Ubuntu: "urllib3 or chardet doesn't match a supported version"?

gilgongo · January 11, 2021, 5:35pm

This issue is similar to this one but not exactly, and that issue doesn't seem to have had a resolution, but apologies for possible dupe.

I'm using Certbot 0.27.0 on Ubuntu 18.04 with certbot installed from the Ubuntu standard repo. I have root CLI access.

I'm getting this:

~$ certbot --version
/usr/lib/python3/dist-packages/requests/__init__.py:80: RequestsDependencyWarning: urllib3 (1.26.2) or chardet (3.0.4) doesn't match a supported version!
  RequestsDependencyWarning)
certbot 0.27.0

And the systemd unit for certbot service starts up and seems to renew certs OK, but then exits with this:

2021-01-11 08:38:56,710:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.27.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1276, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 468, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 2 renew failure(s), 0 parse failure(s)

(the 2 renewal failures are I think expired domains)

Does anyone know what's going on or what's best to do?

rg305 · January 11, 2021, 6:57pm

My best advice is to remove certbot from apt and install it via snapd.
[Your 0.27.0 has seen its' final cert!]

gilgongo · January 11, 2021, 6:29pm

Oh wow - I don't know anything about snaps. Is that now the recommended way of getting certbot for Ubuntu then?

rg305 · January 11, 2021, 6:31pm

Yes and it comes shipped with Ubuntu...since 16.04?

gilgongo · January 11, 2021, 6:38pm

OK this is I have to say a bit scary. So I apt remove certbot and then snap install certbot ? And all my certs and stuff will be fine?

Wow snap certbot is v 1.1.0?

rg305 · January 11, 2021, 6:39pm

apt remove certbot will NOT remove any of your certs.
Only certbot delete --cert-name {name} will do that.

Yes, simple, and painless

gilgongo · January 11, 2021, 6:39pm

OK. I've got about 50 sites on the machine so I hope not. Here I go...

rg305 · January 11, 2021, 6:43pm

Do certbot certificates before and after - they will be exactly the same.
You might have to review your renewal jobs to ensure they run after the change.
or
better; do once:
certbot renew --dry-run

Which should "cycle" through the motions and setup the cron/systemd.timer renewal job for you.

gilgongo · January 11, 2021, 6:44pm

Oh.

~# snap install certbot
error: This revision of snap "certbot" was published using classic confinement and thus may perform  arbitrary system changes outside of the security sandbox that snaps are usually confined to, which may put your system at risk. If you understand and want to proceed, repeat the command including --classic.

Now what?

rg305 · January 11, 2021, 6:47pm

I see you don't follow guides much

sudo apt update
sudo apt install snapd
sudo snap install snap-store
sudo snap install --classic certbot

That should put it all up-to-date.

Install certbot on Ubuntu using the Snap Store | Snapcraft

gilgongo · January 11, 2021, 6:49pm

OK I didn't even know there was a guide. Until 5mins ago I'd never installed a snap.

Seems to have done it OK:

~# snap install --classic certbot
2021-01-11T18:48:22Z INFO Waiting for automatic snapd restart...
certbot 1.11.0 from Certbot Project (certbot-eff✓) installed

rg305 · January 11, 2021, 6:51pm

rg305 · January 11, 2021, 6:53pm

Just a curiosity...
I gave you 4 command lines:

How many did you run?

gilgongo · January 11, 2021, 6:56pm

All of them.

Now I get:

~# certbot certificates 
bash: /usr/bin/certbot: No such file or directory

~# snap list
Name     Version   Rev    Tracking       Publisher     Notes
certbot  1.11.0    889    latest/stable  certbot-eff✓  classic
core20   20201210  904    latest/stable  canonical✓    base
snapd    2.48.2    10707  latest/stable  canonical✓    snapd

~# snap services
Service        Startup   Current   Notes
certbot.renew  disabled  inactive  timer-activated

Does the snap install put the certbot command somewhere else?

EDIT: Ah, I had to reload my shell.

rg305 · January 11, 2021, 6:57pm

Yes.
try:
/snap/bin/certbot --version

rg305 · January 11, 2021, 7:00pm

There is still some housecleaning things to tidy up:
cron/systemd.timer renewal jobs
test a renewal

gilgongo · January 11, 2021, 7:01pm

certbot 1.11.0

Also systemd - is that not involved any more? Seems broken in some way:

~# service certbot status
● certbot.service
   Loaded: not-found (Reason: No such file or directory)
   Active: failed (Result: exit-code) since Mon 2021-01-11 08:38:56 GMT; 10h ago
 Main PID: 5068 (code=exited, status=1/FAILURE)

rg305 · January 11, 2021, 7:04pm

Please review:
crontab -l
crontab -u root -l
and
sudo systemctl list-timers
[Which may not be setup until cerbot 1.11.0 actually runs]

gilgongo · January 11, 2021, 7:08pm

That lists the snap.certbot.renew.service

/etc/cron.d/certbot contains this which I guess is OK to keep or should I delete the file?

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

EDIT: no - /usr/bin/certbot so I guess I should delete it.

rg305 · January 11, 2021, 7:08pm

Hopefully, this file no longer exists:

So, yes, remove it from cron.