Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

InsecurePlatformWarning #1883

Closed
seanthewebber opened this issue Dec 12, 2015 · 37 comments
Closed

InsecurePlatformWarning #1883

seanthewebber opened this issue Dec 12, 2015 · 37 comments

Comments

@seanthewebber
Copy link

@seanthewebber seanthewebber commented Dec 12, 2015

./letsencrypt-auto is generating an InsecurePlatformWarning on Ubuntu 14.04 LTS. This looks like a conflict between python and python3? What is the proper way to resolve this conflict and how can we implement a fix to eliminate a custom workaround?

Terminal excerpt:

swebber@dev:~/letsencrypt$ sudo -H ./letsencrypt-auto --help
...
Updating letsencrypt and virtual environment dependencies.....
/home/swebber/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/home/swebber/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
@devster31
Copy link

@devster31 devster31 commented Dec 13, 2015

It should only be an issue because ubuntu ships with python 2.7.6 while urllib issues that warning on anything below 2.7.9, updating python2 should fix it.

Certain Python platforms (specifically, versions of Python earlier than 2.7.9)
from https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning

@seanthewebber
Copy link
Author

@seanthewebber seanthewebber commented Dec 13, 2015

That's strange. I just ran sudo apt-get update and sudo apt-get dist-upgrade on this server and everything (including python?) is up to date.

@devster31
Copy link

@devster31 devster31 commented Dec 13, 2015

Ubuntu repos have an older version, try running python --version, if it's below 2.7.9 you get the error you described.

@seanthewebber
Copy link
Author

@seanthewebber seanthewebber commented Dec 13, 2015

swebber@dev:~$ python --version
Python 2.7.6

Yep, there it is. Does that mean these instructions will over write the older version assuming you replaced 2.7.5 with 2.7.10?

@devster31
Copy link

@devster31 devster31 commented Dec 13, 2015

It should. You probably need to run those instructions as root, you can also check the official python docs here. Latest stable is 2.7.11 for python2. You can also use this PPA if you don't want to build from source.

@seanthewebber
Copy link
Author

@seanthewebber seanthewebber commented Dec 13, 2015

So you either run unofficial or update by building the source... that's a pain. Is there any reason python3 cannot be added to letsencrypt-auto:90 like this:

DeterminePythonVersion() {
  if command -v python3.4 > /dev/null ; then
    export LE_PYTHON=${LE_PYTHON:-python3.4}
  elif command -v python3 > /dev/null ; then
    export LE_PYTHON=${LE_PYTHON:-python3}
...
}
@seanthewebber
Copy link
Author

@seanthewebber seanthewebber commented Dec 13, 2015

I suppose an if statement detecting Python < 2.7.9 and implementing pyOpenSSL is also an option, but it seems like a dirty patch that could break break more than it solves.

@devster31
Copy link

@devster31 devster31 commented Dec 13, 2015

It shouldn't be a python2 and python3 conflict since letsencrypt-auto generates a virtual environment based on the python2 version your system has. You could could add it to a requirements file for versions below 2.7.9 here. I can't answer you on the python3 support however.

@seanthewebber
Copy link
Author

@seanthewebber seanthewebber commented Dec 13, 2015

What would the syntax for that look like? Additionally, that would require urllib3.contrib.pyopenssl.inject_into_urllib3() to be copied throughout the code base?

@seanthewebber seanthewebber changed the title InsecurePlatformWarning on Ubuntu 14.04 caused by Python Conflict? InsecurePlatformWarning on Ubuntu 14.04 Dec 13, 2015
@seanthewebber
Copy link
Author

@seanthewebber seanthewebber commented Dec 14, 2015

@devster31 @pde I was poking around the other open issues and it looks like this may be a duplicate of #1623? Thoughts or comments?

@devster31
Copy link

@devster31 devster31 commented Dec 14, 2015

I think it's a duplicate if you only get the warning during the initial run, if I understood correctly I don't think there's a way to avoid that besides suppressing warnings as suggested in #1623. However further warnings during normal letsencrypt operations should be fixed separately using something like what's already in acme/acme/client.py:

# Prior to Python 2.7.9 the stdlib SSL module did not allow a user to configure
# many important security related options. On these platforms we use PyOpenSSL
# for SSL, which does allow these options to be configured.
# https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
if sys.version_info < (2, 7, 9):  # pragma: no cover
    requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()

which would be the best solution possible. PyOpenSSL is already a dependency and is installed during the bootstrap process, so the fix would be to add the above lines wherever requests is imported.

