Run "certbot certonly ..." failing

I am using the --dry-run flag since I am testing Ansible scripts. The command:

certonly --webroot --webroot-path /var/www/certbot
--email {{ cert_email }} --cert-name {{ domain_name }}
-d {{ domain_name }} --rsa-key-size 4096
--agree-tos --force-renewal --dry-run

was working and suddenly stopped a few days later.

When it was running correctly I was getting (letsencrypt.log):

2020-04-19 14:38:25,212:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2020-04-19 14:38:25,219:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/', new_authzr_uri=None, terms_of_service=None), , Meta(creation_dt=datetime.datetime(2020, 4, 19, 14, 27, 10, tzinfo=), creation_host=''))>

Now I'm getting:

2020-04-23 17:54:07,925:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f3c420f2a90> and installer None
2020-04-23 17:54:07,925:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2020-04-23 17:54:07,962:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 11, in
load_entry_point('certbot', 'console_scripts', 'certbot')()
File "/opt/certbot/src/certbot/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1347, in main
return config.func(config, plugins)
File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1217, in certonly
le_client = _init_le_client(config, auth, installer)
File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 603, in _init_le_client
acc, acme = _determine_account(config)
File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 511, in _determine_account
acc = display_ops.choose_account(accounts)
File "/opt/certbot/src/certbot/certbot/display/ops.py", line 83, in choose_account
code, index = z_util(interfaces.IDisplay).menu(
File "/opt/certbot/src/certbot/certbot/display/util.py", line 153, in menu
code, selection = self._get_valid_int_ans(len(choices))
File "/opt/certbot/src/certbot/certbot/display/util.py", line 411, in _get_valid_int_ans
ans = input_with_timeout(input_msg)
File "/opt/certbot/src/certbot/certbot/display/util.py", line 85, in input_with_timeout
raise EOFError

Why is that happening?

If I read the log correctly, you seem to have multiple ACME accounts and certbot doesn’t know which one to use, so it asks the user. But I’m guessing b/c of ansible, you’re not seeing the request for user input (?) and certbot times out waiting for the input.

If you’d use -n so certbot becomes non-interactive, it should immediately exit with an error stating certbot requires input, but non-interactive is requested.

Unfortunately, as far as I know (and can find in the certbot using guide), certbot doesn’t have a proper way of managing accounts. It does have some options for account manipulation, but I wouldn’t call that “managing” to be honest.

Something I thought of is that maybe you could use /etc/letsencrypt/cli.ini to select one of the accounts for ALL certbot purposes, but I’m entirely not sure if that’s possible. For example, the staging server uses another account compared to the live server. So setting one account ID in cli.ini probably isn’t going to work… But I’ve no idea how to get this to work without user input.

There’s an --account option documented under the “certbot unregister” command (don’t run it!). I’m not sure if it works for all commands.

I think it takes Certbot’s lengthy (pseudo)random account ID as the value.

Thanks for the answer. You are right, there are 2 accs:

I agree I should have one account for each prod and staging. There are 2 each.

I don't know why since I use the same email and domain on each run - simply looking for “The dry run was successful” in the log.

Do you think it's safe to remove a random account to make it work again?

It depends.

Check all the files in /etc/letsencrypt/renewal/; if you remove an account that is in active use to renew a certificate, I assume it will probably break renewal.

If any of them are using an account you want to delete, switch them to another account with a text editor or something.
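The check suggested above (which accounts do the files in /etc/letsencrypt/renewal/ still reference?), as an added example that is not part of the original thread or Certbot's own code. It assumes Certbot's usual layout of accounts/&lt;server&gt;/directory/&lt;account id&gt;/ under the config directory and an `account = <id>` line in each renewal file; the account IDs and the sample tree are constructed.

```python
import re
import tempfile
from pathlib import Path

# Renewal files are INI-like but start with keys outside any [section],
# which configparser rejects, so match the "account = <id>" line directly.
ACCOUNT_LINE = re.compile(r"^\s*account\s*=\s*(\S+)\s*$")

def accounts_on_disk(config_dir):
    """Account ID -> ACME server, read from accounts/<server>/directory/<id>/."""
    return {p.name: p.parent.parent.name
            for p in Path(config_dir, "accounts").glob("*/directory/*") if p.is_dir()}

def accounts_in_use(config_dir):
    """Account ID -> certificate names whose renewal config references it."""
    used = {}
    for conf in sorted(Path(config_dir, "renewal").glob("*.conf")):
        for line in conf.read_text().splitlines():
            match = ACCOUNT_LINE.match(line)
            if match:
                used.setdefault(match.group(1), []).append(conf.stem)
    return used

def unused_accounts(config_dir):
    """Accounts present on disk that no renewal config points at."""
    used = accounts_in_use(config_dir)
    return {a: s for a, s in accounts_on_disk(config_dir).items() if a not in used}

def build_sample(root):
    """Constructed sample tree: two production and two staging accounts, one cert."""
    layout = {"acme-v02.api.letsencrypt.org": ["prod-id-1", "prod-id-2"],
              "acme-staging-v02.api.letsencrypt.org": ["stage-id-1", "stage-id-2"]}
    for server, ids in layout.items():
        for acct in ids:
            Path(root, "accounts", server, "directory", acct).mkdir(parents=True)
    renewal = Path(root, "renewal")
    renewal.mkdir()
    (renewal / "example.com.conf").write_text(
        "version = 1.3.0\n"          # sectionless key, as in real renewal files
        "[renewalparams]\n"
        "account = prod-id-1\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)  # on a real host, pass /etc/letsencrypt instead
        print("in use:", accounts_in_use(tmp))
        for acct, server in sorted(unused_accounts(tmp).items()):
            print("not referenced:", server, acct)
```

Accounts listed as not referenced are the candidates for removal; any account that appears under "in use" should be left alone or the renewal file switched to another account first.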

For sure any of staging accounts could not be set for renewal so I have deleted both. Tests are not failing anymore.

Thanks for help. I will be looking for why (if ever again) the second account has been created.
