Thanks for the clarification

I will start using subdomains and stop using .local in the future.

I use the same domain internally and externally as my set up is quite old. I probably wouldn't do that again. The recommendation from Microsoft with Active Directory Domain Controller is to use a subdomain of your external domain on your LAN. You should not use the common .local and .lan as they are both reserved (.local for avahi/bonjour services for Apples) but it generally isn't a problem.

With your current setup you can add a DNS entry for your ClearOS LAN IP and map it to your_clearos_server.example.ch so your certificate still still work. Same for mail services and so on.

It is working now...I reinstalled the server! Not by choice, but that is a different story.

Let's Encrypt works. But I have a different problem now. I always used example.local for my internal name
resolution and example.ch for external. In this special case I access the server with both nominations. That
was no problem as long as I used my own certificates. Now I want to use Let's Encrypt but it won't create certificates
for a .local domain.
That's not really a problem. I still can use my own certificates for internal purposes (or don't encrypt at all )

My question is: Have I been doing this the wrong way for the last 20 years? Is there a better way than .local and .ch.
Maybe you can provide me with a tip or a guide to do this right

Thanks a lot for your help

The problem is that pip could have overwritten files installed by yum. I don't know how to walk a yum dependency tree to see what packages may need reinstalling. I've tried googling and it seems impossible to find a yum/rpm dependency tree. The big one seems to be python2-certbot, but I can only see one level:

[root@server ~]# rpm -q --requires  python2-certbot

/usr/bin/python2

python(abi) = 2.7

python-configobj

python-parsedatetime >= 1.3

python-setuptools

python-zope-component

python-zope-interface

python2-acme >= 1.6.0

python2-configargparse >= 0.9.3

python2-cryptography >= 1.2.3

python2-distro >= 1.0.1

python2-josepy >= 1.1.0

python2-mock

python2-pyrfc3339

pytz

rpmlib(CompressedFileNames) <= 3.0.4-1

rpmlib(FileDigests) <= 4.6.0-1

rpmlib(PartialHardlinkSets) <= 4.0.4-1

rpmlib(PayloadFilesHavePrefix) <= 4.0-1

rpmlib(PayloadIsXz) <= 5.2-1

and

[root@server ~]# yum deplist python2-certbot -q

package: python2-certbot.noarch 1.9.0-1.el7

  dependency: /usr/bin/python2

   provider: python.x86_64 2.7.5-88.el7

  dependency: python(abi) = 2.7

   provider: python.x86_64 2.7.5-88.el7

  dependency: python-configobj

   provider: python-configobj.noarch 4.7.2-7.el7

  dependency: python-parsedatetime >= 1.3

   provider: python2-parsedatetime.noarch 2.4-6.el7

  dependency: python-setuptools

   provider: python-setuptools.noarch 0.9.8-7.el7

  dependency: python-zope-component

   provider: python-zope-component.noarch 1:4.1.0-5.el7

  dependency: python-zope-interface

   provider: python-zope-interface.x86_64 4.0.5-4.el7

  dependency: python2-acme >= 1.6.0

   provider: python2-acme.noarch 1.9.0-1.el7

  dependency: python2-configargparse >= 0.9.3

   provider: python2-configargparse.noarch 0.11.0-2.el7

  dependency: python2-cryptography >= 1.2.3

   provider: python2-cryptography.x86_64 1.7.2-2.el7

  dependency: python2-distro >= 1.0.1

   provider: python2-distro.noarch 1.2.0-3.el7

  dependency: python2-josepy >= 1.1.0

   provider: python2-josepy.noarch 1.3.0-2.el7

  dependency: python2-mock

   provider: python2-mock.noarch 1.0.1-10.el7

  dependency: python2-pyrfc3339

   provider: python2-pyrfc3339.noarch 1.1-3.el7

  dependency: pytz

   provider: pytz.noarch 2016.10-2.el7

Fubar

I found a system with a working installation of Let's Encrypt.
I checked the yum python and pip packages and made sure both are the same.
yum list installed "python-*" | sort
yum list installed "python2*" | sort
yum list installed "python3*" | sort
give now the same results.

And I checked
pip3 list | sort
on both systems and made sure all packages match and that they where installed by yum.
ls -1d /usr/lib/python3.6/site-packages/*egg-info | xargs rpm -qf
ls -1d /usr/lib/python2.7/site-packages/*egg-info | xargs rpm -qf

No result
certbot still gives me a "pkg_resources.DistributionNotFound: urllib3>=1.21.1,<1.25"

Any Idea what else I could check?

I think I have to reinstall the Server to get out off this mess.

Never ever will I mix yum and pip again

I only have a urllib3-1.10.2-py2.7.egg-info. Remember your "pip installs" may have dragged in other dependencies with pip. You may need to hunt them down, remove them then reinstall the correct package with yum. I have no problem creating new certificates.

[edit]
Or if you've used pip before, that may also have caused the damage.
[/edit]

Yes, python2-certbot-1.9.0-1.el7.noarch is installed.

I get the error, when i try to add my first certificate.

Presumably you also have python2-certbot-1.9.0-1.el7.noarch installed?

What are you trying to do when you get this error?

I found out that File
"/usr/lib/python2.7/site-packages/urllib3-1.24.1-py2.7.egg/urllib3/contrib/pyopenssl.py";
doesn't belong to any package installed. So I deleted the thing.
rm -rf /usr/lib/python2.7/site-packages/urllib3-1.24.1-py2.7.egg

Now I get this Error:
Traceback (most recent call last):
File "/usr/bin/certbot", line 5, in
from pkg_resources import load_entry_point
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 3011, in
parse_requirements(__requires__), Environment()
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 626, in resolve
raise DistributionNotFound(req)
pkg_resources.DistributionNotFound: urllib3>=1.21.1,<1.25

rpm -qa python-urllib3
python-urllib3-1.10.2-7.el7.noarch

I don't remember messing things up. :|
I normally just use Webconfig to install/remove things. And maybe some configurations for samba on the commandline.....

Thanks a lot for the clarification. After the first error, I just followed an instruction I found
to replace pyOpenSSL yum version with pip...

I uninstalled the pip things and reinstalled the yum versions:
pip-3 uninstall certbot-apache
pip-3 uninstall certbot
yum remove python-augeas
yum install certbot pyOpenSSL
installed certbot-1.9.0-1.el7.noarchpy
installed OpenSSL-0.13.1-4.el7.x86_64

Now I have again the original error message again:
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in
load_entry_point('certbot==1.9.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 378, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2566, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2260, in load
entry = __import__(self.module_name, globals(),globals(), ['__name__'])
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 2, in
from certbot._internal import main as internal_main
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 20, in
from certbot._internal import account
File "/usr/lib/python2.7/site-packages/certbot/_internal/account.py", line 18, in
from acme.client import ClientBase # pylint: disable=unused-import
File "/usr/lib/python2.7/site-packages/acme/client.py", line 39, in
requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3() # type: ignore
File "/usr/lib/python2.7/site-packages/urllib3-1.24.1-py2.7.egg/urllib3/contrib/pyopenssl.py";, line 118, in inject_into_urllib3
_validate_dependencies_met()
File "/usr/lib/python2.7/site-packages/urllib3-1.24.1-py2.7.egg/urllib3/contrib/pyopenssl.py";, line 153, in _validate_dependencies_met
raise ImportError("'pyOpenSSL' module missing required functionality. "
ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

Maybe something else is missing?

As you've gone down the pip route I can't really help now as you have a mixture of sources from yum and pip. You now probably have certbot from both yum and pip, and there should be no need for certbot-apache. My Let's Encrypt works with pyOpenSSL-0.13.1-4.el7 so I really don't know what mess you're in. Although I have python-augeas installed, I don't know why as "repoquery -q --installed --whatrequires python-augeas" returns nothing and removing it removes nothing else. It is probably an old dependency.