# Certbot fails with "'module' object has no attribute 'UnsupportedExtension'"



## kjpetrie (Jun 10, 2018)

```
]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /usr/local/etc/letsencrypt/renewal/www.xxxx.yyy.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Attempting to renew cert (www.xxxx.yyy) from /usr/local/etc/letsencrypt/renewal/www.xxxx.yyy.conf produced an unexpected error: 'module' object has no attribute 'UnsupportedExtension'. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /usr/local/etc/letsencrypt/live/www.xxxx.yyy/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /usr/local/etc/letsencrypt/live/www.xxxx.yyy/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)
```

The log shows:

```
2018-06-10 17:10:33,809:DEBUG:certbot.main:certbot version: 0.25.0
2018-06-10 17:10:33,810:DEBUG:certbot.main:Arguments: []
2018-06-10 17:10:33,810:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-06-10 17:10:33,951:DEBUG:certbot.log:Root logging level set at 20
2018-06-10 17:10:33,953:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-06-10 17:10:34,099:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x29efdd8c> and installer <certbot.cli._Default object at 0x29efdd8c>
2018-06-10 17:10:34,160:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2018-06-29 23:33:20 UTC.
2018-06-10 17:10:34,160:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2018-06-10 17:10:34,160:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2018-06-10 17:10:34,170:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x29ebde2c>
Prep: True
2018-06-10 17:10:34,171:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x29ebde2c> and installer None
2018-06-10 17:10:34,171:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2018-06-10 17:10:34,188:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, contact=(u'mailto:ffff@gggg.hh.jj',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x29efdd6c>)>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/19923440', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), 23d9c0b52da631b66f4153af351b344f, Meta(creation_host=u'evenas.org', creation_dt=datetime.datetime(2017, 8, 13, 20, 45, 27, tzinfo=<UTC>)))>
2018-06-10 17:10:34,191:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2018-06-10 17:10:34,219:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2018-06-10 17:10:34,308:WARNING:certbot.renewal:Attempting to renew cert (www.xxxx.yyy) from /usr/local/etc/letsencrypt/renewal/www.xxxx.yyy.conf produced an unexpected error: 'module' object has no attribute 'UnsupportedExtension'. Skipping.
2018-06-10 17:10:34,435:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/certbot/renewal.py", line 429, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 1154, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 649, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/local/lib/python2.7/site-packages/certbot/client.py", line 239, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/local/lib/python2.7/site-packages/certbot/client.py", line 50, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 721, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 1054, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 1003, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 850, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python2.7/site-packages/urllib3/connection.py", line 337, in connect
    cert = self.sock.getpeercert()
  File "/usr/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 348, in getpeercert
    'subjectAltName': get_subj_alt_name(x509)
  File "/usr/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 202, in get_subj_alt_name
    except (x509.DuplicateExtension, x509.UnsupportedExtension,
AttributeError: 'module' object has no attribute 'UnsupportedExtension'

2018-06-10 17:10:34,435:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2018-06-10 17:10:34,436:ERROR:certbot.renewal:  /usr/local/etc/letsencrypt/live/www.xxxx.yyy/fullchain.pem (failure)
2018-06-10 17:10:34,439:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.25.0', 'console_scripts', 'certbot')()
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 1323, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 1235, in renew
    renewal.handle_renewal_request(config)
  File "/usr/local/lib/python2.7/site-packages/certbot/renewal.py", line 454, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
```

Any ideas what this means?


----------



## VladiBG (Jun 10, 2018)

what is inside your www.xxxx.yyy.conf
also check your x509 extensions in the current cert.pem
to view the certificate type:
`openssl x509 -in /usr/local/etc/letsencrypt/live/[URL='http://www.xxxx.yyy.conf']www.xxxx.yyy[/URL]/cert.pem -text -noout`


----------



## ShelLuser (Jun 10, 2018)

What FreeBSD version are you using and how did you install the port? I'm assuming you're using security/py-certbot or is it another variant?

