While installing on CentOS7, auto ssl fails

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue

While installing Passbolt on a Digital Ocean CentOS 7 Droplet, auto SSL configuration fails and installation process exits. I’m posting the entire installation output.

[root@passbolt ~]# /usr/local/bin/passbolt-configure
================================================================
           ____                  __          ____
          / __ \____  _____ ____/ /_  ____  / / /_
         / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
        / ____/ /_/ (__  |__  ) /_/ / /_/ / / /_
       /_/    \__,_/____/____/_,___/\____/_/\__/

      The open source password manager for teams
      (c) 2020 Passbolt SA
      https://www.passbolt.com
================================================================
==============================================================
Do you want to install a local mariadb server on this machine?
==============================================================
1) yes
2) no
#? yes
Please select (1) or (2) to continue
#? 1
=======================================================
Please enter a new password for the root database user:
=======================================================
MariaDB Root Password:
MariaDB Root Password (verify):
======================================================
Please enter a name for the passbolt database username
======================================================
Passbolt database user name:pb
=======================================================
Please enter a new password for the mysql passbolt user
=======================================================
MariaDB passbolt user password:
MariaDB passbolt user password (verify):
==============================================
Please enter a name for the passbolt database:
==============================================
Passbolt database name:pb
================================================================================
On virtualized environments GnuPG happen to find not enough entropy
    to generate a key. Therefore, Passbolt will not run properly.
    Do you want to install Haveged to speed up the entropy generation on
    your system? Please check https://help.passbolt.com/faq/hosting/why-haveged-
virtual-env
================================================================================
1) yes
2) no
#? 1 
================================================================================
Setting hostname...
    Please enter the domain name under which passbolt will run.
    Note this hostname will be used as server_name for nginx
    and as the domain name to register a SSL certificate with
    let's encrypt.
    If you don't have a domain name and you do not plan to use
    let's encrypt please enter the ip address to access this machine
================================================================================
Hostname: [redacted]
================================================================================
Setting up SSL...
    Do you want to setup a SSL certificate and enable HTTPS now?
    - manual: Prompts for the path of user uploaded ssl certificates and set up 
nginx
    - auto:   Will issue a free SSL certificate with https://www.letsencrypt.org
 and set up nginx
    - none:   Do not setup HTTPS at all
================================================================================
1) manual
2) auto
3) none
#? 2
Enter a email address to register with Let's Encrypt: [redacted]
=============================
Installing os dependencies...
=============================
===================
Setting up nginx...
===================
Loaded plugins: fastestmirror
No Match for argument: certbot
No Packages marked for removal
Requirement already satisfied: pip in /opt/certbot/lib/python3.6/site-packages (21.3.1)
Requirement already satisfied: certbot in /opt/certbot/lib/python3.6/site-packages (1.23.0)
Requirement already satisfied: certbot-nginx in /opt/certbot/lib/python3.6/site-packages (1.23.0)
Requirement already satisfied: parsedatetime>=2.4 in /opt/certbot/lib/python3.6/site-packages (from certbot) (2.6)
Requirement already satisfied: pytz in /opt/certbot/lib/python3.6/site-packages (from certbot) (2023.3)
Requirement already satisfied: acme>=1.23.0 in /opt/certbot/lib/python3.6/site-packages (from certbot) (1.23.0)
Requirement already satisfied: zope.interface in /opt/certbot/lib/python3.6/site-packages (from certbot) (5.5.2)
Requirement already satisfied: configobj>=5.0.6 in /opt/certbot/lib/python3.6/site-packages (from certbot) (5.0.8)
Requirement already satisfied: josepy>=1.9.0 in /opt/certbot/lib/python3.6/site-packages (from certbot) (1.13.0)
Requirement already satisfied: setuptools>=39.0.1 in /opt/certbot/lib/python3.6/site-packages (from certbot) (39.2.0)
Requirement already satisfied: zope.component in /opt/certbot/lib/python3.6/site-packages (from certbot) (5.1.0)
Requirement already satisfied: cryptography>=2.5.0 in /opt/certbot/lib/python3.6/site-packages (from certbot) (40.0.2)
Requirement already satisfied: pyrfc3339 in /opt/certbot/lib/python3.6/site-packages (from certbot) (1.1)
Requirement already satisfied: ConfigArgParse>=0.9.3 in /opt/certbot/lib/python3.6/site-packages (from certbot) (1.5.3)
Requirement already satisfied: distro>=1.0.1 in /opt/certbot/lib/python3.6/site-packages (from certbot) (1.8.0)
Requirement already satisfied: pyparsing>=2.2.0 in /opt/certbot/lib/python3.6/site-packages (from certbot-nginx) (3.0.9)
Requirement already satisfied: PyOpenSSL>=17.3.0 in /opt/certbot/lib/python3.6/site-packages (from certbot-nginx) (23.2.0)
Requirement already satisfied: requests>=2.14.2 in /opt/certbot/lib/python3.6/site-packages (from acme>=1.23.0->certbot) (2.27.1)
Requirement already satisfied: requests-toolbelt>=0.3.0 in /opt/certbot/lib/python3.6/site-packages (from acme>=1.23.0->certbot) (1.0.0)
Requirement already satisfied: six in /opt/certbot/lib/python3.6/site-packages (from configobj>=5.0.6->certbot) (1.16.0)
Requirement already satisfied: cffi>=1.12 in /opt/certbot/lib/python3.6/site-packages (from cryptography>=2.5.0->certbot) (1.15.1)
Requirement already satisfied: zope.event in /opt/certbot/lib/python3.6/site-packages (from zope.component->certbot) (4.6)
Requirement already satisfied: zope.hookable>=4.2.0 in /opt/certbot/lib/python3.6/site-packages (from zope.component->certbot) (5.4)
Requirement already satisfied: pycparser in /opt/certbot/lib/python3.6/site-packages (from cffi>=1.12->cryptography>=2.5.0->certbot) (2.21)
Requirement already satisfied: idna<4,>=2.5 in /opt/certbot/lib/python3.6/site-packages (from requests>=2.14.2->acme>=1.23.0->certbot) (3.4)
Requirement already satisfied: certifi>=2017.4.17 in /opt/certbot/lib/python3.6/site-packages (from requests>=2.14.2->acme>=1.23.0->certbot) (2023.5.7)
Requirement already satisfied: charset-normalizer~=2.0.0 in /opt/certbot/lib/python3.6/site-packages (from requests>=2.14.2->acme>=1.23.0->certbot) (2.0.12)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in /opt/certbot/lib/python3.6/site-packages (from requests>=2.14.2->acme>=1.23.0->certbot) (1.26.16)
/opt/certbot/lib64/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
  from cryptography.hazmat.bindings.openssl.binding import Binding
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Python 3.6 support will be dropped in the next release of Certbot - please upgrade your Python version.
Requesting a certificate for [redacted]
An unexpected error occurred:
ValueError: Invalid version. The only valid version for X509Req is 0.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The error appears to be: ValueError: Invalid version. The only valid version for X509Req is 0.
I don’t really know what to do about it, I’ve never seen it before.

Currently I’m migrating Passbolt from one CentOS7 instance to a new one, but the installation process so far is unchanged, I’m supposed to migrate my data after installation, however auto ssl seems to be giving me a bit of trouble.

Appreciate any help. Thanks.

Hi @zqga Welcome to the forum!

Can you find more info in /var/log/letsencrypt/letsencrypt.log?

The error is a reference to x509 version values. /docs/man3.0/man3/X509_REQ_set_version.html

Hey garret, thanks for answering!

Yeah I can find a bit more info in the logs, thanks for that.

2023-06-09 11:35:15,572:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
2023-06-09 11:35:15,575:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib64/python3.6/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib64/python3.6/site-packages/certbot/_internal/main.py", line 1683, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib64/python3.6/site-packages/certbot/_internal/main.py", line 1538, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/lib64/python3.6/site-packages/certbot/_internal/main.py", line 139, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib64/python3.6/site-packages/certbot/_internal/client.py", line 513, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib64/python3.6/site-packages/certbot/_internal/client.py", line 439, in obtain_certificate
    self.config.must_staple, self.config.strict_permissions)
  File "/opt/certbot/lib64/python3.6/site-packages/certbot/crypto_util.py", line 155, in generate_csr
    privkey.pem, names, must_staple=must_staple)
  File "/opt/certbot/lib64/python3.6/site-packages/acme/crypto_util.py", line 252, in make_csr
    csr.set_version(2)
  File "/opt/certbot/lib64/python3.6/site-packages/OpenSSL/crypto.py", line 1017, in set_version
    "Invalid version. The only valid version for X509Req is 0."
ValueError: Invalid version. The only valid version for X509Req is 0.
2023-06-09 11:35:15,579:ERROR:certbot._internal.log:An unexpected error occurred:
2023-06-09 11:35:15,579:ERROR:certbot._internal.log:ValueError: Invalid version. The only valid version for X509Req is 0.

However, I still don’t get how I can intercede in that. Is Passbolt “misconfiguring” certbot? Is certbot misconfiguring itself? csr.set_version(2) but the only valid version for X509Req is 0. I get the error, don’t clearly see a path towards finding a solution. Should I reinstall Passbolt from another repository?
Should I reinstall Passbolt in another OS? Will the migration files still work?

I’d appreciate any guidance though I can see from what I’m googling it’s not a simple or common issue.

Thanks!
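
The traceback above shows acme's make_csr calling csr.set_version(2) and pyOpenSSL refusing it. As an added illustration (not part of the thread, and not certbot or Passbolt code), the Python below reads the version field directly from a DER-encoded PKCS#10 CSR; RFC 2986 defines only v1(0) for that field, which is the rule the ValueError enforces. The sample CSRs are constructed skeletons and every function name is hypothetical.

```python
import base64
import re

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(pem):
    """Strip the PEM armor from a CSR (either BEGIN label) and decode it."""
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no CSR PEM block found")
    return base64.b64decode("".join(m.group(1).split()))

def csr_version(der):
    """Return CertificationRequestInfo.version from a DER-encoded PKCS#10 CSR."""
    body = der
    for name in ("CertificationRequest", "CertificationRequestInfo"):
        tag, body, _ = read_tlv(body)     # each is a SEQUENCE (tag 0x30)
        if tag != 0x30:
            raise ValueError(name + " is not a SEQUENCE")
    tag, raw, _ = read_tlv(body)          # version is the first field: INTEGER
    if tag != 0x02 or not raw:
        raise ValueError("version INTEGER missing")
    return int.from_bytes(raw, "big", signed=True)

def tlv(tag, body):
    """Sample-building helper: short-form DER only (body under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def sample_csr(version):
    """Constructed skeleton, not a signed CSR: real version field, then padding."""
    info = tlv(0x02, bytes([version])) + tlv(0x30, b"") + tlv(0x04, bytes(16))
    return tlv(0x30, tlv(0x30, info))
```

For a CSR file on disk, pass the result of `pem_to_der` on its contents to `csr_version`; a return value other than 0 means the request carries a version RFC 2986 does not define.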

This is the first time I’ve seen the error. It seems to be a certbot issue vs passbolt.

I think python3.8 is available for CentOS 7. Maybe new versions have addressed this.

The installation process is going to check what is installed so maybe update and then re-run the installation.

Possibly someone else knows more about this.

It’s a good catch, I updated everything and it still fails, same error, close but no cigar.

I will try installing Passbolt on a Debian Droplet instead of a CentOS7 one and migrate from the original CentOS7 server to the Debian one. Will update this post after, even though it’s not a direct solution, it may be a pragmatic one.

Alright, so, again, not a direct solution to the SSL issue but a pragmatic one for anyone who finds themselves in my position.

I had a compromised instance A, and wanted to migrate Passbolt to an instance B. In this case, my instances are Digital Ocean droplets.

  1. I backed up Passbolt using this guide from instance A which had CentOS 7.
  2. I created a new instance B but, given CentOS 7 was giving me trouble, I opted for Debian 11, hopefully OS choice isn’t a big issue for you reading this. Only CentOS was giving me this error.
  3. Then I followed the Debian migration guide which has a minor error on Step 5. Import the server key (uses “ instead of " on the command).
  4. SSL gave me trouble again, but this time it was a common error, one of the Let’s Encrypt challenges failed, I had to remove Cloudflare from my domain (just the proxy) and point my records to the new instance’s IP address, then run installation again. Maybe, who knows, this was also producing the error in CentOS, however the errors given were different and much clearer in Debian’s case.
  5. That’s it, new Passbolt up and running.

Thanks for your help @garrett, I hope you have a great day.

Cheers.

I’m having the same issue - only setting up with AlmaLinux version 8.8, minimal.

On previous attempts to install Passbolt, I’ve installed Python 3.9, then after starting the Database install, had to go back and remove Python 3.6 as it was still seeing it as a primary version.
However, on doing so - I have had nothing but trouble with PGP, signing in a second or third time as the admin user causes the system to go very slow (despite having 8GB ram and 4 cores), a reboot fixes this - however, from that point - no-one can log in - and a previously saved PGP key is no longer valid.
So, it’s, start again. And again, and again - each with different scenarios - yet the python version remains at 3.9. Which just doesn’t work.

My question is this, upon removal of Python 3.6, and upgrading to 3.9 - in order for the installer to continue - this is obviously breaking things. When could we expect a fix?
I could, as ZQGA has said go ahead and install Debian, but I’d prefer to keep all the OS the same. If possible.