Mansoor
Resolved
0 votes
One domain's certificate expired. When I looked at the Let's Encrypt log, I found that it has not run since last year! So, I tried to manually renew using:
sudo certbot renew


but then got the following error:

Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.3.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 489, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2852, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2443, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2449, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 23, in <module>
    from certbot._internal import client
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 13, in <module>
    from acme import client as acme_client
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 37, in <module>
    requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3() # type: ignore
  File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 118, in inject_into_urllib3
    _validate_dependencies_met()
  File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 160, in _validate_dependencies_met
    "'pyOpenSSL' module missing required functionality. "
ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.


It seems a common error, but all the solutions I found online didn't work. I tried to upgrade the 'pyOpenSSL' module using:
sudo pip install --upgrade pyopenssl


but got the following error message:

ERROR: Cannot uninstall 'pyOpenSSL'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall.


Any idea how to resume the Let's Encrypt renew bot?

Thank you
Thursday, April 16 2020, 01:24 AM

Accepted Answer

Mansoor
Thursday, April 16 2020, 03:05 PM - #Permalink
Resolved
0 votes
Ok, I got rid of all pip and rpm packages related to certbot and started fresh. The aim is to have a working certbot and Let's Encrypt app.

1. Manually installing an updated version of pyOpenSSL and its dependencies, because the one in the yum repo is outdated.
$ sudo yum install python2-cffi-1.11.2-1.el7.x86_64.rpm
$ sudo yum update python2-ipaddress-1.0.19-9.2.noarch.rpm
$ sudo yum update python2-cryptography-2.5-1.el7.x86_64.rpm
$ sudo yum install python2-pyOpenSSL-19.0.0-1.el7.noarch.rpm


2. Installed certbot and the dashboard app:
$ sudo yum install app-lets-encrypt
$ sudo yum install certbot-apache
Responses (7)
  • Accepted Answer

    Friday, April 17 2020, 07:47 AM - #Permalink
    Resolved
    0 votes
    But bearing in mind I have said that a fresh installation of ClearOS and Let's Encrypt worked fine yesterday with a customer, I assume you don't need a more up to date version of python2-pyOpenSSL as I don't have it and it does not exist in the repos. My suspicion is that you have four third-party repos enabled and these could have updated ClearOS packages giving yourself a dependency mess. I am especially looking at rpmfusion.
  • Accepted Answer

    Mansoor
    Thursday, April 16 2020, 08:46 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:
    AFAIK the ClearOS repo packages are fine. python2-cffi python2-ipaddress and python2-pyOpenSSL are not needed and python2-cryptography-1.7.2-2.el7 is fine. I have a feeling you have repo problems.

    python2-cffi and python2-ipaddress are required for the newer version of python2-pyOpenSSL. python2-pyOpenSSL is a request for app-lets-encrypt.
    $ sudo yum install app-lets-encrypt
    Installing:
    app-lets-encrypt noarch 1:1.10.7-1.v7 clearos-contribs 9.7 k
    Installing for dependencies:
    app-lets-encrypt-core noarch 1:1.10.7-1.v7 clearos-contribs 13 k
    certbot noarch 1.3.0-1.el7 clearos-epel 42 k
    pyOpenSSL x86_64 0.13.1-4.el7 clearos-centos 135 k
    python-ndg_httpsclient noarch 0.3.2-1.el7 clearos-epel 43 k
    python2-acme noarch 1.3.0-1.el7 clearos-epel 75 k
    python2-certbot noarch 1.3.0-1.el7 clearos-epel 365 k
    python2-josepy noarch 1.3.0-2.el7 clearos-epel 89 k


    Nick Howitt wrote: What do you get from "yum repolist".

    Here is the output:
    repo id                           repo name                            status
    !akopytov_sysbench/x86_64 akopytov_sysbench 28
    !akopytov_sysbench-source akopytov_sysbench-source 0
    !clearos/7 ClearOS 7 - x86_64 - OS 663
    !clearos-centos/x86_64 CentOS-7 - x86_64 - Base 10,042+55
    !clearos-centos-sclo-rh/x86_64 CentOS-7 - x86_64 - CentOS Software 8,968
    !clearos-centos-updates/x86_64 CentOS-7 - x86_64 - Updates 1,459+2
    !clearos-contribs/7 ClearOS 7 - x86_64 - Contribs 125
    !clearos-contribs-paid ClearOS 7 - x86_64 - Contribs Paid 99
    !clearos-contribs-testing/7 ClearOS 7 - x86_64 - Contribs (Testi 169
    !clearos-epel/7/x86_64 EPEL 7 - x86_64 21,741+2
    !clearos-fast-updates/x86_64 ClearOS 7 - x86_64 - Fast Updates 3
    !clearos-infra/7 ClearOS 7 - x86_64 - Infrastructure 16
    !clearos-paid ClearOS 7 - x86_64 - Paid 213
    !clearos-updates/7 ClearOS 7 - x86_64 - Updates 417
    !docker-ce-stable/x86_64 Docker CE Stable - x86_64 70
    !private-clearcenter-dnsthingy DNSthingy 6
    !private-clearcenter-plex ClearCenter Plex Media Server 0
    !rpmfusion-free-updates/x86_64 RPM Fusion for EL 7 - Free - Updates 248
    !rpmfusion-nonfree-updates/x86_64 RPM Fusion for EL 7 - Nonfree - Upda 81
    repolist: 44,348
  • Accepted Answer

    Thursday, April 16 2020, 06:39 PM - #Permalink
    Resolved
    0 votes
    AFAIK the ClearOS repo packages are fine. python2-cffi python2-ipaddress and python2-pyOpenSSL are not needed and python2-cryptography-1.7.2-2.el7 is fine. I have a feeling you have repo problems.

    What do you get from "yum repolist".

    [edit]
    I did a fresh install of Let's Encrypt for a customer today from the marketplace and it worked fine. He created his certificate without problem.
    [/edit]
  • Accepted Answer

    Mansoor
    Thursday, April 16 2020, 11:54 AM - #Permalink
    Resolved
    0 votes
    You are right Nick. I installed the Let’s Encrypt app after renewing the domain’s certificate. That was a mistake, because it installed old versions of the python modules (using yum) and certbot is broken again!

    At least my website is working now with a renewed certificate. I’ll try to fix the issue later on and update this thread. I’ll use a simple crontab to renew certificates instead of relying on the Let’s Encrypt app.
  • Accepted Answer

    Thursday, April 16 2020, 10:42 AM - #Permalink
    Resolved
    0 votes
    You are on your own then. ClearOS will still try to install and update things like python-certbot and I've no idea what conflicts are going to happen. It would have been better to sort out the underlying issue, especially if it was working for you for other certificates. What versions of python2-certbot, python2-certbot-apache and certbot did you have installed?
  • Accepted Answer

    Mansoor
    Thursday, April 16 2020, 10:25 AM - #Permalink
    Resolved
    0 votes
    Thank you Nick.

    The python modules installed by yum are outdated. I was able to solve the problem by doing the following:

    yum remove pyOpenSSL
    yum install openssl-devel python-devel
    pip install certbot
    pip install certbot-apache
    certbot
  • Accepted Answer

    Thursday, April 16 2020, 07:46 AM - #Permalink
    Resolved
    0 votes
    If at all possible, avoid trying to install python packages with pip. Look for the yum equivalent. Otherwise you can have two package managers fighting each other. The message is off as the version of pyOpenSSL installed is pyOpenSSL-0.13.1-4.el7.x86_64. I have had no problems with that and my last certificate renewed on 17th March. What version do you have ("rpm -q pyOpenSSL").

    If it is only one certificate of a number which is failing, it suggests a certificate configuration problem rather than a programming problem. Have a look in /etc/letsencrypt/renewal and see if there is any obvious configuration difference. Also, you could try deleting the certificate and recreating it.
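One way to do the comparison suggested in the reply above, looking through /etc/letsencrypt/renewal for a certificate whose configuration differs from the others. This is an added example, not part of the original thread or of certbot; it assumes the usual renewal file layout with a `[renewalparams]` section, and the function names and sample lineages are constructed for illustration.

```python
import glob, os
from collections import Counter

def parse_renewal_conf(text):
    """Return the key/value pairs found in the [renewalparams] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):          # [renewalparams] or a nested [[...]]
            section = line.strip("[]").strip()
            continue
        if section == "renewalparams" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def find_outliers(confs):
    """confs: {lineage: conf text} -> {lineage: {key: (its value, majority value)}}."""
    parsed = {name: parse_renewal_conf(text) for name, text in confs.items()}
    keys = set().union(*parsed.values()) if parsed else set()
    report = {}
    for key in sorted(keys):
        counts = Counter(p.get(key) for p in parsed.values())
        majority, votes = counts.most_common(1)[0]
        if votes == len(parsed) or votes * 2 <= len(parsed):
            continue                      # unanimous, or no clear majority
        for name, p in parsed.items():
            if p.get(key) != majority:    # None means the key is missing
                report.setdefault(name, {})[key] = (p.get(key), majority)
    return report

# Constructed sample lineages (hypothetical, not taken from the thread).
_HEAD = "version = 1.3.0\narchive_dir = /etc/letsencrypt/archive/{d}\n[renewalparams]\n"
_COMMON = "account = 0123placeholder\nserver = https://acme-v02.api.letsencrypt.org/directory\n"
SAMPLE = {
    "a.example": _HEAD.format(d="a.example") + _COMMON + "authenticator = apache\ninstaller = apache\n",
    "b.example": _HEAD.format(d="b.example") + _COMMON + "authenticator = apache\ninstaller = apache\n",
    "c.example": _HEAD.format(d="c.example") + _COMMON + "authenticator = standalone\n",
}

if __name__ == "__main__":
    paths = glob.glob("/etc/letsencrypt/renewal/*.conf")   # usually needs root
    confs = {os.path.basename(p): open(p).read() for p in paths} or SAMPLE
    for name, diffs in find_outliers(confs).items():
        for key, (value, majority) in diffs.items():
            print(f"{name}: {key} = {value!r}, others use {majority!r}")
```

Top-level keys such as archive_dir are skipped on purpose because they differ per domain by design.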