Cannot instantiate ctype ‘EVP_MD_CTX’ of unknown size

Hi guys! I had my certificate OK on my Debian Jessie server, but now I get:

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/mydomain.conf produced an unexpected error: cannot instantiate ctype 'EVP_MD_CTX' of unknown size. Skipping.

-------------------------------------------------------------------------------

The following renewal configuration files were invalid:
  /etc/letsencrypt/renewal/mydomain.conf
-------------------------------------------------------------------------------

I saw "Unexpected error: cannot instantiate ctype ‘EVP_MD_CTX’ of unknown size", but it doesn’t help me…

In the meanwhile, trying to add a domain to the certificate with

sudo certbot certonly --standalone --cert-name mydomain -d domain1.com,domain2.com,...

does not update the certificate, does not report any error on the CLI, and only exits with status 1

Not sure about the error.

Without the exact domain name there is not much more anyone can do for you.

Just one note: as you are using certonly, maybe the additional domain certs are being issued.
Try checking at: https://crt.sh/

This does sound related to a packaging or dependency problem of some kind, rather than something about the way you’re using Certbot. It would be great to see the logs from /var/log/letsencrypt in case they could help explain more about the circumstances of the error.

Also, can you provide the version of Certbot installed, and all versions of OpenSSL installed (including /usr/lib and /usr/local/lib), and what versions of the Python cryptography module are installed? Also, what method did you use to install Certbot?

certbot 0.19.0 installed with --apache before installing pound
python-cryptography 1.7.1-3
openssl 1.0.1t
libssl1.0.0 1.0.1t
libssl1.0.2 1.0.2l is installed too

$ vdir /usr/lib/ssl/
totale 4
lrwxrwxrwx 1 root root   14 ago 16  2012 certs -> /etc/ssl/certs
drwxr-xr-x 2 root root 4096 nov  7 13:49 misc
lrwxrwxrwx 1 root root   20 nov  2 15:07 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root   16 ago 16  2012 private -> /etc/ssl/private

no ssl in /usr/local/lib

# certbot certificates

writes this to letsencrypt.log:

2017-11-09 12:29:48,688:DEBUG:certbot.main:certbot version: 0.19.0
2017-11-09 12:29:48,688:DEBUG:certbot.main:Arguments: []
2017-11-09 12:29:48,688:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-11-09 12:29:48,704:DEBUG:certbot.log:Root logging level set at 20
2017-11-09 12:29:48,705:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-11-09 12:29:48,763:WARNING:certbot.cert_manager:Renewal configuration file /etc/letsencrypt/renewal/qumran2.conf produced an unexpected error: cannot instantiate ctype 'EVP_MD_CTX' of unknown size. Skipping.
2017-11-09 12:29:48,788:DEBUG:certbot.cert_manager:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/cert_manager.py", line 78, in certificates
    crypto_util.verify_renewable_cert(renewal_candidate)
  File "/usr/lib/python2.7/dist-packages/certbot/crypto_util.py", line 215, in verify_renewable_cert
    verify_renewable_cert_sig(renewable_cert)
  File "/usr/lib/python2.7/dist-packages/certbot/crypto_util.py", line 233, in verify_renewable_cert_sig
    OpenSSL.crypto.verify(chain, cert.signature, cert.tbs_certificate_bytes, hash_name)
  File "/usr/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 2605, in verify
    md_ctx = _ffi.new("EVP_MD_CTX*")
TypeError: cannot instantiate ctype 'EVP_MD_CTX' of unknown size
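
To see which installed library a traceback like the one above actually comes from, this added example (not code from the thread or from Certbot) walks the frames of a log excerpt and reports the package chain and the raising frame. The function names are hypothetical and the sample log is an abridged, constructed copy of the lines posted above.

```python
import re

# Constructed sample: abridged traceback from the letsencrypt.log excerpt in this thread.
SAMPLE_LOG = '''\
2017-11-09 12:29:48,788:DEBUG:certbot.cert_manager:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/cert_manager.py", line 78, in certificates
    crypto_util.verify_renewable_cert(renewal_candidate)
  File "/usr/lib/python2.7/dist-packages/certbot/crypto_util.py", line 233, in verify_renewable_cert_sig
    OpenSSL.crypto.verify(chain, cert.signature, cert.tbs_certificate_bytes, hash_name)
  File "/usr/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 2605, in verify
    md_ctx = _ffi.new("EVP_MD_CTX*")
TypeError: cannot instantiate ctype 'EVP_MD_CTX' of unknown size
'''

FRAME_RE = re.compile(r'^\s+File "([^"]+)", line (\d+), in (\S+)')
PKG_RE = re.compile(r'/(?:dist|site)-packages/([^/]+)')
EXC_RE = re.compile(r'^([A-Za-z_][\w.]*): (.*)$')

def top_level_package(path):
    """Import name of the installed package that owns a frame's file, or None."""
    m = PKG_RE.search(path)
    name = m.group(1) if m else None
    return name[:-3] if name and name.endswith('.py') else name

def summarize_traceback(log_text):
    """Summarize the last traceback in a log: package chain and raising frame."""
    frames, exc, in_tb = [], None, False
    for line in log_text.splitlines():
        if line.startswith('Traceback (most recent call last):'):
            frames, exc, in_tb = [], None, True
        elif in_tb and FRAME_RE.match(line):
            frames.append(FRAME_RE.match(line).groups())
        elif in_tb and not line.startswith(' '):
            exc, in_tb = EXC_RE.match(line), False  # first unindented line ends it
    if not frames or exc is None:
        return None
    chain = []
    for path, _, _ in frames:
        pkg = top_level_package(path)
        if pkg and (not chain or chain[-1] != pkg):
            chain.append(pkg)  # collapse consecutive frames from the same package
    path, lineno, func = frames[-1]
    return {'chain': chain, 'raised_in': top_level_package(path),
            'frame': '%s:%s in %s' % (path.rsplit('/', 1)[-1], lineno, func),
            'exception': exc.group(1), 'message': exc.group(2)}

print(summarize_traceback(SAMPLE_LOG))
```

For this log the chain ends in `OpenSSL`, the import name of pyOpenSSL, so the failure is raised below Certbot's own code rather than by the contents of the renewal configuration file.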

@bmw @erica, are there any known issues with the above installed versions of OpenSSL and cryptography?

There are no issues that I’m aware of, but when problems like this arise, the pyca folks who maintain cryptography and PyOpenSSL are quick to suggest that custom installed versions of OpenSSL are the problem. They often see issues with their libraries compiling and linking against different versions of OpenSSL due to the non-intuitive way compilers and linkers search for these libraries.

With that said, I have a couple more questions/suggestions:

  1. How did you install Certbot 0.19.0 on Debian Jessie? If you want the latest version of Certbot on this platform, I’d strongly encourage that you use certbot-auto following the instructions here which is able to work around problems like this.
  2. What version of python-openssl/pyOpenSSL do you have installed? The error is being raised from this library and some people who have seen this error have had success upgrading to a more recent version.

I hope this helps!

I installed certbot 0.19 on my Debian Jessie server with apt pinning: sudo apt install -t sid certbot

python-openssl: 16.0.0

Using certbot-auto, everything seems OK. Thank you for the support!
