webmin letsencrypt certbot issue

Hi there

Have just updated my Debian 9 install to Webmin 1.940 and can confirm that Lets Encrypt no longer works

When accessing lets Encrypt under SSL Management for the domains this is the information message displayed

Let's Encrypt is a free, automated, and open certificate authority that can be used to generate an SSL certificate for use by Virtualmin.

However, it cannot be used on your system : The Let's Encrypt client command letsencrypt or certbot was not found on your system

After running apt-get -y install certbot

Lets Encrypt service is found again and existing certs are recognised - I have also requested a new cert which did complete correctly however this message was displayed and the end of the request

Failed to request certificate : Failed to open PID file

Kind Regards Brad

The same issue, the same message after last Webmin update. CentOS 6.10 Webmin 1.940 Virtualmin 6.08 Pro

Even more, every 1:05 hours a hassle messages arrives to the admin emails...so please imagine the system with 500+ users. Please solve this ASAP.

Hi, Brad.

We are releasing Webmin 1.941 pretty soon to address issues for older OSes (CentOS 6 and Debian 8).

What is the output of whereis certbot on your Debian 8?

Hi Ilia

Thank you for the update

Unfortunately I do not have any Debian 8 installs with Webmin but on Debian 9

This is the output

~# whereis certbot

certbot:

Sorry not much use.

Kind Regards

Brad

It seems that it's not installed?

You could install it by running:

apt-get install certbot

Before doing it, if you go to Virtualmin/Server Configuration/SSL Certificate, then Let's Encrypt tab - what do you see? I think you don't see the prompt to install it?

I also don't see it on Ubuntu. I suppose it's Debian-like issue.

Jamie, look at the screenshot. There is no Install button under Virtualmin, while there is under Webmin. It seems like a bug to fix before the upcoming release.

Hi Ilia, Do you have any ETA for the release of Webmin 1.941? It's pretty much urgent...

Hi Ilia

No it is not installed as per my first comment on this issue - after installing and renewing a cert I see this message even though the cert is issued correctly

Failed to request certificate : Failed to open PID file

You are correct regarding the missing certbot install link (in Debian 9)

Kind Regards

Brad

Hi,

I will talk to Jamie to make it as soon as possible. I think all is ready.

You can take minimum risk and update it right now from GitHub repo. Jamie made patches to address this issue on CentOS 6, I believe. If something goes wrong, you can simply re-run yum reinstall webmin on the console.

I have just tested latest Git version of Webmin on CentOS 6, and it seems to work flawlessly.

Give it a try and return to us as soon as possible.

It will take only few minutes to update, by running the following command:

cd /usr/libexec/webmin && ./update-from-repo.sh -y

Note: You will need to install as well yum install python-argparse module for ACME script to work.

An update from GitHub repo works well. We've just tested Let's Encrypt - it works. Hope all other features of Virtualmin should works correctly.

Thanks for your help.

It was in Debian jessie backports but now is not possible to install it. Repo is outdated.

You don't need to. Upcoming Webmin release will support it by using ACME script as a fallback.

Like mentioned on my previous comment, you are welcome to give it immediate try.

Please let us know if it worked same fine for you on Debian 8.

The update from GitHub repo seems to work well for CentOS 6.

One question - is there a report or query I can run to get a list of virtual servers that had a failed certificate install? I'm afraid that if I don't manually update them, those sites will go down with "expired certificate" soon.

I don't believe there's an automated way to show what domains have expired certificates in Virtuamin.

Now, there should be an email from Virtualmin for each domain that failed, you could always look through those.

Another idea is that if you do some scripting, you could write some code that uses the Virtualmin CLI to grab all the SSL expiration dates.

You can list all the domains with SSL enabled with this command: "virtualmin list-domains --with-feature ssl".

And this command will show when a domain's SSL cert expires: "virtualmin get-ssl --domain DOMAIN_NAME".

You could build a script that combines the above and displays a list of all domains and all the SSL expiration dates.

If you aren't familiar with scripting, there's some examples here that may get you started:

https://www.virtualmin.com/documentation/developer/cli_examples

Okay, it's true, Eric is right, there was no such script, so I spent some time today to make one called virtualmin-get-domains-ssl-status.pl

Learn more details here.

