Certbot (Let’s Encrypt): Installing on Raspbian Jessie

Like many, I use the Certbot client to obtain and renew certificates from Let’s Encrypt. Certbot was formerly the official Let’s Encrypt client, when the package was simply called “letsencrypt”. Originally there were no Debian packages for letsencrypt, so way back around version 0.3.0, I downloaded the letsencrypt-auto script, which manages the dependencies and automatically updates itself. This still exists as certbot-auto.

Now we’re over a year on and there are Debian packages for Certbot. For Jessie, the packages are in jessie-backports, which is a repository of popular packages backported from Debian Stretch (Testing) to work well with Debian Jessie (Stable). Not as good as the packages being in Jessie outright, but pretty close.

As usual, I would much rather rely on packages in APT than those not. With Certbot in particular I would prefer some stability in contrast with a script that always updates to the bleeding edge. Nevermind jessie-backports, certbot packages from any Debian release are an improvement over this – at the time of writing, jessie-backports has version 0.9.3, Stretch has 0.10.2, Sid has 0.11.1, and Certbot on GitHub is on 0.12.0.

I could install the packages from Stretch like I have done with fail2ban, rclone, and dnscrypt-proxy; but jessie-backports is specifically there to provide packages intended to work well on a Jessie system. Also, Certbot’s dependencies consist of a large number of python libraries, ones which would be shared throughout the system – very different from fail2ban (no dependencies outside stable), rclone (no dependencies outside stable), and dnscrypt-proxy (two dependencies outside stable not used for much else). Clearly this is not the time to use Stretch packages, which would make for a bad FrankenDebian.

Unfortunately, Raspbian does not have a jessie-backports branch. Now we can use Debian’s jessie-backports, but remember Raspbian mainly exists because Debian doesn’t have a port for ARMv6 processors like in the Raspberry Pi 1 – its armhf port assumes ARMv7. The result is that some armhf packages from Debian will crash on an ARMv6 Raspberry Pi 1, though they may work fine on an ARMv7+ Raspberry Pi 2 and above.

You may ask why I don’t just upgrade to a Raspberry Pi 2 or 3 considering how cheap they are. Well you know what? I have three original Raspberry Pi Model Bs, two of which were the initial model with half the RAM (just 256MB), and they all work absolutely fine day-to-day for my needs – they do what I want and they do it fast enough. In fact, right now each individual Pi is using no more than 100MB RAM! I hate waste, especially electronic waste, and I see no reason to ditch them.

Update 15/06/2017: This guide is intended to be general instructions that help you figure out the method and dependencies required to install any version of Certbot on Raspbian. It was originally written when jessie-backports had Certbot 0.9.3, whereas now it has Certbot 0.10.2. If you understand the concepts and can adapt them then you should still be able to follow this guide. If you wish to run the commands verbatim then you will find there are some differences, which will become greater as newer versions of Certbot are released. Right now, in particular, the main difference is that you will probably not need to install the python-dialog package.

Configuring jessie-backports

First off, it’s a good idea to set our default release. Right now the release we are using (Jessie) is governed by the sources.list file. We are about to add jessie-backports to sources.list. jessie-backports packages are automatically given a priority of 100 which should supposedly prevent us from installing them unintentionally, however if nothing else I like to specifically set the default release just in case. It’s more important if you also add proper releases like Stretch.

This can be done in either /etc/apt/apt.conf (which probably does not already exist) or by creating a file in /etc/apt/apt.conf.d. We can either choose a distribution like stable, or we can choose a release name like Jessie. Personaly I prefer to set it to Jessie; as when Jessie changes from stable to oldstable and Stretch changes from testing to stable, I don’t want my whole system to automatically move to Stretch.

> sudo nano /etc/apt/apt.conf
APT::Default-Release "jessie";

Now, we need to add the jessie-backports repo to our sources.

> sudo nano /etc/apt/sources.list
deb http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://archive.raspbian.org/raspbian/ jessie main contrib non-free rpi
deb http://ftp.debian.org/debian jessie-backports main

Then we are going to set our apt preferences to give Jessie packages a high priority, and prevent automatic installation of all other packages. However we are also going to temporarily allow Jessie Backports packages.

> sudo nano /etc/apt/preferences
Package: *
Pin: release n=jessie
Pin-Priority: 900

Package: *
Pin: release n=jessie-backports
Pin-Priority: 700

Package: *
Pin: release o=Raspbian
Pin-Priority: -10

Now here’s the thing – if you try to update apt at this point, you will almost certainly get an error.

> sudo apt update
...
W: There is no public key available for the following key IDs:
8B48AD6246925553
7638D0442B90D010

Or:

> sudo apt update
...
W: GPG error: http://ftp.debian.org jessie-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010

Our Raspbian has the keys to trust the Raspbian repositories…but not the Debian repositories! The Debian keys are installed as part of the package debian-archive-keyring. But watch what happens if you try to install it using APT.

