I've fallen & can't get up - Can't find virtualenv in .pyenv AWS Centos6

As an update, could I perhaps have my .bash_profile misconfigured? I’m running Python and Airbnb Superset well for the time being. It’s configured as:

.bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
  . ~/.bashrc
fi

# User specific environment and startup programs
PATH=$PATH:$HOME/.local/bin:$HOME/bin

export PATH=~/.local/bin:$PATH

export PATH
export PYENV_ROOT="$HOME/.pyenv"
export PATH="$PYENV_ROOT/bin:$PATH"
eval "$(pyenv init -)"


When trying to run certbot-auto with [ sudo /home/ec2-user/letsencrypt/certbot-auto --apache --debug ] I’m getting an error that virtualenv cannot be found.

It’s actually located in /home/ec2-user/.pyenv/versions/2.7.12/lib/python2.7/site-packages/virtualenv.py (and virtualenv.pyc)

Do I need to create a symlink (and if so, where and how, if you don’t mind explaining)?

Or do I need to add the above location to my path (and again, if you would, help explain how to do that)?

I’m on an AWS Centos6, running Python 2.7, Apache 2.4.25, OpenSSL 1.0.1k.

Thanks for any help!

By default, sudo strips wacky directories from the PATH. You probably need to include your pyenv bindir in the secure_path for sudo. Run sudo visudo, locate the secure_path entry, and add your pyenv bindir to that path listing.

Alternatively, you could install certbot via pip into your pyenv rather than using certbot-auto. While this means you’ll have to manually upgrade certbot with pip every now and then instead of it automatically upgrading during certificate renewal, it might work with your pyenv with much less fuss.

Another alternative would be to just sudo yum install python-virtualenv and let certbot use the system python instead of your pyenv.

1 Like
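As an added example (not from this thread), a small POSIX shell script that reads the effective secure_path from a sudoers-format file, checks whether a directory such as the pyenv shims dir is listed, and reports the entries the current user can write to. The sudoers content is constructed inline; the path values are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: inspect the secure_path sudo will use and
# flag entries the invoking user can write to. Putting a user-writable directory
# such as ~/.pyenv/shims into secure_path means anything dropped there runs as
# root under sudo, which is worth knowing before editing sudoers.
# The sudoers content below is constructed for the demo; real sudo reads /etc/sudoers.

# Print the effective secure_path from a sudoers-format file (last definition wins).
secure_path_of() {
  grep -E '^[[:space:]]*(Defaults[[:space:]]+)?secure_path[[:space:]]*=' "$1" \
    | tail -n 1 \
    | sed 's/^[^=]*=[[:space:]]*//; s/^"//; s/"[[:space:]]*$//'
}

# Return 0 if directory $1 is one of the colon-separated entries in $2.
path_contains() {
  case ":$2:" in
    *":$1:"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print each entry of secure_path $1 that exists and the current user can write to.
writable_entries() {
  old_ifs=$IFS; IFS=:
  for d in $1; do
    [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
  done
  IFS=$old_ifs
}

demo_sudoers=$(mktemp)
cat > "$demo_sudoers" <<'EOF'
Defaults    env_reset
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
# later definition, as after the edit described in the thread
Defaults    secure_path = /home/ec2-user/.pyenv/shims:/sbin:/bin:/usr/sbin:/usr/bin
EOF

sp=$(secure_path_of "$demo_sudoers")
echo "secure_path: $sp"
if path_contains /home/ec2-user/.pyenv/shims "$sp"; then
  echo "pyenv shims directory is in secure_path"
fi
echo "entries writable by $(id -un):"
writable_entries "$sp"
rm -f "$demo_sudoers"
```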

Thanks for your help. I was able to get past this issue by appending the secure_path with:

secure_path = /home/ec2-user/.pyenv/shims:/sbin:/bin:/usr/sbin:/usr/bin

When I proceed I’m now hung up on “FailedChallenges: Failed authorization procedure. poursafe.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout”

This is an AWS EC2 instance where I have a publicly accessible website. I’ve opened up the ports to send/receive all traffic but am still getting the error above. I don’t see any indicators in the logs that describe the issue either.

Could you tell me what I should be looking for to get this resolved? Thanks much!

poursafe.net doesn’t seem to load here either. :frowning:

Does it work for you? Even on mobile data or connection in another place?

Double-check that the A record for this domain matches the external IP listed in the Amazon EC2 control panel.

Make sure that ports 80 and 443 are open in both your system firewall and in the appropriate Security Group in the Amazon control panel.

You could also try stopping and starting the instance so it gets moved to different hardware and gets a new IP address. I’m not aware of this ever resolving any connectivity issues but I do that all the time to resolve other issues. (It’s so bad Netflix programmed their instances to do so for them. :yum:)

I was just checking to be sure 443 was enabled and now have it in my vhosts, and reinstalled mod_ssl along the way. So, I can access the site poursafe.net now. When running the original script I was still getting the “FailedChallenges: Failed authorization procedure. poursafe.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout” error.

I’m now getting a ‘Server only speaks HTTP, not TLS’ error.

I checked my virtual hosts file and changed the 443 record to:

<VirtualHost *:443>
  ServerName poursafe.net
  DocumentRoot /var/www/poursafe.net/public_html

  CustomLog /var/log/httpd/access.log combined
  ErrorLog /var/log/httpd/error.log
</VirtualHost>

I’m getting a rate limit message so will have to wait.

If it’s a rate limit about failed authorizations, you only have to wait for one hour (but you can also test with --staging in order to avoid this restriction).

Thanks for that help too. My hangup right now is I can’t get past the error:

Type: malformed
Detail: Server only speaks HTTP, not TLS

I uninstalled the original install and started all over but am getting the same result. Is this related to my vhosts file for port 443, which includes:

<VirtualHost *:443>
  ServerName poursafe.net
  DocumentRoot /var/www/poursafe.net/public_html
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
  CustomLog /var/log/httpd/access.log combined
  ErrorLog /var/log/httpd/error.log
</VirtualHost>

Thanks for any ideas and help.

Yes, that vhosts file doesn’t specify that it should speak HTTPS! So it defaults to speaking HTTP on port 443, which is not appropriate.

1 Like

Thanks Schoen. I added this to the app1.conf (my vhosts file) and everything works like a charm. So, it appears my problem is I wasn’t set up to receive LE from generating and saving a cert because it didn’t know my file system (where to put certs?) or it needs the localhost certs to verify before creating LE ones. (It’s all a blur but hope this helps the next person.)

<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  <Directory /var/www/poursafe.net/public_html>
    AllowOverride All
  </Directory>
  DocumentRoot /var/www/poursafe.net/public_html
  ServerName poursafe.net
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
  CustomLog /var/log/httpd/access.log combined
  ErrorLog /var/log/httpd/error.log
</VirtualHost>

1 Like

I think the way I would summarize it is that there should be either no HTTPS virtualhost, or an already working HTTPS virtualhost (whether via self-signed certificates, previous Let’s Encrypt certificates, or certificates from some other CA). The Certbot application is able to work under either condition. What doesn’t work is what we might call a partially filled in HTTPS virtualhost—Certbot is not able to detect this in order to “complete” it.

2 Likes
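An added example (not from the thread or from Certbot) that checks an Apache config for the “partially filled in” HTTPS vhost described above: every *:443 VirtualHost lacking SSLEngine on or the certificate directives is reported. The config is constructed inline from the broken and fixed vhosts posted in the thread plus a hypothetical fixed.example name.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot: list port-443 VirtualHosts
# in an Apache config that are only partially set up for TLS, i.e. the
# "Server only speaks HTTP, not TLS" situation above. It looks only inside each
# vhost block (where the fix in the thread put the directives); server-level
# SSLEngine settings and Include files are deliberately not followed.

# Print "<ServerName>: missing <directives>" for each *:443 vhost in file $1
# that lacks SSLEngine on, SSLCertificateFile or SSLCertificateKeyFile.
incomplete_tls_vhosts() {
  awk '
    function report(   msg) {
      msg = ""
      if (!ssl)  msg = msg " SSLEngine"
      if (!cert) msg = msg " SSLCertificateFile"
      if (!key)  msg = msg " SSLCertificateKeyFile"
      if (msg != "") print name ": missing" msg
    }
    /^[[:space:]]*<VirtualHost[^>]*:443>/ { in443 = 1; name = "(no ServerName)"; ssl = cert = key = 0; next }
    !in443 { next }
    /^[[:space:]]*ServerName[[:space:]]/                       { name = $2 }
    /^[[:space:]]*SSLEngine[[:space:]]+[Oo][Nn]([[:space:]]|$)/ { ssl = 1 }
    /^[[:space:]]*SSLCertificateFile[[:space:]]/               { cert = 1 }
    /^[[:space:]]*SSLCertificateKeyFile[[:space:]]/            { key = 1 }
    /^[[:space:]]*<\/VirtualHost>/                              { report(); in443 = 0 }
  ' "$1"
}

# Constructed config: the broken vhost from the thread next to a complete one.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<VirtualHost *:80>
  ServerName poursafe.net
  DocumentRoot /var/www/poursafe.net/public_html
</VirtualHost>
<VirtualHost *:443>
  ServerName poursafe.net
  DocumentRoot /var/www/poursafe.net/public_html
</VirtualHost>
<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  ServerName fixed.example
</VirtualHost>
EOF
incomplete_tls_vhosts "$demo_conf"
rm -f "$demo_conf"
```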
