I already had Let's Encrypt on an Ubuntu server (Python v2.7.6) but it is no longer running, complaining that I am using an old client. I downloaded the certbot client for Ubuntu 14 but when I run the following command, I get the error copied below - any idea on how to troubleshoot this further:

./certbot-auto certonly --text --webroot -w /usr/share/nginx/html -d actualurl.com --keep-until-expiring --expand --agree-tos --email replaced@gmail.com


2016-07-31 20:50:48,178:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f45863102d0> and installer None
2016-07-31 20:50:48,350:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory284. args: (), kwargs: {}
2016-07-31 20:50:48,354:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-07-31 20:50:48,803:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory284 HTTP/1.1" 404 19
2016-07-31 20:50:48,805:DEBUG:root:Received <Response [404]>. Headers: {'Content-Length': '19', 'X-Content-Type-Options': 'nosniff', 'Boulder-Request-Id': 'gH76WSwBJgzedpyjF8X3TAVVYz0-TLkaiNGTjQa3Weg', 'Expires': 'Sun, 31 Jul 2016 20:50:48 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 31 Jul 2016 20:50:48 GMT', 'Content-Type': 'text/plain; charset=utf-8'}. Content: '404 page not found\n'
2016-07-31 20:50:48,805:DEBUG:acme.client:Received response <Response [404]> (headers: {'Content-Length': '19', 'X-Content-Type-Options': 'nosniff', 'Boulder-Request-Id': 'gH76WSwBJgzedpyjF8X3TAVVYz0-TLkaiNGTjQa3Weg', 'Expires': 'Sun, 31 Jul 2016 20:50:48 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 31 Jul 2016 20:50:48 GMT', 'Content-Type': 'text/plain; charset=utf-8'}): '404 page not found\n'
2016-07-31 20:50:48,806:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 744, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 550, in obtain_cert
    le_client = _init_le_client(config, auth, installer)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 360, in _init_le_client
    acc, acme = _determine_account(config)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 345, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 118, in register
    acme = acme_from_config_key(config, key)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 42, in acme_from_config_key
    return acme_client.Client(config.server, key=key, net=net)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 63, in __init__
    self.net.get(directory).json())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 631, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 578, in _check_response
    raise errors.ClientError(response)
ClientError: <Response [404]>

I also ran certbot-auto with certonly but I got the same error.

dialog version

Version: 1.2-20130928

lsb_release -a

Distributor ID: Ubuntu
Description:    Ubuntu 14.04.3 LTS
Release:    14.04
Codename:   trusty

I downloaded certbot using

wget https://dl.eff.org/certbot-auto

Also, the nginx process was running and still had the older Let's Encrypt certificate. I have since tried removing that and restarting nginx but I am still getting the same error. I am running HAProxy on port 80 and redirecting to Nginx.

I have the following certbot plugins installed:

* apache
Description: Apache Web Server - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator

* standalone
Description: Automatically use a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
ali haider

2 Answers


Since I don't like stopping the webserver (for many reasons) or any pre-processors in front of it (HAProxy, Varnish, etc.), I have been leveraging the latest version of certbot-auto's pre-hook and post-hook options this way:

certbot-auto certonly --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 44033 \
  --pre-hook  "iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 44033" \
  --post-hook "iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 44033"

What happens if I run that command is:

  1. certbot-auto checks whether all certs need renewal
  2. If any cert needs renewal, it executes the pre-hook: Create a redirect from port 443 (the one the webserver is listening on) to port 44033 (the one certbot-auto is listening on)
  3. After renewal is complete, it executes the post-hook: Delete the redirect created in Step 2.

There are many benefits:

  • As mentioned previously, I don't have to stop any process(es) currently listening on port 443 (or 80)
  • Also, I don't have to change any configuration of the webserver ... or remember to revert the changes afterwards
  • It's self-contained within one file. I now have the following script inside /etc/cron.daily:

letsencrypt-renew.sh

#!/bin/bash
Redir() {
    echo "iptables -t nat $1 PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 44033"
}
certbot-auto renew --standalone \
    --preferred-challenges tls-sni-01 --tls-sni-01-port 44033 \
    --pre-hook "$(Redir -I)" \
    --post-hook "$(Redir -D)"

(Do note that by simply replacing renew with certonly, you can also use this script to do the initial request of certificates. Replace renew with ${1:-renew} to allow specifying the action as an arg to the script.)

pepoluan
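A hardened variant of that cron script, added here as an example and not pepoluan's own code: the hooks are the same, but the post-hook removes every copy of the redirect and the script checks iptables-save afterwards, so a certbot run that dies between pre-hook and post-hook cannot leave port 443 redirected to a closed port. The tls-sni-01 challenge and port 44033 are kept as in the answer; Let's Encrypt has since retired that challenge.

```bash
#!/bin/bash
# Added example, not pepoluan's script: the same iptables redirect hooks,
# plus a post-hook that removes every copy of the redirect and a check of
# `iptables-save -t nat` output afterwards, so a certbot run that died
# between pre-hook and post-hook cannot silently leave port 443 pointed at
# a closed port (an outage rather than a failed renewal).
ACME_PORT=44033   # certbot's temporary listener, as in the answer
RULE="PREROUTING -p tcp --dport 443 -j REDIRECT --to-port $ACME_PORT"

# Build a hook command; $1 is -I (insert) or -D (delete one copy).
redir_cmd() {
    printf 'iptables -t nat %s %s' "$1" "$RULE"
}

# Post-hook: delete copies until `iptables -C` (check) no longer finds one.
# A single -D would leave a duplicate behind after an earlier crashed run.
redir_clear_cmd() {
    printf 'while iptables -t nat -C %s 2>/dev/null; do iptables -t nat -D %s; done' \
        "$RULE" "$RULE"
}

# Count PREROUTING redirects to ACME_PORT in an `iptables-save -t nat` dump
# read from stdin. iptables-save spells the target option --to-ports.
leftover_redirects() {
    grep -c -- "^-A PREROUTING .*--dport 443 .*-j REDIRECT --to-ports $ACME_PORT" || true
}

# $1 is renew or certonly. tls-sni-01 is what the answer used; Let's Encrypt
# has since retired that challenge, so a current setup would use http-01 and
# redirect port 80 to certbot's --http-01-port instead.
run_certbot() {
    certbot-auto "$1" --standalone \
        --preferred-challenges tls-sni-01 --tls-sni-01-port "$ACME_PORT" \
        --pre-hook "$(redir_cmd -I)" \
        --post-hook "$(redir_clear_cmd)"
    # Verify the NAT table really is clean, and repair it if not.
    left=$(iptables-save -t nat | leftover_redirects)
    if [ "$left" -ne 0 ]; then
        echo "WARNING: $left stale redirect(s) to port $ACME_PORT; cleaning up" >&2
        eval "$(redir_clear_cmd)"
    fi
}

# With no argument the script only defines the functions; run it as
# `letsencrypt-renew.sh renew` from cron to actually renew.
case "${1:-}" in
    renew|certonly) run_certbot "$1" ;;
esac
```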

I followed the steps on this link and it worked for me (was able to get a cert).

https://github.com/eustasy/certbot-with-nginx

The only thing missing in the steps was to ensure that we copy the nginx.welll-known.conf file into the /etc/nginx directory (or simply create a link). I am using nginx to serve content (I shut down HAProxy listening on port 80 to ensure that this setup worked).

ali haider