letsencrypt fails with "PythonDialogBug" error #14

Closed
wrockwood opened this issue Dec 30, 2015 · 22 comments

@wrockwood

Greetings! First let me say thank you for this excellent plugin. It worked perfectly for me the first time I tried it, but I redeployed my dokku server with ansible and now I can't seem to letsencrypt anything at all.

Googling the error message shows some hits in the letsencrypt issues queue from back in October, but they're all closed and none of them seem to apply to me, because it doesn't seem to be writing any logs when invoked from within dokku.

Here's the error:
An unexpected error occurred:
PythonDialogBug
Please see the logfiles in /var/log/letsencrypt for more details.

Of course there is no letsencrypt log anywhere on the system (dokku doesn't write to the real /var/log, obviously), so I would expect there to be a var/log/ in the ~dokku/.letsencrypt directory, but it doesn't exist. I tried creating a 'log' directory in the 'var' directory that does exist, but that didn't work either. It's really hard to troubleshoot what is going on here exactly without being able to see any error logs.

Any suggestions? I wouldn't ever assume that a recent change to the plugin could have caused this, but it did work fine on Monday this week (with a different subdomain; when I re-deployed I also changed my subdomain from *.docker.example.com to *.apps.example.com (example.com as placeholder; I did actually use a working/resolving subdomain with appropriate wildcard dns.))

I tried changing my TERM to various things, thinking perhaps python was having issues opening a dialog as it did Monday the first time I ran it to prompt me for my email address. At first I thought it didn't like 'xterm' so I changed it to 'vt100' and then I remembered on Monday I was probably running in screen, so I ran screen and verified that my TERM was set to 'screen'. I think I've done as much troubleshooting as is possible without access to an actual verbose log file.

Thanks in advance for your time.

edit to include various random possibly-useful info:
system OS: Ubuntu 14.04.2 x64, fully updated
dokku version: 0.4.7
docker version: 1.9.1

I'm happy to provide any additional information, if needed!

further edit: I guess the logs end up in the docker container that gets created/destroyed, so I really don't have a good idea of what to do next.

@wrockwood
Author

Despite all my edits above, I figured this update warranted a reply: I re-hardcoded the -it argument to effectively undo the previous commit and it is working once again. (I just ran it after making the change and I see the dialog prompting for email address instead of receiving an error message. Woo!)

And now I have a working cert from letsencrypt. Whew!

@sseemayer
Contributor

OK, that's a very helpful hint! Apparently we're not correctly detecting that you're in a TTY. Here are some further ideas on how to debug this:

  • Could you display the value of your $PS1 and $TERM by adding the following before/after here
    dokku_log_verbose "PS1 is '$PS1', TERM is '$TERM'"
    [[ -t 1 ]] && DOKKU_RUN_OPTS="-it"
  • You can mount the let's encrypt docker container's log directory to ~dokku/.letsencrypt/log by first creating that directory and then adding the following line to the docker call:
    -v "$LETSENCRYPT_ROOT/log:/var/log" \

@wrockwood
Author

Thank you, I will try those things and post the results.

@sseemayer
Contributor

Derp, I just re-read the source and it should be [[ -t 1 ]], not [[ -t "$PS1" ]]. I've updated the above post but wanted to give you a ping in case you haven't seen.

sseemayer referenced this issue in kianhean/dokku-letsencrypt Jan 2, 2016
@beevelop

beevelop commented Jan 2, 2016

I experience the same issue and tried your suggested changes. So there you go:

PS1 is '', TERM is 'xterm-256color'

I guess this issue is caused by the necessity to initially provide the email address, as reverting the changes afterwards doesn't seem to affect the functionality (even though letsencrypt complains about insufficient authorization in my case for all subsequent requests).

Wouldn't it be possible to provide an email address as a command line argument (for the dokku command) or something like dokku letsencrypt:register <email>?

@kianhean

kianhean commented Jan 3, 2016

Hey

No worries. Thanks for the heads up. Yeah, it doesn't work for me and I am facing the same issue.
I second beevelop's suggestion on using the following

dokku letsencrypt:register <email>

or

$ dokku help
    letsencrypt <app> <email>                  Enable or renew letsencrypt certificate for app with email

as a required field

@sseemayer
Contributor

Thanks for the update everyone! Apparently $PS1 is not a reliable way to determine if we have a TTY. Could any of you check whether replacing the TTY detection with the above-mentioned [[ -t 1 ]] works?

I'll look into passing the e-mail to let's encrypt on the command line.

@sseemayer
Contributor

Just a note to self, the let's encrypt command has the following option to specify the e-mail address via command line:

  -m EMAIL, --email EMAIL
                        Email used for registration and recovery contact.
                        (default: None)

@kianhean

kianhean commented Jan 3, 2016

I just tried

[[ -t 1 ]] && DOKKU_RUN_OPTS="-it"

and have the same error unfortunately

@fruitl00p
Contributor

@sseemayer I can confirm that changing the [[ -t 1 ]] did work for me...

Our setup:
We have a running dokku instance, and after installing the plugin as described in the readme (dokku install... etc) we had the pythondialogerr; after changing only the mentioned line, our first certificate is working!

I would however like to comment that having separate e-mail addresses per app would be great, thus I'd opt for dokku letsencrypt:register <app> <email> and afterwards a cron-jobable: dokku letsencrypt <app> which returns a mentioning of first having to register using the :register command.

Thanks for the work!

@sseemayer
Contributor

Since it at least works better for some, I've switched to use the new method for now.

I've created an issue #15 to cover the discussed register command to discuss the design of this change since it's not clear to me yet how to best handle the let's encrypt account creation.

I'll keep this issue open since the actual TTY detection method is still unreliable for @exp00 and possibly @wrockwood and @beevelop. Suggestions on a more reliable technique, anyone?
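An added example, not part of the thread or of the plugin's code: a file-descriptor based check that decides whether to pass -it, and that refuses to start an unattended run which could only end at the e-mail prompt. plan_run and CLIENT_ARGS are hypothetical names; DOKKU_RUN_OPTS and the --email option are taken from the comments above.

```shell
#!/usr/bin/env bash
# Added example (not the plugin's code). plan_run and CLIENT_ARGS are
# hypothetical; DOKKU_RUN_OPTS and --email come from the thread.

# Sets DOKKU_RUN_OPTS and CLIENT_ARGS. Returns 1 when there is neither a
# terminal nor an e-mail address, i.e. the client would have to prompt
# with nobody able to answer.
plan_run() {
  plan_email="${1:-}"
  DOKKU_RUN_OPTS=""
  CLIENT_ARGS=""

  # bash sets $PS1 only in interactive shells, so inside a script it is
  # usually empty even on a real terminal, and an exported PS1 can be
  # non-empty under cron. Test the descriptors themselves instead.
  # docker's -t needs a terminal on stdin (fd 0); a dialog that draws on
  # the screen also needs one on stdout (fd 1).
  if [ -t 0 ] && [ -t 1 ]; then
    DOKKU_RUN_OPTS="-it"
  fi

  if [ -n "$plan_email" ]; then
    # The address is supplied up front, so no prompt is needed.
    CLIENT_ARGS="--email $plan_email"
    return 0
  fi

  # No address given: proceed only if the client can actually ask for it.
  [ -n "$DOKKU_RUN_OPTS" ]
}

# Call plan_run directly, never as $(plan_run ...): command substitution
# replaces fd 1 with a pipe and the check would always report "no TTY".
if plan_run "${1:-}"; then
  echo "docker run opts: '${DOKKU_RUN_OPTS}', client args: '${CLIENT_ARGS}'"
else
  echo "no terminal and no e-mail address: not starting a run that would prompt" >&2
fi
```

Run from cron or an ansible task, the script takes the non-interactive branch and needs the address as its first argument.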

@wrockwood
Author

This works for me, and I appreciate the idea of specifying the email address. My ultimate plan is to automate some of this with ansible (much like my deployment of docker/dokku itself,) and it's nice not to deal with interactivity.

@sseemayer
Contributor

I think I have a good solution for this that I'll push on the weekend that will include a new command for specifying e-mail addresses and will never request a TTY to retrieve the certificates. The change will come together with a change to https://github.com/kuba/simp_le instead of the official client since it's much easier to automate that client.

@sseemayer
Contributor

My commit already auto-closed this but can I have some confirmation that it is actually working as intended for everyone now? The command for specifying the e-mail address turned out to be dokku letsencrypt:email <app> <e-mail> instead of register because it only saves the e-mail address for the next certificate request instead of actually registering an account.

Thanks @wrockwood @beevelop @exp00 @fruitl00p for your helpful inputs!

@wrockwood
Author

I can confirm it is working as expected so far.

dokku letsencrypt:email
and
dokku letsencrypt

both worked as expected, and the certificate info reflects what I would expect to see. Thanks!

@kianhean

kianhean commented Jan 7, 2016

@sseemayer thanks for your hard work!

I will give it a try later, but I have a question first; maybe I will start a new thread.

@fruitl00p
Contributor

@sseemayer Awesome work! Great that it allows e-mails per app. Are there any special precautions to take to upgrade the plugin and not break existing ssl certs?

@sseemayer
Contributor

Account keys and certificates are now stored in a different place so any old certs that you already had installed would be ignored when you re-run dokku letsencrypt <app>. Because no certificates are found at the new location, a new account would be registered and the certificate would get requested again.

If you care about keeping your existing account key and certificates, you could try migrating them according to the simp_le wiki and placing them in $LETSENCRYPT_CONFIG_DIR/{account_key.json,fullchain.pem,chain.pem,cert.pem,key.pem} yourself. Personally, I thought it was too much work so I just re-requested everything 😀

@jrmoserbaltimore

It's still giving me this error from docker compose.

app:
  image: quay.io/letsencrypt/letsencrypt:latest
  command:  auth
  volumes:
    - /var/lib/docker/opt/letsencrypt/data/etc/letsencrypt:/etc/letsencrypt
    - /var/lib/docker/opt/letsencrypt/data/var/lib/letsencrypt:/var/lib/letsencrypt
    - /var/lib/docker/opt/nginx/www/:/var/www/

@sseemayer
Contributor

This error is doubly strange since we 1) don't use docker compose and 2) since a while already, we've switched away from the official letsencrypt container to use simp_le instead (see e.g. 2d801df).

Are you doing something fancy with how you're running the plugin? Are you on the latest version?

@jrmoserbaltimore

I think I had to change something in my config file, but I forget what.

@sseemayer
Contributor

I'm sorry but I don't understand what you're trying to do.

Can you please elaborate what software you are trying to use / combine how, which versions of things you're using and post the logs of a full run (ideally with dokku trace on enabled) as a gist?
