Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

npm uses deprecated path for certbot

See original GitHub issue

Describe the bug In jc21/nginx-proxy-manager:latest (2.9.2) npm is using the old certbot path const certbot_command = '/opt/certbot/bin/certbot'; This behavior breaks issuing/renewing let’s encrypt certs with Cloudflare.

[5/19/2021] [3:04:20 PM] [SSL      ] › ✖  error     Error: Command failed: /opt/certbot/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf (cert: npm-2) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-3.conf (cert: npm-3) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-4.conf (cert: npm-4) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-5.conf (cert: npm-5) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-6.conf (cert: npm-6) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
0 renew failure(s), 5 parse failure(s)
    at ChildProcess.exithandler (node:child_process:326:12)
    at ChildProcess.emit (node:events:369:20)
    at maybeClose (node:internal/child_process:1067:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0

and

[5/19/2021] [3:29:29 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates via Cloudflare for Cert #14: *.redacted, redacted
[5/19/2021] [3:29:30 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[5/19/2021] [3:29:30 PM] [Express  ] › ⚠  warning   Command failed: /opt/certbot/bin/certbot certonly --non-interactive --cert-name "npm-14" --agree-tos --email "redacted_email" --domains "*.redacted,redacted" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials/credentials-14"
usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: unrecognized arguments: --dns-cloudflare-credentials /etc/letsencrypt/credentials/credentials-14

I saw in the changelogs that the image comes with certbot preinstalled. It is already included in the PATH, but can also be added as a constant which certbot /usr/local/bin/certbot

Using this version of certbot fixes the issue.

For example:

[root@docker-97ed925400b5:/app]# certbot renew --cert-name "npm-6"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/npm-6.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-cloudflare, Installer None
Renewing an existing certificate for redacted
Performing the following challenges:
dns-01 challenge for redacted
dns-01 challenge for redacted
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/npm-6/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded: 
  /etc/letsencrypt/live/npm-6/fullchain.pem (success)

Issue Analytics

State:
Created 2 years ago
Comments:12

Top GitHub Comments

1reaction

Na3bliscommented, Jun 4, 2021

@aparaschiv I’m on 2.9.3, but I don’t have certbot in /usr/local/bin. When I look at the dir I only have:

[root@docker-1ddfaee157f8:/app]# ls /usr/local/bin
json2lua
lua
lua2json
luac
luarocks
luarocks-admin
pip
pip3
pip3.7
wheel

0reactions

schevenincommented, Sep 4, 2021

Hi, I solve my problem with this bash commands in the container ( sudo docker exec -ti nginx-proxy-manager bash ):

mkdir -p /opt/certbot/bin/certbot

cp -a /usr/bin/certbot /opt/certbot/bin/certbot

delete all experied cert and renew. My certbot dir was:

which certbot /usr/local/bin/certbot => /usr/bin/certbot

How did you change which certbot your system was using? Mine still uses /opt/certbot/bin/certbot