InsecurePlatformWarning #1883

Closed
seanthewebber opened this Issue Dec 12, 2015 · 37 comments

@seanthewebber

./letsencrypt-auto is generating an InsecurePlatformWarning on Ubuntu 14.04 LTS. This looks like a conflict between python and python3? What is the proper way to resolve this conflict and how can we implement a fix to eliminate a custom workaround?

Terminal excerpt:

swebber@dev:~/letsencrypt$ sudo -H ./letsencrypt-auto --help
...
Updating letsencrypt and virtual environment dependencies.....
/home/swebber/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/home/swebber/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning

devster31 Dec 13, 2015

It should only be an issue because Ubuntu ships with Python 2.7.6, while urllib issues that warning on anything below 2.7.9; updating python2 should fix it.

Certain Python platforms (specifically, versions of Python earlier than 2.7.9)
from https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning

seanthewebber Dec 13, 2015

That's strange. I just ran sudo apt-get update and sudo apt-get dist-upgrade on this server and everything (including python?) is up to date.

devster31 Dec 13, 2015

Ubuntu repos have an older version. Try running python --version; if it's below 2.7.9, you get the error you described.

seanthewebber Dec 13, 2015

swebber@dev:~$ python --version
Python 2.7.6

Yep, there it is. Does that mean these instructions will overwrite the older version, assuming you replaced 2.7.5 with 2.7.10?

devster31 Dec 13, 2015

It should. You probably need to run those instructions as root; you can also check the official Python docs here. Latest stable is 2.7.11 for python2. You can also use this PPA if you don't want to build from source.

seanthewebber Dec 13, 2015

So you either run unofficial or update by building the source... that's a pain. Is there any reason python3 cannot be added to letsencrypt-auto:90 like this:

DeterminePythonVersion() {
  if command -v python3.4 > /dev/null ; then
    export LE_PYTHON=${LE_PYTHON:-python3.4}
  elif command -v python3 > /dev/null ; then
    export LE_PYTHON=${LE_PYTHON:-python3}
...
}

seanthewebber Dec 13, 2015

I suppose an if statement detecting Python < 2.7.9 and implementing pyOpenSSL is also an option, but it seems like a dirty patch that could break more than it solves.

devster31 Dec 13, 2015

It shouldn't be a python2 and python3 conflict, since letsencrypt-auto generates a virtual environment based on the python2 version your system has. You could add it to a requirements file for versions below 2.7.9 here. I can't answer you on the python3 support, however.

seanthewebber Dec 13, 2015

What would the syntax for that look like? Additionally, that would require urllib3.contrib.pyopenssl.inject_into_urllib3() to be copied throughout the code base?

@seanthewebber seanthewebber changed the title from InsecurePlatformWarning on Ubuntu 14.04 caused by Python Conflict? to InsecurePlatformWarning on Ubuntu 14.04 Dec 13, 2015

seanthewebber Dec 14, 2015

@devster31 @pde I was poking around the other open issues and it looks like this may be a duplicate of #1623? Thoughts or comments?

devster31 Dec 14, 2015

I think it's a duplicate if you only get the warning during the initial run. If I understood correctly, I don't think there's a way to avoid that besides suppressing warnings as suggested in #1623. However, further warnings during normal letsencrypt operations should be fixed separately using something like what's already in acme/acme/client.py:

# Prior to Python 2.7.9 the stdlib SSL module did not allow a user to configure
# many important security related options. On these platforms we use PyOpenSSL
# for SSL, which does allow these options to be configured.
# https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
if sys.version_info < (2, 7, 9):  # pragma: no cover
    requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()

which would be the best solution possible. PyOpenSSL is already a dependency and is installed during the bootstrap process, so the fix would be to add the above lines wherever requests is imported.
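
An added example (not from this thread or the letsencrypt code base) of the check discussed in the comment above: it probes the ssl module for the feature the warning text names, a true SSLContext, and picks a backend, alongside the sys.version_info gate quoted from acme/acme/client.py. The names probe, version_gate, choose_backend, pyopenssl_shim_importable and the two Fake classes are assumptions made for illustration; the fake modules are constructed sample input.

```python
import importlib
import ssl
import sys
from collections import namedtuple

# Facts about an interpreter's ssl module that decide which backend is safe.
TlsCaps = namedtuple("TlsCaps", "python has_sslcontext has_sni openssl")


def probe(ssl_module=ssl, version_info=sys.version_info):
    """Collect the TLS-relevant facts about an interpreter's ssl module."""
    return TlsCaps(
        python=tuple(version_info[:3]),
        has_sslcontext=hasattr(ssl_module, "SSLContext"),
        has_sni=bool(getattr(ssl_module, "HAS_SNI", False)),
        openssl=getattr(ssl_module, "OPENSSL_VERSION", "unknown"),
    )


def version_gate(caps):
    """The check quoted from acme/acme/client.py: Python older than 2.7.9."""
    return caps.python < (2, 7, 9)


def choose_backend(caps, pyopenssl_ok):
    """Return 'stdlib', 'pyopenssl' or 'insecure-fallback'."""
    if caps.has_sslcontext and caps.has_sni:
        return "stdlib"
    if pyopenssl_ok:
        return "pyopenssl"
    # This is the state in which InsecurePlatformWarning is emitted; filtering
    # the warning hides the message but leaves this backend in use.
    return "insecure-fallback"


def pyopenssl_shim_importable():
    """True if urllib3's pyOpenSSL shim (standalone or vendored) imports."""
    for name in ("urllib3.contrib.pyopenssl",
                 "requests.packages.urllib3.contrib.pyopenssl"):
        try:
            importlib.import_module(name)
            return True
        except Exception:  # missing package or missing OpenSSL bindings
            continue
    return False


class FakeOldSsl(object):
    """Constructed stand-in for the ssl module of a stock Python 2.7.6."""
    OPENSSL_VERSION = "OpenSSL (constructed sample)"


class FakePatchedSsl(FakeOldSsl):
    """Constructed: a 2.7.6 build whose vendor backported SSLContext and SNI."""
    SSLContext = object
    HAS_SNI = True


if __name__ == "__main__":
    here = probe()
    print(here, choose_backend(here, pyopenssl_shim_importable()))
    for fake in (FakeOldSsl, FakePatchedSsl):
        caps = probe(fake, (2, 7, 6))
        print(caps, "version gate:", version_gate(caps),
              "backend:", choose_backend(caps, pyopenssl_ok=True))
```

The FakePatchedSsl case is where the version gate and the feature probe disagree: the gate still fires on 2.7.6 even though the stdlib backend is usable.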

seanthewebber Dec 18, 2015

Mm.. who could do something like that? Admittedly, I know not how to write Python. :/

Would suppressing the warning still allow certificates to be deployed, or would more runtime errors occur later on down the road? I'm writing a tutorial about Let's Encrypt and I'm on the fence about telling readers to suppress warnings. :/

devster31 Dec 18, 2015

There's a discussion with a pull request about suppressing warnings during the installation; I already linked it in the previous comment. It shouldn't cause any problems with the process besides the security vulnerabilities.

seanthewebber Dec 18, 2015

Got'cha. I will stay on the lookout. Thanks for conversing with me on the matter! :)

@pde pde added this to the 0.2.0 milestone Dec 18, 2015

pde Dec 18, 2015

Member

Once we land the new letsencrypt-auto and close #1572, we should be able to suppress InsecurePlatformWarnings due to the OS's venv without security risk.

seanthewebber Dec 26, 2015

I was messing around with letsencrypt-auto a little more this evening, and it turns out InsecurePlatformWarning is not just a warning. Let's Encrypt totally crashes about thirty seconds afterwards.

...
InsecurePlatformWarning

Command "/root/.local/share/letsencrypt/bin/python2.7 -c "import setuptools, tokenize;__file__='/tmp/pip-build-adjhtc/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-LNTy2r-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/cryptography" failed with error code 1 in /tmp/pip-build-adjhtc/cryptography

Anything I can do? Cannot obtain/renew any certificates currently.

@pde pde added the has pr label Dec 26, 2015

alexkravets Dec 28, 2015

+1 have same issue on Ubuntu 14.04, which comes with default Python 2.7.6

After the failure, I tried to install pyOpenSSL with:

/root/.local/share/letsencrypt/bin/pip install pyopenssl ndg-httpsclient pyasn1

But there is some issue with compiling cryptography:

# /root/.local/share/letsencrypt/bin/pip install pyopenssl ndg-httpsclient pyasn1
Collecting pyopenssl
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Using cached pyOpenSSL-0.15.1-py2.py3-none-any.whl
Collecting ndg-httpsclient
  Using cached ndg_httpsclient-0.4.0.tar.gz
Requirement already satisfied (use --upgrade to upgrade): pyasn1 in /root/.local/share/letsencrypt/lib/python2.7/site-packages
Requirement already satisfied (use --upgrade to upgrade): six>=1.5.2 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from pyopenssl)
Collecting cryptography>=0.7 (from pyopenssl)
  Using cached cryptography-1.1.2.tar.gz
Requirement already satisfied (use --upgrade to upgrade): idna>=2.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->pyopenssl)
Requirement already satisfied (use --upgrade to upgrade): setuptools in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->pyopenssl)
Requirement already satisfied (use --upgrade to upgrade): enum34 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->pyopenssl)
Requirement already satisfied (use --upgrade to upgrade): ipaddress in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->pyopenssl)
Requirement already satisfied (use --upgrade to upgrade): cffi>=1.1.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->pyopenssl)
Requirement already satisfied (use --upgrade to upgrade): pycparser in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cffi>=1.1.0->cryptography>=0.7->pyopenssl)
Installing collected packages: cryptography, pyopenssl, ndg-httpsclient
  Running setup.py install for cryptography
    Complete output from command /root/.local/share/letsencrypt/bin/python2.7 -c "import setuptools, tokenize;__file__='/tmp/pip-build-am3f0F/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-MCNXuz-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/cryptography:
    running install
    running build
    running build_py
    creating build
    creating build/lib.linux-x86_64-2.7
    creating build/lib.linux-x86_64-2.7/cryptography
    copying src/cryptography/exceptions.py -> build/lib.linux-x86_64-2.7/cryptography
    copying src/cryptography/fernet.py -> build/lib.linux-x86_64-2.7/cryptography
    copying src/cryptography/__init__.py -> build/lib.linux-x86_64-2.7/cryptography
    copying src/cryptography/utils.py -> build/lib.linux-x86_64-2.7/cryptography
    copying src/cryptography/__about__.py -> build/lib.linux-x86_64-2.7/cryptography
    creating build/lib.linux-x86_64-2.7/cryptography/x509
    copying src/cryptography/x509/extensions.py -> build/lib.linux-x86_64-2.7/cryptography/x509
    copying src/cryptography/x509/oid.py -> build/lib.linux-x86_64-2.7/cryptography/x509
    copying src/cryptography/x509/general_name.py -> build/lib.linux-x86_64-2.7/cryptography/x509
    copying src/cryptography/x509/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/x509
    copying src/cryptography/x509/base.py -> build/lib.linux-x86_64-2.7/cryptography/x509
    copying src/cryptography/x509/name.py -> build/lib.linux-x86_64-2.7/cryptography/x509
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat
    copying src/cryptography/hazmat/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings
    copying src/cryptography/hazmat/bindings/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
    copying src/cryptography/hazmat/backends/interfaces.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
    copying src/cryptography/hazmat/backends/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
    copying src/cryptography/hazmat/backends/multibackend.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/hashes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/hmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/cmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/keywrap.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/serialization.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/padding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    copying src/cryptography/hazmat/primitives/constant_time.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
    copying src/cryptography/hazmat/bindings/openssl/binding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
    copying src/cryptography/hazmat/bindings/openssl/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
    copying src/cryptography/hazmat/bindings/openssl/_conditional.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/commoncrypto
    copying src/cryptography/hazmat/bindings/commoncrypto/binding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/commoncrypto
    copying src/cryptography/hazmat/bindings/commoncrypto/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/commoncrypto
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/hashes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/dsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/hmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/cmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/ciphers.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/rsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/backend.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/x509.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/ec.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/utils.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    copying src/cryptography/hazmat/backends/commoncrypto/hashes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    copying src/cryptography/hazmat/backends/commoncrypto/hmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    copying src/cryptography/hazmat/backends/commoncrypto/ciphers.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    copying src/cryptography/hazmat/backends/commoncrypto/backend.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    copying src/cryptography/hazmat/backends/commoncrypto/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
    copying src/cryptography/hazmat/primitives/ciphers/modes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
    copying src/cryptography/hazmat/primitives/ciphers/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
    copying src/cryptography/hazmat/primitives/ciphers/base.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
    copying src/cryptography/hazmat/primitives/ciphers/algorithms.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    copying src/cryptography/hazmat/primitives/kdf/hkdf.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    copying src/cryptography/hazmat/primitives/kdf/x963kdf.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    copying src/cryptography/hazmat/primitives/kdf/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    copying src/cryptography/hazmat/primitives/kdf/concatkdf.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    copying src/cryptography/hazmat/primitives/kdf/pbkdf2.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/dsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/rsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/ec.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/utils.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/dh.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/padding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/interfaces
    copying src/cryptography/hazmat/primitives/interfaces/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/interfaces
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
    copying src/cryptography/hazmat/primitives/twofactor/hotp.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
    copying src/cryptography/hazmat/primitives/twofactor/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
    copying src/cryptography/hazmat/primitives/twofactor/utils.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
    copying src/cryptography/hazmat/primitives/twofactor/totp.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
    running egg_info
    writing requirements to src/cryptography.egg-info/requires.txt
    writing src/cryptography.egg-info/PKG-INFO
    writing top-level names to src/cryptography.egg-info/top_level.txt
    writing dependency_links to src/cryptography.egg-info/dependency_links.txt
    writing entry points to src/cryptography.egg-info/entry_points.txt
    warning: manifest_maker: standard file '-c' not found

    reading manifest file 'src/cryptography.egg-info/SOURCES.txt'
    reading manifest template 'MANIFEST.in'
    no previously-included directories found matching 'docs/_build'
    warning: no previously-included files matching '*' found under directory 'vectors'
    writing manifest file 'src/cryptography.egg-info/SOURCES.txt'
    running build_ext
    generating cffi module 'build/temp.linux-x86_64-2.7/_padding.c'
    creating build/temp.linux-x86_64-2.7
    generating cffi module 'build/temp.linux-x86_64-2.7/_constant_time.c'
    generating cffi module 'build/temp.linux-x86_64-2.7/_openssl.c'
    building '_openssl' extension
    creating build/temp.linux-x86_64-2.7/build
    creating build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7
    x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c build/temp.linux-x86_64-2.7/_openssl.c -o build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7/_openssl.o
    x86_64-linux-gnu-gcc: internal compiler error: Killed (program cc1)
    Please submit a full bug report,
    with preprocessed source if appropriate.
    See <file:///usr/share/doc/gcc-4.8/README.Bugs> for instructions.
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 4

    ----------------------------------------
Command "/root/.local/share/letsencrypt/bin/python2.7 -c "import setuptools, tokenize;__file__='/tmp/pip-build-am3f0F/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-MCNXuz-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/cryptography" failed with error code 1 in /tmp/pip-build-am3f0F/cryptography

    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/hashes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/dsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/hmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/cmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/ciphers.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/rsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/backend.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/x509.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/ec.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    copying src/cryptography/hazmat/backends/openssl/utils.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    copying src/cryptography/hazmat/backends/commoncrypto/hashes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    copying src/cryptography/hazmat/backends/commoncrypto/hmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    copying src/cryptography/hazmat/backends/commoncrypto/ciphers.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    copying src/cryptography/hazmat/backends/commoncrypto/backend.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    copying src/cryptography/hazmat/backends/commoncrypto/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
    copying src/cryptography/hazmat/primitives/ciphers/modes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
    copying src/cryptography/hazmat/primitives/ciphers/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
    copying src/cryptography/hazmat/primitives/ciphers/base.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
    copying src/cryptography/hazmat/primitives/ciphers/algorithms.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    copying src/cryptography/hazmat/primitives/kdf/hkdf.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    copying src/cryptography/hazmat/primitives/kdf/x963kdf.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    copying src/cryptography/hazmat/primitives/kdf/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    copying src/cryptography/hazmat/primitives/kdf/concatkdf.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    copying src/cryptography/hazmat/primitives/kdf/pbkdf2.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/dsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/rsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/ec.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/utils.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/dh.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    copying src/cryptography/hazmat/primitives/asymmetric/padding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/interfaces
    copying src/cryptography/hazmat/primitives/interfaces/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/interfaces
    creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
    copying src/cryptography/hazmat/primitives/twofactor/hotp.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
    copying src/cryptography/hazmat/primitives/twofactor/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
    copying src/cryptography/hazmat/primitives/twofactor/utils.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
    copying src/cryptography/hazmat/primitives/twofactor/totp.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
    running egg_info
    writing requirements to src/cryptography.egg-info/requires.txt
    writing src/cryptography.egg-info/PKG-INFO
    writing top-level names to src/cryptography.egg-info/top_level.txt
    writing dependency_links to src/cryptography.egg-info/dependency_links.txt
    writing entry points to src/cryptography.egg-info/entry_points.txt
    warning: manifest_maker: standard file '-c' not found

    reading manifest file 'src/cryptography.egg-info/SOURCES.txt'
    reading manifest template 'MANIFEST.in'
    no previously-included directories found matching 'docs/_build'
    warning: no previously-included files matching '*' found under directory 'vectors'
    writing manifest file 'src/cryptography.egg-info/SOURCES.txt'
    running build_ext
    generating cffi module 'build/temp.linux-x86_64-2.7/_padding.c'
    creating build/temp.linux-x86_64-2.7
    generating cffi module 'build/temp.linux-x86_64-2.7/_constant_time.c'
    generating cffi module 'build/temp.linux-x86_64-2.7/_openssl.c'
    building '_openssl' extension
    creating build/temp.linux-x86_64-2.7/build
    creating build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7
    x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c build/temp.linux-x86_64-2.7/_openssl.c -o build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7/_openssl.o
    x86_64-linux-gnu-gcc: internal compiler error: Killed (program cc1)
    Please submit a full bug report,
    with preprocessed source if appropriate.
    See <file:///usr/share/doc/gcc-4.8/README.Bugs> for instructions.
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 4

    ----------------------------------------
Command "/root/.local/share/letsencrypt/bin/python2.7 -c "import setuptools, tokenize;__file__='/tmp/pip-build-am3f0F/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-MCNXuz-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/cryptography" failed with error code 1 in /tmp/pip-build-am3f0F/cryptography

alexkravets Dec 28, 2015

I guess the problem is that cryptography tries to compile using system library python, -I/usr/include/python2.7, while letsencrypt python version is installed at /root/.local/share/letsencrypt/:

x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c build/temp.linux-x86_64-2.7/_openssl.c -o build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7/_openssl.o
    x86_64-linux-gnu-gcc: internal compiler error: Killed (program cc1)
    Please submit a full bug report,
    with preprocessed source if appropriate.
    See <file:///usr/share/doc/gcc-4.8/README.Bugs> for instructions.
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 4


alexkravets Dec 28, 2015

The problem appeared to be a lack of memory; adding swap fixed the issue for me:

fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
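
A way to confirm this diagnosis before adding swap, as an added example that is not part of the thread: it scans a build log for a compiler pass that was killed by a signal and compares reclaimable RAM plus free swap against a threshold. The log and meminfo samples are constructed, and the 1 GiB threshold and all function names are assumptions.

```python
import re

# Constructed sample: the failing lines of a pip build log like the one quoted above.
SAMPLE_LOG = """\
    building '_openssl' extension
    x86_64-linux-gnu-gcc: internal compiler error: Killed (program cc1)
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 4
"""

# Constructed /proc/meminfo excerpt for a small host without swap. It has no
# MemAvailable line, as on kernels older than 3.14.
SAMPLE_MEMINFO = """\
MemTotal:         501792 kB
MemFree:           31200 kB
Buffers:            9800 kB
Cached:            43000 kB
SwapTotal:             0 kB
SwapFree:              0 kB
"""

# Assumed headroom for compiling cryptography's _openssl extension. The thread
# only establishes that adding 1G of swap was enough on one host.
ASSUMED_REQUIRED_KB = 1024 * 1024

# "<driver>: internal compiler error: Killed (program <pass>)" means the
# compiler pass received SIGKILL instead of rejecting the source.
KILLED_RE = re.compile(r"^\s*(\S+): internal compiler error: Killed \(program (\w+)\)")
MEMINFO_RE = re.compile(r"^([\w()]+):\s+(\d+)(?:\s+kB)?\s*$")


def parse_meminfo(text):
    """Return {field: value} for every 'Name:   value [kB]' line."""
    info = {}
    for line in text.splitlines():
        m = MEMINFO_RE.match(line)
        if m:
            info[m.group(1)] = int(m.group(2))
    return info


def reclaimable_kb(info):
    """RAM the kernel can hand out plus free swap, in kB."""
    if "MemAvailable" in info:
        ram = info["MemAvailable"]
    else:
        # Fallback estimate for old kernels: free pages plus page cache.
        ram = info.get("MemFree", 0) + info.get("Buffers", 0) + info.get("Cached", 0)
    return ram + info.get("SwapFree", 0)


def killed_compilers(log):
    """Return (driver, pass) pairs for compiler passes that died from a signal."""
    hits = []
    for line in log.splitlines():
        m = KILLED_RE.match(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def diagnose(log, meminfo_text, required_kb=ASSUMED_REQUIRED_KB):
    """Classify a failed build as memory starvation, another kill, or a plain error."""
    have = reclaimable_kb(parse_meminfo(meminfo_text))
    killed = killed_compilers(log)
    if killed and have < required_kb:
        verdict = "out-of-memory"
    elif killed:
        verdict = "killed-other"  # SIGKILL with memory to spare: check dmesg and ulimits
    else:
        verdict = "not-killed"    # ordinary build failure, e.g. missing headers
    return {
        "verdict": verdict,
        "available_kb": have,
        "shortfall_kb": max(0, required_kb - have),
        "killed": killed,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_MEMINFO))
```

On a live host, pass the contents of /proc/meminfo and the saved pip output instead of the samples.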


seanthewebber Dec 28, 2015

@alexkravets I am having trouble understanding how adding SWAP memory fixes a Python dependency issue. Elaborate, please!


alexkravets Dec 28, 2015

@seanthewebber the Python dependency fails to compile due to lack of memory


seanthewebber Dec 28, 2015

@alexkravets Oohhh. So letsencrypt-auto needs 2GB total RAM to compile its dependencies? That means the following command sequence should work?

fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
/root/.local/share/letsencrypt/bin/pip install pyopenssl ndg-httpsclient pyasn1


alexkravets Dec 28, 2015

@seanthewebber It worked with 1Gb in swap for me, but that depends on how much free memory you have on the server. No need to install any dependencies by hand after adding swap; just run ./letsencrypt-auto — this should install all dependencies automatically.


seanthewebber Jan 1, 2016

@alexkravets Sorry for not replying until now. Just confirmed that adding 1GB SWAP like you said fixes the problem. I was able to obtain a certificate a moment ago. Thanks for the help!

Solution: ACME client must run on a host with < 2GB of combined RAM and SWAP.

Moving forward... this could be a roadblock for low-power embedded + IoT devices (like routers). Is there any reason the client has to compile these libraries? Could the libraries be downloaded and installed pre-compiled?


@bmw bmw changed the title from InsecurePlatformWarning on Ubuntu 14.04 to InsecurePlatformWarning Jan 5, 2016


bmw Jan 5, 2016

Contributor

More reports at #1982.


@pde pde modified the milestones: 0.3.0, 0.2.0 Jan 11, 2016

@pde pde modified the milestones: 0.5.0, 0.4.0 Jan 28, 2016

rorosaurus added a commit to rorosaurus/letsencrypt that referenced this issue Feb 4, 2016

adding RAM requirement to readme
There is a non-obvious requirement for memory to be available for the crypto libraries on the client.  The readme's System Requirements section didn't reflect this.  On low-memory systems this crashes the client with an extremely verbose but not terribly useful error. 
See certbot#1883 (comment)

rorosaurus added a commit to rorosaurus/letsencrypt that referenced this issue Feb 4, 2016

updating readme with free memory requirement
There is a non-obvious requirement for free memory to be available for crypto to compile when running letsencrypt-auto. The readme's System Requirements section didn't reflect this. On low-memory systems this crashes the client with an extremely verbose but not terribly useful error. 
See certbot#1883 (comment) 
Revision 2 per certbot#2370 (comment)

@bmw bmw modified the milestones: 0.6.0, 0.5.0 Feb 18, 2016

@bmw bmw modified the milestones: 0.6.0, 0.7.0 Apr 12, 2016

@bmw bmw modified the milestones: 0.7.0, 0.8.0 May 17, 2016

@bmw bmw modified the milestones: 0.8.0, 0.9.0 Jun 2, 2016

@pde pde modified the milestones: 0.5.0, 0.9.0 Jul 7, 2016


pde Jul 7, 2016

Member

This was actually closed in #2608 AFAICT.


@pde pde closed this Jul 7, 2016


LorenzoBoccaccia Jul 27, 2016

still happening on Ubuntu 14.04

Requirement already satisfied (use --upgrade to upgrade): setuptools>=1.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography==1.2.3->-r /tmp/tmp.IeSNsdtCuj/letsencrypt-auto-requirements.txt (line 35))
Collecting psutil>=2.2.1 (from certbot==0.8.1->-r /tmp/tmp.IeSNsdtCuj/letsencrypt-auto-requirements.txt (line 165))
In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    psutil>=2.2.1 from https://pypi.python.org/packages/22/a8/6ab3f0b3b74a36104785808ec874d24203c6a511ffd2732dd215cf32d689/psutil-4.3.0.tar.gz#md5=ca97cf5f09c07b075a12a68b9d44a67d (from certbot==0.8.1->-r /tmp/tmp.IeSNsdtCuj/letsencrypt-auto-requirements.txt (line 165))
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
You are using pip version 8.0.3, however version 8.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.


amirrpp Jul 27, 2016

@LorenzoBoccaccia and Ubuntu 16.04 too


eyedol Jul 27, 2016

On Ubuntu 16.04 I had to install letsencrypt natively. I did sudo apt-get install letsencrypt, then sudo letsencrypt renew. This renewed my cert using native packages instead of a virtual environment.


bmw Jul 27, 2016

Contributor

See if you still get the problem now. #3334 which caused the primary error in the log above has been resolved.


seanthewebber Jul 29, 2016

@eyedol Does the native letsencrypt package work on Ubuntu 14.04, too?


eyedol Jul 29, 2016

@seanthewebber I didn't try with Ubuntu 14.04. I might have read somewhere that it's packaged for Ubuntu 16.04.


benileo Jul 30, 2016

Contributor

@seanthewebber the package is only available for 16.04 currently


jgallias Aug 8, 2016

This definitely affected one of my sites:
"The certificate expired on August 7, 2016 at 10:53 PM. The current time is August 7, 2016 at 11:03 PM."

/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
You are using pip version 8.0.3, however version 8.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.


jgallias Aug 8, 2016

On Digital Ocean: Reboot fixed it per this thread:
#2804 (comment)


@bmw bmw modified the milestones: 1.0.0, 0.5.0 Aug 10, 2016

@bmw bmw reopened this Aug 10, 2016

@bmw bmw removed the has pr label Aug 10, 2016

@mscalora mscalora referenced this issue in kappataumu/letsencrypt-cloudflare-hook Aug 15, 2016

Closed

Resolved issues #17


pde Dec 19, 2016

Member

I believe this should be fixed in recent versions of Certbot and certbot-auto. Please reopen if it isn't!


@pde pde closed this Dec 19, 2016

@pde pde added the area: security label Dec 19, 2016

@ky0nch3ng ky0nch3ng referenced this issue in kappataumu/letsencrypt-cloudflare-hook Aug 1, 2017

Closed

ImportError: No module named urllib3.contrib.pyopenssl #41


ky0nch3ng Aug 1, 2017

➜ dehydrated git:(master) ✗ python --version
Python 2.7.12

➜ certbot git:(master) ./letsencrypt-auto
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
Hit:1 https://deb.nodesource.com/node_6.x xenial InRelease
Hit:2 http://mirrors.aliyuncs.com/ubuntu xenial InRelease
Hit:3 http://mirrors.aliyuncs.com/ubuntu xenial-security InRelease
Hit:4 http://mirrors.aliyuncs.com/ubuntu xenial-updates InRelease
Hit:5 http://mirrors.aliyuncs.com/ubuntu xenial-proposed InRelease
Hit:6 http://mirrors.aliyuncs.com/ubuntu xenial-backports InRelease
Hit:7 http://ppa.launchpad.net/max-c-lv/shadowsocks-libev/ubuntu xenial InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
augeas-lenses is already the newest version (1.4.0-0ubuntu1).
ca-certificates is already the newest version (20160104ubuntu1).
gcc is already the newest version (4:5.3.1-1ubuntu1).
libaugeas0 is already the newest version (1.4.0-0ubuntu1).
libffi-dev is already the newest version (3.2.1-4).
python is already the newest version (2.7.11-1).
python-dev is already the newest version (2.7.11-1).
libssl-dev is already the newest version (1.0.2g-1ubuntu4.8).
openssl is already the newest version (1.0.2g-1ubuntu4.8).
python-virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Creating virtual environment...
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in
main()
File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
symlink=options.symlink)
File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
download=download,
File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
% (cmd_desc, proc.returncode))
OSError: Command /root/.local/share/letsencrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2
