Unable to install certbot Ubuntu 24 server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wetleaves.com

I ran this command: sudo snap install --classic certbot

It produced this output: either:
error: unable to contact snap store
--or--
error: cannot perform the following tasks:

I have tried numerous times and get either of these responses. I have no problems getting anywhere else on Internet.

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 24 server LTS

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not applicable, can't get this far...

Please advise how to troubleshoot. syslog shows:

2024-08-25T00:33:13.919764+00:00 signalsecurity2 systemd[1]: Starting snapd.service - Snap Daemon...
2024-08-25T00:33:13.965431+00:00 signalsecurity2 snapd[298289]: overlord.go:271: Acquiring state lock file
2024-08-25T00:33:13.965499+00:00 signalsecurity2 snapd[298289]: overlord.go:276: Acquired state lock file
2024-08-25T00:33:14.000893+00:00 signalsecurity2 snapd[298289]: daemon.go:247: started snapd/2.63.1+24.04 (series 16; classic) ubuntu/24.04 (amd64) linux/6.8.0-41-generic.
2024-08-25T00:33:14.024387+00:00 signalsecurity2 snapd[298289]: daemon.go:340: adjusting startup timeout by 30s (pessimistic estimate of 30s plus 5s per snap)
2024-08-25T00:33:14.025810+00:00 signalsecurity2 snapd[298289]: backends.go:58: AppArmor status: apparmor is enabled and all features are available
2024-08-25T00:33:14.095383+00:00 signalsecurity2 kernel: audit: type=1400 audit(1724545994.093:25): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/lib/snapd/snap-confine" pid=298337 comm="apparmor_parser"
2024-08-25T00:33:14.095392+00:00 signalsecurity2 kernel: audit: type=1400 audit(1724545994.093:26): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=298337 comm="apparmor_parser"
2024-08-25T00:33:14.103636+00:00 signalsecurity2 systemd[1]: Started snapd.service - Snap Daemon.
2024-08-25T00:33:14.117130+00:00 signalsecurity2 snapd[298289]: api_snaps.go:427: Installing snap "certbot" revision unset
2024-08-25T00:33:14.117391+00:00 signalsecurity2 snapd[298289]: store_download.go:142: no host system xdelta3 available to use deltas
2024-08-25T00:34:29.158127+00:00 signalsecurity2 snapd[298289]: daemon.go:519: gracefully waiting for running hooks
2024-08-25T00:34:29.158517+00:00 signalsecurity2 snapd[298289]: daemon.go:521: done waiting for running hooks
2024-08-25T00:34:32.159083+00:00 signalsecurity2 snapd[298289]: overlord.go:515: Released state lock file
2024-08-25T00:34:32.159194+00:00 signalsecurity2 snapd[298289]: daemon stop requested to wait for socket activation
2024-08-25T00:34:32.163896+00:00 signalsecurity2 systemd[1]: snapd.service: Deactivated successfully.

I think it's an apparmor problem, wretched apparmor just seems to foul up everything. I think I am turning apparmor off, but the snap seems to turn it back on? Any help would be appreciated...

That is definitely a connection problem. If you think it is AppArmor you'll have to go to their support forum.

Given Ubuntu, Snapcraft and AppArmor are all by Canonical I wouldn't expect any problems out of the box. Is this a new setup?

Usually snap installs are very easy on Ubuntu given it is included with Ubuntu.

You say other connections work, but what does this say?

curl -I https://acme-v02.api.letsencrypt.org/directory
2 Likes

This is not causing your outbound comms problem but your DNS is setup to use a GoDaddy Domain Forwarding (or URL Redirect) service. You will need to disable that and set an A record to point directly to your public IP address instead.

You won't be able to get a cert using the HTTP Challenge method and you won't have control over the responding server (GoDaddy's) to configure your cert if you did.

We see that pretty often. See below post for a different customer's explanation of how to set the DNS correctly

3 Likes

I think you are mistaken on this aspect of my problem. What I am doing is trying to roll out a new server. My existing server, which is still operational, has been successfully running Certbot for several years via the current GoDaddy setup. I checked my GoDaddy setup just now and it does in fact have an A record pointing at my fixed public IP; there is no URL redirect AFAICT. Once my new server is fully operational (Certbot being one of my last steps), it will replace my existing server, at the same IP (I will simply repoint the 443 and 80 ports to the new server internal IP). My current certs on the existing older server were pulled successfully by Certbot in July and are good through some date in October. So your points that this won't work with GoDaddy are provably incorrect. However, I do appreciate your time in trying to help me solve my problem with my new server.

Here's what I get from that command:

HTTP/2 200 
server: nginx
date: Sun, 25 Aug 2024 11:50:27 GMT
content-type: application/json
content-length: 746
cache-control: public, max-age=0, no-cache
replay-nonce: cBNzKmlOQdlYdoky0YJ7CngulZmg5d8l49U6Bd_qWOTApNaHCog
x-frame-options: DENY
strict-transport-security: max-age=604800
1 Like

A connection timeout to canonical-bos01.cdn.snapcraftcontent.com might be due to numerous reasons. I don't have experience with Ubuntu/snap/AppArmor, but given the fact that snap is quite integrated into Ubuntu, including AppArmor, I doubt AppArmor is the issue here. Unless you've modified AppArmor settings for snapd in the past.

Can you curl the snap URI? E.g.:

curl -LIv "https://canonical-bos01.cdn.snapcraftcontent.com/download-origin/canonical-lgw01/PMrrV4ml8uWuEUDBT8dSGnKUYbevVhc4_21759.snap?interactive=1&token=1724547600_5e906b10abcbea6b8609c3680d985bca024d59af"

1 Like
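The two replies above both come down to one question: can this host reach the snap store and the ACME endpoint at all, or is AppArmor actually blocking snapd? The script below is an added example written for this thread; it is not from the original posts, from Certbot or from snapd. It assumes curl is installed, uses the real snap store API host api.snapcraft.io together with the CDN host quoted in the reply above and the Let's Encrypt directory host, and the sample audit lines inside it are constructed to show the difference between an informational apparmor="STATUS" line (what the poster's syslog contains) and a real apparmor="DENIED" line.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread, Certbot or snapd). It separates
# "can this host reach the snap store?" from "is AppArmor denying snapd?".
# Hosts: the real snap store API host, the CDN host quoted in the thread and
# the Let's Encrypt ACME directory host. Time-outs and wording are our own.

SNAP_HOSTS="api.snapcraft.io canonical-bos01.cdn.snapcraftcontent.com acme-v02.api.letsencrypt.org"

# Map a curl exit status to a short diagnosis (codes from curl's documented list).
explain_curl_exit() {
    case "$1" in
        0)  echo "ok" ;;
        6)  echo "DNS resolution failed" ;;
        7)  echo "TCP connect refused or unreachable" ;;
        28) echo "timed out (filtered by a firewall/proxy or routing problem)" ;;
        35) echo "TLS handshake failed" ;;
        56) echo "connection reset mid-transfer" ;;
        60) echo "server certificate not trusted (check CA bundle / intercepting proxy)" ;;
        *)  echo "curl exit $1" ;;
    esac
}

# Probe one host over HTTPS with a HEAD request. Any HTTP status (even 404 or
# the 410 mentioned in the thread) proves the network path works; curl only
# exits non-zero when the connection itself fails.
probe_host() {
    host="$1"
    if curl -sS -I --max-time 15 -o /dev/null "https://$host/" 2>/dev/null; then
        code=0
    else
        code=$?
    fi
    printf '%-45s %s\n' "$host" "$(explain_curl_exit "$code")"
    return "$code"
}

# Count real AppArmor denials in audit/syslog text read from stdin, optionally
# restricted to lines matching an extended regex (e.g. "snap"). STATUS lines
# such as the profile_replace entries in the poster's syslog are profile loads,
# not blocks; only apparmor="DENIED" indicates AppArmor refused an operation.
count_apparmor_denials() {
    pattern="${1:-.}"
    grep 'apparmor="DENIED"' | grep -c -E "$pattern" || true
}

# Constructed sample (not from the thread): one STATUS line shaped like the
# poster's syslog, plus one DENIED line of the shape a real block produces.
# The profile name follows snapd's snap.<snap>.hook.<hook> convention.
sample_audit_lines() {
    cat <<'EOF'
kernel: audit: type=1400 audit(1724545994.093:25): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/lib/snapd/snap-confine" pid=298337 comm="apparmor_parser"
kernel: audit: type=1400 audit(1724546000.000:27): apparmor="DENIED" operation="connect" profile="snap.certbot.hook.install" pid=299001 comm="python3" family="inet" sock_type="stream"
EOF
}

main() {
    echo "== outbound HTTPS probes =="
    rc=0
    for h in $SNAP_HOSTS; do
        probe_host "$h" || rc=1
    done
    echo "== AppArmor denials in the kernel log =="
    if command -v dmesg >/dev/null 2>&1; then
        echo "denials mentioning snap: $(dmesg 2>/dev/null | count_apparmor_denials snap)"
    fi
    echo "(snapd's own view of the store: sudo snap debug connectivity)"
    return "$rc"
}

# Run the live checks only when asked, so the functions can also be sourced:
#   sh snap-diag.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

If every probe prints "ok" but `snap install` still fails, the problem is inside snapd's own path (proxy settings snapd does not inherit from the shell, or a stale snapd state), not the host's network; `snap debug connectivity` is snapd's built-in check for exactly that. A non-zero denial count points at AppArmor; a count of zero with only STATUS lines in the log means the profile_replace entries seen in the thread are normal start-up noise.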

Oh, so are you just working on the signal.wetleaves.com domain rather than wetleaves.com which you noted in your first post?

Because your apex domain most definitely uses GoDaddy Domain Forwarding and uses a GoDaddy certificate. Possibly also with some sort of purchased package from them. Below are the DNS A records in the public DNS. Those IPs are each related to an AWS Global Accelerator, which is what GoDaddy uses for the Domain Forwarding service. This would be a problem trying to get a Let's Encrypt (or any ACME) cert for this domain.

wetleaves.com.	0	IN	A	15.197.148.33
wetleaves.com.	0	IN	A	3.33.130.190

Your signal subdomain is very different and has a history of Let's Encrypt certs. So, I assume that's the domain being worked on?

signal.wetleaves.com.	3600	IN	A	68.169.142.151
2 Likes

That works, and if the curl Osiris showed also connects (I connect and get an HTTP 410 reply) then there is something odd related to snapcraft. I previously suggested the AppArmor forum, but the snapcraft forum might be a better starting place.

Certbot also has a python pip install, or you could even rely on the (also not recommended) apt install if for some reason you can't work through the snap install issues.

There are also many other ACME Clients. Apache even has mod_md, which is an ACME Client built into Apache. If you are a skilled Apache admin this is likely easier than Certbot.
https://httpd.apache.org/docs/current/mod/mod_md.html

3 Likes

MikeMcQ - you are right, of course. I honestly do not know what those IPs are for wetleaves, I think they are A records for proton mail. My mistake is in forgetting that there is anything even set up for wetleaves; I had mistakenly assumed equivalence between wetleaves.com and signal.wetleaves.com. So you have educated me on that.

But my point is, NONE of this matters, because I can't even get the install script to run! I think that the certbot script actually turns apparmor on. I have had nothing but frustrating problems with apparmor across several machines, and so all I ever do is turn it off so ordinary stuff (like adding a PPA) will work. My opinion (which of course is worth about one fart in a hurricane) is apparmor is the worst aspect of Ubuntu, it only interferes with stuff I'm trying to accomplish.

That said, since the curl commands work, I am led to believe that the certbot snap install script is failing because of apparmor and I don't know how to thwart it so the script can run. I turn apparmor off, run the snap install, it fails, and apparmor is now back on. Perhaps I'm jumping to conclusions, but again and again, turning apparmor off has allowed me to proceed with installs that failed with apparmor turned on.

I saw the python script, I may try that next. But I respectfully submit that if I am having problems in this endeavor, others likely will also.

My Ubuntu is plain vanilla, with only UFW and apparmor turned off for installation of Apache2, mysql, and zoneminder (none of which would work right with apparmor, and all of which worked fine without it). I planned to turn UFW back on and properly configure it once everything is working. So whatever is blocking the snap access to snapcraftcontent etc is preventing the certbot installation, verified by the fact that the curl commands work by themselves. That seems undeniable. Am I correct?

I suppose I'll have to pursue one of the other installation methods since the certbot snap won't run.

That may be, but we do not often see snap install failures here. Certbot is one of the more popular ACME Clients and snap is its recommended install.

I am not doubting your problem. There just isn't much I can do about it personally. A snap install problem is best handled on the snapcraft forum. Or, perhaps try posting at the github for EFF's Certbot: Issues · certbot/certbot · GitHub. I am pretty sure the devs there will say to contact snapcraft, but maybe they will have further insights. Or, perhaps a different volunteer here will have such insight.

There are a wide variety of ACME Clients. I can appreciate why you'd want to stay with something you know. But, snap is a "heavy" infrastructure and not everyone cares for it. A python venv takes great care to get right. You might just try installing certbot from apt. Your Ubuntu should have a fairly recent version of it.

I still think mod_md is something to look at.

I see Osiris is about to post, so hopefully he has more.

2 Likes

Which script? Snap is just snap. I don't think there's any Certbot script. It seems like your snap is malfunctioning altogether.

Can you install other (classic?) snaps? Also please try the curl command to snapcraft I posted earlier.

This is my first attempt at a snap, no exposure before... well, maybe the first certbot install a couple of years ago. RE: the curl command, I did, in my second reply above; it worked fine apparently. Something inside the snap is causing connectivity to whatever the snap is trying to talk to, to fail.
