Let’s not Encrypt on CentOS5


TL;DR – Let’s Encrypt requires a newer version of OpenSSL than CentOS 5 has installed. Unless you want to mess around with compiling OpenSSL yourself, don’t try it.

When your friend will upgrade his CentOS 5 system "someday"

Installing Python 2.7 on CentOS 5

What we want to do: get letsencrypt installed. However, it requires(*) python 2.7, so we’re getting that on CentOS 5 first:

Thankfully, Inline with Upstream Stable (IUS) has Python 2.7 for CentOS 5, so we’re just going to use their work. Start by getting the RPM install file:

wget https://centos5.iuscommunity.org/ius-release.rpm

Install the repo. Unfortunately, IUS don’t appear to expose their GPG key to import it early, so we have to disable the key check while installing it:

yum -y --nogpgcheck localinstall  ius-release-1.0-14.el5.noarch.rpm

Then, install python 2.7 & some dependencies we need:

yum install python27 python27-pip python27-virtualenv git gcc

For some reason the pip package didn’t install the /usr/bin/pip script, so I had to go to /usr/lib/python2.7/site-packages and run
python2.7 pip install --upgrade --force-reinstall pip

Installing Let’s Encrypt on CentOS 5

At this point we have a working Python 2.7 install, so we can go ahead and set up letsencrypt:
I ran LE_PYTHON=python2.7 ./letsencrypt-auto – the LE_PYTHON variable is to force it to use the Python27 install. (Side note: it installed the default package versions, like python-2.4-devel, and gcc-4.1)

It’s important to note that if anything goes wrong, run rm -rf ~/.local/share/letsencrypt to blow away the virtualenv. letsencrypt will automatically reinstall everything for you.

Not updating OpenSSL on CentOS 5

Unfortunately, at this point I hit an OpenSSL error – AttributeError: 'module' object has no attribute 'SSL_set_tlsext_host_name'. As it turns out, the version of OpenSSL in CentOS 5 is just too old.
Unlike Python, there’s no easy alternative, or updated OpenSSL package that I know of that’s a drop-in replacement. With a choice between

Useful take-aways

unalias, for when I tried to alias pip to python2.7 pip
The --force-reinstall flag for pip, along with -U making --upgrade a lot shorter


  1. #1 by Kamil Maslowski on March 14, 2016 - 12:39 pm

    I successfully generated certificates using letsencrypt.sh (another client) on CentOS5. Check it out: github.com/lukas2511/letsencrypt.sh

  2. #2 by David on April 19, 2016 - 3:20 pm

    I wish I found this article before I had gone and spent 2 hours hitting the same road block. The imagery perfectly explains my pain.

  3. #3 by John on May 30, 2016 - 6:53 am

    Don’t give up yet! Just edit OpenSSL/SSL.py in your Python2.7 site-packages directory (see /var/log/letsencrypt/letsencrypt.log for the path) and put a try/except block around the offending line:

    try:
        _lib.SSL_set_tlsext_host_name(self._ssl, name)
    except AttributeError:  # old OpenSSL lacks this symbol, so no SNI host name is set
        pass

    Worked fine for me and now I have the cert on CentOS 5, thanks!

  4. #4 by Andreas H on June 8, 2016 - 9:06 am

    Use the alternative ACME-client instead: (Tested OK on RedHat 5.11)
    github.com/Neilpang/acme.sh

  5. #5 by thisma on June 23, 2016 - 5:13 am

    David :
    I wish I found this article before I had gone and spent 2 hours hitting the same road block. The imagery perfectly explains my pain.

    yep

  6. #6 by thisma on June 23, 2016 - 6:00 am

    I installed OpenSSL from source but I’m still getting the same error: AttributeError: ‘module’ object has no attribute ‘SSL_set_tlsext_host_name’

    Perhaps I have to change something about OpenSSL’s installation, or maybe certbot-auto needs to be told to use the new OpenSSL? Sigh…

  7. #7 by thisma on June 23, 2016 - 9:18 am

    After installing a recent version of OpenSSH from source I used getssl which worked just fine. github.com/srvrco/getssl

  8. #8 by Anand Chhatpar on September 4, 2016 - 2:01 am

    I was able to use your instructions and the instructions in the comments by John (to edit SSL.py) and thisma (to use getssl) and successfully installed a certificate on CentOS 5.8.

    Thank you, everyone!
