Certbot-Auto - Upgrade Behavior and a Bad Cert on PYPI Means Renewals/New Certificates Don't Work

After running this command:

sudo -H ./letsencrypt-auto certonly --standalone

I get this output:

Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
Hit:1 http://sfo1.mirrors.digitalocean.com/ubuntu xenial InRelease
Hit:2 http://sfo1.mirrors.digitalocean.com/ubuntu xenial-updates InRelease
Get:3 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Hit:4 http://sfo1.mirrors.digitalocean.com/ubuntu xenial-backports InRelease
Hit:5 https://deb.nodesource.com/node_6.x xenial InRelease
Fetched 102 kB in 0s (133 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
augeas-lenses is already the newest version (1.4.0-0ubuntu1).
ca-certificates is already the newest version (20160104ubuntu1).
gcc is already the newest version (4:5.3.1-1ubuntu1).
libaugeas0 is already the newest version (1.4.0-0ubuntu1).
libffi-dev is already the newest version (3.2.1-4).
python is already the newest version (2.7.11-1).
python-dev is already the newest version (2.7.11-1).
libssl-dev is already the newest version (1.0.2g-1ubuntu4.6).
openssl is already the newest version (1.0.2g-1ubuntu4.6).
python-virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
The following packages were automatically installed and are no longer required:
libpython-all-dev python-all python-all-dev python-wheel
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 17 not upgraded.
Creating virtual environment...
Installing Python packages...
Failed building wheel for pip
Failed building wheel for wheel
Command "/root/.local/share/letsencrypt/bin/python2.7 -u -c "import setuptools, tokenize;__file__='/tmp/pip-3iC98J-build/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-_et8p5-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/pip" failed with error code 1 in /tmp/pip-3iC98J-build/
Traceback (most recent call last):
  File "/tmp/tmp.ghgrshu22e/pipstrap.py", line 146, in <module>
    exit(main())
  File "/tmp/tmp.ghgrshu22e/pipstrap.py", line 133, in main
    shell=True)
  File "/usr/lib/python2.7/subprocess.py", line 574, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command 'pip install --no-index --no-deps -U /tmp/pipstrap-G2rqvp/pip-8.0.3.tar.gz /tmp/pipstrap-G2rqvp/setuptools-20.2.2.tar.gz /tmp/pipstrap-G2rqvp/wheel-0.29.0.tar.gz' returned non-zero exit status 1
user@server:/opt/letsencrypt$ sudo -H ./letsencrypt-auto certonly --standalone
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
Hit:1 http://mirrors.digitalocean.com/ubuntu xenial InRelease
Get:2 http://mirrors.digitalocean.com/ubuntu xenial-updates InRelease [102 kB]
Get:3 http://mirrors.digitalocean.com/ubuntu xenial-backports InRelease [102 kB]
Get:4 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Hit:5 https://deb.nodesource.com/node_6.x xenial InRelease
Fetched 306 kB in 1s (281 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
augeas-lenses is already the newest version (1.4.0-0ubuntu1).
ca-certificates is already the newest version (20160104ubuntu1).
gcc is already the newest version (4:5.3.1-1ubuntu1).
libaugeas0 is already the newest version (1.4.0-0ubuntu1).
libffi-dev is already the newest version (3.2.1-4).
python is already the newest version (2.7.11-1).
python-dev is already the newest version (2.7.11-1).
libssl-dev is already the newest version (1.0.2g-1ubuntu4.6).
openssl is already the newest version (1.0.2g-1ubuntu4.6).
python-virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
The following packages were automatically installed and are no longer required:
libpython-all-dev python-all python-all-dev python-wheel
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 17 not upgraded.
Creating virtual environment...
Installing Python packages...
Failed building wheel for pip
Failed building wheel for wheel
Command "/root/.local/share/letsencrypt/bin/python2.7 -u -c "import setuptools, tokenize;__file__='/tmp/pip-wxS65k-build/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-KZgWzW-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/pip" failed with error code 1 in /tmp/pip-wxS65k-build/
Traceback (most recent call last):
  File "/tmp/tmp.JjTowIeXpB/pipstrap.py", line 146, in <module>
    exit(main())
  File "/tmp/tmp.JjTowIeXpB/pipstrap.py", line 133, in main
    shell=True)
  File "/usr/lib/python2.7/subprocess.py", line 574, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command 'pip install --no-index --no-deps -U /tmp/pipstrap-ewSDdW/pip-8.0.3.tar.gz /tmp/pipstrap-ewSDdW/setuptools-20.2.2.tar.gz /tmp/pipstrap-ewSDdW/wheel-0.29.0.tar.gz' returned non-zero exit status 1

The point where it seems to mess up is here:

Installing Python packages…
Failed building wheel for pip
Failed building wheel for wheel

Any ideas on how to fix this? This is a 512 MB memory server running Ubuntu 16.04.2 x64.

The same with renew:

Failed building wheel for pip
Failed building wheel for wheel
Command "/root/.local/share/letsencrypt/bin/python2.7 -u -c "import setuptools, tokenize;__file__='/tmp/pip-Zob1sr-build/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-La0uTX-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/pip" failed with error code 1 in /tmp/pip-Zob1sr-build/
Traceback (most recent call last):
  File "/tmp/tmp.8zuLeEfYno/pipstrap.py", line 146, in <module>
    exit(main())
  File "/tmp/tmp.8zuLeEfYno/pipstrap.py", line 133, in main
    shell=True)
  File "/usr/lib/python2.7/subprocess.py", line 574, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command 'pip install --no-index --no-deps -U /tmp/pipstrap-FryAla/pip-8.0.3.tar.gz /tmp/pipstrap-FryAla/setuptools-20.2.2.tar.gz /tmp/pipstrap-FryAla/wheel-0.29.0.tar.gz' returned non-zero exit status 1

Ubuntu server 16.04.2 LTS

Same for me on Ubuntu.

Exactly the same here on a Xenial 16.04.2 LTS with 1GB RAM.

Same for me on Ubuntu.

Exactly the same with Ubuntu 16.04.2 LTS, 16 GB RAM!


Same on Debian (stretch).

Everything "is already the newest version".

Failed building wheel for pip
Failed building wheel for wheel
Command "/abc/def/.local/share/letsencrypt/bin/python2.7 -u -c "import setuptools, tokenize;__file__='/tmp/pip-F_KhR0-build/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-PkDYOa-record/install-record.txt --single-version-externally-managed --compile --install-headers /abc/def/.local/share/letsencrypt/include/site/python2.7/pip" failed with error code 1 in /tmp/pip-F_KhR0-build/

Traceback (most recent call last):
  File "/tmp/tmp.5c620xYdLv/pipstrap.py", line 146, in <module>
    exit(main())
  File "/tmp/tmp.5c620xYdLv/pipstrap.py", line 133, in main
    shell=True)
  File "/usr/lib/python2.7/subprocess.py", line 219, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command 'pip install --no-index --no-deps -U /tmp/pipstrap-k2p2j2/pip-8.0.3.tar.gz /tmp/pipstrap-k2p2j2/setuptools-20.2.2.tar.gz /tmp/pipstrap-k2p2j2/wheel-0.29.0.tar.gz' returned non-zero exit status 1

Catching TCP flow, I’ve noticed an Encrypted alert linked with the process…

Have the same issue, what is the problem? Two days ago it all worked nicely…

I think I've found the problem (in my case, it is processing using IPv6; I didn't ask for that!).
pypi.python.org is resolved by DNS as a CNAME to prod.python.map.fastly.net.

And here is the response when I try to reach this host using IPv6:
curl -6 https://prod.python.map.fastly.net/
curl: (51) SSL: certificate subject name (www.python.org) does not match target host name 'prod.python.map.fastly.net'
By the way, using IPv4 has exactly the same effect:
curl -4 https://prod.python.map.fastly.net/
curl: (51) SSL: certificate subject name (www.python.org) does not match target host name 'prod.python.map.fastly.net'

How to resolve this?
Ask the python.org webmaster to configure a virtual host for prod.python.map.fastly.net and use an appropriate SSL certificate? That should be the best thing to do.
Otherwise, I'd have to find out how to make pip ignore the SSL alert, which is not a good thing…
Any other ideas to solve this problem?

I'm trying to disable IPv6, same result =(

Yes, because the IPv6 and IPv4 host is the same, and it responds with an SSL certificate which has been made for the www.python.org domain name.

@fracolo, any workaround?

The client connects using the server name pypi.python.org. CNAMEs involved in the DNS queries don't change that. The certificate has www.python.org as the Common Name, and pypi.python.org among the Subject Alternative Names. Again, with a modern TLS client, that's all fine.

(Older versions of Python do not provide a modern TLS client, but a recent OS like Ubuntu 16.04 is new enough, and the TLS and HTTPS libraries Certbot uses might be fine even on older versions.)
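The point made above (the client matches the certificate against the name it asked for, pypi.python.org, not against the CNAME target) as an added Python example that is not from the thread: it applies RFC 6125-style hostname matching to a constructed certificate in the dict shape returned by `ssl.SSLSocket.getpeercert()`, with CN www.python.org and SANs including pypi.python.org; the wildcard SAN `*.python.org` is an assumption added to show the wildcard rules, and curl's failure against prod.python.map.fastly.net falls out of the same check.

```python
"""Hostname verification: requested name vs. CNAME target (added example)."""
from typing import Dict, Iterable, Tuple

# Constructed peer certificate in getpeercert() dict form, not a real capture.
# The CN is www.python.org; pypi.python.org is among the SANs (as in the thread);
# the *.python.org wildcard is an assumption added for illustration.
PEER_CERT = {
    "subject": ((("commonName", "www.python.org"),),),
    "subjectAltName": (
        ("DNS", "www.python.org"),
        ("DNS", "pypi.python.org"),
        ("DNS", "*.python.org"),
    ),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive, '*' only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard never spans a dot (so *.python.org does not cover a.b.python.org)
    # and is refused for too-broad patterns such as *.org.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: Dict) -> Iterable[str]:
    """Names a client may match against: DNS SANs; the CN only when no SANs exist."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_ok(cert: Dict, requested_host: str) -> Tuple[bool, str]:
    """Return (matched, reason) for the name the client actually connected to.

    The CNAME chain that DNS followed to reach the server plays no part here;
    only the name in the URL / SNI is compared, which is why pypi.python.org
    passes while the CNAME target prod.python.map.fastly.net fails.
    """
    for name in cert_names(cert):
        if _dns_name_matches(name, requested_host):
            return True, f"{requested_host} matches {name}"
    return False, f"{requested_host} is not in {list(cert_names(cert))}"
```

Python's `ssl` module performs the same check for you when `check_hostname` is enabled and `server_hostname` is passed to `wrap_socket`, so pip, talking to pypi.python.org, never sees a mismatch.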

IPv6 is not the issue.

The wrong cert is the issue; this must be fixed by python.org.

The cert looks fine to me.

Can you do an nslookup, and what IP do you get?

ping www.python.org goes to https://python.map.fastly.net/

but https://python.map.fastly.net/ has RED

Can it be related to this? https://github.com/pypa/setuptools/pull/1043

Same problem here, when using:

~# /opt/certbot/certbot-auto certonly --standalone -d domain.tld --email contact@domain.tld --agree-tos

Ubuntu server 16.04.2 LTS