Renew certificates - ContextualVersionConflict

vaclavambroz · August 9, 2017, 2:18pm

Hello,

I use LE client (https://github.com/letsencrypt/letsencrypt) and it worked fine for a long time, but today I tried to renew my certificates and I got error:

Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: letsencrypt --rsa-key-size 4096 renew
An unexpected error occurred:
ContextualVersionConflict: (idna 2.6 (/usr/local/lib/python2.7/dist-packages), Requirement.parse('idna<2.6,>=2.5'), set(['requests']))
Please see the logfile '/tmp/tmpvqlc3z' for more details.

In the log file is:

2017-08-09 16:16:10,571:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/letsencrypt", line 11, in <module>
sys.exit(main())
  File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 733, in main
plugins = plugins_disco.PluginsRegistry.find_all()
  File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/disco.py", line 203, in find_all
plugin_ep = PluginEntryPoint(entry_point)
  File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/disco.py", line 50, in __init__
self.plugin_cls = entry_point.load()
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2315, in load
self.require(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2338, in require
items = working_set.resolve(reqs, env, installer, extras=self.extras)
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 863, in resolve
raise VersionConflict(dist, req).with_context(dependent_req)
ContextualVersionConflict: (idna 2.6 (/usr/local/lib/python2.7/dist-packages), Requirement.parse('idna<2.6,>=2.5'), set(['requests']))

Please can you help me with that? Thank you.

schoen · August 9, 2017, 10:05pm

@SwartzCr, would you take a look at this?

ideasasylum · August 9, 2017, 10:27pm

I encountered this today too with letsencrypt. I’m not too familiar with python packages but I managed to fix it temporarily by running:

sudo /usr/local/share/letsencrypt/env/bin/pip install idna==2.5

Kind of an aside, but I’m not really sure why I’m using letsencrypt instead of certbot

schoen · August 9, 2017, 10:33pm

That is the old name for exactly the same program. If you're using the self-updating version letsencrypt-auto/certbot-auto then you have the newest version despite using it under its old name.

ideasasylum · August 9, 2017, 10:58pm

fwiw, these were the packages installed when I encountered the error:

ubuntu@XXXXXXXXXXXXX:~$ /usr/local/share/letsencrypt/env/bin/pip list
DEPRECATION: The default format will switch to columns in the future. You can use --format=(legacy|columns) (or define a format=(legacy|columns) in your pip.conf under the [list] section) to disable this warning.
acme (0.17.0)
appdirs (1.4.3)
asn1crypto (0.22.0)
certbot (0.17.0)
certifi (2017.7.27.1)
cffi (1.10.0)
chardet (3.0.4)
ConfigArgParse (0.12.0)
configobj (5.0.6)
cryptography (2.0.3)
enum34 (1.1.6)
funcsigs (1.0.2)
future (0.16.0)
idna (2.6)
ipaddress (1.0.18)
letsencrypt (0.7.0)
mock (2.0.0)
ndg-httpsclient (0.4.2)
packaging (16.8)
parsedatetime (2.4)
pbr (3.1.1)
pip (9.0.1)
psutil (4.3.1)
pyasn1 (0.2.3)
pycparser (2.18)
pyOpenSSL (17.2.0)
pyparsing (2.2.0)
pyRFC3339 (1.0)
python2-pythondialog (3.4.0)
pytz (2017.2)
requests (2.18.3)
setuptools (36.2.7)
six (1.10.0)
urllib3 (1.22)
zope.component (4.4.0)
zope.event (4.3.0)
zope.interface (4.4.2)

nbering · August 10, 2017, 1:26pm

I encountered the same issue. My install was done via https://github.com/thefinn93/ansible-letsencrypt (ansible role). I was a little baffled because the role doesn’t install “idna” directly, so somewhere along the line one of the pip modules caused a version conflict.

I did the same workaround where I installed a more specific version of idna and then issued my certificate. But the way ansible works, I run install scripts over again to ensure the system is in a desired state, and going over the script again just breaks the install.

I could patch the ansible role to install a specific version of idna, but that’s not very future-proof. Anyone know more about what happened or how this can be resolved in a more permanent manner?

mnordhoff · August 10, 2017, 1:35pm

FYI, someone has filed a Certbot issue on GitHub:

SwartzCr · August 10, 2017, 2:59pm

Ah great @mnordhoff
@vaclavambroz @ideasasylum can you tell me what operating system you’re running, and what method you used to install certbot? Can you also tell me what version of certbot you have?

vaclavambroz · August 10, 2017, 3:06pm

I use Debian in testing version (Buster) and I used git to get the app. I have actual version that is on https://github.com/certbot/certbot

SwartzCr · August 10, 2017, 4:08pm

ah - interesting. How did you install the dependencies for it?
Why did you choose that method rather than taking the packaged version?

ideasasylum · August 10, 2017, 5:02pm

I’m running Ubuntu 14.04.5 with (see above for full details) Certbot 0.17.0 and Letsencrypt 0.7.0.

How was it installed? Good question… checks Ansible…

pip: virtualenv="{{ letsencrypt_venv }}" virtualenv_site_packages=no name=letsencrypt state=latest

looks like we’re using ansible’s pip task to install the letsencrypt package.

I gather this isn’t the preferred method now (this server & ascripts are probably more than a year old now)?

I’m using Letsencrypt probably every 2 days and the first time I encountered the error was on Monday so I’m pretty sure it’s when my script updated certbot/letsencrypt

ideasasylum · August 10, 2017, 5:07pm

I see that @nbering is also using Ansible. We’re not using the same role (ours is custom) but we are effectively using the same command: https://github.com/thefinn93/ansible-letsencrypt/blob/master/tasks/main.yml#L49

vaclavambroz · August 10, 2017, 5:30pm

It was long time ago and I didnt know about package. There were not many dependencies - I have only python on system and then I installed pip and python-dialog I think. Maybe letsencrypt-auto installed dependencied by themselves.

mnordhoff · August 10, 2017, 6:32pm

idna 2.5 was released in March, and 2.6 was released 2 days ago, so that matches up.

github.com

kjd/idna/blob/master/HISTORY.rst

.. :changelog:

History
-------

3.6 (2023-11-25)
++++++++++++++++

- Fix regression to include tests in source distribution.

3.5 (2023-11-24)
++++++++++++++++

- Update to Unicode 15.1.0
- String codec name is now "idna2008" as overriding the system codec
  "idna" was not working.
- Fix typing error for codec encoding
- "setup.cfg" has been added for this release due to some downstream
  lack of adherence to PEP 517. Should be removed in a future release
  so please prepare accordingly.

This file has been truncated. show original

It does. It installs necessary OS packages and sets up a virtual environment as well.

It pins specific versions of Python packages, though, so it should continue to use idna 2.5 and be unaffected by whatever this is.

bcutter · August 10, 2017, 9:24pm

Same here, exactly like @vaclavambroz. Worked for almost two years using a cron who triggers/runs “/home/pi/tools/letsencrypt/letsencrypt-auto”.

Looking forward to get a fix, otherwise… same in a few weeks

nbering · August 11, 2017, 3:41pm

Github issue related to this: https://github.com/certbot/certbot/issues/5015

It is a little odd that there is a pip module, but installing with it is unsupported. Is everyone else running into this on Debian, as well? Seems to be a common thread.

system · September 10, 2017, 3:41pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.