Renew failed : broken packages libssl1.1

thierryler · July 13, 2019, 9:30pm

Hello,
I just tried to renew my certificate on Debian

My domain is:
https://www.profil4-sandbox.com/

I ran this command:

/opt/letsencrypt/letsencrypt-auto renew

It produced this output:

Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
Get:1 http://ppa.launchpad.net/ondrej/php/ubuntu disco InRelease [20.8 kB]
Ign:2 http://deb.debian.org/debian stretch InRelease
Get:3 http://deb.debian.org/debian stretch-updates InRelease [91.0 kB]
Get:4 http://security.debian.org stretch/updates InRelease [94.3 kB]
Hit:5 http://deb.debian.org/debian stretch Release
Ign:1 http://ppa.launchpad.net/ondrej/php/ubuntu disco InRelease
Err:6 https://packages.sury.org/php stretch InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
Fetched 206 kB in 0s (382 kB/s)
Reading package lists... Done
W: GPG error: http://ppa.launchpad.net/ondrej/php/ubuntu disco InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4F4EA0AAE5267A6C
W: The repository 'http://ppa.launchpad.net/ondrej/php/ubuntu disco InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php stretch InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
W: Failed to fetch https://packages.sury.org/php/dists/stretch/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists... Done
Building dependency tree
Reading state information... Done
augeas-lenses is already the newest version (1.8.0-1+deb9u1).
libaugeas0 is already the newest version (1.8.0-1+deb9u1).
gcc is already the newest version (4:6.3.0-4).
libffi-dev is already the newest version (3.2.1-6).
python is already the newest version (2.7.13-2).
python-dev is already the newest version (2.7.13-2).
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libssl-dev : Depends: libssl1.1 (= 1.1.1c-1+ubuntu19.04.1+deb.sury.org+1) but 1.1.0k-1~deb9u1 is to be installed
 openssl : Depends: libssl1.1 (>= 1.1.1) but 1.1.0k-1~deb9u1 is to be installed
E: Unable to correct problems, you have held broken packages.

The operating system my web server runs on is (include version):
uname -a
Linux vpsXXXXXX 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot-auto --version fails…

_az · July 13, 2019, 9:38pm

I think you have busted your packages by mixing Ubuntu and Debian repositories. That can be a hard problem to solve, depending on the extent of the damage. No ideas from me, sorry.

If you already had a functioning certbot-auto installation, you might try add these parameters to your certbot-auto invocation to avoid the packaging problem:

--no-self-upgrade --no-bootstrap

thierryler · July 13, 2019, 9:44pm

If it helps, I’ve tried on an other server with the same config.

/opt/letsencrypt/letsencrypt-auto renew
Upgrading certbot-auto 0.35.1 to 0.36.0...
Replacing certbot-auto...

and it ends with the same error

The “–no-bootstrap” option worked on the 2nd server. Thanks

But now I’ve have to repear the 1st

thierryler · July 14, 2019, 10:01am

My first server seems KO I’ve tried:

apt install libssl1.1 -t stretch-backports

But it failed:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libssl1.1 : Depends: libc6 (>= 2.25) but 2.24-11+deb9u4 is to be installed
E: Unable to correct problems, you have held broken packages.

And now when I tried:

/opt/letsencrypt/letsencrypt-auto renew --no-bootstrap --no-self-upgrade --dry-run

It failed more:

Creating virtual environment...
Traceback (most recent call last):
  File "<stdin>", line 27, in <module>
  File "<stdin>", line 19, in create_venv
  File "/usr/lib/python2.7/subprocess.py", line 181, in check_call
    retcode = call(*popenargs, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 168, in call
    return Popen(*popenargs, **kwargs).wait()
  File "/usr/lib/python2.7/subprocess.py", line 390, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1024, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

I do not understand anything

thierryler · July 14, 2019, 10:35am

Well I’ve founded the solution. I had problems with apt-get update. I solved them, and now it works.

Thx everybody

system · August 13, 2019, 10:35am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.