> sudo apt-get install debian-archive-keyring -s
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'raspbian-archive-keyring' instead of 'debian-archive-keyring'
raspbian-archive-keyring is already the newest version.

Whoops, not possible! Thankfully it’s easy to add the keys in. Below is one way to obtain them from Ubuntu’s keyserver. (Be aware that this doesn’t obtain the key over a secure transport. It would be best practice to do so; consider reading Debian’s advice on how to do that.).

> sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
> sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010
> sudo apt update

Examining dependencies

Now let’s simulate an install of Certbot from jessie-backports and look at the dependencies. See below for example output, though note that I have reordered the dependencies by branch and architecture.

> sudo apt-get install certbot -t jessie-backports -s
...
Inst python-pkg-resources (20.10.1-1.1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-configargparse (0.11.0-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-six (1.9.0-3~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-idna (2.0-3~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-ipaddress (1.0.16-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-pyasn1 (0.1.9-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-setuptools (20.10.1-1.1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-dnspython (1.15.0-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-funcsigs (1.0.2-3~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-openssl (16.0.0-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-ndg-httpsclient (0.4.2-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-pbr (1.8.0-4.1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-urllib3 (1.16-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-requests (2.11.1-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-rfc3339 (1.0-4~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-mock (2.0.0-3~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-acme (0.9.3-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-certbot (0.9.3-1~bpo8+2 Debian Backports:jessie-backports [all])
Inst certbot (0.9.3-1~bpo8+2 Debian Backports:jessie-backports [all])
...
Inst python-chardet (2.3.0-1 Raspbian:stable [all])
Inst python-configobj (5.0.6-1 Raspbian:stable [all])
Inst python-enum34 (1.0.3-1 Raspbian:stable [all])
Inst python-parsedatetime (1.4-1 Raspbian:stable [all])
Inst python-pyicu (1.8-1 Raspbian:stable [armhf])
Inst python-tz (2012c+dfsg-0.1 Raspbian:stable [all])
Inst python-zope.interface (4.1.1-3.1 Raspbian:stable [armhf])
Inst python-zope.event (4.0.3-2 Raspbian:stable [all])
Inst python-zope.component (4.2.1-2 Raspbian:stable [all])
...
Inst python-cffi-backend (1.4.2-2~bpo8+1 Debian Backports:jessie-backports [armhf])
Inst python-dialog (3.3.0-2~bpo8+1 Debian Backports:jessie-backports [armhf])
Inst python-psutil (4.1.0-1~bpo8+1 Debian Backports:jessie-backports [armhf])
Inst python-cryptography (1.3.4-1~bpo8+2 Debian Backports:jessie-backports [armhf])

I have reordered these as follows:

  1. Debian Backports:jessie-backports [all]
    The first group are architecture-independent packages from Debian’s jessie-backports. These are likely to work just fine.
  2. Raspbian:stable [all]
    The second group are packages from Raspbian’s Jessie. These should almost certainly work just fine.
  3. Debian Backports:jessie-backports [armhf]
    The third group are packages specific to ARM from Debian’s jessie-backports. These are the packages that are likely to cause problems, as they are compiled for ARMv7 and our CPU is only ARMv6.

First, from our apt preferences let’s remove the section for jessie-backports we put in temporarily so that they are not considered for automatic installation.

Package: *
Pin: release n=jessie
Pin-Priority: 900

#Package: *
#Pin: release n=jessie-backports
#Pin-Priority: 700

Package: *
Pin: release o=Raspbian
Pin-Priority: -10

Now let’s specifically allow certain packages from jessie-backports – those in the first group that should cause no problems when installed. Here I use a separate preferences.d fragment, but you could put this in the main apt preferences file if you want.

> sudo nano /etc/apt/preferences.d/certbot
# Architecture independent packages
Package: python-pkg-resources python-configargparse python-six python-idna python-ipaddress python-pyasn1 python-setuptools python-dnspython python-funcsigs python-openssl python-ndg-httpsclient python-pbr python-urllib3 python-requests python-rfc3339 python-mock python-acme python-certbot certbot
Pin: release n=jessie-backports
Pin-Priority: 1005

Update 15/06/2017: This guide originally used a priority of 995 above and subsequent snippets rather than 1005. According to man apt_preferences, a priority between 990 and 1000 “causes a version to be installed even if it does not come from the target release, unless the installed version is more recent”. However a couple of people in the comments have had issues where apt-get still prioritises a jessie package over a jessie-backports package despite this. A priority above 1000 “causes a version to be installed even if this constitutes a downgrade of the package”, which is stronger priority, and unlikely to cause any problems as packages in jessie-backports will almost never be older than their jessie counterparts.

Install ARM dependencies

From here, we have two options on how to handle the third group of dependencies: Either we compile them from source to work on ARMv6, or we install pre-compiled ARMv6 binaries.

The upside of compiling is that that we can compile from trusted sources obtained from Debian. The downsides are that it needs a lot of build dependencies, and takes a long time.