Reason I ask is because that port utilizes flavors, like so many others, so I can't help wonder if there might be a chance that something went wrong with a recent update. Because although a bad certificate is certainly a possibility it does seem weird to me that they wouldn't have anticipated for this.


----------



## kjpetrie (Jun 10, 2018)

```
]$ uname -r
11.1-RELEASE-p10
```


```
$ pkg info |grep certbot
py27-certbot-0.25.0,1          Let's Encrypt client
```
Package compiled with ports-mgmt/poudriere from security/py-certbot.

```
]# openssl x509 -in /usr/local/etc/letsencrypt/live/www.xxxx.yyy/cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:6d:b2:3a:42:04:8a:77:f2:70:a8:f2:e7:07:f1:45:29:f7
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Mar 31 23:33:20 2018 GMT
            Not After : Jun 29 23:33:20 2018 GMT
        Subject: CN=www.xxxx.yyy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ba:ad:84:a0:49:97:5d:e1:49:e9:02:aa:69:c3:
                    f4:31:6f:39:ed:25:00:65:91:87:c3:b9:4e:e2:b0:
                    04:eb:25:59:f2:ef:80:d8:26:9e:4e:4a:84:05:6d:
                    dd:79:1b:82:b5:1b:99:f5:2a:dd:18:7a:4d:aa:bf:
                    d8:5f:17:bc:1f:f4:43:3b:5d:93:a0:5e:b2:4f:bc:
                    2a:30:39:c1:40:2d:96:bf:ea:4c:56:98:99:92:5d:
                    e1:38:09:07:44:93:eb:85:dd:8a:6b:f9:69:c7:60:
                    29:a8:5b:5a:e6:de:ad:d8:95:79:7c:e5:91:ef:c6:
                    eb:d8:17:9b:bd:87:00:95:e0:7b:82:46:40:bd:11:
                    03:99:69:43:10:22:f1:a5:73:2f:ac:1b:0a:f9:92:
                    a9:b9:e3:3c:0f:4a:4b:0e:b6:7a:f7:49:f8:ef:96:
                    b1:9b:f1:da:5d:ae:55:74:f5:a2:13:24:61:80:17:
                    23:37:8b:64:a2:32:83:8c:56:92:cd:4f:88:8e:ce:
                    b1:3f:b4:7b:12:32:05:d8:ec:a0:9b:db:0d:01:72:
                    8d:c8:c4:41:3a:25:9f:fb:59:a7:3d:cd:39:88:e3:
                    07:a1:45:e7:cb:64:b2:14:69:ff:00:4f:37:70:b4:
                    2e:12:49:9b:dd:d1:7a:dc:b3:81:1d:ff:45:37:f1:
                    07:31
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                B4:02:5C:0A:77:53:12:32:FE:6B:DF:25:C6:9F:64:22:7D:9D:A1:23
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:xxxx.yyy, DNS:zzzz.aaaa.yyy, DNS:www.xxxx.yyy, DNS:www.aaaa.yyy
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9:
                                AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64
                    Timestamp : Apr  1 00:33:20.335 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:DF:39:7A:1E:B6:5A:22:A4:5C:DA:55:
                                08:72:84:8A:5F:45:8D:26:3D:3F:C9:61:C6:8A:75:2F:
                                4D:89:EA:0D:8A:02:21:00:CB:C5:49:AE:7E:9B:8D:04:
                                7B:9E:BF:02:DC:80:2F:2C:E2:E2:04:5F:9E:B5:E2:1F:
                                5B:8B:3B:F5:38:11:39:69
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
                                6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
                    Timestamp : Apr  1 00:33:20.355 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:A1:D5:48:68:EB:6E:2A:65:E4:E9:23:
                                29:52:88:AD:82:A8:CC:25:67:7A:7C:5D:CA:C5:27:7C:
                                DD:9B:E7:87:50:02:20:18:73:E5:FF:E6:EE:32:B8:34:
                                3C:75:8D:29:FB:01:23:57:10:83:E7:86:E7:06:39:17:
                                85:E9:64:95:36:2B:6E
    Signature Algorithm: sha256WithRSAEncryption
         66:1a:72:a1:7c:ec:80:44:fb:94:b8:ea:66:d9:0e:5a:08:d9:
         70:de:8d:f9:0b:1f:b6:50:6e:cd:62:34:07:ed:0c:ae:b1:3f:
         ab:d6:ec:3f:a9:8d:cf:29:d9:fd:a7:71:88:25:97:87:e7:ab:
         9f:45:e3:c5:ca:56:79:e3:ce:11:23:0a:c0:28:d6:fa:ae:1b:
         7c:e6:61:9f:28:71:cd:61:b5:1d:4f:20:1f:d9:ff:01:45:33:
         09:59:8b:fa:13:e5:62:5b:65:f9:9d:2a:56:33:e6:af:7d:19:
         d4:e6:bb:ac:8a:1a:00:2b:e7:4b:15:58:e0:ad:a2:92:83:4a:
         9f:ce:d9:fe:7b:0f:a7:4c:9b:df:40:54:91:cb:e8:ce:82:ab:
         c1:19:80:6e:1d:77:91:c1:32:a4:3c:83:e3:c5:41:8c:35:1d:
         36:e0:6b:c0:c9:88:06:17:9e:38:61:1a:67:98:d5:46:15:33:
         ca:36:a1:3f:52:f0:b1:aa:de:75:75:75:42:df:a7:29:c5:d5:
         36:e6:eb:c1:5e:37:19:92:23:b2:18:10:91:1a:c2:cf:3d:dd:
         93:c5:83:23:b3:cc:5a:68:ab:84:0a:cb:ef:2a:5f:79:9e:41:
         50:77:ec:83:f3:62:7c:bc:05:69:ed:04:04:4f:dc:e8:75:e5:
         49:73:e6:12
```
(Secured domains munged)


