Renew or create produced an unexpected error: 'ascii' codec can't encode character u'\xe1' in position 271: ordinal not in range(128). Skipping

Hello,

I have some domains with a - character. There is a problem with renew and certonly. It throws this error:

Attempting to renew cert from /usr/local/etc/letsencrypt/renewal/my-domain.cz.conf produced an unexpected error: 'ascii' codec can't encode character u'\xe1' in position 271: ordinal not in range(128). Skipping.

Thank you for help.
D

Hi @darius1706,

Is there a non-ASCII character in the my-domain.cz file?

There is also a known bug in older versions of Certbot where if your web server returns an error page (like a 404 error document) with a non-ASCII character, and the certificate authority quotes the error back to Certbot, Certbot will encounter this error. What version of Certbot do you have?

Hello,
I don't think so - the file was created over PuTTY on a FreeBSD machine with the command “certbot certonly”. On the filesystem the file looks to be without problems.

I use certbot 0.16.0 from FreeBSD pkg system.

Thank you
D

Could you run

tr -d '\0-\177' < /usr/local/etc/letsencrypt/renewal/my-domain.cz.conf | wc -c

to confirm whether this file is really only comprised of ASCII characters?

You might potentially have found a previously unknown bug in Certbot related to Unicode. Could you post the log file which might be in /var/log/letsencrypt (or perhaps /usr/local/var/log/letsencrypt) to show more about what Certbot was trying to do at the moment that it encountered this error?

Tip: Another good test I’ve found for files that might not be ASCII after all is to run:

iconv -f ASCII filename > /dev/null

Regardless of what locale the user is in this forces iconv to “decode” the input as ASCII and it reports any errors while doing so.

tr -d '\0-\177' < /usr/local/etc/letsencrypt/renewal/my-domain.cz.conf | wc -c
0

This shows nothing, without errors.

And here is log:

2017-09-06 07:28:39,999:INFO:certbot.auth_handler:Cleaning up challenges
2017-09-06 07:28:39,999:DEBUG:certbot.plugins.webroot:Removing /data/www/my-domain.cz/httpdocs/.well-known/acme-challenge/MIS39_2wW6iaN1xTOdijRESlKNZOWk3wMechBVUji-4
2017-09-06 07:28:40,000:DEBUG:certbot.plugins.webroot:Removing /data/www/my-domain.cz/httpdocs/.well-known/acme-challenge/kL2gOkZZOQiYgB9l9RE6sxjmCQrgXtUU28IQan417co
2017-09-06 07:28:40,000:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /data/www/my-domain.cz/httpdocs/.well-known/acme-challenge
2017-09-06 07:28:40,000:WARNING:certbot.renewal:Attempting to renew cert from /usr/local/etc/letsencrypt/renewal/my-domain.cz.conf produced an unexpected error: 'ascii' codec can't encode character u'\xe1' in position 271: ordinal not in range(128). Skipping.
2017-09-06 07:28:40,054:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/certbot/renewal.py", line 419, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 641, in renew_cert
    _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 77, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/local/lib/python2.7/site-packages/certbot/renewal.py", line 297, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/local/lib/python2.7/site-packages/certbot/client.py", line 317, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 201, in _poll_challenges
    _report_failed_challs(all_failed_achalls)
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 492, in _report_failed_challs
    _generate_failed_chall_msg(achalls), reporter.MEDIUM_PRIORITY)
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 508, in _generate_failed_chall_msg
    if messages.is_acme_error(error):
  File "/usr/local/lib/python2.7/site-packages/acme/messages.py", line 39, in is_acme_error
    return (ERROR_PREFIX in str(err)) or (OLD_ERROR_PREFIX in str(err))
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe1' in position 271: ordinal not in range(128)

2017-09-06 07:28:40,054:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in
    load_entry_point('certbot==0.16.0', 'console_scripts', 'certbot')()
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 743, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 693, in renew
    renewal.handle_renewal_request(config)
  File "/usr/local/lib/python2.7/site-packages/certbot/renewal.py", line 436, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

That looks like the bug @schoen mentioned. It was fixed in Certbot 0.17.0. :sweat:

Farther up in the log file it should show exactly what went wrong.

Importantly, there are two separate issues:

  1. The certificate failed to renew, and the Let’s Encrypt API server returned an error to Certbot.

  2. Due to the aforementioned bug, Certbot was unable to understand the non-ASCII error message, and broke.

Upgrading Certbot to 0.17.0 would fix the second issue, but not the first one. (Well, unless it was failing to renew due to some other bug.)

Usually this happens because the Let’s Encrypt validation server tried to download http://my-domain.cz/.well-known/acme-challenge/xxxxxxxx and, instead of receiving the expected challenge file, received some sort of non-ASCII “404 Not Found” or “403 Forbidden” error page, or other HTML document.

But we can’t be sure without knowing the error message.

It would be best if you could upgrade to a newer version of Certbot, but it should be possible to make progress and renew your certificates even if you can’t. (It just means digging error messages out of log files when “certbot renew” can’t display them.)

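The failure mode described in the post above, as an added example that is not part of the thread and not Certbot's own code. It is written for Python 3, so the implicit ASCII encode that Python 2's `str()` performs on unicode text is reproduced explicitly; the error detail is constructed, and the prefix values and helper names are assumptions.

```python
# Added illustration (not Certbot code). Python 3 stand-in for the Python 2
# behaviour seen in the traceback: str() on unicode text encodes it as ASCII.

# Assumed values for the two constants named in the traceback.
ERROR_PREFIX = "urn:ietf:params:acme:error:"
OLD_ERROR_PREFIX = "urn:acme:error:"

# Constructed sample: an error detail in which the CA quotes back a
# non-ASCII 404 page served in place of the challenge file.
SAMPLE_DETAIL = (
    "urn:acme:error:unauthorized :: Invalid response from "
    "http://my-domain.cz/.well-known/acme-challenge/xxxxxxxx: "
    "\"<!DOCTYPE html><title>Str\u00e1nka nenalezena</title>\""
)


def py2_str(text):
    """Emulate Python 2 str() on a unicode object: implicit ASCII encode."""
    return text.encode("ascii").decode("ascii")


def is_acme_error_fragile(detail):
    """Shape of the failing check: coerce to ASCII first, then search."""
    return ERROR_PREFIX in py2_str(detail) or OLD_ERROR_PREFIX in py2_str(detail)


def is_acme_error_text(detail):
    """Search the text as text; there is no encoding step that can fail."""
    return ERROR_PREFIX in detail or OLD_ERROR_PREFIX in detail


def non_ascii_positions(text):
    """Locate the characters an ASCII encode would reject, with their index."""
    return [(i, ch) for i, ch in enumerate(text) if ord(ch) > 127]


def printable(text):
    """Escape non-ASCII so the message can still be logged or displayed."""
    return text.encode("ascii", "backslashreplace").decode("ascii")


if __name__ == "__main__":
    try:
        is_acme_error_fragile(SAMPLE_DETAIL)
    except UnicodeEncodeError as exc:
        print("fragile check failed:", exc)
    print("text check:", is_acme_error_text(SAMPLE_DETAIL))
    print("offending characters:", non_ascii_positions(SAMPLE_DETAIL))
    print("safe to log:", printable(SAMPLE_DETAIL))
```

The fragile check fails before the error can be reported, which is why the underlying validation failure has to be read from the log on affected versions.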

It could be, because I made a redirect to HTTPS. I will try it.

But 0.17.0 is still not in FreeBSD, so I will try it.

That could do it. It's okay to redirect to HTTPS -- Let's Encrypt will follow redirects -- but it has to find the right file in the end.

/usr/local/etc/letsencrypt/renewal/my-domain.cz.conf will show where Certbot is putting the files. Is it correct and consistent with the web server configuration? my-domain.cz.conf or the web server's config may need to be changed.

The web server's error.log may also show more about what happened.

It helps. The problem is that WordPress is running on this domain. When the file does not exist, I got a 404 with some text from WordPress.
Thank you.
