Certbot-Auto Upgrades corrupt Certbot and Not Able To Renew


#1

For the past 2 days I’ve been unable to renew/get certificates. letsencrypt-auto is suddenly complaining about:

Command "/root/.local/share/letsencrypt/bin/python2 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-D67rxR/python-augeas/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-MWkfcN-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.6/python-augeas" failed with error code 1 in /tmp/pip-build-D67rxR/python-augeas/

I’m still using python 2.6, but that has never been a problem.

Please fill out the fields below so we can help you better.

My domain is: -

I ran this command:
./letsencrypt-auto --debug

It produced this output:
Updating letsencrypt and virtual environment dependencies…DEPRECATION: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of pip will drop support for Python 2.6
.DEPRECATION: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of pip will drop support for Python 2.6
.DEPRECATION: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of pip will drop support for Python 2.6
.DEPRECATION: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of pip will drop support for Python 2.6
.DEPRECATION: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of pip will drop support for Python 2.6
Command "/root/.local/share/letsencrypt/bin/python2 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-D67rxR/python-augeas/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-MWkfcN-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.6/python-augeas" failed with error code 1 in /tmp/pip-build-D67rxR/python-augeas/

My operating system is (include version):
CentOS release 6.6 (Final)

My web server is (include version): -

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi, I’m also having issues related to python-augeas, and I’m running Python 2.7:

Updating letsencrypt and virtual environment dependencies…Command "/root/.local/share/letsencrypt/bin/python2.7 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-3_fcnw/python-augeas/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-lO0Svt-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/python-augeas" failed with error code 1 in /tmp/pip-build-3_fcnw/python-augeas/

OS: Debian 8.2

Any tips? Thank you!


#3

I have the exact same issue, even after upgrading Python. CentOS release 6.8 (Final)

Failed building wheel for python-augeas
Command "/root/.local/share/letsencrypt/bin/python2.7 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-h7KQCf/python-augeas/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-aJ7QO2-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/python-augeas" failed with error code 1 in /tmp/pip-build-h7KQCf/python-augeas/

#4

Unable to find a solution, and fearing I would break yum (and possibly other things) on CentOS by upgrading Python, I took a look at other clients.

Acme.sh… what a lifesaver!! Better, faster, same if not more options, etc. Should have used that from the start!

Just changed a few lines in my script and replaced letsencrypt-auto with acme.sh… and all my 36 SNI certificates for 3.500+ domains are ready to go again.


#5

Hi @patrickw

A review of the manual would have made you aware of a behavior that I don’t think should happen but does happen:

--no-self-upgrade (certbot-auto only) prevent the certbot-auto script
from upgrading itself to newer released versions
(default: Upgrade automatically)

Essentially this is the root cause of most failures.

If the OS gets upgraded or python cannot complete the upgrade as wanted it might break your install.

I would run it with the no-auto-upgrade line.

If you have corrupted certbot then I suggest creating a virtual environment and installing certbot in that.

Because of the path setup, a certbot install in a virtual environment will still be able to use certificates created previously.

Andrei


#6

Do you know why this doesn’t make any sense? I was running a very old version of the tool, the original Let’s Encrypt client and not certbot. My version was so old that it said it wasn’t automatically updated anymore, and yet yesterday this happened.


#7

I had exactly the same issue, running CentOS 7 and a very old version of the letsencrypt-auto tool, so I ran in verbose mode and gcc was barfing about not finding augeas.h.

I installed augeas-devel and python-augeas (not sure why they weren’t there before), then gcc complained about libxml/tree.h. Now, I know I have libxml installed (libxml2), and I checked the headers, which were there, albeit as /usr/include/libxml2/libxml/tree.h. I put in a symlink /usr/include/libxml -> /usr/include/libxml2/libxml and now it runs and updates my certs.

Not sure how wise this was, but it’s only my test platform so no biggie. Nevertheless, I think it’s time to upgrade my letsencrypt install.


#8

Hi everyone, so I decided to try to upgrade my letsencrypt-auto tool to certbot on Debian from a repository. Everything seems to be working fine!

Assumptions:

  • I’ve a script to take care of certificate renewal and I don’t want magic stuff happening;
  • OS: Debian 8.2
  • Previously running: letsencrypt-auto original command.

How to Upgrade

  1. Add backports to debian (https://certbot.eff.org/#debianjessie-other)
    Edit /etc/apt/sources.list and add

    deb http://ftp.debian.org/debian jessie-backports main

  2. Install Certbot
    apt-get install certbot -t jessie-backports

  3. Remove the default cron job: this runs twice a day and tries to renew the certificates automatically. In my case I had a cron job for this and, due to other reasons, I need to manually run it:
    Delete file /etc/cron.d/certbot

After this I simply replaced letsencrypt-auto with certbot in my script and everything else, including options like --cert-only, was working just fine!


#9

@TCB13, I’m glad it’s working for you. I wanted to point out to people reading this thread that this approach is almost always a version downgrade, because letsencrypt-auto/certbot-auto is an autoupdater that gets newly released versions automatically, while using your OS packages will give you the most recent packaged version, which often lags months or a year behind the current release.

Some people who did what you did have had renewal problems because the older Certbot couldn’t parse things in the renewal configuration file. So people who are thinking of switching from certbot-auto to an OS package should be careful to check that their renewals still work as expected.


#10

@schoen you’re right. In my case it did a downgrade, I’m getting the following messages:

Attempting to parse the version 0.11.1 renewal configuration file found at /etc/letsencrypt/renewal/…conf with version 0.9.3 of Certbot. This might not work.

However I tried to force a renewal and it worked just fine! So my question is, what will happen when the repository is upgraded to 0.11.1? Will you guys fix this issue before that?

Also, wasn’t letsencrypt actually tested before an upgrade was pushed? Why did it break so many systems?
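
One way to run the check discussed in #9 and #10 before relying on an OS-packaged Certbot, added here as an example that is not from any poster or from the Certbot project. It assumes each file in /etc/letsencrypt/renewal records the Certbot version that wrote it in a top-level `version = ` line (as the message quoted in #10 implies); the function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag renewal configs written by a newer Certbot than the
# one installed (the situation behind the "This might not work" message).
# Function names are hypothetical.

# ver_lt A B: succeed when dotted version A sorts strictly before B.
ver_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$1" ]
}

# conf_version FILE: print the value of the top-level "version = X" line.
conf_version() {
    sed -n 's/^version[[:space:]]*=[[:space:]]*//p' "$1" | head -n1
}

# check_renewal_dir DIR INSTALLED: print one line per config written by a
# Certbot newer than INSTALLED; return 1 if any were found.
check_renewal_dir() {
    dir=$1 installed=$2 status=0
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue
        written=$(conf_version "$conf")
        [ -n "$written" ] || continue
        if ver_lt "$installed" "$written"; then
            printf 'NEWER %s (written by %s, installed %s)\n' \
                "${conf##*/}" "$written" "$installed"
            status=1
        fi
    done
    return $status
}

# Constructed sample data: two renewal configs in a temp dir (not real files).
make_sample() {
    d=$(mktemp -d)
    printf 'version = 0.11.1\n[renewalparams]\n' > "$d/a.example.conf"
    printf 'version = 0.9.3\n[renewalparams]\n' > "$d/b.example.conf"
    printf '%s\n' "$d"
}

# Demo on the sample. Real use: pass /etc/letsencrypt/renewal and
# "$(certbot --version 2>&1 | awk '{print $2}')", then certbot renew --dry-run
sample=$(make_sample)
check_renewal_dir "$sample" 0.9.3 || echo "check with: certbot renew --dry-run"
rm -rf "$sample"
```

A flagged config is not necessarily broken, as #10 found; `certbot renew --dry-run` is the test that confirms whether the installed version can still renew from it.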


#11

Same exact problem.

Command "/root/.local/share/letsencrypt/bin/python2.7 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-2R5qcR/python-augeas/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-8QzBZ2-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/python-augeas" failed with error code 1 in /tmp/pip-build-2R5qcR/python-augeas/

If I run:
./letsencrypt-auto renew

then many errors, including SNIMissingWarning and InsecurePlatformWarning are issued, recommending I upgrade my python version.

Keep in mind, I have very very little experience working with python. I don’t want to have to learn it just to debug this non-working auto-updated letsencrypt system. Just me complaining at this point. :’(

which python shows:
/usr/bin/python

And letsencrypt errors show it apparently using /root/.local/share/letsencrypt/bin/python2.7 for some reason. Likely for system stability, but how do I upgrade this? I don’t know if it uses plugins or libraries that are contained within and if I upgrade, they’ll get nuked and more errors will occur.


#12

Hi @patrickw, @TCB13, @edq37843, @grae, @TomACPace.

We’d love to get some more information to debug this issue.

Could you paste the output of the following command:
certbot --version && sha256sum letsencrypt-auto && pip freeze

Thanks!


#13

Erica,

I have installed certbot since my issue and that is working well, I was using an early letsencrypt git deployment circa December 2015.

However the output from your request is below, hope it helps.

Grae

[root@theseus ~]# certbot --version && sha256sum /opt/letsencrypt/letsencrypt-auto && pip freeze
certbot 0.12.0
e50494fcac29e8691fe38c4688ba010fd5674678042a2a050d9f61879a35ece3 /opt/letsencrypt/letsencrypt-auto
acme==0.12.0
backports.ssl-match-hostname==3.4.0.2
blivet==0.61.15.59
Brlapi==0.6.0
certbot==0.12.0
certbot-apache==0.12.0
cffi==1.6.0
chardet==2.2.1
ConfigArgParse==0.11.0
configobj==4.7.2
configshell-fb==1.1.18
coverage==3.6b3
cryptography==1.3.1
cupshelpers==1.0
decorator==3.4.0
di==0.3
enum34==1.0.4
ethtool==0.8
firstboot==19.5
fros==1.0
future==0.16.0
getmail==4.9.0
idna==2.0
iniparse==0.4
initial-setup==0.3.9.36
ipaddress==1.0.16
IPy==0.75
javapackages==1.0.0
kitchen==1.1.1
kmod==0.1
langtable==0.0.31
lvm===2.02.166-2-RHEL7.-2016-11-16-
lxml==3.2.1
M2Crypto==0.21.1
mock==1.0.1
ndg-httpsclient==0.3.2
ntplib==0.3.2
openlmi==0.5.0
openlmi-software==0.5.0
openlmi-storage==0.8.0
parsedatetime==1.5
perf==0.1
ply==3.4
policycoreutils-default-encoding==0.1
psutil==2.2.1
pyasn1==0.1.9
pycparser==2.14
pycups==1.9.63
pycurl==7.19.0
pygobject==3.14.0
pygpgme==0.3
pyinotify==0.9.4
pykickstart==1.99.66.10
pyliblzma==0.5.3
pyOpenSSL==0.13.1
pyparsing==1.5.6
pyparted==3.9
pyRFC3339==1.0
python-augeas==0.5.0
python-dmidecode==3.10.13
python-meh==0.25.2
python-nss==0.16.0
python2-pythondialog==3.3.0
pytz===2012d
pyudev==0.15
pywbem==0.7.0
pyxattr==0.5.1
PyYAML==3.10
requests==2.6.0
rtslib-fb==2.1.57
scdate==1.10.6
seobject==0.1
sepolicy==1.1
setproctitle==1.1.6
setroubleshoot==1.1
six==1.9.0
slip==0.4.0
slip.dbus==0.4.0
targetcli-fb===2.1.fb41
targetd==0.7
urlgrabber==3.10
urllib3==1.10.2
urwid==1.1.1
virtualenv==1.10.1
yum-langpacks==0.4.2
yum-metadata-parser==1.1.4
zope.component==4.1.0
zope.event==4.0.3
zope.interface==4.0.5


#14

Thanks @grae, that was helpful!

To anyone else who might be hitting this issue:

You are likely using an old version of letsencrypt-auto from before we pinned versions of python-augeas. Replacing that script with https://dl.eff.org/certbot-auto (or downloading from any other certbot source) and running as before should fix this issue.


#15

Hi Erica, thanks for the advice. I’ve followed it, downloading the new certbot-auto script and running it:

certbot-auto renew

and received the following:

An unexpected error occurred:
VersionConflict: (acme 0.12.0 (/root/.local/share/letsencrypt/lib/python2.7/site-packages), Requirement.parse('acme==0.10.1'))
Please see the logfile 'certbot.log' for more details.

certbot.log contains:

Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 872, in main
    plugins = plugins_disco.PluginsRegistry.find_all()
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/plugins/disco.py", line 183, in find_all
    plugin_ep = PluginEntryPoint(entry_point)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/plugins/disco.py", line 34, in __init__
    self.plugin_cls = entry_point.load()
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2301, in load
    self.require(*args, **kwargs)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2324, in require
    items = working_set.resolve(reqs, env, installer, extras=self.extras)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 859, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
VersionConflict: (acme 0.12.0 (/root/.local/share/letsencrypt/lib/python2.7/site-packages), Requirement.parse('acme==0.10.1'))

#16

@TomACPace I actually replaced my version with a clean one from the Debian repo, and it works. Read the post above.


#17

@TomACPace Looks like it’s getting confused about which versions are installed where. I’d recommend following the steps for your operating system at https://certbot.eff.org/.


#18

Thank you, erica! The server with the errors as listed above is now renewed.

I need to spend some time and learn the differences between certbot vs classic letsencrypt client.


#19

certbot is the new name for letsencrypt since about one year ago. However, there shouldn’t be differences in functionality.


#20

Update! python-augeas 1.0.2, now on pypi, removes the additional OS dependency and fixes this issue, even for the oldest versions of letsencrypt-auto.