The upside of installing pre-compiled binaries is that it’s a lot quicker. The downside is that you either need to have compiled them from source once previously and kept them, or you need to obtain them from somewhere trusted.

Where can you obtain ARMv6 compiled jessie-backports packages that’s trusted? As far as I know there is nowhere! You are best off compiling the packages from source yourself and then keeping them for the future. However, if you really want to take a risk and trust a stranger on the Internet (which I would suggest you don’t), I have uploaded my own compiled packages here.

Option 1: From source

People who regularly develop for and test on Raspberry Pis will have one of many test environments set up; perhaps a chroot within Ubuntu, or perhaps Raspbian as-is running in QEMU emulating an ARM processor. This is well beyond the scope for us compiling just four packages, so we will do it on the Pi itself.

However the downside of this is that it takes forever to compile. You honestly need to be prepared to have your Pi out of action for several days. Especially if you only have a Class 4 SD card. Especially if your Pi only has 256MB of RAM.

Expect to stare at screens like this for a *long* time.

First of all, that RAM will really become an issue – on a 256MB model we need at least 600MB of additional swap, otherwise our build processes will be killed to prevent the system running out-of-memory. If you have a 512MB model you will probably need another 350MB of swap.

> sudo fallocate -l 600M /swaptemp
> sudo chmod 600 /swaptemp
> sudo mkswap /swaptemp
> sudo swapon /swaptemp

We enabled the Jessie Backports repo for binaries, but not sources, which we need to do:

deb http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://archive.raspbian.org/raspbian/ jessie main contrib non-free rpi
deb http://ftp.debian.org/debian jessie-backports main
deb-src http://ftp.debian.org/debian jessie-backports main

We also need to temporarily whitelist the source packages from jessie-backports.

# Architecture independent packages
Package: python-pkg-resources python-configargparse python-six python-idna python-ipaddress python-pyasn1 python-setuptools python-dnspython python-funcsigs python-openssl python-ndg-httpsclient python-pbr python-urllib3 python-requests python-rfc3339 python-mock python-acme python-certbot certbot
Pin: release n=jessie-backports
Pin-Priority: 1005

# Architecture specific packages
Package: python-cffi-backend python-dialog python-psutil python-cryptography
Pin: release n=jessie-backports
Pin-Priority: 1005

From here on, we will be using exact versions of the ARM dependencies to ensure that we are obtaining packages from Jessie Backports.

First we will work on python-cffi-backend, python-dialog, and python-psutil. The forth package python-cryptography has some of the first three as dependencies, so we can’t build that yet.

We create a folder to contain our source code, install our build dependencies, and download the source.

> mkdir packages
> cd packages

> sudo apt-get build-dep python-cffi-backend=1.4.2-2~bpo8+1 python-dialog=3.3.0-2~bpo8+1 python-psutil=4.1.0-1~bpo8+1 -y

> apt-get source python-cffi-backend=1.4.2-2~bpo8+1 python-dialog=3.3.0-2~bpo8+1 python-psutil=4.1.0-1~bpo8+1 -y

We now build the .deb package for each of our packages. Let me warn you that python-cffi in particular can take over 12 hours to compile. The long part is the various unit tests it runs, for each version of python.

Let me say now that dpkg-buildpackage built several packages that weren’t needed – in particular including packages each for python 2.7 and 3.4, normal and debug packages, and doc packages. I would guess that there is probably a way to specify the exact packages you want built to save time, but I have not looked into it.

> cd python2-pythondialog-3.3.0/
> dpkg-buildpackage
> cd ..

> cd python-cffi-1.4.2/
> dpkg-buildpackage
> cd ..

> cd python-psutil-4.1.0/
> dpkg-buildpackage
> cd ..

After this, install the packages. Optionally but recommended, we can then use apt-mark to hold the packages, preventing them from being automatically upgraded. An automatic upgrade to an ARMv7 package in jessie-backports would break the package, so this is a good idea.

> sudo dpkg -i *.deb
> sudo apt-mark hold python3-cffi python3-cffi-backend python3-cffi-backend-dbg python3-psutil python3-psutil-dbg python-cffi python-cffi-backend python-cffi-backend-dbg python-dialog python-psutil python-psutil-dbg python-psutil-doc

Now, we move on to python-cryptography. We temporarily allow jessie-backports for all packages in apt preferences (again) and look at its build dependencies.

