Bug 1119619 - certbot does not renew certificates (again)
certbot does not renew certificates (again)
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
x86-64 All
: P5 - None : Normal (vote)
: ---
Assigned To: Security Team bot
E-mail List
Depends on:
  Show dependency treegraph
Reported: 2018-12-15 01:54 UTC by James Carter
Modified: 2022-07-11 16:40 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description James Carter 2018-12-15 01:54:27 UTC
Formerly I had python-certbot-0.26.1-1.1.noarch and it could 
renew certs.  Now I have 
python3-certbot-0.28.0-2.1.noarch on OpenSuSE Tumbleweed VERSION="20181208"
This is the one with the dependency on python-mock restored/added.
It says "No renewals were attempted"  on both of my hosts that use certbot.  
I tracked this down to a (non) migration issue: formerly the state dir
was /etc/certbot but now it is /etc/letsencrypt, which of course contains
no lineages, so no renewals were attempted.  

mv /etc/letsencrypt /etc/letsencrypt.empty
mv /etc/certbot /etc/letsencrypt
ln -s letsencrypt certbot
The symlink is so explicit filenames in config files, or symlinks in e.g. 
/etc/openssl/private, will still find the cert and key until I locate 
and fix them.  Tested: my Apache webserver still can authenticate using
the (not quite expired) old cert.  I ran "certbot renew", its webroot
challenges were acceptable (despite some DNAT stuff), and the report was:
Congratulations, all renewals succeeded... (list of 1 renewed cert).
Testing: the webserver successfully uses the new cert.  

By the way, old logs are in /var/log/certbot which is still there but is
supplanted by /var/log/letsencrypt.  

It would be nice if the python3-certbot and python2-certbot packages 
had a migration script for users who are having trouble figuring out 
why their certs are not being renewed.  

I'm not sure whether migration scripts in packages should be reported
upstream, or to the distro; if the former, let me know and I'll open a
ticket upstream.  Also I set the component to "security" since the X.509
certificate's purpose is security, but if a different component would
be more appropriate please feel free to change it.
Comment 1 Eric Schirra 2018-12-17 13:19:12 UTC
I'm no more maintainer of this package.
Since each package was separate i don't want do it.
Because it is much more work. And i have no time for such games.

Please talk to Dominique.
Comment 2 Tomas Kuchta 2019-02-20 11:48:00 UTC
This exact issue is also present in leap opensuse 15.0

Perhaps the package in opensuse should use default /etc/letsencrypt instead of changing it to /etc/certbot at the certificate install only. Certbot is using default /etc/letsencrypt for other sub-commands.

BTW: the link command for the workaround bellow need adjustment:
mv /etc/letsencrypt /etc/letsencrypt.empty
mv /etc/certbot /etc/letsencrypt
(cd /etc ; ln -s letsencrypt certbot)

After this all seems working fine.

Hope this helps,
Comment 3 Johannes Weberhofer 2019-04-03 09:29:03 UTC
Currently the packages are maintained by @mcalabkova and @scarabeus_iv. It would be great see this issue solved. 
IMHO the package should automatically create the compatibility links if necessary.
Comment 4 Jon Brightwell 2019-04-23 10:26:30 UTC
Confirmed on L15

`certbot certificates` doesn't list pre-existing certs from before the update. Linking to certbot fixes it.
Comment 5 Markéta Machová 2019-05-03 13:59:03 UTC
I try to fix this issue: https://build.opensuse.org/package/show/home:mcalabkova:branches:devel:languages:python:certbot/python-certbot

Please, review. I did not test it.
Comment 6 Markéta Machová 2019-05-16 15:18:07 UTC
I have created a submit request and it was already accepted.

I am a bit uncertain whom to reassign this bug. But it is "Security:" component, so I am assigning it back to security team.
Comment 7 Swamp Workflow Management 2019-07-18 09:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1119619) was mentioned in
https://build.opensuse.org/request/show/716227 15.0 / python-certbot
Comment 8 Swamp Workflow Management 2019-07-23 09:50:07 UTC
This is an autogenerated message for OBS integration:
This bug (1119619) was mentioned in
https://build.opensuse.org/request/show/717808 15.0 / python-certbot
Comment 9 Freek de Kruijf 2019-08-01 16:11:12 UTC
I used python3-certbot version 0.36.0-2.1 on a Raspberry Pi 2B with arguments "certonly --manual" and it crashed. Error message: Segmentation error (core dumped). coredump could not be found.
debug log:
2019-08-01 17:49:52,530:DEBUG:certbot.main:certbot version: 0.36.0
2019-08-01 17:49:52,533:DEBUG:certbot.main:Arguments: ['--manual']
2019-08-01 17:49:52,534:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginE
2019-08-01 17:49:52,667:DEBUG:certbot.log:Root logging level set at 20
2019-08-01 17:49:52,671:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-08-01 17:49:52,677:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2019-08-01 17:49:52,716:DEBUG:certbot.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot.plugins.manual:Authenticator
Initialized: <certbot.plugins.manual.Authenticator object at 0xffff958f7e10>
Prep: True
2019-08-01 17:49:52,720:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.manual.Authenticator object at 0xfff
f958f7e10> and installer None
2019-08-01 17:49:52,721:INFO:certbot.plugins.selection:Plugins selected: Authenticator manual, Installer None
2019-08-01 17:49:52,749:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agr
eement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme
-v02.api.letsencrypt.org/acme/acct/46675256', new_authzr_uri=None, terms_of_service=None), 0f68e94ffa7bc96cf454d7d1152095bf, Meta(cr
eation_dt=datetime.datetime(2018, 11, 28, 17, 2, 20, tzinfo=<UTC>), creation_host='bpim64tumpine.beelaertsict.nl'))>
2019-08-01 17:49:52,756:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-08-01 17:49:52,774:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443

I used the python2 version, also 0.36.0-2.1 which did succeed.
Comment 10 Swamp Workflow Management 2019-08-12 13:30:07 UTC
This is an autogenerated message for OBS integration:
This bug (1119619) was mentioned in
https://build.opensuse.org/request/show/722683 15.1 / python-certbot
Comment 11 Dirk Mueller 2022-07-11 15:39:22 UTC
assuming this is fixed nowadays?
Comment 12 OBSbugzilla Bot 2022-07-11 16:40:03 UTC
This is an autogenerated message for OBS integration:
This bug (1119619) was mentioned in
https://build.opensuse.org/request/show/988418 Backports:SLE-15-SP4 / python-certbot