Certbot-auto error message

I followed instructions on https://certbot.eff.org/lets-encrypt/centos6-apache to get certbot-auto.
But any command I issue will end up with an error. For example,

#certbot-auto --version
Bootstrapping dependencies for RedHat-based OSes that will use Python3… (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
No supported Python package available to install. Aborting bootstrap!

which python

/opt/rh/rh-python35/root/usr/bin/python

python --version

Python 3.5.1

When I search the error message, I get to many web pages but couldn’t find one with a solution. Some pages also say certbot-auto is outdated and should be updated to certbot, and some examples are with “certbot” command. But I followed the current instructions on certbot.eff.org.
Can someone please advise, what is certbot-auto trying to do using yum and what is it not finding?
Thank you.

What is your actual Linux distribution? It doesn’t look like CentOS 6 to me. Take note that the Certbot website has separate installation instructions for CentOS 6 and RHEL6.

In the case of RHEL6, you will first need to install the EPEL repository.

It is CentOS6 as shown below.

cat /etc/redhat-release

CentOS release 6.6 (Final)

How can I know if I have EPEL repository? I have the following file.

ls -l /etc/yum.repos.d/epel.repo

-rw-r--r-- 1 root root 957 Nov 4 2012 /etc/yum.repos.d/epel.repo

Does that look right?

It doesn’t look like your EPEL is enabled. What is the output of this command?

yum list python34

It should be something like:

Available Packages
python34.i686                                       3.4.10-1.el6                                     epel
python34.x86_64                                     3.4.10-1.el6                                     epel

Check that your epel.repo file is not enabled=0.

I have enabled=1. However, I see the following,

yum list python34

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=x86_64 error was
14: problem making ssl connection

yum list python35

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=x86_64 error was
14: problem making ssl connection

yum list rh-python35

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=x86_64 error was
14: problem making ssl connection

Do I have the wrong python package? How should I correct this?

It’s not that you have the wrong Python package, it’s that certbot-auto depends on the python34 package from EPEL in order to bootstrap itself onto a CentOS 6 system.

Anyway, the actual problem seems to be that your server can’t talk to the EPEL server, so it is effectively disabled:

I would be checking whether you have any network connectivity issues to that mirrors.fedoraproject.org, or whether you can establish an SSL connection to it.

For example:

curl -v https://mirrors.fedoraproject.org

It’s working fine from here.


Thank you for your instructions. I am really not familiar with the yum and EPEL stuff. Does the output below look right?

curl -v https://mirrors.fedoraproject.org

* About to connect() to mirrors.fedoraproject.org port 443 (#0)
*   Trying 140.211.169.196...
* Adding handle: conn: 0x17a9570
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x17a9570) send_pipe: 1, recv_pipe: 0
* Connected to mirrors.fedoraproject.org (140.211.169.196) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /opt/lampp/share/curl/curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

I don’t know what that path is, but I don’t think that’s the value it should be. I think that is causing your inability to install anything from EPEL.

On CentOS 6, it is by default /etc/pki/tls/certs/ca-bundle.crt, which comes from the ca-certificates package.

What does this show:

echo $CURL_CA_BUNDLE

Output is blank. That is not defined.
I use xampp on this server. That crt might be my attempt a long time ago trying to install a certificate. I don’t remember how I did it then but I am sure it was a failure.

What about

which curl

/opt/lampp/bin/curl

That’s probably related again to the xampp stuff I mentioned above.

I looked at that file, it is from 2008 … :frowning:

ls -l /opt/lampp/share/curl/curl-ca-bundle.crt

-rw-r--r-- 1 root root 238102 Jan 23 2008 /opt/lampp/share/curl/curl-ca-bundle.crt

I’m not really sure about the best way to go about fixing this stuff honestly. I think you need to get your custom curl stuff out of the $PATH because it seems like it’s interfering with other parts of your system, like yum.

In particular, the custom curl binary that is using the custom CA certificate store. Renaming /opt/lampp/share/curl/curl-ca-bundle.crt to something like /opt/lampp/share/curl/curl-ca-bundle.crt.old-dont-use might be needed too.


Thank you very much for your help. I will try that later.
I am afraid I am getting deep into what I have no idea of and I might mess things up further.
I need that xampp stack for something running on that server and I am afraid I will screw it up. So I will proceed slowly.

I removed /opt/lampp/bin from my PATH and renamed /opt/lampp/share/curl/curl-ca-bundle.crt.
I still have same problem with certbot-auto but curl command now gives some kind of error. Do you have more advice for me?

which curl

/usr/bin/curl

which certbot-auto

/usr/local/bin/certbot-auto

certbot-auto -v

Bootstrapping dependencies for RedHat-based OSes that will use Python3… (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
No supported Python package available to install. Aborting bootstrap!

curl -v https://mirrors.fedoraproject.org

* About to connect() to mirrors.fedoraproject.org port 443 (#0)
*   Trying 152.19.134.198... connected
* Connected to mirrors.fedoraproject.org (152.19.134.198) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12190
* Error in TLS handshake, trying SSLv3...
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: mirrors.fedoraproject.org
> Accept: */*
>
* Connection died, retrying a fresh connect
* Closing connection #0
* Issue another request to this URL: ‘https://mirrors.fedoraproject.org
* About to connect() to mirrors.fedoraproject.org port 443 (#0)
*   Trying 152.19.134.198... connected
* Connected to mirrors.fedoraproject.org (152.19.134.198) port 443 (#0)
* TLS disabled due to previous handshake failure
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

yum list python34

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=x86_64 error was
14: problem making ssl connection

These two refer to:

  • “Peer reports incompatible or unsupported protocol version.”

  • “Cannot communicate securely with peer: no common encryption algorithm(s).”

Which potentially means that your curl is using a very old version of NSS or OpenSSL which isn’t capable of talking to modern web servers anymore.

Are you sure you are using curl from /usr/bin/curl and not your custom installed one?

curl -V
/usr/bin/curl -V

You can also make a test which is closer to the behavior of yum with:

/usr/bin/python -c "import urlgrabber; print(len(urlgrabber.urlread('http://mirrors.fedoraproject.org')))"

Unfortunately this rabbit hole seems to go pretty deep, and the problems aren’t really related to Certbot but with the basic functions of your server. I’m hesitant to give further concrete advice for fear of making things worse, since I’m not really familiar with what you have done to your server so far.

It’s possible you might have better luck with a less complicated client like acme.sh.
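
The checks made in this thread, applied to saved `curl -v` output, as an added example that is not part of any post above. The function name `diagnose_curl_log` and the two embedded logs are constructed for illustration (condensed from the transcripts in the thread); the meanings given for the two NSS codes are the ones quoted in the thread.

```shell
# Added example (not from the thread): triage saved `curl -v` output.
SYSTEM_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt   # CentOS 6 default, per the thread

# Reads `curl -v` stderr on stdin, prints one finding per line.
diagnose_curl_log() {
    awk -v sys="$SYSTEM_BUNDLE" '
        /CAfile:/ {
            path = $NF
            if (path != sys && !seen[path]++)
                print "ca-bundle: non-system CA file " path " (expected " sys ")"
        }
        /unable to get local issuer certificate/ && !t++ {
            print "trust: issuer not in the CA bundle curl is using"
        }
        /NSS error -12190/ && !p++ {
            print "protocol: peer reports incompatible or unsupported protocol version"
        }
        /NSS error -12286/ && !c++ {
            print "cipher: no common encryption algorithm(s) with peer"
        }
        /curl: \([0-9]+\)/ {
            match($0, /\([0-9]+\)/)
            print "exit: curl error " substr($0, RSTART + 1, RLENGTH - 2)
        }
    '
}

# Constructed sample: condensed from the XAMPP curl run in the thread.
sample_xampp_log() {
cat <<'EOF'
*   CAfile: /opt/lampp/share/curl/curl-ca-bundle.crt
* SSL certificate problem: unable to get local issuer certificate
curl: (60) SSL certificate problem: unable to get local issuer certificate
EOF
}

# Constructed sample: condensed from the /usr/bin/curl run in the thread.
sample_system_log() {
cat <<'EOF'
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
* NSS error -12190
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
* NSS error -12286
curl: (35) SSL connect error
EOF
}

sample_xampp_log | diagnose_curl_log
sample_system_log | diagnose_curl_log
```

On a real host, feed it with `curl -v https://mirrors.fedoraproject.org 2>&1 | diagnose_curl_log`.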


Thanks again for your help. I think you are right. My server is old and I don’t really know what I am doing. So perhaps I will start a new server and learn to do things the proper way. Below are some results for your reference. I will look into acme.sh.

curl -V

curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

/usr/bin/curl -V

curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

/usr/bin/python -c "import urlgrabber; print(len(urlgrabber.urlread('http://mirrors.fedoraproject.org')))"

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.6/site-packages/urlgrabber/grabber.py", line 638, in urlread
    return default_grabber.urlread(url, limit, **kwargs)
  File "/usr/lib/python2.6/site-packages/urlgrabber/grabber.py", line 1022, in urlread
    s = self._retry(opts, retryfunc, url, limit)
  File "/usr/lib/python2.6/site-packages/urlgrabber/grabber.py", line 886, in _retry
    r = apply(func, (opts,) + args, {})
  File "/usr/lib/python2.6/site-packages/urlgrabber/grabber.py", line 1001, in retryfunc
    fo = PyCurlFileObject(url, filename=None, opts=opts)
  File "/usr/lib/python2.6/site-packages/urlgrabber/grabber.py", line 1066, in __init__
    self._do_open()
  File "/usr/lib/python2.6/site-packages/urlgrabber/grabber.py", line 1360, in _do_open
    self._do_grab()
  File "/usr/lib/python2.6/site-packages/urlgrabber/grabber.py", line 1490, in _do_grab
    self._do_perform()
  File "/usr/lib/python2.6/site-packages/urlgrabber/grabber.py", line 1295, in _do_perform
    raise err
urlgrabber.grabber.URLGrabError: [Errno 14] problem making ssl connection

/opt/rh/rh-python35/root/usr/bin/python -c "import urlgrabber; print(len(urlgrabber.urlread('http://mirrors.fedoraproject.org')))"

Traceback (most recent call last):
  File "<string>", line 1, in <module>
ImportError: No module named 'urlgrabber'

I finally got a chance to test acme.sh and it works fine and I got my certificates. Thank you for your help.
