Let’s not Encrypt on CentOS5

TL;DR – Let’s Encrypt requires a newer version of OpenSSL than CentOS 5 has installed. Unless you want to mess around with compiling OpenSSL yourself, don’t try it.

When your friend will upgrade his CentOS 5 system "someday"

Installing Python 2.7 on CentOS 5

What we want to do: get letsencrypt installed. However, it requires(*) python 2.7, so we’re getting that on CentOS 5 first:

Thankfully, Inline with Upstream Stable (IUS) has Python 2.7 for CentOS 5, so we’re just going to use their work. Start by getting the RPM install file:

wget https://centos5.iuscommunity.org/ius-release.rpm

Install the repo. Unfortunately, IUS don’t appear to expose their GPG key to import it early, so we have to disable the key check while installing it:

yum -y --nogpgcheck localinstall ius-release-1.0-14.el5.noarch.rpm

Then, install python 2.7 & some dependencies we need:

yum install python27 python27-pip python27-virtualenv git gcc

For some reason the pip package didn’t install the /usr/bin/pip script, so I had to go to /usr/lib/python2.7/site-packages and run
python2.7 pip install --upgrade --force-reinstall pip

Installing Let’s Encrypt on CentOS 5

At this point we have a working Python 2.7 install, so we can go ahead and set up letsencrypt:
I ran LE_PYTHON=python2.7 ./letsencrypt-auto – the LE_PYTHON variable is to force it to use the Python27 install. (Side note: it installed the default package versions, like python-2.4-devel, and gcc-4.1)

It’s important to note that if anything goes wrong, run rm -rf ~/.local/share/letsencrypt to blow away the virtualenv. letsencrypt will automatically reinstall everything for you.

Not updating OpenSSL on CentOS 5

Unfortunately, at this point I hit an OpenSSL error – AttributeError: 'module' object has no attribute 'SSL_set_tlsext_host_name'. As it turns out, the version of OpenSSL in CentOS 5 is just too old.
Unlike Python, there’s no easy alternative, or updated OpenSSL package that I know of that’s a drop-in replacement. With a choice between
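
A preflight check for the limitation described above, as an added example (not code from this post or from letsencrypt). It assumes SNI first shipped in OpenSSL 0.9.8f; the names sni_preflight and probe are hypothetical, and SSL._lib is the _lib object that OpenSSL/SSL.py calls SSL_set_tlsext_host_name on.

```python
from __future__ import print_function
import ssl

# Assumption (from OpenSSL's changelog, not from the post): the SNI code
# first shipped in 0.9.8f, which Python reports as (0, 9, 8, 6, ...).
SNI_FIRST_VERSION = (0, 9, 8, 6)


def sni_preflight(version_info, stdlib_has_sni, binding_has_sni):
    """Return a list of problems; an empty list means SNI is usable.

    binding_has_sni is None when pyOpenSSL could not be imported.
    """
    problems = []
    if tuple(version_info[:4]) < SNI_FIRST_VERSION:
        problems.append("OpenSSL is older than 0.9.8f, so it has no SNI code")
    if not stdlib_has_sni:
        problems.append("Python's ssl module was built without SNI")
    if binding_has_sni is False:
        problems.append("pyOpenSSL binding lacks SSL_set_tlsext_host_name")
    return problems


def probe():
    """Collect the three facts from the interpreter running this script."""
    try:
        from OpenSSL import SSL  # pyOpenSSL, optional
        binding = hasattr(SSL._lib, "SSL_set_tlsext_host_name")
    except Exception:  # not installed, or a broken install
        binding = None
    # HAS_SNI only exists on Python 2.7.9+ and 3.2+, hence the getattr.
    return ssl.OPENSSL_VERSION_INFO, getattr(ssl, "HAS_SNI", False), binding


if __name__ == "__main__":
    # Run with the same interpreter letsencrypt will use, e.g. python2.7.
    print("ssl module linked against:", ssl.OPENSSL_VERSION)
    found = sni_preflight(*probe())
    for line in found:
        print("FAIL:", line)
    print("SNI usable" if not found else "SNI not usable")
```

The reported library is the one this Python was built against, which can differ from what a freshly compiled openssl binary on the PATH reports.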

Useful take-aways

unalias, for when I tried to alias pip to python2.7 pip
The --force-reinstall flag for pip, along with -U making --upgrade a lot shorter

  1. I wish I found this article before I had gone done and spent 2 hours and hitting the same road block. The imagery perfectly explains my pain.

  2. Don’t give up yet! Just edit OpenSSL/SSL.py in your Python2.7 site-packages directory (see /var/log/letsencrypt/letsencrypt.log for the path) and put a try/except block around the offending line:

    try:
        _lib.SSL_set_tlsext_host_name(self._ssl, name)
    except AttributeError:  # OpenSSL too old to expose the SNI call
        pass

    Worked fine for me and now I have the cert on CentOS 5, thanks!

  3. David :
    I wish I found this article before I had gone done and spent 2 hours and hitting the same road block. The imagery perfectly explains my pain.

    yep

  4. I installed OpenSSL from source but I’m still getting the same error: AttributeError: 'module' object has no attribute 'SSL_set_tlsext_host_name'

    Perhaps I have to change something about OpenSSL’s installation, or maybe certbot-auto needs to be told to use the new OpenSSL? Sigh…

  5. I was able to use your instructions and the instructions in the comments by John (to edit SSL.py) and thisma (to use getssl) and successfully installed a certificate on CentOS 5.8.

    Thank you, everyone!