New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
With 0.32.0, certbot-auto stopped working for some EOL distributions #6824
Comments
Got the same, after an auto upgrade from 0.30.0 to 0.32.0 |
Second that, after upgrade from 0.31.0 to 0.32.0 |
Third that. Upgrade from 0.31.0 to 0.32.0. Debian 7.11 wheezy |
Workaround for me : |
You can also use
|
Seems to be changes in pipstrap that triggers this - manually changing pip-invocation from ['python', '-m', 'pip', … ] back to just ['pip', … ] has things working again. Curiously it also adds
|
0.30, 0.31 is working for me. debian wheezy |
All issues seems to be related to wheezy (if different, please notice it). Indeed wheezy uses an ancient version of However wheezy is EOL since end of 2018, and official support of Certbot has been dropped also. One immediate solution is to upgrade to a non-EOL Debian version. |
I don't have a system-installed pip - only the one that comes via the virtual environment in /opt/eff.org/. Though it also appears quite ancient:
I would, perhaps naively, have expected the virtenv to install a newer pip? But yes, wheezy is EOLed. |
The pip that is failing is not coming from the existing venv of Certbot. It comes from a new venv generated by certbot-auto to upgrade everything. If you try to create a bare venv from the installed So in theory, if you could get a more recent version of the deb package Yes you are right, normally virtualenv self-upgrade its base components. But we disabled it when one of the latest release of pip was broken, and so broke also certbot-auto... Now the pip installed in the new venv is pinned by pipstrap. |
After some tests, yes on wheezy, pip 1.1 is installed by default in venv. Call to Also, version of virtualenv in wheezy does not support the self-upgrading. |
My case and solution:
My steps: it download some files and works fine. |
Hi I downloaded the latest version of the certbot (https://dl.eff.org/certbot-auto) and I changed the two lines that were problematic. Line 1347 and 1357 :
and As specified by olemd,
It works for a distrib 7.3 (debian) Regards, |
Having the same problem since this morning - Debian 7.11. |
Same problem here trying to renew a cert in Ubuntu 12.04.4 LTS |
Ubuntu Precise is also EOL since 2017, and ships with pip 1.0. |
thnxs @adferrand I know Ubuntu Precise has reach the End of Life but certbot-auto has been working properly on this server til now. Time to upgrade. |
breaking things around here as well. |
As a small team of maintainers, we cannot support every distribution out there forever. Our limit is when a given version reaches its EOL. Indeed at this point it means that every dependency provided by the system will stop to be updated. It means also for Certbot that if one of this dependency start to break the software, there is nothing we can do about it from upstream. Here the situation is that pip < 1.2, released almost 7 years ago, does not support what has become the recommended way to launch pip for self-update, as a module, using It is true that certbot-auto failing suddendly because of that is a little harsh without a deprecation warning that could be displayed some time before the final break. We plan to improve that in the future. The only sane way, regarding our capability of support, and the interest on user side to rely on software that are sufficiently maintained for features and security, is to upgrade the OS. For people that are not in a situation of doing that, several solutions have been provided here to stick on a old version of certbot-auto that still works, and shutting down self upgrade. But in this case also, the only way in the long term is to upgrade in a way or another. So I am closing the issue now, as we will not fix certbot-auto for EOL distributions. |
@adferrand we, as your users, work in companies of all sizes, and maybe cant afford to stop the environment and risk everything that is already working fine because of 2 lines of code. imagine that instead of where you are right now, you had a company paying for this code. i know i have no right of complaining here since i dont contribute to the project, but still. |
@yodog If I were the devs for this project I would probably push out the two line rollback as .33 with a notice that proper calling procedures will be implemented in the first version released after 60 days have elapsed. I would not leave legacy code in place just to make people running dinosaur systems happy. That is worse for a greater number of users in the long run. It's EOL. You simply do not compromise your work to support EOL software and hardware. Not for a free, open-source product, anyway. I agree that this could have been handled more cleanly, but then since this script tends to run automated by cron, even a notice output during the auto-upgrade process would be missed by 90% of the sysadmins I know. Most rely on expiration warning emails rather than examining the logfiles for runtime messages. |
Just hit this. Not understanding the source of the issue. Is it Python, Pip, or Virtualenv? Can't I just install a newer python or pip? Is there some reason I am stuck with with the system pip? I can't upgrade the server OS for a little while, but I do know how to install Python outside the purview of the package manager. |
