I enabled Letsencrypt for a domain and it is failing.

Code:
    root@web1:~# /usr/local/ispconfig/server/server.sh
    An unexpected error occurred:
    DeserializationError: Deserialization error: Wrong directory fields
    Please see the logfiles in /var/log/letsencrypt for more details.
    finished.
    root@web1:~#

The letsencrypt log has the following:

Code:
    root@web1:~# cat /var/log/letsencrypt/letsencrypt.log
    2018-07-22 18:53:28,454:DEBUG:letsencrypt.cli:Root logging level set at 30
    2018-07-22 18:53:28,454:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2018-07-22 18:53:28,455:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
    2018-07-22 18:53:28,455:DEBUG:letsencrypt.cli:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v02.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'ispconfig-test.serverok.in', '--webroot-path', '/usr/local/ispconfig/interface/acme']
    2018-07-22 18:53:28,455:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
    2018-07-22 18:53:28,456:DEBUG:letsencrypt.cli:Requested authenticator webroot and installer None
    2018-07-22 18:53:28,456:DEBUG:letsencrypt.plugins.webroot:Creating root challenges validation dir at /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    2018-07-22 18:53:28,456:DEBUG:letsencrypt.display.ops:Single candidate plugin: * webroot
    Description: Webroot Authenticator
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = letsencrypt.plugins.webroot:Authenticator
    Initialized: <letsencrypt.plugins.webroot.Authenticator object at 0x7feef5f00610>
    Prep: True
    2018-07-22 18:53:28,457:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.webroot.Authenticator object at 0x7feef5f00610> and installer None
    2018-07-22 18:53:29,569:DEBUG:root:Sending GET request to https://acme-v02.api.letsencrypt.org/directory. args: (), kwargs: {}
    2018-07-22 18:53:29,574:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    2018-07-22 18:53:29,894:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
    2018-07-22 18:53:29,896:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '658', 'Expires': 'Sun, 22 Jul 2018 18:53:29 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 22 Jul 2018 18:53:29 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json'}. Content: '{\n "ElMJ2R2o14s": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",\n "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",\n "meta": {\n "caaIdentities": [\n "letsencrypt.org"\n ],\n "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",\n "website": "https://letsencrypt.org"\n },\n "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",\n "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",\n "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",\n "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"\n}'
    2018-07-22 18:53:29,897:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '658', 'Expires': 'Sun, 22 Jul 2018 18:53:29 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 22 Jul 2018 18:53:29 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json'}): '{\n "ElMJ2R2o14s": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",\n "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",\n "meta": {\n "caaIdentities": [\n "letsencrypt.org"\n ],\n "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",\n "website": "https://letsencrypt.org"\n },\n "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",\n "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",\n "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",\n "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"\n}'
    2018-07-22 18:53:29,898:DEBUG:letsencrypt.cli:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/letsencrypt", line 9, in <module>
        load_entry_point('letsencrypt==0.4.1', 'console_scripts', 'letsencrypt')()
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1986, in main
        return config.func(config, plugins)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 689, in obtain_cert
        le_client = _init_le_client(config, authenticator, installer)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 206, in _init_le_client
        acc, acme = _determine_account(config)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 191, in _determine_account
        config, account_storage, tos_cb=_tos_cb)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 116, in register
        acme = acme_from_config_key(config, key)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 41, in acme_from_config_key
        return acme_client.Client(config.server, key=key, net=net)
      File "/usr/lib/python2.7/dist-packages/acme/client.py", line 63, in __init__
        self.net.get(directory).json())
      File "/usr/lib/python2.7/dist-packages/acme/messages.py", line 169, in from_json
        raise jose.DeserializationError(str(error))
    DeserializationError: Deserialization error: Wrong directory fields
    root@web1:~#

Any idea why it is failing?
https://community.letsencrypt.org/t/lets-encrypt-renewal-error-in-apache2-ubuntu-16-0-4/26295/4
https://certbot.eff.org/lets-encrypt/pip-apache

Go get a recent certbot, or upgrade Ubuntu, or wait.
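Why a newer client fixes this, as an added example that is not part of the thread: the log in the first post shows letsencrypt 0.4.1 pointed at the acme-v02 endpoint, whose directory advertises the ACME v2 resource names. The sample log is a trimmed, constructed copy of those lines; the function names and the 0.22.0 cutoff (the certbot release that added ACME v2 support) are assumptions of this example.

```python
import ast
import json
import re

# Resource names used by the two ACME directory formats.
ACME_V1_FIELDS = {"new-reg", "new-authz", "new-cert", "revoke-cert"}
ACME_V2_FIELDS = {"newNonce", "newAccount", "newOrder", "revokeCert", "keyChange"}
# Assumption: ACME v2 support arrived in certbot 0.22.0.
FIRST_V2_CLIENT = (0, 22, 0)

# Constructed sample: two lines from the log in the first post, headers trimmed.
SAMPLE_LOG = r'''
2018-07-22 18:53:28,455:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
2018-07-22 18:53:29,896:DEBUG:root:Received <Response [200]>. Content: '{\n "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",\n "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",\n "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",\n "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",\n "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"\n}'
'''


def client_version(log):
    """Return the client version found in the log as a tuple, e.g. (0, 4, 1)."""
    m = re.search(r"(?:letsencrypt|certbot) version: (\d+(?:\.\d+)*)", log)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def directory_from_log(log):
    """Recover the directory JSON, which the client logs as a Python repr."""
    m = re.search(r"Content: ('\{.*\}')", log)
    return json.loads(ast.literal_eval(m.group(1))) if m else None


def directory_protocol(directory):
    """Classify a directory object by the resource names it advertises."""
    keys = set(directory)
    if ACME_V2_FIELDS <= keys:
        return "v2"
    if ACME_V1_FIELDS <= keys:
        return "v1"
    return "unknown"


def diagnose(log):
    """Flag a pre-0.22.0 client that was pointed at an ACME v2 directory."""
    version, directory = client_version(log), directory_from_log(log)
    if version is None or directory is None:
        return "incomplete log"
    protocol = directory_protocol(directory)
    if protocol == "v2" and version < FIRST_V2_CLIENT:
        return "client too old for ACME v2 endpoint: upgrade certbot"
    return "no version mismatch (directory is ACME %s)" % protocol
```

Calling `diagnose()` on the full text of `/var/log/letsencrypt/letsencrypt.log` works the same way, since both patterns match the untrimmed log lines.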
Thanks. On Ubuntu 16.04, the problem was fixed by running:

Code:
    apt update
    apt install software-properties-common
    add-apt-repository ppa:certbot/certbot
    apt update
    apt upgrade -y
    apt remove letsencrypt -y
    apt install python-certbot-nginx -y
I have this same problem on Ubuntu 16.04 LTS with Apache 2.4.34. Does anybody know if upgrading certbot manually won't break the LE SSL option in ISPConfig? Moreover, the command

Code:
    apt-cache policy certbot | grep -i Installed

gives me information that I haven't installed certbot. Is that possible if I installed letsencrypt and ISP with the Perfect Server tutorial?

PS To install certbot (not update) for Apache, from the official site:

Code:
    $ sudo apt-get update
    $ sudo apt-get install software-properties-common
    $ sudo add-apt-repository ppa:certbot/certbot
    $ sudo apt-get update
    $ sudo apt-get install python-certbot-apache
Yes, but is it safe for issuing LE SSL from the ISP panel? Seriously, I am afraid to break this ISP feature. I am unable to check the certbot or letsencrypt version. I checked the docs and there is a command "certbot --version", but it gives:

Code:
    root@s1:# certbot --version
    certbot: command not found

PS

Code:
    root@s1:# apt-get install python-certbot-apache
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package python-certbot-apache

Code:
    root@s1:# apt-get install python-letsencrypt-apache
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following additional packages will be installed:
      augeas-lenses libaugeas0 python-augeas
    Suggested packages:
      augeas-doc augeas-tools
    The following NEW packages will be installed:
      augeas-lenses libaugeas0 python-augeas python-letsencrypt-apache
    0 upgraded, 4 newly installed, 0 to remove and 1 not upgraded.
    Need to get 471 kB of archives.
    After this operation, 2,300 kB of additional disk space will be used.
    Do you want to continue? [Y/n] n

Second case: how do I check what software is used in ISP for issuing certs? If currently I don't use certbot but letsencrypt (an earlier version of certbot?), why did the shell ask me about installing "python-letsencrypt-apache"?
1. You should only use certbot or letsencrypt, not both, so I think that is the issue if you want to use the latest version of certbot.
2. Python is needed to issue the certs whether you are using letsencrypt or certbot, I think.
But how can I determine which one I use? Both programs give /etc/letsencrypt directories. Do you know which one I use when I set up the server using the Perfect Server tutorial? There is a command "apt-get -y install letsencrypt" to install LE.

And I am not sure I understood the issue well. Do you mean that the issue is because I try to use both?

OK, it's required, but why do I have to install it if LE worked until maybe a week ago?
1. Well, you can run "apt install letsencrypt certbot" or "apt remove letsencrypt certbot" via ssh to determine that; but to me you should definitely use only one of them, preferably certbot since it is the latest so far.
2. Since it is your server, I don't know what happened to your python for letsencrypt / certbot, but I think you definitely need them for LE issuance / renewal to work.
3. I also think you may not be able to install certbot if you do not install its ppa properly for Ubuntu 16.04, so check whether you have installed it right.
1. The commands produce:

Code:
    root@s1:~# apt install letsencrypt certbot
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package certbot
    root@s1:~# apt remove letsencrypt certbot
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package certbot

2. Which one do you recommend if I used the PerfectServer tutorial:

    apt-get install python-letsencrypt-apache
    apt-get install python-certbot-apache

I don't want to break ISP.

3. I will check it if nothing else helps.

PS Results of searching for the phrases "letsencrypt" and "certbot":

Code:
    root@s1:/usr/bin# find / -name letsencrypt
    /var/lib/letsencrypt
    /var/log/letsencrypt
    /etc/letsencrypt
    /usr/lib/python2.7/dist-packages/letsencrypt
    /usr/share/doc/letsencrypt
    /usr/bin/letsencrypt
    root@s1:/usr/bin# find / -name certbot
    root@s1:/usr/bin#

So probably I have letsencrypt, not certbot. Moreover, I found a thread where people said that I can safely update letsencrypt to certbot. Here a guy says that I don't have to remove letsencrypt but only execute the commands:

Code:
    $ sudo apt-get update
    $ sudo apt-get install software-properties-common
    $ sudo add-apt-repository ppa:certbot/certbot
    $ sudo apt-get update
    $ sudo apt-get install python-certbot-apache

and all things will be done.
Well, this thread suggests you install the latest certbot using its ppa and remove letsencrypt. However, if you are afraid to do it on your live server, use it on your test server instead. Only proceed if you already understand what you are going to do and how to troubleshoot if something goes wrong while doing it.
I just finished the job. The Let's Encrypt Community Manager gave me some self-confidence. Now I am going to renew/issue my certs. I hope my stress helps somebody.

PS All things are working perfectly!
Yea, right. I didn't post what I have done. Of course I did:

Code:
    $ sudo apt-get update
    $ sudo apt-get install software-properties-common
    $ sudo add-apt-repository ppa:certbot/certbot
    $ sudo apt-get update
    $ sudo apt-get install python-certbot-apache