certbot / certbot

Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

Clarification on statement about pip support #9075

Closed Eccenux closed 1 year ago

Eccenux commented 3 years ago

I already asked the community and some suggested this would be better reported here.

This issue is mostly about updating docs/website to clarify intent.

I would mainly want to ask for clarification on this statement:

Partial support

The Certbot team supports this installation method on a best effort basis. If you are on a more obscure or heavily customized system, these instructions may not work and the Certbot team may be unable to help you resolve the problem.

Does that mean that pip support will be removed in near future (like in a year or two)? Or what does it mean really?

I'm asking because (as you might be aware) there are significant problems with snapd on some installations, especially on LXC containers. Problems so big that it might not be feasible to overcome them. Maybe you should also warn users about them. Specifically, snapd will not work out of the box in an LXC container. You will get something like this:

error: system does not fully support snapd: cannot mount squashfs image using "fuse.squashfuse":

As it seems, fuse / squashfuse digs deep into the system and doesn't play well with virtualization. To overcome this problem you need to change LXC settings (if the host will do that for you). But be aware that it might break your VM. We did try adding fuse=1 and it broke the snapshot features of the virtualization, and generally the VM became unstable. The host admin got it kind of working with mount=fuse,nesting=1, but it still breaks backups and snapshots from the host side (so not really a solution). At some point that might be fixed on the LXC side, but for now it seems just way easier to use Python like with older versions of certbot / certbot-auto.

My operating system is (include version):

CentOS Linux release 7.9

I installed Certbot with (snap, OS package manager, pip, certbot-auto, etc):

Tried snapd and it broke VM.

I ran this command and it produced this output:

When installing snapd it all seemed fine until a reboot broke the system. Saved by the host admin with some instructions from this: https://forum.proxmox.com/threads/ubuntu-snaps-inside-lxc-container-on-proxmox.36463/#post-312633

But then renew failed at some point (below). Snapd failed to start when rebooting the VM, as my host admin reported.

sudo certbot renew

Certbot's behavior differed from what I expected because:

Would be great if it could at least work without snapd on. Or just keep supporting pip installations... Or something different than snapd (with less heavy dependencies).

Here is a Certbot log showing the issue (if available):

Log from the failed renew (but this is probably due to snapd not being available, as mentioned above).

2021-10-22 19:36:54,714:ERROR:certbot._internal.snap_config:An error occurred while fetching Certbot snap plugins: make sure the snapd service is running.
2021-10-22 19:36:54,714:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/1434/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/var/lib/snapd/snap/certbot/1434/lib/python3.8/site-packages/urllib3/connectionpool.py", line 394, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/var/lib/snapd/snap/certbot/1434/lib/python3.8/site-packages/urllib3/connection.py", line 234, in request
    super(HTTPConnection, self).request(method, url, body=body, headers=headers)
  File "/var/lib/snapd/snap/certbot/1434/usr/lib/python3.8/http/client.py", line 1252, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/var/lib/snapd/snap/certbot/1434/usr/lib/python3.8/http/client.py", line 1298, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/var/lib/snapd/snap/certbot/1434/usr/lib/python3.8/http/client.py", line 1247, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/var/lib/snapd/snap/certbot/1434/usr/lib/python3.8/http/client.py", line 1007, in _send_output
    self.send(msg)
  File "/var/lib/snapd/snap/certbot/1434/usr/lib/python3.8/http/client.py", line 947, in send
    self.connect()
  File "/var/lib/snapd/snap/certbot/1434/lib/python3.8/site-packages/certbot/_internal/snap_config.py", line 88, in connect
    self.sock.connect("/run/snapd.socket")
ConnectionRefusedError: [Errno 111] Connection refused

Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring:

Just renewing cert, not conf directly.

bmw commented 3 years ago

Does that mean that pip support will be removed in near future (like in a year or two)? Or what does it mean really?

We have no plans to remove pip support for the (relatively small number of our) users who cannot use snaps. That warning is there because there are so many things that can potentially go wrong trying to install Certbot through pip. On most systems, it should work just fine, but our very small team really doesn't have the resources to be able to help people with things like "I followed your pip instructions on Solaris with a patched OpenSSL and they didn't work."

Do you have a suggestion on how we could change that text? Feel free to open a PR if so. The relevant file is https://github.com/certbot/website/blob/e896f6bae13203fd6ddec942bde6f0b28fcbf2f9/_scripts/instruction-widget/templates/install/pip.html#L6-L8.

Eccenux commented 3 years ago

Maybe something like this:

The Certbot team supports this installation method on a best effort basis. This means we support and test this on some systems, but if you are on a more obscure or heavily customized system, these instructions may not work and the Certbot team may be unable to help you resolve the problem on a more specific installation.

Not sure if the last sentence is needed though. I don't think you would be able to help me with snapd on LXC either. I mean that there are always situations where support is not able to resolve problems (other than saying -- try on/with something else).

Eccenux commented 3 years ago

And maybe also a note about possible problems with snapd. We would have just installed with pip if we had known that snapd would break a system running on LXC.

rafalkrupinski commented 3 years ago

@bmw idea - use pipx (pip&venv essentially) as the main installation method instead of snap
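Added example, not code from the Certbot project or from anyone in this thread: a preflight helper for the situation described above (snapd failing inside an LXC container because it cannot mount squashfs via fuse) that checks whether snapd looks usable before touching it, and otherwise falls back to the pip/venv install that the reporter and the pipx suggestion point at. It assumes snapd listens on /run/snapd.socket (the path in the traceback) and needs /dev/fuse for squashfuse mounts; the venv location and the cron schedule are the author's own choices.

```shell
#!/bin/sh
# Preflight: decide between the snap and pip install paths for certbot
# (added helper; not part of certbot). Paths are overridable so the
# decision logic can be exercised against constructed, non-existent files.
SNAPD_SOCKET="${SNAPD_SOCKET:-/run/snapd.socket}"   # assumption: snapd's control socket
FUSE_DEV="${FUSE_DEV:-/dev/fuse}"                   # assumption: needed for squashfuse mounts
CERTBOT_VENV="${CERTBOT_VENV:-/opt/certbot}"        # hypothetical venv location

# Returns 0 when snapd looks usable, 1 otherwise; explains why on stderr.
# In an LXC container without fuse passthrough /dev/fuse is simply absent,
# which is the condition behind "cannot mount squashfs image using fuse.squashfuse".
snapd_usable() {
    if [ ! -c "$FUSE_DEV" ]; then
        echo "preflight: $FUSE_DEV missing; snapd cannot mount squashfs images here" >&2
        return 1
    fi
    if [ ! -S "$SNAPD_SOCKET" ]; then
        echo "preflight: $SNAPD_SOCKET missing; snapd is not running" >&2
        return 1
    fi
    return 0
}

# Prints "snap" or "pip" so a caller can branch on the result.
choose_install_method() {
    if snapd_usable; then echo snap; else echo pip; fi
}

# pip/venv install: the path this issue falls back to when snapd breaks LXC.
install_certbot_pip() {
    python3 -m venv "$CERTBOT_VENV"
    "$CERTBOT_VENV/bin/pip" install --upgrade pip
    "$CERTBOT_VENV/bin/pip" install certbot
    ln -sf "$CERTBOT_VENV/bin/certbot" /usr/local/bin/certbot
    # The snap's renewal timer is not present, so schedule renew via cron.
    echo "0 0,12 * * * root /usr/local/bin/certbot renew -q" > /etc/cron.d/certbot-renew
}

# Only act when invoked with "install"; sourcing the file just defines functions.
if [ "${1:-}" = "install" ]; then
    case "$(choose_install_method)" in
        snap) echo "snapd looks usable; follow the snap instructions" ;;
        pip)  install_certbot_pip ;;
    esac
fi
```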

github-actions[bot] commented 1 year ago

We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed.

github-actions[bot] commented 1 year ago

This issue has been closed due to lack of activity, but if you think it should be reopened, please open a new issue with a link to this one and we'll take a look.