@adferrand Just FYI - it's not always easy to upgrade servers. In my particular case I have 2 cloud servers on Rackspace Public Cloud. To upgrade means rebuilding the server (spin up a new server, migrate everything over, change IPs, etc.) b/c in-place distro upgrades are not supported by the host. Needless to say, @ntabu's little fix did the trick for the server that didn't do the install. FYI - you can replicate by simply @wmakley it's an interface change supported by newer versions of pip. The old method still works even on the newer versions. Not sure why folks are wanting to do |
Seems #6775 was the PR that broke the older distros |
I really understand your situation. I am myself also a Certbot user in a corporate environment. We largely use an ancient CentOS 6 version in a lot of our servers, that is (hopefully) still maintained until 2020. But large efforts are engaged to move on CentOS 7. Because in my opinion, it is not acceptable to let production servers on an unsupported distribution, for which the EOL is known several years before. If in a corporate environment the cost to stay on a old, but supported, version of a software, is often lower than upgrading. However, things change with EOL: having a bug, or a critical security flaw not fixed, become the highest risk over everything else. Let put things in another point of view. Let's suppose that Certbot would continue to work apparently for unsupported distributions. So far, so good, but nobody on our team continue to make regression/security tests on it. Then, something not as visible as a big break happens, like a hidden flaw in one of our third-party dependency. Then people complain on us to expose security flaw on their system. And then we could answer that it is not supported anymore, so we can not take responsibility for that. Formally yes it is true, but we would know that we let intentionally Certbot running on systems where the security could be broken. It is quite the opposite of our purpose, isn't ? Nobody here would take this position knowing that. At least, here the situation is clear. Most of unsupported EOL distributions will not run Certbot out-of-the-box, you will not get, without knowing it, some kind of Certbot zombie that would continue to work in an unknown sanity state. That said, you still can fix yourself certbot-auto to make the shift until your production system is updated. See @ntabu answer. Add to it the Note that I cannot decently recommend to trigger pip self-upgrade like @wmakley proposed. In such old distributions, replacing os systems packages by the most recent ones from PyPI, cannot do anything else than breaking your Python environment. As a final note, I think that any further support should definitively profit to every community member that would be in this situation. So I will stop to continue to answer here, and invite you to continue the discussion, if required, on Let'sEncrypt support forum. |
So sad, just installed certbot-auto a few days ago and then this happened :( --no-self-upgrade doesn't work either. Edit: Works now... had to delete 0.32 and redownload 0.31 for --no-self-upgrade to work. Thanks for the workaround. |
Related topics on Letsencrypt forum: |
OS: Debian Wheezy
Since yesterday certbot-auto stopped working with a message 'pip' is a package and cannot be directly executed
I ran this command:
certbot-auto --debug
output:
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap) Hit http://rspamd.com wheezy Release.gpg Hit http://rspamd.com wheezy Release Hit http://rspamd.com wheezy/main amd64 Packages Hit http://deb.freexian.com wheezy-lts Release.gpg Hit http://deb.freexian.com wheezy-lts-kernel Release.gpg Hit http://deb.freexian.com wheezy-lts Release Hit http://deb.freexian.com wheezy-lts-kernel Release Hit http://deb.freexian.com wheezy-lts/main amd64 Packages Hit http://deb.freexian.com wheezy-lts/contrib amd64 Packages Hit http://deb.freexian.com wheezy-lts/non-free amd64 Packages Hit http://deb.freexian.com wheezy-lts-kernel/main amd64 Packages Reading package lists... Done Reading package lists... Done Building dependency tree Reading state information... Done augeas-lenses is already the newest version. ca-certificates is already the newest version. libaugeas0 is already the newest version. libffi-dev is already the newest version. libssl-dev is already the newest version. openssl is already the newest version. python is already the newest version. python-dev is already the newest version. gcc is already the newest version. python-virtualenv is already the newest version. 0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded. Creating virtual environment... Installing Python packages... /opt/eff.org/certbot/venv/bin/python: No module named pip.__main__; 'pip' is a package and cannot be directly executed Traceback (most recent call last): File "/tmp/tmp.mn0uym6MSb/pipstrap.py", line 177, in <module> sys.exit(main()) File "/tmp/tmp.mn0uym6MSb/pipstrap.py", line 149, in main pip_version = StrictVersion(check_output([python, '-m', 'pip', '--version']) File "/usr/lib/python2.7/subprocess.py", line 544, in check_output raise CalledProcessError(retcode, cmd, output=output) subprocess.CalledProcessError: Command '['/opt/eff.org/certbot/venv/bin/python', '-m', 'pip', '--version']' returned non-zero exit status 1
The text was updated successfully, but these errors were encountered: