PowerShell calling certbot in console or ISE script execution causes RemoteException seemingly related to virtual terminal handling

If I type:

certbot renew

at the PS console prompt (in PS ISE), then the following is written to the console:

certbot : Saving debug log to C:\Certbot\log\letsencrypt.log
At line:1 char:1
+ certbot renew
+ ~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Saving debug lo...letsencrypt.log:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError


Processing C:\Certbot\renewal\*****.conf


Certificate not yet due for renewal


The following certificates are not due for renewal yet:

C:\Certbot\live\*******\fullchain.pem expires on 2022-**-** (skipped)

No renewals were attempted.


(Note: I used * character to obfuscate my domain name info.)

It seems like certbot ran the subcommand OK, but there was some issue and a PowerShell exception that seems related to the first line of output:

certbot : Saving debug log to C:\Certbot\log\letsencrypt.log

From the debug log:

2022-06-05 15:14:37,649:DEBUG:certbot._internal.main:certbot version: 1.24.0
2022-06-05 15:14:37,649:DEBUG:certbot._internal.main:Location of certbot entry point: C:\Program Files (x86)\Certbot\bin\certbot.exe
2022-06-05 15:14:37,649:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2022-06-05 15:14:37,649:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-06-05 15:14:37,649:DEBUG:certbot.compat.misc:Failed to set console mode
Traceback (most recent call last):
File "C:\Program Files (x86)\Certbot\pkgs\certbot\compat\misc.py", line 60, in prepare_virtual_console
h.SetConsoleMode(h.GetConsoleMode() | ENABLE_VIRTUAL_TERMINAL_PROCESSING)
pywintypes.error: (6, 'GetConsoleMode', 'The handle is invalid.')
2022-06-05 15:14:37,759:DEBUG:certbot._internal.log:Root logging level set at 30

And comparing this to debug log contents for the execution of the same command except from the Windows CMD console (wherein the output is exactly the same except that there is no PS remote exception):

2022-06-05 15:13:26,430:DEBUG:certbot._internal.main:certbot version: 1.24.0
2022-06-05 15:13:26,430:DEBUG:certbot._internal.main:Location of certbot entry point: C:\Program Files (x86)\Certbot\bin\certbot.exe
2022-06-05 15:13:26,430:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2022-06-05 15:13:26,430:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-06-05 15:13:26,524:DEBUG:certbot._internal.log:Root logging level set at 30

It seems the issue may be related to the virtual terminal processing in the misc.py code when certbot is invoked from PowerShell.

I get similar results when calling certbot from a PS script using the & (PowerShell call operator).

When I look at a debug log from execution of the scheduled task added by the earlier "certbot run" with the Windows command:

Powershell.exe -NoProfile -WindowStyle Hidden -Command "certbot renew"

the first few lines of output are:

2022-06-04 12:00:06,572:DEBUG:certbot._internal.main:certbot version: 1.24.0
2022-06-04 12:00:06,572:DEBUG:certbot._internal.main:Location of certbot entry point: C:\Program Files (x86)\Certbot\bin\certbot.exe
2022-06-04 12:00:06,572:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2022-06-04 12:00:06,572:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-06-04 12:00:06,666:DEBUG:certbot._internal.log:Root logging level set at 30

So, past the point of issue when invoked from console or execution of script in ISE.

Any ideas on why the exception is happening and how this could be avoided?

Welcome @segmentlime

As background, Certbot is developed by EFF. Let's Encrypt is by ISRG.

A nice report and perhaps a developer for Certbot will see it and comment. But, this is mainly a forum to support Let's Encrypt. Of course, we often help people use certbot and other acme clients but in this case the problem seems just with certbot interacting with Powershell and not related much to the LE certs.

Perhaps someone here will comment but I think you will be best served raising an issue on the Certbot GitHub. Just giving you another option.

2 Likes

Thanks for your reply Mike, and about the Let's Encrypt Community Support forum focus!

I understand. I will post similar to certbot github, and bear this in mind for future posts.

2 Likes

FYI - I posted this to:

https://github.com/certbot/certbot/issues/9313

I'm not a Windows expert, but it doesn't look like anything is wrong here.

This error is non-fatal. If it's not possible to set that console mode (because the PowerShell host remoting doesn't allow it), then Certbot doesn't really care and will swallow the error. It won't affect whether invoking Certbot succeeds or fails.

I've done a bit of reading and it seems like PowerShell ISE might interpret any process output to standard error (stderr) as an error.

This doesn't really track with how UNIX commands work, where stderr is commonly used and process exit codes, instead, are used to report errors.

If you want, you can try redirecting all output to stdout. Or maybe there are some other idioms in PowerShell to deal with this issue, I'm not sure.

2 Likes
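
The stderr handling discussed in the reply above, as an added example that is not part of any participant's post: a wrapper that captures both output streams from certbot and decides success from the process exit code instead of from the NativeCommandError records. `Invoke-NativeQuiet` is a hypothetical helper name; the example assumes `certbot` is on the PATH and returns a non-zero exit code on failure.

```powershell
# Added example (not from the thread): run a native command and judge success
# by its exit code, not by whether it wrote anything to stderr.
function Invoke-NativeQuiet {            # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string[]] $ArgumentList = @()
    )

    # With 'Stop', Windows PowerShell can turn redirected stderr lines into
    # terminating errors, so relax the preference inside this function only.
    $ErrorActionPreference = 'Continue'

    # 2>&1 merges stderr into the success stream. stderr lines arrive as
    # ErrorRecord objects (the NativeCommandError shown in the question),
    # stdout lines arrive as plain strings.
    $raw  = & $FilePath @ArgumentList 2>&1
    $exit = $LASTEXITCODE

    $lines = foreach ($item in $raw) {
        if ($item -is [System.Management.Automation.ErrorRecord]) {
            # Keep the text of the line, drop the error wrapper.
            [pscustomobject]@{ Stream = 'stderr'; Text = $item.Exception.Message }
        } else {
            [pscustomobject]@{ Stream = 'stdout'; Text = [string]$item }
        }
    }

    [pscustomobject]@{
        ExitCode  = $exit
        Succeeded = ($exit -eq 0)        # assumption: 0 means success
        Output    = @($lines)
    }
}

$result = Invoke-NativeQuiet -FilePath 'certbot' -ArgumentList 'renew'
$result.Output | ForEach-Object { '{0}: {1}' -f $_.Stream, $_.Text }

if (-not $result.Succeeded) {
    throw "certbot renew failed with exit code $($result.ExitCode)"
}
```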

Since you're already running in PowerShell, might I also suggest Posh-ACME which is a PowerShell native ACME client instead of certbot. Full disclosure, I'm the module author.

5 Likes