Need to update from certbot-auto 1.8.0

Debian Buster on VPS with nginx.

certbot --version
1.8.0

Warning: Potential Security Risk Ahead
The certificate for bridge.noisebridge.info expired on 12/16/2020.

Error code: SEC_ERROR_EXPIRED_CERTIFICATE

https://www.noisebridge.net/wiki/Unicorn

$ /home/noisebridge/bin/recert
Requesting to rerun /home/noisebridge/repos/certbot/certbot-auto with root privileges...

Your system is not supported by certbot-auto anymore.
Certbot will no longer receive updates.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
An unexpected error occurred:
ReadTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
Please see the logfiles in /var/log/letsencrypt for more details.

Any guidance and suggestions appreciated!

Hi @sunjam,

You can find the right way to install Certbot for your system using https://certbot.eff.org/instructions.

However, this error message is probably not related to your certbot-auto installation. It instead suggests that your system can't connect to the Let's Encrypt API server.

What is the output of:

curl -v -m10 https://acme-v02.api.letsencrypt.org/directory
mtr --report -c 30 acme-v02.api.letsencrypt.org

$ curl -v -m10 https://acme-v02.api.letsencrypt.org/directory

  • Expire in 0 ms for 6 (transfer 0x560225051a90)
  • Expire in 10000 ms for 8 (transfer 0x560225051a90)
  • Expire in 1 ms for 1 (transfer 0x560225051a90)
  • Expire in 0 ms for 1 (transfer 0x560225051a90)
  • Expire in 2 ms for 1 (transfer 0x560225051a90)
  • Expire in 2 ms for 1 (transfer 0x560225051a90)
  • Expire in 2 ms for 1 (transfer 0x560225051a90)
  • Expire in 2 ms for 1 (transfer 0x560225051a90)
  • Expire in 2 ms for 1 (transfer 0x560225051a90)
  • Expire in 2 ms for 1 (transfer 0x560225051a90)
  • Expire in 2 ms for 1 (transfer 0x560225051a90)
  • Expire in 3 ms for 1 (transfer 0x560225051a90)
  • Expire in 3 ms for 1 (transfer 0x560225051a90)
  • Expire in 4 ms for 1 (transfer 0x560225051a90)
  • Expire in 4 ms for 1 (transfer 0x560225051a90)
  • Expire in 4 ms for 1 (transfer 0x560225051a90)
  • Expire in 4 ms for 1 (transfer 0x560225051a90)
  • Expire in 5 ms for 1 (transfer 0x560225051a90)
  • Expire in 5 ms for 1 (transfer 0x560225051a90)
  • Expire in 4 ms for 1 (transfer 0x560225051a90)
  • Expire in 6 ms for 1 (transfer 0x560225051a90)
  • Expire in 6 ms for 1 (transfer 0x560225051a90)
  • Expire in 8 ms for 1 (transfer 0x560225051a90)
  • Expire in 7 ms for 1 (transfer 0x560225051a90)
  • Expire in 7 ms for 1 (transfer 0x560225051a90)
  • Expire in 8 ms for 1 (transfer 0x560225051a90)
  • Expire in 8 ms for 1 (transfer 0x560225051a90)
  • Expire in 8 ms for 1 (transfer 0x560225051a90)
  • Expire in 8 ms for 1 (transfer 0x560225051a90)
  • Expire in 10 ms for 1 (transfer 0x560225051a90)
  • Expire in 10 ms for 1 (transfer 0x560225051a90)
  • Expire in 8 ms for 1 (transfer 0x560225051a90)
  • Expire in 11 ms for 1 (transfer 0x560225051a90)
  • Expire in 11 ms for 1 (transfer 0x560225051a90)
  • Expire in 16 ms for 1 (transfer 0x560225051a90)
  • Expire in 14 ms for 1 (transfer 0x560225051a90)
  • Expire in 14 ms for 1 (transfer 0x560225051a90)
  • Expire in 16 ms for 1 (transfer 0x560225051a90)
  • Expire in 15 ms for 1 (transfer 0x560225051a90)
  • Expire in 15 ms for 1 (transfer 0x560225051a90)
  • Expire in 16 ms for 1 (transfer 0x560225051a90)
  • Expire in 50 ms for 1 (transfer 0x560225051a90)
  • Expire in 50 ms for 1 (transfer 0x560225051a90)
  • Expire in 32 ms for 1 (transfer 0x560225051a90)
  • Expire in 50 ms for 1 (transfer 0x560225051a90)
  • Expire in 50 ms for 1 (transfer 0x560225051a90)
  • Expire in 32 ms for 1 (transfer 0x560225051a90)
  • Expire in 50 ms for 1 (transfer 0x560225051a90)
  • Expire in 50 ms for 1 (transfer 0x560225051a90)
  • Expire in 64 ms for 1 (transfer 0x560225051a90)
  • Expire in 50 ms for 1 (transfer 0x560225051a90)
  • Expire in 50 ms for 1 (transfer 0x560225051a90)
  • Expire in 64 ms for 1 (transfer 0x560225051a90)
  • Expire in 50 ms for 1 (transfer 0x560225051a90)
  • Expire in 50 ms for 1 (transfer 0x560225051a90)
  • Expire in 64 ms for 1 (transfer 0x560225051a90)
  • Expire in 50 ms for 1 (transfer 0x560225051a90)
  • Expire in 50 ms for 1 (transfer 0x560225051a90)
  • Expire in 64 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 64 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 128 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 250 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 250 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 250 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 250 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 250 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 250 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Expire in 200 ms for 1 (transfer 0x560225051a90)
  • Trying 172.65.32.248...
  • TCP_NODELAY set
  • Expire in 4366 ms for 3 (transfer 0x560225051a90)
  • Expire in 200 ms for 4 (transfer 0x560225051a90)
  • Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
  • TCP_NODELAY set
  • Expire in 4366 ms for 3 (transfer 0x560225051a90)
  • Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable
  • Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: none
    CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: CN=acme-v01.api.letsencrypt.org
  • start date: Dec 4 21:42:36 2020 GMT
  • expire date: Mar 4 21:42:36 2021 GMT
  • subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
  • issuer: C=US; O=Let's Encrypt; CN=R3
  • SSL certificate verify ok.
  • Using HTTP2, server supports multi-use
  • Connection state changed (HTTP/2 confirmed)
  • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  • Using Stream ID: 1 (easy handle 0x560225051a90)

GET /directory HTTP/2
Host: acme-v02.api.letsencrypt.org
User-Agent: curl/7.64.0
Accept: */*


$ mtr --report -c 30 acme-v02.api.letsencrypt.org
Start: 2020-12-17T00:27:34-0600
HOST:                             Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 23-227-160-129.static.hvv 33.3%    30  725.0 677.8 351.9 981.4 211.3
  2.|-- 10.253.17.69              50.0%    30  713.6 589.1 260.2 1000. 225.4
  3.|-- 10.253.17.113             53.3%    30  846.9 633.5 296.1 1138. 230.1
  4.|-- ???                       100.0    30    0.0   0.0   0.0   0.0   0.0
  5.|-- ???                       100.0    30    0.0   0.0   0.0   0.0   0.0
  6.|-- 10.253.16.13              36.7%    30  651.7 600.1 322.8 1015. 184.2
  7.|-- 10.253.16.2               53.3%    30  712.6 703.8 317.6 990.9 193.1
  8.|-- ipv4.de-cix.dfw.us.as1333 33.3%    30  639.9 653.0 187.9 979.0 229.6
  9.|-- 172.65.32.248             46.7%    30  603.0 623.0 395.1 862.3 152.0

Thanks.

Both of those look good, no problems. It looks like it's a specific operation during renewal that timed out.

Could you also post the contents of /var/log/letsencrypt/letsencrypt.log after running recert?

Huh, it managed to communicate quite a lot with the Let's Encrypt server before this failure.

If you run the recert again, do you get the same error?


I believe so.


$ /home/noisebridge/bin/recert
Requesting to rerun /home/noisebridge/repos/certbot/certbot-auto with root privileges...
Your system is not supported by certbot-auto anymore.
Certbot will no longer receive updates.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bridge.noisebridge.info
http-01 challenge for doc.noisebridge.info
http-01 challenge for gossip.noisebridge.info
http-01 challenge for login.noisebridge.info
http-01 challenge for mumble.noisebridge.info
http-01 challenge for noisetor.net
http-01 challenge for noisetor.noisebridge.info
http-01 challenge for printprintprint.noisebridge.info
http-01 challenge for projects.noisebridge.info
http-01 challenge for space.noisebridge.info
http-01 challenge for test-discuss.noisebridge.info
http-01 challenge for test.noisebridge.info
http-01 challenge for x.noisebridge.info
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
ReadTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
Please see the logfiles in /var/log/letsencrypt for more details.

For whatever reason our certbot works again and all certificates have renewed. Thanks all!

$ /home/noisebridge/bin/recert
Requesting to rerun /home/noisebridge/repos/certbot/certbot-auto with root privileges...
Your system is not supported by certbot-auto anymore.
Certbot will no longer receive updates.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for test-discuss.noisebridge.info
http-01 challenge for test.noisebridge.info
http-01 challenge for x.noisebridge.info
http-01 challenge for login.noisebridge.info
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/noisebridge.info/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/noisebridge.info/privkey.pem
    Your cert will expire on 2021-03-17. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    "certbot-auto renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

I see high packet losses.
Which might explain why it fails some of the time...

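The two checks suggested in this thread (a bounded fetch of the ACME directory and an mtr report) are easy to turn into a repeatable diagnostic. The script below is an added example, not code from the thread or from Certbot: it parses `mtr --report` output, applies the reading rg305 gives above (loss that persists to the final hop is real path loss; a hop that answers nothing at all is often just a router deprioritising ICMP), and validates the ACME directory response with a hard timeout like `curl -m10`. The mtr sample is constructed, modelled on the report posted earlier; the loss and RTT thresholds are assumptions you would tune for your own link.

```python
import json
import re
import urllib.request
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the mtr --report output posted in the thread.
SAMPLE_MTR = """\
Start: 2020-12-17T00:27:34-0600
HOST: vps                         Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 23-227-160-129.static.hvv 33.3%    30  725.0 677.8 351.9 981.4 211.3
  2.|-- 10.253.17.69              50.0%    30  713.6 589.1 260.2 1000. 225.4
  3.|-- 10.253.17.113             53.3%    30  846.9 633.5 296.1 1138. 230.1
  4.|-- ???                       100.0    30    0.0   0.0   0.0   0.0   0.0
  5.|-- ???                       100.0    30    0.0   0.0   0.0   0.0   0.0
  6.|-- 10.253.16.13              36.7%    30  651.7 600.1 322.8 1015. 184.2
  7.|-- 10.253.16.2               53.3%    30  712.6 703.8 317.6 990.9 193.1
  8.|-- ipv4.de-cix.dfw.us.as1333 33.3%    30  639.9 653.0 187.9 979.0 229.6
  9.|-- 172.65.32.248             46.7%    30  603.0 623.0 395.1 862.3 152.0
"""

# One mtr report row: "  9.|-- host  46.7%  30  603.0 623.0 395.1 862.3 152.0".
# mtr prints "100.0" without a percent sign and truncates "1000.0" to "1000.",
# so the loss and RTT groups accept a trailing dot.
HOP_RE = re.compile(
    r"^\s*(?P<n>\d+)\.\|--\s+(?P<host>\S+)\s+(?P<loss>[\d.]+)%?\s+(?P<snt>\d+)"
    r"\s+(?P<last>[\d.]+)\s+(?P<avg>[\d.]+)\s+(?P<best>[\d.]+)"
    r"\s+(?P<wrst>[\d.]+)\s+(?P<stdev>[\d.]+)"
)


@dataclass
class Hop:
    index: int
    host: str
    loss_pct: float
    sent: int
    avg_ms: float
    worst_ms: float


def parse_mtr_report(text: str) -> List[Hop]:
    """Extract per-hop rows from `mtr --report` output; header lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m["n"]), m["host"], float(m["loss"]), int(m["snt"]),
                            float(m["avg"]), float(m["wrst"])))
    return hops


def diagnose(hops: List[Hop], loss_threshold: float = 5.0, rtt_threshold_ms: float = 300.0) -> Dict:
    """Judge the path the way a human reads mtr: only loss still visible at the final
    hop is end-to-end loss; if it is already present at hop 1 the local link is suspect.
    Intermediate hops reporting 100% loss are listed but not counted (assumed thresholds)."""
    if not hops:
        return {"ok": False, "findings": ["no hops parsed"], "silent_intermediate_hops": []}
    first, last = hops[0], hops[-1]
    findings = []
    if last.loss_pct > loss_threshold:
        findings.append(f"end-to-end loss {last.loss_pct:.1f}% to {last.host} exceeds {loss_threshold}%")
        if first.loss_pct > loss_threshold:
            findings.append(f"loss already present at first hop {first.host} "
                            f"({first.loss_pct:.1f}%): local link or uplink suspect")
    if last.avg_ms > rtt_threshold_ms:
        findings.append(f"average RTT {last.avg_ms:.1f} ms to {last.host} exceeds {rtt_threshold_ms} ms")
    silent = [h.index for h in hops[:-1] if h.loss_pct >= 100.0]
    return {"ok": not findings, "findings": findings, "silent_intermediate_hops": silent}


ACME_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"
# Resources every ACME (RFC 8555) directory object advertises.
REQUIRED_KEYS = ("newNonce", "newAccount", "newOrder")


def validate_acme_directory(body: Dict) -> List[str]:
    """Return the RFC 8555 directory keys missing from a parsed response (empty list = good)."""
    return [k for k in REQUIRED_KEYS if k not in body]


def check_acme_directory(url: str = ACME_DIRECTORY, timeout: float = 10.0) -> List[str]:
    """Fetch the directory with a hard timeout (like curl -m10). urllib verifies the
    server certificate by default, so a TLS failure raises instead of returning."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return validate_acme_directory(json.load(resp))


if __name__ == "__main__":
    verdict = diagnose(parse_mtr_report(SAMPLE_MTR))
    print("path ok" if verdict["ok"] else "path problems:")
    for f in verdict["findings"]:
        print("  -", f)
    print("silent intermediate hops (ignored):", verdict["silent_intermediate_hops"])
    # Network check; run it on the VPS itself, not offline.
    # missing = check_acme_directory(); print("missing directory keys:", missing)
```

Run on the VPS, feed it `mtr --report -c 30 acme-v02.api.letsencrypt.org` output (or a file) a few times over a day: persistent findings at hop 1 point at the local uplink, which is exactly the kind of loss that makes a 45 s read timeout in certbot intermittent rather than reproducible.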

Wow! Nicely spotted, eyes like a hawk.

@sunjam if the packet loss that @rg305 is pointing out is persistent, it's definitely a likely cause of the issue and worth investigating.


My guess is the first hop is wireless and the channel is slammed/poor signal.
