I can't start Python virtual environment to install certbot

My domain is: sleepfirstfinancing.com

I ran this command: sudo python3 -m venv /opt/certbot/

It produced this output:

The virtual environment was not created successfully because ensurepip is not available. On Debian/Ubuntu systems, you need to install the python3-venv package using the following command.

apt-get install python3-venv

You may need to use sudo with that command. After installing the python3-venv package, recreate your virtual environment.

Failing command: ['/opt/certbot/bin/python3', '-Im', 'ensurepip', '--upgrade', '--default-pip']

My web server is (include version): Server version: Apache/2.4.29 (Ubuntu) Server built: 2023-03-08T17:34:33

The operating system my web server runs on is (include version): Ubuntu 18.04 64bit minimal

My hosting provider, if applicable, is: Hostinger

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.27.0

Description:

Ok bear with me as I'm completely new to all these elements as I'm mostly a front-end developer. This domain is used for an app in a website, and its LetsEncrypt certificate expired. I have tried many ways to get issued another one but I always run into issues, which mostly end with the fact I can't run a virtual environment of Python to install Certbot. I tried deleting all certificates and instances of Certbot, which causes an issue where Apache can't be started. I recovered a backup and tried uninstalling and reinstalling Apache which fixes the issue where it can't start, but on both sides, I can't reinstall Certbot due to the Python virtual environment.

Yes, if you remove cert files that Apache is relying on Apache won't restart (or start).

Ubuntu readily supports the snap install of Certbot. Is there some reason you chose pip/venv over snap? Here is Ubuntu 18 / Apache:

If snap is not viable, did you follow these pip/venv instructions? Seems like a step may have been missed.

2 Likes

Certbot recommends using snapd for installation. Since snapd is not supported on Hostinger Linux-based VPS, you can use Python by installing it first on your server.

https://support.hostinger.com/en/articles/6865487-how-to-install-ssl-on-vps-using-certbot?q=s

My only option (that I know of) is using Python, and no matter which article or guide I follow, I can't start the Python virtual environment

1 Like

Sorry, I don't know pip / venv well enough to help with that. Maybe someone else here will offer help. Or, maybe ask Hostinger why their instructions failed. Or even at the EFF's github for Certbot (link here). Not trying to push you away just offering other avenues for install assistance.

I'd only suggest using a different ACME Client like acme.sh. It's a popular bash script so no snap or pip/venv. Might be easier for you to manage going forward. Just beware its default CA is ZeroSSL so follow instructions to set default CA to Let's Encrypt.

2 Likes

Have you done this?

2 Likes

Yes, multiple times, with and without "sudo", it just says python is already installed and updated to the latest version, but the moment I try to create the virtual environment it just says I have to install it, it's an endless loop.

1 Like

Have you tried using another ACME client [that doesn't use Python]?

And... have you even tried installing via the recommended path [using snap]?
See: Certbot Instructions | Certbot (eff.org)

1 Like

From an earlier link that was shared:

snapd is not supported on Hostinger Linux-based VPS

3 Likes

I've been trying acme.sh, but when I do the acme.sh --issue -d sleepfirstfinancing.com -w /var/www/html command, I just get this:

[Thu Jan 25 17:27:10 UTC 2024] Using CA: https://acme.zerossl.com/v2/DV90 
[Thu Jan 25 17:27:10 UTC 2024] Single domain='sleepfirstfinancing.com' 
[Thu Jan 25 17:27:10 UTC 2024] Getting domain auth token for each domain 
[Thu Jan 25 17:27:50 UTC 2024] Getting webroot for domain='sleepfirstfinancing.com' 
[Thu Jan 25 17:27:50 UTC 2024] Error, can not get domain token "type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/cMe2v-APlkdYiUSOzODV3w","status":"invalid","error":{ 
[Thu Jan 25 17:27:50 UTC 2024] Please add '--debug' or '--log' to check more details. 
[Thu Jan 25 17:27:50 UTC 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

I've been trying to troubleshoot this issue, but I can assure you the domain is pointing to the VPS in the A records, which have the corresponding IPv4 address.

Note that ZeroSSL is a different Certificate Authority than Let's Encrypt and troubleshooting their issues is out of scope for the Let's Encrypt Community.

You can change the CA used. While you are testing, it is advisable to use the Let's Encrypt staging environment to avoid unintentionally encountering rate limits.

3 Likes

Sorry for bothering, but how can I do this? This is something outside of my knowledge.

1 Like

See below post

3 Likes

This article contains the Let's Encrypt staging endpoint URL.

3 Likes

I think you can use any of these values for the acme.sh --server:

LetsEncrypt.org
letsencrypt
LetsEncrypt.org_test
letsencrypt_test
letsencrypttest

3 Likes

I'm trying to run the commands for acme.sh but I'm running into an issue where it says

Register account Error: {  "type": "urn:ietf:params:acme:error:invalidContact",   "detail": "Error creating new account :: invalid contact domain. Contact emails @example.com are forbidden", "status": 400

When I try to run this command to register my email

acme.sh --register-account -m [MY EMAIL]

it keeps returning this error for some reason

Register account Error: {  "type": "urn:ietf:params:acme:error:invalidContact",   "detail": "Error creating new account :: invalid contact domain. Contact emails @example.com are forbidden", "status": 400

apparently there's an account.conf file inside the ~/.acme.sh/ directory where the contact email should be stored, but when I got to that directory, there's no account.conf file.

Those are better questions for the acme.sh github.

I don't know why acme.sh would say your email address is something @example.com if it is not.

Besides, you don't need to register to use Let's Encrypt. That's something you do for CAs that require EAB (like ZeroSSL)

3 Likes

Well, you obviously would need an ACME account registered.

2 Likes

Yes, but is that done separately with acme.sh? Looking at their docs it looked like that was for EAB. Perhaps I misread it. I haven't used acme.sh in ages so don't remember.

In any case, sounds like something was going wrong with whatever they did. I still think their github is a better place for that problem.

EDIT: I was wrong. You do need to register once even for Let's Encrypt to set up the ACME account. I eventually found the docs about that here

3 Likes

Well, I did see my issue. I'm following the instructions here: GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol

And when it told me to use these commands:

curl https://get.acme.sh | sh -s email=my@example.com

and

./acme.sh --install -m my@example.com

I didn't change the email. So I redid everything, I generated the cert, key and fullchain files. I then edited the default-ssl.conf file to replace the existing files with the new ones. I ran the sudo a2ensite default-ssl.conf which says Site default-ssl already enabled

And right now I don't know what to do. The page is still showing the SSL error, when I use https://www.ssllabs.com it says the certificate is expired. I think the only thing that I couldn't do was restart apache after doing all of this, I tried many commands that restart it but I get no visual confirmation if it even happened, which it should do because it did so when I restarted inside the big command to generate the keys, cert and fullchain.

You should be able to see status of Apache with something like:

sudo systemctl status apache2

What does this show?

sudo apache2ctl -t -D DUMP_VHOSTS

Omit sudo from above if not needed

2 Likes
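
An added example, not part of the thread and not from acme.sh or Apache: a small shell helper for the situation described above, where new certificate files were written but the site still presents an expired one. It lists the certificate files a vhost config references, checks each for expiry, and can compare the on-disk fingerprint with what the server presents; the function names and the constructed paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): which certificate files does an Apache
# vhost config reference, are they expired, and is Apache serving the same one?

# Print "Directive path" for each active SSLCertificate* directive; skips
# commented-out lines (directive names are case-insensitive in Apache).
list_cert_directives() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) ~ /^sslcertificate(file|keyfile|chainfile)$/ {
            gsub(/"/, "", $2); print $1, $2
        }' "$1"
}

# Classify a PEM file: missing (absent or not readable), not-a-cert, expired, valid.
cert_status() {
    [ -r "$1" ] || { echo missing; return 0; }
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo not-a-cert; return 0; }
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# SHA-256 fingerprint of the first (leaf) certificate in a file, and of the
# certificate the server on host:443 actually presents. If they differ, the
# server is not presenting the file on disk (not reloaded, or another vhost).
file_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Report the status of every certificate (not key) file a config points at.
check_vhost() {
    list_cert_directives "$1" | while read -r directive path; do
        case "$directive" in *[Kk]ey[Ff]ile) continue ;; esac
        printf '%s %s: %s\n' "$directive" "$path" "$(cert_status "$path")"
    done
}

# Demo on a constructed config; the path does not exist, so it reports "missing".
demo_conf=$(mktemp)
printf '%s\n' '  #SSLCertificateFile /constructed/old.pem' \
    '  SSLCertificateFile /constructed/fullchain.pem' \
    '  SSLCertificateKeyFile /constructed/key.pem' >"$demo_conf"
check_vhost "$demo_conf"
rm -f "$demo_conf"
```

Run `check_vhost` against the site's default-ssl.conf, then compare `file_fingerprint` on the listed certificate file with `served_fingerprint` for the domain. Matching fingerprints with an "expired" status point at the file itself; differing fingerprints point at the running server.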