Cerbot failing when installing Python packages

FRG · November 16, 2016, 2:04pm

I’m looking forward to replace the self-signed certificates of two servers for Let’s Encrypt certificates. The servers are running an old version of OpenSUSE 12.3. I can’t upgrade the distribution because they are running old custom programs and I don’t want to risk breaking any dependencies of those programs.

I’ve tried CertBot, but it doesn’t work for some reason. During first run it did install a few packages it needed, now it seems everything it needs is already installed, but it fails on “Installing python packages”. The CertBot output can be found below, if it’s of any use…

I’m running CertBot with the certonly --standalone parameters because the Apache server listens on a non-standard port.

Thank you.

[code]server:/opt/certbot # ./certbot-auto certonly --standalone

Bootstrapping dependencies for openSUSE-based OSes…
Obteniendo los datos del repositorio…
AdvertenciaRepository ‘openSUSE-12.3-Update’ appears to be outdated. Consider using a different mirror or server.
AdvertenciaRepository ‘openSUSE-12.3-Update-Non-Oss’ appears to be outdated. Consider using a different mirror or server.
Leyendo los paquetes instalados…
‘python’ ya está instalado.
No hay actualización para ‘python-2.7.3-10.28.1.i586’. La última versión disponible ya se encuentra instalada.
‘python-devel’ ya está instalado.
No hay actualización para ‘python-devel-2.7.3-10.28.1.i586’. La última versión disponible ya se encuentra instalada.
‘gcc’ ya está instalado.
No hay actualización para ‘gcc-4.7-7.1.1.i586’. La última versión disponible ya se encuentra instalada.
‘libopenssl-devel’ ya está instalado.
No hay actualización para ‘libopenssl-devel-1.0.1j-1.71.1.i586’. La última versión disponible ya se encuentra instalada.
‘augeas-lenses’ ya está instalado.
No hay actualización para ‘augeas-lenses-0.10.0-7.5.1.i586’. La última versión disponible ya se encuentra instalada.
‘dialog’ ya está instalado.
No hay actualización para ‘dialog-1.1-51.1.1.i586’. La última versión disponible ya se encuentra instalada.
libffi-devel no se encontró como nombre de paquete, probando en prestaciones.
El paquete ‘libffi47-devel’ que proporciona ‘libffi-devel’ ya está instalado.
‘python-virtualenv’ ya está instalado.
No hay actualización para ‘python-virtualenv-1.8.4-2.1.1.noarch’. La última versión disponible ya se encuentra instalada.
Resolviendo dependencias…
No hay nada que hacer.

Creating virtual environment…
Installing Python packages…
Exception:
Traceback (most recent call last):
File “/root/.local/share/letsencrypt/lib/python2.7/site-packages/pip-9.0.1-py2.7.egg/pip/basecommand.py”, line 215, in main
File “/root/.local/share/letsencrypt/lib/python2.7/site-packages/pip-9.0.1-py2.7.egg/pip/commands/install.py”, line 350, in run
File “/root/.local/share/letsencrypt/lib/python2.7/site-packages/pip-9.0.1-py2.7.egg/pip/commands/install.py”, line 436, in get_lib_location_guesses
File “/root/.local/share/letsencrypt/lib/python2.7/site-packages/pip-9.0.1-py2.7.egg/pip/locations.py”, line 140, in distutils_scheme
File “/root/.local/share/letsencrypt/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg/setuptools/dist.py”, line 261, in init
File “/root/.local/share/letsencrypt/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg/pkg_resources.py”, line 476, in iter_entry_points
File “/root/.local/share/letsencrypt/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg/pkg_resources.py”, line 2229, in get_entry_map
File “/root/.local/share/letsencrypt/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg/pkg_resources.py”, line 2034, in parse_map
File “/root/.local/share/letsencrypt/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg/pkg_resources.py”, line 2560, in split_sections
File “/root/.local/share/letsencrypt/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg/pkg_resources.py”, line 1854, in yield_lines
File “/root/.local/share/letsencrypt/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg/pkg_resources.py”, line 2163, in _get_metadata
File “/root/.local/share/letsencrypt/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg/pkg_resources.py”, line 1181, in get_metadata_lines
File “/root/.local/share/letsencrypt/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg/pkg_resources.py”, line 1178, in get_metadata
File “/root/.local/share/letsencrypt/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg/pkg_resources.py”, line 1238, in _get
IOError: zipimport: can not open file /root/.local/share/letsencrypt/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg
Traceback (most recent call last):
File “/tmp/tmp.wHMlI163ft/pipstrap.py”, line 146, in
exit(main())
File “/tmp/tmp.wHMlI163ft/pipstrap.py”, line 133, in main
shell=True)
File “/usr/lib/python2.7/subprocess.py”, line 544, in check_output
raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command ‘pip install --no-index --no-deps -U /tmp/pipstrap-WX1lIy/pip-8.0.3.tar.gz /tmp/pipstrap-WX1lIy/setuptools-20.2.2.tar.gz /tmp/pipstrap-WX1lIy/wheel-0.29.0.tar.gz’ returned non-zero exit status 2[/code]

