RHEL/CentOS 7 OpenSSL client compatibility after new chain

CentOS/Red Hat 7 users can just install Python 3.x side by side.

1 Like

Soooo, the following:

...actually isn't a problem then?

1 Like

No, Python 3 is not necessarily the issue here. The issue is that a lot of dependencies have to be packaged due to EPEL shipping all certbot plugins as well. An update simply means a huge amount of work for @FelixSchwarz and co.

2 Likes

When CentOS 7 was released (June 2014) it did not provide a Python 3 package. Fedora EPEL 7 did include Python 3.4 much later, then upgraded to Python 3.6 and at some point also Red Hat included that Python 3.6 in their base distribution.

So you can install the Python 3.6 interpreter with the standard library even on CentOS 7. The problem is that Fedora EPEL ships all official certbot plugins which have a significant dependency tree. In EPEL 7 we started to ship certbot 0.6 in 2016! By that time the Fedora maintainers relied on Python 2 as the Python 3 stack was too incomplete on CentOS 7.

Fast forward a few years: since certbot 1.12, Python 3 is required. Still there are only 1-2 persons in Fedora who did some work on the certbot stack and mind you - both are volunteers with day jobs, family and a lot of other Python packages. For example my pagure profile says I have access to 521 packages - though most of these came through the Python maintainers group. Even if I can leave most of them to fellow maintainers there are roughly 50 packages where I'm the primary committer. Most notable parts are the certbot stack (~30 packages), the WeasyPrint stack (~10 packages) and BorgBackup.

Even after the Python 3 stack in CentOS 7 was mostly complete I had to adapt/tweak ~2 dozen packages until this point (details: bugzilla, click "Expand All").

Sometimes this means other packagers made mistakes previously which went unnoticed and I have to figure out a contingency strategy to fix these as well (to be clear: I'm also making mistakes, no blaming here!). It can involve writing lengthy emails with planning, prodding inactive maintainers, getting test suites to run in software I'm completely unfamiliar with and sometimes also asking certbot upstream to relax their dependency requirements. Also there are roughly monthly certbot updates to handle for Fedora 33, 34 and rawhide plus CentOS 8.

So there is a lot of work involved and none of it is "sexy" or "fun" work. Still it is gratifying for me if I get such a complex transition to work, but the time I can dedicate to that is limited.

If someone is really interested in this work and wants to help out (though it might not be the best start as a Fedora packager as this is not the easiest project), you are welcome to check out:

  • github repo with work-in-progress patches for Python 3 support
  • COPR repo with work-in-progress builds

Still I'm sorry that I missed the importance of certbot 1.12+ for our CentOS certbot users. I'm sorry about that and feeling the need for sure motivates me to get recent certbot versions to work but I can't fix this quickly.

6 Likes

I pushed an update to certbot in EPEL 7 so you can also use --preferred-chain as in certbot 1.12+: Certbot update for CentOS 7: use --prefered-chain to select a shorter chain

5 Likes