# [SOLVED] LetsEncrypt (certbot) Segfault

## dacr

Hi,

I installed certbot on two similar servers.

ServerA is working fine, but ServerB is not OK.

```
# equery list python
 * Searching for python ...
[IP-] [  ] dev-lang/python-2.7.10-r1:2.7

# equery list certbot
 * Searching for certbot ...
[IP-] [  ] app-crypt/certbot-0.6.0:0
```

If I run certbot, I get a segfault:

```
...
setsockopt(4, SOL_TCP, TCP_NODELAY, [1], 4) = 0
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("104.103.97.15")}, 16) = 0
gettimeofday({1466015284, 800180}, NULL) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2405, ...}) = 0
fstat(12, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
read(12, "\2334\234r\264V; Q\255ned\324\347'", 16) = 16
fstat(12, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
read(12, "\273pj\303\216\226\36\377\374\34\256\215\7Z\260\344", 16) = 16
fstat(12, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
read(12, "\233\360\221\34vW\303,\227\337\310\214\245yT\372", 16) = 16
open("/proc/self/status", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x6d666c076000
read(5, "Name:\tcertbot\nState:\tR (running)"..., 1024) = 768
close(5) = 0
munmap(0x6d666c076000, 4096) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} ---
+++ killed by SIGSEGV +++
segmentation fault
```

(The result is the same with webroot, standalone, manual; I tried installing from git, and the result is the same.)

```
# revdep-rebuild
 * Configuring search environment for revdep-rebuild
 * Checking reverse dependencies
 * Packages containing binaries and libraries broken by a package update
 * will be emerged.
 * Collecting system binaries and libraries
 * Generated new 1_files.rr
 * Collecting complete LD_LIBRARY_PATH
 * Generated new 2_ldpath.rr
 * Checking dynamic linking consistency
[ 100% ]
 * Dynamic linking on your system is consistent... All done.
```

Google did not help.

Does anyone have ideas?

Thank you!

edit:

```
Jun 15 23:25:34 serverB kernel: grsec: From xxx.xxx.xxx.xxx: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python2.7/certbot[certbot:9533] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9527] uid/euid:0/0 gid/egid:0/0
Jun 15 23:25:35 serverB kernel: grsec: From xxx.xxx.xxx.xxx: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python2.7/certbot[certbot:9533] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9527] uid/euid:0/0 gid/egid:0/0
Jun 15 23:25:35 serverB kernel: certbot[9533]: segfault at 0 ip 0000721f2a022245 sp 000074b40eab3dd0 error 6 in libffi.so.6.0.1[721f2a01c000+8000]
Jun 15 23:25:35 serverA kernel: grsec: From xxx.xxx.xxx.xxx: Segmentation fault occurred at            (nil) in /usr/lib64/python-exec/python2.7/certbot[certbot:9533] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9527] uid/euid:0/0 gid/egid:0/0
Jun 15 23:25:35 serverB kernel: grsec: From xxx.xxx.xxx.xxx: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/python-exec/python2.7/certbot[certbot:9533] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9527] uid/euid:0/0 gid/egid:0/0
```

Last edited by dacr on Thu Jun 16, 2016 4:51 pm; edited 1 time in total

----------

## Syl20

*dacr wrote:*

> ServerA is working fine, but ServerB is not OK.

Are both using the same Grsecurity parameters (particularly the PaX ones)? You can allow memory mapping to certbot by running:

```
# paxctl-ng -m /usr/lib64/python-exec/python2.7/certbot
```

----------

## dacr

This solution does not work because certbot is not an ELF executable.

I found a great client and I use it now:

https://github.com/Neilpang/acme.sh

Problem solved, thank you for your time. :)

----------
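An added example, not part of the thread or of any project mentioned in it: a small Python triage helper for the grsecurity log lines in the first post. It pairs each `denied RWX mmap` event with the segfault the kernel logged for the same PID, and classifies the denied path as ELF or script, which is the distinction the last post raises about `paxctl-ng`. The three log lines are copied from the thread; the function names are hypothetical.

```python
import re

# Three lines copied from the kernel log quoted in the first post.
SAMPLE_LOG = """\
Jun 15 23:25:34 serverB kernel: grsec: From xxx.xxx.xxx.xxx: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python2.7/certbot[certbot:9533] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9527] uid/euid:0/0 gid/egid:0/0
Jun 15 23:25:35 serverB kernel: grsec: From xxx.xxx.xxx.xxx: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python2.7/certbot[certbot:9533] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9527] uid/euid:0/0 gid/egid:0/0
Jun 15 23:25:35 serverB kernel: certbot[9533]: segfault at 0 ip 0000721f2a022245 sp 000074b40eab3dd0 error 6 in libffi.so.6.0.1[721f2a01c000+8000]
"""

# grsec denial: "... denied RWX mmap of <what> by <path>[<comm>:<pid>] ..."
DENIED = re.compile(r"grsec: .*?denied RWX mmap of (?:<[^>]+>|\S+) "
                    r"by (?P<path>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]")
# Generic kernel segfault line: "<comm>[<pid>]: segfault at ... in <lib>[...]"
SEGV = re.compile(r"kernel: [^\[\s]+\[(?P<pid>\d+)\]: segfault at [0-9a-f]+ "
                  r".* in (?P<lib>[^\[\s]+)\[")

def correlate(log_text):
    """Return {pid: record} for every process that was denied an RWX mapping."""
    events = {}
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            rec = events.setdefault(int(m["pid"]), {
                "path": m["path"], "comm": m["comm"],
                "denials": 0, "crashed_in": None})
            rec["denials"] += 1
            continue
        m = SEGV.search(line)
        if m and int(m["pid"]) in events:
            # Same PID crashed after the denial: record the faulting library.
            events[int(m["pid"])]["crashed_in"] = m["lib"]
    return events

def file_kind(path):
    """Classify a file as ('elf'|'script'|'other'|'missing', interpreter)."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(256)
    except OSError:
        return ("missing", None)
    if head.startswith(b"\x7fELF"):
        return ("elf", None)
    if head.startswith(b"#!"):
        words = head[2:].split(b"\n", 1)[0].decode(errors="replace").split()
        return ("script", words[0] if words else None)
    return ("other", None)

if __name__ == "__main__":
    for pid, rec in correlate(SAMPLE_LOG).items():
        print(pid, rec, file_kind(rec["path"]))
```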