serverco · November 16, 2016, 3:53pm

Personally I’d use one of the alternative clients - such as the bash ones, which don’t have the same dependency requirements, for use on an older system like that ( when you don’t want to risk upgrading )

Since on a non-standard port I’d also be tempted to utilise the DNS-01 challenge if possible.

FRG · November 16, 2016, 4:47pm

Any recommendations about the other available clients? There are four bash clients.

GetSSL appears to allow automation of the future renewal process via a cron job, so I think I’ll try that one first (and report back in a few days, if it may of interest to anyone reading this thread).

If I would be no longer using CertBot, can I safely remove the “letsencrypt” directory (inside $HOME/.local/share/ directory) that CerBot created?

Thanks.

serverco · November 16, 2016, 5:22pm

I wrote GetSSL - so my answer may be slightly biased If you have any issues, let me know and I’ll help you through them. GetSSL is designed so you can also run it from a different server, providing you have SSH / SFTP to the server you want to place the certs on if needed, for servers / devices where you couldn’t run most other clients.

Acme.sh is probably better if you want to do a standalone website via the bash script I think ( I haven’t tested that out on acme.sh so can’t be certain )

Yes, you can safely remove the “letsencrypt” directory

FRG · November 18, 2016, 4:01pm

serverco:

I wrote GetSSL - so my answer may be slightly biased If you have any issues, let me know and I’ll help you through them. GetSSL is designed so you can also run it from a different server, providing you have SSH / SFTP to the server you want to place the certs on if needed, for servers / devices where you couldn’t run most other clients.[/quote]

All right, there I go, I’m using GetSSL

I’ve downloaded it and created the default config files. To get a test cert, I only need to add the account email on the account level .cfg file. Then, the subdomain the server is using on the “SANS” setting on the domain .cfg file, the full path to the cert/key files on the domain .cfg file too, the port number on the “SERVER_TYPE” setting (because it’s an https server on a non standard port) and uncomment the “VALIDATE_VIA_DNS=“true”” setting on the domain .cfg file. It seems ok, isn’t it?

Then, my current problem. Whatever the DNS challenge asks me to add (I suppose its adding a TXT type DNS entry), I’ll have to add it manually at the hosting provider custom control panel… There are no commands I can use to add or delete the DNS entries. Will the program and/or challenge server wait for me somehow? Do I have to add any commands anyway…?

Thank you very much for your program and help

[quote=“serverco, post:4, topic:22722”]Yes, you can safely remove the “letsencrypt” directory

Done. Thanks

serverco · November 18, 2016, 4:09pm

close. You created the default config file for the domain you want a cert for I assume ( getssl -c domain.com). unless you have any additional domain names you want on the same cert then you don’t need to add anything to SANS.

