my musings might not be much help, but I understand why you’re anxious with a certificate that expires in less than two weeks.
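The two ideas above, as an added example that is not code from the letsencrypt client or from anyone in this thread. The traceback shows pyOpenSSL handing the subjectAltName value to OpenSSL through cffi as a C `char *`, which on Python 2 must be a byte `str`; as soon as one element of `domains` is `unicode`, the `", ".join(...)` in make_csr yields `unicode` and cffi raises the TypeError seen in #1. The helper below builds the same `DNS:a, DNS:b` value but always returns bytes (idea 1), lists any name that cannot be expressed in ASCII (idea 2), and can optionally punycode-encode such names with Python's `idna` codec for a CA that accepts them (an assumption; the thread does not say Let's Encrypt would). `_as_c_char_p` only imitates cffi's type check, it is not cffi; all function names are the example's own. It runs on Python 2.7 and 3.

```python
# -*- coding: utf-8 -*-
# Added example (not from the letsencrypt client): build an X509v3
# subjectAltName value the way make_csr does, but as bytes, which is what
# cffi needs for a C ``char *``. Works on Python 2.7 and Python 3.


def _as_c_char_p(value):
    """Stand-in for cffi's argument check (assumption: cffi itself is not used here).

    cffi accepts only a byte string for ``char *``; a text string
    (``unicode`` on 2.7, ``str`` on 3) triggers the TypeError from the thread.
    """
    if not isinstance(value, bytes):
        raise TypeError("initializer for ctype 'char *' must be bytes, not %s"
                        % type(value).__name__)
    return value


def non_ascii_names(domains):
    """Idea 2: return the names that cannot be expressed in ASCII at all."""
    bad = []
    for d in domains:
        text = d.decode("utf-8") if isinstance(d, bytes) else d
        try:
            text.encode("ascii")
        except UnicodeEncodeError:
            bad.append(text)
    return bad


def _ascii_name(domain, idna):
    """Normalise one name and return it as ASCII bytes."""
    text = domain.decode("utf-8") if isinstance(domain, bytes) else domain
    text = text.strip().rstrip(".").lower()  # case and trailing dot are not part of a SAN
    if not text:
        raise ValueError("empty domain name")
    try:
        return text.encode("ascii")          # idea 1: the text was plain ASCII all along
    except UnicodeEncodeError:
        if not idna:
            raise ValueError("non-ASCII domain name %r; drop it or pass idna=True" % text)
        return text.encode("idna")           # punycode (xn--...), only if the CA accepts it


def make_san_value(domains, idna=False):
    """Return b"DNS:a, DNS:b" for the given names, as bytes for X509V3_EXT_nconf."""
    parts = [b"DNS:" + _ascii_name(d, idna) for d in domains]
    if not parts:
        raise ValueError("at least one domain is required")
    # bytes joined with a bytes separator stays bytes; the original
    # ", ".join(...) turned the whole value into unicode once one name was.
    return _as_c_char_p(b", ".join(parts))
```

The separator matters as much as the elements: in Python 2 a `unicode` element silently promotes the whole joined value, so checking the final type (as `_as_c_char_p` does) catches the problem at the boundary where cffi would.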


#7

I don’t really have anything to add to what @tialaramex said - the client version included in OpenBSD 5.9 is fairly old in terms of the changes that have happened since, especially in the renewal area, so this is a bit tricky.

As a workaround, renewing certificates is also possible using the regular letsencrypt certonly ... command. With --keep-until-expiring, you can even put that in a daily cronjob and have the client figure out when it’s actually time to renew (30 days prior to expiration by default). Snapshot has a more up-to-date version of certbot (formerly known as letsencrypt), so this should all go away with the next major OpenBSD release. :smile:


#8

Thank you for your support, both of you. I have now renewed my certificates. If only HP and Microsoft support was half as good!!!

Only problem is I have to stop httpd to renew the certs. It is an SSL reverse proxy, so there are no www-roots there )-:

Hope renewal gets easier… I do not want to bother with this more than 4 times a year…

Thanks again… I can sleep good tonight (-;

Regards, Lars.
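The workaround from #7 (a daily cron job running `letsencrypt certonly` with `--keep-until-expiring`) together with the constraint from #8 (httpd is a TLS reverse proxy with no web root, so the standalone authenticator can only bind ports 80/443 while httpd is stopped), as an added example that is not part of this thread or of the letsencrypt client. The script reads the certificate's notAfter date through the openssl CLI and stops httpd only when fewer than 30 days remain, the same threshold the client uses, so the proxy is not taken down every day for nothing, and it restarts httpd even if the renewal fails. Assumptions: OpenBSD's `rcctl` manages httpd, `openssl` and `letsencrypt` are on PATH, the installed client accepts `--non-interactive` (a flag not mentioned on the page), and the certificate path and domain names are passed on the command line; `ssl.cert_time_to_seconds` is taken to parse the `GMT` timestamp as UTC, which is Python 3.5+ behaviour.

```python
#!/usr/bin/env python3
# Added example, not code from this thread or the letsencrypt client.
# Daily cron wrapper: renew with the standalone authenticator only when the
# certificate is close to expiry, stopping httpd (the TLS reverse proxy from
# #8) just for the renewal. Assumptions: OpenBSD rcctl, openssl and
# letsencrypt on PATH, --non-interactive accepted by the installed client.
import ssl
import subprocess
import sys
import time

RENEW_DAYS = 30  # renew when fewer than this many days remain (client default)


def parse_openssl_enddate(line):
    """Epoch seconds from one line of 'openssl x509 -noout -enddate' output.

    Example input, constructed from the expiry date in the -vvv log above:
    'notAfter=Aug 15 20:03:00 2016 GMT'
    """
    key, sep, value = line.strip().partition("=")
    if not sep or key != "notAfter":
        raise ValueError("unexpected openssl output: %r" % line)
    # Python 3.5+ reads the GMT timestamp as UTC, so there is no local-time skew.
    return ssl.cert_time_to_seconds(value)


def should_renew(not_after, now, days=RENEW_DAYS):
    """True when fewer than `days` days remain before not_after (or it has passed)."""
    return not_after - now <= days * 86400


def cert_not_after(cert_path):
    """Read notAfter of a PEM certificate through the openssl CLI."""
    out = subprocess.check_output(
        ["openssl", "x509", "-noout", "-enddate", "-in", cert_path])
    return parse_openssl_enddate(out.decode("ascii"))


def renew_standalone(domains):
    """Stop httpd, let the standalone authenticator answer on :80/:443, restart httpd."""
    cmd = ["letsencrypt", "certonly", "--standalone", "--keep-until-expiring",
           "--non-interactive"]
    for d in domains:
        cmd += ["-d", d]
    subprocess.check_call(["rcctl", "stop", "httpd"])
    try:
        return subprocess.call(cmd)  # the client's exit status becomes ours
    finally:
        # Always bring the proxy back, even if the renewal failed.
        subprocess.check_call(["rcctl", "start", "httpd"])


def main(argv):
    if len(argv) < 3:
        sys.stderr.write("usage: %s /etc/letsencrypt/live/NAME/cert.pem DOMAIN...\n"
                         % argv[0])
        return 2
    cert_path, domains = argv[1], argv[2:]
    if not should_renew(cert_not_after(cert_path), int(time.time())):
        return 0  # nothing to do; httpd is never touched
    return renew_standalone(domains)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from root's crontab once a day with the live cert path and the names on the certificate; on most days it exits without stopping anything, and in the renewal window the proxy is down only for the length of one ACME exchange.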

