I wanted to use LetsEncrypt to install a free SSL certificate on a website (call it “mywebsite.com” for this example) that runs on a CentOS 6.7 VM. I downloaded the LetsEncrypt client and ran my command to download a cert that I would configure in Nginx.
letsencrypt-auto certonly --agree-tos --webroot --webroot-path /var/www/html/mywebsite.com -d mywebsite.com
I had done this previously on Ubuntu 14.04 without any problem. On CentOS 6.7, I was greeted by this error:
WARNING: Python 2.6 support is very experimental at present... if you would like to work on improving it, please ensure you have backups and then run this script again with the --debug flag!
It isn’t actually clear what this error means. Did it actually do anything? Is it just informational? Turns out, what it is saying is that the LetsEncrypt client is not compatible with Python 2.6 – it requires Python 2.7 and above. This is a big problem for CentOS 6 as the basic tools of the operating system (‘yum’ for instance) rely on Python 2.6. You will completely bork your system if you replace Python 2.6 with Python 2.7. This applies for RedHat Enterprise Linux (RHEL) 6 as well.
Software Collections! Good luck figuring out what these are from any of the RedHat documentation. Software Collections are actually a way to install multiple versions of software on a CentOS or RHEL server without resorting to compiling from source or Docker containers. What it means for us is that we can install Python 2.7 on this same server and only activate it when running LetsEncrypt. The default Python version on the system will remain 2.6.
To get started, install software collections through yum
yum install centos-release-SCL
Check your version of Python to make sure it remains 2.6.x
[~]# python -V Python 2.6.6
Install Python 2.7 via Software Collections (referred to as SCL from here on)
yum install python27
Check and make sure the default Python version is what you started with
[~]# python -V Python 2.6.6
Now comes the fun stuff. If you look in /opt/rh/python27/root/, you’ll see yum has created a whole system directory structure, complete with /etc, /var, /home, /bin, etc. This is where your simulated system for Python 2.7 lives. Your Python 2.7 configuration files, log files, binary files – these are all within this “fake” directory structure. Python 2.7 lives entirely in here and will not impact anything in the normal system structure.
To activate and use Python 2.7, we need to run the commands through the SCL system like so:
scl enable python27 "/root/letsencrypt/letsencrypt-auto certonly --agree-tos --webroot --webroot-path /var/www/html/mywebsite.com -d mywebsite.com"
The basic syntax of Software Collections is simple
scl <action> [<collection>...] <command>
We need to use quotes in this case to identify the entire letsencrypt client string and configuration flags as part of the single command. To see a full list of what scl can do, use
At this point, the LetsEncrypt client should run just like normal, using Python 2.7. Your certificate will be downloaded and the LetsEncrypt client will exit without error. If you want to do some debugging and have a shell with Python 2.7 as your default Python, try
scl enable python27 bash
In that shell, everything you do will use Python 2.7. Simply type “exit” to jump back to the regular shell and Python 2.6.
Now that we know how to activate Python 2.7, we can automate certificate renewal via a cron job. I put this in /etc/crontab, but it would work fine if put into “crontab -e”
03 3 * * * root scl enable python27 "/root/letsencrypt/letsencrypt-auto certonly --keep-until-expiring --agree-tos --quiet --webroot --webroot-path /var/www/html/mywebsite.com -d mywebsite.com"; service nginx reload
Software Collections are great for solving all sorts of problems, from running multiple versions of PHP on a single server to creating software testing environments.
Hope this helped and you are on your way to enjoying a free SSL certificate!
- Same approach with SCL, but uses a slightly different workflow
- LetsEncrypt issue discussion of Python 2.6 support