The script would produce the following output:

.---------------------------------------------------------------------------------------------------------------------.
|                                          SSL CERTIFICATES EXPIRATION DATES                                          |
+---------------------+-------------------------------------------+-----------------------------+------------+--------+
| DOMAIN NAME         | PATH TO CERTIFICATE FILE                  | VALID UNTIL                 | EXPIRES IN | STATUS |
+---------------------+-------------------------------------------+-----------------------------+------------+--------+
| site1.com           | /etc/pki/domains/site1.com.cert           | Mar 08, 2020 (Sun 09:44:56) | 61 days    | VALID  |
| mywebsite.io        | /etc/pki/domains/mywebsite.io.cert        | Mar 08, 2020 (Sun 11:49:48) | 61 days    | VALID  |
| myothersite007.com  | /etc/pki/domains/myothersite007.com.cert  | Mar 19, 2020 (Thu 05:24:46) | 72 days    | VALID  |
| mywebsite.io        | /etc/pki/domains/mywebsite.io.cert        | Feb 15, 2020 (Sat 07:43:05) | 39 days    | VALID  |
| example.io          | /etc/pki/domains/example.io.cert          | Mar 08, 2020 (Sun 09:50:05) | 61 days    | VALID  |
'---------------------+-------------------------------------------+-----------------------------+------------+--------'

The usage is simple:

perl virtualmin-get-domains-ssl-status.pl

It will help you to monitor with ease which domains are about to expire @PaliGap. :)

Many thanks for the Perl script. Did the job perfectly.

You are welcome.

Later it might change the location or even be integrated to UI.

For debian 8 , downgrade to https://sourceforge.net/projects/webadmin/files/webmin/1.930/webmin_1.93... And it works.

Hi,

I have the same issue on CentOS 7

Ilia wrote: We are releasing Webmin 1.941 pretty soon to address issues for older OSes (CentOS 6 and Debian 8). Will 1.941 also fix it for CentOS 7 ?

Regards, Leffe

Which issue are you seeing exactly?

Normally on CentOS 7, you should be able to resolve that by installing certbot, which can be done with yum install certbot.

Hi,

Let's encrypt was working perfectly before last update! Now I get this message on the

Let's Encrypt is a free, automated, and open certificate authority that can be used to generate an SSL certificate for use by Virtualmin. However, it cannot be used on your system : The Let's Encrypt client command letsencrypt or certbot was not found on your system

Why do Webmin update remove packages or if changing something and not install the required packages so that the system is still working the same way and maintain the functions it had before the update!? Or is this a bug?

What has changed, it was working fine before? if I install Certbot it also requires about 30 dependencies...

Regards, Leffe

What has changed, it was working fine before? if I install Certbot it also requires about 30 dependencies

Yes, it's better to rely on distro built package (I mean certbot), supplied by repo to make sure things will not break out of the blue in the future.

Just install certbot. New 1.941 will work as it used to be, if certbot command is not installed.

For anyone else troubled by the issue of the 1.940 update breaking this previously working letsencrypt functionality. As noted per comment #20 - I installed certbot via yum install certbot on CentOS 7 and it immediately restored this functionality on the Server Configuration > SSL Certificate > Let's Encrypt page.

Hi apt_virtualmin,

The previous way worked just fine and I don't like to install packages that requires lots of dependencies if I don't have to... As long as the previous way is working and supported we should have a choice and make the selection which one we like to use. As I said, installing certbot also installs 30 dependencies so I prefer to use the previous way with the ACME script which hopefully will be back in 1.941

Regards, Leffe

The previous way worked just fine and I don't like to install packages that requires lots of dependencies if I don't have to.

Yes, Webmin 1.941 should work without installing certbot command, even on CentOS 7 server.

Just so I understand this clearly.

Version Webmin 1.940 removed The let's Encrypt client and Webmin 1.941 will reinstall it?

One of my domains updated a little while ago but after the latest update my last Let's Encrypt update attempt failed on another domain. If the update will be out soon I will just wait for it rather than install Certbot. I am running Centos 7. I assume that, if it doesn't work for some reason, I can just use 'yum install certbot' and it will re-enable all my previous setups and I won't have to go through the hassle of getting each domain to work properly again?

