Again issue with letsencrypt / certbot

SYSTEM INFORMATION
OS type and version Ubuntu Linux 20.04.4
Webmin version 1.990
Usermin version 1.840
Virtualmin version 6.17-3
Theme version 19.91.2
Package updates All installed packages are up to date
certbot version 0.40.0
whereis certbot certbot: /usr/bin/certbot /usr/share/man/man1/certbot.1.gz

After I’ve tackled a general issue with letsencrypt, here comes the next one.
I can’t create certificates anymore. They always fail.

So I tried to simulate it at the CLI to see what happened:

certbot certonly --staging -d citra.shop --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): An unexpected error occurred:
EOFError
Please see the logfiles in /var/log/letsencrypt for more details.

and the stuff from the logs looks like this:

2022-04-13 11:44:10,673:DEBUG:certbot.main:certbot version: 0.40.0
2022-04-13 11:44:10,674:DEBUG:certbot.main:Arguments: ['--staging', '-d', 'citra.shop', '--dry-run']
2022-04-13 11:44:10,674:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-04-13 11:44:10,689:DEBUG:certbot.log:Root logging level set at 20
2022-04-13 11:44:10,690:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-04-13 11:44:10,694:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2022-04-13 11:44:10,695:DEBUG:certbot.plugins.selection:Multiple candidate plugins: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f6c5e576c70>
Prep: True

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f6c5e5769d0>
Prep: True
2022-04-13 11:44:10,696:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1244, in certonly
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/usr/lib/python3/dist-packages/certbot/plugins/selection.py", line 228, in choose_configurator_plugins
    authenticator = pick_authenticator(config, req_auth, plugins)
  File "/usr/lib/python3/dist-packages/certbot/plugins/selection.py", line 38, in pick_authenticator
    return pick_plugin(
  File "/usr/lib/python3/dist-packages/certbot/plugins/selection.py", line 110, in pick_plugin
    plugin_ep = choose_plugin(list(six.itervalues(prepared)), question)
  File "/usr/lib/python3/dist-packages/certbot/plugins/selection.py", line 150, in choose_plugin
    code, index = disp.menu(question, opts, force_interactive=True)
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 154, in menu
    code, selection = self._get_valid_int_ans(len(choices))
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 415, in _get_valid_int_ans
    ans = input_with_timeout(input_msg)
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 85, in input_with_timeout
    raise EOFError
EOFError

Any suggestion what to do?

I really wonder why the certbot version on the server seems to be so outdated: 0.40.0, as the current release on GitHub is far away from 0.40:

It seems I’ve got one step forward as follows:

  1. remove the old certbot: apt-get remove certbot
  2. add snapd: apt-get install snapd
  3. load the new certbot: sudo snap install --classic certbot
  4. create a link where Virtualmin expects the file: sudo ln -s /snap/bin/certbot /usr/bin/certbot

The steps are described here on the certbot page

This enables me to run certbot without a fatal error, but it still doesn’t finish the validation. It outputs the following in the custom command I’ve created to simulate a certification with --dry-run:

Ausgabe von virtualmin generate-letsencrypt-cert --domain citra.shop --staging ..
Requesting SSL certificate for citra.shop www.citra.shop ..
.. failed : Web-based validation failed : Requesting a certificate for citra.shop and www.citra.shop

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: citra.shop
  Type:   unauthorized
  Detail: Invalid response from http://citra.shop/.well-known/acme-challenge/k7TAULIUjnLviFo72okPbgLJ1d5pKqObv4UrvaAEuBM [2001:4b99:1:253::9]: 404

  Domain: www.citra.shop
  Type:   unauthorized
  Detail: Invalid response from https://citra.co.za/.well-known/acme-challenge/AQ56EV_nymeR7cH0yWwITl0j2IgEZ97NRCodIqQ3QuM [2001:4b98:dc5:253::9]: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
   DNS-based validation failed : Requesting a certificate for citra.shop and www.citra.shop

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: citra.shop
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.citra.shop

  Domain: www.citra.shop
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.www.citra.shop

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

BTW:
Is there an implementation for a wildcard certificate planned, where certbot needs a DNS entry? See
I’m not familiar with Perl, but if I can I would help to create such a plugin… there are already some for many other ISP software: Certbot Plugins

Ok, here is my summary… as it works now again.

I’ve removed certbot, which was installed via apt (as version 0.40.0), and installed it as a snap.
The error message from this new certbot (1.26.0) was caused by a wrong DNS entry in the customer’s NS. He still had the AAAA record for IPv6 set.

So anyway, to be sure, I’ve removed the snap-installed certbot and installed 0.40.0 from apt again… and gave it a try on another domain.
There it still works to generate a valid letsencrypt certificate.

So at least, I have no clue why fatal errors are thrown by certbot, but:

a) after re-installing certbot with apt, or
b) installing the newest version via snap

it works again.

Hope that helps others.

Even if the problem is solved, I’d like to know what you guys say about upgrading certbot in Virtualmin environments to an up-to-date version (>=1.26.0) by default… AND having the possibility to really use “wildcard certificates” based on a DNS entry plugin?

BTW: Here might be one we could integrate in Virtualmin: certbot-dns-standalone
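The webroot failure quoted above shows the CA fetching the challenge over an IPv6 address that, as the final post found, came from a stale AAAA record. As an added example (not code from the thread or from Virtualmin), a small Python triage script that parses certbot's "Detail:" lines and classifies each HTTP-01 failure; SAMPLE is constructed from the output quoted above, and the set of addresses the vhost is really served on is an assumed placeholder the operator supplies.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample, copied from the webroot failure quoted in the thread.
SAMPLE = """
  Domain: citra.shop
  Type:   unauthorized
  Detail: Invalid response from http://citra.shop/.well-known/acme-challenge/k7TAULIUjnLviFo72okPbgLJ1d5pKqObv4UrvaAEuBM [2001:4b99:1:253::9]: 404

  Domain: www.citra.shop
  Type:   unauthorized
  Detail: Invalid response from https://citra.co.za/.well-known/acme-challenge/AQ56EV_nymeR7cH0yWwITl0j2IgEZ97NRCodIqQ3QuM [2001:4b98:dc5:253::9]: 404
"""

# One failure block: domain, type, final URL, address the CA connected to, HTTP status.
DETAIL_RE = re.compile(
    r"Domain:\s+(\S+)\s+Type:\s+(\S+)\s+Detail:\s+Invalid response from "
    r"(\S+) \[([0-9a-fA-F:.]+)\]: (\d+)"
)


def parse_failures(text):
    """Return one dict per failed domain reported by certbot."""
    out = []
    for domain, ftype, url, addr, status in DETAIL_RE.findall(text):
        out.append({
            "domain": domain,
            "type": ftype,
            "url": url,
            "host": urlparse(url).hostname,  # host the CA ended up fetching from
            "address": addr,
            "status": int(status),
        })
    return out


def diagnose(failure, served_addresses):
    """Classify a failure against the addresses this vhost is really served on.

    served_addresses: set of IPs the web server answers on for this domain
    (operator-supplied; DNS answers are the suspect here, so they are not used).
    """
    addr = ip_address(failure["address"])
    if failure["host"] != failure["domain"]:
        # The CA follows redirects and reports the final URL; a different host
        # means the challenge request was redirected away from this webroot.
        return "redirected-to-other-host"
    if str(addr) not in served_addresses:
        # Let's Encrypt prefers AAAA when one exists; an IPv6 address we do not
        # serve on is exactly the stale AAAA record the thread ended up finding.
        return "stale-aaaa-record" if addr.version == 6 else "unexpected-ipv4-address"
    return "webroot-not-serving-challenge"
```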
