I am under Debian 8. I installed certbot as indicated on the site and I launched: sudo /usr/local/bin/certbot-auto --apache but the installation is blocked.
Now when I launch sudo /usr/local/bin/certbot-auto --apache nothing happens in the console (no message) and the console remains blocked, impossible to regain control.
It seems that the certbot-auto output is being caught or blocked somehow.
Try changing to root user first.
[see if that helps or even changes the behavior]
I’m already in root it doesn’t change anything!
Please show the contents of all files found with:
find /etc/letsencrypt/ -name '*.ini'
and also the contents of files within:
[you can erase any account numbers, if you like]
find /etc/letsencrypt/ -name *.ini
find: “/etc/letsencrypt/”: Aucun fichier ou dossier de ce type
-bash: cd: /etc/letsencrypt/renewal/: Aucun fichier ou dossier de ce type
Does it still hang if you add
--non-interactive to your command?
root@BotBinance:~ --> /usr/local/bin/certbot-auto --non-interactive
sudo apt install strace
sudo strace -ff timeout 30s certbot-auto --version 2>&1 | tee /tmp/certbot-strace.txt
This will save a large debug log to /tmp/certbot-strace.txt. If you could upload this somewhere and share the link, that would provide helpful information for figuring out what’s happening.
Here is the link of the generated file: http://dl.free.fr/bAbbNJQfO
Did you Ctrl-C the process in the end, or did you let it time out on its own?
What appears to be happening is that the cryptographic library used by Certbot is trying to generate some secure random numbers by reading from /dev/random, but your system has insufficient entropy, and so Certbot hangs while it waits for entropy to be generated.
(On a more modern version of Linux/Debian, /dev/random would not be used, and better alternatives like getrandom are used instead).
Could you please show the output of:
cat /proc/sys/kernel/random/entropy_avail
cat /proc/sys/kernel/random/poolsize
Could you please also provide some information about what kind of server this is? Is it virtualized, and if so, what type of virtualization? Or maybe a small device like a Raspberry Pi?
The process ended alone.
It is a VPS in OPENVZ
root@BotBinance:~ --> cat /proc/sys/kernel/random/entropy_avail
root@BotBinance:~ --> cat /proc/sys/kernel/random/poolsize
Thank you for all your research
This is very bad, and explains why Certbot doesn’t work. A modern Linux system on the internet can’t function properly without entropy. Anything below 1000-ish is not a good sign.
I am not surprised that you are using OpenVZ - shared kernel means that entropy is shared between each guest on the server. This could suggest that some other guest on the server is draining all of the entropy on the server, which is a very finite resource.
I would talk to your host about it. There’s nothing you can really do to increase entropy on an OpenVZ server, without being the admin of the entire physical OpenVZ host.
Ok, thank you for all this info. I understand better the few malfunctions that I also have with this VPS. I will open a ticket to see if a solution is possible with them; otherwise I will move.
Thank you again for everything.
(I mean, it is a finite resource in one sense but it doesn’t seem that we can conceive of many realistic attacks when sharing it out among multiple mutually untrusting systems. However, this is a problem with the virtualization method implementation and not with anything @Michelgard is doing.)
I was curious yesterday and was trying to find info about whether or not virtio rng or kernel namespacing consider “fairness” when it comes to the entropy pool, since it seems like a weakness in shared environments. You can, at the end of the day, cause (some) processes to block.
Nothing came up, though. Maybe it’s buried in the driver code and nobody talks about it D:.
Edit: I had a look at what pyca/cryptography is actually doing with /dev/random at the time Certbot hangs. Turns out it doesn’t actually read from it - it’s just its way of checking that the kernel CSRNG has been initialized: https://github.com/pyca/cryptography/issues/4645 . Less paranoid applications would not know any better, I guess.
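A preflight check in the spirit of this thread, added here as an example and not code from the thread or from Certbot: it reads entropy_avail and poolsize the way the replies above did, probes the kernel CSPRNG with getrandom(GRND_NONBLOCK) (the initialization check the last post attributes to pyca/cryptography), and classifies the result using the "below 1000-ish" rule of thumb from the thread, which is an assumption rather than a kernel constant. All function and variable names are mine.

```python
import os

# Assumed threshold: the thread calls entropy_avail "below 1000-ish" a bad sign.
LOW_ENTROPY_THRESHOLD = 1000


def parse_proc_value(text):
    """Parse the single integer found in /proc/sys/kernel/random/* files."""
    return int(text.strip())


def read_entropy(proc_dir="/proc/sys/kernel/random"):
    """Return (entropy_avail, poolsize) from the kernel's random sysctls."""
    with open(os.path.join(proc_dir, "entropy_avail")) as f:
        avail = parse_proc_value(f.read())
    with open(os.path.join(proc_dir, "poolsize")) as f:
        pool = parse_proc_value(f.read())
    return avail, pool


def csprng_initialized():
    """Non-blocking probe of the kernel CSPRNG.

    getrandom(GRND_NONBLOCK) raises EAGAIN (BlockingIOError in Python) only
    while the pool has never been seeded; once seeded it never blocks, which
    is the distinction the last post makes. Returns None where os.getrandom
    is unavailable (non-Linux or Python < 3.6).
    """
    if not hasattr(os, "getrandom"):
        return None
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
        return True
    except BlockingIOError:
        return False


def assess(avail, poolsize, initialized, threshold=LOW_ENTROPY_THRESHOLD):
    """Classify the host's entropy state as a short verdict string."""
    if initialized is False:
        return "csprng-uninitialized"   # blocking reads of /dev/random will hang
    if avail < threshold:
        return "low-entropy"            # certbot-auto may stall, as in the thread
    return "ok"


def preflight(proc_dir="/proc/sys/kernel/random"):
    avail, pool = read_entropy(proc_dir)
    return {"entropy_avail": avail, "poolsize": pool,
            "verdict": assess(avail, pool, csprng_initialized())}
```

Run it as a script on the VPS before invoking certbot-auto; a "low-entropy" verdict with an initialized CSPRNG points at the shared-kernel starvation described above rather than at Certbot itself.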