Configuring issue

Hi Please can someone help as I'd like to get https working but seem to be going around in circles!
The http access is/was working fine for this

My domain is: aussietennis.club

I ran this command: certbot --nginx

It produced this output:

Traceback (most recent call last):
File "/bin/certbot", line 9, in
load_entry_point('certbot==1.3.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/pkg_resources/init.py", line 558, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/site-packages/pkg_resources/init.py", line 2682, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/site-packages/pkg_resources/init.py", line 2355, in load
return self.resolve()
File "/usr/lib/python2.7/site-packages/pkg_resources/init.py", line 2361, in resolve
module = import(self.module_name, fromlist=['name'], level=0)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 2, in
from certbot._internal import main as internal_main
File "/usr/lib/python2.7/site-packages/certbot/internal/main.py", line 16, in
from certbot import crypto_util
File "/usr/lib/python2.7/site-packages/certbot/crypto_util.py", line 29, in
from certbot import util
File "/usr/lib/python2.7/site-packages/certbot/util.py", line 23, in
from certbot.internal import constants
File "/usr/lib/python2.7/site-packages/certbot/internal/constants.py", line 6, in
from acme import challenges
File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 11, in
import requests
File "/usr/lib/python2.7/site-packages/requests/init.py", line 58, in
from . import utils
File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in
from .exceptions import InvalidURL
File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in
from urllib3.exceptions import HTTPError as BaseHTTPError
File "/usr/lib/python2.7/site-packages/urllib3/init.py", line 8, in
from .connectionpool import (
File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 29, in
from .connection import (
File "/usr/lib/python2.7/site-packages/urllib3/connection.py", line 39, in
from .util.ssl
import (
File "/usr/lib/python2.7/site-packages/urllib3/util/init.py", line 8, in
from .ssl
import (
File "/usr/lib/python2.7/site-packages/urllib3/util/ssl
.py", line 10, in
from ..exceptions import (
ImportError: cannot import name ProxySchemeUnsupported
[root@instance-philw-1 conf.d]#

My web server is (include version): nginx version: nginx/1.12.2

The operating system my web server runs on is (include version): Oracle Linux Server 7.9"

My hosting provider, if applicable, is: Oracle

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): auto

2 Likes

Welcome to the Let's Encrypt Community, Phil :slightly_smiling_face:

I have researched this issue and inquired with the Certbot developers (as seen in the post below).


In the meantime...

Your certbot isn't terribly outdated (1.3.0 vs 1.9.0), but you might try to upgrade to the snap version if possible. This could both bypass the issue (as you will need to remove your deprecated certbot-auto instance when installing the snap version) and get you the most recent certbot version.


It appears that your IPv6 responds differently from your IPv4. You will likely need to either ensure that your IPv6 and IPv4 point to the same server or disable the one you don't want to respond to Let's Encrypt.

2 Likes

@certbot-devs, @_az

Any thoughts here? Please also see the post from philwinfield directly below this post.

I did a bit of research and found this:

You have circular dependent imports.

Possibly this?

2 Likes

Griffin, wow thanks for such a fast reply!

I'm useless at Linux afraid, so bear with me. How do I updated this and now I have what I hope is got closer to sorting this out? The problem seems to be associated with Python...

./certbot-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
Creating virtual environment...
Traceback (most recent call last):
File "/bin/virtualenv", line 3, in
virtualenv.main()
AttributeError: 'module' object has no attribute 'main'
Traceback (most recent call last):
File "", line 27, in
File "", line 19, in create_venv
File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['virtualenv', '--no-site-packages', '--python', '/bin/python2.7', '/opt/eff.org/certbot/venv']' returned non-zero exit status
1

I've updated my ipv6 address to 0:0:0:0:0:ffff:8cee:56ea which I converted using an online tool. Hopefully, this is right!

Thanks,

Phil

2 Likes

No worries, my friend. :slightly_smiling_face: The link I gave you to Certbot has instructions on updating to the snap version. I'm waiting on a response from the Certbot developers. I have good confidence that they will know what to do here.

Did you run certbot-auto as root in your last post?


Looks like it worked. :slightly_smiling_face:

1 Like

How is that an routable IPv6 address?



https://rdap-web.lacnic.net/ip/0:0:0:0:0:ffff:8cee:56ea

This is what DNS shows me:

Name:   aussietennis.club
Address: 140.238.86.234 <<< IPv4 address
Name:   aussietennis.club
Address: ::ffff:140.238.86.234  <<< NOT an IPv6 address
2 Likes

This is a valid ipv6 address.

It's ok to write the last 4 bytes in the ipv4 style.

PS: But it's a private ipv6, so it's not possible to connect that address.

2 Likes

How is ::ffff:... routable?
ARIN/RIPE/LACNIC all don't show anything for that IP

2 Likes

That's a different problem - see my edit.

3 Likes

So he effectively just disabled the public IPv6?

1 Like

8 bytes

2 Likes

Every A-record has 4 bytes, not 8.

255.255.255.255 = 4 positions.

