Unexpected error on cert renewal - "no such extra feature 'security'"


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
misdemo.temple.edu

I ran this command:
sudo certbot renew --dry-run

It produced this output:

An unexpected error occurred:
UnknownExtra: requests 2.6.0 has no such extra feature ‘security’
Please see the logfile ‘/tmp/tmp8g6o3P’ for more details.

And …

2019-04-01 09:15:46,971:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/bin/certbot”, line 11, in
sys.exit(main())
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 723, in main
plugins = plugins_disco.PluginsRegistry.find_all()
File “/usr/lib/python2.7/site-packages/certbot/plugins/disco.py”, line 203, in find_all
plugin_ep = PluginEntryPoint(entry_point)
File “/usr/lib/python2.7/site-packages/certbot/plugins/disco.py”, line 50, in init
self.plugin_cls = entry_point.load()
File “/usr/lib/python2.7/site-packages/pkg_resources/init.py”, line 2315, in load
self.require(*args, **kwargs)
File “/usr/lib/python2.7/site-packages/pkg_resources/init.py”, line 2338, in require
items = working_set.resolve(reqs, env, installer, extras=self.extras)
File “/usr/lib/python2.7/site-packages/pkg_resources/init.py”, line 866, in resolve
new_requirements = dist.requires(req.extras)[::-1]
File “/usr/lib/python2.7/site-packages/pkg_resources/init.py”, line 2590, in requires
“%s has no such extra feature %r” % (self, ext)
UnknownExtra: requests 2.6.0 has no such extra feature ‘security’

My web server is (include version):
Apache/2.4.6 (Red Hat Enterprise Linux)

The operating system my web server runs on is (include version):
Red Hat Enterprise Linux Server release 7.6 (Maipo)

My hosting provider, if applicable, is:
NA

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.32.0


#2

Hi @shafer

check the config file of that domain. In

/etc/letsencrypt/renewal

Looks like there is a wrong entry. Or share the file content.


#3

Hi @shafer,

Did you install or upgrade any Python packages outside of your operating system package manager, like using pip?


#4

renew_before_expiry = 30 days

version = 0.29.1
archive_dir = /etc/letsencrypt/archive/misdemo.temple.edu
cert = /etc/letsencrypt/live/misdemo.temple.edu/cert.pem
privkey = /etc/letsencrypt/live/misdemo.temple.edu/privkey.pem
chain = /etc/letsencrypt/live/misdemo.temple.edu/chain.pem
fullchain = /etc/letsencrypt/live/misdemo.temple.edu/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account = b5c4e5df981007ad45c619629e872487
server = https://acme-v02.api.letsencrypt.org/directory


#5

Very likely… although that was probably in December or so…


#6

@bmw, do you happen to know how this particular dependency issue could go awry?


#7

I suspect you have a version of our acme library (or a version of a package not maintained by the Certbot team that the plugin you’re trying to use depends on) from pip.

I think what probably happened here is shortly after you last obtained your certificates, you installed packages from pip breaking Certbot’s installation. If you ran pip as root, this is very dangerous because on CentOS 7 pip by default will modify the Python files provided by your OS rather than making all of its changes in a separate directory. This makes fixing these problems especially difficult because undoing the changes isn’t as easy as deleting the packages added by pip.

You can try running yum reinstall acme to see if it fixes the problem. If not, if you remember the packages you installed using pip, I recommend running pip uninstall to remove them. You may also need to reinstall or uninstall/install other Python packages that may be also been modified by pip.

If you’re need/want to renew your certificates ASAP, you can use certbot-auto which installs Certbot in an isolated Python environment to try and avoid issues like this.


#8

That command did it for me. Yay!