
Renewal doesn't work #2

Open
kellertk opened this issue Aug 27, 2017 · 5 comments

Comments

@kellertk

The plugin doesn't appear to pick up the certbot-asa:asa-host option when renewing. Because this option is unspecified, the plugin throws an error on renewals.

Here's the error log on the renewal:

2017-08-27 18:54:26,603:DEBUG:certbot.main:Root logging level set at 10
2017-08-27 18:54:26,610:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-08-27 18:54:26,615:DEBUG:certbot.main:certbot version: 0.10.2
2017-08-27 18:54:26,616:DEBUG:certbot.main:Arguments: ['--force-renewal']
2017-08-27 18:54:26,622:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#certbot-asa:asa,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#manual)
2017-08-27 18:54:26,654:DEBUG:certbot.renewal:Auto-renewal forced with --force-renewal...
2017-08-27 18:54:26,661:DEBUG:certbot.plugins.selection:Requested authenticator certbot-asa:asa and installer certbot-asa:asa
2017-08-27 18:54:26,671:DEBUG:certbot.plugins.disco:Other error:(PluginEntryPoint#certbot-asa:asa): You haven't specified any ASAs for certificate installation. Use: --certbot-asa:asa-host <host>
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/plugins/disco.py", line 114, in prepare
    self._initialized.prepare()
  File "build/bdist.linux-armv7l/egg/certbot_asa/configurator.py", line 72, in prepare
    "Use: %shost <host>" % (self.argprefix))
PluginError: You haven't specified any ASAs for certificate installation. Use: --certbot-asa:asa-host <host>
2017-08-27 18:54:26,674:DEBUG:certbot.plugins.selection:No candidate plugin
2017-08-27 18:54:26,676:DEBUG:certbot.plugins.selection:No candidate plugin
2017-08-27 18:54:26,677:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2017-08-27 18:54:26,678:INFO:certbot.main:Could not choose appropriate plugin: The certbot-asa:asa plugin is not working; there may be problems with your existing configuration.
The error was: PluginError("You haven't specified any ASAs for certificate installation. Use: --certbot-asa:asa-host <host>",)
2017-08-27 18:54:26,684:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/home.tompkel.net.conf produced an unexpected error: The certbot-asa:asa plugin is not working; there may be problems with your existing configuration.
The error was: PluginError("You haven't specified any ASAs for certificate installation. Use: --certbot-asa:asa-host <host>",). Skipping.
2017-08-27 18:54:26,688:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 413, in handle_renewal_request
    main.obtain_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 617, in obtain_cert
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/usr/lib/python2.7/dist-packages/certbot/plugins/selection.py", line 197, in choose_configurator_plugins
    diagnose_configurator_problem("authenticator", req_auth, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/plugins/selection.py", line 272, in diagnose_configurator_problem
    raise errors.PluginSelectionError(msg)
PluginSelectionError: The certbot-asa:asa plugin is not working; there may be problems with your existing configuration.
The error was: PluginError("You haven't specified any ASAs for certificate installation. Use: --certbot-asa:asa-host <host>",)

2017-08-27 18:54:26,690:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 655, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

The certificate was installed with:

certbot -a certbot-asa:asa -d home.tompkel.net --certbot-asa:asa-host c5506.int.tompkel.net --certbot-asa:asa-castore /etc/ssl/asa-mgmt.pem
@chrismarget
Owner

Thanks for reporting this.

How are you running the renewal, exactly? The command you cited is pretty much a one-shot thing. It won't do renewals by itself.

The debugs indicate a "--force-renewal" option... I'm guessing there's a cronjob or something going on here?

@kellertk
Author

Sorry about not specifying. The initial failure was through the normal certbot cronjobs, and also running a "certbot renew" manually. Since my certificate was expiring, I reissued it as a new cert, then attempted to reproduce the issue by forcing the renewal, since certbot won't renew if it doesn't have to otherwise. The renewal also fails in cronjobs and with a normal "certbot renew".

@chrismarget
Owner

What arguments were used by the cronjob and the manual "certbot renew" command?

Were the required options present?

I'd like to reproduce your issue ... What exactly (beyond the plugin's readme) do I need to do to reproduce your result?

@kellertk
Author

kellertk commented Aug 30, 2017

Absolutely. The cronjob isn't actually a cronjob at all; Debian is now shipping a systemd timer, which is below:

root@unifi-controller:/lib/systemd/system# cat certbot.timer 
[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=3600
Persistent=true

[Install]
WantedBy=timers.target
root@unifi-controller:/lib/systemd/system# cat certbot.service
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

So essentially it's running certbot -q renew to renew certificates. This is expected, since certbot renew is supposed to renew all certificates using the options you specified at certificate issue time. I suspect that what's happening is the specific options that the asa plugin uses aren't getting saved by certbot to use again on renewal. Here is the certbot renewal config file for this domain:

root@unifi-controller:/etc/letsencrypt/renewal# cat home.tompkel.net.conf 
# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/home.tompkel.net
cert = /etc/letsencrypt/live/home.tompkel.net/cert.pem
privkey = /etc/letsencrypt/live/home.tompkel.net/privkey.pem
chain = /etc/letsencrypt/live/home.tompkel.net/chain.pem
fullchain = /etc/letsencrypt/live/home.tompkel.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = certbot-asa:asa
installer = certbot-asa:asa
account = <REDACTED>
server = https://acme-v01.api.letsencrypt.org/directory

Notice there are no parameters that were passed to the plugin.

Steps to reproduce, at least for me:

  1. Request and install a new certificate with the plugin. Specifically, I'm using certbot -a certbot-asa:asa -d home.tompkel.net --certbot-asa:asa-host c5506.int.tompkel.net --certbot-asa:asa-castore /etc/ssl/asa-mgmt.pem
  2. Wait 90 days and allow the certificate to expire, and the cronjob/systemd timer to attempt an auto renewal, or renew manually with certbot renew. Alternatively, force a renewal with certbot renew --force-renewal. Note that simply using certbot renew won't work right now, since the certificate is still valid.

One way this might work would be to write a custom cronjob that runs through a full reissuance every 90 days, since that does appear to work, but doing that would be using certbot incorrectly. The certbot documentation wants you to use certbot renew for all renewals, and this is how my distro is doing the default cron.
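The renewal config quoted above carries only certbot's own keys under [renewalparams], so the plugin has nothing to read back when the timer fires. The script below is an added pre-flight check, not part of certbot or the certbot-asa plugin: it parses a renewal .conf and reports which plugin options are absent. The key names it looks for (certbot-asa:asa_host, certbot-asa:asa_castore) are an assumption about how the options would be persisted; the "fixed" config is constructed for the demonstration.

```python
"""Pre-flight check for a certbot renewal config: are the plugin's own
options persisted under [renewalparams]?  Added example, not plugin code."""

def parse_renewal_conf(text):
    """Parse certbot's renewal .conf format: top-level 'key = value' lines,
    '#' comments, and INI-style [section] headers such as [renewalparams]."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections

def missing_plugin_options(text, required):
    """Return the required plugin options absent from [renewalparams]."""
    params = parse_renewal_conf(text).get("renewalparams", {})
    return [opt for opt in required if opt not in params]

# The renewal config quoted in the issue, with the account id left redacted.
BROKEN_CONF = """\
# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/home.tompkel.net
cert = /etc/letsencrypt/live/home.tompkel.net/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = certbot-asa:asa
installer = certbot-asa:asa
account = <REDACTED>
server = https://acme-v01.api.letsencrypt.org/directory
"""

# ASSUMED key names for the persisted plugin options; the real names depend
# on the plugin and certbot version, so adjust them to what your config shows.
REQUIRED = ["certbot-asa:asa_host", "certbot-asa:asa_castore"]

# Constructed "good" config: the same file with the two assumed keys present.
FIXED_CONF = BROKEN_CONF + ("certbot-asa:asa_host = c5506.int.tompkel.net\n"
                            "certbot-asa:asa_castore = /etc/ssl/asa-mgmt.pem\n")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, "missing:", missing_plugin_options(conf, REQUIRED))
```

Run it against the real file (for example by reading /etc/letsencrypt/renewal/home.tompkel.net.conf into BROKEN_CONF) before trusting the systemd timer to renew.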

@rsaeks

rsaeks commented Oct 26, 2017

Also experiencing issues renewing. Here is some output to help out:

-bash-4.2$ certbot renew
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/HOST.conf

Should renew, less than 30 days before certificate expiry 2017-11-15 03:05:00 UTC.
Cert is due for renewal, auto-renewing...
Requested authenticator certbot-asa:asa and installer certbot-asa:asa
Attempting to renew cert from /etc/letsencrypt/renewal/HOST.conf produced an unexpected error: cannot concatenate 'str' and 'list' objects. Skipping.
Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 418, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 634, in renew_cert
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/usr/lib/python2.7/site-packages/certbot/plugins/selection.py", line 187, in choose_configurator_plugins
    installer = pick_installer(config, req_inst, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/selection.py", line 32, in pick_installer
    config, default, plugins, question, (interfaces.IInstaller,))
  File "/usr/lib/python2.7/site-packages/certbot/plugins/selection.py", line 77, in pick_plugin
    verified.prepare()
  File "/usr/lib/python2.7/site-packages/certbot/plugins/disco.py", line 238, in prepare
    return [plugin_ep.prepare() for plugin_ep in six.itervalues(self._plugins)]
  File "/usr/lib/python2.7/site-packages/certbot/plugins/disco.py", line 120, in prepare
    self._initialized.prepare()
  File "build/bdist.linux-x86_64/egg/certbot_asa/configurator.py", line 74, in prepare
    allhosts = self.conf('host') + self.conf('chost')
TypeError: cannot concatenate 'str' and 'list' objects

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/HOST/fullchain.pem (failure)
Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.14.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 742, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 692, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 435, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
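The second traceback fails one line later than the first: `self.conf('host') + self.conf('chost')` concatenates a str with a list. The block below is an added illustration, not the plugin's code: it reproduces the failing expression and shows a tolerant merge that accepts a single string, a comma-separated string, a list, or None for either option. That a value read back from the renewal config arrives as a string while the CLI default is a list is an assumption, not something the issue states.

```python
"""Reproduce the str + list TypeError from the renewal traceback and show a
merge that tolerates both representations.  Added example, not plugin code."""

def naive_all_hosts(host, chost):
    """Mirrors the failing expression from the traceback."""
    return host + chost

def as_list(value):
    """Normalise an option value to a list of host names.

    Assumption (not stated on the page): a value read back from the renewal
    config can arrive as one string, possibly comma-separated, while the CLI
    default is a list; None means the option was not given at all."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        items = [str(v) for v in value]
    else:
        items = str(value).split(",")
    return [h.strip() for h in items if h.strip()]

def all_hosts(host, chost):
    """Combine the two host options, keeping order and dropping duplicates."""
    merged = []
    for h in as_list(host) + as_list(chost):
        if h not in merged:
            merged.append(h)
    return merged

if __name__ == "__main__":
    # Constructed sample: a string as stored in the renewal config, plus the
    # empty-list default for the option that was never given.
    try:
        naive_all_hosts("c5506.int.tompkel.net", [])
    except TypeError as exc:
        print("naive merge fails:", exc)
    print(all_hosts("c5506.int.tompkel.net", []))
    print(all_hosts("a.example, b.example", ["b.example", "c.example"]))
```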
