[SOLVED] Let's Encrypt renewal fails after upgrade

Discussion in 'ISPConfig 3 Priority Support' started by Jemt, Dec 2, 2017.

  1. Jemt

    Jemt Member HowtoForge Supporter

    Hi,

    About a month ago I upgraded an ISPConfig 3 server from Debian 7 to Debian 8 and afterwards installed an update to ISPConfig using ispconfig_update.sh. Everything seemed to work fine. But two weeks ago I received a warning that one of our Let's Encrypt certificates was about to expire.

    So I opened /var/log/ispconfig/cron.log to check for errors, and I found this:

    Sat Dec 2 03:00:20 UTC 2017 Traceback (most recent call last):
    Sat Dec 2 03:00:20 UTC 2017 File "/root/.local/share/letsencrypt/bin/letsencrypt", line 7, in <module>
    Sat Dec 2 03:00:20 UTC 2017 from certbot.main import main
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 9, in <module>
    Sat Dec 2 03:00:20 UTC 2017 from acme import jose
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/__init__.py", line 37, in <module>
    Sat Dec 2 03:00:20 UTC 2017 from acme.jose.interfaces import JSONDeSerializable
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/interfaces.py", line 9, in <module>
    Sat Dec 2 03:00:20 UTC 2017 from acme.jose import util
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/util.py", line 5, in <module>
    Sat Dec 2 03:00:20 UTC 2017 import OpenSSL
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    Sat Dec 2 03:00:20 UTC 2017 from OpenSSL import rand, crypto, SSL
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/rand.py", line 12, in <module>
    Sat Dec 2 03:00:20 UTC 2017 from OpenSSL._util import (
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 6, in <module>
    Sat Dec 2 03:00:20 UTC 2017 from cryptography.hazmat.bindings.openssl.binding import Binding
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 156, in <module>
    Sat Dec 2 03:00:20 UTC 2017 Binding.init_static_locks()
    Sat Dec 2 03:00:20 UTC 2017 File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 140, in init_static_loc$
    Sat Dec 2 03:00:20 UTC 2017 __import__("_ssl")
    Sat Dec 2 03:00:20 UTC 2017 ImportError: No module named _ssl
    Sat Dec 2 03:01:01 UTC 2017
    Sat Dec 2 03:01:01 UTC 2017
    Sat Dec 2 03:01:01 UTC 2017 finished.

    I don't recall installing Let's Encrypt myself when I followed the "The perfect server" guide for Debian 7 and Apache. So I assume ISPConfig installed it at some point (perhaps as a dependency - not sure).

    Can someone help me resolve this problem? It's a bit urgent - the certificate about to expire is used on a very large webshop, so we are facing a huge economic penalty if this is not resolved soon.

    - Thanks in advance

    Jimmy
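    A small health check for exactly this failure mode, added here as an example (it is not part of ISPConfig or certbot): it scans cron.log lines for Python exception summaries such as the ImportError above, and probes an interpreter (the venv's python, assumed to be passed as the first argument) for the imports certbot needs at startup, so a broken venv is noticed before the certificate expires. The log lines are constructed from the traceback quoted in the post.

```python
import re
import subprocess
import sys

# Constructed sample of /var/log/ispconfig/cron.log lines, modelled on the
# traceback in the post above (not copied from a real server).
SAMPLE_CRON_LOG = """\
Sat Dec 2 03:00:20 UTC 2017 Traceback (most recent call last):
Sat Dec 2 03:00:20 UTC 2017 File "/root/.local/share/letsencrypt/bin/letsencrypt", line 7, in <module>
Sat Dec 2 03:00:20 UTC 2017 __import__("_ssl")
Sat Dec 2 03:00:20 UTC 2017 ImportError: No module named _ssl
Sat Dec 2 03:01:01 UTC 2017 finished.
"""

# ISPConfig prefixes every cron.log line with a date stamp, then the message.
TS_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \w+ \d{4}) ?(.*)$")


def find_cron_failures(log_text):
    """Return [(timestamp, message)] for exception summary lines such as
    'ImportError: No module named _ssl' (frames and headers are skipped)."""
    failures = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = m.groups()
        if re.match(r"^[A-Za-z_.]+(Error|Exception): ", msg):
            failures.append((ts, msg))
    return failures


def probe_interpreter(python_path, modules=("_ssl", "OpenSSL", "cryptography")):
    """Import each module in a subprocess with the given interpreter, as
    certbot's venv does at startup. Returns {module: None | last error line}."""
    results = {}
    for mod in modules:
        proc = subprocess.run([python_path, "-c", "import " + mod],
                              capture_output=True, text=True, timeout=30)
        err_lines = proc.stderr.strip().splitlines() or ["exit %d" % proc.returncode]
        results[mod] = None if proc.returncode == 0 else err_lines[-1]
    return results


def probe_current_interpreter(modules=("_ssl",)):
    """Convenience wrapper: probe the interpreter running this script."""
    return probe_interpreter(sys.executable, modules)


if __name__ == "__main__":
    for ts, msg in find_cron_failures(SAMPLE_CRON_LOG):
        print("cron.log failure at %s: %s" % (ts, msg))
    # Assumed usage: python check.py /opt/eff.org/certbot/venv/bin/python
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    for mod, err in probe_interpreter(target).items():
        print("%-12s %s" % (mod, "ok" if err is None else "FAIL: " + err))
```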
     
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    ISPConfig does not install certbot/letsencrypt. That has to be done by the user. I prefer the manual installation as it is more up to date than the system packages.
    Please uninstall the packages "certbot" or "python-certbot" if you have installed them with the packaging tool, then run
    Code:
    cd /tmp
    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto
    ./certbot-auto --dry-run
    
    Ignore the warning about the dry run only possible on certonly etc. command at the end. It doesn't matter. The command will update your system packages needed for certbot and update certbot itself to the latest version.
     
  3. Jemt

    Jemt Member HowtoForge Supporter

    Hi Croydon.
    Thanks for replying so quickly.
    The procedure you suggest is for Debian 7 (https://certbot.eff.org/#debianwheezy-apache). Should I really do that on Debian 8?
    I actually did download and run certbot some time ago, but I expected it to be a standalone binary - I never installed it to
    /root/.local/share/letsencrypt/bin/letsencrypt or /opt/eff.org/certbot/venv/bin/certbot where /usr/local/ispconfig/server/lib/classes/cron.d/900-letsencrypt.inc.php seems to expect it to be. Am I wrong in this assumption? And should I in fact perform your suggested fix on Debian 8? If so, what makes it install into the two locations I mentioned?

    Thanks again :)

    Jimmy
     
    Last edited: Dec 2, 2017
  4. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Hi.
    The procedure is the same for many distributions ;-) I use it on debian 9, too.
    The Debian 9 and Debian 8 backport packages contain certbot 0.10 or 0.11, while the manual installation leads to 0.19.
    It is no standalone binary; it is an installer that installs prerequisites and the real certbot files into /opt/eff.org - /root/.local was the former installation location, which changed a while ago.
     
  5. Jemt

    Jemt Member HowtoForge Supporter

    Hello again.

    Thanks for elaborating. I did what you suggested but received the following error:

    Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
    Traceback (most recent call last):
    File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 9, in <module>
    from acme import jose
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/__init__.py", line 37, in <module>
    from acme.jose.interfaces import JSONDeSerializable
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/interfaces.py", line 9, in <module>
    from acme.jose import util
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/util.py", line 5, in <module>
    import OpenSSL
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/rand.py", line 12, in <module>
    from OpenSSL._util import (
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 156, in <module>
    Binding.init_static_locks()
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 140, in init_static_locks
    __import__("_ssl")
    ImportError: No module named _ssl

    To work around this I renamed the original version installed and ran certbot again:
    mv /opt/eff.org /opt/eff.org_OLD
    ./certbot-auto --dry-run

    This time it worked - it installed all the missing dependencies, and certbot no longer throws the exception:
    /opt/eff.org/certbot/venv/bin/certbot --version
    This outputs: certbot 0.19.0

    How can I force ISPConfig to immediately try to renew all the certificates to make sure the certificates about to expire get renewed?

    Jimmy
     
  6. Tuumke

    Tuumke Active Member

    Did you check the /var/log/letsencrypt/letsencrypt.log?
     
  7. Jemt

    Jemt Member HowtoForge Supporter

    Hi Tuumke.

    Yes, no new entries. The renewal cronjob has not been executed yet.

    But I looked through /usr/local/ispconfig/server/lib/classes/cron.d/900-letsencrypt.inc.php and found that simply invoking "certbot -n renew" would be sufficient.

    certbot -n renew
    /etc/init.d/apache2 restart

    All certificates created by ISPConfig were renewed successfully :)

    Thanks a lot guys! :)

    Best regards
    Jimmy
     
    Last edited: Dec 3, 2017
  8. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Just for information: You can run any ISPConfig cron from the cron.d directory like this
    cd /usr/local/ispconfig/server/
    php cron_debug.php --cronjob=900-letsencrypt.inc.php
     
  9. Jemt

    Jemt Member HowtoForge Supporter

    Oh cool - that's really helpful. Thanks :)
     