NoInstallationError() from Apache plugin within renewal cron jobs due to /usr/sbin not being in the PATH #1833

Closed
linuxlurak opened this Issue Dec 8, 2015 · 32 comments

I'm running a cron job that executes a script with the following content:

#!/bin/sh
echo "" >> /var/log/letsencrypt/$1.log
echo "$(date): Certificate Renewal of $1">> /var/log/letsencrypt/$1.log
echo "-----------------------------------------------------------------"
/root/letsencrypt/letsencrypt-auto certonly --apache --rsa-key-size 4096 --renew-by-default --hsts --redirect --agree-tos -m EMAIL.TLD -d $1 --text >> /var/log/letsencrypt/$1.log 2>&1

I get this Error:

Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --apache --rsa-key-size 4096 --renew-by-default --hsts --redirect --agree-tos -m EMAIL.TLD -d DOMAIN.TLD --text
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()"

Anything I can do?

@pde pde added the area: apache label Dec 9, 2015

pde Dec 9, 2015

Member

Run interactively with -vvv and --debug, to get more detail on what the problem is. I suspect but am not sure that the apache plugin is crashing on one of your conf files; if you can figure out which one, can you paste it?

@pde pde added the question label Dec 9, 2015

linuxlurak Dec 9, 2015

The error appears only when I run the script by cron. If I run it directly everything succeeds.
Debug log:

2015-12-09 18:57:29,688:DEBUG:letsencrypt.cli:Root logging level set at 0
2015-12-09 18:57:29,689:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2015-12-09 18:57:29,689:DEBUG:letsencrypt.cli:letsencrypt version: 0.1.0
2015-12-09 18:57:29,690:DEBUG:letsencrypt.cli:Arguments: ['--debug', '-vvv', '--apache', '--rsa-key-size', '4096', '--renew-by-default', '--hsts', '--redirect', '--agree-tos', '-m', 'REMOVED', '-d', 'REMOVED', '--text']
2015-12-09 18:57:29,690:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2015-12-09 18:57:29,692:DEBUG:letsencrypt.cli:Requested authenticator apache and installer apache
2015-12-09 18:57:29,713:DEBUG:letsencrypt.plugins.disco:No installation (PluginEntryPoint#apache):
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/disco.py", line 103, in prepare
    self._initialized.prepare()
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 142, in prepare
    raise errors.NoInstallationError
NoInstallationError
2015-12-09 18:57:29,715:DEBUG:letsencrypt.display.ops:No candidate plugin
2015-12-09 18:57:29,716:DEBUG:letsencrypt.cli:Selected authenticator None and installer None

stderr and stdout:

-vvv
Updating letsencrypt and virtual environment dependencies...
Requirement already up-to-date: setuptools in ./.local/share/letsencrypt/lib/python2.7/site-packages
Requirement already up-to-date: pip in ./.local/share/letsencrypt/lib/python2.7/site-packages
Requirement already up-to-date: letsencrypt in ./.local/share/letsencrypt/lib/python2.7/site-packages
Requirement already up-to-date: letsencrypt-apache in ./.local/share/letsencrypt/lib/python2.7/site-packages
Collecting ConfigArgParse from git+https://github.com/kuba/ConfigArgParse.git@python2.6-0.9.3#egg=ConfigArgParse (from -r /root/letsencrypt/py26reqs.txt (line 1))
  Cloning https://github.com/kuba/ConfigArgParse.git (to python2.6-0.9.3) to /tmp/pip-build-JknXHd/ConfigArgParse
Requirement already up-to-date: acme==0.1.0 in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
Requirement already up-to-date: setuptools in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
Requirement already up-to-date: python2-pythondialog>=3.2.2rc1 in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
Requirement already up-to-date: PyOpenSSL in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
Requirement already up-to-date: requests in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
Requirement already up-to-date: parsedatetime in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
Requirement already up-to-date: configobj in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
Requirement already up-to-date: pytz in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
Requirement already up-to-date: psutil>=2.1.0 in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
Requirement already up-to-date: six in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
Requirement already up-to-date: cryptography>=0.7 in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
Requirement already up-to-date: zope.interface in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
Requirement already up-to-date: zope.component in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
Requirement already up-to-date: mock in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
Requirement already up-to-date: pyrfc3339 in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
Requirement already up-to-date: python-augeas in ./.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt-apache)
Requirement already up-to-date: pyasn1 in ./.local/share/letsencrypt/lib/python2.7/site-packages (from acme==0.1.0->letsencrypt)
Requirement already up-to-date: ndg-httpsclient in ./.local/share/letsencrypt/lib/python2.7/site-packages (from acme==0.1.0->letsencrypt)
Requirement already up-to-date: werkzeug in ./.local/share/letsencrypt/lib/python2.7/site-packages (from acme==0.1.0->letsencrypt)
Requirement already up-to-date: idna>=2.0 in ./.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->letsencrypt)
Requirement already up-to-date: enum34 in ./.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->letsencrypt)
Requirement already up-to-date: ipaddress in ./.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->letsencrypt)
Requirement already up-to-date: cffi>=1.1.0 in ./.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->letsencrypt)
Requirement already up-to-date: zope.event in ./.local/share/letsencrypt/lib/python2.7/site-packages (from zope.component->letsencrypt)
Requirement already up-to-date: funcsigs in ./.local/share/letsencrypt/lib/python2.7/site-packages (from mock->letsencrypt)
Requirement already up-to-date: pbr>=0.11 in ./.local/share/letsencrypt/lib/python2.7/site-packages (from mock->letsencrypt)
Requirement already up-to-date: pycparser in ./.local/share/letsencrypt/lib/python2.7/site-packages (from cffi>=1.1.0->cryptography>=0.7->letsencrypt)
Installing collected packages: ConfigArgParse
  Found existing installation: ConfigArgParse 0.9.3
    Uninstalling ConfigArgParse-0.9.3:
      Successfully uninstalled ConfigArgParse-0.9.3
  Running setup.py install for ConfigArgParse
Successfully installed ConfigArgParse-0.9.3
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --debug -vvv --apache --rsa-key-size 4096 --renew-by-default --hsts --redirect --agree-tos -m REMOVED -d REMOVED --text
2015-12-09 19:57:29,688:DEBUG:letsencrypt.cli:Root logging level set at 0
2015-12-09 19:57:29,689:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2015-12-09 19:57:29,689:DEBUG:letsencrypt.cli:letsencrypt version: 0.1.0
2015-12-09 19:57:29,690:DEBUG:letsencrypt.cli:Arguments: ['--debug', '-vvv', '--apache', '--rsa-key-size', '4096', '--renew-by-default', '--hsts', '--redirect', '--agree-tos', '-m', 'REMOVED', '-d', 'REMOVED', '--text']
2015-12-09 19:57:29,690:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2015-12-09 19:57:29,692:DEBUG:letsencrypt.cli:Requested authenticator apache and installer apache
2015-12-09 19:57:29,713:DEBUG:letsencrypt.plugins.disco:No installation (PluginEntryPoint#apache):
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/disco.py", line 103, in prepare
    self._initialized.prepare()
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 142, in prepare
    raise errors.NoInstallationError
NoInstallationError
2015-12-09 19:57:29,715:DEBUG:letsencrypt.display.ops:No candidate plugin
2015-12-09 19:57:29,716:DEBUG:letsencrypt.cli:Selected authenticator None and installer None
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()

joohoi Dec 9, 2015

Member

Seems like it's not able to find the executables. This is most likely due to cron using more sparse env variables as opposed to the user (including the PATH variable); try setting them separately.

linuxlurak Dec 11, 2015

Can you give me a hint? I put some apache env vars in my script. Perhaps not what you meant...

#!/bin/sh
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
# temporary state file location. This might be changed to /run in Wheezy+1
export APACHE_PID_FILE=/var/run/apache2/apache2$SUFFIX.pid
export APACHE_RUN_DIR=/var/run/apache2$SUFFIX
export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX
# Only /var/log/apache2 is handled by /etc/logrotate.d/apache2.
export APACHE_LOG_DIR=/var/log/apache2$SUFFIX

echo "" >> /var/log/letsencrypt/$1.log
echo "$(date): Certificate Renewal of $1">> /var/log/letsencrypt/$1.log
echo "-----------------------------------------------------------------">> /var/log/letsencrypt/$1.log
/root/letsencrypt/letsencrypt-auto --debug -vvv --apache --rsa-key-size 4096 --renew-by-default --hsts --redirect --agree-tos -m REMOVE -d $1 --text >> /var/log/letsencrypt/$1.log 2>&1

Same result. What env vars do I have to put where? Thanks for your help.

joohoi Dec 11, 2015

Member

You need to set your PATH environment variable in that .sh file. I guess cron doesn't hold the same $PATH as your user does, so you'll need to add it manually.

linuxlurak Dec 11, 2015

Thank you very much. Now it works. I did the following:

  1. As user get your PATH environment variable content by this: echo $PATH
  2. Copy the content you get to your script and set the variable: PATH=CONTENT-YOU-GOT

So my working script looks like this (edit EMAIL.TLD according to your needs):

#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
echo "" >> /var/log/letsencrypt/$1.log
echo "$(date): Certificate Renewal of $1">> /var/log/letsencrypt/$1.log
echo "-----------------------------------------------------------------">> /var/log/letsencrypt/$1.log
/root/letsencrypt/letsencrypt-auto --apache --rsa-key-size 4096 --renew-by-default --hsts --redirect --agree-tos -m EMAIL.TLD -d $1 --text >> /var/log/letsencrypt/$1.log 2>&1

My cron job (edit root crontab by running "crontab -e" as root) to run the renewal-script every two months looks like this:

# m h dom mon dow: 03:00 on the 1st day of every second month
0 3 1 */2 * /root/letsencrypt-renewal.sh DOMAIN.TLD

Edit DOMAIN.TLD according to your needs.

linuxlurak Dec 11, 2015

Last question: Is there already a working fully automated renewal so my script could be obsolete? Or is there anything else to be improved in this solution?

joohoi Dec 11, 2015

Member

I don't think there is. The configurations vary so much that it's a lot of work and testing.

@linuxlurak linuxlurak closed this Dec 11, 2015

linas Jun 21, 2016

Seems to be a common problem that bites lots of people. At least, that's what a Google search suggests.

@bmw bmw removed the question label Jun 21, 2016

bmw Jun 21, 2016

Contributor

@linas,

  1. What OS are you using?
  2. How did you install Certbot?
  3. Do you have a log of the issue (feel free to redact domain names and e-mail addresses if you prefer)?

@bmw bmw reopened this Jun 21, 2016

linas commented Jun 22, 2016

Hi,

  1. Ubuntu 14.04.4 LTS
  2. Don't recall ... followed instructions on website
  3. The general issue is essentially the same as that posted above; see also
    https://community.letsencrypt.org/t/fails-when-running-cronjob/8207
    https://community.letsencrypt.org/t/letsencrypt-renew-not-working-with-cronjob-manually-it-works/16738
    https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
    https://www.howtoforge.com/community/threads/integrate-lets-encrypt-ssl-certificates-into-ispconfig.71055/page-5

I am assuming that 100% of it is explainable by the missing/empty PATH environment variable in cron.

linas Jun 22, 2016

Here are relevant extracts from syslog:

2016-06-12 04:33:05,786:DEBUG:letsencrypt.plugins.disco:No installation (PluginE
ntryPoint#apache): 
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsenc
rypt/plugins/disco.py", line 103, in prepare
    self._initialized.prepare()
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsenc
rypt_apache/configurator.py", line 152, in prepare
    raise errors.NoInstallationError
NoInstallationError
2016-06-12 04:33:05,805:DEBUG:letsencrypt.display.ops:No candidate plugin
2016-06-12 04:33:05,805:DEBUG:letsencrypt.display.ops:No candidate plugin
2016-06-12 04:33:05,805:DEBUG:letsencrypt.cli:Selected authenticator None and installer None

and more error messages follow, but the above seems to be the only relevant one.

linas Jun 22, 2016

The problem can be reproduced at the command line by saying

export PATH=/usr/bin:/sbin:/bin
/root/.local/share/letsencrypt/bin/letsencrypt renew --apache --renew-by-default  --no-self-upgrade --no-redirect --text --agree-tos --dry-run

which will lead to the failure, whereas

export PATH=/usr/bin:/usr/sbin:/sbin:/bin

is enough to get it to work, it seems. Looking at the contents of /usr/sbin, I notice that apache2 is there ... I don't see how anything else in that directory would matter. And this makes sense ... the error is from python2.7/site-packages/letsencrypt_apache/configurator.py so, without /usr/sbin, it's not finding apache2 and it's croaking as a result.
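
An added example, not part of the thread and not Certbot code: a pre-flight check that a root cron wrapper could run before the renewal. It reproduces the two PATH values from the comment above against a constructed sandbox and, because the job runs as root, also rejects PATH entries that are empty, relative or world-writable. The names `missing_tools`, `unsafe_path_entries`, `preflight` and `make_sandbox` are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for a renewal wrapper run from root's cron.
# All function names are hypothetical; none of this is Certbot code.

# Print every tool ("$2"...) that has no executable file in any directory of
# the PATH string "$1". The subshell body keeps IFS/noglob changes local.
missing_tools() (
    search_path=$1; shift
    set -f; IFS=:
    for tool in "$@"; do
        found=no
        for dir in $search_path; do
            [ -n "$dir" ] || continue
            if [ -f "$dir/$tool" ] && [ -x "$dir/$tool" ]; then
                found=yes; break
            fi
        done
        [ "$found" = yes ] || printf '%s\n' "$tool"
    done
    true
)

# Print PATH entries that let someone other than root decide what a root job
# executes: empty entries (the current directory), relative entries, and
# world-writable directories.
unsafe_path_entries() (
    search_path=$1
    case ":$search_path:" in
        *::*) printf 'empty: resolves to the current directory\n' ;;
    esac
    set -f; IFS=:
    for dir in $search_path; do
        [ -n "$dir" ] || continue
        case $dir in
            /*) ;;
            *) printf 'relative: %s\n' "$dir"; continue ;;
        esac
        # Character 9 of the `ls -l` mode string is the other-write bit.
        if [ -d "$dir" ] && [ "$(ls -ldL "$dir" | cut -c9)" = w ]; then
            printf 'world-writable: %s\n' "$dir"
        fi
    done
    true
)

# Return 2 for an unsafe PATH, 1 for a missing executable, 0 otherwise. The
# message names what was not found and which PATH was searched.
preflight() {
    pf_path=$1; shift
    pf_unsafe=$(unsafe_path_entries "$pf_path")
    if [ -n "$pf_unsafe" ]; then
        printf 'refusing PATH entry:\n%s\n' "$pf_unsafe" >&2
        return 2
    fi
    pf_missing=$(missing_tools "$pf_path" "$@" | tr '\n' ' ')
    if [ -n "$pf_missing" ]; then
        printf 'not found in PATH=%s: %s\n' "$pf_path" "$pf_missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample layout (not a real system): a stub apache2 exists only in
# usr/sbin, matching the host described in the thread.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/usr/bin" "$sb/usr/sbin" "$sb/sbin" "$sb/bin" "$sb/shared"
    chmod 755 "$sb/usr/bin" "$sb/usr/sbin" "$sb/sbin" "$sb/bin"
    chmod 777 "$sb/shared"
    printf '#!/bin/sh\nexit 0\n' > "$sb/usr/sbin/apache2"
    chmod 755 "$sb/usr/sbin/apache2"
    printf '%s\n' "$sb"
}

demo() {
    demo_sb=$(make_sandbox)
    # Same shape as the failing and working PATH values in the thread.
    cron_like="$demo_sb/usr/bin:$demo_sb/sbin:$demo_sb/bin"
    fixed="$demo_sb/usr/bin:$demo_sb/usr/sbin:$demo_sb/sbin:$demo_sb/bin"
    preflight "$cron_like" apache2 || echo "cron-like PATH: exit $?"
    preflight "$fixed" apache2 && echo "PATH with usr/sbin: ok"
    preflight "$fixed:$demo_sb/shared" apache2 || echo "writable entry: exit $?"
    rm -rf "$demo_sb"
}
demo
```

In a real wrapper the PATH would be a fixed literal of system directories set at the top of the script, with `preflight "$PATH" apache2` run before the renewal command.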

joohoi Jun 22, 2016

Member

I think this should be added to documentation. It's distribution specific, but certbot site howto would be able to guide people forward. I don't think there's a good way to mitigate this at certbot code, we should assume that OS configuration is sane to begin with.

All in all, this is mostly a shortcoming in distribution specific default cron configuration.

linas Jun 22, 2016

Yes, a documentation fix would be good, although I'm not sure that the idea of using cron is documented anywhere -- it's just one of those tricks all sysadmins know, and do reflexively for this.

The idea that letsencrypt_apache/configurator.py is explicitly searching for the apache2 daemon is what catches one off-guard. It's not entirely clear to me why this is even needed; I guess it's somehow used to compute a path to locate where the certs should be placed? Is the check for apache2 really needed, or is it just someone being excessively strict?

linas Jun 22, 2016

As to it being a "distribution issue" -- it is following the FHS-- here: https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard and so it seems like checking /usr/sbin for apache2 seems like an entirely reasonable thing to do: essentially all distros are going to adhere to this standard -- this is the point of standardization. So blaming it on the distro doesn't quite seem right.

joohoi Jun 22, 2016

Member

Certbot actually needs apache2 for various tasks. It needs it to validate the configuration to be able to back off and restore the original configuration for user if there's a problem with autoconfigured parts. It also needs to restart apache2 to be able to perform the validation, and again to activate the new configuration and new certificate.

I think it's a distribution issue, because the distribution is responsible for default paths that are available for cron through $PATH, and also controls the installation paths for software, apache2 in this case. So as I see it, the distribution should either install software (in this case apache2) to a path already available to cron, or append the new installation path to the default $PATH.

linas Jun 22, 2016

Hmm. Maybe. If you feel that the distro really is the one at fault, and not your s/w -- then open a bug report. I can't really be a go-between between you and the distro, relaying who said what to whom -- this needs to be a direct conversation between you and them (or possibly between the packager and them, as I assume that someday, there will be debs and rpms for this) -- I've located the core bug: a lack of /usr/sbin in $PATH, I can't do more.

bmw Jun 22, 2016

Contributor

So there are a few actions we can take here, none of which are mutually exclusive:

  1. Make the error message raised more useful by explicitly stating the executable we were looking for and could not find. We could also mention potential problems with PATH if we want.
  2. File a bug against relevant distros who don't have the relevant Apache binaries available through PATH in cron.
  3. Search /usr/sbin for binaries if it's not included in PATH.

I think we should do 1 and maybe 2. We could do 3 but it's an ugly hack.
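
A sketch of options 1 and 3 from the comment above, added here as an illustration and not Certbot's own code. The names find_executable and ExecutableNotFound, the FALLBACK_DIRS list and the rule of skipping relative or world-writable directories (relevant because the renewal job runs as root) are assumptions of this example.

```python
import os
import stat

# Assumed fallback list for this sketch; not copied from Certbot's source.
FALLBACK_DIRS = ("/usr/local/sbin", "/usr/sbin", "/sbin")


class ExecutableNotFound(Exception):
    """Error that names the binary and every directory searched (option 1)."""


def _usable_dir(path):
    """Accept only absolute directories that are not world-writable."""
    if not os.path.isabs(path):
        return False  # skips "." and other relative PATH entries
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return stat.S_ISDIR(mode) and not mode & stat.S_IWOTH


def find_executable(name, path=None, fallback_dirs=FALLBACK_DIRS):
    """Search PATH, then fallback dirs that PATH does not already list (option 3)."""
    if path is None:
        path = os.environ.get("PATH", "")
    path_dirs = [d for d in path.split(os.pathsep) if d]
    extra = [d for d in fallback_dirs if d not in path_dirs]
    searched = path_dirs + extra
    for directory in searched:
        if not _usable_dir(directory):
            continue
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    raise ExecutableNotFound(
        "Cannot find %r; searched: %s. Under cron, PATH may not include "
        "/usr/sbin." % (name, ", ".join(searched) or "(nothing)"))


if __name__ == "__main__":
    # Constructed input: a minimal PATH of the kind a cron job might receive.
    try:
        print(find_executable("apache2", path="/usr/bin:/bin"))
    except ExecutableNotFound as exc:
        print(exc)
```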

paour Jun 30, 2016

Note that on Debian, merely adding the PATH=<snip>:/usr/sbin/ line to crontab didn't work: I had to change my weekly cron line to export PATH=$PATH && certbot renew --quiet for the path to be correctly propagated all the way to the apache plugin.

bigretromike Jul 7, 2016

Debian 8.5 also has this problem.

@paour so only adding "export PATH=$PATH && " before certbot renew in cron will do the trick?

@pde pde changed the title from cron renewal ends with Error "NoInstallationError()" to NoInstallationError() from Apache plugin within renewal cron jobs due to /usr/sbin not being in the PATH Jul 8, 2016

@pde pde added the area: pkging label Jul 8, 2016

@pde pde added this to the 0.9.0 milestone Jul 8, 2016

@pde pde added the area: renewal label Jul 8, 2016

paour Jul 8, 2016

@bigretromike I thought so at first, but I've now switched to using 30 2 * * 1 export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin && certbot renew --quiet.

@pde pde added the has pr label Jul 8, 2016

bigretromike Jul 8, 2016

I just made a script

#!/bin/bash

PATH=$PATH:/usr/sbin
export PATH && certbot renew --quiet

I don't think that PATH will change dramatically on the server, so your solution is probably better :-) Thanks

Sadly my solution didn't help, but yours did :-)

@pde pde closed this in #3261 Jul 8, 2016

@pde pde removed the has pr label Aug 13, 2016

@pde pde removed the has pr label Oct 6, 2016

katopz Dec 11, 2016

Hi guys,

Why didn't I see this export PATH mentioned in the docs?
And how can I print logs via certbot? The docs didn't tell me anything.
And why didn't you guys print logs at all? How do you ensure it works without logs?

Thanks

bmw Dec 12, 2016

Contributor

> Why didn't I see this export PATH mentioned in the docs?

Because we've solved this issue in Certbot 0.9.0 by manually checking a few directories.

> And how can I print logs via certbot? The docs didn't tell me anything.
> And why didn't you guys print logs at all? How do you ensure it works without logs?

You're right, we say very little about our logs in our documentation. I created #3898 to track this issue. Certbot stores all of its logs in /var/log/letsencrypt (unless you changed the directory with the --log-dir option).

Additionally, if you're running Certbot without the --quiet flag, it prints a lot of information about what it's doing to the terminal. If you add the --quiet flag, it will notify you if an error occurs. This flag is useful when running Certbot non-interactively with something like cron or systemd.

tinodj Mar 2, 2017

Hi, how can I check which Certbot version I have installed?

I still experience this problem with:
Ubuntu 16.04
letsencrypt 0.4.1

bigretromike Mar 2, 2017

@tinodj not included in -h but it's certbot --version

tinodj Mar 2, 2017

@bigretromike I thought that letsencrypt and certbot have different versions. I did check the letsencrypt version and reported it in the first post. If that is also my certbot version, then it is clear why the problem is still there. Nonetheless, why does Ubuntu 16.04 not have a newer version of certbot?

bigretromike Mar 3, 2017

For 16.04 it's python-letsencrypt-apache and it's old;
You can always install a newer version yourself or move to a newer Ubuntu

tinodj Mar 3, 2017

@bigretromike Thanks. 16.04 is not that old; it is not even a full year. But yes, I can install a newer version myself.

@pramsey pramsey referenced this issue in pramsey/postgis-gh Oct 16, 2017

Closed

debbie.postgis.net ssl has expired #3887

JimmyLincole May 5, 2018

@linuxlurak
thanks a billion. you save my life!!!
and now it works

jmurphyau May 16, 2018

cron does allow variables at the top of the config, e.g:

[root@ip-10-249-77-171 ~]# crontab -l
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/aws/bin:/usr/bin:/root/bin

0 8,20 * * * /usr/local/bin/certbot-auto renew
