Yannik / qnap-letsencrypt

Let's Encrypt on QNAP

./renew_certificate.sh fails #4

Closed MrTimid closed 8 years ago

MrTimid commented 8 years ago

Platform/Firmware Information

- Platform = X86_PINEVIEW
- Model = TS-459
- Internal Model = TS-459
- Version = 4.2.0
- Build Number = 20160130
- Rsync Model = QNAP
- Build Date = 2016-01-30
- Python 2.7.5


**Issue Summary (provide relevant error messages and log output):**
Everything works as described until I try to run ./renew_certificate.sh, which fails with the error below.
Could this be a bug, or is it more likely a misconfiguration on my part that is responsible?

```
# ./renew_certificate.sh
Checking whether to renew certificate on Sun, 27 Mar 2016 18:52:14 +0200
Renewing certificate...
Stopping Qthttpd hogging port 80..
Shutting down Qthttpd services: OK.
Started python SimpleHTTPServer with pid 2808
Could not import runpy module
Traceback (most recent call last):
  File "acme-tiny/acme_tiny.py", line 2, in <module>
    import argparse, subprocess, json, os, sys, base64, binascii, time, hashlib, re, copy, textwrap, logging
  File "/root/daily_build/4.2.0/Model/TS-459/../../SysUtil/Python-2.7.5-cross/install_path_full/lib/python2.7/argparse.py", line 85, in <module>
ImportError: No module named collections
```

Yannik commented 8 years ago

Which python qpkgs do you have installed? Any other python installations? What's the output of `which python`?

MrTimid commented 8 years ago

`which python` gives me "/usr/local/bin/python"; `/usr/local/bin/python --version` -> Python 2.7.5

Frankly, I am at a loss when it comes to python and the QPKG-Center. Because of the error I tried to install python3 via the App-Center, which did not change the behaviour. In the app-center I am offered to install Python 2.7.3.

find got me an additional "/share/MD0_DATA/.qpkg/Optware/bin/python2.6"

I have the feeling python 3 did not install properly, since find got many hits in /share/MD0_DATA/.qpkg/Python3/src/ (including bin) but none in a path I would expect.

Yannik commented 8 years ago

Please try `ls -alsh $(which python)`. You should have Python 2.7.3 installed in the appcenter, I am unsure what kind of install that python 2.7.5 is.

MrTimid commented 8 years ago

`ls -alsh $(which python)` -> `0 lrwxrwxrwx 1 admin administ 30 Mar 28 00:35 /usr/local/bin/python -> /mnt/ext/opt/Python/bin/python*`

Python 2.7.3 does not seem to be installed, but is offered in the QTS-App-Center.

To add to the confusion: quite some time ago I installed python via optware (to use duplicity) but `ipkg list_installed | grep python` gives: `python26 - 2.6.8-1 - Python is an interpreted, interactive, object-oriented programming language.`

Yannik commented 8 years ago

I'd remove the optware python package and install python 2.7.3 from the app center. This should fix your issue.
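
The checks requested in this thread (`which python`, `ls -alsh $(which python)`, `python --version`) can be combined with an import test of the modules named in the traceback. This is an added example, not part of the thread or of qnap-letsencrypt; the function names `check_python` and `audit_pythons` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): test each Python interpreter for a
# usable standard library. MODULES is the import line from the traceback
# plus "collections", the module that failed to load.
MODULES="argparse, subprocess, json, os, sys, base64, binascii, time, hashlib, re, copy, textwrap, logging, collections"

# check_python INTERPRETER: print one report line.
# Returns 0 if all modules import, 1 if an import fails, 2 if not executable.
check_python() {
    interp=$1
    if [ ! -x "$interp" ]; then
        echo "MISSING $interp"
        return 2
    fi
    # Resolve symlinks, the same thing `ls -alsh $(which python)` shows.
    target=$(readlink -f "$interp" 2>/dev/null || echo "$interp")
    version=$("$interp" --version 2>&1 | head -n 1)
    if err=$("$interp" -c "import $MODULES" 2>&1); then
        echo "OK      $interp -> $target ($version)"
        return 0
    fi
    # The last traceback line names the missing module.
    echo "BROKEN  $interp -> $target ($version): $(echo "$err" | tail -n 1)"
    return 1
}

# audit_pythons: run check_python on every python binary on PATH, in PATH order.
# Returns 1 if any interpreter found is broken.
audit_pythons() {
    status=0
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        IFS=$old_ifs
        for candidate in "$dir"/python "$dir"/python[23] "$dir"/python[23].[0-9]; do
            [ -f "$candidate" ] && [ -x "$candidate" ] || continue
            check_python "$candidate" || status=1
        done
    done
    IFS=$old_ifs
    return "$status"
}

audit_pythons || echo "at least one interpreter cannot import the modules acme_tiny.py needs"
```
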

Yannik commented 8 years ago

@MrTimid update on this?

MrTimid commented 8 years ago

Sorry for the delayed answer, I was away for a few days. I did as suggested and removed the optware python (which was v.2.6) and installed 2.7.3.

Now `ls -alsh $(which python)` yields `/usr/bin/python -> /share/MD0_DATA/.qpkg/Python/bin/python*`

python --version yields Python 2.7.9

renew_certificate.sh now works, so thank you very much for your help.

_This issue seems resolved._ So thank you very much for your support!!

I am still working on the additional certificates, though. Although I followed the instructions given on "How to generate content of /etc/ssl/certs?", Firefox still complains about SEC_ERROR_UNKNOWN_ISSUER.

Just in case it's of interest to you, here are excerpts from https://www.ssllabs.com/ssltest/analyze.html:

Additional Certificates (if supplied)

- Certificates provided: 2 (2496 bytes)
- Chain issues: Incomplete, Extra certs

#2

- Subject: Let's Encrypt Authority X1
- Fingerprint SHA1: 3eae91937ec85d74483ff4b77b07b43e2af36bf4
- Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
- Valid until: Mon, 19 Oct 2020 22:33:36 UTC (expires in 4 years and 6 months)
- Key: RSA 2048 bits (e 65537)
- Issuer: DST Root CA X3
- Signature algorithm: SHA256withRSA

Certification Paths

Path #1: Trusted

- 1, Sent by server: [my server-name]
  - Fingerprint SHA1: 797357d1a9858225dd5f2280d751d7a09f7e2a1e
  - Pin SHA256: bwfbkMUM10a1m8287HCVudOskxF6Sd61fpPRDGleMVQ=
  - RSA 2048 bits (e 65537) / SHA256withRSA
- 2, Extra download: Let's Encrypt Authority X3
  - Fingerprint SHA1: e6a3b45b062d509b3382282d196efe97d5956ccb
  - Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
  - RSA 2048 bits (e 65537) / SHA256withRSA
- 3, In trust store: DST Root CA X3, Self-signed
  - Fingerprint SHA1: dac9024f54d8f6df94935fb1732638ca6ad77c13
  - Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
  - RSA 2048 bits (e 65537) / SHA1withRSA
  - Weak or insecure signature, but no impact on root certificate

Yannik commented 8 years ago

The intermediate certificate is not being sent by your nas.

We'll have to check how your apache is configured.

```
ps aux |grep apache
ps aux |grep stunnel
lsof -i :443
lsof -i :8080
grep -i ssl /etc/apache-sys-proxy-ssl.conf
```

Yannik commented 8 years ago

@MrTimid I think I found the issue, letsencrypt changed their intermediate certificates. Try again with the latest version of qnap-letsencrypt please.

MrTimid commented 8 years ago

That did the trick. Thank you so much!
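
The chain problem in this thread (SSL Labs reporting "Incomplete, Extra certs", with the server sending Let's Encrypt Authority X1 while the trusted path needed X3) can be caught locally before a browser complains. This is an added example, not part of the thread or of qnap-letsencrypt; it assumes the `openssl` command-line tool is installed, the function names are hypothetical, and the bundle path is whichever PEM file your web server is configured to serve.

```shell
#!/bin/sh
# Added example (not from the thread): name-level chain check for a PEM
# bundle. Each certificate must be issued by the one that follows it.
# Only issuer/subject name hashes are compared; signatures are not verified.

# split_bundle BUNDLE OUTDIR: write each certificate to OUTDIR/cert-N.pem
# and print how many were found.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# check_chain BUNDLE: returns 0 if every link matches, 1 if a link is broken,
# 2 if only a non-self-signed leaf is present, 3 if no certificate was read.
check_chain() {
    [ -r "$1" ] || { echo "cannot read $1"; return 3; }
    dir=$(mktemp -d) || return 3
    count=$(split_bundle "$1" "$dir")
    rc=0; i=1
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -noout -issuer_hash -in "$dir/cert-$i.pem")
        subject=$(openssl x509 -noout -subject_hash -in "$dir/cert-$next.pem")
        if [ "$issuer" != "$subject" ]; then
            echo "BROKEN: cert $next is not the issuer of cert $i"
            rc=1
        fi
        i=$next
    done
    if [ "$count" -eq 0 ]; then
        echo "no certificate found in $1"; rc=3
    elif [ "$count" -eq 1 ]; then
        own_subject=$(openssl x509 -noout -subject_hash -in "$dir/cert-1.pem")
        own_issuer=$(openssl x509 -noout -issuer_hash -in "$dir/cert-1.pem")
        if [ "$own_subject" != "$own_issuer" ]; then
            echo "INCOMPLETE: only the leaf is sent, no intermediate"; rc=2
        fi
    fi
    [ "$rc" -eq 0 ] && echo "OK: $count certificate(s), every issuer matches"
    rm -rf "$dir"
    return "$rc"
}

# Usage: sh check_chain.sh /path/to/bundle.pem
if [ "$#" -gt 0 ]; then check_chain "$1"; fi
```
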