> sudo apt-get build-dep python-cryptography=1.3.4-1~bpo8+2 -s -t jessie-backports
...
Inst libjs-jquery [1.7.2+dfsg-3.2] (1.11.3+dfsg-4~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-alabaster (0.7.8-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-imagesize (0.7.1-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-sphinx [1.2.3+dfsg-1] (1.4.9-2~bpo8+1 Debian Backports:jessie-backports [all]) []
Inst sphinx-common [1.2.3+dfsg-1] (1.4.9-2~bpo8+1 Debian Backports:jessie-backports [all]) []
Inst libjs-sphinxdoc [1.2.3+dfsg-1] (1.4.9-2~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-cryptography-vectors (1.3.4-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-hypothesis (3.4.2-2~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-idna (2.0-3~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-pyasn1 (0.1.9-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python3-setuptools [5.5.1-1] (20.10.1-1.1~bpo8+1 Debian Backports:jessie-backports [all]) []
Inst python3-pkg-resources [5.5.1-1] (20.10.1-1.1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python3-six (1.9.0-3~bpo8+1 Debian Backports:jessie-backports [all])
Inst python3-cryptography-vectors (1.3.4-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python3-hypothesis (3.4.2-2~bpo8+1 Debian Backports:jessie-backports [all])
Inst python3-idna (2.0-3~bpo8+1 Debian Backports:jessie-backports [all])
Inst python3-imagesize (0.7.1-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python3-jinja2 (2.8-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python3-pyasn1 (0.1.9-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python3-pygments (2.1.3+dfsg-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python3-alabaster (0.7.8-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python3-sphinx (1.4.9-2~bpo8+1 Debian Backports:jessie-backports [all])
Inst python-iso8601 (0.1.11-1~bpo8+1 Debian Backports:jessie-backports [all])
Inst python3-iso8601 (0.1.11-1~bpo8+1 Debian Backports:jessie-backports [all])
...
Inst fonts-font-awesome (4.2.0~dfsg-1 Raspbian:stable [all])
Inst python-babel-localedata (1.3+dfsg.1-5 Raspbian:stable [all])
Inst python-tz (2012c+dfsg-0.1 Raspbian:stable [all])
Inst python-babel (1.3+dfsg.1-5 Raspbian:stable [all])
Inst python-enum34 (1.0.3-1 Raspbian:stable [all])
Inst python-pretend (1.0.8-1 Raspbian:stable [all])
Inst python-pyasn1-modules (0.0.5-0.1 Raspbian:stable [all])
Inst python-sphinx-rtd-theme (0.1.6-1 Raspbian:stable [all])
Inst python3-tz (2012c+dfsg-0.1 Raspbian:stable [all])
Inst python3-babel (1.3+dfsg.1-5 Raspbian:stable [all])
Inst python3-roman (2.0.0-1 Raspbian:stable [all])
Inst python3-docutils (0.12+dfsg-1 Raspbian:stable [all])
Inst python3-markupsafe (0.23-1 Raspbian:stable [armhf])
Inst python3-pretend (1.0.8-1 Raspbian:stable [all])
Inst python3-pyasn1-modules (0.0.5-0.1 Raspbian:stable [all])
...
Inst libssl1.0.0 [1.0.1t-1+deb8u6] (1.0.2k-1~bpo8+1 Debian Backports:jessie-backports [armhf])
Inst libssl-dev (1.0.2k-1~bpo8+1 Debian Backports:jessie-backports [armhf])

At first it looks bad – that we’ll have to compile another two ARM packages libssl1 and libssl-dev from Jessie Backports. Thankfully the rabbit hole doesn’t actually go this deep – if we whitelist only the architecture-independent packages, running build-dep without forcing it to use jessie-backports will use older Raspbian stable versions of these packages.

# Architecture independent packages
Package: python-pkg-resources python-configargparse python-six python-idna python-ipaddress python-pyasn1 python-setuptools python-dnspython python-funcsigs python-openssl python-ndg-httpsclient python-pbr python-urllib3 python-requests python-rfc3339 python-mock python-acme python-certbot certbot
Pin: release n=jessie-backports
Pin-Priority: 1005

# Architecture specific packages
Package: python-cffi-backend python-dialog python-psutil python-cryptography
Pin: release n=jessie-backports
Pin-Priority: 1005

# build-deps for python-cryptography
Package: libjs-jquery python-alabaster python-imagesize python-sphinx sphinx-common libjs-sphinxdoc python-cryptography-vectors python-hypothesis python-idna python-pyasn1 python3-setuptools python3-pkg-resources python3-six python3-cryptography-vectors python3-hypothesis python3-idna python3-imagesize python3-jinja2 python3-pyasn1 python3-pygments python3-alabaster python3-sphinx python-iso8601 python3-iso8601
Pin: release n=jessie-backports
Pin-Priority: 1005

Then we repeat pretty much the same as earlier, but with the python-cryptography package. Let me warn you now, this package is the one that needs all the memory. If it suddenly says “Killed” halfway through, look through the syslog and you will see that it was killed for making the system out-of-memory, and you will need more swap. This took me 24 hours to compile, though in pretty much the worst case scenario (256MB Pi with Class 4 SD card).

> sudo apt-get build-dep python-cryptography=1.3.4-1~bpo8+2 -y
> apt-get source python-cryptography=1.3.4-1~bpo8+2 -y
> cd python-cryptography-1.3.4/
> dpkg-buildpackage
> cd ..
> sudo dpkg -i *.deb
> sudo apt-mark hold python3-cryptography python-cryptography python-cryptography-doc

After this, we can continue to install Certbot. Don’t forget to remove the source packages from /etc/apt/preferences.d/certbot, and to remove that extra swap if you no longer need it.

