Unable to Execute Certbot - Python Errors


#1

Hi All,

Firstly, thank you for providing an excellent service of free SSL certificates with great documentation.

However, I’m facing an issue with certificate renewal when I run the certbot utility, details of which are given below.


My domain is: vinayhegde.info / www.vinayhegde.info

I ran this command || It produced this output: In this Link

My web server is (include version): nginx version: nginx/1.12.2

The operating system my web server runs on is (include version): CentOS Linux release 7.5.1804 (Core)

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


Please let me know if I can provide any more information or logs here for more diagnosis.

Many Thanks in advance,
Vinay


#2

Facing same issue but no response from anyone and couldnt find this topic troubleshooting in google.


#3

Exactly @Amanda, even I searched for a solution to this on Google, StackOverFlow & DuckDuckGo but no luck there.

I’ve also removed it completely via yum and tried installing it via pip (removed it immediately since as far I know it isn’t a good practice as yum & pip often conflict each other due to upgrades in either) but that didn’t solve my issue either. Some more logs for reference are here

Can someone from the community please help us out?


#4

Have you tried using certbot-auto instead of packaged versions?


#5

Thanks for recommending certbot-auto @eggsampler which got installed & was useful in regenerating my SSL certificate. However since my earlier one expired, I renewed it this time with a wildcard SSL that generated successfully but I faced a whole lot of other issues.


Here’s how that went by:

  1. Installed certbot-auto without a hitch.
  2. Went about renewing my SSL certificate with a wildcard: *.vinayhegde.info within 5 minutes as well. Check this how-to for it.
  3. When I deployed it to my web-server and tested it using SSLShopper, it gave a weird error

Unable to communicate securely with peer: requested example name does not match the server’s certificate

  1. Confirmed the issue with a simple curl command to my domain name which persisted post HTTPS redirection too.
  2. Surprisingly, my domain with a www was showing the new SSL perfectly along with the redirection (on HTTPS with www)
  3. After a lot of Google searches, it turned out that wildcard SSL just supports *.example.com, i.e: a.example.com or b.example.com but NOT example.com itself. More on that here & here
  4. Revoked & deleted all of my current certs, check this article on how-to do so.
  5. Went about regenerating my SSL but now was being rate-limited by LetsEncrypt, read this.
  6. Waited an hour before retrying which finally succeeded.

TL;DR - Key Points:

  1. Wildcard SSL works only on *.example.com and NOT our parent domain:example.com, we need SSL with a Subject Alternative Name - SAN for it.
  2. When doing the above, you need to add a TXT record in your DNS for LetsEncrypt to verify. Note: since you’re giving 2 domains as inputs, you’ll need 2 TXTs

For e.g:
sudo /opt/packages/certbot-auto certonly --manual -d example.com -d “*.example.com” --agree-tos --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

  1. Be careful of LetsEncrypt rate-limits, they can throw a spanner in your renewal or creation process if not adhered to.

Hope this helps for anyone who has a similar issue, cheers!


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.