Peep install error when running letsencrypt-auto

[singlow]

Just cloned the repo and tried to run in an Ubuntu 14.04 VPS. Using master f205d15

peep: (3, 1, 1)
python: '2.7.6 (default, Jun 22 2015, 17:58:13) 
[GCC 4.8.2]'
pip: '1.5.4'
Command line:  ['/tmp/tmp.zrzkeazK61/peep.py', 'install', '-r', '/tmp/tmp.zrzkeazK61/letsencrypt-auto-requirements.txt']
Traceback (most recent call last):
  File "/tmp/tmp.zrzkeazK61/peep.py", line 967, in <module>
    exit(main())
  File "/tmp/tmp.zrzkeazK61/peep.py", line 939, in main
    return commands[argv[1]](argv[2:])
  File "/tmp/tmp.zrzkeazK61/peep.py", line 884, in peep_install
    req.install()
  File "/tmp/tmp.zrzkeazK61/peep.py", line 652, in install
    run_pip(['install'] + other_args + ['--no-deps', '-U', archive_path])
  File "/tmp/tmp.zrzkeazK61/peep.py", line 206, in run_pip
    status_code = pip.main(initial_args)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/__init__.py", line 185, in main
    return command.main(cmd_args)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/basecommand.py", line 161, in main
    text = '
'.join(complete_log)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 79: ordinal not in range(128)```

[singlow]

More info. Looks like it may be related to a recent openssl update in Ubuntu. I see that openssl updated today on my all my systems and this brand new vm has the latest openssl. The message below hints that it is related to openssl. So this probably isn't anything you can do anything about.

generating cffi module 'build/temp.linux-x86_64-2.7/_constant_time.c'

generating cffi module 'build/temp.linux-x86_64-2.7/_openssl.c'

building '_openssl' extension

creating build/temp.linux-x86_64-2.7/build

creating build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7

x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c build/temp.linux-x86_64-2.7/_openssl.c -o build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7/_openssl.o

build/temp.linux-x86_64-2.7/_openssl.c:710:6: error: conflicting types for ‘BIO_new_mem_buf’

 BIO *BIO_new_mem_buf(void *, int);

      ^

In file included from /usr/include/openssl/asn1.h:65:0,

                 from build/temp.linux-x86_64-2.7/_openssl.c:426:

/usr/include/openssl/bio.h:692:6: note: previous declaration of ‘BIO_new_mem_buf’ was here

 BIO *BIO_new_mem_buf(const void *buf, int len);

      ^

error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

----------------------------------------
Cleaning up...
Command /root/.local/share/letsencrypt/bin/python -c "import setuptools, tokenize;__file__='/tmp/pip-sS7QAO-build/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('
', '
'), __file__, 'exec'))" install --record /tmp/pip-Ee8cI9-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7 failed with error code 1 in /tmp/pip-sS7QAO-build

[singlow]

Some references in case anyone else shows up here with the issue:

pyca/cryptography#2750

http://stackoverflow.com/questions/35736598/cannot-pip-install-cryptography-in-docker-alpine-linux-3-3-with-openssl-1-0-2g

[singlow]

I came up with a temporary workaround for Ubuntu 14.04:

# downgrade and hold the openssl and libssl packages
# this makes you vulnerable to DROWN if you have SSLv2 enabled
apt-get install openssl=1.0.1f-1ubuntu2.18 libssl-dev=1.0.1f-1ubuntu2.18
apt-mark hold libssl-dev openssl

Then edit letsencrypt-auto to add --no-upgrade to prevent it from trying to upgrade libssl-dev which would break because it stops when the warning appears:

  $SUDO apt-get install -y --no-install-recommends --no-upgrade \
    python \
    python-dev \
    $virtualenv \
    gcc \
    dialog \
    $augeas_pkg \
    libssl-dev \
    libffi-dev \
    ca-certificates \

Then you can run letsencrypt-auto and get the certificate. Then upgrade openssl and libssl-dev when the certificate is installed. This will probably be resolved before it needs to renew.

apt-mark unhold libssl-dev openssl
apt-get upgrade

[navjotjsingh]

Your solution worked for me. And looks like the issue has been resolved at pyca/cryptography#2750

[erikrose]

It looks like you're having 2 problems: that cryptography one and then another that's likely a pip 1.5.4 bug, also seen in many other instances:

erikrose/peep#129
erikrose/peep#128
erikrose/peep#127
erikrose/peep#125

That version of pip is 2 years old, so we're going to see about doing an isolated upgrade in those cases.

[s7anley]

Thanks @singlow!

[xzitlou]

I tried @singlow 's solution on ubuntu 16.04 but it doesnt work, this issue shows up every time I try to run pip install -r requirements.txt

[bmw]

@xzitlou, there are letsencrypt packages available on 16.04. Using these packages should be preferred in most cases instead of installing Certbot through pip.

If you still want to try to install through pip, however, did you also install Certbot's OS dependencies with apt? The easiest way to do this is to is to use to run certbot-auto --os-packages-only.

[xzitlou]

@bmw I had to clear the $PATH and re install python and pip, I also remove cryptography from my requirements.txt and I installed manually, this fix the issue.

Thanks anyway.