How to verify the python environment for the "certbot-auto" script


#1

Hi, how can I run the script just to verify that the python environment and its modules work? pip, setuptools …
Without having a domain, nor nginx in operation. I need this to create a test in Travis CI.

git clone https://github.com/certbot/certbot /opt/letsencrypt
chmod a+x /opt/letsencrypt/certbot-auto

cd /opt/letsencrypt/ || exit 1
./certbot-auto ...

P.S. I’m having this problem updating my compiler script for a LEMP Server and that’s why I want to have a test in Travis, to verify.
Additionally I also appreciate any help to solve this problem that I leave attached to the end.


#2

Hi @dertin,

We don’t really recommend using git clone to install Certbot for various reasons; if you’re using it just to get certbot-auto, note that certbot-auto is going to separately re-download the majority of the code that you’ve downloaded from GitHub!

We’d normally suggest getting it from https://dl.eff.org/certbot-auto using something like wget.

If you want certbot-auto to create its Python environment and download its dependencies but not issue a certificate, one option is to run it with --help or even --version. Some people have complained that it downloads dependencies and upgrades in this case, which they found counterintuitive, but since you actually want it to do so, this might be helpful for you.


#3

Hello @schoen

Thanks for the advice, I will use wget in the future.

I just tried with these two commands:

The test in Travis CI failed, because it is not in quiet mode: https://travis-ci.org/dertin/lemp-stack-debian/jobs/490668312#L6375

I will try to add the parameter --quiet

./certbot-auto --version --quiet
./certbot-auto --debug --os-packages-only --quiet

What do you think? I do not understand the functionality of the param: --os-packages-only


#4

Hi @schoen

As expected in Travis CI, I have the same error as in my server with Debian 9.5.

I think the problem is in this commit is when I update the OpenSSL software and other packages.

The error is because it is not possible to find the path to authority certificates.

The only way I can make it work is to add these two lines within the “certbot-auto” script.

export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
export SSL_CERT_DIR=/etc/ssl/certs/

I clarify that if they are exported as environment variables outside the script, it will not work.

But once I solve this strange problem with the validation of the certificate, another problem appeared, as you can read in …

I’m going to try Travis CI, applying a patch with the environment variables for the certificate path inside “certbot-auto”, to see if I get a second error. And I’ll also try again with the previous versions of OpenSSL … where I did not have these problems.

I will notify you of the results, I hope to find what software is causing this behavior.


#5

Will I have solved it with this change?

I do not see an output in the Travis CI terminal for the command, but the command has not returned an error code.

changed files:

I have doubts if the patch will be correct. Now I’m working from Windows and I’m not testing anything on Linux. Maybe tomorrow or Monday, I can test it in an instance of Debian 9.5 on AWS.

If the patch works, I have no idea because now it is necessary. We will have to investigate if the cause was to update the OpenSSL versions from 1.1.1 to 1.1.1a or if a Python module was updated.

regards


#6

The patch is not necessary. It works with Python 2.7.15 and Python 3.7.2 compiled and the new version of pip 19.0.2

It is not clear to me if the defect was from the version of pip 19.0.1 or it was because of using the version of Python 3 installed from the repository and not compiled together with OpenSSL.
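
A diagnostic for the CA-path error discussed in posts #4 to #6, added here as an example; it is not code from the thread or from certbot-auto. It reports where the running interpreter's OpenSSL build looks for CA certificates and whether `SSL_CERT_FILE` / `SSL_CERT_DIR` override that location. The names `diagnose_ca_paths` and `loaded_ca_count` and the report layout are assumptions made for this example.

```python
import os
import ssl


def _resolve(env_var, compiled_default, environ, exists):
    """Mirror ssl.get_default_verify_paths(): the env var wins over the build default."""
    if env_var in environ:
        path, source = environ[env_var], "env:" + env_var
    else:
        path, source = compiled_default, "compiled default"
    return {"path": path, "source": source, "exists": exists(path)}


def diagnose_ca_paths(environ=None):
    """Report where this interpreter's OpenSSL looks for CA certificates."""
    environ = os.environ if environ is None else environ
    p = ssl.get_default_verify_paths()
    report = {
        # The OpenSSL the interpreter is linked against; a self-compiled
        # OpenSSL usually has a different compiled-in directory than the
        # distribution package.
        "openssl": ssl.OPENSSL_VERSION,
        "cafile": _resolve(p.openssl_cafile_env, p.openssl_cafile,
                           environ, os.path.isfile),
        "capath": _resolve(p.openssl_capath_env, p.openssl_capath,
                           environ, os.path.isdir),
    }
    # Verification can only succeed if at least one location exists.
    report["usable"] = report["cafile"]["exists"] or report["capath"]["exists"]
    return report


def loaded_ca_count():
    """CA certificates a default client context loaded from the CA file.

    Certificates in the CA directory are loaded lazily and are not counted.
    """
    return ssl.create_default_context().cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    for key, value in diagnose_ca_paths().items():
        print(key, "=", value)
    print("CA certificates loaded from file:", loaded_ca_count())
```

Run it with the same interpreter that certbot-auto's virtual environment uses; a report with `usable` set to `False` means that interpreter has no trust store at the location it was built to use.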


#7

I’m getting a strange new error.

There is an active apt process while another apt process is attempted to run. Which results in a blocking error.

$ docker exec -t container_test /bin/bash -c "/opt/letsencrypt/certbot-auto-patched --version --quiet"

E: Could not get lock /var/lib/dpkg/lock - open (11: Resource temporarily unavailable)
E: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?

The command "docker exec -t container_test /bin/bash -c "/opt/letsencrypt/certbot-auto-patched --version --quiet"" exited with 100.

https://travis-ci.org/dertin/lemp-stack-debian/jobs/491720410#L6205

I have tried several things, but the error is inside the script “certbot-auto”, I have only tried it in the environment of Travis CI with docker. But I think I ruled out a problem with Travis CI when using this file


#8

@joohoi, could you take a look at this at some point?


#9

That certainly looks strange. Before taking a deeper jump into your tests, have you tried using the --non-interactive CLI argument for certbot-auto? This makes certbot-auto able to handle the dependency installation without user input, which I can see some of your tests failing to.


#10

Hi @joohoi

Sorry, first I run the script in quiet mode (--quiet) and then in (--non-interactive)

--quiet

E: Could not get lock /var/lib/dpkg/lock - open (11: Resource temporarily unavailable)
E: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?

--non-interactive

E: Could not get lock /var/cache/apt/archives/lock - open (11: Resource temporarily unavailable)
E: Unable to lock directory /var/cache/apt/archives/

I suppose quiet mode leaves some active apt process.


#11

I am sending a new change to Travis CI, it takes 1 hour to process it. I will inform you what I obtain from these two commands:

docker exec -t container_test /bin/bash -c "/opt/letsencrypt/certbot-auto-patched --version --no-self-upgrade --quiet"

docker exec -t container_test /bin/bash -c "/opt/letsencrypt/certbot-auto --version --non-interactive"


#12

The previous test failed.

@joohoi If I am using the parameter (--quiet) should I also add the parameter (--non-interactive)?

I sent a new change to the branch. I’m waiting for results.


#13

The script failed again.

Maybe I can list the active processes of “apt” before executing the bootstrap function in the certbot script.

It would be logical that the parameter --no-bootstrap would not give this error. I’ll try it anyway.

