TL;DR – Let’s Encrypt requires a newer version of OpenSSL than CentOS 5 has installed. Unless you want to mess around with compiling OpenSSL yourself, don’t try it.
Installing Python 2.7 on CentOS 5
What we want to do: get letsencrypt installed. However, it requires(*) python 2.7, so we’re getting that on CentOS 5 first:
Thankfully, Inline with Upstream Stable (IUS) have python 2.7 for CentOS 5, so we’re just going to use their work. Start by getting the RPM install file:
wget https://centos5.iuscommunity.org/ius-release.rpm
Install the repo. Unfortunately, IUS don’t appear to expose their GPG key to import it early, so we have to disable the key check while installing it:
yum -y --nogpgcheck localinstall ius-release-1.0-14.el5.noarch.rpm
Then, install python 2.7 & some dependencies we need:
yum install python27 python27-pip python27-virtualenv git gcc
For some reason the pip package didn’t install the /usr/bin/pip script, so I had to go to /usr/lib/python2.7/site-packages and run:
python2.7 pip install --upgrade --force-reinstall pip
Installing Let’s Encrypt on CentOS 5
At this point we have a working Python 2.7 install, so we can go ahead and set up letsencrypt:
I ran LE_PYTHON=python2.7 ./letsencrypt-auto – the LE_PYTHON variable is to force it to use the Python27 install. (Side note: it installed the default package versions, like python-2.4-devel, and gcc-4.1)
It’s important to note that if anything goes wrong, run rm -rf ~/.local/share/letsencrypt to blow away the virtualenv. letsencrypt will automatically reinstall everything for you.
Not updating OpenSSL on CentOS 5
Unfortunately, at this point I hit an OpenSSL error – AttributeError: 'module' object has no attribute 'SSL_set_tlsext_host_name'. As it turns out, the version of OpenSSL in CentOS 5 is just too old.
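A preflight check for this error, as an added example rather than part of the original post: it reports which OpenSSL build the stdlib ssl module and pyOpenSSL are actually linked against, whether each exposes SNI, and whether that differs from the openssl binary on PATH. The function names are made up for this example, and SSL._lib is pyOpenSSL's private binding handle, so that lookup is best-effort.

```python
import re
import ssl
import subprocess

SYMBOL = "SSL_set_tlsext_host_name"  # the attribute named in the traceback

def parse_version(banner):
    """Extract e.g. '1.0.2k' from an OpenSSL version banner (None if unrecognised)."""
    m = re.match(r"\s*(?:OpenSSL|LibreSSL)\s+(\d+\.\d+\.\d+[a-z]*)", banner or "")
    return m.group(1) if m else None

def probe():
    """Collect (banner, has_sni) for the stdlib ssl module, the CLI and pyOpenSSL."""
    # HAS_SNI is missing on older 2.7 builds; None then means "unknown".
    found = {"stdlib ssl": (ssl.OPENSSL_VERSION, getattr(ssl, "HAS_SNI", None))}
    try:
        out = subprocess.check_output(["openssl", "version"])
        found["openssl CLI"] = (out.decode("ascii", "replace"), None)
    except (OSError, subprocess.CalledProcessError):
        pass  # no openssl binary on PATH
    try:
        from OpenSSL import SSL  # pyOpenSSL, the module that raised the error
        banner = SSL.SSLeay_version(SSL.SSLEAY_VERSION).decode("ascii", "replace")
        # Assumption: SSL._lib is the private cffi binding object used in SSL.py.
        found["pyOpenSSL"] = (banner, hasattr(SSL._lib, SYMBOL))
    except Exception:
        pass  # pyOpenSSL not installed, or its layout differs
    return found

def diagnose(found):
    """Return warnings for bindings that lack SNI or differ from the CLI version."""
    cli = parse_version(found.get("openssl CLI", ("", None))[0])
    warnings = []
    for name, (banner, has_sni) in sorted(found.items()):
        version = parse_version(banner)
        if has_sni is False:
            warnings.append("%s (%s) has no SNI support" % (name, version))
        if cli and version and name != "openssl CLI" and version != cli:
            warnings.append("%s is built against %s, not the CLI's %s"
                            % (name, version, cli))
    return warnings

if __name__ == "__main__":
    for line in diagnose(probe()) or ["no problems found"]:
        print(line)
```

Run it with the same interpreter the client uses (here, the python2.7 inside the virtualenv), since each interpreter and virtualenv can be linked against a different libssl.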
Unlike Python, there’s no easy alternative, or updated OpenSSL package that I know of that’s a drop in replacement. With a choice between
Useful take-aways
unalias, for when I tried to alias pip to python2.7 pip
The --force-reinstall flag for pip, along with -U making --upgrade a lot shorter
#1 by Kamil Maslowski on March 14, 2016 - 12:39 pm
I successfully generated certificates using letsencrypt.sh (another client) on CentOS5. Check it out: github.com/lukas2511/letsencrypt.sh
#2 by David on April 19, 2016 - 3:20 pm
I wish I found this article before I had gone and spent 2 hours hitting the same roadblock. The imagery perfectly explains my pain.
#3 by John on May 30, 2016 - 6:53 am
Don’t give up yet! Just edit OpenSSL/SSL.py in your Python2.7 site-packages directory (see /var/log/letsencrypt/letsencrypt.log for the path) and put a try/except block around the offending line:
try:
    _lib.SSL_set_tlsext_host_name(self._ssl, name)
except AttributeError:  # this OpenSSL build has no SNI call, so no hostname is sent
    pass
Worked fine for me and now I have the cert on CentOS 5, thanks!
#4 by Andreas H on June 8, 2016 - 9:06 am
Use the alternative ACME-client instead: (Tested OK on RedHat 5.11)
github.com/Neilpang/acme.sh
#5 by thisma on June 23, 2016 - 5:13 am
yep
#6 by thisma on June 23, 2016 - 6:00 am
I installed OpenSSL from source but I’m still getting the same error: AttributeError: ‘module’ object has no attribute ‘SSL_set_tlsext_host_name’
Perhaps I have to change something about OpenSSL’s installation, or maybe certbot-auto needs to be told to use the new OpenSSL? Sigh…
#7 by thisma on June 23, 2016 - 9:18 am
After installing a recent version of OpenSSH from source I used getssl which worked just fine. github.com/srvrco/getssl
#8 by Anand Chhatpar on September 4, 2016 - 2:01 am
I was able to use your instructions and the instructions in the comments by John (to edit SSL.py) and thisma (to use getssl) and successfully installed a certificate on CentOS 5.8.
Thank you, everyone!
#9 by lindowx on October 19, 2017 - 9:34 am
gist.github.com/lindowx/8d4b41fc67b5720e3e5999d7123fb020
#10 by 42 on March 23, 2019 - 1:36 am
Many thanks!