Hi ksihota,

I installed certbot (and the 30 dependencies) on one of our CentOs 7 servers just to test, and Let's Encrypt worked exactly as it did before 1.940 update. I tested this just to know that it worked! I will wait for 1.941 for our other server instead of using certbot.

Regards, Leffe

We highly recommend using certbot, and it's what we'll be moving to at some point in the future.

That will become a dependency of the initial Virtualmin installer, and we plan to make that transition a bit smoother than this one went.

We wanted to go the certbot direction now, but as most of you here saw we ran into some issues in doing so. To resolve that, we put an updated version of the built-in client back for the time being, until all those other issues can be fixed. It'll probably be there awhile. However, as it's a bit of a maintenance headache, and it doesn't support Let's Encrypt's features nearly as well, we'd ultimately like to move purely over to certbot at some point.

I've just run into the same issue - what is the fix for Debian 8, please?

Hi,

The temporary fix would be is to downgrade Webmin to previous version (you will be able to continue requesting certificates for existing domains). Version 1.941, as released would not have this limitation.

To downgrade run the following command:

apt-get install webmin=1.932

Hi, I discovered this issue tonight (Jan 9) on my host running Ubuntu 14.04.6 LTS. Same messages and results as other people; Toli, Brad100, @Control as above. I was unable to install certbot via apt-get. Downgrading Webmin and clicking [Request Certificate] worked for me. Looking forward to the new, fixed Webmin.

Hi, I am having the same issue.

Using CentOS 7, webmin 1.940.

The happened after upgrade.

"Let's Encrypt is a free, automated, and open certificate authority that can be used to generate an SSL certificate for use by Virtualmin. However, it cannot be used on your system : The Let's Encrypt client command letsencrypt or certbot was not found on your system"

Plz advise fix for CentOs 7.

Thank you

Hi, simply run from inbuilt command shell (Alt+K):

yum install -y certbot

Totally see why you switched to official repos for the packages - all good. I just suggest that you document if breaking change is added to the update. With additional popup where you can confirm that you know there is some manual labor needed :)

It worked. Thanks!

It was intended. The user on that screen, should've seen a prompt for installing certbot in one click.

It will be fixed in 1.941.

"The user on that screen, should've seen a prompt for installing certbot in one click."

I didn't see any prompt to install Certbot, but only the latter message posted.

I'd consider this a production fail to be honest, I think QA needs more work.

One one of my sites lost its SSL certificate. Luckily it wasn't a high traffic site.

I would say this type of update issues should not happen again.

Ilia is saying that's the bug -- that there isn't a prompt for installing certbot, and all that will be fixed in the upcoming release.

In the meantime though, marking this as resolved. Thanks!

In addition for those who do run into issues on CentOs 6.10, this workaround... On requesting a new cert in webmin->configuation->ssl encryption->letsencrypt->request cert..

It aborted in the "bootstrap". At the bottom of the log, there is a list of packages that would not be installed apparently as a "Y" is expected. As I did not want to wait for 1.941, I installed all of the required manually. No "Y" required.

Then returned to webmin->configuation->ssl encryption->letsencrypt->request cert and it succeeded.

Ubuntu 16.04.6 LTS

Same problem here. Tried the dev version, no success.

Rollback to previous working version was the solution.

Please update us for new version.

We just started the process of releasing a 1.941 version of Webmin that should fix this by bringing back the old built-in Let's Encrypt client. If you need it now, you can get it from http://www.webmin.com/devel.html

Hi,

yum install certbot ran with errors (python)

  Installing : python2-parsedatetime-2.4-5.el7.noarch                      9/28 
  Installing : python-urllib3-1.10.2-7.el7.noarch                         10/28 Error unpacking rpm package python-urllib3-1.10.2-7.el7.noarch
 
error: unpacking of archive failed on file /usr/lib/python2.7/site-packages/urllib3/packages/ssl_match_hostname: cpio: rename
  Installing : python-requests-2.6.0-8.el7_7.noarch                       11/28 
error: python-urllib3-1.10.2-7.el7.noarch: install failed
  Installing : python-requests-toolbelt-0.8.0-1.el7.noarch                12/28 

ValueError: SELinux policy is not managed or store cannot be accessed.

