Renew fails: Could not select or initialize the requested installer none


#1

I try to renew certificates obtained using the letsencrypt client version 0.4.1 as it comes with Ubuntu 16.04 LTS. Since this client seems to be outdated, I’ve downloaded certbot-auto.

Using certbot-auto, I try to renew the certificates. Since I don’t want certbot to install stuff into my OS, I use the --no-bootstrap option:

$ sudo ./certbot-auto renew --no-bootstrap
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/foo.example.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
Could not choose appropriate plugin for updaters: Could not select or initialize the requested installer none.
...

What does this error message mean? What is the correct way to use certbot-auto to renew certificates?


#2

I don’t think I’ve seen that exact message before.

The traceback in /var/log/letsencrypt/letsencrypt.log might be useful.

Still… you probably shouldn’t use --no-bootstrap.

certbot-auto doesn’t install anything in a way that you should find problematic. It installs:

  • Normal Ubuntu packages the normal way by executing apt-get
  • Python packages from PyPI in a virtualenv in /opt/eff.org

It doesn’t contaminate your system with weird stuff.


#3

The log looks like this. Not using --no-bootstrap does not change anything.

$ sudo less /var/log/letsencrypt/letsencrypt.log
2019-01-18 09:31:38,863:DEBUG:certbot.main:certbot version: 0.30.0
2019-01-18 09:31:38,863:DEBUG:certbot.main:Arguments: []
2019-01-18 09:31:38,863:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-01-18 09:31:38,887:DEBUG:certbot.log:Root logging level set at 20
2019-01-18 09:31:38,888:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-01-18 09:31:38,935:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fe5efcadfd0> and installer <certbot.cli._Default object at 0x7fe5efcadfd0>
2019-01-18 09:31:38,978:INFO:certbot.renewal:Cert not yet due for renewal
2019-01-18 09:31:38,980:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer none
2019-01-18 09:31:38,980:WARNING:certbot.updater:Could not choose appropriate plugin for updaters: Could not select or initialize the requested installer none.
2019-01-18 09:31:39,020:INFO:certbot.renewal:Cert not yet due for renewal
2019-01-18 09:31:39,021:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer none
2019-01-18 09:31:39,021:WARNING:certbot.updater:Could not choose appropriate plugin for updaters: Could not select or initialize the requested installer none.
...
2019-01-18 09:31:39,099:WARNING:certbot.updater:Could not choose ap

#4

Using --force-renewal solved this issue.

But the error message is misleading. If the cert is not due for renewal, certbot should not complain about missing installers.


#5

For what it’s worth, there’s an open bug related to this error message:

I’m still shooting from the hip and don’t know what exactly is happening, so you can ignore the rest of this post, but my guess is that version 0.30.0 is unhappy about /etc/letsencrypt/renewal/ files generated by version 0.4.1’s certonly command.

Older versions used to create really long files specifying a bunch of useless default settings. Newer versions leave that stuff out.

If it’s just a warning, I guess that’s okay. If it’s an error that would have prevented renewal, Certbot ought to work around it.


#6

I tried to clarify this message in the GH issue linked above; I’ll paste the comment here for convenience. TL;DR: This is a warning message, meaning it’s non-fatal. There wasn’t an actual error in the OP’s message; Certbot was just saying that none of the certificates in fact needed to be renewed at the moment. The clarification comment is below:

Contrary to the issue title, this is not an error, but a warning, meaning it’s non-fatal. Certbot has Installer-specific functionality that gets run on the renew verb, regardless of whether a certificate needs to be renewed or not. This functionality is used for security enhancements like gradually increasing the HSTS max-age value in the Apache configuration, or refreshing the OCSP cache (upcoming).

That being said, automatically removing invalid values could cause some adverse side-effects, especially if we would be removing all invalid values (think of the Apache plugin being temporarily unavailable due to a packaging issue), while the user relies on one of the security enhancement functionalities described above. We’ll have to think of how to resolve this - a solution might be just to make the warning message more descriptive and underline the fact that it’s in fact non-fatal.
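
An added example, not part of the original thread and not Certbot's own code: a small triage script that splits a letsencrypt.log into records by the level field seen in post #3, so non-fatal WARNING entries like the one discussed here can be told apart from records that indicate a failed run. The function names and the choice of ERROR/CRITICAL as "fatal" levels are assumptions of this sketch.

```python
import re
from collections import Counter

# Line format as seen in the log posted above:
#   <date> <time>,<ms>:<LEVEL>:<logger>:<message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}):"
    r"(?P<level>[A-Z]+):(?P<logger>[\w.]+):(?P<msg>.*)$"
)
FATAL_LEVELS = {"ERROR", "CRITICAL"}  # assumption: standard Python logging level names

# Lines copied from the log in this thread (the last one is truncated there too).
SAMPLE_LOG = """\
2019-01-18 09:31:38,978:INFO:certbot.renewal:Cert not yet due for renewal
2019-01-18 09:31:38,980:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer none
2019-01-18 09:31:38,980:WARNING:certbot.updater:Could not choose appropriate plugin for updaters: Could not select or initialize the requested installer none.
2019-01-18 09:31:39,020:INFO:certbot.renewal:Cert not yet due for renewal
2019-01-18 09:31:39,099:WARNING:certbot.updater:Could not choose ap
"""

def parse(log_text):
    """Return one dict per log record; unprefixed lines join the previous record."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif records and line.strip():
            records[-1]["msg"] += "\n" + line  # traceback or wrapped text
    return records

def triage(log_text):
    """Summarise a run: counts per level, distinct warnings, fatal records."""
    records = parse(log_text)
    return {
        "levels": Counter(r["level"] for r in records),
        "warnings": Counter((r["logger"], r["msg"]) for r in records
                            if r["level"] == "WARNING"),
        "fatal": [r for r in records if r["level"] in FATAL_LEVELS],
    }

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(dict(result["levels"]))
    for (logger, msg), n in result["warnings"].items():
        print(f"{n}x WARNING {logger}: {msg}")
    print("fatal records:", len(result["fatal"]))
```
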