bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0

[BUG] Let's Encrypt renewal error #335

Closed thelittlefireman closed 1 year ago

thelittlefireman commented 1 year ago

Description: Every time bunkerweb tries to renew a certificate, it faces an issue and the renewal doesn't work. bunkerweb: 1.4.3, docker

How to reproduce: Start bunkerweb and wait for the renewal job

Logs

Failed to renew certificate dashboard.XXXXXX with error: Unable to find manual-auth-hook command /opt/bunkerized-nginx/jobs/certbot-auth.py in the PATH.
(PATH is /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

thelittlefireman commented 1 year ago

more logs

2022-10-30 23:51:54,066:DEBUG:certbot._internal.main:certbot version: 1.25.0
2022-10-30 23:51:54,066:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/bunkerweb/deps/python/bin/certbot
2022-10-30 23:51:54,066:DEBUG:certbot._internal.main:Arguments: ['--cert-name', 'dashboard.XXXX.xx', '--deploy-hook', '/opt/bunkerweb/core/letsencrypt/jobs/certbot-deploy.py']
2022-10-30 23:51:54,066:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-10-30 23:51:54,394:DEBUG:certbot._internal.log:Root logging level set at 30
2022-10-30 23:51:54,394:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/dashboard.XXXX.xx.conf
2022-10-30 23:51:54,472:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f217eb4a670> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f217eb4a670>
2022-10-30 23:51:54,636:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-10-30 23:51:54,802:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-10-30 23:51:54,803:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/dashboard.XXXX.xx/cert1.pem is signed by the certificate's issuer.
2022-10-30 23:51:54,803:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/dashboard.XXXX.xx/cert1.pem is: OCSPCertStatus.GOOD
2022-10-30 23:51:54,807:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2022-11-26 12:55:17 UTC.
2022-10-30 23:51:54,807:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2022-10-30 23:51:54,807:INFO:certbot._internal.renewal:Non-interactive renewal: random delay of 7.481955280776499 seconds
2022-10-30 23:52:02,292:DEBUG:certbot._internal.plugins.selection:Requested authenticator manual and installer None
2022-10-30 23:52:02,296:DEBUG:certbot.plugins.util:Failed to find executable /opt/bunkerized-nginx/jobs/certbot-auth.py in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2022-10-30 23:52:02,296:ERROR:certbot._internal.renewal:Failed to renew certificate dashboard.XXXX.xx with error: Unable to find manual-auth-hook command /opt/bunkerized-nginx/jobs/certbot-auth.py in the PATH.
(PATH is /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin)
2022-10-30 23:52:02,298:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/bunkerweb/deps/python/certbot/_internal/renewal.py", line 484, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/bunkerweb/deps/python/certbot/_internal/main.py", line 1521, in renew_cert
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/opt/bunkerweb/deps/python/certbot/_internal/plugins/selection.py", line 251, in choose_configurator_plugins
    authenticator = pick_authenticator(config, req_auth, plugins)
  File "/opt/bunkerweb/deps/python/certbot/_internal/plugins/selection.py", line 46, in pick_authenticator
    return pick_plugin(
  File "/opt/bunkerweb/deps/python/certbot/_internal/plugins/selection.py", line 120, in pick_plugin
    verified.prepare()
  File "/opt/bunkerweb/deps/python/certbot/_internal/plugins/disco.py", line 309, in prepare
    return [plugin_ep.prepare() for plugin_ep in self._plugins.values()]
  File "/opt/bunkerweb/deps/python/certbot/_internal/plugins/disco.py", line 309, in <listcomp>
    return [plugin_ep.prepare() for plugin_ep in self._plugins.values()]
  File "/opt/bunkerweb/deps/python/certbot/_internal/plugins/disco.py", line 160, in prepare
    self._initialized.prepare()
  File "/opt/bunkerweb/deps/python/certbot/_internal/plugins/manual.py", line 119, in prepare
    self._validate_hooks()
  File "/opt/bunkerweb/deps/python/certbot/_internal/plugins/manual.py", line 127, in _validate_hooks
    hooks.validate_hook(hook, hook_prefix)
  File "/opt/bunkerweb/deps/python/certbot/_internal/hooks.py", line 61, in validate_hook
    raise errors.HookCommandNotFound(msg)
certbot.errors.HookCommandNotFound: Unable to find manual-auth-hook command /opt/bunkerized-nginx/jobs/certbot-auth.py in the PATH.
(PATH is /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin)

2022-10-30 23:52:02,298:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-10-30 23:52:02,298:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2022-10-30 23:52:02,298:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/dashboard.XXXX.xx/fullchain.pem (failure)
2022-10-30 23:52:02,298:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-10-30 23:52:02,298:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/bunkerweb/deps/python/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/bunkerweb/deps/python/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/bunkerweb/deps/python/certbot/_internal/main.py", line 1715, in main
    return config.func(config, plugins)
  File "/opt/bunkerweb/deps/python/certbot/_internal/main.py", line 1601, in renew
    renewal.handle_renewal_request(config)
  File "/opt/bunkerweb/deps/python/certbot/_internal/renewal.py", line 510, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2022-10-30 23:52:02,299:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)
cat /etc/letsencrypt/renewal/dashboard.XXX.xx.conf
# renew_before_expiry = 30 days
version = 1.16.0
archive_dir = /etc/letsencrypt/archive/dashboard.XXX.xx
cert = /etc/letsencrypt/live/dashboard.XXX.xx/cert.pem
privkey = /etc/letsencrypt/live/dashboard.XXX.xx/privkey.pem
chain = /etc/letsencrypt/live/auth.XXX.xx/chain.pem
fullchain = /etc/letsencrypt/live/dashboard.XXX.xx/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = XXXXXXXXXXXXXXXXXXXXXXXX
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
pref_challs = http-01,
manual_auth_hook = /opt/bunkerized-nginx/jobs/certbot-auth.py
manual_cleanup_hook = /opt/bunkerized-nginx/jobs/certbot-cleanup.py

thelittlefireman commented 1 year ago

Seems to be linked to an upgrade from 1.3.X to 1.4.X. Due to the fact that I'm using a volume for all the bunkerweb data (- ./nginx/config:/data), it's never renewed.

Fixed by an ugly sed -i 's#bunkerized-nginx#bunkerweb/core/letsencrypt#g' /etc/letsencrypt/renewal/* :smile:

For further updates, maybe clean the /etc/letsencrypt/renewal directory? I don't know if it leads to some side effects.
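
An added example, not part of the original thread or BunkerWeb's code: a check that lists renewal files whose manual_auth_hook or manual_cleanup_hook no longer points at an executable, the condition behind the HookCommandNotFound error above. The function names `stale_hooks` and `demo` and the `.example.conf` sample files are constructed for illustration; the executable test uses `shutil.which` as an approximation, not certbot's own code.

```python
import configparser
import shutil
import sys
import tempfile
from pathlib import Path

# Hook keys that appear in the renewal file quoted in this issue.
HOOK_KEYS = ("manual_auth_hook", "manual_cleanup_hook")


def stale_hooks(renewal_dir):
    """Return (conf name, key, command) for every hook that is not executable."""
    findings = []
    for conf in sorted(Path(renewal_dir).glob("*.conf")):
        parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        # Renewal files begin with section-less keys; wrap them in a dummy section.
        parser.read_string("[lineage]\n" + conf.read_text())
        for key in HOOK_KEYS:
            command = parser.get("renewalparams", key, fallback="").strip()
            if not command:
                continue
            program = command.split()[0]  # first word is the executable
            if shutil.which(program) is None:
                findings.append((conf.name, key, command))
    return findings


def demo():
    """Constructed sample: one conf with the stale path from the issue, one healthy."""
    template = (
        "version = 1.16.0\n\n"
        "# Options used in the renewal process\n"
        "[renewalparams]\n"
        "authenticator = manual\n"
        "pref_challs = http-01,\n"
        "manual_auth_hook = {hook}\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "stale.example.conf").write_text(
            template.format(hook="/opt/bunkerized-nginx/jobs/certbot-auth.py"))
        # sys.executable stands in for a hook that still exists and is executable.
        Path(tmp, "ok.example.conf").write_text(template.format(hook=sys.executable))
        return stale_hooks(tmp)


if __name__ == "__main__":
    for name, key, command in demo():
        print(f"{name}: {key} = {command} is missing or not executable")
```

Pointing `stale_hooks` at /etc/letsencrypt/renewal after an upgrade shows which persisted renewal files still carry old hook paths; an empty list means every recorded hook is executable.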

TheophileDiot commented 1 year ago

Hello @thelittlefireman

This should be fixed in the last 1.5.0 release.

Thanks again!

If the error reoccurs, feel free to reopen the issue.