Renew certificates - ContextualVersionConflict


I use LE client ( and it worked fine for a long time, but today I tried to renew my certificates and I got error:

Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: letsencrypt --rsa-key-size 4096 renew
An unexpected error occurred:
ContextualVersionConflict: (idna 2.6 (/usr/local/lib/python2.7/dist-packages), Requirement.parse('idna<2.6,>=2.5'), set(['requests']))
Please see the logfile '/tmp/tmpvqlc3z' for more details.

In the log file is:

2017-08-09 16:16:10,571:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/letsencrypt", line 11, in <module>
  File "/usr/local/lib/python2.7/dist-packages/certbot/", line 733, in main
plugins = plugins_disco.PluginsRegistry.find_all()
  File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/", line 203, in find_all
plugin_ep = PluginEntryPoint(entry_point)
  File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/", line 50, in __init__
self.plugin_cls = entry_point.load()
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/", line 2315, in load
self.require(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/", line 2338, in require
items = working_set.resolve(reqs, env, installer, extras=self.extras)
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/", line 863, in resolve
raise VersionConflict(dist, req).with_context(dependent_req)
ContextualVersionConflict: (idna 2.6 (/usr/local/lib/python2.7/dist-packages), Requirement.parse('idna<2.6,>=2.5'), set(['requests']))

Please can you help me with that? Thank you.

@SwartzCr, would you take a look at this?

I encountered this today too with letsencrypt. I’m not too familiar with python packages but I managed to fix it temporarily by running:

sudo /usr/local/share/letsencrypt/env/bin/pip install idna==2.5

Kind of an aside, but I’m not really sure why I’m using letsencrypt instead of certbot :confused:

That is the old name for exactly the same program. If you’re using the self-updating version letsencrypt-auto/certbot-auto then you have the newest version despite using it under its old name.

1 Like

fwiw, these were the packages installed when I encountered the error:

ubuntu@XXXXXXXXXXXXX:~$ /usr/local/share/letsencrypt/env/bin/pip list
DEPRECATION: The default format will switch to columns in the future. You can use --format=(legacy|columns) (or define a format=(legacy|columns) in your pip.conf under the [list] section) to disable this warning.
acme (0.17.0)
appdirs (1.4.3)
asn1crypto (0.22.0)
certbot (0.17.0)
certifi (2017.7.27.1)
cffi (1.10.0)
chardet (3.0.4)
ConfigArgParse (0.12.0)
configobj (5.0.6)
cryptography (2.0.3)
enum34 (1.1.6)
funcsigs (1.0.2)
future (0.16.0)
idna (2.6)
ipaddress (1.0.18)
letsencrypt (0.7.0)
mock (2.0.0)
ndg-httpsclient (0.4.2)
packaging (16.8)
parsedatetime (2.4)
pbr (3.1.1)
pip (9.0.1)
psutil (4.3.1)
pyasn1 (0.2.3)
pycparser (2.18)
pyOpenSSL (17.2.0)
pyparsing (2.2.0)
pyRFC3339 (1.0)
python2-pythondialog (3.4.0)
pytz (2017.2)
requests (2.18.3)
setuptools (36.2.7)
six (1.10.0)
urllib3 (1.22)
zope.component (4.4.0)
zope.event (4.3.0)
zope.interface (4.4.2)

I encountered the same issue. My install was done via (ansible role). I was a little baffled because the role doesn’t install “idna” directly, so somewhere along the line one of the pip modules caused a version conflict.

I did the same workaround where I installed a more specific version of idna and then issued my certificate. But the way ansible works, I run install scripts over again to ensure the system is in a desired state, and going over the script again just breaks the install.

I could patch the ansible role to install a specific version of idna, but that’s not very future-proof. Anyone know more about what happened or how this can be resolved in a more permanent manner?

FYI, someone has filed a Certbot issue on GitHub:

Ah great @mnordhoff
@vaclavambroz @ideasasylum can you tell me what operating system you’re running, and what method you used to install certbot? Can you also tell me what version of certbot you have?

I use Debian in testing version (Buster) and I used git to get the app. I have actual version that is on

ah - interesting. How did you install the dependencies for it?
Why did you choose that method rather than taking the packaged version?

I’m running Ubuntu 14.04.5 with (see above for full details) Certbot 0.17.0 and Letsencrypt 0.7.0.

How was it installed? Good question… checks Ansible

pip: virtualenv="{{ letsencrypt_venv }}" virtualenv_site_packages=no name=letsencrypt state=latest

looks like we’re using ansible’s pip task to install the letsencrypt package.

I gather this isn’t the preferred method now (this server & ascripts are probably more than a year old now)?

I’m using Letsencrypt probably every 2 days and the first time I encountered the error was on Monday so I’m pretty sure it’s when my script updated certbot/letsencrypt

I see that @nbering is also using Ansible. We’re not using the same role (ours is custom) but we are effectively using the same command:

It was long time ago and I didnt know about package. There were not many dependencies - I have only python on system and then I installed pip and python-dialog I think. Maybe letsencrypt-auto installed dependencied by themselves.

idna 2.5 was released in March, and 2.6 was released 2 days ago, so that matches up.

It does. It installs necessary OS packages and sets up a virtual environment as well.

It pins specific versions of Python packages, though, so it should continue to use idna 2.5 and be unaffected by whatever this is.

Same here, exactly like @vaclavambroz. Worked for almost two years using a cron who triggers/runs “/home/pi/tools/letsencrypt/letsencrypt-auto”.

Looking forward to get a fix, otherwise… same in a few weeks :frowning:

Github issue related to this:

It is a little odd that there is a pip module, but installing with it is unsupported. Is everyone else running into this on Debian, as well? Seems to be a common thread.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.