Installed:
  certbot.noarch 0:1.0.0-1.el7                                                  

Failed:
  python-urllib3.noarch 0:1.10.2-7.el7          

Generating LE Cert classical way via GUI now returns:

Traceback (most recent call last):
  File "/bin/letsencrypt", line 9, in 
    load_entry_point('certbot==1.0.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 378, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2566, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2260, in load
    entry = __import__(self.module_name, globals(),globals(), ['__name__'])
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 2, in 
    from certbot._internal import main as internal_main
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 17, in 
    from certbot._internal import account
  File "/usr/lib/python2.7/site-packages/certbot/_internal/account.py", line 17, in 
    from acme import messages
  File "/usr/lib/python2.7/site-packages/acme/messages.py", line 11, in 
    from acme import challenges
  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 9, in 
    import requests
  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in 
    from . import utils
  File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in 
    from .exceptions import InvalidURL
  File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in 
    from urllib3.exceptions import HTTPError as BaseHTTPError
  File "/usr/lib/python2.7/site-packages/urllib3/__init__.py", line 10, in 
    from .connectionpool import (
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 31, in 
    from .connection import (
  File "/usr/lib/python2.7/site-packages/urllib3/connection.py", line 45, in 
    from .util.ssl_ import (
  File "/usr/lib/python2.7/site-packages/urllib3/util/__init__.py", line 4, in 
    from .request import make_headers
  File "/usr/lib/python2.7/site-packages/urllib3/util/request.py", line 5, in 
    from ..exceptions import UnrewindableBodyError
ImportError: cannot import name UnrewindableBodyError

@matolog Is this happening on CentOS 7?

What is the output of the following command:

yum repolist all

Hello, yes, its CentOS 7

Hi, i've updated at the end of last week and tried to renew my certs and all worked like a charm.

Thanks a lot.

Hi, still have the same errors

@matolog What OS do you use? Do you have certbot package installed? What are the actual errors that you see, when requesting new certificate?

@Ilia i provided more infos in previous comments.

@matolog, just came across similar problem as I have had installed python-pip on my amazon aws so the problem was urllib3 that was installed via pip, solution form here https://bugzilla.redhat.com/show_bug.cgi?id=1738348 helped me

I uninstalled urllib3 from pip and installed via yum

pip uninstall urllib3

yum install python-urllib3

and SSL from Virtualmin works again

Centos 7 and Virtualmin

Webmin version 1.941 Usermin version 1.791 Virtualmin version 6.08 Authentic theme version 19.45

Hi,

Thanks. I run both commands, pip uninstall, and urllib3, and yum install python-urllib3, now error is different:

.. request failed : Web-based validation failed :
Traceback (most recent call last):
  File "/bin/letsencrypt", line 5, in 
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 3007, in 
    working_set.require(__requires__)
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 728, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 626, in resolve
    raise DistributionNotFound(req)
pkg_resources.DistributionNotFound: urllib3>=1.21.1,
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 3007, in 
    working_set.require(__requires__)
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 728, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 626, in resolve
    raise DistributionNotFound(req)
pkg_resources.DistributionNotFound: urllib3>=1.21.1,

@matolog Have you tried Googling this error first?

Have you tired running yum clean all and then reinstalling certbot package?

What is the output of commands:

Exiting thread...

Hello, not sure butI have a feeling that your python installation is not in good state like mixed packages from different repos.

If you have had installed python-pip earlier you might updated some python libs via pip and other were installed via yum. Check if you have pip installed

pip --version

Have you had a problem with yum update so far? As I checked on all 3 server I installed python-pip and updated python via pip earlier (I think it was when I installed aws cli) I have had yum update problem and always was a problem with urllib3. And all 3 server had a problem to update/request new Let's Encrypt.

So this solution https://bugzilla.redhat.com/show_bug.cgi?id=1738348 worked for me on all 3 servers.

Hope you will find a solution for your problem.

If you are using centos just run 'yum install certbot' it will fix all lets encrypt issue. Make sure your dns is also pointing to correct nameservers