----------



## VladiBG (Jun 10, 2018)

Can you check your Certificate Signing Request  (CSR) and verify your x509 SAN you can do this with:
`openssl req -in mycsr.csr -noout -text`

the CSR is located in /usr/local/etc/letsencrypt/csr

I'm also using the py27-certbot-0.25.0,1 and it's working fine. You must check if your py27-openssl is up to date too. And you can try to rebuild the port.

The error that you are receiving is for invalid X509v3 Subject Alternative Name that is checked by pyopenssl.py

Verify this part:

```
X509v3 Subject Alternative Name:
                DNS:xxxx.yyy, DNS:zzzz.aaaa.yyy, DNS:www.xxxx.yyy, DNS:www.aaaa.yyy
```



```
except (x509.DuplicateExtension, x509.UnsupportedExtension,
            x509.UnsupportedGeneralNameType, UnicodeError) as e:
        # A problem has been found with the quality of the certificate. Assume
        # no SAN field is present.
        log.warning(
            "A problem was encountered with the certificate that prevented "
            "urllib3 from finding the SubjectAlternativeName field. This can "
            "affect certificate validation. The error was %s",
            e,
        )
        return []
```


----------



## kjpetrie (Jun 10, 2018)

Sorry, forgot this one:

```
]# cat /usr/local/etc/letsencrypt/renewal/www.xxxx.yyy.conf
# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /usr/local/etc/letsencrypt/archive/www.xxxx.yyy
cert = /usr/local/etc/letsencrypt/live/www.xxxx.yyy/cert.pem
privkey = /usr/local/etc/letsencrypt/live/www.xxxx.yyy/privkey.pem
chain = /usr/local/etc/letsencrypt/live/www.xxxx.yyy/chain.pem
fullchain = /usr/local/etc/letsencrypt/live/www.xxxx.yyy/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 23d9c0b52da631b66f4153af351b344f
[[webroot_map]]
zzzz.aaaa.yyy = /usr/jails/xxxx/home/instabook/public_html/xxxx
xxxx.yyy = /usr/jails/xxxx/home/instabook/public_html/xxxx
www.xxxx.yyy = /usr/jails/xxxx/home/instabook/public_html/xxxx
www.aaaa.yyy = /usr/jails/bbbb/home/instabook/public_html
```


