How to use a free Let’s Encrypt SSL certificate on Linux – part 2


Some errors may occur during the installation of Let’s Encrypt on Linux.

Error 1:

An unexpected error occurred:
AttributeError: 'module' object has no attribute 'SSL_set_tlsext_host_name'
Please see the logfiles in /var/log/letsencrypt for more details.

How to fix it?

Step 1:

cd /var/log/letsencrypt
cat letsencrypt.log

Result:

[root@tutorialspots letsencrypt]# cat letsencrypt.log
2016-05-07 03:30:56,933:DEBUG:letsencrypt.main:Root logging level set at 30
2016-05-07 03:30:56,933:INFO:letsencrypt.main:Saving debug log to /var/log/letse
ncrypt/letsencrypt.log
2016-05-07 03:30:56,933:DEBUG:letsencrypt.main:letsencrypt version: 0.5.0
2016-05-07 03:30:56,933:DEBUG:letsencrypt.main:Arguments: ['--apache']
2016-05-07 03:30:56,933:DEBUG:letsencrypt.main:Discovered plugins: PluginsRegist
ry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,Plugin
EntryPoint#manual,PluginEntryPoint#standalone)
2016-05-07 03:30:56,953:DEBUG:letsencrypt.plugins.selection:Requested authentica
tor apache and installer apache
2016-05-07 03:30:59,636:DEBUG:letsencrypt.plugins.selection:Single candidate plu
gin: * apache
Description: Apache Web Server - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = letsencrypt_apache.configurator:ApacheConfigurator
Initialized: <letsencrypt_apache.configurator.ApacheConfigurator object at 0x8c9
2c0c>
Prep: True
2016-05-07 03:30:59,636:DEBUG:letsencrypt.plugins.selection:Selected authenticat
or <letsencrypt_apache.configurator.ApacheConfigurator object at 0x8c92c0c> and
installer <letsencrypt_apache.configurator.ApacheConfigurator object at 0x8c92c0
c>
2016-05-07 03:37:51,113:DEBUG:root:Sending GET request to https://acme-v01.api.l
etsencrypt.org/directory. args: (), kwargs: {}
2016-05-07 03:37:51,118:INFO:requests.packages.urllib3.connectionpool:Starting n
ew HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-07 03:37:51,290:DEBUG:letsencrypt.main:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/m
ain.py", line 692, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/m
ain.py", line 455, in run
    le_client = _init_le_client(config, authenticator, installer)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/m
ain.py", line 356, in _init_le_client
    acc, acme = _determine_account(config)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/m
ain.py", line 341, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/c
lient.py", line 117, in register
    acme = acme_from_config_key(config, key)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/c
lient.py", line 41, in acme_from_config_key
    return acme_client.Client(config.server, key=key, net=net)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.p
y", line 63, in __init__
    self.net.get(directory).json())
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.p
y", line 627, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.p
y", line 609, in _send_request
    response = requests.request(method, url, *args, **kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/api.
py", line 53, in request
    return session.request(method=method, url=url, **kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/sess
ions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/sess
ions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/adap
ters.py", line 376, in send
    timeout=timeout
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/pack
ages/urllib3/connectionpool.py", line 559, in urlopen
    body=body, headers=headers)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/pack
ages/urllib3/connectionpool.py", line 345, in _make_request
    self._validate_conn(conn)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/pack
ages/urllib3/connectionpool.py", line 784, in _validate_conn
    conn.connect()
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/pack
ages/urllib3/connection.py", line 252, in connect
    ssl_version=resolved_ssl_version)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/pack
ages/urllib3/contrib/pyopenssl.py", line 296, in ssl_wrap_socket
    cnx.set_tlsext_host_name(server_hostname)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/OpenSSL/SSL.p
y", line 1237, in set_tlsext_host_name
    _lib.SSL_set_tlsext_host_name(self._ssl, name)
AttributeError: 'module' object has no attribute 'SSL_set_tlsext_host_name'

We see the lines:

File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/OpenSSL/SSL.p
y", line 1237, in set_tlsext_host_name
    _lib.SSL_set_tlsext_host_name(self._ssl, name)

Step 2:

source /root/.local/share/letsencrypt/bin/activate

Step 3:

pip install pyopenssl==0.12

Result:

[root@tutorialspots letsencrypt]# pip install pyopenssl==0.12
Collecting pyopenssl==0.12
/usr/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/uti
l/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (S
ubject Name Indication) extension to TLS is not available on this platform. This
 may cause the server to present an incorrect TLS certificate, which can cause v
alidation failures. For more information, see https://urllib3.readthedocs.org/en
/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/uti
l/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not availabl
e. This prevents urllib3 from configuring SSL appropriately and may cause certai
n SSL connections to fail. For more information, see https://urllib3.readthedocs
.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading pyOpenSSL-0.12.tar.gz (236kB)
    100% |################################| 245kB 1.9MB/s
Building wheels for collected packages: pyopenssl
  Running setup.py bdist_wheel for pyopenssl ... done
  Stored in directory: /root/.cache/pip/wheels/1a/4c/d0/37bc489760068fa88f0fc948
bfc359ca4e38beabb189cd029b
Successfully built pyopenssl
Installing collected packages: pyopenssl
Successfully installed pyopenssl-0.12

Step 4:
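Open the file /root/.local/share/letsencrypt/lib/python2.7/site-packages/OpenSSL/SSL.py, then comment out line 1237, the _lib.SSL_set_tlsext_host_name(self._ssl, name) call shown in the traceback. That call sets the SNI host name for the connection, so with it commented out the client connects without sending SNI.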

Step 5: Re-run this command to re-install letsencrypt

/root/.local/share/letsencrypt/bin/letsencrypt --apache --verbose

Error 2:

The request message was malformed :: Error creating new authz :: DNS name has too many labels

Read the log file:

cd /var/log/letsencrypt
cat letsencrypt.log

The log shows that your server has some deeply nested subdomains, such as: a.b.c.d.e.f.g.h.domain.com

Please remove these subdomains.
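
One way to find such names before re-running the client, as an added example that is not part of the original tutorial: the script reads Apache configuration text and prints every ServerName or ServerAlias with more labels than a limit. The function names, the sample configuration and the default limit of 10 are assumptions; the tutorial does not state the limit.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# Lists ServerName / ServerAlias host names that have more labels than a limit.
# The default limit of 10 is an assumption; the tutorial does not state one.

# deep_names [MAX]: read Apache config text on stdin,
# print "<label count> <name>" for every name with more than MAX labels.
deep_names() {
    awk -v max="${1:-10}" '
        { sub(/#.*/, "") }                        # ignore comments
        tolower($1) == "servername" || tolower($1) == "serveralias" {
            for (i = 2; i <= NF; i++) {
                name = $i
                sub(/^[a-z]+:\/\//, "", name)     # ServerName may carry a scheme
                sub(/:[0-9]+$/, "", name)         # ... and a port
                sub(/\.$/, "", name)              # trailing root dot is not a label
                n = split(name, parts, ".")
                if (n > max) print n, name
            }
        }'
}

# Constructed sample configuration, so the script runs without a real server.
sample_conf() {
    cat <<'EOF'
# constructed sample
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias a.b.c.d.e.f.g.h.i.example.com shop.example.com
</VirtualHost>
EOF
}

sample_conf | deep_names 10
# On a real host, feed it the Apache configuration instead, for example:
#   cat /etc/httpd/conf.d/*.conf | deep_names 10
```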

Error 3:

Error creating new authz :: Too many currently pending authorizations.

Step 1:
Go to folder: /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory

Then delete the sub-folder

Step 2:
Then you must use a different email address.

Error 4:

Error while running apachectl configtest

Syntax error on line 5 of /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf:
SSLStrictSNIVHostCheck failed; OpenSSL is not built with support for TLS extensi
ons and SNI indication. Refer to the documentation, and build a compatible versi
on of OpenSSL.

Prerequisites to use SNI

  1. Use OpenSSL 0.9.8f or later
  2. Build OpenSSL with the TLS Extensions option enabled (option enable-tlsext; OpenSSL 0.9.8k and later has this enabled by default).
  3. Apache must have been built with that OpenSSL (./configure --with-ssl=/path/to/your/openssl). In that case, mod_ssl will automatically detect the availability of the TLS extensions and support SNI.
  4. Apache must use that OpenSSL at run-time, which might require setting LD_LIBRARY_PATH or equivalent to point to that OpenSSL, maybe in bin/envvars. (You’ll get unresolved symbol errors at Apache startup if Apache was built with SNI but isn’t finding the right openssl libraries at run-time.)

So, you must upgrade OpenSSL and rebuild or upgrade Apache.
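
A quick way to check the prerequisites above on a host, as an added example that is not part of the original tutorial: sni_support classifies an `openssl version` string against the 0.9.8f and 0.9.8k thresholds, and modssl_libs shows which OpenSSL libraries a mod_ssl.so resolves to at run time. The function names, the result labels and the sample version strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial).

# sni_support "VERSION": classify an openssl version string against the
# thresholds listed above. Prints one of:
#   none      older than 0.9.8f, no SNI
#   optional  0.9.8f to 0.9.8j, needs the enable-tlsext build option
#   default   0.9.8k or later, TLS extensions enabled by default
#   unknown   not an OpenSSL x.y.z version string
sni_support() {
    printf '%s\n' "$1" | awk '
    {
        v = ($1 == "OpenSSL") ? $2 : $1
        if (match(v, /^[0-9]+\.[0-9]+\.[0-9]+/) == 0) { print "unknown"; exit }
        num = substr(v, 1, RLENGTH)
        letter = substr(v, RLENGTH + 1, 1)        # patch letter, e.g. the "e" in 0.9.8e
        if (letter !~ /^[a-z]$/) letter = ""
        split(num, p, ".")
        # Zero-padded key so a plain string comparison orders versions correctly.
        key = sprintf("%03d%03d%03d%s", p[1], p[2], p[3], letter)
        if (key < "000009008f")      print "none"
        else if (key < "000009008k") print "optional"
        else                         print "default"
    }'
}

# modssl_libs PATH: show which libssl/libcrypto a mod_ssl.so resolves to at
# run time (prerequisites 3 and 4). PATH is supplied by the caller.
modssl_libs() {
    ldd "$1" | grep -E 'libssl|libcrypto'
}

# Constructed sample version strings.
for v in "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" "OpenSSL 0.9.8j 07 Jan 2009" \
         "OpenSSL 1.0.1e-fips 11 Feb 2013"; do
    printf '%-40s %s\n' "$v" "$(sni_support "$v")"
done
# On a real host: sni_support "$(openssl version)"
#                 modssl_libs /path/to/modules/mod_ssl.so
```

Distribution packages can differ from the upstream release with the same version number, so treat the result as a first check and confirm with the apachectl configtest output.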