Option 2: From pre-compiled packages

In this case we already have the packages built – either we built them previously, or we downloaded them from a trusted source.

First, look at the dependencies for our packages and install them. One thing I like to do is to mark the dependencies as automatically installed, that way if I ever uninstall certbot, I can use apt-get autoremove to remove unwanted dependencies exactly as I would if certbot was installed normally through apt.

# Look at dependencies
> sudo apt-get install python-cffi-backend=1.4.2-2~bpo8+1 python-dialog=3.3.0-2~bpo8+1 python-psutil=4.1.0-1~bpo8+1 -s
...
The following extra packages will be installed:
  dialog
...
# Install dependencies only
> sudo apt-get install dialog -y
> sudo apt-mark auto dialog

After this we install the packages and prevent them from auto-ugprading.

> sudo dpkg -i python-cffi-backend_1.4.2-2~bpo8+1_armhf.deb python-dialog_3.3.0-2~bpo8+1_armhf.deb python-psutil_4.1.0-1~bpo8+1_armhf.deb

> sudo apt-mark hold python-cffi-backend python-dialog python-psutil

Then we repeat the process for our python-cryptography package.

# Look at dependencies
> sudo apt-get install python-cryptography=1.3.4-1~bpo8+2 -s
...
The following extra packages will be installed:
  python-enum34 python-idna python-ipaddress python-pkg-resources python-pyasn1 python-setuptools python-six
...
# Install dependencies only
> sudo apt-get install python-enum34 python-idna python-ipaddress python-pkg-resources python-pyasn1 python-setuptools python-six -y
> sudo apt-mark auto python-enum34 python-idna python-ipaddress python-pkg-resources python-pyasn1 python-setuptools python-six

> sudo dpkg -i python-cryptography_1.3.4-1~bpo8+2_armhf.deb
> sudo apt-mark hold python-cryptography

Installing Certbot

We should now be able to install Certbot. Double check that if we try to install it, there are no armhf packages from jessie-backports – only from Raspbian. After that we can go ahead and install!

> sudo apt-get install certbot -s | grep armhf
Inst python-pyicu (1.8-1 Raspbian:stable [armhf])
Inst python-zope.interface (4.1.1-3.1 Raspbian:stable [armhf])
Conf python-pyicu (1.8-1 Raspbian:stable [armhf])
Conf python-zope.interface (4.1.1-3.1 Raspbian:stable [armhf])

> sudo apt-get install certbot -y

After this, a quick test is to run certbot --help, as I have often seen this fail when using the Debian jessie-backports packages. However the best test is to actually try to obtain or renew a certificate.

Uninstalling Certbot

If you want to uninstall, so long as you used apt-mark for dependencies as above, it’s very simple:

> sudo apt-get remove python-cffi-backend python-dialog python-psutil python-cryptography certbot
> sudo apt-get autoremove

33 Comments

  1. Nick Baggott

    A terrific guide to installing Certbot on Jessie. Clear instructions and explanations and it worked for me!
    Thank you.

    Reply
    1. Ryan Milne (Post author)

      I am very glad to heard it worked for you.

      If it’s not too much trouble I’d be interested to know if you compiled from source or downloaded my compiled binaries.

      Reply
      1. Nick Baggott

        Against your advice and my better judgement I went for risk versus time and used the compiled binaries. I might also try compiling from source on a spare pi I have as that is clearly the safer approach.

        Reply
  2. Matthieu CHOMIENNE

    Nice tutorial ! Unfortunately, i can’t achieve it and as i’m more in the Windows system thant in unix ones, i can’t solve it by myself and i hope you could help.

    I followed all steps from beginning to just before installing certbot. I just had to make a little modification to the installation of the python-crypto dependencies (by adding the -t jessie-backports) as the version retrieve wasn’t good.

    So the “problematic” dependencies are all installed successfully. But when i execute the first line to check if it remains some missing dependencies for certbot, i’m stuck because i’m still missing a python-certbot dependencies and it says that it won’t install.

    Please let me know if you have any idea on how to complete this installation.

    Note Bene: i started with a fresh install of Raspbian (from 2017-04-10-raspbian-jessie.img) and i also have an old Raspberry Pi 1 model B

    Reply
    1. Ryan Milne (Post author)

      Sorry to hear that you’re having trouble with this. I can certainly try to help!

      I could do with some more information. Could you please get the following data for me? (There will be a lot of text so it will probably be best if you paste it onto a website like https://pastebin.com and reply with the link.)

