Renew certificate, Parse failure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: f103.nl

I ran this command: certbot renew

It produced this output: Processing /etc/letsencrypt/renewal/f103.nl.conf


Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 408, in __init__
self.configfile = configobj.ConfigObj(config_filename)
File "/usr/lib/python3/dist-packages/configobj.py", line 1229, in __init__
self._load(infile, configspec)
File "/usr/lib/python3/dist-packages/configobj.py", line 1318, in _load
raise error
File "<string>", line None
configobj.ParseError: Invalid line ('/etc/letsencrypt/live/f103.nl/privkey.pem > /etc/icecast2/bundle.pem && service icecast2 restart') (matched as neither section nor keyword) at line 19.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 65, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 411, in __init__
"error parsing {0}".format(config_filename))
certbot.errors.CertStorageError: error parsing /etc/letsencrypt/renewal/f103.nl.conf
Renewal configuration file /etc/letsencrypt/renewal/f103.nl.conf is broken. Skipping.


No renewals were attempted.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/f103.nl.conf (parsefail)

My web server is (include version): Icecast2

The operating system my web server runs on is (include version): ubuntu 18.04.5

My hosting provider, if applicable, is: My own VPS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):?

What am I doing wrong? Please help.

As the message describes, that is not a valid line. Can you upload:
/etc/letsencrypt/renewal/f103.nl.conf

Do you know how that got into the renewal conf file? Did you put it there manually or was it part of a hook command when you created the cert initially?

2 Likes

This is the print of the file:

renew_before_expiry = 30 days

version = 0.27.0
archive_dir = /etc/letsencrypt/archive/f103.nl
cert = /etc/letsencrypt/live/f103.nl/cert.pem
privkey = /etc/letsencrypt/live/f103.nl/privkey.pem
chain = /etc/letsencrypt/live/f103.nl/chain.pem
fullchain = /etc/letsencrypt/live/f103.nl/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = dc44e70a3e0b4d5c70b687163dcf0cef
authenticator = webroot
webroot_path = /usr/share/icecast2/web,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
f103.nl = /usr/share/icecast2/web
www.f103.nl = /usr/share/icecast2/web
post_hook = cat /etc/letsencrypt/live/f103.nl/fullchain.pem
/etc/letsencrypt/live/f103.nl/privkey.pem > /etc/icecast2/bundle.pem && service icecast2 restart

Would you please do what I asked above? It would be helpful to see the file as it is - with line endings in place.

Also, you did not answer my question about how that line got there.

2 Likes

I put the lines below there myself:

"post_hook = cat /etc/letsencrypt/live/f103.nl/fullchain.pem
/etc/letsencrypt/live/f103.nl/privkey.pem > /etc/icecast2/bundle.pem && service icecast2 restart"

Needs to be on one line. You keep showing it like it is two.

If you used the --post-hook option during the renew it would properly update the renewal conf for you.

2 Likes

When I make it one line, this is the output after the renew command:


Processing /etc/letsencrypt/renewal/f103.nl.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for f103.nl
http-01 challenge for www.f103.nl
Cleaning up challenges
Encountered exception during recovery:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 126, in _solve_challenges
resp = self.auth.perform(all_achalls)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 83, in perform
self._create_challenge_dirs()
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 172, in _create_challenge_dirs
stat_path = os.stat(path)
FileNotFoundError: [Errno 2] No such file or directory: 'cat /etc/letsencrypt/live/f103.nl/fullchain.pem /etc/letsencrypt/live/f103.nl/privkey.pem > /etc/icecast2/bundle.pem && service icecast2 restart'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
self.funcs[-1]()
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 310, in _cleanup_challenges
self.auth.cleanup(achalls)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 222, in cleanup
os.remove(validation_path)
FileNotFoundError: [Errno 2] No such file or directory: '/usr/share/icecast2/web/.well-known/acme-challenge/sqPhBFg0kV1ds48c-U7GGAfXCuxBliAh3tnrTCHrQMQ'
Attempting to renew cert (f103.nl) from /etc/letsencrypt/renewal/f103.nl.conf produced an unexpected error: [Errno 2] No such file or directory: 'cat /etc/letsencrypt/live/f103.nl/fullchain.pem /etc/letsencrypt/live/f103.nl/privkey.pem > /etc/icecast2/bundle.pem && service icecast2 restart'. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/f103.nl/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/f103.nl/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

I think you want deploy_hook and not post_hook anyway. But, you will also need to disable hook validation. See this page in the docs for details of the hooks. There are also other ways of setting them up in hook folders.

https://certbot.eff.org/docs/using.html?highlight=hook#certbot-command-line-options

  --post-hook POST_HOOK
                        Command to be run in a shell after attempting to
                        obtain/renew certificates. Can be used to deploy
                        renewed certificates, or to restart any servers that
                        were stopped by --pre-hook. This is only run if an
                        attempt was made to obtain/renew a certificate. If
                        multiple renewed certificates have identical post-
                        hooks, only one will be run. (default: None)
  --deploy-hook DEPLOY_HOOK
                        Command to be run in a shell once for each
                        successfully issued certificate. For this command, the
                        shell variable $RENEWED_LINEAGE will point to the
                        config live subdirectory (for example,
                        "/etc/letsencrypt/live/example.com") containing the
                        new certificates and keys; the shell variable
                        $RENEWED_DOMAINS will contain a space-delimited list
                        of renewed certificate domains (for example,
                        "example.com www.example.com" (default: None)
  --disable-hook-validation
                        Ordinarily the commands specified for --pre-
                        hook/--post-hook/--deploy-hook will be checked for
                        validity, to see if the programs being run are in the
                        $PATH, so that mistakes can be caught early, even when
                        the hooks aren't being run just yet. The validation is
                        rather simplistic and fails if you use more advanced
                        shell constructs, so you can use this switch to
                        disable it. (default: False)

Instead of using the certbot hooks you could also make your own script. Example of a "myRenew.sh" :

sudo certbot renew (...)
cat (...)
echo (...)
and so on
1 Like

Thank you for the help but it did not work in any way. This is too much text / info for me. I'm visually impaired. So can you help me anyway?

1 Like

I cannot reproduce your error. So I am not sure how to help you using very little text. Can you upload the renewal file?

If not, paste it here but mark it as preformatted text (from formatting menu or Ctrl-E)

2 Likes

Instead of two separate lines (which is invalid syntax and fails):

Try it as one line:
post_hook = 'cat /etc/letsencrypt/live/f103.nl/fullchain.pem /etc/letsencrypt/live/f103.nl/privkey.pem > /etc/icecast2/bundle.pem && service icecast2 restart'

Or perhaps, even better, as a script file:

1 Like

Yeah, it looks like they tried that, Rudy, and it did not work. That is why I suggested disabling hook validation (for the 'not found' part). I agree though that it should work - just puzzled why it seemed not to.

2 Likes

Yeah, I see that now :frowning:

2 Likes

Just note that --deploy-hook is used on the command line but renew_hook is the name used in the renewal conf file (sorry about that). This hook only runs after a cert is actually created and is better for this case.

2 Likes

Both operate in the same way - just at different times.
Once either is used in a successful issuance/renewal, the renewal config file is updated.
So either way would still need to call a script (for such complicated instructions).

2 Likes
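A deploy hook script for this case, added here as an example and not code from the thread or from Certbot: it does what the two-line post_hook above tried to do, but runs once per successful renewal (--deploy-hook on the command line, renew_hook in the renewal conf, as noted in the two replies above), writes the bundle through a 0600 temp file so the private key is never world-readable, and only acts when the f103.nl lineage renewed. BUNDLE, ICECAST_GROUP and the script's install path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a certbot deploy hook that builds the
# Icecast bundle (fullchain + private key) only for the renewed lineage.
# Certbot exports RENEWED_LINEAGE (the live dir) and RENEWED_DOMAINS
# (space-separated names) when it calls the hook. BUNDLE, ICECAST_GROUP and
# the script path are assumptions; adjust them for the host.
set -eu
umask 077   # anything this script creates is private by default

BUNDLE="${BUNDLE:-/etc/icecast2/bundle.pem}"
ICECAST_GROUP="${ICECAST_GROUP:-icecast}"

# make_bundle LINEAGE OUT: concatenate fullchain.pem and privkey.pem from
# LINEAGE into OUT via a 0600 temp file and an atomic rename, so the private
# key is never world-readable and a half-written bundle never replaces a good one.
make_bundle() {
    lineage="$1"; out="$2"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    tmp="$(mktemp "$(dirname "$out")/.bundle.XXXXXX")"
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    # refuse to install a bundle that is missing either half
    if ! grep -q 'BEGIN CERTIFICATE' "$tmp" || ! grep -q 'PRIVATE KEY' "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    mv -f "$tmp" "$out"
}

# wants_bundle DOMAINS: true if the lineage that just renewed is the one
# Icecast serves, so other lineages on the host do not restart the stream.
wants_bundle() {
    for d in $1; do
        [ "$d" = "f103.nl" ] && return 0
    done
    return 1
}

main() {
    wants_bundle "${RENEWED_DOMAINS:-}" || exit 0
    make_bundle "$RENEWED_LINEAGE" "$BUNDLE"
    # readable by root and the icecast group only; the key lives in this file
    chgrp "$ICECAST_GROUP" "$BUNDLE"
    chmod 640 "$BUNDLE"
    service icecast2 restart
}

# Certbot sets RENEWED_LINEAGE when it runs the hook; when sourced for testing it is unset.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Install it as an executable file and reference it with a single line such as renew_hook = /usr/local/bin/icecast-deploy-hook.sh (hypothetical path), so the renewal conf contains a plain command rather than a shell pipeline that hook validation has to understand.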

Agree. They are combining the chain and private key and restarting the server so only needs to be done with fresh data. No great harm in doing it each try unless the server restart is disruptive. Yes, I checked, that server really needs the private key in a "bundle".

2 Likes

The trick here is that you can't do that in one line at the Linux (even as root) prompt.
You can say:
cat /some/file
But you can't say:
"cat /some/file"
BASH won't like it wrapped in any kind of quotes :frowning:

2 Likes

Hmmm. I tested that this works:
post_hook = cat test.conf test.conf > test2.test && service nginx reload && echo test12-22

Also these work.

post_hook = 'cat test.conf test.conf > test2.test && service nginx reload && echo test12-22'
post_hook = "cat test.conf test.conf > test2.test && service nginx reload && echo test12-22"

Might Certbot remove the quotes during parse before issuing command?

2 Likes

You didn't see anything unusual in the LE logs?
Did the test2.test file get created each time?
[you should have used differently named files - one for each test]

What version of certbot did you use?

2 Likes

I looked at time stamps of the result file - always changed. Did not look in LE log but no error running command was displayed. I did get a display that the "service" command redirected to "systemctl" to confirm it ran as well (which was expected and handy to see).

I am using 1.21. OH! Maybe that's it - they are, um, much older!

Anyway, I'm out - g'night :slight_smile:

2 Likes