Welcome to Bandhosting.nl,
hosting and web development.

grsec issue after certbot-auto install

With the recent deprecation of the ACMEv1 protocol I was forced to switch from the default certbot package in Debian Jessie (yeah yeah, still need to upgrade) to the certbot-auto package.

Unfortunately I ran into an issue with the grsec setup I'm running on this server.

The following error was visible when trying to request a certificate:

2020-01-11 14:08:05,286:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 14, in main
    return internal_main.main(cli_args)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1350, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1221, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 607, in _init_le_client
    acc, acme = _determine_account(config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 523, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 175, in register
    acme = acme_from_config_key(config, key)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 45, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 827, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 1158, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 1107, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 839, in _validate_conn
    conn.connect()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/urllib3/connection.py", line 332, in connect
    cert_reqs=resolve_cert_reqs(self.cert_reqs),
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/urllib3/util/ssl_.py", line 281, in create_urllib3_context
    context.verify_mode = cert_reqs
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 415, in verify_mode
    _verify_callback
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1103, in set_verify
    self._verify_helper = _VerifyHelper(callback)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 333, in __init__
    "int (*)(int, X509_STORE_CTX *)", wrapper)
MemoryError: Cannot allocate write+execute memory for ffi.callback(). You might be running on a system that prevents this. For more information, see https://cffi.readthedocs.io/en/latest/using.html#callbacks
2020-01-11 14:08:05,288:ERROR:certbot._internal.log:An unexpected error occurred:

The key part of the error being:

MemoryError: Cannot allocate write+execute memory for ffi.callback(). You might be running on a system that prevents this. For more information, see https://cffi.readthedocs.io/en/latest/using.html#callbacks

This meant that PaX (part of grsec) was refusing the allocation: cffi builds its callback trampolines in memory that is writable and executable at the same time, and PaX MPROTECT denies such RWX anonymous mappings. The kernel log confirmed it:

Jan 11 14:05:57 web1 kernel: [492685.954600] grsec: From 212.238.236.81: denied RWX mmap of <anonymous mapping> by /opt/eff.org/certbot/venv/bin/letsencrypt[letsencrypt:8859] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/certbot-auto[certbot-auto:8836] uid/euid:0/0 gid/egid:0/0

Luckily this was an easy fix with paxctld. Add the two lines below to /etc/paxctld.conf (in that file a lowercase flag disables a PaX feature and an uppercase flag enables one: m disables MPROTECT for the certbot-auto wrapper, E enables EMUTRAMP for the venv's python interpreter, which is the binary that actually makes the mapping) and restart paxctld; after that the certificate request works:

/usr/local/bin/certbot-auto    m
/opt/eff.org/certbot/venv/bin/python    E
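To find out which executable needs a paxctld exception on a host with more than one such denial, the kernel message can be parsed instead of read by eye. The script below is an added example, not code from the post or from grsecurity/paxctld: it extracts the denied executable and its parent from "denied RWX mmap" lines, resolves a script to the interpreter named in its shebang (the assumption being that the post's /opt/eff.org/certbot/venv/bin/python line is exactly that interpreter for the venv's letsencrypt script), and prints a paxctld.conf line with the E flag for it, as the post does. The log line is constructed, modelled on the one above. The show_pax_flags helper assumes paxctld records flags in the user.pax.flags extended attribute.

```shell
#!/bin/sh
# Added example (not from the original post): turn grsec "denied RWX mmap"
# kernel messages into paxctld.conf suggestions.

# Constructed sample log line, same shape as the kernel message in the post.
SAMPLE_LOG='Jan 11 14:05:57 web1 kernel: [492685.954600] grsec: From 212.238.236.81: denied RWX mmap of <anonymous mapping> by /opt/eff.org/certbot/venv/bin/letsencrypt[letsencrypt:8859] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/certbot-auto[certbot-auto:8836] uid/euid:0/0 gid/egid:0/0'

# rwx_denials: read log lines on stdin and print "<denied exe> <parent exe>"
# for every PaX RWX-mapping denial; all other lines are dropped.
rwx_denials() {
  sed -n 's/.*denied RWX mmap of .* by \([^[]*\)\[[^]]*\].* parent \([^[]*\)\[.*/\1 \2/p'
}

# interpreter_of: if the file is a script with a "#!" line, print the
# interpreter it names, otherwise print the path itself. PaX flags are
# looked up on the ELF binary that gets exec'd, so for a venv script that
# is the python interpreter, not the script (assumption, see lead-in).
interpreter_of() {
  f=$1
  if [ -r "$f" ] && read -r first < "$f" 2>/dev/null; then
    case $first in
      '#!'*)
        printf '%s\n' "$first" | sed 's/^#![[:space:]]*//; s/[[:space:]].*$//'
        return
        ;;
    esac
  fi
  printf '%s\n' "$f"
}

# suggest_paxctld_lines: for each denial on stdin, print a paxctld.conf line
# enabling EMUTRAMP (E) on the executable that attempted the mapping. E is
# narrower than disabling MPROTECT (m): it only emulates known trampolines
# instead of allowing arbitrary RWX memory.
suggest_paxctld_lines() {
  rwx_denials | while read -r exe parent; do
    printf '%s    E\n' "$(interpreter_of "$exe")"
  done | sort -u
}

# show_pax_flags: verify the flags were applied after restarting paxctld.
# Assumption: paxctld stores them in the user.pax.flags xattr.
show_pax_flags() {
  getfattr -n user.pax.flags --only-values "$1" 2>/dev/null \
    || echo "no user.pax.flags xattr on $1"
}

# Typical use on a live host: journalctl -k | suggest_paxctld_lines
printf '%s\n' "$SAMPLE_LOG" | suggest_paxctld_lines
```

On a host where the venv exists the output is the python line from the post; elsewhere the script path itself is printed, since the shebang cannot be read. Only the denied executable gets a line; the m flag the post sets on certbot-auto is a separate, broader choice the script does not make for you.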