Open gellenburg opened 5 years ago
And what happens at that point? Installation should be done I do believe ... does MiaB otherwise function? Not function? What happens?
Nothing.
A certificate is not provisioned.
root@box:/var/log/letsencrypt# cat letsencrypt.log
2019-03-04 13:50:03,151:DEBUG:certbot.main:certbot version: 0.28.0
2019-03-04 13:50:03,152:DEBUG:certbot.main:Arguments: ['--non-interactive', '-d', 'box.REDACTED.org,REDACTED.org,www.REDACTED.org', '--csr', '/tmp/tmp4dckju_p', '--cert-path', '/tmp/tmpc5u78_05/cert', '--chain-path', '/tmp/tmpc5u78_05/chain', '--fullchain-path', '/tmp/tmpc5u78_05/cert_and_chain.pem', '--webroot', '--webroot-path', '/home/user-data/ssl/lets_encrypt/webroot', '--config-dir', '/home/user-data/ssl/lets_encrypt']
2019-03-04 13:50:03,156:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-03-04 13:50:03,182:DEBUG:certbot.log:Root logging level set at 20
2019-03-04 13:50:03,182:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-03-04 13:50:03,183:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2019-03-04 13:50:03,183:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f0515892ba8>
Prep: True
2019-03-04 13:50:03,184:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f0515892ba8> and installer None
2019-03-04 13:50:03,184:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2019-03-04 13:50:03,184:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 50, in get_email
force_interactive=True)
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 524, in input
self._interaction_fail(message, cli_flag)
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 469, in _interaction_fail
raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
Enter email address (used for urgent renewal and security notices)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1209, in certonly
le_client = _init_le_client(config, auth, installer)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 604, in _init_le_client
acc, acme = _determine_account(config)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 518, in _determine_account
config.email = display_ops.get_email()
File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 54, in get_email
raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.
root@box:/var/log/letsencrypt#
Looks like your registration to letsencrypt failed. Use the following command (and follow instructions) to create an account:
sudo certbot register
Then you should be able to issue letsencrypt certificates for your domain
I think everyone is missing the point. :-)
Of course I can do that.
But this is a fresh, virgin installation, of MIAB 0.41.
New users shouldn't HAVE to do this!
Something is broken with 0.41.
No, something went wrong with your particular installation of 0.41. I installed it successfully yesterday without this error. So something went tilt while you were installing it.
Re-opening. The installation should work, obviously, and we shouldn't dismiss the bug report without understanding why it didn't work.
Thanks Joshua.
Is there anything in the setup that is time-sensitive? I seem to recall starting the initial installation late in the day and then having to come back the next day to continue it (my SSH session was still open).
I don't remember anything out of the ordinary during the setup and during the initial use, and I've set up a few MIAB installs over the year where I think I'd notice.
It was only when I went into https://domain.tld/admin and attempted to provision a Let's Encrypt certificate then did things start to not work.
Note though I already DID try the sudo certbot register command before posting the issue to GitHub and it did complete successfully and DID register (because when I went to run it a second time it told me I was already registered).
This still didn't help with the provisioning of Let's Encrypt from the /admin interface.
My only solution then was to nuke the VPS and start everything from scratch again.
This time without any delay, and everything worked the second time.
But the only thing I can think of is that I had to walk away from the install. It was during the package installation phase so when I came back the next day I was prompted to complete the setup for my admin userid and password.
I guess I can rent a VPS for one month and try to duplicate the issue if you'd like.
Thanks, George Ellenburg
I can't think of a reason why that would be a problem, but who knows!
(Running the registration on the command line probably won't work because we tell letsencrypt to store account details in a custom path. You'd have to provide the same command-line flags.)
If you're up for renting another VPS and debugging it further, that would be a big help. It's also fine if we just leave the issue open until someone else runs into the same problem and has more info.
Hi George, I was rather shocked when you closed this issue after my comment above. I was merely pointing out that there was something unique to your attempt to install that was not usual, but I was rather blunt and gruff about it - my apologies if that bothered you.
I would be curious to know who your VPS provider is if you'd share as you mentioned renting a VPS for a month - which is not DO's standard as they can be spun up and down on demand, so I have to assume that you are not using DO.
I have all my stuff hosted with OVH.
There is definitely an issue with the latest version of MIAB. I did an upgrade and the SSL was self-signed. I had to manually install the letsencrypt ssl certificate.
Has there been any update on this issue? I just installed MIAB and am getting the same error. I have VPSs I can spin up and down as needed for testing if that would help solve this issue. Thank you for your hard work!
@nizzan Who is your VPS provider? From the notes so far it seems to only affect a few users ... looking for the common thread.
I use Hetzner Cloud for this instance
I got this working by removing the old certs and the old cert folders and re-provisioning the SSL from the admin dashboard. All good now
@theRealRizeo But yours was an upgrade and backup restore ... it seems that the issue the others are experiencing is with a completely fresh install. @nizzan I presume this is the case with you as well, a fresh install not an upgrade and backup restore, correct?
@alento-group Correct, I provisioned an Ubuntu 18.04 and then ran curl -s https://mailinabox.email/setup.sh | sudo bash
The only thing I did before this step was to run:
apt update
apt upgrade -y
apt install fail2ban
@nizzan As the install script includes the things that you did before starting the install script, I would wonder what your results would be not including them? Most specifically the apt install fail2ban.
After some extra testing, and a second set of eyes (Thanks @alento-group!), my issue is resolved. In my case this was an issue with a CNAME that was automatically added by my registrar. I did notice that the "Provision" button didn't appear as it should, but randomly popped up after a few page refreshes.
After the removal of the bad CNAME record, I did a complete wipe of the server (OS reinstall) and it now works like a charm.
@nizzan: What was the CNAME record set to? Maybe if someone else comes across this they can try specifically to check for that.
Hey guys,
mailinabox is awesome!! Thanks all for making it work and supporting it.
However, I just upgraded my Ubuntu 14.04 mailinabox to Ubuntu 18.04 with mailinabox v0.42b following the steps on the website. Like a lot of people my letsencrypt certs were broken. I spent a lot of time googling and trying various fixes I found on these forums, but none of them worked. I looked at the renew code in letsencrypt and it looked too complicated to take the time to mess around with.
So I redid the renewal code myself doing something simple. This worked for me:
Manually:
certbot register
/etc/init.d/nginx stop
certbot --agree-tos certonly -n --standalone -d YourDomainNameHere
link the certs you just created into the mailinabox config
cd /home/user-data/ssl
mv ssl_private_key.pem old-ssl_private_key.pem
mv ssl_certificate.pem old-ssl_certificate.pem
ln -s /etc/letsencrypt/live/YourDomainNameHere/fullchain.pem ssl_certificate.pem
ln -s /etc/letsencrypt/live/YourDomainNameHere/privkey.pem ssl_private_key.pem
/etc/init.d/nginx start
At this point my certs worked!!
Now to automate cert renewal:
Create /etc/letsencrypt/letsencrypt.renew
Put the following in the file:
echo "$(date)"
/etc/init.d/nginx stop
/usr/bin/certbot --agree-tos certonly -n --standalone -d YourDomainNameHere
/etc/init.d/nginx start
save the file and then make it executable: chmod +x /etc/letsencrypt/letsencrypt.renew
Now throw an entry into /etc/crontab to call once a week or once a month:
edit /etc/crontab
Add something like this:
# Attempt autonew certs once per week
1 22 * * 7 root /etc/letsencrypt/letsencrypt.renew >> /var/log/letsencrypt.renew.log
That's all there is to it. I ran the mailinabox upgrade script and it didn't break what I had done.
Anyway, hopefully you shouldn't have to worry about your Letsencrypt certs until the next major upgrade.
Same issue here, it came up after upgrading from 14.04 to 18.04, something seems to have screwed up after restoring the backup.
I solved it by running this command:
sudo certbot register --config-dir /home/user-data/ssl/lets_encrypt
After that the web interface provisioned the certificate without error, and hopefully the scheduled job will work too when the next renewal comes up.
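The thread's diagnosis can be read straight from the log: Mail-in-a-Box invokes certbot with a custom `--config-dir`, so an account registered with a plain `certbot register` lands in certbot's default directory and is never seen. The following is an added example, not part of the original thread or of Mail-in-a-Box; the function names are hypothetical and the `accounts/.../regr.json` layout is an assumption about certbot's on-disk account storage.

```python
import ast
import re
from pathlib import Path

# Constructed sample: two lines taken from the letsencrypt.log posted above,
# with the argument list shortened to the flags that matter here.
SAMPLE_LOG = """\
2019-03-04 13:50:03,152:DEBUG:certbot.main:Arguments: ['--non-interactive', '--webroot', '--config-dir', '/home/user-data/ssl/lets_encrypt']
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
"""

DEFAULT_CONFIG_DIR = "/etc/letsencrypt"  # certbot's default when --config-dir is absent


def config_dir_from_log(log_text):
    """Return the config dir certbot ran with, read from its 'Arguments:' log line."""
    m = re.search(r"certbot\.main:Arguments: (\[.*\])", log_text)
    if not m:
        return None
    args = ast.literal_eval(m.group(1))  # the log prints a Python list literal
    if "--config-dir" in args[:-1]:      # the flag must be followed by a value
        return args[args.index("--config-dir") + 1]
    return DEFAULT_CONFIG_DIR


def has_account(config_dir):
    """True if an ACME account registration exists under config_dir."""
    # Assumed layout: <config_dir>/accounts/<server>/directory/<id>/regr.json
    accounts = Path(config_dir) / "accounts"
    return accounts.is_dir() and any(accounts.rglob("regr.json"))


def diagnose(log_text):
    """Explain a MissingCommandlineFlag failure; None if the log does not show one."""
    cfg = config_dir_from_log(log_text)
    if "MissingCommandlineFlag" not in log_text or cfg is None:
        return None
    if has_account(cfg):
        return f"account exists in {cfg}; failure has another cause"
    return f"no ACME account in {cfg}; run: certbot register --config-dir {cfg}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run against the real `/var/log/letsencrypt/letsencrypt.log` on the box, `diagnose` reports which directory the web interface's certbot run actually consulted.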
Brilliant. This solved the problem for me after weeks of trying other things.
Fresh install of MIAB on a new domain. 0.41.
When going to provision Let's Encrypt certificates, receiving the following error: