/root/.local/share/letsencrypt/bin/pip: No such file or directory


#1

Hi,

In the last few days I wanted to get started with letsencrypt.org, but there are not really any good tutorials for “server noobs”. I know how to make websites, but I am not really into the “server things”. However, I think the main goal of letsencrypt.org is that everyone will use https. The first step is to make good, step-by-step tutorials for everyone, also for people who don’t know that much about servers.

In the end I started with: https://raymii.org/s/articles/Lets_Encrypt_Directadmin.html

Some information I know:

  • I have root access to my server.
  • Directadmin is running on server.
  • Running on CentOS 5.5
  • Python version 2.4.3
  • uname -a information: i686 i686 i386 GNU/Linux

What I did:

  • Downloaded Putty.
  • Made a SSH connection with the server as root.
  • I tried to do: yum install git but it resulted in some errors. After searching on Google I did: yum --disableexcludes=main install git and later on I could install git.
  • Then I did:
    git clone https://github.com/letsencrypt/letsencrypt
  • cd letsencrypt*
  • Then:
  • ./letsencrypt-auto*

Problem:
At the end I got this:

./letsencrypt-auto: line 103: [: too many arguments
./letsencrypt-auto: line 105: [: too many arguments
Updating letsencrypt and virtual environment dependencies…/letsencrypt-auto: line 185: /root/.local/share/letsencrypt/bin/pip: No such file or directory

I tried to solve the problem by searching on Google for this problem, but I did not really find a working solution.

I hope someone can help me. Thanks in advance!


#2

I understand where you are coming from, and agree. This product is not at the point of general public release for everyone though, it’s still in “beta”, which unfortunately means it isn’t really aimed at “noobs” just yet.

You are running on a relatively old server ( CentOS 5.5 and Python 2.4.3 ). LE won’t run on this, you really need to update your system first.


#3

Try another client


#4

Thank you @serverco and @Licaon_Kter for the reply!

@serverco:
I have almost 100 domains, so till now I did not work with https, because of the costs. I understand that it’s in beta, but I am not too lazy to learn some things or spend some time on it, so I will give it a try anyway.

I have a host who is doing the updates and arranging the things on the server etcetera, but I have root access to make some adjustments. I am not sure yet if it’s wise to update and change “CentOS 5.5”, but I will ask my host. Is it also possible to make it work by only updating Python?

@Licaon_Kter: I am already stuck at the term: “ACME”:

“Here’s an incomplete list of clients and libraries I’m aware of that implement ACME.”

What is it, and for what reason would I need it?


#5

@Licaon_Kter: Ah, by reading everything again I already found what ACME is:

“For Let’s Encrypt to issue you a certificate, you must prove to them that you control the domain. If we own the domain, we can do this with a series of challenge-response transactions, which is part of the ACME protocol. Let’s Encrypt explains this process well.”

P.S. Why do you need an ACME protocol for that? With some services of Google you also have to prove that the domain belongs to you, but that’s much easier (meta tags, file upload, etc.). Or is this a more secure way of proving the domain is yours?

The only thing is that I don’t know what to do now…


#6

Hi Hendrik,

See how it works for detail, but it’s essentially the same as you mention for Google. A small file is uploaded to a specific location that is then checked, to demonstrate that you have control over the domain.

You could do this with one of the other methods ( as @Licaon_Kter suggested ). Some of those may be better for you.

In answer to your question;

“Is it also possible to make it work by only updating Python?”

I think that should work, but can’t be certain. You can have more than one version of python on the server, so worth a try.


#7

Thanks! First I will try to make it work with the official client, because otherwise there is probably even less documentation etc. to make everything work.

I was just checking the client “PHP (via Webroot)”, because I am familiar with PHP, but they are saying “Warning: This software is under heavy development. Use at your own risk.”. I don’t know exactly what I am doing with letsencrypt, so maybe it’s better first to try it the official way.

I will try to contact my host if it’s safe to try to update or put a newer version of Python on the server.


#8

You don’t even need to run anything on the target webserver for the certs.
Have another (newer ahem :)) machine (or VM) and use manual setup with the main client or another client like: https://gethttpsforfree.com (you just need a way to run openssl hence the new machine and setup 2 folders and one file on the target webserver)


#9

I just had contact with my host. I have one IP address for the whole server, so I have to run a certificate for multiple domains, but that’s only possible from CentOS 6. So I think I have to update the server first anyway.


#10

I already tried https://gethttpsforfree.com for one domain. But I am stuck at the following:

openssl dhparam -out dhparam.pem 4096

Then I see a lot of dots and plus signs, but at the end (after more than an hour) it results in errors:

[root@srv /]# [root@srv /]# openssl dhparam -out dhparam.pem 4096
-bash: [root@srv: command not found
[root@srv /]# Generating DH parameters, 4096 bit long safe prime, generator 2
-bash: Generating: command not found
[root@srv /]# This is going to take a long time
-bash: This: command not found

All the steps before went well till this one. Is this also because of the old server, or why is that command not working? Actually the command is working, because it’s showing the …+… etc., but something is going wrong during it.


#11

I don’t know what kind of SSH client/connection you have, but it looks like it’s FUBAR :stuck_out_tongue: Looks like it’s executing the output of the commands… Not good, not good at all…

Also, although generating custom Diffie–Hellman parameters is always good, it’s not necessary for a LE certificate. In what step of gethttpsforfree.com is it mentioned? I haven’t tried it myself. Perhaps you could skip that step.


#12

@Osiris: I am using Putty as mentioned before.

And it’s in “Step 5: Install Certificate (see below)”

How to install https on nginx or apache:

1. Copy and paste both the below domain certificate and the below intermediate certificate into the same text file called “chained.pem”.

2. If not done already, generate non-default dhparams.
openssl dhparam -out dhparam.pem 4096


#13

Ah well, you can skip that step, it’s not 100 % necessary. For now…

Default, 2048 bits DH parameters are deemed non-secure, but I wouldn’t include it in the steps of configuring a certificate :confounded:

Hardening your TLS is always a good idea, but comprises way more than only generating non-default DH parameters :confused:


#14

But if I skip that step I don’t have a dhparam.pem file and in the next steps it’s needed.


#15

How is it needed? :neutral_face: Some configuration option you can leave out? :wink: Let me guess, SSLOpenSSLConfCmd DHParameters /path/to/dhparam.pem for Apache or ssl_dhparam /path/to/dhparam.pem for nginx? :stuck_out_tongue:

It’s very wise to implement, but optional.


#16

Yeah for that it’s needed:

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" ###See serverfault.com/q/693241/

So I don’t think it’s a good idea to configure it without that option. It’s also possible to buy a car without a lock, but then I pass ;)…


#17

I’m not saying you shouldn’t implement it, you very much should… But if you’re having troubles with your SSH connection, but you want to launch your Let’s Encrypt certificates anyway, you can do it without the DH parameters.

I myself haven’t got any non-ECC DH suites enabled, so I don’t bother :stuck_out_tongue: Better performance and almost every client has ECDHE support. So why the trouble by leaving those performance eating DHE suites enabled :neutral_face:


#18

So you are vulnerable to that attack? But that last part I don’t understand… I am kind of a newbie with “server things” as mentioned before, so non-ECC / ECDHE / DHE is like Chinese for me ;).


#19

No I’m not. The attack is at Diffie-Hellman key exchanges. My server doesn’t offer that. It only offers the elliptic curve variant, which isn’t vulnerable. Some older operating systems like XP don’t understand that, but with my user base of like, 10 visitors per what, month? Half a year? I don’t care :wink:

In any case, you’ll probably want to do those steps, but I’m hoping you’re not running a beta piece of software on a production server with production critical stuff on it… So… Whether you’ll add those DH parameters now or in 5 minutes or tomorrow… I don’t think the NSA will hack your precious TLS connections that soon :wink:

BTW, analyze your server at SSL Labs, perhaps it has even more vulnerabilities you can fix :yum: Gives you great insight into your TLS configuration, but you shouldn’t aim for a 100 % score on every bar (of those 4 in the Summary). I myself have 100/95/100/90 b/c of TLS1.0 support (the 95) and 128 bit AES next to the 256 bit variants (the 90). And 128 bit AES GCM is fine. :neutral_face: So in my opinion 100/100/100/100 is overrated. Even without it, my server gets an “A+” :smile:
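
Posts #15 to #19 turn on whether the server offers finite-field DHE suites at all, since only those use dhparam.pem. The script below is an added example, not part of any post: it reads `openssl ciphers -v` and `openssl dhparam -text` output to decide whether the file matters for a given cipher string. The function names, the sample lines and the 2048-bit threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): is dhparam.pem relevant for a cipher string?
MIN_BITS=2048   # assumed policy threshold; adjust to your own requirements

# stdin: `openssl ciphers -v` output. Prints suites using finite-field
# ephemeral DH (Kx=DH). ECDHE suites are listed as Kx=ECDH and are skipped.
dhe_suites() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "Kx=DH") print $1 }'
}

# stdin: `openssl dhparam -text -noout` output. Prints the prime size in bits.
dh_bits() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# verdict <number of DHE suites> <dhparam bits, or "" if no file configured>
verdict() {
    if [ "$1" -eq 0 ]; then echo "no-dhe: dhparam.pem is not used"
    elif [ -z "$2" ]; then echo "dhe: no custom dhparam configured"
    elif [ "$2" -lt "$MIN_BITS" ]; then echo "dhe: dhparam too small ($2 bit)"
    else echo "dhe: dhparam ok ($2 bit)"
    fi
}

# audit <cipher-string> [dhparam.pem]; needs the openssl CLI on this machine.
audit() {
    list=$(openssl ciphers -v "$1") || return 2
    count=$(printf '%s\n' "$list" | dhe_suites | awk 'END { print NR }')
    bits=""
    if [ -n "${2:-}" ]; then
        bits=$(openssl dhparam -in "$2" -text -noout | dh_bits)
        [ -n "$bits" ] || return 2   # file given but not parseable
    fi
    verdict "$count" "$bits"
}

# Constructed sample of `openssl ciphers -v` output, so the demo runs offline.
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(256) Mac=AEAD'

demo_count=$(printf '%s\n' "$SAMPLE" | dhe_suites | awk 'END { print NR }')
verdict "$demo_count" ""        # DHE offered, no dhparam file given
verdict 0 ""                    # ECDHE-only server, as described in post #17
```

To check a real setup, call `audit` with the cipher string from the web server configuration and, if one is configured, the path to dhparam.pem.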


#20

Yeah the DHParams generation takes a while, do it on a local machine or VM and just upload it when done.