APT-GET UPDATE warnings when attempting to install Certbot on Ubuntu 14.04 LTS

Good day
I am attempting to install Certbot on my Ubuntu 14.04LTS server by following the instructions on the Certbot site. After adding the PPA and running APT-GET UPDATE, the below warning messages are displayed:

Reading package lists... Done
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-min
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-min
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-min
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-min
W: You may want to run apt-get update to correct these problems

I’ve Googled high and low and read different opinions re. the above. Some suggest that the warnings may be safely ignored while others are unable to proceed with their package installations as a result. I’m playing it safe while it’s a production server and I’ve decided to ask here first before taking the gung-ho approach.

My Let’s Encrypt certs expire in 15 days and I’m unable to renew them until I have the new Certbot installed. Would greatly appreciate any advice re. the above… how to fix it or if I may safely ignore the warnings.

Thanks a mil,

S

Hi @syfret,

As far as I know, we haven’t encountered this particular problem before. cffi is the C Foreign Function Interface which the Python cryptography library uses to call cryptographic functions in openssl to perform cryptographic operations like digital signing. So, it’s important for Certbot to be able to use it. However, these warnings don’t really make clear whether cffi will work or not work on your system.

If cffi is actually broken as a result, I believe that the worst case is simply that Certbot will stop running with an error message (such as an ImportError) related to being unable to use a library that it needs. It shouldn’t damage your certificates or anything. So I would encourage you to go ahead with the installation and with running certbot renew, and then report back whether you encountered a further error as a result of this packaging problem.

If you do have a problem, you can also try certbot-auto, which is a wrapper script that provides a different means of installing a current version of Certbot, outside of your operating system’s package manager (that is, outside of dpkg/apt in this case).

The certbot-auto method would give you a separate, parallel installation of Certbot and some of its dependencies, which typically would not be the same library versions or have the same packaging problems as those provided by your operating system. Of course, they can potentially turn out to have other packaging problems, but typically not the same ones. :slight_smile:

Hi Seth

Thanks a stack for the info!

Strangely, the CFFI warning only occurs when I add the Certbot PPA and disappears when I remove the Certbot PPA.

I have done as you’ve suggested and downloaded certbot-auto. When I perform a dry run to test the certificate renewal, it crashes with the below error:

ImportError: libssl.so.1.0.2: cannot open shared object file: No such file or directory

The above error is the same error that I’m receiving with our currently installed Let’s Encrypt software and it’s the reason that I was trying to install the Certbot package for Ubuntu 14.04 LTS instead.

We used to have libssl.so.1.0.2 installed on the server up until 2 or 3 weeks ago and all functioned beautifully w.r.t. new certificates and certificate renewals. The libssl.so.1.0.2 library was automatically removed 2 or 3 weeks ago during maintenance when the server removed “unnecessary” packages and libraries.

The server now has the following libssl.so libraries installed:

/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
/usr/lib/x86_64-linux-gnu/libssl.so.1.1

Ubuntu 14.04 LTS uses the updated libssl version 1.1 as the default package maintainers version and, as such, I’m unable to use apt-get to install libssl.so.1.0.2 which is the version that Certbot is calling for.

Any thoughts or suggestions?

Best regards,

S

@SwartzCr, are you still willing to look into packaging and dependency stuff?

Hi @syfret - did you abandon your attempt to install certbot from the PPA or were you not able to complete it?
The PPA should provide the correct version of libssl, if you go through with the installation. The warning about Provides and DepCompareOp is harmless. If you can complete the installation from the PPA, you should be fine.
That said, I’m curious if @bmw has any thoughts on what can be done about certbot-auto specifying a version of libssl that doesn’t exist in ubuntu

@syfret, packages from the PPA should be preferred, but to respond to @SwartzCr’s comment, what is the output of grep -m1 LE_AUTO_VERSION /path/to/certbot-auto?

If there’s no output, I strongly encourage you to run rm -rf ${XDG_DATA_HOME:-~/.local/share}/letsencrypt, download a new version of certbot-auto using the instructions Seth linked above, and try running the script again.

If there is output but it’s not LE_AUTO_VERSION="0.17.0", you should run the script again without --no-self-upgrade and see if you hit the problem.

If there is output, it’s LE_AUTO_VERSION="0.17.0", and the output from certbot-auto --version is certbot 0.17.0, please provide:

  1. The output of ls -d ${XDG_DATA_HOME:-~/.local/share}/letsencrypt/lib/python2.7/site-packages/cryptography*.
  2. The full traceback of the problem which should be available in your logs which are stored at /var/log/letsencrypt by default.
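
The checks in the reply above, written out as a script. This is an added example, not part of the thread and not Certbot's own code; the function names and step labels are hypothetical, and the text printed by `certbot-auto --version` is passed in as an argument rather than obtained by running the script.

```shell
#!/bin/sh
# Added example: triage of certbot-auto copies, following the checks in the reply above.
# Function names and step labels are hypothetical.

EXPECTED_VERSION="0.17.0"   # release named in the thread

# Print the version embedded in a certbot-auto script (empty if none found).
le_auto_version() {
    grep -m1 LE_AUTO_VERSION "$1" 2>/dev/null |
        sed -n 's/^LE_AUTO_VERSION="\([^"]*\)".*$/\1/p'
}

# $1 = script path, $2 = text printed by `certbot-auto --version` (may be empty).
triage() {
    script_version=$(le_auto_version "$1")
    if [ -z "$script_version" ]; then
        echo "remove-venv-and-redownload"
    elif [ "$script_version" != "$EXPECTED_VERSION" ]; then
        echo "rerun-without-no-self-upgrade"
    elif [ "$2" = "certbot $EXPECTED_VERSION" ]; then
        echo "send-cryptography-listing-and-traceback"
    else
        # Script is current but the installed copy reports something else:
        # the reply gives no step for this case.
        echo "not-covered-report-version-output"
    fi
}

# Show each copy with its embedded version so a stale one stands out.
list_copies() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        v=$(le_auto_version "$f")
        printf '%s %s\n' "$f" "${v:-unknown}"
    done
}

# Constructed sample: two script stubs standing in for two copies on one machine.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\nLE_AUTO_VERSION="0.17.0"\n' > "$d/new"
    printf '#!/bin/sh\nLE_AUTO_VERSION="0.16.0"\n' > "$d/old"
    list_copies "$d/new" "$d/old"
    triage "$d/old" ""
    triage "$d/new" "certbot 0.17.0"
    rm -rf "$d"
}
demo
```
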

Hi Noah

Thanks for the info!

I didn’t ever try to complete the Certbot package installation after I added the Certbot PPA and received the CFFI warnings. I instead tried to go the certbot-auto route but that yielded the libssl error.

I’ll give the Certbot package installation via apt-get a try this evening and let you gents know if it has worked despite the warning messages. We’re using the Certbot package on our Ubuntu 16.04 LTS servers and everything functions perfectly on those machines.

Will post feedback here once I’ve proceeded with the Certbot package installation on the 14.04 LTS machine.

Thanks to your team and yourself for all of the help thus far.

Best regards,

S

Hi Brad

Thanks for the information below.

I’ve done as requested. Output below:

blah@wp1:~$ grep -m1 LE_AUTO_VERSION /usr/local/bin/certbot-auto
LE_AUTO_VERSION="0.17.0"

blah@wp1:~$ grep -m1 LE_AUTO_VERSION certbot-auto
LE_AUTO_VERSION="0.16.0"

So evidently there are 2 versions of certbot-auto installed on the machine. Strangely though, even when calling the latest and most recently installed certbot-auto file (/usr/local/bin/certbot-auto), the output is the same:

blah@wp1:~$ sudo /usr/local/bin/certbot-auto renew --dry-run
Error: couldn't get currently installed version for /home/blah/.local/share/letsencrypt/bin/letsencrypt:
Traceback (most recent call last):
  File "/home/blah/.local/share/letsencrypt/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/home/blah/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 9, in <module>
    from acme import jose
  File "/home/blah/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/jose/__init__.py", line 37, in <module>
    from acme.jose.interfaces import JSONDeSerializable
  File "/home/blah/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/jose/interfaces.py", line 9, in <module>
    from acme.jose import util
  File "/home/blah/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/jose/util.py", line 5, in <module>
    import OpenSSL
  File "/home/blah/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/home/blah/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/rand.py", line 12, in <module>
    from OpenSSL._util import (
  File "/home/blah/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/home/blah/.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 13, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: libssl.so.1.0.2: cannot open shared object file: No such file or directory

W.R.T. the installation of the Certbot package on Ubuntu 14.04 LTS, I’ve always installed it in the past, on our 16.04 LTS servers, with the below command:

sudo apt-get install certbot

As per the Certbot installation instructions on the website however, the suggested installation command for Ubuntu 14.04 LTS is:

sudo apt-get install python-certbot-nginx

Do I have to use the latter command to install the Certbot package on Ubuntu 14.04 LTS or may I use the former command as I’ve always done in the past on our 16.04 LTS installations?

We’ve automated the certificate installation and Nginx VHOST creation, etc., so we have no need to use the built-in Certbot functionality for this.

Best regards,

S

Thanks for the info.

Can you confirm the output of certbot-auto --version is certbot 0.17.0 and include the output of ls -d ${XDG_DATA_HOME:-~/.local/share}/letsencrypt/lib/python2.7/site-packages/cryptography*?

> Do I have to use the latter command to install the Certbot package on Ubuntu 14.04 LTS or may I use the former command as I’ve always done in the past on our 16.04 LTS installations?
>
> We’ve automated the certificate installation and Nginx VHOST creation, etc., so we have no need to use the built-in Certbot functionality for this.

If you don’t want to use the Certbot functionality for installing certificates and managing TLS settings for you, then you can just run apt-get install certbot. If you go this route, I’d recommend changing the dropdown on https://certbot.eff.org where you chose “Nginx” to “None of the above” for more accurate instructions.

Hi Brad

I’m extremely pleased to report that I proceeded with the installation of the Certbot package on our Ubuntu 14.04 LTS server and, despite the CFFI warnings, all went swimmingly.

I have run the Certbot renewal command and I’ve verified that all of the certificates were successfully renewed.

A massive thanks to Seth, Noah and yourself for all of the assistance in helping us to get everything working!! It’s greatly appreciated.

Best regards,

S

Same error messages here. Official Ubuntu 14.04 on Azure.
apt-get update works well before adding the certbot ppa, and breaks afterwards with:

W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-min
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-min
W: You may want to run apt-get update to correct these problems

Which is a loop since it is the result of apt-get update

Linux linnovate-base-ubuntu-14 4.4.0-92-generic #115~14.04.1-Ubuntu SMP Thu Aug 10 15:06:53 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
deb http://ppa.launchpad.net/certbot/certbot/ubuntu trusty main

Hi Zohar - is it actually broken?
I believe that you can safely ignore these warnings. Have packages broken for you? Or is there another thing preventing you from finishing an apt-get update?

Thanks for replying Noah.

Nothing seems to be broken really. Per your reply here - I understand it’s harmless.

Still, it made me choose not to include certbot in a base image I prepared for a commercial solution, since I want everything to be nice and clean at boot time.

Just throwing in my 2¢, I’m seeing this same error. The issue popped up when I added the Certbot PPA.

It seems to be cosmetic because Certbot works and apt-get seems to update/upgrade just fine, but there’s no way to really know if it’s causing something else to break in the background.

Ubuntu 14.04.5 LTS
3.13.0-129-generic #178-Ubuntu SMP Fri Aug 11 12:49:13 UTC 2017 i686 i686 i686 GNU/Linux

Reading package lists... Done
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-min
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-min
W: You may want to run apt-get update to correct these problems

Maybe you want to follow this bug in https://github.com/certbot/certbot/issues/5063 as it seems to have more details on what is happening.

I would always recommend running certbot-auto over the packaged version. It seems to do a better job at figuring out dependencies and certbot updates.
