Sudo: unable to execute /opt/bitnami/letsencrypt/scripts/renew-certificate.sh: no such file or directory

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: high-lift.com

I ran this command:

0 1 * * sudo -u root /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null

It produced this output:

sudo: unable to execute /opt/bitnami/letsencrypt/scripts/renew-certificate.sh: no such file or directory

My web server is (include version):

Server version: Apache/2.4.27 (Unix)
Server built: Aug 28 2017 15:17:56

The operating system my web server runs on is (include version):

Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty

My hosting provider, if applicable, is:

AWS

I can login to a root shell on my machine (yes or no, or I don't know):

YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Requesting to rerun /usr/local/bin/certbot-auto with root privileges...
WARNING: unable to check for updates.
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a 2.7.x release that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,
certbot 0.37.2

Hi @binarypub, and welcome to the LE community forum.

That version is ancient.
Please remove it and install a newer version.
See: Certbot (eff.org)

That version is also ancient.
You should upgrade that ASAP.

3 Likes

I'm not sure how this issue is Let's Encrypt related: your cron is trying to run a certain script, but that script isn't there.

We can't tell you what happened to that script: was it there once in the first place? Or was it never there? What happened to it? All questions we can't answer for you.

Also: Python 2.7? The heck?

4 Likes

The /opt/bitnami/letsencrypt/scripts/renew-certificate.sh is there and always has been.

I set this server up years ago; automatic certificate renewal never worked, even when everything was up to date. I've been manually running the script.

I'm not opening the "update everything" can of worms.

But why would you get the below error?

Sure, but, clearly something on your system has changed. There is also some reference to certbot-auto which was deprecated years ago. I don't know how we could reproduce such a problem to try to help.

3 Likes

I am also puzzled why I receive that error when the file exists.

Could it be a user/file permissions issue?

I would think the error would be different if that were the case.

I did originally use certbot-auto before installing lego, etc.

I don't know how to help debug such an old system which you say hasn't changed. I have no way to reproduce or even experiment on a similar system.

Just from your explanation you say you manually ran the command for years. Does that still work?

Because your first post shows a cronjob failing. Is that something you are trying new?

3 Likes

The renew-certificate.sh contains the code that I run manually via SSH that works.

I followed the cron setup steps mentioned here:

https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/

Here's the contents of renew-certificate.sh (without my domains, etc. as I am at my day job now and don't have access)

#!/bin/bash

sudo /opt/bitnami/ctlscript.sh stop apache
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache

The script works great when run manually via SSH.

My letsencrypt/ folder is owned by root:root

I was never able to get the cron working and have been running it manually for years. Finally got tired of it.

How do you run it manually? What's the output of ls -l /opt/bitnami/letsencrypt/scripts/renew-certificate.sh?

Also, if your script is using lego, it doesn't make much sense to use certbot-auto. The "certbot" in the "version of my client" question was just an example of a possible ACME client. When using lego, the proper answer to that question was the version of the lego ACME client used.

3 Likes

That's not the correct format for a cronjob task. The 5th option is day of week, not "sudo". That changes the parsing of all the following options, and "-u" is not executable.

Check this out
https://go-acme.github.io/lego/usage/cli/renew-a-certificate/

4 Likes
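The field-count point made in the reply above, as an added example that is not part of the thread: a POSIX shell function that validates the five time fields of a user-crontab line (the `crontab -e` form, with no user column) and reports the words left over as the command. The names `check_cron_line` and `is_num` and the message format are hypothetical; the two sample lines are the crontab entries quoted in this thread.

```sh
#!/bin/sh
# Added example, not from the thread; check_cron_line is a hypothetical helper.
# It checks the five time fields of a user-crontab line (no user column) and
# prints the words left over, which are what cron would take as the command.
is_num() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

check_cron_line() (          # subshell body: IFS and noglob changes stay local
    set -f                   # keep '*' literal while word-splitting
    set -- $1
    [ $# -ge 6 ] || { echo "BAD: expected 5 time fields and a command"; exit 1; }
    cmd=$(shift 5; printf '%s' "$*")
    n=0
    IFS=,                    # each time field is a comma-separated list
    for spec in minute:0:59 hour:0:23 day-of-month:1:31 month:1:12 day-of-week:0:7; do
        n=$((n + 1)); field=$1; shift
        name=${spec%%:*}; max=${spec##*:}; min=${spec%:*}; min=${min#*:}
        ok=1
        case $field in ,*|*,) ok=0 ;; esac
        for item in $field; do
            lc=$(printf '%s' "$item" | tr 'A-Z' 'a-z')
            case $lc in
                jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)
                    [ "$name" = month ] || ok=0 ;;
                sun|mon|tue|wed|thu|fri|sat)
                    [ "$name" = day-of-week ] || ok=0 ;;
                *)  base=${item%%/*}; step=1          # N, N-M or *, optional /step
                    case $item in */*) step=${item#*/} ;; esac
                    [ "$base" = '*' ] && base=$min-$max
                    lo=${base%%-*}; hi=${base#*-}
                    is_num "$lo" && is_num "$hi" && is_num "$step" &&
                        [ "$lo" -ge "$min" ] && [ "$hi" -le "$max" ] &&
                        [ "$lo" -le "$hi" ] || ok=0 ;;
            esac
        done
        [ "$ok" = 1 ] || {
            printf 'BAD field %s (%s): %s | leftover words: %s\n' "$n" "$name" "$field" "$cmd"
            exit 1
        }
    done
    printf 'OK: %s\n' "$cmd"
)

# The two crontab entries quoted in this thread.
check_cron_line '0 1 * * sudo -u root /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null' || true
check_cron_line '0 1 * * * sudo -u bitnami /opt/bitnami/letsencrypt/scripts/renew.sh 2> /tmp/cert_test_root_crontab_bitnami_user_renewsh.log 2>&1'
```

For the first entry the function reports field 5 (day-of-week) as `sudo` and the leftover words as starting with `-u`; for the second it reports the full `sudo -u bitnami ...` command.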

Thanks, I am pretty sure that is a forum typo but I will check my server this evening.

2 Likes

Here is my entire email error I receive from crontab:

From root@ip-172-31-1-27 Wed Apr 3 21:05:01 2024
Return-Path: root@ip-172-31-1-27
X-Original-To: root
Delivered-To: root@ip-172-31-1-27
Received: by ip-172-31-1-27 (Postfix, from userid 0)
id A052548A98; Wed, 3 Apr 2024 21:05:01 +0000 (UTC)
From: root@ip-172-31-1-27 (Cron Daemon)
To: root@ip-172-31-1-27
Subject: Cron root@ip-172-31-1-27 /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /tmp/cert_cron_test.log 2>&1
Content-Type: text/plain; charset=ANSI_X3.4-1968
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
Message-Id: 20240403210501.A052548A98@ip-172-31-1-27
Date: Wed, 3 Apr 2024 21:05:01 +0000 (UTC)

/bin/sh: 1: /opt/bitnami/letsencrypt/scripts/renew-certificate.sh: not found

And what is your actual cronjob entry? Because if that's the command, the redirects look odd.

2 Likes

What shows?:
ls -l /opt/bitnami/letsencrypt/scripts/renew-certificate*

1 Like

bitnami@ip-172-31-1-27:~$ ls -l /opt/bitnami/letsencrypt/scripts/renew-certificate*
-rwxrwxr-- 1 bitnami bitnami 350 Jun 19 2022 /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
-rw------- 1 bitnami bitnami 234 Sep 3 2019 /opt/bitnami/letsencrypt/scripts/renew-certificate.sh.save
-rwxrwxr-x 1 bitnami bitnami 344 Jun 19 2022 /opt/bitnami/letsencrypt/scripts/renew-certificate.sh.save.1

Looks like the script is only executable for the bitnami-user. Is the cron job also running as bitnami?

2 Likes

root not equal bitnami
root not in the bitnami group

2 Likes

I renamed the script filename to renew.sh, changed my cronjob to below and now it works suddenly?

0 1 * * * sudo -u bitnami /opt/bitnami/letsencrypt/scripts/renew.sh 2> /tmp/cert_test_root_crontab_bitnami_user_renewsh.log 2>&1

Your change from sudo -u root to sudo -u bitnami probably did the trick.

3 Likes

I see nothing "sudden" about making multiple changes and creating/finding the solution:

3 Likes