Strange error involving ssl.conf line


#1

Encountered an odd error during a cert renewal that I was able to resolve but would love someone to shed light on why this happened.

Here’s what happened (this is on Amazon Linux 2, Apache 2.4):

    [ec2-user@ip-177-77-77-77 ~]$ sudo certbot renew --debug --dry-run
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/mydomain.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert is due for renewal, auto-renewing...
    Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.
    The error was: PluginError('There has been an error in parsing the file /etc/httpd/conf.d/ssl.conf on line 149: Syntax error',)
    Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: The apache plugin is not working; there may be problems with your existing configuration.
    The error was: PluginError('There has been an error in parsing the file /etc/httpd/conf.d/ssl.conf on line 149: Syntax error',). Skipping.
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates below have not been saved.)

    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates above have not been saved.)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Exiting abnormally:
    Traceback (most recent call last):
      File "/bin/certbot", line 9, in <module>
        load_entry_point('certbot==0.29.1', 'console_scripts', 'certbot')()
      File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1352, in main
        return config.func(config, plugins)
      File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1259, in renew
        renewal.handle_renewal_request(config)
      File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 457, in handle_renewal_request
        len(renew_failures), len(parse_failures)))
    Error: 1 renew failure(s), 0 parse failure(s)
    Please see the logfiles in /var/log/letsencrypt for more details.

I checked line 149 in ssl.conf, and it was commented out:

    #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

When I removed that line, it worked. But why? If it’s commented out, why would it matter?

Totally confused. Please enlighten me.


#2

The line fails syntax checks:
I count two left “(” and only one right “)” = unbalanced.

How it got that way… is another question.


#3

I think I remember seeing something like that before and that it also had a backslash at the end of the line, so that may be relevant - maybe the backslash confuses Certbot’s parser somehow?


#4

Ending with a backslash seems to imply that this line continues on the next.
Does it continue on the next line? Does it just end there?
But if he commented out this part only, how would it then pass syntax checks?

Can we see the line(s) that follow?


#5

After I pulled my hair out for a while trying to figure out what in the world the problem was, I finally just removed this entire block that included the offending line:

    #<Location />
    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

I’m still confused, though. I thought if the line begins with a # then everything on that line is just ignored. Isn’t that the whole point of having comments? Is this normal or expected behavior? I’ve never run into it before and it’s challenging my understanding of how comment symbols work…

Incidentally, this whole block was in the default ssl.conf that got installed in Apache, as far as I know I never touched it (until now!).
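The two observations in #2 (each physical line of that block has unbalanced parentheses) and #5 (the block as a whole is a backslash-continued comment) can be checked mechanically before running `certbot renew`. The script below is an added example written for this thread; it is not certbot's Apache parser and it does not claim to reproduce why certbot 0.29.1 rejected line 149 (the thread never settles that, see #6). It simply shows both views of the same text: the parenthesis balance of every physical line, and the balance after backslash continuations are joined into one logical line. The `SAMPLE_SSL_CONF` text is constructed here from the block quoted in #5; the `SSLEngine`, `SSLProtocol` and `SSLOptions` lines around it are assumed filler, and the `drop_physical_line` helper is a hypothetical convenience for replaying what the original poster did first (deleting only line 149).

```python
"""Pre-flight check for Apache config text: report lines with unbalanced
parentheses, once per physical line and once per backslash-joined logical
line. Added example for the certbot/ssl.conf thread; not certbot's parser."""
from typing import Dict, List, Tuple

# Constructed sample: the commented-out <Location /> block from post #5,
# wrapped in a few assumed ssl.conf lines so the line numbers are realistic.
SAMPLE_SSL_CONF = r"""SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
SSLOptions +StdEnvVars
"""


def paren_balance(s: str) -> int:
    """Net '(' minus ')' in s. Deliberately naive: it does not know that
    '(EXP|NULL)' sits inside an m/.../ regex, which is exactly what a
    grammar-unaware line check would see."""
    return s.count("(") - s.count(")")


def physical_lines(text: str) -> List[Tuple[int, str]]:
    """(1-based line number, line) for every physical line of the file."""
    return list(enumerate(text.splitlines(), start=1))


def logical_lines(text: str) -> List[Tuple[int, str]]:
    """Join lines that end in a backslash with the line that follows, as
    Apache's continuation syntax does. Returns (first physical line number,
    joined text); the '#' prefixes on continued comment lines are kept."""
    out: List[Tuple[int, str]] = []
    buf: List[str] = []
    start = None
    for n, line in physical_lines(text):
        if start is None:
            start = n
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])  # drop the continuation marker
            continue
        buf.append(stripped)
        out.append((start, " ".join(buf)))
        buf, start = [], None
    if buf:  # file ended inside a continuation
        out.append((start, " ".join(buf)))
    return out


def unbalanced(lines: List[Tuple[int, str]]) -> List[Tuple[int, int]]:
    """Lines whose parenthesis balance is not zero, with the net count."""
    return [(n, paren_balance(s)) for n, s in lines if paren_balance(s) != 0]


def report(text: str) -> Dict[str, list]:
    """Both views of the same text plus the comment lines that continue."""
    phys = physical_lines(text)
    return {
        "physical": unbalanced(phys),
        "logical": unbalanced(logical_lines(text)),
        "continued_comments": [
            n for n, l in phys
            if l.lstrip().startswith("#") and l.rstrip().endswith("\\")
        ],
    }


def drop_physical_line(text: str, n: int) -> str:
    """Hypothetical helper: the config with physical line n removed, to replay
    what the poster did first (deleting only the reported line)."""
    kept = [l for i, l in physical_lines(text) if i != n]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSL_CONF
    for key, val in report(src).items():
        print(f"{key}: {val}")
```

Run against the constructed sample, the physical view flags line 4 (the `SSLRequire (` line with `m/^(EXP|NULL)/`) as +1 and line 8 (the closing `)`) as -1, while the logical view, with lines 4 to 9 joined into one continued comment, reports nothing unbalanced. Deleting only line 4, as the poster first did, leaves the remaining continuation with a stray `)` in both views; point the script at a real `ssl.conf` (`python3 check.py /etc/httpd/conf.d/ssl.conf`, path assumed) to see which view matches what certbot complains about on your system.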


#6

I just copied that whole thing into my apache config and it didn’t seem to cause any problem. Are you using an old version of certbot maybe?


#7

WTF?

    [ec2-user@ip-177-77-77-77 ~]$ sudo certbot -v
    Root logging level set at 10
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Requested authenticator None and installer None
    Apache version is 2.4.34
    Single candidate plugin: * apache
    Description: Apache Web Server plugin
    Interfaces: IAuthenticator, IInstaller, IPlugin
    Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
    Initialized: <certbot_apache.override_centos.CentOSConfigurator object at 0x7f5559655e90>
    Prep: True
    Selected authenticator <certbot_apache.override_centos.CentOSConfigurator object at 0x7f5559655e90> and installer <certbot_apache.override_centos.CentOSConfigurator object at 0x7f5559655e90>
    Plugins selected: Authenticator apache, Installer apache

    Please choose an account
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: ip-172-31-31-31.us-east-2.compute.internal@2018-07-31T19:29:47Z (ee5c)
    2: ip-172-31-31-32.us-east-2.compute.internal@2018-04-20T05:20:30Z (7de9)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): Exiting abnormally:
    Traceback (most recent call last):
      File "/bin/certbot", line 9, in <module>
        load_entry_point('certbot==0.29.1', 'console_scripts', 'certbot')()
      File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1352, in main
        return config.func(config, plugins)
      File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1088, in run
        le_client = _init_le_client(config, authenticator, installer)
      File "/usr/lib/python2.7/site-packages/certbot/main.py", line 606, in _init_le_client
        acc, acme = _determine_account(config)
      File "/usr/lib/python2.7/site-packages/certbot/main.py", line 515, in _determine_account
        acc = display_ops.choose_account(accounts)
      File "/usr/lib/python2.7/site-packages/certbot/display/ops.py", line 86, in choose_account
        "Please choose an account", labels, force_interactive=True)
      File "/usr/lib/python2.7/site-packages/certbot/display/util.py", line 155, in menu
        code, selection = self._get_valid_int_ans(len(choices))
      File "/usr/lib/python2.7/site-packages/certbot/display/util.py", line 418, in _get_valid_int_ans
        ans = input_with_timeout(input_msg)
      File "/usr/lib/python2.7/site-packages/certbot/display/util.py", line 82, in input_with_timeout
        line = compat.readline_with_timeout(timeout, prompt)
      File "/usr/lib/python2.7/site-packages/certbot/compat.py", line 107, in readline_with_timeout
        rlist, _, _ = select.select([sys.stdin], [], [], timeout)
    error: (4, 'Interrupted system call')
    An unexpected error occurred:
    error: (4, 'Interrupted system call')
    Please see the logfiles in /var/log/letsencrypt for more details.

#8

-v is short for --verbose. I guess you want --version


#9

Ah, thanks for correcting me.

    [ec2-user@ip-172-77-77-77 ~]$ sudo certbot --version
    certbot 0.29.1
