[SOLVED] Let's Encrypt renewal fails after upgrade

Discussion in 'ISPConfig 3 Priority Support' started by Jemt, Dec 2, 2017.

  1. Jemt

    Jemt New Member HowtoForge Supporter

    Hi,

    About a month ago I upgraded an ISPConfig 3 server from Debian 7 to Debian 8 and afterwards installed an update to ISPConfig using ispconfig_update.sh. Everything seemed to work fine. But two weeks ago I received a warning that one of our Let's Encrypt certificates were about to expire.

    So I opened /var/log/ispconfig/cron.log to check for errors, and I found this:

    Sat Dec 2 03:00:20 UTC 2017 Traceback (most recent call last):
    Sat Dec 2 03:00:20 UTC 2017 File "/root/.local/share/letsencrypt/bin/letsencrypt", line 7, in <module>
    Sat Dec 2 03:00:20 UTC 2017 from certbot.main import main
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 9, in <module>
    Sat Dec 2 03:00:20 UTC 2017 from acme import jose
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/__init__.py", line 37, in <module>
    Sat Dec 2 03:00:20 UTC 2017 from acme.jose.interfaces import JSONDeSerializable
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/interfaces.py", line 9, in <module>
    Sat Dec 2 03:00:20 UTC 2017 from acme.jose import util
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/util.py", line 5, in <module>
    Sat Dec 2 03:00:20 UTC 2017 import OpenSSL
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    Sat Dec 2 03:00:20 UTC 2017 from OpenSSL import rand, crypto, SSL
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/rand.py", line 12, in <module>
    Sat Dec 2 03:00:20 UTC 2017 from OpenSSL._util import (
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 6, in <module>
    Sat Dec 2 03:00:20 UTC 2017 from cryptography.hazmat.bindings.openssl.binding import Binding
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 156, in <module>
    Sat Dec 2 03:00:20 UTC 2017 Binding.init_static_locks()
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 140, in init_static_loc$
    Sat Dec 2 03:00:20 UTC 2017 __import__("_ssl")
    Sat Dec 2 03:00:20 UTC 2017 ImportError: No module named _ssl
    Sat Dec 2 03:01:01 UTC 2017
    Sat Dec 2 03:01:01 UTC 2017
    Sat Dec 2 03:01:01 UTC 2017 finished.

    I don't recall installing Let's Encrypt myself when I followed the "The perfect server" guide for Debian 7 and Apache. So I assume ISPConfig installed it at some point (perhaps as a dependency - not sure).

    Can someone help me resolve this problem? It's a bit urgent - the certificate about to expire is used on a very large webshop, so we are facing a huge economic penalty if this is not resolved soon.

    - Thanks in advance

    Jimmy
     
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    ISPConfig does not install certbot/letsencrypt. That has to be done by the user. I prefer the manual installation as it is more up to date than the system packages.
    Please uninstall packages "certbot" or "python-certbot" if you have installed them by packaging tool, then run
    Code:
    cd /tmp
    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto
    ./certbot-auto --dry-run
    
    Ignore the warning about the dry run only possible on certonly etc. command at the end. It doesn't matter. The command will update your system packages needed for certbot and update certbot itself to the latest version.
     
  3. Jemt

    Jemt New Member HowtoForge Supporter

    Hi Croydon.
    Thanks for replying so quickly.
    The procedure you suggest is for Debian 7 (https://certbot.eff.org/#debianwheezy-apache). Should I really do that on Debian 8?
    I actually did download and run certbot some time ago, but I expected it to be a standalone binary - I never installed it to
    /root/.local/share/letsencrypt/bin/letsencrypt or /opt/eff.org/certbot/venv/bin/certbot where usr/local/ispconfig/server/lib/classes/cron.d/900-letsencrypt.inc.php seems to expect it to be. Am I wrong in this assumption? And should I infact perform your suggested fix on Debian 8? If so, what makes it install into the two locations I mentioned?

    Thanks again :)

    Jimmy
     
    Last edited: Dec 2, 2017
  4. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Hi.
    The procedure is the same for many distributions ;-) I use it on debian 9, too.
    The debian 9 and debian 8 backport packages contain certbot 0.10 or 0.11 while the manuall installation leads to 0.19.
    It is no standalone binary it is an installer that installs prerequisites and the real certbot files into /opt/eff.org - /root/.local was the former installation location which has changed a while ago.
     
  5. Jemt

    Jemt New Member HowtoForge Supporter

    Hello again.

    Thanks for elaborating. I did what you suggested but received the following error:

    Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
    Traceback (most recent call last):
    File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 9, in <module>
    from acme import jose
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/__init__.py", line 37, in <module>
    from acme.jose.interfaces import JSONDeSerializable
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/interfaces.py", line 9, in <module>
    from acme.jose import util
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/util.py", line 5, in <module>
    import OpenSSL
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/rand.py", line 12, in <module>
    from OpenSSL._util import (
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 156, in <module>
    Binding.init_static_locks()
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 140, in init_static_locks
    __import__("_ssl")
    ImportError: No module named _ssl

    To work around this I renamed the original version installed and ran certbot again:
    mv /opt/eff.org /opt/eff.org_OLD
    ./certbot-auto --dry-run

    This time it worked - it installed all the missing dependencies, and certbot no longer throws the exception:
    /opt/eff.org/certbot/venv/bin/certbot --version
    This outputs: certbot 0.19.0

    How can I force ISPConfig to immediately try to renew all the certificates to make sure the certificates about to expire gets renewed?

    Jimmy
     
  6. Tuumke

    Tuumke Member HowtoForge Supporter

    Did you check the /var/log/letsencrypt/letsencrypt.log?
     
  7. Jemt

    Jemt New Member HowtoForge Supporter

    Hi Tuumke.

    Yes, no new entries. The renewal cronjob has not been executed yet.

    But I looked through /usr/local/ispconfig/server/lib/classes/cron.d/900-letsencrypt.inc.php and found that simply invoking "cert -n renew" would be sufficient.

    certbot -n renew
    /etc/init.d/apache2 restart

    All certificate created by ISPConfig was renewed successfully :)

    Thanks a lot guys! :)

    Best regards
    Jimmy
     
    Last edited: Dec 3, 2017
    Tuumke likes this.
  8. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Just for information: You can run any ISPConfig cron from the cron.d directory like this
    cd /usr/local/ispconfig/server/
    php cron_debug.php --cronjob=900-letsencrypt.inc.php
     
    Tuumke likes this.
  9. Jemt

    Jemt New Member HowtoForge Supporter

    Oh cool - that's really helpful. Thanks :)
     

Share This Page