Plugins selected: Authenticator manual, Installer None An unexpected error occurred: UnicodeEncodeError: 'ascii' codec can't encode character '\u2248' in position 0: ordinal not in range(128)

bullaka · May 6, 2019, 9:29pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
edenfielddentistry.com (any domain for that matter)

I ran this command:
sudo -H certbot certonly --manual --preferred-challenges dns -d www.edenfielddentistry.com -d edenfielddentistry.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
An unexpected error occurred:
UnicodeEncodeError: ‘ascii’ codec can’t encode character ‘\u2248’ in position 0: ordinal not in range(128)
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
Linux / Apache / PHP 7.2

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
LiquidWeb

I can login to a root shell on my machine (yes or no, or I don’t know):
I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
I think so

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.33.1

This happens every time I try to run any domain on this machine using the same command above with the domain switched of course. I have no issues on another machine. So I assume it’s specific to this machine obviously. I’ve read through multiple support pages

JuergenAuer · May 6, 2019, 9:37pm

Hi @bullaka

\u2248 - that's the Unicode code point with the hex value 2248 and the integer codepoint 8776 ≈

Looks like you have this character ≈ somewhere in your config file (code or comment).

Check your webserver config files and the Letsencrypt config files

/etc/letsencrypt/renewal

bullaka · May 6, 2019, 9:46pm

Thank you @JuergenAuer. I’m BRAND new at this stuff. So I know very little about what you wrote. Do you mind guiding me a bit more please?

For instance I went to that directory you mentioned. I don’t even see the domain I listed in there. I tried one of the domains in that directory and I received the same error.

JuergenAuer · May 6, 2019, 9:52pm

There are files. Check every file if the file contains ≈.

And check your Apache config files.

Certbot tries to check your configuration and doesn’t handle the character ≈ correct.

schoen · May 7, 2019, 2:18am

Wait, I don’t understand how certonly --manual is reading any web server configuration files. It should never have a reason to do that!

@bullaka, could you please show us the log file from /var/log/letsencrypt that was mentioned in the error? I feel like this special character might be in some other kind of configuration file entirely.

bullaka · May 7, 2019, 6:05pm

Thank you for your reply.

Here’s further information. I know for sure it’s my machine, hence the error, and not the server as I checked with LiquidWeb. I also know it’s my machine and not the server because it doesn’t do this using another computer, only mine. Simply trying to eliminate all the variables I can.

When I attempt to find that directory via terminal I get the following:
-bash: cd: /var/log/letsencrypt: Permission denied

So then I went to finder and then go to folder. Type in the path: /var/log/letsencrypt. I get: the folder can’t be found.

I did eventually find logs files here: Macintosh HD > private > var > log > letsencrypt which is NOT what’s in the error code. That’s: /var/log/letsencrypt. I did find 13 files in there. I searched those files and can’t find ≈.

At this point, would it be easier to manually delete Homebrew and Letsencrypt folders and reinstall them both? I’ve already tried deleting them and then reinstalling via terminal and the same issue showed up. So I’m wondering if there are some personal preferences set somewhere.

schoen · May 7, 2019, 6:11pm

I didn’t realize that you were running Certbot on your laptop rather than your web server. Normally Certbot is meant to be run directly on your web server.

Is there a way that you could run Certbot on the web server or use features in the control panel to obtain your certificates instead?

If you want to debug this with the way you’re currently doing it, I’d like to see the actual content of the log file in /var/log/letsencrypt even if it doesn’t appear to contain a literal ≈ character.

bullaka · May 7, 2019, 6:12pm

Here you go. And once again thank you!

