Segmentation fault installing nginx plugin


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

thomiel.spdns.de

I ran this command:

sudo apt-get install python-certbot-nginx

It produced this output:

sudo apt-get install python-certbot-nginx
Paketlisten werden gelesen… Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen… Fertig
Die folgenden Pakete wurden automatisch installiert und werden nicht mehr benötigt:
python-acme python-certbot python-configargparse python-configobj python-dnspython python-funcsigs python-mock python-parsedatetime python-pbr python-pyicu python-rfc3339 python-tz python-zope.component python-zope.event
python-zope.hookable python-zope.interface
Verwenden Sie »sudo apt autoremove«, um sie zu entfernen.
The following additional packages will be installed:
certbot python3-acme python3-certbot python3-certbot-nginx python3-configargparse python3-configobj python3-josepy python3-mock python3-parsedatetime python3-pbr python3-pyparsing python3-requests-toolbelt python3-rfc3339
python3-tz python3-zope.component python3-zope.event python3-zope.hookable python3-zope.interface
Vorgeschlagene Pakete:
python3-certbot-apache python-certbot-doc python-acme-doc python-certbot-nginx-doc python-configobj-doc python-mock-doc python-pyparsing-doc
Empfohlene Pakete:
python3-pyicu
Die folgenden NEUEN Pakete werden installiert:
python-certbot-nginx python3-acme python3-certbot python3-certbot-nginx python3-configargparse python3-configobj python3-josepy python3-mock python3-parsedatetime python3-pbr python3-pyparsing python3-requests-toolbelt
python3-rfc3339 python3-tz python3-zope.component python3-zope.event python3-zope.hookable python3-zope.interface
Die folgenden Pakete werden aktualisiert (Upgrade):
certbot
1 aktualisiert, 18 neu installiert, 0 zu entfernen und 210 nicht aktualisiert.
Es mĂĽssen noch 0 B von 905 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 4.704 kB Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren? [J/n] j
Segmentation fault
E: Unterprozess /usr/bin/apt-listchanges --apt || test ? -lt 10 hat Fehlercode zurĂĽckgegeben (1) E: Failure running script /usr/bin/apt-listchanges --apt || test ? -lt 10

My web server is (include version):

nginx 1.10.3

The operating system my web server runs on is (include version):

raspian ( 4.14.52+ #1123 Wed Jun 27 17:05:32 BST 2018 armv6l GNU/Linux )

My hosting provider, if applicable, is:

n/a

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

0.10.2


#2

Hallo @thomiel,

I believe someone identified a problem in Raspian where there are different kinds of ARM processor which some versions of Raspian treat as the same, where in reality the CPUs are different and do not support the exact same binaries. Perhaps I can find the earlier thread here.

If we don’t find a straightforward solution, maybe you could ask on a Raspian forum since the problem of segmentation faults when installing packages will probably be familiar to them. :frowning:


#3

Thanks, but I will stick with the webroot plugin then. I hope I finally figured out the correct line in my crontab:

@weekly root certbot renew --webroot --webroot-path /var/www/html –post-hook „service nginx restart“


#4

You should/could run that daily.
It will mostly just check and do nothing.


#5

I think I have read somewhere that after two months certbot will allow the certificate to be renewed. As the certificate runs three months, there are plenty of opportunities even if checks are @weekly. Where am I wrong here?


#6

It only tries to renew during the last 30 days (not throughout all 90 days).
So how many 7 day intervals are there in a 30 day period?
[how many chances to renew]
At best 5.
@weekly limits your system to (at most) 5 chances to renew the cert before it expires.
@daily limits your system to 30 chances to renew.


#7

@rg305 Right. So you are implying 4-5 chances wouldn’t be engouh?


#8

Yes; if anything goes wrong…
I’m saying 30 tries is a lot better than 4-5 tries.

this from: https://certbot.eff.org/docs/using.html
Since renew only renews certificates that are near expiry it can be run as frequently as you want - since it will usually take no action.

It is normally recommended at twice a day (with a delayed offset).


#9

Wouldn’t make much difference, in my opinion. But the offset you mentioned makes sense, so that not all servers request new certificates at midnight – depending on the timezone, this can put some load on the certservers. So I have changed my crontab to run certbot at a random time on a random weekday.


#10

The randomizing does help to reduce spikes.

But the recommended scheduling is twice a day:
[repeated in this forum many times - here is one of them]

“We recommend running certbot renew twice a day every day from cron. It will renew your certificates when they’re a month from expiry.”


#11

The –post-hook „service nginx restart“ means that I restart the nginx service in case the certificate has been renewed so the web server won’t be accessible for a second (otherwise nginx does not recognize the new certificate because it somehow has cached the old one). So I want to reduce the frequency of renewal runs to a minimum. Avoiding the restart was actually my motivation for trying to install the nginx plugin in the first place.


#12

Certbot only runs the hook when renewing a certificate, not every time it runs.

And if you use "service nginx reload", Nginx will gracefully reload without downtime.


#13

From: https://certbot.eff.org/docs/using.html

When Certbot detects that a certificate is due for renewal, --pre-hook and --post-hook hooks run before and after each attempt to renew it. If you want your hook to run only after a successful renewal, use --deploy-hook in a command like this.

certbot renew --deploy-hook /path/to/deploy-hook-script


closed #14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.