----------



## kjpetrie (Jun 10, 2018)

```
]# openssl req -in /usr/local/etc/letsencrypt/csr/0004_csr-certbot.pem -noout -text
Certificate Request:
    Data:
        Version: 2 (0x2)
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ba:ad:84:a0:49:97:5d:e1:49:e9:02:aa:69:c3:
                    f4:31:6f:39:ed:25:00:65:91:87:c3:b9:4e:e2:b0:
                    04:eb:25:59:f2:ef:80:d8:26:9e:4e:4a:84:05:6d:
                    dd:79:1b:82:b5:1b:99:f5:2a:dd:18:7a:4d:aa:bf:
                    d8:5f:17:bc:1f:f4:43:3b:5d:93:a0:5e:b2:4f:bc:
                    2a:30:39:c1:40:2d:96:bf:ea:4c:56:98:99:92:5d:
                    e1:38:09:07:44:93:eb:85:dd:8a:6b:f9:69:c7:60:
                    29:a8:5b:5a:e6:de:ad:d8:95:79:7c:e5:91:ef:c6:
                    eb:d8:17:9b:bd:87:00:95:e0:7b:82:46:40:bd:11:
                    03:99:69:43:10:22:f1:a5:73:2f:ac:1b:0a:f9:92:
                    a9:b9:e3:3c:0f:4a:4b:0e:b6:7a:f7:49:f8:ef:96:
                    b1:9b:f1:da:5d:ae:55:74:f5:a2:13:24:61:80:17:
                    23:37:8b:64:a2:32:83:8c:56:92:cd:4f:88:8e:ce:
                    b1:3f:b4:7b:12:32:05:d8:ec:a0:9b:db:0d:01:72:
                    8d:c8:c4:41:3a:25:9f:fb:59:a7:3d:cd:39:88:e3:
                    07:a1:45:e7:cb:64:b2:14:69:ff:00:4f:37:70:b4:
                    2e:12:49:9b:dd:d1:7a:dc:b3:81:1d:ff:45:37:f1:
                    07:31
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:www.xxxx.yyy, DNS:xxxx.yyy, DNS:zzzz.aaaa.yyy, DNS:www.aaaa.yyy
    Signature Algorithm: sha256WithRSAEncryption
         a3:94:04:d8:83:2e:ea:3f:95:a4:a0:62:7d:41:0a:0a:5f:d6:
         a1:b0:fd:f2:69:b6:1e:76:e0:ae:6f:c0:e2:dd:ea:3b:e9:0e:
         f5:6f:b6:72:5b:8e:d6:38:6a:b4:2f:2b:b6:14:57:f1:af:fa:
         d9:83:2b:01:4d:8f:30:ef:fd:17:bd:d6:37:4a:44:18:cc:bb:
         f4:60:4f:97:60:7e:01:4f:cf:e6:c1:b6:43:8d:13:06:f6:e4:
         12:44:fb:2a:b3:17:b3:04:ee:38:96:7f:d6:0b:d6:ea:02:49:
         0f:cf:f8:d5:2a:6a:6c:9f:60:2d:49:3e:a5:d1:b6:f9:8d:94:
         cf:af:a5:ee:de:6f:c8:91:01:73:83:fd:3a:cd:d6:4a:5c:2a:
         d5:d7:85:29:fd:9e:e1:f7:2e:5c:35:89:c1:d2:26:de:10:01:
         51:36:85:97:bd:98:f2:43:df:9a:75:31:ca:72:a2:f0:43:9f:
         83:d4:6f:44:0f:23:bd:f8:18:da:34:e3:b4:9e:ce:2b:8f:61:
         04:7f:75:3f:19:aa:64:6f:80:7d:ae:82:33:d2:32:99:09:33:
         bd:b8:75:4f:98:a1:67:33:d1:cc:33:db:6c:cd:4f:85:9b:e3:
         1d:e9:68:f0:52:8c:15:e7:06:b4:10:08:02:43:52:fe:99:d1:
         a7:64:c6:56
```


```
]# pkg info | grep openssl
py27-openssl-17.5.0_1          Python interface to the OpenSSL library
```

ports-mgmt/poudriere declines to rebuild anything so I'll have a look at its man page to see how I can force it to rebuild, although if I just do that and there's a problem with its configuration it would probably just repeat the error.


