Configuring issue

Hi, please can someone help, as I'd like to get https working but seem to be going around in circles!
The http access is/was working fine for this.

My domain is: aussietennis.club

I ran this command: certbot --nginx

It produced this output:

Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.3.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 558, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2682, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2355, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2361, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 16, in <module>
    from certbot import crypto_util
  File "/usr/lib/python2.7/site-packages/certbot/crypto_util.py", line 29, in <module>
    from certbot import util
  File "/usr/lib/python2.7/site-packages/certbot/util.py", line 23, in <module>
    from certbot._internal import constants
  File "/usr/lib/python2.7/site-packages/certbot/_internal/constants.py", line 6, in <module>
    from acme import challenges
  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 11, in <module>
    import requests
  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in <module>
    from . import utils
  File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in <module>
    from .exceptions import InvalidURL
  File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in <module>
    from urllib3.exceptions import HTTPError as BaseHTTPError
  File "/usr/lib/python2.7/site-packages/urllib3/__init__.py", line 8, in <module>
    from .connectionpool import (
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 29, in <module>
    from .connection import (
  File "/usr/lib/python2.7/site-packages/urllib3/connection.py", line 39, in <module>
    from .util.ssl_ import (
  File "/usr/lib/python2.7/site-packages/urllib3/util/__init__.py", line 8, in <module>
    from .ssl_ import (
  File "/usr/lib/python2.7/site-packages/urllib3/util/ssl_.py", line 10, in <module>
    from ..exceptions import (
ImportError: cannot import name ProxySchemeUnsupported
[root@instance-philw-1 conf.d]#

My web server is (include version): nginx version: nginx/1.12.2

The operating system my web server runs on is (include version): Oracle Linux Server 7.9

My hosting provider, if applicable, is: Oracle

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): auto

2 Likes

Welcome to the Let's Encrypt Community, Phil :slightly_smiling_face:

I have researched this issue and inquired with the Certbot developers (as seen in the post below).


In the meantime...

Your certbot isn't terribly outdated (1.3.0 vs 1.9.0), but you might try to upgrade to the snap version if possible. This could both bypass the issue (as you will need to remove your deprecated certbot-auto instance when installing the snap version) and get you the most recent certbot version.


It appears that your IPv6 responds differently from your IPv4. You will likely need to either ensure that your IPv6 and IPv4 point to the same server or disable the one you don't want to respond to Let's Encrypt.

2 Likes

@certbot-devs, @_az

Any thoughts here? Please also see the post from philwinfield directly below this post.

I did a bit of research and found this:

You have circular dependent imports.

Possibly this?

http://python-notes.curiousefficiency.org/en/latest/python_concepts/import_traps.html

2 Likes

Griffin, wow thanks for such a fast reply!

I'm useless at Linux, I'm afraid, so bear with me. How do I update this? Now I have what I hope has got me closer to sorting this out. The problem seems to be associated with Python...

./certbot-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
Creating virtual environment...
Traceback (most recent call last):
  File "/bin/virtualenv", line 3, in <module>
    virtualenv.main()
AttributeError: 'module' object has no attribute 'main'
Traceback (most recent call last):
  File "", line 27, in <module>
  File "", line 19, in create_venv
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['virtualenv', '--no-site-packages', '--python', '/bin/python2.7', '/opt/eff.org/certbot/venv']' returned non-zero exit status 1

I've updated my ipv6 address to 0:0:0:0:0:ffff:8cee:56ea which I converted using an online tool. Hopefully, this is right!

Thanks,

Phil

2 Likes

No worries, my friend. :slightly_smiling_face: The link I gave you to Certbot has instructions on updating to the snap version. I'm waiting on a response from the Certbot developers. I have good confidence that they will know what to do here.

Did you run certbot-auto as root in your last post?


Looks like it worked. :slightly_smiling_face:

1 Like

How is that a routable IPv6 address?

https://rdap-web.lacnic.net/ip/0:0:0:0:0:ffff:8cee:56ea

This is what DNS shows me:

Name:   aussietennis.club
Address: 140.238.86.234 <<< IPv4 address
Name:   aussietennis.club
Address: ::ffff:140.238.86.234  <<< NOT an IPv6 address
2 Likes

This is a valid ipv6 address.

It's ok to write the last 4 bytes in the ipv4 style.

PS: But it's a private ipv6, so it's not possible to connect to that address.

2 Likes

How is ::ffff:... routable?
ARIN/RIPE/LACNIC all don't show anything for that IP

2 Likes

That's a different problem - see my edit.

3 Likes

So he effectively just disabled the public IPv6?

1 Like

8 bytes

2 Likes

Every A-record has 4 bytes, not 8.

255.255.255.255 = 4 positions.

1 Like

I think it is actually some sort of IPv6>IPv4 tunneling service:

curl -Iki [::ffff:8cee:56ea]
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 12 Nov 2020 22:31:29 GMT
Content-Type: text/html
Content-Length: 3700
Last-Modified: Fri, 30 Mar 2018 05:06:50 GMT
Connection: keep-alive
ETag: "5abdc5ea-e74"
Accept-Ranges: bytes

curl -Iki4 aussietennis.club
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 12 Nov 2020 22:33:23 GMT
Content-Type: text/html
Content-Length: 45
Last-Modified: Tue, 10 Nov 2020 18:22:02 GMT
Connection: keep-alive
ETag: "5faada4a-2d"
Accept-Ranges: bytes

OR
It just tells the local system to use the IPv4 address within that IPv6 string.

2 Likes

Makes sense.

I guess it makes it private though?

1 Like

I tested with:

curl -Ik [::ffff:10.1.2.3]
HTTP/1.1 302 Found
Date: Thu, 12 Nov 2020 22:38:23 GMT
Server: <redacted>
Location: https://[::ffff:10.1.2.3]/
Content-Type: text/html; charset=iso-8859-1

So it's a completely fake IPv6 number - no Teredo type tunnel.
Zero, zip, nada, nothing.
It merely connects via IPv4 to the IPv4 number found at the very end.

So these two are one and the same:

Name:   aussietennis.club
Address: 140.238.86.234
Name:   aussietennis.club
Address: ::ffff:140.238.86.234

[ which includes the Hex version as well: [::ffff:8cee:56ea] ]
For those that can't see how the last two are the same:
x8c = 140
xee = 238
x56 = 86
xea = 234

2 Likes
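The IPv4-mapped forms rg305 walks through above, checked with Python's ipaddress module. This is an added example, not code from anyone in the thread; the DNS answers are constructed from the records quoted above, and the function names are my own.

```python
import ipaddress

# DNS answers for the domain, constructed from the records quoted in the thread.
DNS_ANSWERS = [
    ("A", "140.238.86.234"),
    ("AAAA", "::ffff:140.238.86.234"),  # same host, IPv4-mapped IPv6 spelling
    ("AAAA", "::ffff:8cee:56ea"),       # hex-group spelling of the same mapped address
]


def classify(addr_text):
    """Return (kind, ipv4) with kind one of 'ipv4', 'ipv4-mapped' or 'ipv6'.

    An IPv4-mapped address (::ffff:0:0/96) is not reachable over the IPv6
    internet; it only names an IPv4 host, which is the point made above.
    """
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 4:
        return "ipv4", str(addr)
    mapped = addr.ipv4_mapped  # None unless the address is in ::ffff:0:0/96
    if mapped is not None:
        return "ipv4-mapped", str(mapped)
    return "ipv6", None


def hex_groups(ipv4_text):
    """Spell an IPv4 address as the two trailing hex groups, e.g. 8cee:56ea."""
    b = ipaddress.IPv4Address(ipv4_text).packed  # four bytes: 0x8c 0xee 0x56 0xea
    return "%02x%02x:%02x%02x" % tuple(b)


def routable_ipv6_answers(answers):
    """AAAA records a validation server could actually reach over IPv6."""
    return [a for rtype, a in answers if rtype == "AAAA" and classify(a)[0] == "ipv6"]


if __name__ == "__main__":
    for rtype, a in DNS_ANSWERS:
        print(rtype, a, "->", classify(a))
    print("hex form of 140.238.86.234:", hex_groups("140.238.86.234"))
    print("AAAA records usable over IPv6:", routable_ipv6_answers(DNS_ANSWERS))
```

An empty result from routable_ipv6_answers means the AAAA record adds nothing a client or the CA can use over IPv6, so removing it (as Phil later did) loses no reachability.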

I recognized the hex conversion immediately when philwinfield posted it. I am just not yet familiar enough with IPv6 nomenclature to know the ramifications. According to Let's Debug it should not stop philwinfield from getting a cert via http-01 though. :grin:

The "translation" is fraud.
There is no IPv6 connection.
It simply says...
"You want an IPv6 address, well I'll give you an IPv6 address!"
"Here is my IPv4 address as an IPv6 address."
So "10.1.2.3" becomes [::ffff:10.1.2.3]
& [::ffff:a:1:2:3]
& [::ffff:000a:0001:0002:0003]

1 Like

I think the Python installation on your system is broken. I suspect you'll get the same traceback as

if you run a simple command like python -c 'import requests'.

Similarly, this command shows the virtualenv command on your system being broken:

Both of these problems are almost always caused by installing Python packages from multiple sources such as your OS package manager and pip. The two package managers do not work well together and clobber packages installed by the other.

If you can, I'd recommend using the Certbot snap as suggested above. It includes its own Python installation avoiding problems like this entirely.

If you cannot, I recommend trying to remove any packages you may have installed with pip and reinstall them using yum.

3 Likes

Thanks, as always, for coming to the rescue, bmw. :slightly_smiling_face:

:robot: :man_superhero:


It's a bird! :bird:

It's a plane! :airplane:

It's a beemer! :oncoming_automobile:

2 Likes

OK, that's very helpful, and also the replies from Griffin and rg305, thanks so much!

So I have attempted this and think I may be closer to getting up and running. I've removed the ipv6 reference too.

I now get the following when I try and install which looks the same:

[root@instance-philw-1 bin]# sudo certbot --nginx
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.3.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 558, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2682, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2355, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2361, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 16, in <module>
    from certbot import crypto_util
  File "/usr/lib/python2.7/site-packages/certbot/crypto_util.py", line 29, in <module>
    from certbot import util
  File "/usr/lib/python2.7/site-packages/certbot/util.py", line 23, in <module>
    from certbot._internal import constants
  File "/usr/lib/python2.7/site-packages/certbot/_internal/constants.py", line 6, in <module>
    from acme import challenges
  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 11, in <module>
    import requests
  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in <module>
    from . import utils
  File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in <module>
    from .exceptions import InvalidURL
  File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in <module>
    from urllib3.exceptions import HTTPError as BaseHTTPError
  File "/usr/lib/python2.7/site-packages/urllib3/__init__.py", line 8, in <module>
    from .connectionpool import (
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 29, in <module>
    from .connection import (
  File "/usr/lib/python2.7/site-packages/urllib3/connection.py", line 39, in <module>
    from .util.ssl_ import (
  File "/usr/lib/python2.7/site-packages/urllib3/util/__init__.py", line 8, in <module>
    from .ssl_ import (
  File "/usr/lib/python2.7/site-packages/urllib3/util/ssl_.py", line 10, in <module>
    from ..exceptions import (
ImportError: cannot import name ProxySchemeUnsupported
[root@instance-philw-1 bin]#

So it looks like despite getting httpd installed, I need to remove python which was installed with pip or yum or apt? Sorry again, I'm struggling with troubleshooting this now!

2 Likes