      1. Copy and paste the exact command you’re getting stuck at and the full error that you’re getting.
      2. Copy and paste the output of the following command: sudo dpkg –list
      (This will list all packages you have installed)
      3. Upload or paste the following file from the Pi: /var/log/apt/term.log
      (This shows what has happened when you have run apt-get in the past)

      Thanks

      Reply
      1. Matthieu CHOMIENNE

        You will find the requested data at this place : https://pastebin.com/FUJn9uYb

        Reply
        1. Ryan Milne (Post author)

          Thanks for the data, that’s very helpful.

          That error means there is at least one dependency left that it needs to pull from jessie-backports that it is not allowed to because of APT preferences.

          Your python-cffi-backend, python-dialog, python-psutil and python-cryptography all look fine. So it must be another package that it can’t install.

          Can you please now get the following for me:

          1. Upload or paste the following file: /etc/apt/preferences
          2. Upload or paste the following file: /etc/apt/preferences.d/certbot
          3. Copy and paste the output of the following command: sudo apt-get install certbot -s -t jessie-backports
          (This will show us all packages that it wishes to install IF it were allowed to install ANY package from jessie-backports. We will compare it with the above two files).

          Also just so I know, did you do Option 1 (Compile the packages from source) or Option 2 (Download the pre-compiled package from this blog)?

          Thanks

          Reply
          1. Matthieu CHOMIENNE

            Here’s are data : https://pastebin.com/yq75GkMF

            I do not get /etc/apt/preferences.d/certbot as i put your content in preferences directly

            And i use option 2 (i downloaded your packages with a wget from the rapsi directly)

          2. Ryan Milne (Post author)

            Thanks again for the data.

            1) It looks like you have a blank line in /etc/apt/preferences that shouldn’t be there – line 13 in your pastebin. According to man apt_preferences, “The file consists of one or more multi-line records separated by blank lines.”, so unlike most config files that blank line might be causing a problem. So can you please remove the blank line. (To be clear, your APT preferences should then look like this: https://pastebin.com/Zw81G3wt )

            Then try running the following:

            sudo apt-get install certbot -s

            And let me know if it works – if not then as usual please paste the output.

            2) If that doesn’t work, can you please temporarily uncomment the following lines:

            Package: *
            Pin: release n=jessie-backports
            Pin-Priority: 700

            (To be clear, your APT preferences should then look like this: https://pastebin.com/yjTweetN )

            Then run this command again and paste the output:

            sudo apt-get install certbot -t jessie-backports -s

            3) Just to be sure, can you post your /etc/apt/sources.list

            Thanks

  3. Matthieu CHOMIENNE

    Hi,

    The blank line is an artifat of my copy/paste because of the length of the line 12. I had to copy it in two times from Putty and the copy of the end of the line was made with an extra carriage return. But it’s not in the file itself.

    I’ve uncommented the lines concerning jessie-backports and you will find the result here (/etc/apt/sources.list content following) https://pastebin.com/HsE533vA

    Reply
    1. Ryan Milne (Post author)

      This is very puzzling! I appreciate your patience so far, I am eager to get to the bottom of this 🙂

      I am wondering if there is something different about the French language version of Raspbian, but that would surprise me.

      Your sources looks fine.

      Can you try all of the following commands and let me know the error / output you get. This should hopefully let us narrow down the stuck package.

      sudo apt-get install python-pkg-resources python-configargparse python-six python-idna python-ipaddress python-pyasn1 python-setuptools python-dnspython python-funcsigs python-openssl python-ndg-httpsclient python-pbr python-urllib3 python-requests python-rfc3339 python-mock python-acme python-certbot certbot -s

      sudo apt-get install python-pkg-resources python-configargparse python-six python-idna python-ipaddress python-pyasn1 python-setuptools python-dnspython python-funcsigs python-openssl python-ndg-httpsclient python-pbr python-urllib3 python-requests python-rfc3339 python-mock python-acme python-certbot certbot -s -t jessie-backports

      sudo apt-get install python-cffi-backend python-cryptography python-dialog python-psutil -s

      sudo apt-get install python-cffi-backend python-cryptography python-dialog python-psutil -s -t jessie-backports

      Thanks

      Reply
    2. Ryan Milne (Post author)

      Also, it looks like aptitude gives more information than apt-get. Can you please run the following:

      sudo aptitude -s install certbot

      For each solution type “n” for no. When it says “*** No more solutions available ***” then type “q” to quit. (Obviously this may be slightly different in French language aptitude)

      Then again paste the entire output.

      Reply
      1. Matthieu CHOMIENNE

        Many thanks for the help ! You’re the one being patient 😉 With all of that, i hope it will help any one having the same issue 😉

        Here’s are the new data asked : https://pastebin.com/QJBT0k5Z

        Reply
        1. Ryan Milne (Post author)

          Right, now we’re getting somewhere!

          Before we forget, comment this out again in apt preferences – otherwise you risk installing a jessie-backports package when you don’t want to, which may break your system.

