Problems-with-python-virtual-environment


#1

My domain is: us.oracle.com

I ran this command: ./certbot-auto certonly --standalone --email snshastry@gmail.com -d us.oracle.com

It produced this output:
Creating virtual environment…
Installing Python packages…
Had a problem while installing Python packages.

pip prints the following errors:

Collecting argparse==1.4.0 (from -r /tmp/tmp.ascbhqXzuT/letsencrypt-auto-requirements.txt (line 11))
  Retrying (Retry(total=4, connect=None, read=None, redirect=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f696ab544d0>, 'Connection to pypi.python.org timed out. (connect timeout=15)')': /simple/argparse/
  Retrying (Retry(total=3, connect=None, read=None, redirect=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f696ab54a90>, 'Connection to pypi.python.org timed out. (connect timeout=15)')': /simple/argparse/
  Retrying (Retry(total=2, connect=None, read=None, redirect=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f696ab545d0>, 'Connection to pypi.python.org timed out. (connect timeout=15)')': /simple/argparse/
  Retrying (Retry(total=1, connect=None, read=None, redirect=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f696ab54590>, 'Connection to pypi.python.org timed out. (connect timeout=15)')': /simple/argparse/
  Retrying (Retry(total=0, connect=None, read=None, redirect=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f696ab54310>, 'Connection to pypi.python.org timed out. (connect timeout=15)')': /simple/argparse/
  Could not find a version that satisfies the requirement argparse==1.4.0 (from -r /tmp/tmp.ascbhqXzuT/letsencrypt-auto-requirements.txt (line 11)) (from versions: )
No matching distribution found for argparse==1.4.0 (from -r /tmp/tmp.ascbhqXzuT/letsencrypt-auto-requirements.txt (line 11))

Certbot has problem setting up the virtual environment.

We were not be able to guess the right solution from your pip
output.

Consult https://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment
for possible solutions.
You may also find some support resources at https://certbot.eff.org/support/ .

My web server is (include version):

The operating system my web server runs on is (include version): OEL7.3

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Not sure what the PIP problem is… I would only ensure you had the latest versions installed.
But couldn’t help noticing that us.oracle.com does not resolve to any IPv4 nor IPv6 address.
So you may face other issues trying to obtain a cert for that FQDN.


#3

Also… Do you really control us.Oracle.com?

Not sure if Let’s Encrypt will block this domain…

Thank you


#4

Even if you do control that FQDN, you will have to also correct this block:
oracle.com. 0 IN CAA 0 issue "symantec.com"
oracle.com. 0 IN CAA 0 issue "digicert.com"


#5

My server is running on this domain.
Format: <HOST_NAME>.us.oracle.com


#6

Check your FQDN here:
https://letsdebug.net/


#7

Test result for oracle.com using http-01

CAAIssuanceNotAllowed

FATAL

No CAA record on oracle.com (wildcard=false) contains the issuance domain “letsencrypt.org”. You must either add an additional record to include “letsencrypt.org” or remove every existing CAA record. A list of the CAA records are provided in the details.

oracle.com. 0 IN CAA 0 issue "symantec.com"
oracle.com. 0 IN CAA 0 issue "digicert.com"

Submitted 6s ago. Sat in queue for 3ms. Completed in 3s. Show verbose information.



#8

Test result for us.oracle.com using http-01

CAAIssuanceNotAllowed

FATAL

No CAA record on oracle.com (wildcard=false) contains the issuance domain “letsencrypt.org”. You must either add an additional record to include “letsencrypt.org” or remove every existing CAA record. A list of the CAA records are provided in the details.

oracle.com. 0 IN CAA 0 issue "symantec.com"
oracle.com. 0 IN CAA 0 issue "digicert.com"

NoRecords

FATAL

No valid A or AAAA records could be ultimately resolved for us.oracle.com. This means that Let’s Encrypt would not be able to to connect to your domain to perform HTTP validation, since it would not know where to connect to.

No A or AAAA records found.


#9

So you won’t be able to get a Let’s Encrypt cert until the domain CAA record is updated to include LetsEncrypt.org

DNS record type 257
000569737375656C657473656E63727970742E6F7267

Which (for those that can’t read hex) “translates” to:
0005 i s s u e l e t s e n c r y p t . o r g
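
The byte layout behind the hex string in post #9, as an added example that is not part of the original post: a decoder and encoder for CAA RDATA as laid out in RFC 8659 (flags byte, tag-length byte, tag, value), plus the RFC 3597 generic form used when a DNS host only accepts "type 257" records. The function names are this example's own.

```python
import string

TAG_CHARS = set(string.ascii_letters + string.digits)
PAGE_RDATA = "000569737375656C657473656E63727970742E6F7267"  # hex quoted in post #9

def decode_caa_rdata(hex_rdata):
    """Decode CAA RDATA into (flags, tag, value); raise ValueError if malformed."""
    raw = bytes.fromhex(hex_rdata)
    if len(raw) < 2:
        raise ValueError("CAA RDATA needs a flags byte and a tag-length byte")
    flags, tag_len = raw[0], raw[1]
    if tag_len == 0 or 2 + tag_len > len(raw):
        raise ValueError("tag length %d does not fit the RDATA" % tag_len)
    tag = raw[2:2 + tag_len].decode("ascii")
    if not set(tag) <= TAG_CHARS:
        raise ValueError("tag must consist of ASCII letters and digits")
    value = raw[2 + tag_len:].decode("ascii")  # everything after the tag
    return flags, tag.lower(), value

def encode_caa_rdata(flags, tag, value):
    """Build the hex RDATA for a CAA property (inverse of decode_caa_rdata)."""
    tag_b, value_b = tag.encode("ascii"), value.encode("ascii")
    if not 0 <= flags <= 255 or not 1 <= len(tag_b) <= 255:
        raise ValueError("flags or tag length out of range")
    return (bytes([flags, len(tag_b)]) + tag_b + value_b).hex().upper()

def is_critical(flags):
    """The issuer-critical flag is the most significant bit of the flags byte."""
    return bool(flags & 0x80)

def rfc3597_form(hex_rdata):
    """Generic RDATA text for hosts without native CAA support: \\# <length> <hex>."""
    return "\\# %d %s" % (len(bytes.fromhex(hex_rdata)), hex_rdata.upper())

if __name__ == "__main__":
    print(decode_caa_rdata(PAGE_RDATA))
    print("TYPE257", rfc3597_form(PAGE_RDATA))
```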


#10

Counterintuitively, @jsha has taught me if you control the CAA DNS record for the subdomain, you can create a more-specific record that overrides this policy:

However, you might get in trouble with Oracle’s IT department if you do this without coordinating with them, because perhaps they intend for the policy to apply to subdomains by default or want to centrally track the issuance of certificates for Oracle subdomains.
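
The lookup behaviour discussed in post #10, as an added example that is not part of the original thread: a simplified model of the RFC 8659 search for the relevant CAA record set, which climbs from the requested name towards the root and stops at the first name that has CAA records. The oracle.com records are the ones quoted in this thread; the us.oracle.com record set and the host name are hypothetical, and CNAME handling, wildcards and DNSSEC are left out.

```python
# Constructed zone data (see lead-in for which parts are hypothetical).
PARENT_ONLY = {
    "oracle.com": [(0, "issue", "symantec.com"), (0, "issue", "digicert.com")],
}
WITH_OVERRIDE = dict(PARENT_ONLY)
WITH_OVERRIDE["us.oracle.com"] = [(0, "issue", "letsencrypt.org")]

def relevant_rrset(fqdn, zone):
    """Return (owner, records) for the first CAA set found climbing from fqdn."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]  # closest set wins; parents are not merged
    return None, []

def issuance_allowed(fqdn, ca_domain, zone):
    """Non-wildcard check: may the CA identified by ca_domain issue for fqdn?"""
    _, records = relevant_rrset(fqdn, zone)
    issue_values = []
    for flags, tag, value in records:
        if tag == "issue":
            # Ignore parameters after ';' and compare the issuer domain only.
            issue_values.append(value.split(";")[0].strip().lower())
        elif flags & 0x80 and tag not in ("issuewild", "iodef"):
            return False  # critical property this checker does not understand
    if not issue_values:
        return True  # no issue property found: CAA does not restrict issuance
    return ca_domain.lower() in issue_values

if __name__ == "__main__":
    host = "host1.us.oracle.com"  # hypothetical host name
    for name, zone in (("parent only", PARENT_ONLY), ("with override", WITH_OVERRIDE)):
        owner, _ = relevant_rrset(host, zone)
        print(name, "-> CAA taken from", owner,
              "| letsencrypt.org allowed:", issuance_allowed(host, "letsencrypt.org", zone))
```

With the more-specific set in place the parent's records stop applying to names below it, so digicert.com is no longer authorized for the hypothetical host either: the closer set replaces the parent policy rather than adding to it.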