Various errors renewing certificate on CentOS (AWS)

Hi,

I’ve recently tried to renew my certificate using the standard command:

./letsencrypt-auto --text --agree-tos --email dan@myemail.com certonly --renew-by-default --webroot --webroot-path /var/www/html/pro01.co.uk -d pro01.co.uk

and ran into the following error:

Upgrading certbot-auto 0.17.0 to 0.19.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 9, in <module>
    import zope.component
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/__init__.py", line 16, in <module>
    from zope.interface import Interface
ImportError: No module named interface

I tried the following command:
/root/.local/share/letsencrypt/bin/pip list

…and noted that zope.interface does not appear to be installed. I then ran the following command:
sudo /root/.local/share/letsencrypt/bin/pip install zope.interface which says it installed successfully.

I then restarted httpd services and tried renewing the certificate again but this time got this error:
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt: Traceback (most recent call last): File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module> from certbot.main import main File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 11, in <module> from acme import jose File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/acme/jose/__init__.py", line 37, in <module> from acme.jose.interfaces import JSONDeSerializable File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/acme/jose/interfaces.py", line 9, in <module> from acme.jose import util File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/acme/jose/util.py", line 4, in <module> from cryptography.hazmat.primitives.asymmetric import rsa ImportError: No module named cryptography.hazmat.primitives.asymmetric

I also tried sudo ./letsencrypt-auto --help but received the same error.

Any suggestions?

Perhaps the cryptography library needs updating.

Should be something letsencrypt-auto (does this install the same client as certbot-auto? letsencrypt is a VERY old name for certbot…) should do on its own I’d say…

I've tried the following:
pip install cryptography

But it simply says 'Requirement already satisfied'

I've also tried updating my commands to:
./certbot-auto
...but the same error persists.

Any other ideas?

Dan,

run this to update certbot:

unset PYTHON_INSTALL_LAYOUT
/root/.local/share/letsencrypt/bin/pip install --upgrade certbot

and then this to install your certificate:

certbot-auto certonly -a webroot --webroot-path=/usr/share/nginx/html/yourwebsite -d yousite.com -d www.yoursite.com --debug

or this to renew your certificate:

certbot-auto renew --post-hook ‘service nginx reload’

Hope this helps, best.

This will not install the certificate, it will only issue and retrieve it. The installation will have to be done manually.

So I ran these as two separate commands followed by the standard command I normally use to install certificates:

./letsencrypt-auto --text --agree-tos --email dan@myemail.com certonly --renew-by-default --webroot --webroot-path /var/www/html/pro01.co.uk -d pro01.co.uk

and success! Installed as normal.

Thanks for your input Romain. One last question…

What exactly did I just do?

Note: the --renew-by-default part will get you in trouble if you run the client too often, as it will always get a new certificate. It’s adviced to remove such an option and put a cd /path/to/letsencrypt/; ./letsencrypt-auto renew in a daily cronjob.

Thanks Osiris. I only run that command when the certs about to expire. I time the update alongside a three monthly cycle of server updates. I’m assuming used in this context that would be fine?

If the certificates are already up for renewal (within 30 days of expiry), the command shouldn’t be necessary too.

Ok so just:

./letsencrypt-auto --text --agree-tos --email dan@myemail.com certonly --webroot --webroot-path /var/www/html/pro01.co.uk -d pro01.co.uk

Should do the trick if all certificates are up for renewal.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.