Problem when I renew with route53

metabsd · December 20, 2018, 5:09pm

I ran this command: certbot renew --dns-route53 --dns-route53-propagation-seconds 30 --dry-run --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/deploy-to-zabbix-grafana-apache.sh

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/saltmaster.elementai.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Credentials found in config file: ~/.aws/config
Plugins selected: Authenticator dns-route53, Installer None
Attempting to renew cert (saltmaster.elementai.net) from /etc/letsencrypt/renewal/saltmaster.elementai.net.conf produced an unexpected error: 'AWSHTTPSConnection' object has no attribute 'ssl_context'. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/zabbix.utility.elementai.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-route53, Installer None
Attempting to renew cert (zabbix.utility.elementai.net) from /etc/letsencrypt/renewal/zabbix.utility.elementai.net.conf produced an unexpected error: 'AWSHTTPSConnection' object has no attribute 'ssl_context'. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/saltmaster.elementai.net/fullchain.pem (failure)
  /etc/letsencrypt/live/zabbix.utility.elementai.net/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/saltmaster.elementai.net/fullchain.pem (failure)
  /etc/letsencrypt/live/zabbix.utility.elementai.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

mnordhoff · December 20, 2018, 5:16pm

What OS is this on?

How was Certbot installed?

What version of Certbot is it?

Can you paste the traceback from letsencrypt.log?

metabsd · December 20, 2018, 5:24pm

I use ubuntu 16.04, I install it from apt official repo.

Version : 0.28.0-1

2018-12-20 17:03:00,057:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2018-12-20 17:03:00,059:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
2018-12-20 17:03:00,080:WARNING:certbot.renewal:Attempting to renew cert (zabbix.utility.elementai.net) from /etc/letsencrypt/renewal/zabbix.utility.elementai.net.conf produced an unexpected error: 'AWSHTTPSConnection' object has no attribute 'ssl_context'. Skipping.
2018-12-20 17:03:00,081:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1166, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 604, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 521, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 181, in register
    acme = acme_from_config_key(config, key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 51, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 763, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1097, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1046, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 502, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 612, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 345, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 846, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 311, in connect
    if self.ssl_context is None:
AttributeError: 'AWSHTTPSConnection' object has no attribute 'ssl_context'

2018-12-20 17:03:00,081:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2018-12-20 17:03:00,081:ERROR:certbot.renewal:  /etc/letsencrypt/live/saltmaster.elementai.net/fullchain.pem (failure)
  /etc/letsencrypt/live/zabbix.utility.elementai.net/fullchain.pem (failure)
2018-12-20 17:03:00,081:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1247, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 455, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 2 renew failure(s), 0 parse failure(s)

mnordhoff · December 20, 2018, 5:27pm

You mean Certbot PPA : “certbot” team?

It sounds like this issue:

github.com/certbot/certbot

certbot-dns-route53 failing with 'AWSHTTPSConnection' object has no attribute 'ssl_context'

opened 02:48PM - 26 Sep 18 UTC

closed 06:56PM - 10 Oct 18 UTC

andrewbanchich

area: pkging area: dns

## My operating system is (include version): Ubuntu 16.04 ## I installed C…ertbot with (certbot-auto, OS package manager, pip, etc): Ubuntu PPA ## I ran this command and it produced this output: I ran `sudo certbot renew --dry-run --dns-route53` and it produced: ``` Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected err or: 'AWSHTTPSConnection' object has no attribute 'ssl_context'. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure) ``` I believe this is happening due to [this botocore issue](https://github.com/boto/botocore/issues/1258#issuecomment-416155843).

