I've tried everything (I think) and I can't renew

I have an Apache 2 server running on AWS. Letsencrypt is telling me that I need to renew.
I am trying to renew with the command,

./certbot-auto renew

When I enter that, I get the response:
[root@ip-172-31-29-161 ~]# ./certbot-auto renew
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in
from certbot.main import main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 9, in
import zope.component
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/init.py", line 16, in
from zope.interface import Interface
ImportError: No module named interface

show:
./certbot-auto --version
and get more output detail using:
./certbot-auto renew --verbose
you can upload: /var/log/letsencrypt/letsencrypt.log

It tells me, it can’t get the currently installed version

[root@ip-172-31-29-161 ~]# ./certbot-auto --version
Error: couldn’t get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 7, in
from certbot.main import main
File “/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py”, line 9, in
import zope.component
File “/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/init.py”, line 16, in
from zope.interface import Interface
ImportError: No module named interface

Here is /var/log/letsencrypt/letsencrypt.log
2017-08-07 04:20:07,050:DEBUG:certbot.main:certbot version: 0.17.0
2017-08-07 04:20:07,050:DEBUG:certbot.main:Arguments: [’–debug’]
2017-08-07 04:20:07,050:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-08-07 04:20:07,061:DEBUG:certbot.log:Root logging level set at 20
2017-08-07 04:20:07,061:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-08-07 04:20:07,062:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2017-08-07 04:20:07,127:DEBUG:certbot_apache.configurator:Apache version is 2.2.32
2017-08-07 04:20:07,274:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x7f95e0a00990>
Prep: True
2017-08-07 04:20:07,275:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.configurator.ApacheConfigurator object at 0x7f95e0a00990> and installer <certbot_apache.configurator.ApacheConfigurator object at 0x7f95e0a00990>
2017-08-07 04:20:07,279:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u’mailto:bruce@centerstagesoftware.com’,), agreement=u’https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf’, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f95dfd63490>)>)), uri=u’https://acme-v01.api.letsencrypt.org/acme/reg/19656366’, new_authzr_uri=u’https://acme-v01.api.letsencrypt.org/acme/new-authz’, terms_of_service=u’https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf’), f79a9ad8fb6b68f0959afa6363d1c68f, Meta(creation_host=u’ip-172-31-29-161.us-west-1.compute.internal’, creation_dt=datetime.datetime(2017, 8, 7, 4, 14, 9, tzinfo=)))>
2017-08-07 04:20:07,280:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-08-07 04:20:07,283:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-08-07 04:20:07,457:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 460
2017-08-07 04:20:07,457:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 460
Boulder-Request-Id: GzZXJwydCFGOSGwo73EG3EPQTqumxtuYONZuM2nTLGk
Replay-Nonce: IN3pp9jM7kD8v-C8b6ECrCXpR3UJDeOzC8Oa2u-IY7A
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 07 Aug 2017 04:20:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Aug 2017 04:20:07 GMT
Connection: keep-alive
"letsencrypt.log" 566L, 43304C 1,1 Top

This is troubling...
Maybe @schoen can help.

It sounds like a packaging problem of some sort. You might want to try

mv /opt/eff.org/certbot{,.old}

and then re-run the command (which should re-download some of the dependencies and create a new Python virtual environment in /opt/eff.org/certbot).

Guys,

I tried ./certbot-auto --debug then ./certbot-auto -renew

Here’s what I got:

[root@ip-172-31-29-161 ~]# mv /opt/eff.org/certbot{,.old}
mv: cannot stat ‘/opt/eff.org/certbot’: No such file or directory
[root@ip-172-31-29-161 ~]# ./certbot-auto
FATAL: Amazon Linux support is very experimental at present…
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!
Alternatively, you can install OS dependencies yourself and run this script
again with --no-bootstrap.
[root@ip-172-31-29-161 ~]# ./certbot-auto --debug
Bootstrapping dependencies for Amazon… (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main | 2.1 kB 00:00:00
amzn-updates | 2.5 kB 00:00:00
Package gcc-4.8.5-1.22.amzn1.noarch already installed and latest version
Package augeas-libs-1.0.0-5.7.amzn1.x86_64 already installed and latest version
Package 1:openssl-1.0.2k-8.105.amzn1.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.2k-8.105.amzn1.x86_64 already installed and latest version
Package libffi-devel-3.0.13-16.5.amzn1.x86_64 already installed and latest version
Package system-rpm-config-9.0.3-42.28.amzn1.noarch already installed and latest version
Package ca-certificates-2015.2.6-65.0.1.16.amzn1.noarch already installed and latest version
Package python27-2.7.12-2.121.amzn1.x86_64 already installed and latest version
Package python27-devel-2.7.12-2.121.amzn1.x86_64 already installed and latest version
Package python27-virtualenv-15.1.0-1.14.amzn1.noarch already installed and latest version
Package python27-tools-2.7.12-2.121.amzn1.x86_64 already installed and latest version
Package python27-pip-9.0.1-1.24.amzn1.noarch already installed and latest version
Nothing to do
Creating virtual environment…
Installing Python packages…
Installation succeeded.
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 7, in
from certbot.main import main
File “/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py”, line 9, in
import zope.component
File “/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/init.py”, line 16, in
from zope.interface import Interface
ImportError: No module named interface