2019-05-06 14:08:25,679:DEBUG:certbot.main:certbot version: 0.26.1
2019-05-06 14:08:25,680:DEBUG:certbot.main:Arguments: [’–manual’, ‘–preferred-challenges’, ‘dns’, ‘-d’, ‘www.edenfielddentistry.com’, ‘-d’, ‘edenfielddentistry.com’]
2019-05-06 14:08:25,680:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-05-06 14:08:25,711:DEBUG:certbot.log:Root logging level set at 20
2019-05-06 14:08:25,712:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-05-06 14:08:25,713:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2019-05-06 14:08:25,716:DEBUG:certbot.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot.plugins.manual:Authenticator
Initialized: <certbot.plugins.manual.Authenticator object at 0x103e63160>
Prep: True
2019-05-06 14:08:25,717:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.manual.Authenticator object at 0x103e63160> and installer None
2019-05-06 14:08:25,717:INFO:certbot.plugins.selection:Plugins selected: Authenticator manual, Installer None
2019-05-06 14:08:25,722:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x104144a58>)>), contact=(‘mailto:aaron@bullcm.com’,), agreement=‘https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’, status=‘valid’, terms_of_service_agreed=None, only_return_existing=None), uri=‘https://acme-v01.api.letsencrypt.org/acme/reg/34001879’, new_authzr_uri=‘https://acme-v01.api.letsencrypt.org/acme/new-authz’, terms_of_service=‘https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’), 96b56b216e7842fab314906434ad4ef7, Meta(creation_dt=datetime.datetime(2018, 4, 26, 20, 19, 10, tzinfo=), creation_host=‘Bullakas-MacBook-Pro-2016.local’))>
2019-05-06 14:08:25,734:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-05-06 14:08:25,741:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2019-05-06 14:08:25,922:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
2019-05-06 14:08:25,923:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 06 May 2019 18:08:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 06 May 2019 18:08:25 GMT
Connection: keep-alive

{
“9RMo_NY0zGE”: “Adding random entries to the directory”,
“keyChange”: “https://acme-v02.api.letsencrypt.org/acme/key-change”,
“meta”: {
“caaIdentities”: [
“letsencrypt.org”
],
“termsOfService”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,
“website”: “https://letsencrypt.org”
},
“newAccount”: “https://acme-v02.api.letsencrypt.org/acme/new-acct”,
“newNonce”: “https://acme-v02.api.letsencrypt.org/acme/new-nonce”,
“newOrder”: “https://acme-v02.api.letsencrypt.org/acme/new-order”,
“revokeCert”: “https://acme-v02.api.letsencrypt.org/acme/revoke-cert”
}
2019-05-06 14:08:25,937:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/local/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.26.1’, ‘console_scripts’, ‘certbot’)()
File “/usr/local/Cellar/certbot/0.26.1/libexec/lib/python3.7/site-packages/certbot/main.py”, line 1364, in main
return config.func(config, plugins)
File “/usr/local/Cellar/certbot/0.26.1/libexec/lib/python3.7/site-packages/certbot/main.py”, line 1247, in certonly
should_get_cert, lineage = _find_cert(config, domains, certname)
File “/usr/local/Cellar/certbot/0.26.1/libexec/lib/python3.7/site-packages/certbot/main.py”, line 285, in _find_cert
action, lineage = _find_lineage_for_domains_and_certname(config, domains, certname)
File “/usr/local/Cellar/certbot/0.26.1/libexec/lib/python3.7/site-packages/certbot/main.py”, line 312, in _find_lineage_for_domains_and_certname
return _find_lineage_for_domains(config, domains)
File “/usr/local/Cellar/certbot/0.26.1/libexec/lib/python3.7/site-packages/certbot/main.py”, line 256, in _find_lineage_for_domains
ident_names_cert, subset_names_cert = cert_manager.find_duplicative_certs(config, domains)
File “/usr/local/Cellar/certbot/0.26.1/libexec/lib/python3.7/site-packages/certbot/cert_manager.py”, line 166, in find_duplicative_certs
return _search_lineages(config, update_certs_for_domain_matches, (None, None))
File “/usr/local/Cellar/certbot/0.26.1/libexec/lib/python3.7/site-packages/certbot/cert_manager.py”, line 387, in _search_lineages
rv = func(candidate_lineage, rv, *args)
File “/usr/local/Cellar/certbot/0.26.1/libexec/lib/python3.7/site-packages/certbot/cert_manager.py”, line 154, in update_certs_for_domain_matches
candidate_names = set(candidate_lineage.names())
File “/usr/local/Cellar/certbot/0.26.1/libexec/lib/python3.7/site-packages/certbot/storage.py”, line 856, in names
return crypto_util.get_names_from_cert(f.read())
File “/usr/local/Cellar/certbot/0.26.1/libexec/lib/python3.7/site-packages/certbot/crypto_util.py”, line 381, in get_names_from_cert
csr, crypto.load_certificate, typ)
File “/usr/local/Cellar/certbot/0.26.1/libexec/lib/python3.7/site-packages/certbot/crypto_util.py”, line 361, in _get_names_from_cert_or_req
loaded_cert_or_req = _load_cert_or_req(cert_or_req, load_func, typ)
File “/usr/local/Cellar/certbot/0.26.1/libexec/lib/python3.7/site-packages/certbot/crypto_util.py”, line 333, in _load_cert_or_req
return load_func(typ, cert_or_req_str)
File “/usr/local/Cellar/certbot/0.26.1/libexec/lib/python3.7/site-packages/OpenSSL/crypto.py”, line 1812, in load_certificate
buffer = buffer.encode(“ascii”)
UnicodeEncodeError: ‘ascii’ codec can’t encode character ‘\u2248’ in position 0: ordinal not in range(128)
2019-05-06 14:08:25,943:ERROR:certbot.log:An unexpected error occurred:

