The following appears to have corrected the problem despite the new error about acme.
Original Message:
Sent: Wed July 16, 2025 02:54 PM
From: Mike Peterson
Subject: TLS Certificate renewal automation on AIX 7.2
Thanks again for the quick replies. I tried again with a clean /tmp/certbot directory. The pip3 josepy package appears to be 2.1.0 but I still get failures. AIX here is 7200-05-07 but I've gotten the same result on 7300-03-00. The lpp openssl package is 3.0.13.1000.
# rpm -qa | grep python
python-pycurl-7.43.0.5-1.ppc
python-urlgrabber-3.10.1-1.noarch
rpm-python3.9-4.15.1-32_2.ppc
python3.9-pyyaml-5.4.1.1-2.ppc
python3.9-libcomps-0.1.15-101.ppc
python3.9-hawkey-0.39.1-32_52.ppc
python3-hawkey-0.39.1-32_52.ppc
python3-gpg-1.13.1-101.ppc
python3.9-librepo-1.11.0-103.ppc
python3.9-pycparser-2.19-2.noarch
python3-3.9.22-1.ppc
python3.9-cryptography-44.0.2-1.ppc
python3-dnf-4.2.17-32_53.ppc
python-2.7.18-4.ppc
python-tools-2.7.18-4.ppc
python-iniparse-0.4-1.noarch
python-devel-2.7.18-4.ppc
python3.9-gpg-1.13.1-101.ppc
rpm-python3-4.15.1-32_2.ppc
python3.9-libdnf-0.39.1-32_52.ppc
python3-libdnf-0.39.1-32_52.ppc
python3-libcomps-0.1.15-101.ppc
python3-pyyaml-5.4.1.1-2.ppc
python3-librepo-1.11.0-103.ppc
python3.9-six-1.13.0-2.noarch
python3.9-cffi-1.13.2-2.ppc
python3.9-3.9.22-1.ppc
python3.9-dnf-4.2.17-32_53.ppc
python3-cryptography-44.0.2-1.ppc
# /opt/freeware/bin/python3 -mvenv /tmp/certbot --system-site-packages
# bash
bash-5.2# source /tmp/certbot/bin/activate
(certbot) bash-5.2# pip3 install pyopenssl==17.5.0
Collecting pyopenssl==17.5.0
Using cached pyOpenSSL-17.5.0-py2.py3-none-any.whl (53 kB)
Requirement already satisfied: six>=1.5.2 in /opt/freeware/lib/python3.9/site-packages (from pyopenssl==17.5.0) (1.13.0)
Requirement already satisfied: cryptography>=2.1.4 in /opt/freeware/lib64/python3.9/site-packages (from pyopenssl==17.5.0) (44.0.2)
Requirement already satisfied: cffi>=1.12 in /opt/freeware/lib64/python3.9/site-packages (from cryptography>=2.1.4->pyopenssl==17.5.0) (1.13.2)
Requirement already satisfied: pycparser in /opt/freeware/lib/python3.9/site-packages (from cffi>=1.12->cryptography>=2.1.4->pyopenssl==17.5.0) (2.19)
Installing collected packages: pyopenssl
Successfully installed pyopenssl-17.5.0
[notice] A new release of pip is available: 23.0.1 -> 25.1.1
[notice] To update, run: pip install --upgrade pip
(certbot) bash-5.2# pip3 install certbot==2.10.0
Collecting certbot==2.10.0
Using cached certbot-2.10.0-py3-none-any.whl (406 kB)
Requirement already satisfied: setuptools>=41.6.0 in /tmp/certbot/lib/python3.9/site-packages (from certbot==2.10.0) (58.1.0)
Requirement already satisfied: cryptography>=3.2.1 in /opt/freeware/lib64/python3.9/site-packages (from certbot==2.10.0) (44.0.2)
Collecting configobj>=5.0.6
Using cached configobj-5.0.9-py2.py3-none-any.whl (35 kB)
Collecting acme>=2.10.0
Using cached acme-4.1.1-py3-none-any.whl (101 kB)
Collecting distro>=1.0.1
Using cached distro-1.9.0-py3-none-any.whl (20 kB)
Collecting importlib-metadata>=4.6
Using cached importlib_metadata-8.7.0-py3-none-any.whl (27 kB)
Collecting josepy>=1.13.0
Using cached josepy-2.1.0-py3-none-any.whl (29 kB)
Collecting parsedatetime>=2.4
Using cached parsedatetime-2.6-py3-none-any.whl (42 kB)
Collecting pyrfc3339
Using cached pyRFC3339-2.0.1-py3-none-any.whl (5.8 kB)
Collecting ConfigArgParse>=1.5.3
Using cached configargparse-1.7.1-py3-none-any.whl (25 kB)
Collecting pytz>=2019.3
Using cached pytz-2025.2-py2.py3-none-any.whl (509 kB)
Collecting PyOpenSSL>=25.0.0
Downloading pyopenssl-25.1.0-py3-none-any.whl (56 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 56.8/56.8 kB 917.3 kB/s eta 0:00:00
Collecting requests>=2.20.0
Downloading requests-2.32.4-py3-none-any.whl (64 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 64.8/64.8 kB 2.6 MB/s eta 0:00:00
Requirement already satisfied: cffi>=1.12 in /opt/freeware/lib64/python3.9/site-packages (from cryptography>=3.2.1->certbot==2.10.0) (1.13.2)
Collecting zipp>=3.20
Downloading zipp-3.23.0-py3-none-any.whl (10 kB)
Requirement already satisfied: pycparser in /opt/freeware/lib/python3.9/site-packages (from cffi>=1.12->cryptography>=3.2.1->certbot==2.10.0) (2.19)
Collecting typing-extensions>=4.9
Using cached typing_extensions-4.14.1-py3-none-any.whl (43 kB)
Collecting urllib3<3,>=1.21.1
Downloading urllib3-2.5.0-py3-none-any.whl (129 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 129.8/129.8 kB 3.4 MB/s eta 0:00:00
Collecting charset_normalizer<4,>=2
Downloading charset_normalizer-3.4.2-py3-none-any.whl (52 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 52.6/52.6 kB 2.3 MB/s eta 0:00:00
Collecting idna<4,>=2.5
Using cached idna-3.10-py3-none-any.whl (70 kB)
Collecting certifi>=2017.4.17
Using cached certifi-2025.7.14-py3-none-any.whl (162 kB)
Installing collected packages: pytz, pyrfc3339, parsedatetime, zipp, urllib3, typing-extensions, idna, distro, configobj, ConfigArgParse, charset_normalizer, certifi, requests, importlib-metadata, PyOpenSSL, josepy, acme, certbot
Attempting uninstall: PyOpenSSL
Found existing installation: pyOpenSSL 17.5.0
Uninstalling pyOpenSSL-17.5.0:
Successfully uninstalled pyOpenSSL-17.5.0
Successfully installed ConfigArgParse-1.7.1 PyOpenSSL-25.1.0 acme-4.1.1 certbot-2.10.0 certifi-2025.7.14 charset_normalizer-3.4.2 configobj-5.0.9 distro-1.9.0 idna-3.10 importlib-metadata-8.7.0 josepy-2.1.0 parsedatetime-2.6 pyrfc3339-2.0.1 pytz-2025.2 requests-2.32.4 typing-extensions-4.14.1 urllib3-2.5.0 zipp-3.23.0
[notice] A new release of pip is available: 23.0.1 -> 25.1.1
[notice] To update, run: pip install --upgrade pip
(certbot) bash-5.2# ls -l /tmp/certbot/bin/certbot
-rwxr-xr-x 1 root system 219 Jul 16 13:36 /tmp/certbot/bin/certbot
(certbot) bash-5.2# /tmp/certbot/bin/certbot --version
Traceback (most recent call last):
File "/tmp/certbot/bin/certbot", line 5, in <module>
from certbot.main import main
File "/tmp/certbot/lib64/python3.9/site-packages/certbot/main.py", line 6, in <module>
from certbot._internal import main as internal_main
File "/tmp/certbot/lib64/python3.9/site-packages/certbot/_internal/main.py", line 29, in <module>
from certbot import crypto_util
File "/tmp/certbot/lib64/python3.9/site-packages/certbot/crypto_util.py", line 485, in <module>
def dump_pyopenssl_chain(chain: Union[List[crypto.X509], List[josepy.ComparableX509]],
AttributeError: module 'josepy' has no attribute 'ComparableX509'
(certbot) bash-5.2# ls -ld /tmp/certbot/lib/python3.9/site-packages/josepy*
drwxr-xr-x 3 root system 4096 Jul 16 13:36 /tmp/certbot/lib/python3.9/site-packages/josepy
drwxr-xr-x 2 root system 256 Jul 16 13:36 /tmp/certbot/lib/python3.9/site-packages/josepy-2.1.0.dist-info
------------------------------
Mike AIX
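An added example, not part of the thread and not certbot's or pip's own tooling: the pip output in the message above shows that pinning only `certbot==2.10.0` left `acme>=2.10.0` and `josepy>=1.13.0` without an upper bound, so pip resolved them to 4.1.1 and 2.1.0 and replaced the pinned pyOpenSSL 17.5.0. The script below audits a pip install log for both conditions; the function names are hypothetical and the sample log is excerpted from that message.

```python
import re

# Sample input: lines excerpted from the pip output quoted in the message above.
PIP_LOG = """\
Collecting certbot==2.10.0
  Using cached certbot-2.10.0-py3-none-any.whl (406 kB)
Collecting configobj>=5.0.6
  Using cached configobj-5.0.9-py2.py3-none-any.whl (35 kB)
Collecting acme>=2.10.0
  Using cached acme-4.1.1-py3-none-any.whl (101 kB)
Collecting josepy>=1.13.0
  Using cached josepy-2.1.0-py3-none-any.whl (29 kB)
Collecting PyOpenSSL>=25.0.0
  Downloading pyopenssl-25.1.0-py3-none-any.whl (56 kB)
Attempting uninstall: PyOpenSSL
  Found existing installation: pyOpenSSL 17.5.0
"""

COLLECT = re.compile(r"^\s*Collecting\s+([A-Za-z0-9_.-]+)(.*)$")
WHEEL = re.compile(r"^\s*(?:Using cached|Downloading)\s+([A-Za-z0-9_.]+)-(\d[\w.]*?)-")
FOUND = re.compile(r"^\s*Found existing installation:\s+(\S+)\s+(\S+)")

def norm(name):
    """Normalise a project name so PyOpenSSL, pyOpenSSL and pyopenssl compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def major(version):
    return int(version.split(".")[0])

def audit(log):
    """Return (drifted, replaced) findings from pip install output."""
    specs, resolved, replaced = {}, {}, {}
    for line in log.splitlines():
        if m := COLLECT.match(line):
            specs[norm(m.group(1))] = m.group(2).strip()
        elif m := WHEEL.match(line):
            resolved[norm(m.group(1))] = m.group(2)
        elif m := FOUND.match(line):
            replaced[norm(m.group(1))] = m.group(2)
    drifted = {}
    for name, spec in specs.items():
        low = re.search(r">=\s*(\d[\w.]*)", spec)
        # Lower bound only, no cap: the resolver may pick any later major version.
        if low and "<" not in spec and name in resolved:
            if major(resolved[name]) > major(low.group(1)):
                drifted[name] = (spec, resolved[name])
    # Packages that were already installed (e.g. an earlier pin) and got swapped out.
    replaced = {n: (old, resolved.get(n)) for n, old in replaced.items()}
    return drifted, replaced
```

Running `audit` on a saved copy of the full install log before first use of the environment surfaces the same drift without waiting for the import-time traceback.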
Original Message:
Sent: Wed July 16, 2025 02:16 PM
From: Andrey Klyachkin
Subject: TLS Certificate renewal automation on AIX 7.2
Hi Mike,
I just checked on one of my servers.
Python 3.11 will not work unfortunately. There is no python3.11-cryptography package and it is required for certbot.
The latest version of certbot installs on Python 3.9 without any real problem. I executed exactly the commands I wrote above and everything worked like a charm.
I've got some stupid warning, but certbot is there.
Your error message (with certbot on Python 3.9) says that you have some problem with the josepy package. Check with pip3 list inside the virtual environment which version of the package you have. As for me, it is josepy 2.1.0.
Looking at your first error from yesterday, it looks like you forgot to install the cryptography package. This is the only place where the Rust compiler is required.
------------------------------
Andrey Klyachkin
https://www.power-devops.com
Original Message:
Sent: Wed July 16, 2025 01:23 PM
From: Mike Peterson
Subject: TLS Certificate renewal automation on AIX 7.2
Sorry, I simply missed the python3.11 packages. Trying that, I don't get as far:
# rm -rf /tmp/certbot
# rpm -qa | grep python3.11
python3.11-3.11.9-1.ppc
python3.11-pip-23.3.1-1.noarch
# /usr/opt/python3/bin/python3.11 -mvenv /tmp/certbot --system-site-packages
Error: Command '['/tmp/certbot/bin/python3.11', '-m', 'ensurepip', '--upgrade', '--default-pip']' returned non-zero exit status 1.
------------------------------
Mike AIX
Original Message:
Sent: Wed July 16, 2025 01:14 PM
From: Mike Peterson
Subject: TLS Certificate renewal automation on AIX 7.2
Thanks for the quick reply Andrey.
I'd prefer to use the newer version of certbot if that is an option. I'm happy to follow some other documentation or steps if you have them.
Considering the first option you provided, I don't see a python 3.11 available via the aixtoolbox. Following the other option, I updated to the latest RPMs available from IBM and started over with the direction you provided above (I first deleted the '/path/to/certbot/' directory), including the change to set certbot=2.10.0. All the commands seemed to execute fine, but running certbot --version gave the following errors:
(certbot) bash-5.2# /tmp/certbot/bin/certbot --version
Traceback (most recent call last):
File "/tmp/certbot/bin/certbot", line 5, in <module>
from certbot.main import main
File "/tmp/certbot/lib64/python3.9/site-packages/certbot/main.py", line 6, in <module>
from certbot._internal import main as internal_main
File "/tmp/certbot/lib64/python3.9/site-packages/certbot/_internal/main.py", line 29, in <module>
from certbot import crypto_util
File "/tmp/certbot/lib64/python3.9/site-packages/certbot/crypto_util.py", line 485, in <module>
def dump_pyopenssl_chain(chain: Union[List[crypto.X509], List[josepy.ComparableX509]],
AttributeError: module 'josepy' has no attribute 'ComparableX509'
------------------------------
Mike AIX
Original Message:
Sent: Tue July 15, 2025 04:41 PM
From: Andrey Klyachkin
Subject: TLS Certificate renewal automation on AIX 7.2
Hi Mike,
The post was written one year ago and the actual version of certbot was 2.10.0.
One year later the actual version of certbot is 4.1.1. Even if the documentation says that the minimum supported Python version is 3.9.2, I don't think it is actual.
You can try either to use a newer Python 3.11 or to use an older certbot, like pip3 install certbot==2.10.0
------------------------------
Andrey Klyachkin
https://www.power-devops.com
Original Message:
Sent: Tue July 15, 2025 03:49 PM
From: Mike Peterson
Subject: TLS Certificate renewal automation on AIX 7.2
Andrey, Thanks for the directions. I gave this a try and hit a snag running the "pip3 install certbot" step. I tried on both 7.2 and 7.3 running against a repo that was updated on 2024-05-20.
The pip3 command fails with the following error. Any suggestions?
× Preparing metadata (pyproject.toml) did not run successfully.
│ exit code: 1
╰─> [3 lines of output]
Python reports SOABI: cpython-39
Unsupported platform: 39
Rust not found, installing into a temporary directory
[end of output]
note: This error originates from a subprocess, and is likely not a problem with pip.
error: metadata-generation-failed
------------------------------
Mike AIX
Original Message:
Sent: Tue May 14, 2024 06:58 AM
From: Andrey Klyachkin
Subject: TLS Certificate renewal automation on AIX 7.2
Hi Robert,
Install python3.9 and python3-cryptography packages on your AIX box:
dnf -y install python3-cryptography
Create a virtual environment for certbot and copy system packages into it:
/opt/freeware/bin/python3 -mvenv /path/to/certbot --system-site-packages
Start bash and activate the environment:
ksh# bash
bash$ source /path/to/certbot/bin/activate
Install pyOpenSSL 17.5.0:
pip3 install pyopenssl==17.5.0
Install certbot:
pip3 install certbot
Now you can use certbot without activating the python environment:
# /path/to/certbot/bin/certbot --version
certbot 2.10.0
# /path/to/certbot/bin/certbot --help
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
I hope it helps.
------------------------------
Andrey Klyachkin
https://www.power-devops.com
Original Message:
Sent: Mon May 13, 2024 04:11 PM
From: Robert Johnson
Subject: TLS Certificate renewal automation on AIX 7.2
Hi Everyone,
We are trying to prepare for the eventual 90 certificate renewal mandate that is coming and wanted to see what others are doing to automate their TLS/SSL certificates on AIX. Our Linux servers can leverage Certbot, but that doesn't look pleasant to compile on AIX (or is it?). I see that acme.sh might be a possibility and maybe even just using pure bash or python since our CA has an API we can use.
What do you all use/recommend for doing automated certificate renewals? Anyone out there with some lessons learned from doing this?
Many thanks for any input!
-Robert
------------------------------
Robert Johnson
------------------------------