PIP error with certbot-auto

Hi all

My domain is:

I ran this command after wget’ing the latest version:

It produced this output:
Requesting to rerun ./certbot-auto with root privileges…
Bootstrapping dependencies for Debian-based OSes… (you can skip this with --no-bootstrap)

Reading package lists… Done
Reading package lists… Done
Building dependency tree
Reading state information… Done
gcc is already the newest version.
python is already the newest version.
python-dev is already the newest version.
python-virtualenv is already the newest version.
augeas-lenses is already the newest version.
libaugeas0 is already the newest version.
ca-certificates is already the newest version.
libffi-dev is already the newest version.
libssl-dev is already the newest version.
openssl is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Creating virtual environment…
Installing Python packages…
/opt/eff.org/certbot/venv/bin/python: No module named pip.main; ‘pip’ is a package and cannot be directly executed
Traceback (most recent call last):
File “/tmp/tmp.79grOEfihq/pipstrap.py”, line 177, in
File “/tmp/tmp.79grOEfihq/pipstrap.py”, line 149, in main
pip_version = StrictVersion(check_output([python, ‘-m’, ‘pip’, ‘–version’])
File “/usr/lib/python2.7/subprocess.py”, line 544, in check_output
raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command ‘[’/opt/eff.org/certbot/venv/bin/python’, ‘-m’, ‘pip’, ‘–version’]’ returned non-zero exit status 1

This is on Debian 7 (yes I know I should upgrade).

If there’s not an obvious reason for the error then I’ll look into upgrading but I was just trying a simple auto renew of a cert I’ve had for a while.


I have the exact same error (nothing changed on server, worked fine before).
Running on Ubuntu 12.04
Did you find a way to fix the problem?

Description of problem and its workarounds @ https://github.com/certbot/certbot/issues/6824

tl;dr; upgrade your OS or run 0.31 with --no-self-upgrade.

1 Like

Nothing works for me (Debian 7.11 Wheezy, yes its EOL) . Rollback to 0.30. or 0.31 also not works :confused:

I tried all workarounds on https://github.com/certbot/certbot/issues/6824, but nothing.

Any idea for me?

# certbot-auto renew --no-self-upgrade
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
OK   http://wertarbyte.de ./ Release.gpg
OK   http://wertarbyte.de ./ Release                                                                                                                      
OK   http://packages.dotdeb.org wheezy Release.gpg                                                                                                        
OK   http://wertarbyte.de ./ Packages                                                                                                                                      
OK   http://packages.dotdeb.org wheezy-php56-zts Release.gpg                                                                                                               
OK   http://packages.dotdeb.org wheezy Release                                                                                                                                                                   
OK   http://packages.dotdeb.org wheezy-php56-zts Release                                                                                                                                        
OK   http://security.debian.org wheezy/updates Release.gpg                                                                                                 
OK   http://packages.dotdeb.org wheezy/all Sources                                                                                                         
OK   http://packages.dotdeb.org wheezy/all amd64 Packages                                                                                                                    
OK   http://security.debian.org wheezy/updates Release                                                                                           
OK   http://packages.dotdeb.org wheezy-php56-zts/all Sources                                                                                     
OK   http://packages.dotdeb.org wheezy-php56-zts/all amd64 Packages                                                 
OK   http://security.debian.org wheezy/updates/main Sources                                     
OK   http://security.debian.org wheezy/updates/contrib Sources                                                         
OK   http://security.debian.org wheezy/updates/non-free Sources                                     
OK   http://security.debian.org wheezy/updates/main amd64 Packages                                                    
OK   http://security.debian.org wheezy/updates/contrib amd64 Packages                                              
OK   http://security.debian.org wheezy/updates/non-free amd64 Packages                     
OK   http://http.debian.net wheezy-backports Release.gpg                                   
OK   http://cdn.debian.net wheezy Release.gpg
OK   http://http.debian.net wheezy-backports Release
OK   http://cdn.debian.net wheezy Release         
OK   http://http.debian.net wheezy-backports/main amd64 Packages
OK   http://cdn.debian.net wheezy/main Sources      
OK   http://cdn.debian.net wheezy/non-free Sources  
OK   http://cdn.debian.net wheezy/contrib Sources
OK   http://cdn.debian.net wheezy/main amd64 Packages
OK   http://cdn.debian.net wheezy/non-free amd64 Packages
OK   http://cdn.debian.net wheezy/contrib amd64 Packages
Paketlisten werden gelesen... Fertig
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.       
Statusinformationen werden eingelesen.... Fertig
gcc ist schon die neueste Version.
python ist schon die neueste Version.
python-dev ist schon die neueste Version.
python-virtualenv ist schon die neueste Version.
ca-certificates ist schon die neueste Version.
libffi-dev ist schon die neueste Version.
libssl-dev ist schon die neueste Version.
openssl ist schon die neueste Version.
augeas-lenses ist schon die neueste Version.
libaugeas0 ist schon die neueste Version.
0 aktualisiert, 0 neu installiert, 0 zu entfernen und 23 nicht aktualisiert.
Creating virtual environment...
Installing Python packages...
/opt/eff.org/certbot/venv/bin/python: No module named pip.__main__; 'pip' is a package and cannot be directly executed
Traceback (most recent call last):
  File "/tmp/tmp.eGwywBfra5/pipstrap.py", line 177, in <module>
  File "/tmp/tmp.eGwywBfra5/pipstrap.py", line 149, in main
    pip_version = StrictVersion(check_output([python, '-m', 'pip', '--version'])
  File "/usr/lib/python2.7/subprocess.py", line 544, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '['/opt/eff.org/certbot/venv/bin/python', '-m', 'pip', '--version']' returned non-zero exit status 1

You need to modify your local version of certbot-auto to use pip install instead of python -m pip AND use --no-self-upgrade.

