Let’s Encrypt cert renewals broken after Debian 10 ‘Buster’ upgrade

encrypted browsing session graphic

After upgrading one of our servers to Debian 10 ‘Buster’ the letsencrypt CRON job reported this error:

Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
from certbot.main import main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 6, in <module>
import logging.handlers
File "/usr/lib/python2.7/logging/__init__.py", line 26, in <module>
import sys, os, time, cStringIO, traceback, warnings, weakref, collections
File "/usr/lib/python2.7/weakref.py", line 14, in <module>
from _weakref import (
ImportError: cannot import name _remove_dead_weakref

One of the upgrades in Debian 10 is a Python upgrade to v3.7.2. This caused my certbot renewal to break.

How to fix the error:

sudo apt update

Next, install the dependencies for the python3-certbot-nginx package, which include the python3-acme, python3-certbot, python3-mock, python3-openssl, python3-pkg-resources, python3-pyparsing, and python3-zope.interface packages

sudo apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface

Finally, install the python3-certbot-nginx package:

sudo apt install python3-certbot-nginx

To verify that your certbot is working properly:

certbot renew --dry-run

Don’t forget to check your Cron jobs…

In my case – the old Cron job for Let’s Encrypt renewals remained broken, so I disabled it and created a new one.

Old Cron:

/opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log

New Cron:

certbot renew >> /var/log/le-renew.log