[root@ip-172-31-29-161 ~]# ./certbot-auto -renew
Error: couldn’t get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 7, in
from certbot.main import main
File “/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py”, line 9, in
import zope.component
File “/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/init.py”, line 16, in
from zope.interface import Interface
ImportError: No module named interface
[root@ip-172-31-29-161 ~]#

We’ve had a number of people who weren’t able to resolve dependency problems on Amazon Linux. Would you be willing to try a different client like https://acme.sh/? The main limitation is that it won’t configure your web server for you after the certificate has been obtained, and setting up automated renewal may be a little bit more effort. But some people prefer clients like this anyway because it gives them more control over the certificate issuance process.

At this point, I’m willing to try anything.
I took a look at the GitHub site. It looks like there are 4 different ways to install the client. Is there any one you recommend?
Also, what information will I need to enter?

I’m not really familiar enough with acme.sh to advise you about these things, unfortunately.

where did you install certbot-auto? your home folder?
pwd
Is it possible that you encrypted your home directory and it can’t read into it?
As strange as that may sound, so does the problem.
So, try installing it and running it from elsewhere. (just to be sure).

I couldn't get acme.sh to serve the certificate. It did revoke the letsencrypt certificate so my site has no certificate now. Reading the documentation carefully implies that the certbot-auto file should be in my home subdirectory (not the /root subdirectory). I decided to re-install.

I got rid of the /root/certbot-auto and I renamed /opt/eff.org subdirectory. I ran this command ./certbot-auto --apache --debug
The installation told me this:

Installation succeeded.
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in
from certbot.main import main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 9, in
import zope.component
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/init.py", line 16, in
from zope.interface import Interface
ImportError: No module named interface

When I enter ./certbot-auto --version I get the same message.

I have a new ~/certbot-auto I have a new /opt/eff.org But the server has no certificate. And, I have no idea where to go from here.

Does anyone know what I should do?

I would delete them and create a specific directory for certbot-auto (don’t use the ~ directory)

1. mkdir /only-for-certbot-auto
2. cd /only-for-certbot-auto
3. download certbot-auto again
4. and run it again
   ./certbot-auto --version

I’ll try it. After all, I have nothing to lose.

It didn't work. I still get the series of messages

Installation succeeded.
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in
from certbot.main import main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 9, in
import zope.component
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/init.py", line 16, in
from zope.interface import Interface
ImportError: No module named interface

I'm exhausted and going to bed now.

Thanks for trying - good night

When you get back to this, look at these topics:

The first ends with sudo chmod 777 webroot
Although that exact command may not be your answer it does point to a permissions issue on a folder - which is similar to what I have been thinking.

The second is completely different and has a solution focused around PIP/PYTHON, involving:

unset PYTHON_INSTALL_LAYOUT
/root/.local/share/letsencrypt/bin/pip install --upgrade certbot

@bmw, can you suggest anything that will work well for people on Amazon Linux?

Unfortunately, there’s not a good way to use Certbot on Amazon Linux. certbot-auto has never worked well on the platform (see this post for more info) and we haven’t been able to get Amazon to package the project.

If unsetting PYTHON_INSTALL_LAYOUT doesn’t work for you, I think your best bet is to use a different ACME client but I am unfortunately not familiar enough with any other than Certbot to give you detailed instructions on how to use it.

I agree, that post has this entry by @dany-sh in it which looks promising:

I found a way to get this work

 pip install pip --upgrade
 pip install virtualenv --upgrade
virtualenv -p /usr/bin/python27 venv27
. venv27/bin/activate
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
unset PYTHON_INSTALL_LAYOUT

Then update letsencrypt:
./letsencrypt-auto -v

And run the command to renew your certificate.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.