github.com/certbot/certbot

Ubuntu PPA includes 'rogue' packages beyond python-certbot

opened 11:53AM - 09 Nov 17 UTC

closed 05:20PM - 25 Aug 20 UTC

alanfranz

area: debian / ubuntu area: pkging

## My operating system is (include version): Ubuntu 16.04 x86_64 ## I instal…led Certbot with (certbot-auto, OS package manager, pip, etc): Ubuntu PPA as per certbot instructions official recommendation on https://certbot.eff.org/all-instructions/#ubuntu-16-04-xenial-nginx ``` deb http://ppa.launchpad.net/certbot/certbot/ubuntu xenial main ``` ## I ran this command and it produced this output: ```apt-get -y upgrade``` [...cut...] ``` Get:38 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python-asn1crypto all 0.22.0-2+ubuntu16.04.1+certbot+1 [70.2 kB] Get:39 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python-certifi all 2017.4.17-2+ubuntu16.04.1+certbot+1 [177 kB] Get:40 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python-cffi-backend amd64 1.10.0-0.1+ubuntu16.04.1+certbot+1 [71.5 kB] Get:41 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python-chardet all 3.0.4-1+ubuntu16.04.1+certbot+2 [80.6 kB] Get:42 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python-idna all 2.5-1+ubuntu16.04.1+certbot+1 [31.5 kB] Get:43 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python-six all 1.11.0-1+ubuntu16.04.1+certbot+1 [11.9 kB] Get:44 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python-cryptography amd64 1.9-1+ubuntu16.04.1+certbot+2 [212 kB] Get:45 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python-openssl all 17.3.0-1~0+ubuntu16.04.1+certbot+1 [47.5 kB] Get:46 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python-requests all 2.18.1-1+ubuntu16.04.1+certbot+1 [76.5 kB] Get:47 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python-urllib3 all 1.21.1-1+ubuntu16.04.1+certbot+1 [97.2 kB] Get:48 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python3-certifi all 2017.4.17-2+ubuntu16.04.1+certbot+1 [177 kB] Get:49 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python3-chardet all 3.0.4-1+ubuntu16.04.1+certbot+2 [81.0 kB] Get:50 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python3-idna all 2.5-1+ubuntu16.04.1+certbot+1 [31.6 kB] Get:51 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python3-six all 1.11.0-1+ubuntu16.04.1+certbot+1 [12.0 kB] Get:52 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python3-requests all 2.18.1-1+ubuntu16.04.1+certbot+1 [76.1 kB] Get:53 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python3-urllib3 all 1.21.1-1+ubuntu16.04.1+certbot+1 [97.3 kB] ``` example for python-chardet: ``` python-chardet: Installed: 2.3.0-2 Candidate: 3.0.4-1+ubuntu16.04.1+certbot+2 Version table: 3.0.4-1+ubuntu16.04.1+certbot+2 500 500 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 Packages 500 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main i386 Packages *** 2.3.0-2 500 500 mirror://mirrors.ubuntu.com/mirrors.txt xenial/main amd64 Packages 500 mirror://mirrors.ubuntu.com/mirrors.txt xenial/main i386 Packages 500 http://ubuntu.mirrors.ovh.net/ftp.ubuntu.com/ubuntu xenial/main amd64 Packages 500 http://ubuntu.mirrors.ovh.net/ftp.ubuntu.com/ubuntu xenial/main i386 Packages 500 http://fr.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 500 http://fr.archive.ubuntu.com/ubuntu xenial/main i386 Packages 100 /var/lib/dpkg/status ``` ## Certbot's behavior differed from what I expected because: Since long (I've seen this be October, 23th, as per @oerdnj upload, but it seems that the issues existed before that), the Ubuntu PPA is providing, beyond python-certbot-* packages, a lot of python3 packages that **override default packages provided by the 16.04 distribution in main** with **radically different versions** (not just bugfix point releases). e.g. python-openssl was upgraded from 0.15 to 17.3 I wouldn't expect such a behaviour from certbot ppa; overriding system dependencies with custom versions could impact system stability and isn't generally advised. If updated python deps are required for certbot, either a) a forked package name version is advised, or b) the certbot package could provide a prebuilt virtualenv with separate dependencies.

Which is not exactly... fixed.

metabsd · December 20, 2018, 6:25pm

Yes!

If I use pip to install certbot, can I workaround that problem ?

Thank you!

rg305 · December 20, 2018, 9:30pm

Can you use certbot-auto?

system · January 19, 2019, 9:30pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
" The requested dns-route53 plugin does not appear to be installed." Help	21	16119	September 12, 2019
Renew --manual question Help	15	1161	August 27, 2018
Certbot renew --dry-run Help	3	89236	May 2, 2017
Failure Renew certificates Help	3	1404	July 11, 2018
Renew dry-run not working Help	2	2839	December 23, 2018

Problem when I renew with route53

Related topics