Nothing happens in the console

Hello,
I am under Debian 8. I installed certbot as indicated on the site and I launched `sudo /usr/local/bin/certbot-auto --apache`, but the installation is blocked.
Now when I launch `sudo /usr/local/bin/certbot-auto --apache` nothing happens in the console (no message) and the console remains blocked; it is impossible to regain control.
thank you

It seems that the certbot-auto output is being caught or blocked somehow.
Try changing to root user first.
sudo su
then
/usr/local/bin/certbot-auto --apache

[see if that helps or even changes the behavior]

I’m already root; it doesn’t change anything!

Please show the contents of all files found with:
find /etc/letsencrypt/ -name '*.ini'

and also the contents of files within:
/etc/letsencrypt/renewal/

[you can erase any account numbers, if you like]

find /etc/letsencrypt/ -name *.ini
find: “/etc/letsencrypt/”: Aucun fichier ou dossier de ce type

cd /etc/letsencrypt/renewal/
-bash: cd: /etc/letsencrypt/renewal/: Aucun fichier ou dossier de ce type

Does it still hang if you add --non-interactive to your command?

root@BotBinance:~ --> /usr/local/bin/certbot-auto --non-interactive

Nothing happens

Could you:

sudo apt install strace

and then:

sudo strace -ff timeout 30s certbot-auto --version 2>&1 | tee /tmp/certbot-strace.txt

This will save a large debug log to /tmp/certbot-strace.txt. If you could upload this somewhere and share the link, that would provide helpful information for figuring out what’s happening.


Here is the link of the generated file: http://dl.free.fr/bAbbNJQfO

Interesting.

Did you Ctrl-C the process in the end, or did you let it timeout on its own?

What appears to be happening is that the cryptographic library used by Certbot is trying to generate some secure random numbers by reading from /dev/random, but your system has insufficient entropy, and so Certbot hangs while it waits for entropy to be generated.

(On a more modern version of Linux/Debian, /dev/random would not be used, and better alternatives like getrandom are used instead).

Could you please show the output of:

cat /proc/sys/kernel/random/entropy_avail
cat /proc/sys/kernel/random/poolsize

Could you please also provide some information about what kind of server this is? Is it virtualized, and if so, what type of virtualization? Or maybe a small device like a Raspberry Pi?

The process ended alone.
It is a VPS in OPENVZ

root@BotBinance:~ --> cat /proc/sys/kernel/random/entropy_avail
0
root@BotBinance:~ --> cat /proc/sys/kernel/random/poolsize
4096

Thank you for all your research

This is very bad, and explains why Certbot doesn't work. A modern Linux system on the internet can't function properly without entropy. Anything below 1000-ish is not a good sign.

I am not surprised that you are using OpenVZ - shared kernel means that entropy is shared between each guest on the server. This could suggest that some other guest on the server is draining all of the entropy on the server, which is a very finite resource.

I would talk to your host about it. There's nothing you can really do to increase entropy on an OpenVZ server, without being the admin of the entire physical OpenVZ host.


Ok, thank you for all this info. I understand better the few malfunctions that I also have with this VPS. I will open a ticket to see if a solution is possible with them; otherwise I will move :)

Thank you again for all


It's probably not: see "On Linux’s Random Number Generation" (NCC Group Research Blog) and https://www.2uo.de/myths-about-urandom/#what-about-entropy-running-low

(I mean, it is a finite resource in one sense but it doesn't seem that we can conceive of many realistic attacks when sharing it out among multiple mutually untrusting systems. However, this is a problem with the virtualization method implementation and not with anything @Michelgard is doing.)


I was curious yesterday and was trying to find info about whether or not virtio rng or kernel namespacing consider "fairness" when it comes to the entropy pool, since it seems like a weakness in shared environments. You can, at the end of the day, cause (some) processes to block.

Nothing came up, though. Maybe it's buried in the driver code and nobody talks about it D:.

Edit: I had a look at what pyca/cryptography is actually doing with /dev/random at the time Certbot hangs. Turns out it doesn't actually read from it - it's just its way of checking that the kernel CSPRNG has been initialized: "Before using /dev/urandom verify CSPRNG has been seeded with select" (pyca/cryptography issue #4645 on GitHub). Less paranoid applications would not know any better, I guess.

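The two mechanisms discussed in this thread (the entropy counters under /proc, and the "select() on /dev/random without reading it" seeded-check that the pyca/cryptography issue describes) can be reproduced as a small diagnostic. The script below is an added example, not code from Certbot, pyca/cryptography or anyone in the thread. It reads `entropy_avail` and `poolsize`, classifies them with the "below 1000-ish" rule of thumb quoted above (an assumption of this example: the value is the poster's heuristic, not a kernel constant, and on kernels 5.18 and later `entropy_avail` reports 256 for a healthy pool, so the threshold only applies to older kernels such as Debian 8's), probes /dev/random with `select()` and a zero timeout so it never blocks, and tries the `getrandom(2)` non-blocking path mentioned as the modern alternative. Function names are this example's own.

```python
import errno
import os
import select

# Rule of thumb quoted in the thread ("anything below 1000-ish is not a good sign").
# Assumption of this example: it is a heuristic for pre-5.18 kernels, not a kernel constant.
LOW_ENTROPY_THRESHOLD = 1000


def parse_proc_value(text):
    """Parse the body of a /proc/sys/kernel/random/* file (e.g. '4096\\n') into an int."""
    return int(text.strip())


def read_proc_value(name, proc_dir="/proc/sys/kernel/random"):
    """Read one counter; returns None when the file is absent or unreadable (non-Linux, sandbox)."""
    try:
        with open(os.path.join(proc_dir, name)) as f:
            return parse_proc_value(f.read())
    except (OSError, ValueError):
        return None


def classify_entropy(entropy_avail, poolsize):
    """Classify the pool state the way the thread reasons about it."""
    if entropy_avail is None or poolsize is None:
        return "unknown"
    if entropy_avail == 0:
        return "empty"          # the OpenVZ guest in the thread: 0 of 4096
    if entropy_avail < LOW_ENTROPY_THRESHOLD:
        return "low"
    return "ok"


def crng_seeded_via_select(path="/dev/random", timeout=0.0):
    """The check pyca/cryptography used: select() on /dev/random without reading it.

    Readable means the kernel CSPRNG is seeded; hitting the timeout means it is not
    (yet). A zero timeout makes this safe to run on a starved guest, where a blocking
    read() would hang exactly like Certbot did. Returns True/False, or None when the
    device cannot be opened.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        readable, _, _ = select.select([fd], [], [], timeout)
        return bool(readable)
    finally:
        os.close(fd)


def getrandom_nonblocking(nbytes):
    """Modern path: getrandom(2) with GRND_NONBLOCK.

    Returns the random bytes, or None if the syscall is unavailable (old kernel or
    non-Linux) or the CSPRNG is not yet seeded (EAGAIN). Never blocks.
    """
    getrandom = getattr(os, "getrandom", None)
    flag = getattr(os, "GRND_NONBLOCK", None)
    if getrandom is None or flag is None:
        return None
    try:
        return getrandom(nbytes, flag)
    except BlockingIOError:
        return None
    except OSError as e:
        if e.errno in (errno.ENOSYS, errno.EAGAIN):
            return None
        raise


def diagnose():
    """Collect everything the thread asked the poster for, without ever blocking."""
    avail = read_proc_value("entropy_avail")
    pool = read_proc_value("poolsize")
    sample = getrandom_nonblocking(16)
    return {
        "entropy_avail": avail,
        "poolsize": pool,
        "pool_state": classify_entropy(avail, pool),
        "dev_random_readable": crng_seeded_via_select(),
        "getrandom_ready": sample is not None,
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

On the poster's guest this would report `pool_state: empty` and `dev_random_readable: False`, which is the condition under which the blocking `/dev/random` wait (or the equivalent `select()` without a timeout) never returns; `getrandom_ready` tells you whether the non-blocking syscall is available as a way to fail fast instead of hanging.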