I confirm that it works.
I changed in certbot-auto:
pip_version = StrictVersion(check_output([python, '-m', 'pip', '--version'])
pip_version = StrictVersion(check_output(['pip', '--version'])

command = [python, '-m', 'pip', 'install', '--no-index', '--no-deps', '-U']
command = ['pip', 'install', '--no-index', '--no-deps', '-U']


I can confirm the patch from @gery on Debian “wheezy” and Ubuntu “precise” (certbot-auto 0.32.0).

1 Like

I can confirm that this patch is what is needed to keep certbot working on debian wheezy.

It should be incorporated in the main trunk!

1 Like

isn’t wheezy already reached EOL? its LTS ended march 2018


you should update that

I’ve changed it in /usr/local/bin/certbot-auto

now i get the error:
Installing Python packages…
File “/tmp/tmp.zokrYrwiwP/pipstrap.py”, line 149
pip_version = StrictVersion(check_output([‘pip’, ‘–version’])
IndentationError: unexpected indent

How to fix that?

this is part of the certbot-auto:
def main():
python = sys.executable or ‘python’
pip_version = StrictVersion(check_output([‘pip’, ‘–version’])
has_pip_cache = pip_version >= StrictVersion(‘6.0’)

Thanks in advance for your help.

1 Like

@ chriscross I just had the same error. That’s because you used TAB instead spaces before the line pip_version = StrictVersion... Everything works as gery said

Hi zosia,

thank you for your help.
that exactly solves my problem.

Thank You!

Hello every one!

I had the same problem, and everything work fine after changing the certboot-auto file

But when i have renew my certification i get this:

Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible., utils.PersistentlyDeprecated2018

Do you think , we can keep our configuration with debian wheezy and old version of python or we need to upgrade it in the futur ?

Using --no-self-upgrade . option can help us in the futur?

Hi all

As a workaround, you can upgrade pip version to 1.2

After that certob-auto should work


@aitzol That sounds like a better solution than downgrading certbot-auto or patching it yourself, but… a seven year old version of pip? Seems like there should be a better way.

Gery, your patch working for my debian wheezy.
You just save my life !!! THANK YOU.
I can continue working on migration to Strech.

Hi there,

first things first: Thank you so much for conceiving and maintaining Let’s Encrypt and certbot. We would not be able to live without both of these fine tools these days.

The problem with systems running outdated versions of Python

Recently, we are getting more and more of these errors on outdated systems like Debian 7.11 ¹.

While we already took a look at lego, we still wanted to find a clean certbot-based solution for all systems which do not ship a decent Python version (any more). As it might be helpful for others, we want to share our outcome.

¹ Disclaimer: Sometimes you just can’t get enough time for doing appropriate dist-upgrades while you exactly know the systems are rotting already.

Running a recent certbot through pyenv

We based our efforts on pyenv, which will give you arbitrary Python environments like RVM for Ruby or nodeenv for Node.js and is similar delightful to use. Installing software this way makes it completely decoupled from the installation of your distribution which is a good thing and should take away your worries.

# Counter "/tmp" being mounted noexec
export TMPDIR=/var/tmp

# Install pyenv
curl -L https://raw.githubusercontent.com/pyenv/pyenv-installer/master/bin/pyenv-installer | bash

# Install Python 3.4
pyenv install 3.4.2

# Install certbot
PYENV_VERSION=3.4.2 pip install certbot requests requests-toolbelt pbr

# Activate
ln -s /root/.pyenv/versions/3.4.2/bin/certbot /usr/local/bin/certbot

# Voilà
certbot --version
certbot 0.33.1

We hope this helps.

With kind regards,

P.S.: It should definitively work with more recent versions of Python either. However, we just wanted to point out here that certbot currently requires Python 3.4 at least.


It’s not quite that simple.

The pyenv install step doesn’t work because:

WARNING: seems you still have not added 'pyenv' to the load path.

# Load pyenv automatically by adding
# the following to ~/.bashrc:

export PATH="/root/.pyenv/bin:$PATH"
eval "$(pyenv init -)"
eval "$(pyenv virtualenv-init -)"

However, after doing that the pyenv install 3.4.2 command completes with warnings:

WARNING: The Python bz2 extension was not compiled. Missing the bzip2 lib?
WARNING: The Python readline extension was not compiled. Missing the GNU readline lib?
WARNING: The Python sqlite3 extension was not compiled. Missing the SQLite3 lib?

and the certbot install fails with:

RuntimeError: cryptography requires setuptools 18.5 or newer, please upgrade to a newer version of setuptools

So, you may need:

PYENV_VERSION=3.4.2 pip install setuptools --upgrade

Also, when I run certbot now, I get a warning:

CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. A future version of cryptography will drop support for it.

Otherwise, I really like this solution! :smile:

ETA: running certbot renew tells me:

Could not choose appropriate plugin for updaters: Could not select or initialize the requested installer apache.

So, also needs:

PYENV_VERSION=3.4.2 pip install certbot-apache

or whatever other plugins you need.

1 Like

Dear Derek,

thank you so much for your feedback, we tried to put in your suggestions before publishing it in a more solid version to Installing certbot on systems running outdated versions of Python.

Please let me know if you have further suggestions on that.


1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.