Yes, if you’re listening on a non-standard port for http - then you will need to use the DNS challenge.

You will need to uncomment the VALIDATE_VIA_DNS=“true” but it’s also expecting the DNS_ADD_COMMAND= and DNS_DEL_COMMAND= to be set ( for automation ). The easiest is to download and install somewhere the short script files https://github.com/srvrco/getssl/blob/master/dns_scripts/dns_add_manual abd https://github.com/srvrco/getssl/blob/master/dns_scripts/dns_del_manual which you can then link to in the config. They simply print out on the screen what you need to do - then once done, and working, just press return to continue the process.

FRG · November 18, 2016, 4:59pm

serverco:

close. You created the default config file for the domain you want a cert for I assume ( getssl -c domain.com). unless you have any additional domain names you want on the same cert then you don’t need to add anything to SANS.[/quote]

Then, if I only need the certificate for the server at subdomain.domain.com, instead of using SANS to add subdomain.domain.com, should I leave SANS blank and use “getssl subdomain.domain.com” (after creating again config files for subdomain.domain.com)?

[quote=“serverco, post:6, topic:22722”]Yes, if you’re listening on a non-standard port for http - then you will need to use the DNS challenge.

You will need to uncomment the VALIDATE_VIA_DNS=“true” but it’s also expecting the DNS_ADD_COMMAND= and DNS_DEL_COMMAND= to be set ( for automation ). The easiest is to download and install somewhere the short script files https://github.com/srvrco/getssl/blob/master/dns_scripts/dns_add_manual abd https://github.com/srvrco/getssl/blob/master/dns_scripts/dns_del_manual which you can then link to in the config. They simply print out on the screen what you need to do - then once done, and working, just press return to continue the process.

Done! Got the test certificate (for “domain.com” and SANS=“subdomain.domain.com”; waiting for your reply to the above question)! Quite easy and helpful

serverco · November 18, 2016, 5:02pm

Yes, just leave the SANS blank ( and using “getssl subdomain.domain.com” as you say)

FRG · November 19, 2016, 3:05pm

I obtained the real certificate directly using the subdomain (SANS blank) and it’s now working as expected. Your client program did work perfectly, thank you very much for your program and your support

I have already added a scheduled task to renew the certificate, but I suppose that would need manual interaction anyway. I have read on another posts that the DNS verification needs to be done again after 60 days, so it would require me to add and remove the new DNS challenge entries. The host provider appears to offer a DNS API, but right now I think it’ll take less time to manually perform the DNS challenge than review the API and try to write custom add and delete scripts (If I do in the future, I’ll happily hand them over to you, just in case some other user can use them)

Again, thank you very much for your program, GetSSL, and your support on this forum

serverco · November 19, 2016, 3:38pm

You’re welcome Glad you have things sorted.

Currently all validations are remembered for 60 days - so if you obtain a new cert after 59 days, that would happen automatically without you needing to re-verify the domain (so just set RENEW_ALLOW=35 or similar in the getssl.cfg and that will renew after 55 days … i.e. 35 days remaining of the 90 ). That time is likely to reduce to 7 days in the future at some point though.

Is your current DNS provider one of AWS Route53, Cloudflare, CloudXNS, DigitalOcean, DNSimple, DnsMadeEasy, DNSPark, DNSPod, EasyDNS, Gandi, LuaDNS, Namesilo, NS1, PointHQ, Rage4, Transip, Vultr ? if so, then I already have a method to automate via their API.

If you do write a custom script for your provider, then yes please a copy for others would be great

FRG · November 19, 2016, 3:46pm

None of that list…

The DNS provider is Arsys, and they use their own control panel and everything. The only info they provide about their DNS API is this PDF: https://pdc.arsys.es/descargas/Manual%20de%20Usuario%20API%20Hosting.pdf

I have not checked it myself yet.

system · December 19, 2016, 3:46pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.