./letsencrypt-auto is generating an InsecurePlatformWarning on Ubuntu 14.04 LTS. This looks like a conflict between python and python3? What is the proper way to resolve this conflict and how can we implement a fix to eliminate a custom workaround?
Terminal excerpt:
swebber@dev:~/letsencrypt$ sudo -H ./letsencrypt-auto --help
...
Updating letsencrypt and virtual environment dependencies.....
/home/swebber/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
/home/swebber/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
It should only be an issue because Ubuntu ships with Python 2.7.6 while urllib issues that warning on anything below 2.7.9; updating python2 should fix it.
Certain Python platforms (specifically, versions of Python earlier than 2.7.9)
from https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
That's strange. I just ran sudo apt-get update and sudo apt-get dist-upgrade on this server and everything (including python?) is up to date.
Ubuntu repos have an older version; try running python --version, and if it's below 2.7.9 you get the error you described.
swebber@dev:~$ python --version
Python 2.7.6
Yep, there it is. Does that mean these instructions will overwrite the older version, assuming you replaced 2.7.5 with 2.7.10?
So you either run unofficial or update by building the source... that's a pain. Is there any reason python3 cannot be added to letsencrypt-auto:90 like this:
DeterminePythonVersion() {
  if command -v python3.4 > /dev/null ; then
    export LE_PYTHON=${LE_PYTHON:-python3.4}
  elif command -v python3 > /dev/null ; then
    export LE_PYTHON=${LE_PYTHON:-python3}
  ...
}
I suppose an if statement detecting Python < 2.7.9 and implementing pyOpenSSL is also an option, but it seems like a dirty patch that could break more than it solves.
It shouldn't be a python2 and python3 conflict since letsencrypt-auto generates a virtual environment based on the python2 version your system has. You could add it to a requirements file for versions below 2.7.9 here. I can't answer you on the python3 support however.
What would the syntax for that look like? Additionally, that would require urllib3.contrib.pyopenssl.inject_into_urllib3() to be copied throughout the code base?
@devster31 @pde I was poking around the other open issues and it looks like this may be a duplicate of #1623? Thoughts or comments?
I think it's a duplicate if you only get the warning during the initial run, if I understood correctly I don't think there's a way to avoid that besides suppressing warnings as suggested in #1623. However further warnings during normal letsencrypt operations should be fixed separately using something like what's already in acme/acme/client.py:
# Prior to Python 2.7.9 the stdlib SSL module did not allow a user to configure
# many important security related options. On these platforms we use PyOpenSSL
# for SSL, which does allow these options to be configured.
# https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
if sys.version_info < (2, 7, 9):  # pragma: no cover
    requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()
which would be the best solution possible. PyOpenSSL is already a dependency and is installed during the bootstrap process, so the fix would be to add the above lines wherever requests is imported.
Mm.. who could do something like that? Admittedly, I know not how to write Python. :/
Would suppressing the warning still allow certificates to be deployed, or would more runtime errors occur later on down the road? I'm writing a tutorial about Let's Encrypt and I'm on the fence about telling readers to suppress warnings. :/
There's a discussion with a pull request about suppressing warnings during the installation, I already linked it in the previous comment. It shouldn't cause any problems with the process besides the security vulnerabilities.
Got'cha. I will stay on the lookout. Thanks for conversing with me on the matter! :)
Once we land the new letsencrypt-auto and close #1572, we should be able to suppress InsecurePlatformWarnings due to the OS's venv without security risk.
I was messing around with letsencrypt-auto a little more this evening, and it turns out InsecurePlatformWarning is not _just_ a warning. Let's Encrypt totally crashes about thirty seconds afterwards.
...
InsecurePlatformWarning
Command "/root/.local/share/letsencrypt/bin/python2.7 -c "import setuptools, tokenize;__file__='/tmp/pip-build-adjhtc/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-LNTy2r-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/cryptography" failed with error code 1 in /tmp/pip-build-adjhtc/cryptography
Anything I can do? Cannot obtain/renew any certificates currently.
+1 have same issue on Ubuntu 14.04, which comes with default Python 2.7.6
After the failure, I tried to install pyOpenSSL with:
/root/.local/share/letsencrypt/bin/pip install pyopenssl ndg-httpsclient pyasn1
But there is some issue with compiling cryptography:
# /root/.local/share/letsencrypt/bin/pip install pyopenssl ndg-httpsclient pyasn1
Collecting pyopenssl
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Using cached pyOpenSSL-0.15.1-py2.py3-none-any.whl
Collecting ndg-httpsclient
Using cached ndg_httpsclient-0.4.0.tar.gz
Requirement already satisfied (use --upgrade to upgrade): pyasn1 in /root/.local/share/letsencrypt/lib/python2.7/site-packages
Requirement already satisfied (use --upgrade to upgrade): six>=1.5.2 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from pyopenssl)
Collecting cryptography>=0.7 (from pyopenssl)
Using cached cryptography-1.1.2.tar.gz
Requirement already satisfied (use --upgrade to upgrade): idna>=2.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->pyopenssl)
Requirement already satisfied (use --upgrade to upgrade): setuptools in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->pyopenssl)
Requirement already satisfied (use --upgrade to upgrade): enum34 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->pyopenssl)
Requirement already satisfied (use --upgrade to upgrade): ipaddress in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->pyopenssl)
Requirement already satisfied (use --upgrade to upgrade): cffi>=1.1.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->pyopenssl)
Requirement already satisfied (use --upgrade to upgrade): pycparser in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cffi>=1.1.0->cryptography>=0.7->pyopenssl)
Installing collected packages: cryptography, pyopenssl, ndg-httpsclient
Running setup.py install for cryptography
Complete output from command /root/.local/share/letsencrypt/bin/python2.7 -c "import setuptools, tokenize;__file__='/tmp/pip-build-am3f0F/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-MCNXuz-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/cryptography:
running install
running build
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/cryptography
copying src/cryptography/exceptions.py -> build/lib.linux-x86_64-2.7/cryptography
copying src/cryptography/fernet.py -> build/lib.linux-x86_64-2.7/cryptography
copying src/cryptography/__init__.py -> build/lib.linux-x86_64-2.7/cryptography
copying src/cryptography/utils.py -> build/lib.linux-x86_64-2.7/cryptography
copying src/cryptography/__about__.py -> build/lib.linux-x86_64-2.7/cryptography
creating build/lib.linux-x86_64-2.7/cryptography/x509
copying src/cryptography/x509/extensions.py -> build/lib.linux-x86_64-2.7/cryptography/x509
copying src/cryptography/x509/oid.py -> build/lib.linux-x86_64-2.7/cryptography/x509
copying src/cryptography/x509/general_name.py -> build/lib.linux-x86_64-2.7/cryptography/x509
copying src/cryptography/x509/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/x509
copying src/cryptography/x509/base.py -> build/lib.linux-x86_64-2.7/cryptography/x509
copying src/cryptography/x509/name.py -> build/lib.linux-x86_64-2.7/cryptography/x509
creating build/lib.linux-x86_64-2.7/cryptography/hazmat
copying src/cryptography/hazmat/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings
copying src/cryptography/hazmat/bindings/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
copying src/cryptography/hazmat/backends/interfaces.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
copying src/cryptography/hazmat/backends/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
copying src/cryptography/hazmat/backends/multibackend.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/hashes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/hmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/cmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/keywrap.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/serialization.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/padding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/constant_time.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
copying src/cryptography/hazmat/bindings/openssl/binding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
copying src/cryptography/hazmat/bindings/openssl/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
copying src/cryptography/hazmat/bindings/openssl/_conditional.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/commoncrypto
copying src/cryptography/hazmat/bindings/commoncrypto/binding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/commoncrypto
copying src/cryptography/hazmat/bindings/commoncrypto/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/commoncrypto
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/hashes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/dsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/hmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/cmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/ciphers.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/rsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/backend.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/x509.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/ec.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/utils.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
copying src/cryptography/hazmat/backends/commoncrypto/hashes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
copying src/cryptography/hazmat/backends/commoncrypto/hmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
copying src/cryptography/hazmat/backends/commoncrypto/ciphers.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
copying src/cryptography/hazmat/backends/commoncrypto/backend.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
copying src/cryptography/hazmat/backends/commoncrypto/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
copying src/cryptography/hazmat/primitives/ciphers/modes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
copying src/cryptography/hazmat/primitives/ciphers/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
copying src/cryptography/hazmat/primitives/ciphers/base.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
copying src/cryptography/hazmat/primitives/ciphers/algorithms.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/hkdf.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/x963kdf.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/concatkdf.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/pbkdf2.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/dsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/rsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/ec.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/utils.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/dh.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/padding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/interfaces
copying src/cryptography/hazmat/primitives/interfaces/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/interfaces
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
copying src/cryptography/hazmat/primitives/twofactor/hotp.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
copying src/cryptography/hazmat/primitives/twofactor/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
copying src/cryptography/hazmat/primitives/twofactor/utils.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
copying src/cryptography/hazmat/primitives/twofactor/totp.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
running egg_info
writing requirements to src/cryptography.egg-info/requires.txt
writing src/cryptography.egg-info/PKG-INFO
writing top-level names to src/cryptography.egg-info/top_level.txt
writing dependency_links to src/cryptography.egg-info/dependency_links.txt
writing entry points to src/cryptography.egg-info/entry_points.txt
warning: manifest_maker: standard file '-c' not found
reading manifest file 'src/cryptography.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
no previously-included directories found matching 'docs/_build'
warning: no previously-included files matching '*' found under directory 'vectors'
writing manifest file 'src/cryptography.egg-info/SOURCES.txt'
running build_ext
generating cffi module 'build/temp.linux-x86_64-2.7/_padding.c'
creating build/temp.linux-x86_64-2.7
generating cffi module 'build/temp.linux-x86_64-2.7/_constant_time.c'
generating cffi module 'build/temp.linux-x86_64-2.7/_openssl.c'
building '_openssl' extension
creating build/temp.linux-x86_64-2.7/build
creating build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7
x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c build/temp.linux-x86_64-2.7/_openssl.c -o build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7/_openssl.o
x86_64-linux-gnu-gcc: internal compiler error: Killed (program cc1)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-4.8/README.Bugs> for instructions.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 4
----------------------------------------
Command "/root/.local/share/letsencrypt/bin/python2.7 -c "import setuptools, tokenize;__file__='/tmp/pip-build-am3f0F/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-MCNXuz-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/cryptography" failed with error code 1 in /tmp/pip-build-am3f0F/cryptography
I guess the problem is that cryptography tries to compile using the system library python, -I/usr/include/python2.7, while the letsencrypt python version is installed at /root/.local/share/letsencrypt/:
x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c build/temp.linux-x86_64-2.7/_openssl.c -o build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7/_openssl.o
x86_64-linux-gnu-gcc: internal compiler error: Killed (program cc1)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-4.8/README.Bugs> for instructions.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 4
The problem appeared to be a lack of memory; adding swap fixed the issue for me:
fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
@alexkravets I am having trouble understanding how adding SWAP memory fixes a Python dependency issue. Elaborate, please!
@seanthewebber The Python dependency fails to compile due to lack of memory.
@alexkravets Oohhh. So letsencrypt-auto needs 2GB total RAM to compile its dependencies? That means the following command sequence _should_ work?
fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
/root/.local/share/letsencrypt/bin/pip install pyopenssl ndg-httpsclient pyasn1
@seanthewebber It worked with 1Gb in swap for me, but that depends on how much free memory you have on the server. No need to install any dependencies by hand after adding swap, just run ./letsencrypt-auto — this should install all dependencies automatically.
@alexkravets Sorry for not replying until now. Just confirmed that adding 1GB SWAP like you said fixes the problem. I was able to obtain a certificate a moment ago. Thanks for the help!
Solution: ACME client must run on a host with < 2GB of combined RAM and SWAP.
Moving forward... this could be a roadblock for low power embedded + IoT devices (like routers). Is there any reason the client has to compile these libraries? Could the libraries be downloaded and installed pre-compiled?
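A pre-flight check for the failure discussed above, where gcc's cc1 is killed while building cryptography. This is an added example, not part of the thread or of letsencrypt-auto. The function names, the 1 GiB default (taken from the swap size reported to work above, not a documented minimum) and the sample data are assumptions, and the kernel-log wording differs between kernel versions.

```shell
#!/bin/sh
# Added example: estimate memory available to the compiler and confirm OOM kills.

# Constructed sample: a small host with no swap and no MemAvailable line
# (that field only exists on Linux 3.14 and later).
SAMPLE_MEMINFO='MemTotal:         501796 kB
MemFree:           12340 kB
Buffers:            8200 kB
Cached:            45000 kB
SwapCached:            0 kB
SwapTotal:             0 kB
SwapFree:              0 kB'

# Constructed sample kernel log lines (format used by 3.x/4.x kernels).
SAMPLE_KLOG='[ 1234.567890] Out of memory: Kill process 2817 (cc1) score 612 or sacrifice child
[ 1234.567920] Killed process 2817 (cc1) total-vm:412340kB, anon-rss:301200kB, file-rss:0kB'

# Sum the named meminfo fields (comma-separated, in kB) from stdin.
meminfo_sum_kb() {
  awk -v fields="$1" '
    BEGIN { n = split(fields, want, ","); for (i = 1; i <= n; i++) keep[want[i]] = 1 }
    { key = $1; sub(/:$/, "", key); if (key in keep) total += $2 }
    END { print total + 0 }'
}

# Reclaimable RAM plus free swap, in kB, from meminfo text on stdin.
# Falls back to MemFree+Buffers+Cached when MemAvailable is absent.
build_headroom_kb() (
  text=$(cat)
  if printf '%s\n' "$text" | grep -q '^MemAvailable:'; then
    printf '%s\n' "$text" | meminfo_sum_kb "MemAvailable,SwapFree"
  else
    printf '%s\n' "$text" | meminfo_sum_kb "MemFree,Buffers,Cached,SwapFree"
  fi
)

# Exit status 0 if headroom >= required kB (default 1 GiB), 1 otherwise.
check_build_memory() (
  required_kb=${1:-1048576}
  headroom=$(build_headroom_kb)
  if [ "$headroom" -ge "$required_kb" ]; then
    echo "ok: ${headroom} kB usable, ${required_kb} kB wanted"
  else
    echo "low: ${headroom} kB usable, ${required_kb} kB wanted; add swap before building"
    exit 1
  fi
)

# Names of processes the kernel OOM killer terminated, from kernel log on stdin.
oom_victims() {
  sed -n 's/.*Killed process [0-9][0-9]* (\([^)]*\)).*/\1/p' | sort -u
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_MEMINFO" | check_build_memory || true
printf '%s\n' "$SAMPLE_KLOG" | oom_victims
```

On a real host, feed it live data: `check_build_memory < /proc/meminfo` before running ./letsencrypt-auto, and `dmesg | oom_victims` after a failed build to see whether cc1 was an OOM victim.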
More reports at #1982.
This was actually closed in #2608 AFAICT.
still happening on Ubuntu 14.04
Requirement already satisfied (use --upgrade to upgrade): setuptools>=1.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography==1.2.3->-r /tmp/tmp.IeSNsdtCuj/letsencrypt-auto-requirements.txt (line 35))
Collecting psutil>=2.2.1 (from certbot==0.8.1->-r /tmp/tmp.IeSNsdtCuj/letsencrypt-auto-requirements.txt (line 165))
In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
psutil>=2.2.1 from https://pypi.python.org/packages/22/a8/6ab3f0b3b74a36104785808ec874d24203c6a511ffd2732dd215cf32d689/psutil-4.3.0.tar.gz#md5=ca97cf5f09c07b075a12a68b9d44a67d (from certbot==0.8.1->-r /tmp/tmp.IeSNsdtCuj/letsencrypt-auto-requirements.txt (line 165))
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
You are using pip version 8.0.3, however version 8.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
@LorenzoBoccaccia and Ubuntu 16.04 too
On Ubuntu 16.04 I had to install letsencrypt natively. I did sudo apt-get install letsencrypt, then sudo letsencrypt renew. This renewed my cert using native packages instead of a virtual environment.
See if you still get the problem now. #3334 which caused the primary error in the log above has been resolved.
@eyedol Does the native letsencrypt package work on Ubuntu 14.04, too?
@seanthewebber I didn't try with Ubuntu 14.04. I might have read somewhere that it's packaged for Ubuntu 16.04.
@seanthewebber the package is only available for 16.04 currently
This definitely affected one of my sites:
"The certificate expired on August 7, 2016 at 10:53 PM. The current time is August 7, 2016 at 11:03 PM."
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
You are using pip version 8.0.3, however version 8.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
On Digital Ocean: Reboot fixed it per this thread:
https://github.com/certbot/certbot/issues/2804#issuecomment-220583755
I believe this should be fixed in recent versions of Certbot and certbot-auto. Please reopen if it isn't!
➜ dehydrated git:(master) ✗ python --version
Python 2.7.12
➜ certbot git:(master) ./letsencrypt-auto
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
Hit:1 https://deb.nodesource.com/node_6.x xenial InRelease
Hit:2 http://mirrors.aliyuncs.com/ubuntu xenial InRelease
Hit:3 http://mirrors.aliyuncs.com/ubuntu xenial-security InRelease
Hit:4 http://mirrors.aliyuncs.com/ubuntu xenial-updates InRelease
Hit:5 http://mirrors.aliyuncs.com/ubuntu xenial-proposed InRelease
Hit:6 http://mirrors.aliyuncs.com/ubuntu xenial-backports InRelease
Hit:7 http://ppa.launchpad.net/max-c-lv/shadowsocks-libev/ubuntu xenial InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
augeas-lenses is already the newest version (1.4.0-0ubuntu1).
ca-certificates is already the newest version (20160104ubuntu1).
gcc is already the newest version (4:5.3.1-1ubuntu1).
libaugeas0 is already the newest version (1.4.0-0ubuntu1).
libffi-dev is already the newest version (3.2.1-4).
python is already the newest version (2.7.11-1).
python-dev is already the newest version (2.7.11-1).
libssl-dev is already the newest version (1.0.2g-1ubuntu4.8).
openssl is already the newest version (1.0.2g-1ubuntu4.8).
python-virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Creating virtual environment...
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
    main()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
    download=download,
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /root/.local/share/letsencrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2