Trying to renew my letsencrypt certs on OpenBSD 5.9.
I can't find any other command than letsencrypt-renewer to do so, and it is resulting in this output. How to solve this?:
letsencrypt-renewer
Processing domain.conf
/usr/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
Traceback (most recent call last):
  File "/usr/local/bin/letsencrypt-renewer", line 9, in <module>
    load_entry_point('letsencrypt==0.3.0', 'console_scripts', 'letsencrypt-renewer')()
  File "/usr/local/lib/python2.7/site-packages/letsencrypt/renewer.py", line 203, in main
    renew(cert, old_version)
  File "/usr/local/lib/python2.7/site-packages/letsencrypt/renewer.py", line 97, in renew
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(sans)
  File "/usr/local/lib/python2.7/site-packages/letsencrypt/client.py", line 264, in obtain_certificate
    csr = crypto_util.init_save_csr(key, domains, self.config.csr_dir)
  File "/usr/local/lib/python2.7/site-packages/letsencrypt/crypto_util.py", line 78, in init_save_csr
    csr_pem, csr_der = make_csr(privkey.pem, names)
  File "/usr/local/lib/python2.7/site-packages/letsencrypt/crypto_util.py", line 118, in make_csr
    value=", ".join("DNS:%s" % d for d in domains)
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/crypto.py", line 651, in __init__
    extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx, type_name, value)
TypeError: initializer for ctype 'char *' must be a str or list or tuple, not unicode
By running letsencrypt-renewer -vvv I get some more info:
2016-07-31 20:32:17,679:DEBUG:letsencrypt.cli:Root logging level set at 0
2016-07-31 20:32:17,681:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/renewer.log
Processing domain.conf
2016-07-31 20:32:17,693:DEBUG:letsencrypt.storage:Should renew, less than 30 days before certificate expiry 2016-08-15 20:03:00 UTC.
2016-07-31 20:32:17,982:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-07-31 20:32:17,989:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
and some more… can’t really see if they are confidential, so I will rather not post them.
Hmm. It really does look like somehow it’s choking on an unexpected Unicode character.
I don’t know enough about the internals of certbot / the Let’s Encrypt client code to be sure where this list it’s contemplating “for d in domains” comes from, but two parallel ideas come to mind:
Maybe the problem is only an encoding issue, that somehow the string it ends up with is Python’s Unicode type, when it could just as well be a plain ASCII str type, and all that’s needed is a cast to “fix” the type.
Maybe there is truly a character that cannot be expressed in ASCII and so that needs to be eliminated, since Let’s Encrypt won’t certify that even if we managed to encode it and send it over.
Sorry, my musings might not be much help, but I understand why you’re anxious with a certificate that expires in less than two weeks.
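A way to tell the two possibilities in the reply above apart, as an added example that is not part of the original posts and not code from the letsencrypt client: it classifies each domain name as already a byte string, text that is pure ASCII (type-only problem), or genuinely non-ASCII, and builds the subjectAltName value as bytes. The function names and the sample domains are hypothetical.

```python
# Added example; classify_domain and build_san_value are hypothetical helpers,
# not functions from letsencrypt or pyOpenSSL.
# Runs on Python 2 (unicode vs. str) and Python 3 (str vs. bytes).


def classify_domain(name):
    """Return (status, ascii_bytes) for one domain name.

    status is 'ok'        -> already a byte string containing only ASCII
              'type-only' -> text type, but every character is ASCII
              'non-ascii' -> contains a character outside ASCII
    """
    if isinstance(name, bytes):
        try:
            name.decode("ascii")
        except UnicodeDecodeError:
            return "non-ascii", None
        return "ok", name
    try:
        return "type-only", name.encode("ascii")
    except UnicodeEncodeError:
        return "non-ascii", None


def build_san_value(domains):
    """Build the 'DNS:a, DNS:b' subjectAltName value as ASCII bytes.

    Raises ValueError naming every domain that cannot be expressed in
    ASCII, instead of failing later inside the C binding.
    """
    encoded, bad = [], []
    for d in domains:
        status, raw = classify_domain(d)
        if status == "non-ascii":
            bad.append(d)
        else:
            encoded.append(b"DNS:" + raw)
    if bad:
        raise ValueError("non-ASCII domain names: %r" % (bad,))
    return b", ".join(encoded)


if __name__ == "__main__":
    # Constructed sample input, not taken from the poster's configuration.
    sample = [u"example.org", b"www.example.org"]
    print([classify_domain(d)[0] for d in sample])
    print(build_san_value(sample))
```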
I don’t really have anything to add to what @tialaramex said - the client version included in OpenBSD 5.9 is fairly old in terms of the changes that have happened since, especially in the renewal area, so this is a bit tricky.
As a workaround, renewing certificates is also possible using the regular letsencrypt certonly ... command. With --keep-until-expiring, you can even put that in a daily cronjob and have the client figure out when it’s actually time to renew (30 days prior to expiration by default). Snapshot has a more up-to-date version of certbot (formerly known as letsencrypt), so this should all go away with the next major OpenBSD release.