certbot has a python problem on centos 7

[jhoblitt]

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 6.7.0
• Ruby: bundled
• Distribution: centos 7
• Module version: from git (current master as of now: c16fe95)

How to reproduce (e.g Puppet code you use)

class profile::core::letsencrypt(
  Optional[Hash[String, Hash]] $certonly = undef
) {
  include letsencrypt

  if ($certonly) {
    ensure_resources('letsencrypt::certonly', $certonly)
  }
}

profile::core::letsencrypt::certonly:
  foo:
    domains:
      - "dev.lsst.org"
    plugin: "dns-route53"

What are you seeing

certbot has a broken python env.

What behaviour did you expect instead

Ponies!

Output log

Notice: /Stage[main]/Profile::Core::Letsencrypt/Letsencrypt::Certonly[foo]/Exec[letsencrypt certonly foo]/returns: An unexpected error occurred:
Notice: /Stage[main]/Profile::Core::Letsencrypt/Letsencrypt::Certonly[foo]/Exec[letsencrypt certonly foo]/returns: DistributionNotFound: futures>=2.2.0,<4.0.0
Notice: /Stage[main]/Profile::Core::Letsencrypt/Letsencrypt::Certonly[foo]/Exec[letsencrypt certonly foo]/returns: Please see the logfile '/tmp/tmpmiDrLF/log' for more details.
Error: 'certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a dns-route53 --cert-name 'foo' -d 'dev.lsst.org' --dns-route53-propagation-seconds 10' returned 1 instead of one of [0]
Error: /Stage[main]/Profile::Core::Letsencrypt/Letsencrypt::Certonly[foo]/Exec[letsencrypt certonly foo]/returns: change from 'notrun' to ['0'] failed: 'certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a dns-route53 --cert-name 'foo' -d 'dev.lsst.org' --dns-route53-propagation-seconds 10' returned 1 instead of one of [0]
Notice: Applied catalog in 3.58 seconds
[root@jhoblitt-ps1 conf.d]# cat /tmp/tmpmiDrLF/log
2020-07-28 22:25:56,725:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.6.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1323, in main
    plugins = plugins_disco.PluginsRegistry.find_all()
  File "/usr/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 215, in find_all
    plugin_ep = PluginEntryPoint(entry_point)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 56, in __init__
    self.plugin_cls = entry_point.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2259, in load
    if require: self.require(env, installer)
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2272, in require
    working_set.resolve(self.dist.requires(self.extras),env,installer)))
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 626, in resolve
    raise DistributionNotFound(req)
DistributionNotFound: futures>=2.2.0,<4.0.0
2020-07-28 22:25:56,725:ERROR:certbot._internal.log:An unexpected error occurred:
2020-07-28 22:25:56,725:ERROR:certbot._internal.log:DistributionNotFound: futures>=2.2.0,<4.0.0

[ekohl]

That suggests a packaging bug or possibly a locally installed pypi package where futures doesn't match that version spec. Not sure there's a lot we can do here.

[jhoblitt]

This was on a fresh centos 7 test VM. I agree it could very well be a centos packaging problem. As this mod lists centos 7 in its metadata I thought it possible someone else had run into this. I will try to look into it today.

[jhoblitt]

Installing python2-futures.noarch appears to resolve it. This is probably a metadata issue with certbot-1.6.0-1.el7.noarch but we may want to add an ensure_packages() if this is going to be a persistent issue.

[ekohl]

I'd like to avoid adding workarounds here instead of fixing it upstream.

A trivial reproducer on CentOS 7:

yum -y install epel-release
yum -y install certbot
certbot --help # Note how this works
yum -y install python2-certbot-dns-route53
certbot --help # Not how this fails with DistributionNotFound: futures>=2.2.0,<4.0.0

In particular, this is listed in /usr/lib/python2.7/site-packages/s3transfer-0.1.13-py2.7.egg-info/requires.txt

# rpm -qf /usr/lib/python2.7/site-packages/s3transfer-0.1.13-py2.7.egg-info/requires.txt
python-s3transfer-0.1.13-1.el7.0.1.noarch
# yum info python-s3transfer-0.1.13-1.el7.0.1.noarch
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: mirror.karneval.cz
 * epel: ftp.icm.edu.pl
 * extras: mirror.karneval.cz
 * updates: mirror.karneval.cz
Installed Packages
Name        : python-s3transfer
Arch        : noarch
Version     : 0.1.13
Release     : 1.el7.0.1
Size        : 28 M
Repo        : installed
From repo   : base
Summary     : An Amazon S3 Transfer Manager
URL         : https://github.com/boto/s3transfer
License     : ASL 2.0
Description : S3transfer is a Python library for managing Amazon S3 transfers.

# rpm -q --requires python-s3transfer-0.1.13-1.el7.0.1.noarch
python(abi) = 2.7
python-dateutil >= 1.4
python-docutils >= 0.10
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PartialHardlinkSets) <= 4.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1

A quick look in bugzilla, it appears this is https://bugzilla.redhat.com/show_bug.cgi?id=1834529

[jhoblitt]

@ekohl Nice find! You beat me too it.

[jhoblitt]

Note that the BZ issue has been open for over 2 months already.

[igalic]

soooooooo, how do we get someone who can do something about it to care?

[ekohl]

And by now the BZ has been closed as WONTFIX :(