Illegal Instruction: 4 after macOS Catalina upgrade

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
martinsub.dyndns.org

I ran this command:
sudo certbot --apache

It produced this output:
martinatl:apache2 minime$ sudo certbot --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Unable to read ssl_module file; not disabling session tickets.

Which names would you like to activate HTTPS for?


1: martinnav.dyndns.org

2: martinsub.dyndns.org


Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel):

Illegal instruction: 4

martinatl:apache2 minime$

My web server is (include version):
Server version: Apache/2.4.41 (Unix)
Server built: Jun 5 2020 23:42:06

The operating system my web server runs on is (include version):
macOS Catalina 10.15.7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.20.0

Like the subject says, I can't run certbot successfully after upgrading from High Sierra to Catalina.

Things I've tried so far:
brew reinstall certbot
brew reinstall python

Still just get that "Illegal instruction: 4" whenever I run certbot (like it shows in the Q&A above).

The certbot --apache plugin has been known to (let's say) misinterpret MacOS Apache.
I would try switching to webroot.

But first, we should see what you already have:
certbot certificates

And the MacOS equivalent (I don't have access to one now) of:
sudo apachectl -t -D DUMP_VHOSTS
[OR sudo apachectl -S]

Then we can better advise your next (possible) move(s).

martinatl:bin minime$ sudo certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Illegal instruction: 4

martinatl:bin minime$

martinatl:bin minime$ sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 is a NameVirtualHost
default server martinsub.dyndns.org (/private/etc/apache2/extra/httpd-vhosts.conf:40)
port 80 namevhost martinsub.dyndns.org (/private/etc/apache2/extra/httpd-vhosts.conf:40)
port 80 namevhost martinnav.dyndns.org (/private/etc/apache2/extra/httpd-vhosts.conf:49)

Just FYI- I completely removed Homebrew (including all installed packages) and then reinstalled it and then reinstalled Certbot. As you can see, I'm still getting the "Illegal instruction: 4" and I'm suspecting that it's a Python error but, so far my searches for how to remedy it aren't yielding anything useful.

Ok so there are no certs (we should be able to get you one with webroot).
And there is no secure vhost configured...
Are you capable of writing a TLS/SSL/HTTPS secured vhost for that name?

While you think about that, and if you know the document root path then try getting a cert with:
sudo certbot certonly --webroot -w /the/DocumentRoot/path -d martinsub.dyndns.org

If you don't know the DocumentRoot, then show the file:

Maybe I read through this too fast...
If you can't run certbot at all, then we have a real problem...
I would try uninstalling certbot and reinstalling it.
Then
certbot certificates

[If that can't work, there is no sense in continuing until it can]

I believe I have confirmed that the "Illegal instruction: 4" means that Python has crashed and that this is a Python issue and not a Certbot issue.

I still stick with my advice:

I did that as a part of ripping Homebrew and all of its installed packages out and then reinstalling Homebrew and using it to install Certbot again.

The reason I believe that "Illegal instruction: 4" is a Python error is because if I switch from Bash to Zsh and run "sudo certbot --apache", I get "zsh: illegal hardware instruction sudo certbot --apache"

And, I discovered that if I remote control the desktop interface of the machine in question, there is a crash report stating that Python quit unexpectedly.

Either:

  • "fix" python

OR

  • reinstall certbot
    [which might reload whatever dependencies it has]

Stick with the basics.
For now, just try to get this to output anything at all (without throwing errors):
certbot certificates

While this is probably true, I don't think you can conclude that of the output above? Certbot just seems to crash!

But you already seem to realise that :stuck_out_tongue:

@RussellM72 Can you post the contents of /var/log/letsencrypt/letsencrypt.log after a crash?

martinatl:letsencrypt root# cat letsencrypt.log
2021-10-11 08:48:41,341:DEBUG:certbot._internal.main:certbot version: 1.20.0
2021-10-11 08:48:41,342:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2021-10-11 08:48:41,342:DEBUG:certbot._internal.main:Arguments: ['--apache']
2021-10-11 08:48:41,343:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-10-11 08:48:41,491:DEBUG:certbot._internal.log:Root logging level set at 30
2021-10-11 08:48:41,494:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2021-10-11 08:48:42,500:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.41
2021-10-11 08:48:43,580:DEBUG:certbot_apache._internal.configurator:[Errno 2] No such file or directory: '/etc/apache2/libexec/apache2/mod_ssl.so'
Traceback (most recent call last):
File "/usr/local/Cellar/certbot/1.20.0/libexec/lib/python3.9/site-packages/certbot_apache/_internal/configurator.py", line 277, in _open_module_file
with open(ssl_module_location, mode="rb") as f:
FileNotFoundError: [Errno 2] No such file or directory: '/etc/apache2/libexec/apache2/mod_ssl.so'
2021-10-11 08:48:43,582:WARNING:certbot_apache._internal.configurator:Unable to read ssl_module file; not disabling session tickets.
2021-10-11 08:48:43,589:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_darwin.DarwinConfigurator object at 0x10ed181c0>
Prep: True
2021-10-11 08:48:43,592:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_darwin.DarwinConfigurator object at 0x10ed181c0> and installer <certbot_apache._internal.override_darwin.DarwinConfigurator object at 0x10ed181c0>
2021-10-11 08:48:43,592:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2021-10-11 08:48:43,622:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/122234252', new_authzr_uri=None, terms_of_service=None), c0460f4255305eb9ed2c621cc83beb43, Meta(creation_dt=datetime.datetime(2021, 5, 4, 2, 11, 40, tzinfo=<UTC>), creation_host='Mac-Mini.local', register_to_eff=None))>
2021-10-11 08:48:43,662:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-10-11 08:48:43,735:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-10-11 08:48:43,972:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-10-11 08:48:43,974:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 11 Oct 2021 12:48:43 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"AmdSnsE1uLs": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-10-11 08:48:47,991:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache

So, I am now fairly convinced that this is a Python problem and it is because I am using Catalina on an unsupported Mac Mini Mid 2010 model. I used Dosdude1's Catalina Patcher to install it.

I think I'm going to need to figure out how to either install certs manually or use a different client than Certbot. Which is a real bummer because I had everything working fairly well under High Sierra with Apache virtual hosts and Certbot.

Any advice on a guide that will help me understand how to generate and install certs for my 2 configured apache vhosts?

Here's what my /etc/apache2/extra/httpd-vhosts.conf file looks like:

# Virtual Hosts
#
# Required modules: mod_log_config

# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at 
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
#<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot "/usr/docs/dummy-host.example.com"
#    ServerName dummy-host.example.com
#    ServerAlias www.dummy-host.example.com
#    ErrorLog "/private/var/log/apache2/dummy-host.example.com-error_log"
#    CustomLog "/private/var/log/apache2/dummy-host.example.com-access_log" common
#</VirtualHost>
#
#<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host2.example.com
#    DocumentRoot "/usr/docs/dummy-host2.example.com"
#    ServerName dummy-host2.example.com
#    ErrorLog "/private/var/log/apache2/dummy-host2.example.com-error_log"
#    CustomLog "/private/var/log/apache2/dummy-host2.example.com-access_log" common
#</VirtualHost>

<VirtualHost *:80>
    ServerName martinsub.dyndns.org
    ProxyPass / http://localhost:4040/
    ProxyPassReverse / http://localhost:4040/
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =martinsub.dyndns.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerName martinnav.dyndns.org
    ProxyPass / http://localhost:4533/
    ProxyPassReverse / http://localhost:4533/
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =martinnav.dyndns.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

As you may notice, I'm just using apache for its ability to do reverse proxy to secure two otherwise insecure web apps.

I'm a total noob at this. I don't know how to generate or install certs manually.

Ideally, I'd like to figure out how to use one of the clients that just relies on bash.

Thanks in advance for any guidance or help.

Finding information online on how to write an HTTPS vhost config file for Apache should be super easy.

Getting a cert on this system using certbot with the apache plugin... probably not possible.

So... what do we do?

You don't use the --apache plugin! - LOL

First edit this section to handle the challenge requests locally (not passed through the proxy).

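<VirtualHost *:80>
    ServerName martinsub.dyndns.org
    # Create a new path just for the challenge files.
    # DocumentRoot is only valid at server or vhost level, not inside <Location>,
    # and Apache comments must be on their own line.
    DocumentRoot "/Some/New/PATH"
    <Directory "/Some/New/PATH">
        Require all granted
    </Directory>
    RewriteEngine On
    # Redirect everything except challenge requests to HTTPS
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>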

Then try using:
certbot certonly --webroot -w /Some/New/PATH -d martinsub.dyndns.org

Note: "/Some/New/PATH" is a figurative placeholder (not a literal).
Please replace that path with an actual new path of your choosing.


No matter how I run Certbot, I get the "Illegal instruction" error and it is because the Python package that Homebrew installs isn't compatible with the CPU in this machine.

So, Certbot is never gonna run on this machine under macOS Catalina. I would need to downgrade back to High Sierra (the last version of macOS this machine officially supports) or switch to Ubuntu (which I'm considering but, this is my music server and I really like having iTunes on it).

I believe I either need to learn how to run Certbot on another machine and then move the certs over manually -or- use another tool like acme.sh.

Alternatively, maybe you could compile or cross-compile your own Python. I guess the illegal instruction issue is because the binary package for Python in that version of macOS assumes the presence of some CPU feature that your machine doesn't actually have. But that assumption isn't something about Python itself, but rather about the target architecture model in the compiler that was used to compile this Python package. If a compiler instead targeted your actual CPU, your Python would presumably run correctly.

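The triage this thread converges on, as an added shell example (not code from any poster here): decode the "Illegal instruction: 4" exit status as a signal, which places the fault in compiled code rather than in a Python exception, then compare the CPU's advertised features with what a binary build expects, as the last reply suggests. The function names, the sample feature string and the required-feature list are assumptions constructed for illustration; the thread does not say which CPU feature is missing.

```shell
#!/bin/sh
# Added example, not from the thread: triage for "Illegal instruction: 4".

# A shell reports a child killed by signal N as exit status 128+N.
# Status 132 = 128+4 = SIGILL: the CPU rejected an opcode, so the fault is
# in compiled code (the interpreter or a C extension), not a Python
# exception, which would exit with a small status and log a traceback.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -gt 128 ]; then
        case $(( $1 - 128 )) in
            4)  echo "SIGILL" ;;
            11) echo "SIGSEGV" ;;
            *)  echo "signal $(( $1 - 128 ))" ;;
        esac
    else
        echo "error exit $1"
    fi
}

# Print each feature in $2 (what the binary is assumed to need) that is
# absent from $1 (what the CPU advertises, e.g. the output of
# `sysctl -n machdep.cpu.features` on macOS). Matching is on whole words,
# so SSE4.1 does not satisfy a requirement for SSE4.2.
missing_features() {
    missing=""
    for need in $2; do
        case " $1 " in
            *" $need "*) ;;
            *) missing="$missing $need" ;;
        esac
    done
    echo "${missing# }"
}

# Demo: a child shell sends itself SIGILL, standing in for the crash.
status=0
sh -c 'kill -s ILL $$' 2>/dev/null || status=$?
echo "child status $status -> $(classify_status "$status")"

# Constructed sample values, not taken from the poster's machine.
CPU_FEATURES="FPU SSE SSE2 SSE3 SSSE3 SSE4.1"
BUILD_NEEDS="SSE4.1 SSE4.2 POPCNT"   # assumed baseline, not stated in the thread
echo "missing: $(missing_features "$CPU_FEATURES" "$BUILD_NEEDS")"
```

On the affected machine, pass the real `sysctl` output as the first argument and the target baseline of the build under suspicion as the second.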