
I am trying to create and install a Let's Encrypt SSL certificate using certbot. It's for a subdomain named private.mydomain.de (on a different server than mydomain.de). Certbot aborts with the following messages:

An unexpected error occurred:
AttributeError: 'module' object has no attribute 'TLSSNI01'

Went to https://letsdebug.net/ and checked the domain in question.
http-01 and DNS-01 tests passed, TLS-ALPN-01 fails with these verbose error messages:

IssueFromLetsEncrypt 
ERROR 
A test authorization for private.mydomain.de to the Let's Encrypt staging service 
has revealed issues that may prevent any certificate for this domain being issued.
Connection refused

DEBUG
Challenge update failures for private.mydomain.de in order  
https://acme-staging-v02.api.letsencrypt.org/acme/order/<....>/<....>
acme: error code 400 "urn:ietf:params:acme:error:connection":  
Connection refused PublicSuffix

RateLimit
DEBUG
1 Certificates contributing to rate limits for this domain
Serial: <serialnr>
NotBefore: 2020-02-02 22:23:22 +0000 UTC 
Names: [finance.mydomain.de mydomain.de] 

My plan now is to revoke the certificate contributing to the rate limit:

Used https://censys.io/certificates?q=...serialnr and copied the PEM, inserted it at https://tools.letsdebug.net/cert-revoke, completed the DNS challenges and checked with dig. 'Revoke certificate' then aborts with the error:

An error occured
Unfortunately something went wrong during the process. Usually this is  
not recoverable - you will need to start from the beginning.
Error: Request failed with status code 400

Tried it again with same outcome, now I am asking here, what can I do?

UPDATE: I renamed the server in nginx.conf from 'private.mydomain.de' to 'consult.mydomain.de'. This subdomain has been used previously on this server and has had a certificate before (which was uninstalled by certbot delete --cert-name ...). With this new old name, Certbot ran without problems, created and installed a certificate.

SOLUTION
After having several more issues with Certbot and more research, I found this solution: On the Oracle Cloud Infrastructure (OCI) with Oracle Linux 7, don't use Certbot, but install certbot-auto:

```shell
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
sudo /usr/local/bin/certbot-auto certonly --standalone
```
From: https://blogs.oracle.com/developers/free-ssl-certificates-in-the-oracle-cloud-using-certbot-and-lets-encrypt

I was able to create and install all desired certificates.

jamacoe
  • Does your server respond to a request for mydomain.de/.well-known/acme-challenge? Because in Names: it says that it checks also and probably first: mydomain.de. – Gerrit Feb 04 '20 at 16:22
  • @user188737 not sure if I understand your question. In the last step I had to complete DNS challenges on the nameserver of mydomain.de with TXT records for _acme-challenge.mydomain.de as well as _acme-challenge.finance.mydomain.de. Both tests passed before the 'Revoke certificate' button appeared. – jamacoe Feb 04 '20 at 16:35
  • The certificate you are trying to issue/revoke seems to have two DNS names: finance.mydomain.de and mydomain.de. On at least one of those there seems to be a webserver responding with an http status 400 when the acme challenge bot comes asking. – Gerrit Feb 04 '20 at 17:24
  • @user188737 the subdomain finance.mydomain.de is not used anymore and has no DNS. The domain mydomain.de has cloudflare DNS and proxy services and the certificate presented to the browser is by cloudflare, not from my server and not from LetsEncrypt. So I thought I could delete this certificate as it is not installed anywhere. However, I think the core of the problem might be the message "Connection refused PublicSuffix". Probably I don't have to delete/revoke a cert, as it is only contributing, but not breaking my rate limits for the domain – jamacoe Feb 04 '20 at 18:11
  • It seems then the final revoke action still checks both domains on http even if you did the DNS challenges. Remains a bit unclear. – Gerrit Feb 05 '20 at 11:02
  • found a solution, please read update. – jamacoe Feb 17 '20 at 17:55

4 Answers

For a very fragile workaround, you can edit /usr/lib/python3/dist-packages/certbot_nginx/configurator.py and replace return [challenges.HTTP01, challenges.TLSSNI01] with return [challenges.HTTP01] (or you… can use the webroot plugin)

Stuggi
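As an added example (not code from the answer above or from the certbot project), a small script that applies this workaround idempotently and keeps a backup instead of hand-editing the file. The path is the one quoted in the answer; the regex assumes the challenge list appears as a one-line return [...] statement, as quoted.

```python
"""Apply the TLSSNI01 workaround to certbot_nginx/configurator.py with a backup.

Removes challenges.TLSSNI01 from any `return [challenges...]` list so the
nginx plugin only offers HTTP-01.  Re-running on a patched file changes nothing.
"""
import re
import shutil
import sys

# Path quoted in the answer; adjust if your distro installs certbot elsewhere.
DEFAULT_PATH = "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py"

# Matches e.g.  return [challenges.HTTP01, challenges.TLSSNI01]
_LIST_RE = re.compile(r"return\s*\[(?P<items>[^\]]*challenges\.[^\]]*)\]")


def strip_tlssni01(source):
    """Return (patched_source, number_of_TLSSNI01_entries_removed)."""
    removed = 0

    def fix(match):
        nonlocal removed
        items = [i.strip() for i in match.group("items").split(",") if i.strip()]
        kept = [i for i in items if i != "challenges.TLSSNI01"]
        removed += len(items) - len(kept)
        return "return [" + ", ".join(kept) + "]"

    return _LIST_RE.sub(fix, source), removed


def patch_file(path=DEFAULT_PATH):
    """Patch the file in place; returns how many entries were removed (0 = already clean)."""
    with open(path) as fh:
        original = fh.read()
    patched, removed = strip_tlssni01(original)
    if removed:
        shutil.copy2(path, path + ".orig")  # keep the original to undo the workaround
        with open(path, "w") as fh:
            fh.write(patched)
    return removed


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    print(f"removed {patch_file(target)} TLSSNI01 entr(y/ies) from {target}")
```

Restore the unpatched file from configurator.py.orig once the packaged plugin is fixed.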

I had the same issue after updating to Ubuntu 20.04.

There's a one-liner install that runs on Focal: https://github.com/vinyll/certbot-install#how-to-install

That solved it for me, and there's also an uninstall for when the certbot PPA is fixed.

vinyll

Use webroot plugin:

certbot certonly --webroot -w /var/www/yourdoma.in -d yourdoma.in

where /var/www/yourdoma.in is your domain's webroot directory.

Ilyich
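To confirm the webroot is actually served over plain HTTP before running that command (the point Gerrit raised in the comments), here is an added Python pre-flight check, not part of this answer or of certbot: it drops a random token under <webroot>/.well-known/acme-challenge/ and fetches it the way HTTP-01 validation does. demo() runs it against a throwaway local server; for a real host call check_webroot with your webroot and http://your.domain.

```python
"""Pre-flight check for the certbot webroot plugin (added example, not certbot code)."""
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def place_token(webroot):
    """Write a random token file where HTTP-01 expects it; returns (token, path)."""
    token = secrets.token_urlsafe(24)
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path


def fetch_token(base_url, token, timeout=5):
    """GET <base_url>/.well-known/acme-challenge/<token>; returns (status, body)."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:       # e.g. 400/404 from the web server
        return exc.code, ""
    except (urllib.error.URLError, OSError) as exc:  # connection refused, timeout
        return 0, str(exc)


def check_webroot(webroot, base_url):
    """True only if the token comes back with HTTP 200 and unchanged content."""
    token, path = place_token(webroot)
    try:
        status, body = fetch_token(base_url, token)
        return status == 200 and body.strip() == token
    finally:
        os.remove(path)  # never leave stray files in the challenge directory


def demo():
    """Serve a temporary webroot on 127.0.0.1 and run the check against it."""
    with tempfile.TemporaryDirectory() as webroot:
        handler = partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return check_webroot(webroot, f"http://127.0.0.1:{srv.server_address[1]}")
        finally:
            srv.shutdown()
```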

This error can occur when using old packages on Ubuntu/Debian distros.

Check if you have at the same time the packages python-certbot and python3-certbot. You should uninstall the older one (python-certbot).

Also update the ca-certificates package with apt install ca-certificates

NetVicious