----------



## VladiBG (Jun 10, 2018)

https://github.com/urllib3/urllib3/pull/1342


----------



## kjpetrie (Jun 10, 2018)

Thank you for finding that link. I'm still trying to work out whether it indicates a remedy, or just that it's broken upstream and I can never renew my site certificate! I'll keep reading in the hope it'll make sense.


----------



## VladiBG (Jun 10, 2018)

My certs are not yet due for renewal and i can't verify if the renewal is working or not at the moment.
Try to update your python, py-openssl and py-cryptography

edit:
i tested the renewal with --dry-run and it's working with the latest versions.


----------



## kjpetrie (Jun 10, 2018)

If it works for you something must be different on your system. I checked --dry-run to confirm it gives the same error.

I have
py27-asn1crypto-0.22.0,
py27-requests-toolbelt-0.8.0,
python27-2.7.15,
py27-openssl-17.5.0_1,
py27-cryptography-2.1.4, and
py27-urllib3-1.22,1.

Are these the versions you have?


----------



## VladiBG (Jun 11, 2018)

I don't use jails. Here's my py* versions. I don't have asn1crypto

```
py27-Babel-2.5.3                   =
py27-Jinja2-2.10                   =
py27-MarkupSafe-1.0                =
py27-acme-0.25.0_1,1               =
py27-alabaster-0.7.6               =
py27-asn1crypto-0.22.0             =
py27-certbot-0.25.0,1              =
py27-certifi-2018.4.16             =
py27-cffi-1.11.5                   =
py27-chardet-3.0.4                 =
py27-configargparse-0.13.0         =
py27-configobj-5.0.6_1             =
py27-cryptography-2.1.4            =
py27-docutils-0.14_3               =
py27-enum34-1.1.6                  =
py27-fail2ban-0.10.3.1             =
py27-idna-2.6                      =
py27-imagesize-0.7.1               =
py27-ipaddress-1.0.22              =
py27-josepy-1.1.0                  =
py27-openssl-17.5.0_1              =
py27-parsedatetime-2.4_1           =
py27-pycparser-2.18                =
py27-pygments-2.2.0                =
py27-pyrfc3339-1.0                 =
py27-pysocks-1.6.8                 =
py27-pystemmer-1.3.0_1             =
py27-pytest-runner-2.11.1          =
py27-pytz-2018.4,1                 =
py27-requests-2.18.4               =
py27-requests-toolbelt-0.8.0       =
py27-setuptools-39.2.0             =
py27-setuptools_scm-1.17.0         =
py27-six-1.11.0                    =
py27-snowballstemmer-1.2.0_1       =
py27-sphinx-1.6.5_1,1              =
py27-sphinx_rtd_theme-0.2.4        =
py27-sphinxcontrib-websupport-1.0.1 =
py27-sqlite3-2.7.15_7              =
py27-typing-3.6.4                  =
py27-urllib3-1.22,1                =
py27-zope.component-4.2.2          =
py27-zope.event-4.1.0              =
py27-zope.interface-4.1.3          =
python27-2.7.15                    =
```


----------



## kjpetrie (Jun 11, 2018)

Your versions are the same as mine (and you do have asn1crypto - it's in your list). Could it be the jails? Anything's possible, I suppose.


----------



## VladiBG (Jun 11, 2018)

yep i missed it, i do have asn1crypto. You can try to bring up a virtual machine with apache+certbot to test it on some other host. You will need only to create a DNS record for the test.

did you try to reinstall the certbot and py* ?


----------



## kjpetrie (Jun 11, 2018)

Yes, it was what I did before I came here for help.

I solved this by upgrading net/py-urllib3 and www/py-requests (learning about ports in the process). Now I have uncovered another problem, but that's for another thread.


----------

