Certbot-auto fails while setting up virtual environment, complains about package hashes


#1

Running ./certbot-auto renew --dry-run --agree-tos (any certbot command, really) produces the following output:

Requirement already satisfied (use --upgrade to upgrade): setuptools>=1.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography==1.2.3->-r /tmp/tmp.KrRJg6fS8B/letsencrypt-auto-requirements.txt (line 35))
THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    pycparser==2.14 from https://pypi.python.org/packages/74/0e/111a4349e81e2a9846129e0357e154b496559799ec34a6b27bc677247bfa/pycparser-2.14-py2.py3-none-any.whl#md5=130e8dc5b640d9339ee4056da0cdc73a (from -r /tmp/tmp.KrRJg6fS8B/letsencrypt-auto-requirements.txt (line 11)):
        Expected sha256 7959b4a74abdc27b312fed1c21e6caf9309ce0b29ea86b591fd2e99ecdf27f73
             Got        52bcedd9180999fc7f3128b4b89ce638ffc0ffcbd136873379d5a37e4f9e7932

It looks like the sha256 hardcoded into certbot-auto refers to the .tar.gz package of pycparser, and pip is trying to download the .whl; obviously the hashes don’t match.

After adding the sha256 manually, certbot fails again, this time while installing cryptography==1.2.3:

  File "/root/.local/share/letsencrypt/lib/python2.7/sre_compile.py", line 583, in compile
    "sorry, but this version only supports 100 named groups"
AssertionError: sorry, but this version only supports 100 named groups

----------------------------------------
Command "/root/.local/share/letsencrypt/bin/python2.7 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-m2aW7m/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-zcVRIo-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/cryptography" failed with error code 1 in /tmp/pip-build-m2aW7m/cryptography

Is it a bug in an old version of cryptography, or is it something with my setup (although I can’t imagine what)? Did anybody else encounter errors? Googling doesn’t return any results.
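Added example (not from this thread, certbot or pip): a small model of pip's --require-hashes check, showing why a requirements line that pins only the sdist digest rejects the wheel, while pinning both digests accepts either legitimate artifact and still rejects a re-uploaded file with different bytes. Constructed byte strings stand in for the real distributions, so no real PyPI hashes appear here.

```python
import hashlib
import re

HASH_RE = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<digest>[0-9a-fA-F]+)")


def parse_requirements(text):
    """Return {name: {(algo, digest), ...}} from pip requirements text.
    Backslash continuation lines are joined, as pip does."""
    pinned = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = re.split(r"[=<>!~ ]", line, maxsplit=1)[0].lower()
        pinned[name] = {(m.group("algo"), m.group("digest").lower())
                        for m in HASH_RE.finditer(line)}
    return pinned


def check_artifact(pinned, name, data):
    """Mimic pip's hash-checking mode: a download is accepted only if its
    digest equals ANY of the hashes pinned for that requirement.
    Returns (ok, allowed_hashes, computed_digests)."""
    allowed = pinned.get(name.lower(), set())
    if not allowed:
        # In hash-checking mode pip refuses requirements with no pinned hash.
        return False, allowed, {}
    got = {algo: hashlib.new(algo, data).hexdigest() for algo, _ in allowed}
    return any(got[algo] == digest for algo, digest in allowed), allowed, got


def sha(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the two files PyPI can serve for one release.
SDIST = b"pycparser-2.14.tar.gz (constructed sample bytes)"
WHEEL = b"pycparser-2.14-py2.py3-none-any.whl (constructed sample bytes)"
TAMPERED_WHEEL = WHEEL + b"\x00"  # constructed: same name, different content

# Only the sdist digest pinned, the situation described in the thread:
REQ_SDIST_ONLY = "pycparser==2.14 --hash=sha256:%s\n" % sha(SDIST)
# Both digests pinned, so either genuine artifact passes:
REQ_BOTH = ("pycparser==2.14 \\\n    --hash=sha256:%s \\\n    --hash=sha256:%s\n"
            % (sha(SDIST), sha(WHEEL)))

if __name__ == "__main__":
    for label, req, data in [("sdist-only/wheel", REQ_SDIST_ONLY, WHEEL),
                             ("both/wheel", REQ_BOTH, WHEEL),
                             ("both/tampered", REQ_BOTH, TAMPERED_WHEEL)]:
        print(label, check_artifact(parse_requirements(req), "pycparser", data)[0])
```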


#2

I am getting the same error… I didn’t try adding the sha256 manually, so not sure if I would get that cryptography error, but definitely have the same initial hash mismatch error.


#3

I’m getting the same error.


#4

Same here. Looked at the repo https://github.com/eliben/pycparser and it looks like nothing’s changed for a year, so this looks like an integrity compromise.


#5

Same here.

Tampered with the hashes, and it did the trick. The question is: is it okay, or is something funny going on and security potentially compromised?


#6

It’s not good to tamper with the hashes. As you say: “something funny is going on and security is potentially compromised.” We should file this against PyPI or pycparser.


#7

I’m also seeing this error.

I tried the hash trick with pycparser just before finding this thread.
I now have the same error installing cryptography.

Ubuntu 16.04 on a DigitalOcean Droplet


#8

Yep. Happening here too. Ubuntu 14.04 with Python 2.7.6 and Apache 2.2

Strangely, it worked on another Ubuntu 14.04 machine which is running Nginx from my home directory rather than Apache. Both are VMs.

There are some confusing (to me, I’m no guru) errors listed below relating to “InsecurePlatformWarning” with a URL reference[1].

Following that through there is a reference to pyOpenSSL[2] which fails to install. When trying to install its dependencies, being pyOpenSSL, cryptography, idna and certifi, the error “AssertionError: sorry, but this version only supports 100 named groups” pops up for the first two in that list of four.

Sorry for cluttering up this forum but here is the pertinent part of the session[3]

Thanks for any hints

Cheers

Mike

[1] https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
[2] https://urllib3.readthedocs.io/en/latest/user-guide.html#ssl-py2
[3]

Reading package lists… Done
Reading package lists… Done
Building dependency tree
Reading state information… Done
dialog is already the newest version.
gcc is already the newest version.
python is already the newest version.
python-dev is already the newest version.
augeas-lenses is already the newest version.
ca-certificates is already the newest version.
libaugeas0 is already the newest version.
libffi-dev is already the newest version.
libssl-dev is already the newest version.
python-virtualenv is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.
Creating virtual environment…
Installing Python packages…
Had a problem while installing Python packages:
Collecting argparse==1.4.0 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 5))
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/vendor/requests/packages/urllib3/util/ssl.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
SNIMissingWarning
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/vendor/requests/packages/urllib3/util/ssl.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Downloading argparse-1.4.0-py2.py3-none-any.whl
Collecting pycparser==2.14 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 11))
Downloading pycparser-2.14-py2.py3-none-any.whl (196kB)
Collecting cffi==1.4.2 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 14))
Downloading cffi-1.4.2.tar.gz (365kB)
Collecting ConfigArgParse==0.10.0 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 31))
Downloading ConfigArgParse-0.10.0.tar.gz
Collecting configobj==5.0.6 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 33))
Downloading configobj-5.0.6.tar.gz
Collecting cryptography==1.2.3 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 35))
Downloading cryptography-1.2.3.tar.gz (373kB)
Collecting enum34==1.1.2 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 57))
Downloading enum34-1.1.2.tar.gz (46kB)
Collecting funcsigs==0.4 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 60))
Downloading funcsigs-0.4-py2.py3-none-any.whl
Collecting idna==2.0 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 63))
Downloading idna-2.0-py2.py3-none-any.whl (61kB)
Collecting ipaddress==1.0.16 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 66))
Downloading ipaddress-1.0.16-py27-none-any.whl
Collecting linecache2==1.0.0 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 69))
Downloading linecache2-1.0.0-py2.py3-none-any.whl
Collecting ndg-httpsclient==0.4.0 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 72))
Downloading ndg_httpsclient-0.4.0.tar.gz
Collecting ordereddict==1.1 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 74))
Downloading ordereddict-1.1.tar.gz
Collecting parsedatetime==2.1 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 76))
Downloading parsedatetime-2.1-py2-none-any.whl
Collecting pbr==1.8.1 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 79))
Downloading pbr-1.8.1-py2.py3-none-any.whl (89kB)
Collecting psutil==3.3.0 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 82))
Downloading psutil-3.3.0.tar.gz (261kB)
Collecting pyasn1==0.1.9 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 104))
Downloading pyasn1-0.1.9-py2.py3-none-any.whl
Collecting pyOpenSSL==0.15.1 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 116))
Downloading pyOpenSSL-0.15.1-py2.py3-none-any.whl (102kB)
Collecting pyRFC3339==1.0 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 119))
Downloading pyRFC3339-1.0-py2.py3-none-any.whl
Collecting python-augeas==0.5.0 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 122))
Downloading python-augeas-0.5.0.tar.gz (90kB)
Collecting python2-pythondialog==3.3.0 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 124))
Downloading python2-pythondialog-3.3.0.tar.bz2 (1.8MB)
Collecting pytz==2015.7 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 127))
Downloading pytz-2015.7-py2.py3-none-any.whl (476kB)
Collecting requests==2.9.1 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 141))
Downloading requests-2.9.1-py2.py3-none-any.whl (501kB)
Collecting six==1.10.0 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 144))
Downloading six-1.10.0-py2.py3-none-any.whl
Collecting traceback2==1.4.0 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 147))
Downloading traceback2-1.4.0-py2.py3-none-any.whl
Collecting unittest2==1.1.0 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 150))
Downloading unittest2-1.1.0-py2.py3-none-any.whl (96kB)
Collecting zope.component==4.2.2 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 153))
Downloading zope.component-4.2.2.tar.gz (546kB)
Collecting zope.event==4.1.0 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 155))
Downloading zope.event-4.1.0.tar.gz (476kB)
Collecting zope.interface==4.1.3 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 157))
Downloading zope.interface-4.1.3.tar.gz (141kB)
Collecting mock==1.0.1 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 175))
Downloading mock-1.0.1.zip (861kB)
Collecting letsencrypt==0.7.0 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 178))
Downloading letsencrypt-0.7.0-py2-none-any.whl
Collecting acme==0.8.1 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 184))
Downloading acme-0.8.1-py2.py3-none-any.whl (91kB)
Collecting certbot==0.8.1 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 187))
Downloading certbot-0.8.1-py2-none-any.whl (217kB)
Collecting certbot-apache==0.8.1 (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 190))
Downloading certbot_apache-0.8.1-py2-none-any.whl (103kB)
Requirement already satisfied (use --upgrade to upgrade): setuptools>=1.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography==1.2.3->-r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 35))
THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
pycparser==2.14 from https://pypi.python.org/packages/74/0e/111a4349e81e2a9846129e0357e154b496559799ec34a6b27bc677247bfa/pycparser-2.14-py2.py3-none-any.whl#md5=130e8dc5b640d9339ee4056da0cdc73a (from -r /tmp/tmp.7Gegmf3spG/letsencrypt-auto-requirements.txt (line 11)):
Expected sha256 7959b4a74abdc27b312fed1c21e6caf9309ce0b29ea86b591fd2e99ecdf27f73
Got 52bcedd9180999fc7f3128b4b89ce638ffc0ffcbd136873379d5a37e4f9e7932

/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/vendor/requests/packages/urllib3/util/ssl.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
You are using pip version 8.0.3, however version 8.1.2 is available.
You should consider upgrading via the ‘pip install --upgrade pip’ command.
mike@pq4:/usr/local/sbin$


#9

Happening here too… no idea how to progress :frowning: Any help would be greatly appreciated.

DigitalOcean Droplet running Ubuntu 14.04, Python 2.7.6, Apache 2.4.7


#10

Right, about cryptography… It caused the same thing on one of my servers which is running Ubuntu 14.04, however on another one recently upgraded to 16.04 there was no such error and tampering with the hashes “solved” it for now. Could be that the limit of 100 groups changed with a slightly newer Python version, or something like that.


#11

Someone already filed this issue: https://github.com/eliben/pycparser/issues/148

Looks like someone re-uploaded the whl file today onto PyPI. Not sure why. Perhaps someone can do a comparative study (diff the repo and the whl and see what changed).


#12

I am also facing the same issue. Tampering with the SHA signature is not a good idea! Let’s see what the community says about this issue!


#13

Hey all, I just did the following and it worked around the problem for me:

pip install pycparser==2.13

Give it a try

I was trying to upgrade to cryptography-1.5.2.tar.gz with a pip install cryptography


#14

Unfortunately, it doesn’t work for me

My platform: Ubuntu 14.04.5 LTS, Python 2.7.6, pip 8.1.2


#15

Just tried it too. Didn’t work for me either. Is there something else you might have done?


#16

Same problem here too. Ubuntu 16.04 LTS


#17

Same issue…
Ubuntu 14.04, python 2.7.6, pip 8.1.2


#18

On my 14.04 I ended up removing pycparser from the list and simply adding another pip call with URL mentioned at #147: git+https://github.com/eliben/pycparser@release_v2.14

That’s still not a solution, unless you want certificates right now :slight_smile:


#19

I am also having the same issue on CentOS 7


#20

Same issue
Debian GNU/Linux 8.6 (jessie), Python 2.7.9