          #Package: *
          #Pin: release n=jessie-backports
          #Pin-Priority: 700

          You currently have a jessie version of python-openssl installed (0.13.1-2). The issue is that there is a newer version in jessie-backports (16.0.0-1~bpo8+1) which python-acme requires, but for some reason apt-get isn’t trying to install it.

          This is weird as you have python-openssl set to jessie-backports with a
          priority of 995 in /etc/apt/preferences , which according to the man page “causes a version to be installed even if it does not come from the target release, unless the installed version is more recent”. If jessie is your target release then the jessie version it should have a priority of 990, lower than the jessie-backports one.

          It’s possible it’s a bug in the package (it thinks 0.13.1-2 is newer than 16.0.0-1~bpo8+1), or it’s possible I have misunderstood APT preferences, or it’s possible there is a syntax error in your /etc/apt/preferences that neither of us have noticed.

          EDIT: I have just installed python-openssl 0.13.1-2 on one of my Raspberry Pis. If I now try to install certbot, it correctly tries to upgrade python-openssl to 16.0.0-1~bpo8+1, rather than produces an error like yours.. So there must be something we have missed with your setup.

          We have a couple of choices now – either (A) just install the correct python-openssl to get it working, or (B) Test some more to try to figure out why it’s not working. It’s entirely up to you – either way I am glad we have had this public discussion 🙂

          (A) Get it working

          Try running sudo aptitude install certbot again. It should run the same as before you commented out the above. When it offers the second solution (upgrade python-openssl to 16.0.0-1~bpo8+1 (jessie-backports)), type “y” accept it, like below:

          Conserver les paquets suivants dans leur version actuelle :
          1) certbot [Non installé]
          2) python-acme [Non installé]
          3) python-certbot [Non installé]

          Accepter cette solution ? [Y/n/q/?] n
          Les actions suivantes permettront de résoudre ces dépendances :
          Mettre à jour les paquets suivants :
          1) python-openssl [0.13.1-2 (now, stable) -> 16.0.0-1~bpo8+1 (jessie-backports)]

          Accepter cette solution ? [Y/n/q/?] y

          If that doesn’t work, try the below first to install the exact package version, then run the above again.

          sudo apt-get install python-openssl=16.0.0-1~bpo8+1 -t jessie-backports

          If neither of those work, as usual let me know the output.

          (B) Test some more

          1) Post your /etc/apt/apt.conf

          2) Post the output of the following: cat /etc/apt/apt.conf.d/*

          3) Try adding the below to /etc/apt/preferences and try running sudo apt-get install certbot -s again:

          Package: python-openssl
          Pin: release n=jessie-backports
          Pin-Priority: 1005

          (A priority of 1005 “causes a version to be installed even if this constitutes a downgrade of the package”.)

          Reply
          1. Matthieu CHOMIENNE

            Hey for what i understand of the output, the testing will show something interesting 😉 With the new preferences, the install shows no problem. It says it will update python-openssl from jessie-backports and all other dependencies are from Raspbian or jessie-backports [all]. https://pastebin.com/uPGD0vcK

            So it’s a bug with the python-openssl package ?

          2. Ryan Milne (Post author)

            I am glad it’s now showing no problem!

            Just to confirm, you are saying that once you added python-openssl with a priority of 1005 to APT Preferences it started working – is that correct?

            If so, I am honestly unsure of the cause – I wasn’t able to reproduce it on my end, a priority of 995 worked fine for me.

            If 1005 works but 995 does not then it sounds like it thinks that 16.0.0-1~bpo8+1 is older than 0.13.1-2, but I am not sure why that would apply on your Raspberry Pi and not mine.

            My best guesses are:
            1) Your APT is either a different version to mine.
            2) Your APT has some other configuration file different to mine.
            3) Your APT preferences still has a syntax error that neither of us have noticed. (I doubt it, but it’s possible).
            4) It is a difference between English and French APT. (Again I really doubt this one).

            As interested as I am, I think I will leave this one with you since it now seems to be working :-). I hope the rest of the Certbot install works for you!

  4. Matthieu CHOMIENNE

    I remove an extra carriage return at the end of the preferences file. And i also commented the lines with the 1005 priority. I run again a sudo apt-get update and then simulate the install of certbot and now it apperas to show what we want. So i think it’s an error only on my environement.

    Reply
    1. Ryan Milne (Post author)

      How strange. Either way, glad it’s showing correct now.

      Reply
  5. D

    Any chance of please compiling and uploading an updated python-cffi-backend package please? I think it’s now at 1.9.1.

    Reply
    1. Ryan Milne (Post author)

      I will see if I can, though (as it sounds like you have discovered) the dependencies resolve fine with the older python-cffi-backend. (Of course not to suggest it’s a good idea to run on an older package – e.g. there may be unpatched security vulnerabilities.)

      Reply
  6. Daniel

    Thanks for uploading the pre-compiled packages. I have got certbot working using them!

