Unable to renew certbot with dockers


#1

Hi,

I set up certbot and it is due for its first renewal. When I try sudo certbot renew, it gives a command not found error. I guess it is a path error, except that I cannot seem to find where it is located.

When I created it (I had saved the commands) I used: sudo certbot --nginx. I do not remember which directory.

The details of my server are:

  1. Running on AWS.
  2. Ubuntu : 16.04 Xenial

Could someone please help me locate the directory?

Thanks,

Raj


#2

Hi @Raju_Rao,

If certbot isn’t in your path, maybe you were using certbot-auto instead? (certbot comes from an OS package which would normally put it in a directory that’s already in your path. certbot-auto comes from a manual download and you could have saved it in any directory of your choice.)

Maybe you could run locate certbot and/or history | grep certbot?


#3

Thanks schoen. locate certbot shows

/etc/apt/sources.list.d/certbot-ubuntu-certbot-xenial.list
/etc/apt/sources.list.d/certbot-ubuntu-certbot-xenial.list.save
/etc/apt/trusted.gpg.d/certbot_ubuntu_certbot.gpg
/etc/apt/trusted.gpg.d/certbot_ubuntu_certbot.gpg~
/etc/cron.d/certbot
/etc/letsencrypt/csr/0000_csr-certbot.pem
/etc/systemd/system/certbot.timer
/etc/systemd/system/timers.target.wants/certbot.timer
/var/lib/apt/lists/ppa.launchpad.net_certbot_certbot_ubuntu_dists_xenial_InRelease
/var/lib/apt/lists/ppa.launchpad.net_certbot_certbot_ubuntu_dists_xenial_main_binary-amd64_Packages
/var/lib/apt/lists/ppa.launchpad.net_certbot_certbot_ubuntu_dists_xenial_main_i18n_Translation-en
/var/lib/dpkg/info/certbot.list
/var/lib/dpkg/info/certbot.postrm
/var/lib/systemd/deb-systemd-helper-enabled/certbot.timer.dsh-also
/var/lib/systemd/deb-systemd-helper-enabled/timers.target.wants/certbot.timer
/var/lib/systemd/deb-systemd-helper-masked/certbot.timer
/var/lib/systemd/timers/stamp-certbot.timer

Does this help in suggesting how I run the renew command? There does not seem to be a directory. As mentioned, I have set up dockers and do not remember using auto or download, but only certbot --nginx.

The history | grep certbot command throws up:

 1644  sudo certbot renew
 1652  sudo certbot renew
 1654  cd .certbot
 1655  which certbot-auto
 1656  which certbot
 1657  sudo certbot renew --dry-run
 1691  sudo certbot renew
 1724  sudo certbot renew
 1732  locate certbot
 1733  history | grep certbot

Any suggestions? Thanks


#4

Huh, it looks like you might have installed it and then uninstalled it for some reason. Could you try running a dpkg command to check into this?

dpkg -l certbot python-certbot letsencrypt python-letsencrypt


#5

It shows:

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
rc  certbot        0.19.0-1+ubu all          automatically configure HTTPS usi
un  letsencrypt    <none>       <none>       (no description available)
un  python-certbot <none>       <none>       (no description available)
dpkg-query: no packages found matching python-letsencrypt

#6

Huh! Well, if you installed Certbot with apt-get install certbot or something similar, maybe you could reinstall it the same way? (This doesn’t erase your existing certificates or their renewal configurations or anything.)


#7

You mentioned Docker—maybe you used a particular Docker container image to obtain your certificate and so Certbot may not currently be installed on your server in the host environment? Maybe when you most recently used Certbot, it was inside a container?

(The rc does suggest that Certbot was once installed on the host system, but that it was subsequently removed. But that doesn’t show whether this copy of Certbot is the one you used to obtain your certificates.)


#8

Here is what I did Schoen:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

Followed by:

 sudo certbot --nginx

#9

It could be possible that I removed images because there was something funny going on with Dockers. It is my first time. And I found multiple images being created. And removed the images and ran docker build. :roll_eyes:


#10

Schoen: If I were to recreate the AWS server and setup the whole thing without dockers, how do I get certbot installed using my existing certificates? Is it an easy process or complicated? My server is currently beta and being tested for what we are doing. So no loss on recreating it … as long as it works. :slight_smile:


#11

You can install Certbot from apt or with the certbot-auto auto-downloader. If you still have your files in /etc/letsencrypt and haven’t deleted or renamed them, it will find them and use them for renewals.
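Added example, not part of the original thread and not Certbot's own code: a structural check of a restored /etc/letsencrypt tree before running a renewal. It relies on Certbot's standard layout, where each renewal/<name>.conf has four symlinks in live/<name>/ pointing into archive/<name>/, so a copy that drops or flattens the links (rather than preserving them, as tar or cp -a do) is reported. The function names and the example.test lineage are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a restored /etc/letsencrypt tree.

# check_lineages ROOT
# For every ROOT/renewal/<name>.conf, confirm that the four files under
# ROOT/live/<name>/ are symlinks resolving to regular files (normally in
# ROOT/archive/<name>/). Prints one line per problem; returns 0 only if
# no problem was found.
check_lineages() {
    local root=$1 problems=0 conf name f link
    for conf in "$root"/renewal/*.conf; do
        if [ ! -e "$conf" ]; then
            echo "no renewal configuration found under $root/renewal"
            return 1
        fi
        name=$(basename "$conf" .conf)
        for f in cert chain fullchain privkey; do
            link="$root/live/$name/$f.pem"
            if [ ! -L "$link" ]; then
                echo "$name: live/$name/$f.pem missing or not a symlink"
                problems=$((problems + 1))
            elif [ ! -f "$link" ]; then
                echo "$name: live/$name/$f.pem points at a missing file"
                problems=$((problems + 1))
            fi
        done
    done
    [ "$problems" -eq 0 ]
}

# make_demo_tree: build a constructed tree for the placeholder name
# example.test in a temp directory (empty files stand in for PEM data).
make_demo_tree() {
    local root f
    root=$(mktemp -d)
    mkdir -p "$root/renewal" "$root/live/example.test" "$root/archive/example.test"
    : > "$root/renewal/example.test.conf"
    for f in cert chain fullchain privkey; do
        : > "$root/archive/example.test/${f}1.pem"
        ln -s "../../archive/example.test/${f}1.pem" "$root/live/example.test/$f.pem"
    done
    echo "$root"
}

# Demo on the constructed tree; on a real host pass /etc/letsencrypt (as root).
demo=$(make_demo_tree)
check_lineages "$demo" && echo "OK: $demo"
rm -rf "$demo"
```

A clean result only shows the tree is structurally intact; sudo certbot renew --dry-run, which appears in the history output above, is still the end-to-end test.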


#12

So you are suggesting that I run the apt update commands and run renew. I have confirmed that /etc/letsencrypt has all the requisite files. Just in case I wish to re-create the server and set up certbot again, is there any link or procedure listed on how to create a fresh server using an existing archived letsencrypt directory or keys? I searched and found one community question, but the process was not very clear. Many thanks


#13

Schoen: I reinstalled certbot using apt update and this time it began the renewal process but gave the following error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/hudddle.io.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for hudddle.io
tls-sni-01 challenge for www.hudddle.io
nginx: [error] invalid PID number "" in "/run/nginx.pid"
Cleaning up challenges
nginx: [error] invalid PID number "" in "/run/nginx.pid"
Encountered exception during recovery
nginx restart failed:
b''
b''
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 115, in _solve_challenges
    resp = self.auth.perform(self.achalls)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 865, in perform
    self.restart()
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 680, in restart
    nginx_restart(self.conf('ctl'), self.nginx_conf)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 926, in nginx_restart
    "nginx restart failed:\n%s\n%s" % (out.read(), err.read()))
certbot.errors.MisconfigurationError: nginx restart failed:
b''
b''

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 100, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 284, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 884, in cleanup
    self.restart()
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 680, in restart
    nginx_restart(self.conf('ctl'), self.nginx_conf)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 926, in nginx_restart
    "nginx restart failed:\n%s\n%s" % (out.read(), err.read()))
certbot.errors.MisconfigurationError: nginx restart failed:
b''
b''
Attempting to renew cert (hudddle.io) from /etc/letsencrypt/renewal/hudddle.io.conf produced an unexpected error: nginx restart failed:
b''
b''. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/hudddle.io/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/hudddle.io/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

Any suggestions?


#14

Oops, now my nginx is not starting :frowning_face:


#15

I have decided to reconfigure my server. Lesson learnt on dockers. :frowning_face: Thanks for the help