@seanthewebber
Copy link
Author

@seanthewebber seanthewebber commented Dec 18, 2015

Mm.. who could do something like that? Admittedly, I know not how to write Python. :/

Would suppressing the warning still allow certificates to be deployed, or would more runtime errors occur later on down the road? I'm writing a tutorial about Let's Encrypt and I'm on the fence about telling readers to suppress warnings. :/

@devster31
Copy link

@devster31 devster31 commented Dec 18, 2015

There's a discussion with a pull request about suppressing warnings during the installation, I already linked it in the previous comment. It shouldn't cause any problems with the process besides the security vulnerabilities.

@seanthewebber
Copy link
Author

@seanthewebber seanthewebber commented Dec 18, 2015

Got'cha. I will stay on the lookout. Thanks for conversing with me on the matter! :)

@pde pde added this to the 0.2.0 milestone Dec 18, 2015
@pde
Copy link
Member

@pde pde commented Dec 18, 2015

Once we land the new letsencrypt-auto and close #1572, we should be able to suppress InsecurePlatformWarnings due to the OS's venv without security risk.

@seanthewebber
Copy link
Author

@seanthewebber seanthewebber commented Dec 26, 2015

I was messing around with letsencrypt-auto a little more this evening, and it turns out InsecurePlatformWarning is not just a warning. Let's Encrypt totally crashes about thirty seconds afterwards.

...
InsecurePlatformWarning

Command "/root/.local/share/letsencrypt/bin/python2.7 -c "import setuptools, tokenize;__file__='/tmp/pip-build-adjhtc/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-LNTy2r-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/cryptography" failed with error code 1 in /tmp/pip-build-adjhtc/cryptography

Anything I can do? Cannot obtain/renew any certificates currently.

@pde pde added the has pr label Dec 26, 2015
@alexkravets
Copy link

@alexkravets alexkravets commented Dec 28, 2015

+1 have same issue on Ubuntu 14.04, which comes with default Python 2.7.6

After fail, I was trying to install pyOpenSSL with:

/root/.local/share/letsencrypt/bin/pip install pyopenssl ndg-httpsclient pyasn1

But there is some issue with compiling cryptography:

# /root/.local/share/letsencrypt/bin/pip install pyopenssl ndg-httpsclient pyasn1
Collecting pyopenssl
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Using cached pyOpenSSL-0.15.1-py2.py3-none-any.whl
Collecting ndg-httpsclient
  Using cached ndg_httpsclient-0.4.0.tar.gz
Requirement already satisfied (use --upgrade to upgrade): pyasn1 in /root/.local/share/letsencrypt/lib/python2.7/site-packages
Requirement already satisfied (use --upgrade to upgrade): six>=1.5.2 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from pyopenssl)
Collecting cryptography>=0.7 (from pyopenssl)
  Using cached cryptography-1.1.2.tar.gz
Requirement already satisfied (use --upgrade to upgrade): idna>=2.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->pyopenssl)
Requirement already satisfied (use --upgrade to upgrade): setuptools in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->pyopenssl)
Requirement already satisfied (use --upgrade to upgrade): enum34 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->pyopenssl)
Requirement already satisfied (use --upgrade to upgrade): ipaddress in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->pyopenssl)
Requirement already satisfied (use --upgrade to upgrade): cffi>=1.1.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->pyopenssl)
Requirement already satisfied (use --upgrade to upgrade): pycparser in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cffi>=1.1.0->cryptography>=0.7->pyopenssl)
Installing collected packages: cryptography, pyopenssl, ndg-httpsclient
  Running setup.py install for cryptography
    Complete output from command /root/.local/share/letsencrypt/bin/python2.7 -c "import setuptools, tokenize;__file__='/tmp/pip-build-am3f0F/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-MCNXuz-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/cryptography:
    running install
    running build
    running build_py
    creating build
    creating build/lib.linux-x86_64-2.7
    creating build/lib.linux-x86_64-2.7/cryptography
    copying src/cryptography/exceptions.py -> build/lib.linux-x86_64-2.7/cryptography
    copying src/cryptography/fernet.py -> build/lib.linux-x86_64-2.7/cryptography
    copying src/cryptography/__init__.py -> build/lib.linux-x86_64-2.7/cryptography
    copying src/cryptography/utils.py -> build/lib.linux-x86_64-2.7/cryptography
    copying src/cryptography/__about__.py -> build/lib.linux-x86_64-2.7/cryptography
    creating build/lib.linux-x86_64-2.7/cryptography/x509
    copying src/cryptography/x509/extensions.py -> build/lib.linux-x86_64-2.7/cryptography/x509
    copying src/cryptography/x509/oid.py -> build/lib.linux-x86_64-2.7/cryptography/x509
    copying src/cryptography/x509/general_name.py -> build/lib.linux-x86_64-2.7/cryptography/x509
    copying src/cryptography/x509/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/x509
    copying src/cryptography/x509/base.py -> build/lib.linux-x86_64-2.7/cryptography/x509
    copying src/cryptography/x509/name.py -> build/lib.linux-x86_64-2.7/cryptography/x509
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat
    copying src/cryptography/hazmat/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings
    copying src/cryptography/hazmat/bindings/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
    copying src/cryptography/hazmat/backends/interfaces.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
    copying src/cryptography/hazmat/backends/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
    copying src/cryptography/hazmat/backends/multibackend.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/hashes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/hmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/cmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/keywrap.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/serialization.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/padding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/constant_time.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
    copying src/cryptography/hazmat/bindings/openssl/binding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
    copying src/cryptography/hazmat/bindings/openssl/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
    copying src/cryptography/hazmat/bindings/openssl/_conditional.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/commoncrypto
    copying src/cryptography/hazmat/bindings/commoncrypto/binding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/commoncrypto
    copying src/cryptography/hazmat/bindings/commoncrypto/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/commoncrypto
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/hashes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/dsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/hmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/cmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/ciphers.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/rsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/backend.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/x509.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/ec.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/utils.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    copying src/cryptography/hazmat/backends/commoncrypto/hashes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    copying src/cryptography/hazmat/backends/commoncrypto/hmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    copying src/cryptography/hazmat/backends/commoncrypto/ciphers.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    copying src/cryptography/hazmat/backends/commoncrypto/backend.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    copying src/cryptography/hazmat/backends/commoncrypto/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
    copying src/cryptography/hazmat/primitives/ciphers/modes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
    copying src/cryptography/hazmat/primitives/ciphers/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
    copying src/cryptography/hazmat/primitives/ciphers/base.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
    copying src/cryptography/hazmat/primitives/ciphers/algorithms.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    copying src/cryptography/hazmat/primitives/kdf/hkdf.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    copying src/cryptography/hazmat/primitives/kdf/x963kdf.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    copying src/cryptography/hazmat/primitives/kdf/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    copying src/cryptography/hazmat/primitives/kdf/concatkdf.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    copying src/cryptography/hazmat/primitives/kdf/pbkdf2.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/dsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/rsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/ec.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/utils.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/dh.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/padding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/interfaces
    copying src/cryptography/hazmat/primitives/interfaces/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/interfaces
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
    copying src/cryptography/hazmat/primitives/twofactor/hotp.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
    copying src/cryptography/hazmat/primitives/twofactor/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
    copying src/cryptography/hazmat/primitives/twofactor/utils.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
    copying src/cryptography/hazmat/primitives/twofactor/totp.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
    running egg_info
    writing requirements to src/cryptography.egg-info/requires.txt
    writing src/cryptography.egg-info/PKG-INFO
    writing top-level names to src/cryptography.egg-info/top_level.txt
    writing dependency_links to src/cryptography.egg-info/dependency_links.txt
    writing entry points to src/cryptography.egg-info/entry_points.txt
    warning: manifest_maker: standard file '-c' not found