    I did have to do a couple of things differently though:
    1. When I tried to install python-cryptography it failed with:
    dpkg: dependency problems prevent configuration of python-cryptography:
    python-cryptography depends on python-pyasn1 (>= 0.1.8); however:
    Version of python-pyasn1 on system is 0.1.7-1.
    python-cryptography depends on python-setuptools (>= 11.3); however:
    Version of python-setuptools on system is 5.5.1-1.

    To fix, I removed python-cryptography and its dependencies and installed the dependencies from jessie-backports (using the -t option)

    2. When installing certbot I had to install from jessie-backports.

    3. I didn’t need to install dialog. I’m not sure where that came from. I noticed on my Raspberry Pi 3 after installing (without all this fuss) that when I ran `apt-get autoremove` it listed `python-dialog` as something that could be removed.

    Reply
    1. Ryan Milne (Post author)

      I’m glad that you have got it working!

      1. That seems very similar to Matthieu’s issues above. We modify APT preferences to give various packages a priority of 995 to install from jessie-backports, including python-openssl, python-pyasn1, python-setuptools. However for Matthieu this wasn’t forcing the correct version of python-openssl, and for you it wasn’t forcing the correct version of python-pyasn1 and python-setuptools.

      Using a priority of 1005 instead of 995 should resolve this. I haven’t been able to reproduce this problem myself so I am still unsure of the root cause – it could be an error in the APT preferences configuration files, it could be my misunderstanding the priorities and it only coincidentally working fine for me, it could be something else.

      2. As above. certbot is also set with a priority of 995, and so as far as I understand shouldn’t need to be explicitly specified to install as jessie-backports.

      3. I think I know the reason for this. My guide was originally written with certbot 0.9.3. Certbot 0.10.x is now in jessie-backports, and in Certbot 0.10.0 they removed the ncurses interface, which I am guessing is all that used python-dialog, hence its removal as a dependency. You can see it in the Certbot changelog here:

      https://github.com/certbot/certbot/blob/master/CHANGELOG.md

      Reply
  7. D

    Thanks. This blog saved me a headache! And for reference I didn’t touch my apt preferences.

    Reply
  8. alain thomas

    thank you all for sharing this knowledge. installation done on last rasbian image, adapted from these instructions

    Reply
  9. Stefan

    Hello Ryan,

    thank you very much for your guide.

    I am unfortunately stuck when I am trying to follow your Option 1 guide:

    sudo apt-get build-dep python-cffi-backend=1.4.2-2~bpo8+1 python-dialog=3.3.0-2~bpo8+1 python-psutil=4.1.0-1~bpo8+1 -y
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    Picking ‘python-cffi’ as source package instead of ‘python-cffi-backend’
    E: Can not find version ‘1.4.2-2~bpo8+1’ of package ‘python-cffi-backend’
    E: Unable to find a source package for python-cffi

    My /etc/apt/preferences: https://pastebin.com/xVEu1jpF

    My /etc/apt/sources.list: https://pastebin.com/tiaQkWqq

    Can you help me out here?
    I am running the latest Raspberry hardware on Debian Jessie.

    Reply
    1. Ryan Milne (Post author)

      Hello Stefan,

      It looks like you’re trying to install the exact versions of those dependencies exactly as I wrote back in March. Those are unlikely to still be the best versions to install, and older ones are likely to have been removed. Indeed, a comment above from June mentioned that there is a newer python-cffi package in jessie-backports than 1.4.2-2~bpo8+1.

      When you ran the command below…

      sudo apt-get install certbot -t jessie-backports -s

      …you were supposed to use the output of it to determine (a) All jessie-backports [armhf] dependencies that you need to compile, and (b) what versions of them, and then try to install them.

      Also, in particular as per my update on 15/06/2017 you will likely find that python-dialog is no longer required, which will save you time.

      I hope this helps.

      Reply
      1. Jess Robinson

        Now its at python-cffi-backend= 1.9.1-2~bpo8+1 , which requires a bunch more dependencies.

        dpkg-checkbuilddeps: Unmet build dependencies: libffi-dev python-py python-pycparser python-pytest python3-py python3-pycparser python3-pytest python3-setuptools virtualenv | python-virtualenv (<< 1.11.6)

        Isn't this fun..

        Reply
        1. Jess Robinson

          -cryptography turned out to also be a newer version.. 1.7.1-3~bpo8+1.. which failed to build a couple of times.. I give up..

          Reply
          1. Jess Robinson

            Realised I cant.. cos letsencrypt certs dont last long.. trying dpk-buildpacka -b on python-cryptography, as its the source package thats being complained about..

  10. poku

    This helped to avoid tests when building python-cffi from source.

    DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage

    Reply
    1. poku

      Thank you for this guide!

      Reply
  11. Jess Robinson

    Anyone thoughts on removing the build-deps again? Possible/easy?

    Reply
    1. Jess Robinson

      Hmm, nevermind, got to the end.. but certbot still not working.. 🙁

      Reply

Leave a Reply to Ryan Milne Cancel reply

Your email address will not be published. Required fields are marked *