1 Like

I think it is actually some sort of IPv6>IPv4 tunneling service:

curl -Iki [::ffff:8cee:56ea]
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 12 Nov 2020 22:31:29 GMT
Content-Type: text/html
Content-Length: 3700
Last-Modified: Fri, 30 Mar 2018 05:06:50 GMT
Connection: keep-alive
ETag: "5abdc5ea-e74"
Accept-Ranges: bytes

curl -Iki4 aussietennis.club
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 12 Nov 2020 22:33:23 GMT
Content-Type: text/html
Content-Length: 45
Last-Modified: Tue, 10 Nov 2020 18:22:02 GMT
Connection: keep-alive
ETag: "5faada4a-2d"
Accept-Ranges: bytes

OR
It just tells the local system to use the IPv4 address within that IPv6 string.

2 Likes

Makes sense.

I guess it makes it private though?

1 Like

I tested with:

curl -Ik [::ffff:10.1.2.3]`
HTTP/1.1 302 Found
Date: Thu, 12 Nov 2020 22:38:23 GMT
Server: <redacted>
Location: https://[::ffff:10.1.2.3]/
Content-Type: text/html; charset=iso-8859-1

So it's a completely fake IPv6 number - no toredo type tunnel.
Zero, zip, nada, nothing.
It merely connects via IPv4 to the IPv4 number found at the very end.

So these two are one and the same:

Name:   aussietennis.club
Address: 140.238.86.234
Name:   aussietennis.club
Address: ::ffff:140.238.86.234

[ which includes the Hex version as well: [::ffff:8cee:56ea] ]
For those that can't see how the last two are the same:
x8c = 140
xee = 238
x56 = 86
xea = 234

2 Likes

I recognized the hex conversion immediately when philwinfield posted it. I am just not yet familiar enough with IPv6 nomenclature to know the ramifications. According to Let's Debug it should not stop philwinfield from getting a cert via http-01 though. :grin:

The "translation" is fraud.
There is no IPv6 connection.
It simply says...
"You want an IPv6 address, well I'll give you an IPv6 address!"
"Here is my IPv4 address as an IPv6 address."
So "10.1.2.3" becomes [::ffff:10.1.2.3]
& [::ffff:a:1:2:3]
& [::ffff:000a:0001:0002:0003]

1 Like

I think the Python installation on your system is broken. I suspect you'll get the same traceback as

if you run a simple command like python -c 'import requests'.

Similarly, this command shows the virtualenv command on your system being broken:

Both of these problems are almost always caused by installing Python packages from multiple sources such as your OS package manager and pip. The two package managers do not work well together and clobber packages installed by the other.

If you can, I'd recommend using the Certbot snap as suggested above. It includes its own Python installation avoiding problems like this entirely.

If you cannot, I recommend trying to remove any packages you may have installed with pip and reinstall them using yum.

3 Likes

Thanks, as always, for coming to the rescue, bmw. :slightly_smiling_face:

:robot: :man_superhero:


It's a bird! :bird:

It's a plane! :airplane:

It's a beemer! :oncoming_automobile:

2 Likes

OK that's very helpful and also replies from Griffin and rg305 thanks so much!

So I have attempted this and think I may be closer to getting up and running. I've removed the ipv6 reference too.

I now get the following when I try and install which looks the same:

root@instance-philw-1 bin]# sudo certbot --nginx
raceback (most recent call last):
File "/bin/certbot", line 9, in
load_entry_point('certbot==1.3.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/pkg_resources/init.py", line 558, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/site-packages/pkg_resources/init.py", line 2682, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/site-packages/pkg_resources/init.py", line 2355, in load
return self.resolve()
File "/usr/lib/python2.7/site-packages/pkg_resources/init.py", line 2361, in resolve
module = import(self.module_name, fromlist=['name'], level=0)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 2, in
from certbot._internal import main as internal_main
File "/usr/lib/python2.7/site-packages/certbot/internal/main.py", line 16, in
from certbot import crypto_util
File "/usr/lib/python2.7/site-packages/certbot/crypto_util.py", line 29, in
from certbot import util
File "/usr/lib/python2.7/site-packages/certbot/util.py", line 23, in
from certbot.internal import constants
File "/usr/lib/python2.7/site-packages/certbot/internal/constants.py", line 6, in
from acme import challenges
File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 11, in
import requests
File "/usr/lib/python2.7/site-packages/requests/init.py", line 58, in
from . import utils
File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in
from .exceptions import InvalidURL
File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in
from urllib3.exceptions import HTTPError as BaseHTTPError
File "/usr/lib/python2.7/site-packages/urllib3/init.py", line 8, in
from .connectionpool import (
File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 29, in
from .connection import (
File "/usr/lib/python2.7/site-packages/urllib3/connection.py", line 39, in
from .util.ssl
import (
File "/usr/lib/python2.7/site-packages/urllib3/util/init.py", line 8, in
from .ssl
import (
File "/usr/lib/python2.7/site-packages/urllib3/util/ssl
.py", line 10, in
from ..exceptions import (
mportError: cannot import name ProxySchemeUnsupported
root@instance-philw-1 bin]#

So it looks like despite getting httpd installed, I need to remove python which was installed with pip or yum or apt? Sorry again, I'm struggling with troubleshooting this now!

2 Likes