    reading manifest file 'src/cryptography.egg-info/SOURCES.txt'
    reading manifest template 'MANIFEST.in'
    no previously-included directories found matching 'docs/_build'
    warning: no previously-included files matching '*' found under directory 'vectors'
    writing manifest file 'src/cryptography.egg-info/SOURCES.txt'
    running build_ext
    generating cffi module 'build/temp.linux-x86_64-2.7/_padding.c'
    creating build/temp.linux-x86_64-2.7
    generating cffi module 'build/temp.linux-x86_64-2.7/_constant_time.c'
    generating cffi module 'build/temp.linux-x86_64-2.7/_openssl.c'
    building '_openssl' extension
    creating build/temp.linux-x86_64-2.7/build
    creating build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7
    x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c build/temp.linux-x86_64-2.7/_openssl.c -o build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7/_openssl.o
    x86_64-linux-gnu-gcc: internal compiler error: Killed (program cc1)
    Please submit a full bug report,
    with preprocessed source if appropriate.
    See <file:///usr/share/doc/gcc-4.8/README.Bugs> for instructions.
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 4

    ----------------------------------------
Command "/root/.local/share/letsencrypt/bin/python2.7 -c "import setuptools, tokenize;__file__='/tmp/pip-build-am3f0F/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-MCNXuz-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/cryptography" failed with error code 1 in /tmp/pip-build-am3f0F/cryptography
@alexkravets
Copy link

@alexkravets alexkravets commented Dec 28, 2015

I guess the problem is that cryptography tries to compile using system library python, -I/usr/include/python2.7, while letsencrypt python version is installed at /root/.local/share/letsencrypt/:

x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c build/temp.linux-x86_64-2.7/_openssl.c -o build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7/_openssl.o
    x86_64-linux-gnu-gcc: internal compiler error: Killed (program cc1)
    Please submit a full bug report,
    with preprocessed source if appropriate.
    See <file:///usr/share/doc/gcc-4.8/README.Bugs> for instructions.
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 4
@alexkravets
Copy link

@alexkravets alexkravets commented Dec 28, 2015

The problem appeared to be in lack of memory, adding swap fixed the issue for me:

fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
@seanthewebber
Copy link
Author

@seanthewebber seanthewebber commented Dec 28, 2015

@alexkravets I am having trouble understanding how adding SWAP memory fixes a Python dependency issue. Elaborate, please!

@alexkravets
Copy link

@alexkravets alexkravets commented Dec 28, 2015

@seanthewebber python dependency is fail to compile due to lack of memory

@seanthewebber
Copy link
Author

@seanthewebber seanthewebber commented Dec 28, 2015

@alexkravets Oohhh. So letsencrypt-auto needs 2GB total RAM to compile its dependencies? That means the following command sequence should work?

fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
/root/.local/share/letsencrypt/bin/pip install pyopenssl ndg-httpsclient pyasn1
@alexkravets
Copy link

@alexkravets alexkravets commented Dec 28, 2015

@seanthewebber It worked with 1Gb in swap for me, but that depends how much free memory you have on the server. No need to install any dependencies by hands after adding swap, just run ./letsencrypt-auto — this should install all dependencies automatically.

@seanthewebber
Copy link
Author

@seanthewebber seanthewebber commented Jan 1, 2016

@alexkravets Sorry for not replying until now. Just confirmed that adding 1GB SWAP like you said fixes the problem. I was able to obtain a certificate a moment ago. Thanks for the help!

Solution: ACME client must run on a host with < 2GB of combined RAM and SWAP.

Moving forward... this could be a roadblock for low power embedded + IoT devices (like routers). Is there any reason the client has to compile these libraries? Could the libraries be download and installed pre-compiled?

@bmw bmw changed the title InsecurePlatformWarning on Ubuntu 14.04 InsecurePlatformWarning Jan 5, 2016
@bmw bmw modified the milestones: 0.8.0, 0.7.0 May 17, 2016
@bmw bmw modified the milestones: 0.8.0, 0.9.0 Jun 2, 2016
@pde pde modified the milestones: 0.5.0, 0.9.0 Jul 7, 2016
@pde
Copy link
Member

@pde pde commented Jul 7, 2016

This was actually closed in #2608 AFAICT.

