Can't install certbot - Apache not working

Hi. I’m very new to SSL certificates and using SSH to install software on the server so I’m asking for advice instead of doing something stupid. Please bear with me.

I have a VPS running apache on CentOS 6.6 (or 6.7 i don’t remember) and I’ve successfully executed the commands

$ sudo yum install epel-release
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

They installed a few packages and updated a few others but then I received an error when I entered

$ ./certbot-auto

The error is

/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Version: 1.1-20080819
Version: 1.1-20080819
/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py:496: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6
  return e.message
No installers are available on your OS yet; try running "letsencrypt-auto certonly" to get a cert you can install manually

Does that mean I have to update Python? If so, does it affect my websites/emails/anything?

You should be okay. The top warning is just that Python 2.6 isn’t supported by the Python team anymore and the Cryptography library may eventually no longer work. This should be okay as long as you stay with the core repositories like you are. They won’t package a broken Python Cryptography library.

The second message is just stating that you haven’t installed any specific plugins, so you’re limited to the certonly method.

So you’re saying this code from the user manual will work?

./certbot-auto certonly --standalone --email admin@example.com -d
example.com -d www.example.com -d other.example.net

If so, I’m gonna give it a try tomorrow.

I’ve never tried with the standalone server, but that should work if you replace the values with your details. I recommend you use the “–dry-run” switch for testing so you don’t hit the production rate limits.

Note that you can also use the “–testing” switch to experiment with certificates obtained from the testing/staging server instead of “–dry-run” which removes the certificates after completion. I do not recommend using this switch after you get your first valid certificates, as it’s a pain to clean up when you mix things.

You’ll probably need to prefix that command with sudo–“sudo ./certbot-auto certonly…”

Ahh, I just saw you’re trying to get the certbot-auto tool. SInce you’re on CentOS, I’d suggest installing the certbot package from EPEL. It’s actively maintained and usually updated in a reasonable time after official certbot releases.

Note that you’ll still need to use sudo to root or run the certboot tool as root.

I don’t believe there’s an EPEL package available for CentOS 6–there is for CentOS 7 though.

certbot’s home page doesn’t specify anything like that when I choose CentOs6. It should do that.

The first commands

$ sudo yum install epel-release
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

were supposed to install the epel and it did do something. I guess that’s not gonna work. Will the certonly method be able to auto renew the certificates?

@danb35 is right, the packaged version of certbot (in EPEL) is only available on CentOS 7, the instructions for CentOS 6 are correct as they are right now. The epel-release package that’s included for CentOS 6 is a different matter - that’s to satisfy some certbot requirements.

certonly will work with auto-renewal, yes. I would personally recommend the webroot plugin as it can be used without having to stop apache at all. You’ll need to enable and configure SSL manually, and in order to make sure that apache uses the new certificate files after renewal, you need some kind of hook that (gracefully) restarts apache whenever the certificates change. This can be done using ./certbot-auto renew --post-hook "apachectl graceful".

In the next release of Certbot, certbot-auto will offer to enable EPEL to get those dependencies on CentOS 6 automatically, so this should be a little easier for folks after 0.9.0. In fact, if anyone would like to review this pull request you can help us get there sooner :slight_smile: :

If I could, I would definitely do it but all I have is a production environment with dozens of client’s websites. I’m afraid I can’t take any chances with that.

@pfg I’m gonna try the webroot method and will let you know how it goes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.