Certbot upgrade from Python 3.6 to Python 3.9 on AlmaLinux

Checklist
[Y] I have read intro post: About the Installation Issues category
[Y] I have read the tutorials, help and searched for similar issues
[Y] I provide relevant information about my server (component names and versions, etc.)
[Y] I provide a copy of my logs and healthcheck
[Y] I describe the steps I have taken to trouble shoot the problem
[Y] I describe the steps on how to reproduce the issue

I’ve successfully got Passbolt running on AlmaLinux, after a few tries, to say the least.
I am accessing the passwords server via another local IP address which is acting as a proxy.
Internally, no issues at all - can create users, add passwords, folders etc (AFTER setting the SELinux policy).

*Failed to activate Passbolt CE with AlmaLinux - #20 by amr.salem
*SELinux causes issues - preventing PGP from running, run these as root; BEFORE SETTING UP A USER!!!
setsebool -P httpd_use_gpg=on
setsebool -P gpg_web_anon_write=on
semanage permissive -a gpg_web_t

However, from external browsers I get an error stating that Strict-Transport-Security has been enabled, and it can’t be worked around. (On Firefox Ver 117.0.1).
After a bit of digging around by doing a curl on the domain:
$ curl --head https://passwords.blah.com
curl: (60) Peer’s Certificate has expired.
More details here: curl - SSL CA Certificates

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

OK, let's see if we can do an update on the certificate…

[root@localhost lib64]# certbot renew --dry-run
/opt/certbot/lib64/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
from cryptography.hazmat.bindings.openssl.binding import Binding
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Python 3.6 support will be dropped in the next release of Certbot - please upgrade your Python version.


Processing /etc/letsencrypt/renewal/passwords.blah.com.conf


Failed to renew certificate passwords.blah.com with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f9d80504470>: Failed to establish a new connection: [Errno -2] Name or service not known',))


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/passwords.blah.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[root@localhost lib64]#

If I attempt to remove Python 3.6 (Python 3.9 is installed):
Removing:
python36 x86_64 3.6.8-38.module_el8.5.0+2569+5c5719bc @appstream 13 k
Removing dependent packages:
fail2ban noarch 1.0.2-3.el8 @epel 0
Removing unused dependencies:
esmtp x86_64 1.2-15.el8 @epel 100 k
fail2ban-firewalld noarch 1.0.2-3.el8 @epel 319
fail2ban-selinux noarch 1.0.2-3.el8 @epel 31 k
fail2ban-sendmail noarch 1.0.2-3.el8 @epel 12 k
fail2ban-server noarch 1.0.2-3.el8 @epel 1.4 M
libesmtp x86_64 1.0.6-18.el8 @epel 160 k
liblockfile x86_64 1.14-2.el8 @baseos 51 k
python3-pip noarch 9.0.3-22.el8 @appstream 2.8 k

Not something I’d like to do. Just yet.

Have I missed something in the install process, or does Passbolt's version of Certbot rely on Python 3.6?

Or is there a work-around?

Hello @Android,
I think you forgot to add the context there. Could you be more specific on the issues you are encountering and what you expect to happen instead?

I’ve just realised, by doing a healthcheck:
$ sudo -H -u nginx bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"

There is an update:
[FAIL] This installation is not up to date. Currently using 4.2.0 and it should be 4.3.0.
I’ll update now and see what happens

Hi, :wave:

From my understanding, it seems your server is not able to resolve the acme-staging-v02.api.letsencrypt.org domain name.

Are you able to ping it?

ping acme-staging-v02.api.letsencrypt.org

Cheers,

After making a backup,
As the VM was proxied via another IP address, in order for it to ping out, I set it up as the public IP address in the router.

I have removed Python36
Successfully updated, rebooted etc.
Healthcheck : [PASS] No error found. Nice one sparky!

Performed a dry run:

certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/passwords.blah.com.conf


Simulating renewal of an existing certificate for passwords.blah.com


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/passwords.blah.com/fullchain.pem (success)


$ curl --head https://passwords.blah.com
HTTP/1.1 404 Not Found
Server: nginx/1.14.1
Date: Mon, 02 Oct 2023 22:08:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=5
X-Powered-By: PHP/8.1.24
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self' https://*.duosecurity.com;

*** So, everything now seems to be running correctly, without python36. ***
However…
Having a password server open to the internet is not an ideal solution, and adding fail2ban back (which insists on Python36) breaks Certbot.

certbot renew --dry-run

/opt/certbot/lib64/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
from cryptography.hazmat.bindings.openssl.binding import Binding
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Python 3.6 support will be dropped in the next release of Certbot - please upgrade your Python version.


Processing /etc/letsencrypt/renewal/passwords.blah.com.conf


Simulating renewal of an existing certificate for passwords.blah.com
Failed to renew certificate passwords.blah.com with error: Invalid version. The only valid version for X509Req is 0.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/passwords.blah.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

So, I guess I need to leave it on the public IP, drop fail2ban (which uses Python 3.6 for the moment) and ensure the firewall is set up correctly.
Or has anyone had experience with forcing Certbot to use Python 3.9?
That would resolve most of my problems.

Another option for you would be to not use certbot and the auto certificate option. You can always handle the certs manually to avoid having the server open to the internet.

I have found a work-around.
Not the best, but it works:
update-alternatives --config python3
#select version 3.9
certbot certificates
certbot renew --cert-name passwords.blah.com
update-alternatives --config python3
#select version 3.6

Also, I have set up a proxy using Apache on the host with direct internet access, with masquerading on the firewall, and set the gateway IP on the passwords machine to the proxy IP.
This also requires a certificate on the proxy server.

Not the prettiest solution, but it seems to work.
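The manual work-around above (switch the python3 alternative to 3.9, renew, switch back), as an added example that is not from the thread or from the Passbolt project: a non-interactive script that uses `update-alternatives --set` in place of the interactive `--config` prompt and restores the previous interpreter even when certbot fails, so fail2ban keeps its Python 3.6. The `/usr/bin/python3.9` path, the `update-alternatives --display` output format and the `renew_with_py39` / `valid_cert_name` helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): non-interactive version of the
# "switch python3 to 3.9, renew, switch back" work-around.
# Assumptions: update-alternatives manages /usr/bin/python3 and the 3.9
# alternative is /usr/bin/python3.9 (override with PY39).
set -eu

PY39="${PY39:-/usr/bin/python3.9}"

# Read `update-alternatives --display python3` output on stdin and print the
# path the python3 link currently points to (prints nothing if not found).
current_python3() {
    awk '/link currently points to/ { print $NF; exit }'
}

# Accept only hostname-like cert names (letters, digits, dot, dash, not
# starting with '-' or '.') so a bad argument cannot add flags to certbot.
valid_cert_name() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Point the python3 link back at whatever it was before we touched it.
restore_python3() {
    if [ -n "$1" ]; then
        update-alternatives --set python3 "$1"
    fi
}

renew_with_py39() {
    cert_name="$1"
    valid_cert_name "$cert_name" || { echo "bad cert name: $cert_name" >&2; return 2; }
    prev="$(update-alternatives --display python3 | current_python3)"
    # Restore the previous interpreter even if certbot fails, so fail2ban
    # (which depends on python36 on this host) keeps working afterwards.
    trap 'restore_python3 "$prev"' EXIT
    update-alternatives --set python3 "$PY39"
    certbot renew --cert-name "$cert_name"
}

# Usage: ./renew-py39.sh passwords.blah.com
# With no argument the script only defines its functions.
if [ "$#" -gt 0 ]; then
    renew_with_py39 "$1"
fi
```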