Python3 error in certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: patrickconnolly.net

I ran this command:
'certbot renew --dns-route53'
The AWS_CONFIG_FILE env var is set and contains the correct AWS credentials for the route53 DNS plugin. This command has worked before with the same setup - I'm wondering if there has been an upgrade to certbot which uses Python 3 instead of Python 2 and this breaks some code - see stack trace below.

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/patrickconnolly.net.conf


Failed to renew certificate patrickconnolly.net with error: '<' not supported between instances of 'NoneType' and 'NoneType'


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/patrickconnolly.net/fullchain.pem (failure)


My web server is (include version):
nginx/1.18.0 (Ubuntu) (not applicable in this case I think)

The operating system my web server runs on is (include version):
Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is:
AWS (Not applicable in this case I believe)

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): using snaps for certbot and certbot-dns-route53
certbot version: 1.13.0
certbot-dns-route53 version: 1.13.0

The stack trace given in the logs is:
2021-03-09 12:42:35,684:ERROR:certbot._internal.renewal:Failed to renew certificate patrickconnolly.net with error: '<' not supported between instances of 'NoneType' and 'NoneType'
2021-03-09 12:42:35,684:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/snap/certbot/1042/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 463, in handle_renewal_request
renewal_candidate.ensure_deployed()
File "/snap/certbot/1042/lib/python3.8/site-packages/certbot/_internal/storage.py", line 813, in ensure_deployed
if self.has_pending_deployment():
File "/snap/certbot/1042/lib/python3.8/site-packages/certbot/_internal/storage.py", line 832, in has_pending_deployment
smallest_current = min(self.current_version(x) for x in ALL_FOUR)
TypeError: '<' not supported between instances of 'NoneType' and 'NoneType'

1 Like

To me, this signals there is something wrong with the currently stored certificate and private key files in /etc/letsencrypt/. Can you show me the entire output of:

ls -l /etc/letsencrypt/live/patrickconnolly.net/

,

cat /etc/letsencrypt/renewal/patrickconnolly.net.conf

and

ls -l /etc/letsencrypt/archive/patrickconnolly.net/

?

1 Like

You're both right, @ConnPK & @Osiris

That comparison operation was valid in Python2 and not in Python3...

But triggering it is more indicative of some error in the configuration.

1 Like

Hi Osiris, here's the output from those commands:

ls -l /etc/letsencrypt/live/patrickconnolly.net/
total 4
-rw-r--r-- 1 root root 543 Sep 21 2019 README
lrwxrwxrwx 1 root root 42 Dec 26 16:52 cert.pem -> ../../archive/patrickconnolly.net/cert.pem
lrwxrwxrwx 1 root root 43 Dec 26 16:51 chain.pem -> ../../archive/patrickconnolly.net/chain.pem
lrwxrwxrwx 1 root root 47 Dec 26 16:51 fullchain.pem -> ../../archive/patrickconnolly.net/fullchain.pem
lrwxrwxrwx 1 root root 45 Dec 26 16:51 privkey.pem -> ../../archive/patrickconnolly.net/privkey.pem

cat /etc/letsencrypt/renewal/patrickconnolly.net.conf

renew_before_expiry = 30 days

version = 1.9.0
archive_dir = /etc/letsencrypt/archive/patrickconnolly.net
cert = /etc/letsencrypt/live/patrickconnolly.net/cert.pem
privkey = /etc/letsencrypt/live/patrickconnolly.net/privkey.pem
chain = /etc/letsencrypt/live/patrickconnolly.net/chain.pem
fullchain = /etc/letsencrypt/live/patrickconnolly.net/fullchain.pem

Options used in the renewal process

[renewalparams]
account = eb082dc87d688e11569fc563849a8b1a
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = dns-route53

ls -l /etc/letsencrypt/archive/patrickconnolly.net/
total 16
-rw-r--r-- 1 root root 1887 Dec 26 15:43 cert.pem
-rw-r--r-- 1 root root 1586 Dec 26 15:43 chain.pem
-rw-r--r-- 1 root root 3473 Dec 26 15:43 fullchain.pem
-rw------- 1 root root 1708 Dec 26 15:43 privkey.pem

The files in /archive/ should have a number, e.g. cert1.pem. It looks like you've modified the file names in that directory manually?

4 Likes

Aaah good catch @Osiris, I had completely forgotten - I did rename them. I have a few bash scripts that do the auto renewing and copy the certs to an ssl directory, and I removed the numeric suffix. I just added it back and the renewal went through fine.
Thanks a lot for your help, I would never have spotted it.

5 Likes
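An added example, not part of the thread and not certbot's own code: a simplified pre-renewal check that each live/ symlink resolves to a numbered archive file (cert1.pem, not cert.pem), which is the condition that produced the TypeError above. The names current_version and ALL_FOUR are borrowed from the traceback but reimplemented here as assumptions; the example.test lineage is constructed in a temporary directory.

```python
import os
import re
import tempfile

ALL_FOUR = ("cert", "privkey", "chain", "fullchain")

def current_version(live_dir, kind):
    """Return N if live/<kind>.pem links to <kind>N.pem, else None (simplified model)."""
    link = os.path.join(live_dir, kind + ".pem")
    if not os.path.islink(link):
        return None
    target = os.path.basename(os.readlink(link))
    match = re.fullmatch(re.escape(kind) + r"([0-9]+)\.pem", target)
    return int(match.group(1)) if match else None

def check_lineage(live_dir):
    """List every item whose symlink target lacks the numeric suffix."""
    problems = []
    for kind in ALL_FOUR:
        if current_version(live_dir, kind) is None:
            problems.append(kind + ".pem: target is not " + kind + "<N>.pem")
    return problems

def build_sample(root, numbered):
    """Create a constructed live/ + archive/ pair for the placeholder name example.test."""
    live = os.path.join(root, "live", "example.test")
    archive = os.path.join(root, "archive", "example.test")
    os.makedirs(live)
    os.makedirs(archive)
    for kind in ALL_FOUR:
        name = kind + ("1" if numbered else "") + ".pem"
        open(os.path.join(archive, name), "w").close()
        os.symlink(os.path.join("..", "..", "archive", "example.test", name),
                   os.path.join(live, kind + ".pem"))
    return live

def demo():
    """Return (problems for a numbered lineage, problems for a renamed one)."""
    with tempfile.TemporaryDirectory() as root:
        good = build_sample(os.path.join(root, "good"), numbered=True)
        bad = build_sample(os.path.join(root, "bad"), numbered=False)
        return check_lineage(good), check_lineage(bad)

if __name__ == "__main__":
    ok, broken = demo()
    print("numbered lineage:", ok or "no problems")
    print("renamed lineage:", broken)
```

Scripts that copy certificates elsewhere should read through the live/ symlinks and leave the archive/ file names untouched.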
