You've asked to renew/replace a seemingly valid certificate with a test certificate, We will not do that unless you use the --break-my-certs flag!

Hi !
I have a problem when renewing my existing certificates in the staging env.
I am using certbot 1.9.0.
The server is https://acme-staging-v02.api.letsencrypt.org/directory.

And the error is

command exec failed:/usr/local/lib/python2.7/dist-packages/OpenSSL/crypto.py:14: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography import utils, x509
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found credentials in environment variables.
Plugins selected: Authenticator dns-route53, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: 333.jiaxuan.test.cert-test.shopee.systems, *.333.jiaxuan.live-test.cert-test.shopee.systems, *.333.jiaxuan.staging.cert-test.shopee.systems, *.333.jiaxuan.test-stable.cert-test.shopee.systems, *.333.jiaxuan.test.cert-test.shopee.systems, *.333.jiaxuan.uat.cert-test.shopee.systems, 333.jiaxuan.live-test.cert-test.shopee.systems, 333.jiaxuan.staging.cert-test.shopee.systems, 333.jiaxuan.test-stable.cert-test.shopee.systems, 333.jiaxuan.uat.cert-test.shopee.systems). We will not do that unless you use the --break-my-certs flag!

Can anyone help on this?

You probably want to use --dry-run, which uses the staging environment, instead of the --server option you're probably using currently.

By the way, Python 2.7? What gives?

2 Likes

Hi @XuelinMao, and welcome to the LE community forum :slight_smile:

Did you use the --staging flag?

Please show the complete certbot command used.

4 Likes

Let me try it. My command is below; preferChain is ISRG Root X1.

	bin := "certbot"
	args := []string{
		"--cert-name",
		certName,
		"-d",
		certDomains,
		"--preferred-chain",
		preferChain,
		"--server",
		acmeServer,
		"--dns-route53",
		"--preferred-challenges",
		"dns",
		"certonly",
		"-n",
		"--expand",
		"--agree-tos",
		"--email",
		"example@example.com",
	}

1 Like

What's in the acmeServer variable?

4 Likes

https://acme-staging-v02.api.letsencrypt.org/directory

Why do you want to renew it via the staging API? You know it wouldn't be trusted by clients:

3 Likes

Tried it, but it didn't work; still the same error.

Don't use the --staging flag - you won't get a real cert from it [only a test/staging cert].

3 Likes

Yes, I know. Just in case the same error happens in our live env.

1 Like

What shows?:
certbot certificates

You may have installed a real cert in your testing env.

2 Likes

From the certbot repo, renewal.py lines 323-333:

def _avoid_invalidating_lineage(config: configuration.NamespaceConfig,
                                lineage: storage.RenewableCert, original_server: str) -> None:
    """Do not renew a valid cert with one from a staging server!"""
    if util.is_staging(config.server):
        if not util.is_staging(original_server):
            if not config.break_my_certs:
                names = ", ".join(lineage.names())
                raise errors.Error(
                    "You've asked to renew/replace a seemingly valid certificate with "
                    f"a test certificate (domains: {names}). We will not do that "
                    "unless you use the --break-my-certs flag!")

It looks like it thinks the last server was prod? But I don't see your domain on crt.sh, so it may be a bug in determining whether your old lineage was staging or prod.

2 Likes

So if there is a real cert, will it affect every test cert?
We have lots of certificates in our staging env, Orz

There is no need to guess, let's see what there is:

3 Likes

There are too many; here are two of them:

  Certificate Name: wildcard.nonlive.333-jiaxuan-cert-test-shopee-systems.api
    Serial Number: fa5393b1b060ca55889de7371281f798aefc
    Domains: 333.jiaxuan.test.cert-test.shopee.systems *.333.jiaxuan.live-test.cert-test.shopee.systems *.333.jiaxuan.staging.cert-test.shopee.systems *.333.jiaxuan.test-stable.cert-test.shopee.systems *.333.jiaxuan.test.cert-test.shopee.systems *.333.jiaxuan.uat.cert-test.shopee.systems 333.jiaxuan.live-test.cert-test.shopee.systems 333.jiaxuan.staging.cert-test.shopee.systems 333.jiaxuan.test-stable.cert-test.shopee.systems 333.jiaxuan.uat.cert-test.shopee.systems
    Expiry Date: 2023-11-13 07:44:03+00:00 (INVALID: TEST_CERT)
    Certificate Path: /etc/letsencrypt/live/wildcard.nonlive.333-jiaxuan-cert-test-shopee-systems.api/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/wildcard.nonlive.333-jiaxuan-cert-test-shopee-systems.api/privkey.pem
  Certificate Name: wildcard.nonlive.3q6vqyz-albauto-shopee-sg.api
    Serial Number: fa143a6e49fc36203952f0fb917fb5769fe5
    Domains: 3q6vqyz.albauto.test.shopee.sg *.3q6vqyz.albauto.live-test.shopee.sg *.3q6vqyz.albauto.staging.shopee.sg *.3q6vqyz.albauto.test-stable.shopee.sg *.3q6vqyz.albauto.test.shopee.sg *.3q6vqyz.albauto.uat.shopee.sg 3q6vqyz.albauto.live-test.shopee.sg 3q6vqyz.albauto.staging.shopee.sg 3q6vqyz.albauto.test-stable.shopee.sg 3q6vqyz.albauto.uat.shopee.sg
    Expiry Date: 2023-11-08 05:07:00+00:00 (INVALID: TEST_CERT)
    Certificate Path: /etc/letsencrypt/live/wildcard.nonlive.3q6vqyz-albauto-shopee-sg.api/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/wildcard.nonlive.3q6vqyz-albauto-shopee-sg.api/privkey.pem

And I also checked that all certs show INVALID: TEST_CERT.

1 Like

OK, then that most likely means that you have indeed found a bug in the certbot code.

Just to be :100: certain, please show:
certbot certificates | grep Expiry

If that is really long, then:
certbot certificates | grep Expiry | grep -v TEST_CERT

2 Likes
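An added example (not code from this thread or from certbot itself) that reproduces the decision in the renewal.py snippet quoted above and the `certbot certificates | grep Expiry | grep -v TEST_CERT` check in Python. It assumes, from my reading of certbot's renewal code rather than from anything in the thread, that the original server is taken from the `server` line of the lineage's /etc/letsencrypt/renewal/<name>.conf and defaults to production when that line is missing; is_staging is an approximation of certbot's util.is_staging, and the renewal configs and certificates output are constructed samples.

```python
import re

STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"
PRODUCTION = "https://acme-v02.api.letsencrypt.org/directory"  # certbot's default --server

# Constructed renewal configs in the shape of /etc/letsencrypt/renewal/<name>.conf.
CONF_STAGING = "[renewalparams]\nauthenticator = dns-route53\nserver = %s\n" % STAGING
CONF_NO_SERVER = "[renewalparams]\nauthenticator = dns-route53\n"  # no 'server' line at all

# Constructed sample in the shape of `certbot certificates` output (first lineage from the thread,
# second one hypothetical so that the check has something to report).
CERTIFICATES_OUTPUT = """\
  Certificate Name: wildcard.nonlive.333-jiaxuan-cert-test-shopee-systems.api
    Expiry Date: 2023-11-13 07:44:03+00:00 (INVALID: TEST_CERT)
  Certificate Name: hypothetical-prod-lineage
    Expiry Date: 2023-12-01 00:00:00+00:00 (VALID: 45 days)
"""


def is_staging(server: str) -> bool:
    """Approximation of certbot's util.is_staging(): the staging URL, or any URL mentioning 'staging'."""
    return server == STAGING or "staging" in server


def original_server(renewal_conf: str) -> str:
    """Server recorded for the lineage; assumed to fall back to production when the line is absent."""
    m = re.search(r"^server\s*=\s*(\S+)", renewal_conf, flags=re.M)
    return m.group(1) if m else PRODUCTION


def would_refuse(requested_server: str, renewal_conf: str, break_my_certs: bool = False) -> bool:
    """Same decision as the _avoid_invalidating_lineage() snippet quoted above."""
    return (is_staging(requested_server)
            and not is_staging(original_server(renewal_conf))
            and not break_my_certs)


def non_test_lineages(certificates_output: str) -> list:
    """Python equivalent of `certbot certificates | grep Expiry | grep -v TEST_CERT`, by lineage name."""
    names = []
    for block in re.split(r"^\s*Certificate Name: ", certificates_output, flags=re.M)[1:]:
        name, _, rest = block.partition("\n")
        expiry = re.search(r"Expiry Date: (.*)", rest)
        if expiry and "TEST_CERT" not in expiry.group(1):
            names.append(name.strip())
    return names


if __name__ == "__main__":
    print("staging conf, staging request ->", would_refuse(STAGING, CONF_STAGING))    # False
    print("conf without a server line   ->", would_refuse(STAGING, CONF_NO_SERVER))  # True
    print("lineages that are not test certs:", non_test_lineages(CERTIFICATES_OUTPUT))
```

A lineage whose renewal config lacks a `server` line is treated as production under this assumption, which is one way a lineage full of TEST_CERT certificates could still trip the refusal.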

If you think you've found a bug in Certbot, please first upgrade to the most recent Certbot version (2.7.2) and check if the problem persists.

1 Like

Does the most recent even support Python 2.7 ?

Of course, snap would usually be better. @XuelinMao see https://certbot.eff.org if you do need to upgrade.

3 Likes

No, "of course" not. But it's rather a catch 22: if you think you've found a bug, you'd need to make sure it's also present in the most recent versions and not already fixed. But if you can't upgrade, you can't test that. So you're stuck.

Python 2.7 hasn't received security upgrades since 2020, so there's absolutely no reason to continue using it. Any legacy software requiring Python 2.7 should either be ported, upgraded or discarded IMO.

2 Likes