Unexpected error: 'utf-8' codec can't decode byte 0xe3 in position 18: invalid continuation byte

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:jjw.com.br

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/integrador.jjw.com.br.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/portal.jjw.com.br.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/jjw.com.br.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jjw.com.br
http-01 challenge for www.jjw.com.br
Cleaning up challenges
Encountered exception during recovery:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 132, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/manual.py", line 169, in perform
    perform_achall(achall)
  File "/usr/lib/python3/dist-packages/certbot/plugins/manual.py", line 205, in _perform_achall_with_script
    _, out = hooks.execute(self.conf('auth-hook'))
  File "/usr/lib/python3/dist-packages/certbot/hooks.py", line 245, in execute
    out, err = cmd.communicate()
  File "/usr/lib/python3.4/subprocess.py", line 960, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib/python3.4/subprocess.py", line 1659, in _communicate
    self.stdout.encoding)
  File "/usr/lib/python3.4/subprocess.py", line 888, in _translate_newlines
    data = data.decode(encoding)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xe3 in position 18: invalid continuation byte

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 316, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/manual.py", line 242, in cleanup
    env = self.env.pop(achall)
KeyError: KeyAuthorizationAnnotatedChallenge(challb=ChallengeBody(chall=HTTP01(token=b'\xad\x86rw-\xaaA\xf4\xb8X\x99\xea\x9c\x85e\xbb\xcf/\xd9\x83\x04\xa1\xc9\xb4v\x95,4\xe9Ls\x8d'), uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/4352617991/FtJzdQ', status=Status(pending), error=None, validated=None, _url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/4352617991/FtJzdQ'), domain='jjw.com.br', account_key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey object at 0x7f13046a06a0>)>))
Attempting to renew cert (jjw.com.br) from /etc/letsencrypt/renewal/jjw.com.br.conf produced an unexpected error: 'utf-8' codec can't decode byte 0xe3 in position 18: invalid continuation byte. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/jjw.com.br/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/integrador.jjw.com.br/fullchain.pem expires on 2020-07-15 (skipped)
  /etc/letsencrypt/live/portal.jjw.com.br/fullchain.pem expires on 2020-06-08 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/jjw.com.br/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 14.04.5 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

My first suggestion would be to update your O/S.
Ubuntu 14.04.05 LTS reached end of standard support in April of last year.

My second suggestion is to try to update the certbot client - but that might be the latest on that dist.

My last suggestion (if those two can’t be done or don’t fix the problem) would be to use an alternate ACME client - like acme.sh or certbot-auto

Hi @jjw.roberto

0xe3 is 227, may be ã as unicode code point, may be another char (code page specific). May be you have that char in one of your config files, code or comment.

Check that and remove / change that character.

This is my config
image

I have noted that the response of the CERT_TOKEN file are returning the Content-Type as text/plain charset=ISO-8859-1, but the real content of the file is UTF-8.

Can this be the problem?

What exactly does the manual auth hook output? Is it valid UTF-8? What’s in position 18?

Is it possible that you’ve edited one of your configuration files with an editor that included non-ASCII characters in them?

Could you run grep -P '[\x80-\xFF]' on this file or other relevant files to see if it finds anything?

The GREP command returns nothing.

And this is the char 18 in the config file (the char “i”):

What’s character 18 in the stderr or stdout output from your manual auth hook program?

This is my “ftp-put.sh” script:

ftp -n << EOF
open ftp03.tpa.com.br
user USER PASSWORD
pass
bin
cd web
mkdir .well-known
cd .well-known
mkdir acme-challenge
cd acme-challenge
put $CERTBOT_TOKEN
EOF

The char 18 is the “space” after the “open” command:

open ftp03.tpa.com.br
    ^

There

you have your problem - checking your domain - the portcheck part, there is an ftp check - https://check-your-website.server-daten.de/?q=ftp03.tpa.com.br#portchecks

220-Bem-vindo a Pure-FTPd. 220-Voc? ? o usu?rio n?mero 5 de 150 permitidos 220-Hora local agora ? 17:09. Porta do servidor: 21. 220-Este ? um sistema privado - N?o ? permitido usu?rio an?nimo 220-Conex?es IPv6 tamb?m s?o bem-vindas neste servidor 220 Voc? ser? desconectado ap?s 15 minutos de inatividade.

Looks like a missing code information.

Checked manual (telnet):

220-Bem-vindo a Pure-FTPd.
220-VocÛ Ú o usußrio n·mero 4 de 150 permitidos
220-Hora local agora Ú 17:04. Porta do servidor: 21.
220-Este Ú um sistema privado - NÒo Ú permitido usußrio an¶nimo
220-Conex§es IPv6 tambÚm sÒo bem-vindas neste servidor
220 VocÛ serß desconectado ap¾s 15 minutos de inatividade.

A lot of chars not in ASCII.

PS: The output is important, not the script.

1 Like

How can I solve it? This output has no importance for me…

Solved, I changed my script to this:

ftp -i -n << EOF > /dev/null
open ftp03.tpa.com.br 
...
2 Likes

This is probably a bug in Certbot because it doesn’t seem inappropriate to have non-ASCII output from a hook script, but good job finding a working solution for your situation!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.