Gentoo Forums
[solved] certbot renew runs into errors
Jimini
Guru


Joined: 31 Oct 2006
Posts: 592
Location: Germany

Posted: Wed Jun 06, 2018 5:18 pm    Post subject: [solved] certbot renew runs into errors

Hey there,

since three of my certificates expire in a couple of days, I ran "certbot renew" today.
Unfortunately, it runs into the following errors for every one of the certs I need to renew:

Code:
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/emailflut.de.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Error while running apache2ctl configtest.

tcgetattr(stdout,...): Inappropriate ioctl for device

Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running apache2ctl configtest.\n\ntcgetattr(stdout,...): Inappropriate ioctl for device\n',)
Attempting to renew cert (emailflut.de) from /etc/letsencrypt/renewal/emailflut.de.conf produced an unexpected error: The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running apache2ctl configtest.\n\ntcgetattr(stdout,...): Inappropriate ioctl for device\n',). Skipping.


"certbot --apache -d emailflut.de" leads to a similar error:
Code:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.

tcgetattr(stdout,...): Inappropriate ioctl for device

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running apache2ctl configtest.\n\ntcgetattr(stdout,...): Inappropriate ioctl for device\n',)


/var/log/letsencrypt/letsencrypt.log contains the following information:
Code:
2018-06-06 19:07:45,083:DEBUG:certbot.main:certbot version: 0.24.0
2018-06-06 19:07:45,084:DEBUG:certbot.main:Arguments: ['--apache', '-d', 'emailflut.de']
2018-06-06 19:07:45,085:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-06-06 19:07:45,105:DEBUG:certbot.log:Root logging level set at 20
2018-06-06 19:07:45,106:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-06-06 19:07:45,107:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2018-06-06 19:07:45,131:ERROR:certbot.util:Error while running apache2ctl configtest.

tcgetattr(stdout,...): Inappropriate ioctl for device

2018-06-06 19:07:45,132:DEBUG:certbot.plugins.disco:Misconfigured PluginEntryPoint#apache: Error while running apache2ctl configtest.

tcgetattr(stdout,...): Inappropriate ioctl for device
Traceback (most recent call last):
  File "/usr/lib64/python3.5/site-packages/certbot_apache/configurator.py", line 2048, in config_test
    util.run_script(self.constant("conftest_cmd"))
  File "/usr/lib64/python3.5/site-packages/certbot/util.py", line 85, in run_script
    raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl configtest.

tcgetattr(stdout,...): Inappropriate ioctl for device


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/python3.5/site-packages/certbot/plugins/disco.py", line 126, in prepare
    self._initialized.prepare()
  File "/usr/lib64/python3.5/site-packages/certbot_apache/configurator.py", line 206, in prepare
    self.config_test()
  File "/usr/lib64/python3.5/site-packages/certbot_apache/configurator.py", line 2050, in config_test
    raise errors.MisconfigurationError(str(err))
certbot.errors.MisconfigurationError: Error while running apache2ctl configtest.

tcgetattr(stdout,...): Inappropriate ioctl for device

2018-06-06 19:07:45,134:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_gentoo.GentooConfigurator object at 0x7ff234f6aa20>
Prep: Error while running apache2ctl configtest.

tcgetattr(stdout,...): Inappropriate ioctl for device

2018-06-06 19:07:45,136:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None


It seems that certbot does not even touch the cert files - the following files are from the 18th of March:
Code:
lrwxrwxrwx. 1 root root  36 18. Mär 11:21 cert.pem -> ../../archive/emailflut.de/cert1.pem
lrwxrwxrwx. 1 root root  37 18. Mär 11:21 chain.pem -> ../../archive/emailflut.de/chain1.pem
lrwxrwxrwx. 1 root root  41 18. Mär 11:21 fullchain.pem -> ../../archive/emailflut.de/fullchain1.pem
lrwxrwxrwx. 1 root root  39 18. Mär 11:21 privkey.pem -> ../../archive/emailflut.de/privkey1.pem
-rw-r-----. 1 root root 543 18. Mär 11:21 README


"apache2ctl configtest" does not list any config errors, when run as root.
What am I doing wrong?

I am using certbot-0.24.0 and certbot-apache-0.24.0. SELinux is running in permissive mode, and auditd does not log any denials when "certbot renew" is run.

Best regards,
Jimini


[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu]
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)


Last edited by Jimini on Wed Jun 06, 2018 6:11 pm; edited 1 time in total
szatox
Veteran


Joined: 27 Aug 2013
Posts: 1765

Posted: Wed Jun 06, 2018 5:53 pm    Post subject:

Quote:
2018-06-06 19:07:45,107:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2018-06-06 19:07:45,131:ERROR:certbot.util:Error while running apache2ctl configtest.

This is as good as it goes. Check your apache configuration, that's one thing. You must have a correct config to reload, otherwise apache will not accept new certificates even if you have them.

If you make sure that your config is correct, and certbot keeps failing, try the webroot authenticator instead, and reload the apache configuration manually afterwards.
You can change those settings any time you run certbot, just invoke renewal with new parameters and it will fix its own config to make those params default.
No idea what the apache authenticator does, but webroot definitely will not break your apache configuration. It just does not reload automagically, but this can be handled with a hook or a wrapper script.
You can find the relevant config file in /etc/letsencrypt/renewal/ if you wish to back it up or inspect it before tinkering.
Jimini
Guru


Joined: 31 Oct 2006
Posts: 592
Location: Germany

Posted: Wed Jun 06, 2018 6:16 pm    Post subject:

szatox, thank you for your quick and helpful reply.

The config is definitely correct - I have used it since I set up letsencrypt certs for all my domains for the first time. I assume that something must have changed (and broken something) in certbot. Nevertheless, with the following command I was able to renew my certs:
certbot certonly --webroot -d DOMAINNAME --webroot-path /var/www/webroot_path/

Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
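
Added example, not part of the original thread: a deploy hook of the kind szatox mentions for reloading Apache after a webroot renewal, which tests the configuration without a terminal attached and reloads only if the test passes. It assumes certbot's renewal-hooks/deploy/ directory and the RENEWED_LINEAGE variable that certbot exports to deploy hooks; the file name reload-apache.sh and the default "apache2ctl graceful" reload command are assumptions to adjust for the local init system.

```sh
#!/bin/sh
# Added example (not from the thread). Assumed install path:
#   /etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh
# certbot runs deploy hooks once per certificate that was actually renewed
# and exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<domain>).

# Both commands are overridable; the defaults are assumptions.
CONFIGTEST_CMD=${CONFIGTEST_CMD:-"apache2ctl configtest"}
RELOAD_CMD=${RELOAD_CMD:-"apache2ctl graceful"}

# Succeeds only if the live/ symlinks resolve to non-empty files.
lineage_complete() {
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -s "$1/$f" ] || { echo "missing or empty: $1/$f" >&2; return 1; }
    done
}

# Test the config with no terminal attached (as under cron) and reload
# only if the test passes; on failure, show the captured output.
reload_if_valid() {
    out=$(mktemp) || return 2
    if $CONFIGTEST_CMD </dev/null >"$out" 2>&1; then
        rm -f "$out"
        $RELOAD_CMD </dev/null
    else
        rc=$?
        echo "configtest failed (exit $rc); Apache not reloaded:" >&2
        cat "$out" >&2
        rm -f "$out"
        return 1
    fi
}

# Act only when certbot invoked us as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    lineage_complete "$RENEWED_LINEAGE" && reload_if_valid || exit 1
fi
```

With the hook in place, a plain "certbot renew" reuses the webroot settings saved by the "certonly --webroot" run above and triggers the reload only for certificates that were actually renewed.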