@pde pde closed this Jul 7, 2016
@LorenzoBoccaccia
Copy link

@LorenzoBoccaccia LorenzoBoccaccia commented Jul 27, 2016

still happening on Ubuntu 14.04

Requirement already satisfied (use --upgrade to upgrade): setuptools>=1.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography==1.2.3->-r /tmp/tmp.IeSNsdtCuj/letsencrypt-auto-requirements.txt (line 35))
Collecting psutil>=2.2.1 (from certbot==0.8.1->-r /tmp/tmp.IeSNsdtCuj/letsencrypt-auto-requirements.txt (line 165))
In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    psutil>=2.2.1 from https://pypi.python.org/packages/22/a8/6ab3f0b3b74a36104785808ec874d24203c6a511ffd2732dd215cf32d689/psutil-4.3.0.tar.gz#md5=ca97cf5f09c07b075a12a68b9d44a67d (from certbot==0.8.1->-r /tmp/tmp.IeSNsdtCuj/letsencrypt-auto-requirements.txt (line 165))
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
You are using pip version 8.0.3, however version 8.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

@amirrpp
Copy link

@amirrpp amirrpp commented Jul 27, 2016

@LorenzoBoccaccia and Ubuntu 16.04 too

@eyedol
Copy link

@eyedol eyedol commented Jul 27, 2016

On Ubuntu 16.04 I had to install letsencrypt natively. I did, sudo apt-get install letsencrypt then sudo letsencrypt renew This renewed my cert using native packages instead of a virtual environment.

@bmw
Copy link
Member

@bmw bmw commented Jul 27, 2016

See if you still get the problem now. #3334 which caused the primary error in the log above has been resolved.

@seanthewebber
Copy link
Author

@seanthewebber seanthewebber commented Jul 29, 2016

@eyedol Does the native letsencrypt package work on Ubuntu 14.04, too?

@eyedol
Copy link

@eyedol eyedol commented Jul 29, 2016

@seanthewebber I didn't try with Ubuntu 14.04. I might have read somewhere that, it's packaged for Ubuntu 16.04

@benileo
Copy link
Contributor

@benileo benileo commented Jul 30, 2016

@seanthewebber the package is only available for 16.04 currently

@jgallias
Copy link

@jgallias jgallias commented Aug 8, 2016

This definitely affected one of my sites:
"The certificate expired on August 7, 2016 at 10:53 PM. The current time is August 7, 2016 at 11:03 PM."

/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
You are using pip version 8.0.3, however version 8.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
@jgallias
Copy link

@jgallias jgallias commented Aug 8, 2016

On Digital Ocean: Reboot fixed it per this thread:
#2804 (comment)

@bmw bmw modified the milestones: 1.0.0, 0.5.0 Aug 10, 2016
@bmw bmw reopened this Aug 10, 2016
@bmw bmw removed the has pr label Aug 10, 2016
@pde
Copy link
Member

@pde pde commented Dec 19, 2016

I believe this should be fixed in recent versions of Certbot and certbot-auto. Please reopen if it isn't!

@h0wardch3ng
Copy link

@h0wardch3ng h0wardch3ng commented Aug 1, 2017

➜ dehydrated git:(master) ✗ python --version
Python 2.7.12

➜ certbot git:(master) ./letsencrypt-auto
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
Hit:1 https://deb.nodesource.com/node_6.x xenial InRelease
Hit:2 http://mirrors.aliyuncs.com/ubuntu xenial InRelease
Hit:3 http://mirrors.aliyuncs.com/ubuntu xenial-security InRelease
Hit:4 http://mirrors.aliyuncs.com/ubuntu xenial-updates InRelease
Hit:5 http://mirrors.aliyuncs.com/ubuntu xenial-proposed InRelease
Hit:6 http://mirrors.aliyuncs.com/ubuntu xenial-backports InRelease
Hit:7 http://ppa.launchpad.net/max-c-lv/shadowsocks-libev/ubuntu xenial InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
augeas-lenses is already the newest version (1.4.0-0ubuntu1).
ca-certificates is already the newest version (20160104ubuntu1).
gcc is already the newest version (4:5.3.1-1ubuntu1).
libaugeas0 is already the newest version (1.4.0-0ubuntu1).
libffi-dev is already the newest version (3.2.1-4).
python is already the newest version (2.7.11-1).
python-dev is already the newest version (2.7.11-1).
libssl-dev is already the newest version (1.0.2g-1ubuntu4.8).
openssl is already the newest version (1.0.2g-1ubuntu4.8).
python-virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Creating virtual environment...
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in
main()
File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
symlink=options.symlink)
File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
download=download,
File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
% (cmd_desc, proc.returncode))
OSError: Command /root/.local/share/letsencrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
You can’t perform that action at this time.