schoen · May 7, 2019, 6:14pm

It sounds like you have an existing certificate file that contains that strange character for some reason.

Could you show us the output of certbot certificates (or sudo certbot certificates if necessary)?

bullaka · May 7, 2019, 6:15pm

That’s with ANY certificate I try to setup on this machine for any site. Regardless of what site address I change it to, on this machine I always get the same error. Any other machine, no error.

schoen · May 7, 2019, 6:17pm

Yes, that makes sense. So, could we see the output of certbot certificates?

bullaka · May 7, 2019, 6:28pm

As I mentioned earlier, I’m new to all of this. So I’m not sure what you’re asking for. So what are you asking for? Is this what you’re looking for? This is what I get after I put in the aforementioned command.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for edenfielddentistry.com
dns-01 challenge for www.edenfielddentistry.com

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?

(Y)es/(N)o: y

Please deploy a DNS TXT record under the name
_acme-challenge.edenfielddentistry.com with the following value:

And then, of course, it gives the www value

schoen · May 7, 2019, 6:30pm

I’d like you to run the command certbot certificates on your computer. (Is that the output that you got from running that?)

bullaka · May 7, 2019, 6:44pm

OOOOOHHH. Ok thank you for your patience. Here you go:

The following error was encountered:
[Errno 13] Permission denied: ‘/var/log/letsencrypt/.certbot.lock’
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.

schoen · May 7, 2019, 7:41pm

In that case, please run sudo certbot certificates instead.

bullaka · May 7, 2019, 8:46pm

Thanks again. Here you go. Since I’m a new user I couldn’t attach it nor could I copy and paste the info here. So here’s a link to it: https://www.dropbox.com/s/608065lzhsvzdbi/sudo%20certbot%20certificates.txt?dl=0

JuergenAuer · May 7, 2019, 8:49pm

What’s the content of that file:

/etc/letsencrypt/renewal/www.kalodemo.com.conf

That’s the last row.

bullaka · May 7, 2019, 8:55pm

renew_before_expiry = 30 days

version = 0.23.0
archive_dir = /etc/letsencrypt/archive/www.kalodemo.com
cert = /etc/letsencrypt/live/www.kalodemo.com/cert.pem
privkey = /etc/letsencrypt/live/www.kalodemo.com/privkey.pem
chain = /etc/letsencrypt/live/www.kalodemo.com/chain.pem
fullchain = /etc/letsencrypt/live/www.kalodemo.com/fullchain.pem

Options used in the renewal process

[renewalparams]
account = 96b56b216e7842fab314906434ad4ef7
pref_challs = dns-01,
authenticator = manual
installer = None
manual_public_ip_logging_ok = True

JuergenAuer · May 7, 2019, 8:57pm

Sorry, incomplete question.

And the content of that file:

/etc/letsencrypt/live/www.kalodemo.com/cert.pem

bullaka · May 7, 2019, 8:59pm

That’s on the server side and not the domain I’m having issues with. Asking for understanding. As such, would that matter?