Issue while trying to configure Letsencrypt SSL certificate on clean CentOS

Hello Community,

I have been trying for hours to fix an issue when running this command sudo -H bench setup lets-encrypt erp.example.com

Still I cannot find a solution for my problem. I am using:

  • Clean CentOS 7
  • Followed Easy Install script
  • All setup Processes went fine without any error.
  • Site is accessible and working as expected.

This is the error when I run the command sudo -H bench setup lets-encrypt erp.example.com

sudo -H bench setup lets-encrypt erp.example.com
Running this will stop the nginx service temporarily causing your sites to go offline
Do you want to continue? [y/N]: y
$ sudo systemctl stop nginx
$ /opt/certbot-auto --config /etc/letsencrypt/configs/erp.example.com.cfg certonly
Bootstrapping dependencies for RedHat-based OSes… (you can skip this with --no-bootstrap)
dnf is /bin/dnf
dnf is hashed (/bin/dnf)
Last metadata expiration check: 12:41:39 ago on Thu 21 May 2020 03:23:23 PM +03.
Package gcc-4.8.5-39.el7.x86_64 is already installed.
Package augeas-libs-1.4.0-9.el7_8.1.x86_64 is already installed.
Package openssl-1:1.0.2k-19.el7.x86_64 is already installed.
Package openssl-devel-1:1.0.2k-19.el7.x86_64 is already installed.
Package libffi-devel-3.0.13-19.el7.x86_64 is already installed.
Package redhat-rpm-config-9.1.0-88.el7.centos.noarch is already installed.
Package ca-certificates-2019.2.32-76.el7_7.noarch is already installed.
Package python-devel-2.7.5-88.el7.x86_64 is already installed.
Package python-virtualenv-15.1.0-4.el7_7.noarch is already installed.
Package python-tools-2.7.5-88.el7.x86_64 is already installed.
Package python2-pip-8.1.2-12.el7.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!
Creating virtual environment…
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/virtualenv.py", line 2327, in
main()
File "/usr/lib/python2.7/site-packages/virtualenv.py", line 712, in main
symlink=options.symlink)
File "/usr/lib/python2.7/site-packages/virtualenv.py", line 944, in create_environment
download=download,
File "/usr/lib/python2.7/site-packages/virtualenv.py", line 900, in install_wheel
call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
File "/usr/lib/python2.7/site-packages/virtualenv.py", line 796, in call_subprocess
% (cmd_desc, proc.returncode))
OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pip wheel failed with error code 1
Traceback (most recent call last):
File "", line 27, in
File "", line 19, in create_venv
File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['virtualenv', '--no-site-packages', '--python', '/bin/python2.7', '/opt/eff.org/certbot/venv']' returned non-zero exit status 1
nginx.conf already exists and this will overwrite it. Do you want to continue? [y/N]: y
$ sudo systemctl start nginx
Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.

I have searched the forum but no luck on how to fix this issue. All fixes are not working in my environment.

Experts, please help me in fixing this issue.

Thank you!

What these report may give clues. Also, CentOS SELinux may be the issue: Nginx ERROR with CentOS 7 during install.py - fix SELinux -> Permissive

@Alaa

Perhaps look here:

1 Like

Thank you all for your replies.

Performing this command systemctl status nginx.service -l gives this message:

May 22 17:33:13 erp.example.com nginx[24224]: nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/erpnext-prd.conf:32
May 22 17:33:13 erp.example.com nginx[24224]: nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/erp.example.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/erp.example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
May 22 17:33:13 systemd[1]: nginx.service: control process exited, code=exited status=1
May 22 17:33:13 systemd[1]: Failed to start nginx - high performance web server.
May 22 17:33:13 systemd[1]: Unit nginx.service entered failed state.
May 22 17:33:13 systemd[1]: nginx.service failed.

My main concern is not with nginx. I would say I can fix the issue in nginx config file. However, I want to get SSL working for my server. So the issue could be in this error (from my original post):

OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pip wheel failed with error code 1
Traceback (most recent call last):
File "", line 27, in
File "", line 19, in create_venv
File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['virtualenv', '--no-site-packages', '--python', '/bin/python2.7', '/opt/eff.org/certbot/venv']' returned non-zero exit status 1

So how can I get this command sudo -H bench setup lets-encrypt erp.domain.com to work successfully?

Your guidance is really appreciated.

Thank you.
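
The [emerg] line in the log above means the nginx config references a fullchain.pem that was never issued, so nginx cannot start. As an added example (not part of the original posts and not bench's own code), the function below lists certificate and key paths that a config references but that do not exist, so the gap is found before nginx is restarted; the function name and output format are made up for illustration.

```shell
#!/bin/sh
# Added example: report TLS files referenced by nginx configs that are missing.
# missing_tls_files CONF...
#   prints "conf:line: directive -> path (missing)" for each dangling reference
#   exit status: 0 = all present, 1 = something missing, 2 = a config was unreadable
# Assumption: paths are absolute (relative ones are checked against the cwd).
missing_tls_files() (
    rc=0
    for conf in "$@"; do
        if [ ! -r "$conf" ]; then
            echo "$conf: cannot read config" >&2
            rc=2
            continue
        fi
        # Emit "line directive path" for every active (uncommented) directive,
        # with quotes and the trailing semicolon stripped from the path.
        refs=$(awk '$1 ~ /^ssl_(trusted_)?certificate(_key)?$/ {
                        p = $2
                        gsub("[\";\047]", "", p)
                        print FNR, $1, p
                    }' "$conf")
        while read -r lineno directive path; do
            [ -n "$path" ] || continue
            # "data:" values and variables are resolved by nginx at runtime.
            case "$path" in data:*|*\$*) continue ;; esac
            if [ ! -f "$path" ]; then
                echo "$conf:$lineno: $directive -> $path (missing)"
                [ "$rc" -ne 0 ] || rc=1
            fi
        done <<EOF
$refs
EOF
    done
    exit "$rc"
)

# Stand-alone use: sh check_tls_files.sh /etc/nginx/conf.d/*.conf
if [ "$#" -gt 0 ]; then
    missing_tls_files "$@"
fi
```

On a live host, `nginx -t` performs the same load test using nginx's own parser and is the check to run before `systemctl start nginx`.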

Did you bench config dns_multitenant on previously?

Also, you should migrate to python3.

Yes, I did. I am using Python3 as well.

Okay, I will take a stab at this.

In my experience, your command would only work if you had previously renamed the site1.local site to your erp.domain.com.

However, if you used the bench setup add-domain command to get your erp.domain.com to be recognized, then you would need to change your syntax.

If site1.local still exists as a directory in the ~/frappe-bench/sites/ location then you might want to try this version of the Let’s Encrypt command:

sudo -H bench setup lets-encrypt site1.local --custom-domain [sitename]

(and replace [sitename] with your erp.domain.com)

This will properly apply the certificate and resolve the challenges. However it all depends on how you created the erp.domain.com site in your system.

Hope this helps.

BKM

1 Like

Yup. You need to change site1.local to your domain name. Else it won’t work.

Hmm… Not completely true.

I do not change the site1.local folder name on any of my sites. I use this command to attach my URL:

bench setup add-domain --site site1.local [sitename]

And then I use this command to set up my Let's Encrypt cert:

sudo -H bench setup lets-encrypt site1.local --custom-domain [sitename]

When doing it this way you do not have to rename the site directory and you can easily change the URL reference if you needed to without upsetting the system.

BKM

Actually, this is what I have done. Still the command is not working.

This gives the following parameter error:
Error: no such option: -c

This is how I setup my server and installed ERPNext.

OS: CentOS 7
Hosting: AWS

Clean and fresh server setup.

Using Root account:

sudo yum update
sudo timedatectl set-timezone Asia/Qatar
sudo yum install firewalld
configured swap file
sudo yum install epel-release
sudo yum install fail2ban
configured hostname in hosts file
export LC_ALL=en_US.UTF-8
sudo yum update -y
sudo yum install dnf wget -y
dnf groupinstall "Development Tools"
dnf install python3
dnf install ansible -y
curl -sL https://rpm.nodesource.com/setup_10.x | sudo bash -
sudo yum install nodejs

Using sudo account:

sudo wget https://raw.githubusercontent.com/frappe/bench/develop/install.py
sudo python3 install.py --production --site erp.domain.com --user erpnext --bench-name erpnext-prd --verbose
Then the software installed successfully. No failed tasks. All services are working
cd /home/erpnext/erpnext-prd
sudo bench config dns_multitenant on
sudo -H bench setup lets-encrypt erp.domain.com

I would say that the issue is related to package compatibility. But I really don't know how to deal with these things as I am new to Linux. I am trying to read here and there with no luck.

Thank you all for your help.

Hi All,

I think the issue was because bench uses virtualenv v16.x while Certbot script needs virtualenv v15.x to work in case it was run using Python 2. So I fixed the issue in two ways:

Uninstalled virtualenv V16 and ran the certbot-script from the original path
sudo /opt/certbot-auto --renew

In this case, I had to configure the nginx.conf file and set the auto renewal in cron job.

The other way is to force the certbot to be run using Python3 as per the following steps:

cd /opt/
sudo wget https://dl.eff.org/certbot-auto
USE_PYTHON_3=1 /opt/certbot-auto --version # this command will create the venv using Python 3

Then using the sudo user while in bench directory

sudo -H bench setup lets-encrypt erp.domain.com

P.S. If you have already run the certbot script using Python 2, you will need to delete the eff.org before doing this fix.

I don’t know if my explanation is totally true. At least the issue is fixed at my end.

Thank you anyway.

4 Likes