Ubuntu 20.04 - Any tips? AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'

My Ubuntu 14.04 lts server died so I rebuilt it with 20.04 last night (April's not that far around the corner), and I thought it was finally time to get my Subsonic site behind some encryption. My guess is that certbot just isn't ready for 20.04, as I can't get the ppa installed (404's on focal release when I try to add it). I was hoping someone might have had some luck getting it done though, but Google and the forum search here are coming up dry so far. Thanks for any help that can be offered, even if it's "keep waiting"!

My domain is: earnom.adenansu.com

I ran this command: sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email --domain earnom.adenansu.com

It produced this output:
Performing the following challenges:
An unexpected error occurred:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): nginx/1.17.9 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Additional info that another post looking into a very similar issue had people asking for:

$ head /usr/bin/certbot
#!/usr/bin/python3
# EASY-INSTALL-ENTRY-SCRIPT: 'certbot==0.40.0','console_scripts','certbot'
__requires__ = 'certbot==0.40.0'
import re
import sys
from pkg_resources import load_entry_point

if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0])
    sys.exit(

$ /usr/bin/python3 -c 'import acme; print(acme)'
<module 'acme' from '/usr/lib/python3/dist-packages/acme/__init__.py'>

$ dpkg -l python3-acme
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-==================================
ii python3-acme 1.1.0-1 all ACME protocol library for Python 3

2 Likes

This might be correct. Pinging @schoen for more information.

In the meantime, you can use other acme clients.
I would personally suggest to try out acme.sh

Thank you

2 Likes

Well, there is an official package of certbot for Ubuntu 20.04: https://packages.ubuntu.com/focal/certbot So why bother trying the PPA? It has an older version anyway. But looking at your version of certbot, you've used the official repository already.

Strange why your 0.40 version of certbot would try to use the tls-sni-01 challenge? Do you mention this challenge anywhere in your configuration files? Also, could you post more output of certbot when you get that error? Especially a trace.

2 Likes

Right, I'm using the official one, I thought I saw somewhere that CertBot 1.0 had been released late last year, so I thought this 0.40 version was old. I'm new to using all of this, so my mistake :slight_smile:

I removed a few things that looked like they might be sensitive

2020-03-08 11:55:41,643:DEBUG:certbot.main:certbot version: 0.40.0
2020-03-08 11:55:41,643:DEBUG:certbot.main:Arguments: ['--nginx', '--agree-tos', '--redirect', '--hsts', '--staple-ocsp', '--email', '', '--domain', 'earnom.adenansu.com']
2020-03-08 11:55:41,643:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-03-08 11:55:41,654:DEBUG:certbot.log:Root logging level set at 20
2020-03-08 11:55:41,654:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-03-08 11:55:41,655:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2020-03-08 11:55:41,655:DEBUG:certbot.plugins.selection:No candidate plugin
2020-03-08 11:55:41,655:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2020-03-08 11:56:13,586:DEBUG:certbot.main:certbot version: 0.40.0
2020-03-08 11:56:13,587:DEBUG:certbot.main:Arguments: ['--nginx', '--agree-tos', '--redirect', '--hsts', '--staple-ocsp', '--email', '', '--domain', 'earnom.adenansu.com']
2020-03-08 11:56:13,587:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-03-08 11:56:13,605:DEBUG:certbot.log:Root logging level set at 20
2020-03-08 11:56:13,605:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-03-08 11:56:13,606:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2020-03-08 11:56:13,800:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7efd86a7f340>
Prep: True
2020-03-08 11:56:13,801:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7efd86a7f340> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7efd86a7f340>
2020-03-08 11:56:13,801:INFO:certbot.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2020-03-08 11:56:13,805:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/80036369', new_authzr_uri=None, terms_of_service=None), c8e806da10ef2da1ece77df462d13da2, Meta(creation_dt=datetime.datetime(2020, 3, 8, 6, 50, 35, tzinfo=), creation_host='dispenser'))>
2020-03-08 11:56:13,806:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-03-08 11:56:13,808:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2020-03-08 11:56:14,097:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2020-03-08 11:56:14,097:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 08 Mar 2020 18:56:14 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"A1TuAWRdbTM": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2020-03-08 11:56:14,098:INFO:certbot.main:Obtaining a new certificate
2020-03-08 11:56:14,194:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0010_key-certbot.pem
2020-03-08 11:56:14,197:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0010_csr-certbot.pem
2020-03-08 11:56:14,198:DEBUG:acme.client:Requesting fresh nonce
2020-03-08 11:56:14,198:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-03-08 11:56:14,265:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2020-03-08 11:56:14,266:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 08 Mar 2020 18:56:14 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0001349JpF30x9WkjtXpXJMkJR12oum32uCNv6Z-GTtHmps
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2020-03-08 11:56:14,266:DEBUG:acme.client:Storing nonce: 0001349JpF30x9WkjtXpXJMkJR12oum32uCNv6Z-GTtHmps
2020-03-08 11:56:14,266:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "earnom.adenansu.com"\n }\n ]\n}'
2020-03-08 11:56:14,270:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "",
"signature": "",
"payload": ""
}
2020-03-08 11:56:14,341:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 339
2020-03-08 11:56:14,342:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sun, 08 Mar 2020 18:56:14 GMT
Content-Type: application/json
Content-Length: 339
Connection: keep-alive
Boulder-Requester: 80036369
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/80036369/2577298128
Replay-Nonce: 0001k3n1YibNjV-IEyvFBanRC7i_ab40p8vU_EvVv8DnmlE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2020-03-15T06:50:49Z",
"identifiers": [
{
"type": "dns",
"value": "earnom.adenansu.com"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/3231562998"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/80036369/2577298128"
}
2020-03-08 11:56:14,342:DEBUG:acme.client:Storing nonce: 0001k3n1YibNjV-IEyvFBanRC7i_ab40p8vU_EvVv8DnmlE
2020-03-08 11:56:14,342:DEBUG:acme.client:JWS payload:
b''
2020-03-08 11:56:14,346:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/3231562998:
{
"protected": "",
"signature": "",
"payload": ""
}
2020-03-08 11:56:15,087:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/3231562998 HTTP/1.1" 200 797
2020-03-08 11:56:15,088:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 08 Mar 2020 18:56:15 GMT
Content-Type: application/json
Content-Length: 797
Connection: keep-alive
Boulder-Requester: 80036369
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0002kda-JKbEe9vRIQbquLpF8m7zZkHFIr5zbMhgjDFM094
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "earnom.adenansu.com"
},
"status": "pending",
"expires": "2020-03-15T06:50:49Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3231562998/cXSq9Q",
"token": ""
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3231562998/_P00-g",
"token": ""
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3231562998/T-Zxrg",
"token": ""
}
]
}
2020-03-08 11:56:15,089:DEBUG:acme.client:Storing nonce: 0002kda-JKbEe9vRIQbquLpF8m7zZkHFIr5zbMhgjDFM094
2020-03-08 11:56:15,089:INFO:certbot.auth_handler:Performing the following challenges:
2020-03-08 11:56:15,090:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1132, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 62, in handle_authorizations
    achalls = self._choose_challenges(authzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 206, in _choose_challenges
    self._get_chall_pref(authzr.body.identifier.value),
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 221, in _get_chall_pref
    plugin_pref = self.auth.get_chall_pref(domain)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 1110, in get_chall_pref
    return [challenges.HTTP01, challenges.TLSSNI01]
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
2020-03-08 11:56:15,092:ERROR:certbot.log:An unexpected error occurred:

Edit: I'm not mentioning that challenge in my config, as far as I'm aware.

I started off this attempt by following this how-to: How to Install Subsonic Media Server on Ubuntu 18.04, 19.04 and Enable HTTPS

1 Like

this is obsolete. did you move over your config files for certbot from ubuntu 14.04? you need to edit them and move to http-01 or tls-alpn-01 or dns-01

2 Likes

This is my first time using LetsEncrypt/CertBot. Completely fresh 20.04 install, no settings/configs transferred over.

1 Like

this doesn’t make any sense, other than a bug in certbot itself.

try adding a --preferred-challenges=http switch anyway

or maybe use another acme client, like acme.sh

2 Likes

$ sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email (my email) --domain earnom.adenansu.com --preferred-challenges=http
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
An unexpected error occurred:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
Please see the logfiles in /var/log/letsencrypt for more details.

I’m starting to read up on acme clients right now.

1 Like

Oh, you're absolutely right, 0.40 is old.. However, the PPA is even older... For some reason, the certbot team has issues keeping the official packages up to date, although I'm pretty sure there are also non-certbot-team package managers in play which might be a part of the delay.

In combination with:

Tells me you don't have the nginx plugin installed? However..:

Well, there it is... Where did it come from? Strange..

What version of the nginx plugin is installed?

2 Likes

python3-certbot-nginx version 0.39.0-1

1 Like

it looks like you have mismatched versions of python3-certbot and python3-certbot-nginx, ubuntu/debian packaging bug.

2 Likes
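An added example, not part of any post in this thread and not certbot's own code: a static check for the mismatch diagnosed above, which lists every `challenges.<Name>` a plugin source references that the installed `acme.challenges` module does not provide. The two plugin sources and the stand-in module are constructed from the traceback in this thread; the function name `missing_challenge_refs` is hypothetical.

```python
import ast
import types


def missing_challenge_refs(plugin_source, challenges_module, alias="challenges"):
    """Return sorted names used as <alias>.<Name> that challenges_module lacks."""
    missing = set()
    for node in ast.walk(ast.parse(plugin_source)):
        if (isinstance(node, ast.Attribute)
                and isinstance(node.value, ast.Name)
                and node.value.id == alias
                and not hasattr(challenges_module, node.attr)):
            missing.add(node.attr)
    return sorted(missing)


# Constructed sample: the get_chall_pref line shown in the traceback
# (python3-certbot-nginx 0.39.0-1 according to the thread).
PLUGIN_0_39 = '''
from acme import challenges

class NginxConfigurator:
    def get_chall_pref(self, unused_domain):
        return [challenges.HTTP01, challenges.TLSSNI01]
'''

# Constructed sample: the same method after the workaround from the thread.
PLUGIN_PATCHED = PLUGIN_0_39.replace(", challenges.TLSSNI01", "")

# Constructed stand-in for the newer acme.challenges, which per the
# AttributeError in this thread has no TLSSNI01. On a real host, use
# `import acme.challenges` and read the plugin file named in the traceback.
ACME_STANDIN = types.ModuleType("acme.challenges")
ACME_STANDIN.HTTP01 = type("HTTP01", (), {})
ACME_STANDIN.DNS01 = type("DNS01", (), {})


if __name__ == "__main__":
    for label, src in (("0.39 plugin", PLUGIN_0_39), ("patched", PLUGIN_PATCHED)):
        gaps = missing_challenge_refs(src, ACME_STANDIN)
        print(label, "->", gaps if gaps else "no missing challenge classes")
```

Running the same check after each `apt upgrade` shows whether the packaged plugin and the `acme` library are back in step.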

Thanks for catching that!

1 Like

For a very fragile workaround, you can edit /usr/lib/python3/dist-packages/certbot_nginx/configurator.py and replace

return [challenges.HTTP01, challenges.TLSSNI01]

with

return [challenges.HTTP01]

(or you… can use the webroot plugin)

4 Likes

I'll mark this as the solution, many thanks! Seems to be working locally on my network now, I'll be troubleshooting the public side issues with nginx :slight_smile: (edit, helps to open port 443)

1 Like

It’s fragile because it will be reverted whenever apt upgrades the python3-certbot-nginx package, eh.

Should probably send this thread to the ubuntu packagers, though.

1 Like

I’ll watch for it. Hopefully whatever update breaks the hack will also resolve the issue.

Someone experienced with this?

1 Like

I’ll send in a bug report and link to this thread.

Edit: https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1866567

3 Likes

Ah yes.. References to the tls-sni-01 challenge were removed in version 0.40 of the nginx plugin.

3 Likes
