Certbot error about unquoted string after upgrade

Hi,

We upgraded from certbot 1.3.0 to the latest, mainly by uninstalling it and then reinstalling using the pip method (Python 3.5, debian 9).
Since then certbot does not start anymore, can't even display the help. An example of the command result:

# /usr/local/bin/certbot --help all
/opt/certbot/lib/python3.5/site-packages/OpenSSL/crypto.py:14: CryptographyDeprecationWarning: Python 3.5 support will be dropped in the next release of cryptography. Please upgrade your Python.
  from cryptography import utils, x509
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 7, in <module>
    from certbot.main import main
  File "/opt/certbot/lib/python3.5/site-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/opt/certbot/lib/python3.5/site-packages/certbot/_internal/main.py", line 16, in <module>
    from certbot import crypto_util
  File "/opt/certbot/lib/python3.5/site-packages/certbot/crypto_util.py", line 30, in <module>
    from certbot import util
  File "/opt/certbot/lib/python3.5/site-packages/certbot/util.py", line 17, in <module>
    import configargparse
  File "/opt/certbot/lib/python3.5/site-packages/configargparse.py", line 406
    raise ValueError(f"Error trying to unquote the quoted string: {text}: {e}") from e
                                                                             ^
SyntaxError: invalid syntax

Do you have any idea of what could cause this?

We use it for a wildcard certificate using dns challenge with OVH as DNS registrar.
We upgraded because they changed their API, as explained in this certbot issue, so we can't really downgrade back to 1.3.0.

Best regards,

I probably know the answer already ("not possible", "legacy software requirements" et cetera), but you shouldn't be using an OS which doesn't receive security updates for more than one or three years now (depending if you had LTS or not).

The problem you're facing is that the version of configargparse that's used uses f-strings, which are not supported in Python 3.5 (since 3.6). Which is interesting, as configargparse claims support for Python 3.5 in the most recent version of the code. (Opened an issue about this: Python 3.5-support and f-strings · Issue #289 · bw2/ConfigArgParse · GitHub)

You probably want to update your Python version to 3.6 or newer.

2 Likes
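The failure in the traceback above only surfaces at import time, so a pip-installed environment can be checked ahead of time by parsing every module with the interpreter that will run it. The following is an added example, not part of any post in this thread and not Certbot's own code; the function names are hypothetical, and it is written without f-strings so that it also runs on Python 3.5.

```python
import os
import sys
import tempfile


def find_unparsable_modules(root):
    """Return (path, line, message) for each .py file under root that the
    running interpreter cannot parse. Nothing is imported or executed."""
    failures = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as handle:
                source = handle.read()
            try:
                # Bytes input lets compile() honour the file's encoding cookie.
                compile(source, path, "exec", dont_inherit=True)
            except SyntaxError as exc:
                failures.append((path, exc.lineno, exc.msg))
            except ValueError as exc:  # e.g. NUL bytes on older interpreters
                failures.append((path, None, str(exc)))
    return failures


def demo():
    """Constructed sample tree: one valid module, one with a syntax error."""
    root = tempfile.mkdtemp(prefix="parsecheck-")
    with open(os.path.join(root, "good.py"), "w") as handle:
        handle.write("VALUE = 1\n")
    with open(os.path.join(root, "bad.py"), "w") as handle:
        handle.write("VALUE = 1\ndef broken(:\n    pass\n")
    return find_unparsable_modules(root)


if __name__ == "__main__":
    # Usage: python parsecheck.py /opt/certbot/lib/python3.5/site-packages
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = find_unparsable_modules(target) if target else demo()
    for path, line, message in results:
        print("{}:{}: {}".format(path, line, message))
    sys.exit(1 if results else 0)
```

Run it with the same interpreter the environment uses; a non-zero exit status makes it usable as a gate before scheduled renewals depend on the upgraded install. Some packages ship deliberately invalid test fixtures, so hits under `tests/` directories need a manual look.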

3.8 or newer, as 2.3 drops support for 3.7

4 Likes

Thanks for the hints, I will try to update our Python to 3.8.
Update of the server was planned later this year but if we can't upgrade Python, I can change our plans.

1 Like

I suggest installing Snap/Snapd on your platform and using that to install Certbot and a more modern Python version.

While it is possible to handle this by installing a new Python on your server alongside the existing Python - that can be complex to do correctly for most users. Many people also overwrite the system Python, which ends up breaking many things on the server.

The snap system should let you cleanly have a secondary Python that is only used by Certbot/Snap and doesn't interfere with your linux distribution.

4 Likes

Does stretch have a snapd package? 🙂 I can't find it, as stretch is soooo old, it isn't even listed any more at https://packages.debian.org/

1 Like

Is this Canonical page wrong then?

https://snapcraft.io/docs/installing-snap-on-debian

3 Likes

Probably not, I was just genuinely asking, as packages.debian.org doesn't support stretch any longer. I didn't say I made a good effort of searching the rest of the internet 😉

1 Like

Before posting the above comment, I had searched online and found Debian docs that indicated a package was available:

stretch has been removed to the archive though, so I am not sure how accessible any of these packages are. Building snapd from source is an option.

Updating to a modern, supported, Operating System is the best option. Utilizing snapd is the best quick-fix IMHO, as that will let Certbot/Python be isolated from the main system.

4 Likes

Oh, sorry, the Canonical page is linked from https://certbot.eff.org so ... 🙂

4 Likes

There is a convoluted process to update a local system to utilize the archives instead of the currently supported versions. Debian and Ubuntu typically make it hard to use archived material so people are incentivized to upgrade - but they rarely wipe something into oblivion and will keep the data around somewhere for those that need it.

4 Likes
