Hi guys! I had my certificate OK on my Debian Jessie server, but now I get:
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/mydomain.conf produced an unexpected error: cannot instantiate ctype 'EVP_MD_CTX' of unknown size. Skipping.
-------------------------------------------------------------------------------
The following renewal configuration files were invalid:
/etc/letsencrypt/renewal/mydomain.conf
-------------------------------------------------------------------------------
This does sound related to a packaging or dependency problem of some kind, rather than something about the way you’re using Certbot. It would be great to see the logs from /var/log/letsencrypt in case they could help explain more about the circumstances of the error.
Also, can you provide the version of Certbot installed, and all versions of OpenSSL installed (including /usr/lib and /usr/local/lib), and what versions of the Python cryptography module are installed? Also, what method did you use to install Certbot?
certbot 0.19.0 installed with --apache before installing pound
python-cryptography 1.7.1-3
openssl 1.0.1t
libssl1.0.0 1.0.1t
libssl1.0.2 1.0.2l is installed too
$ vdir /usr/lib/ssl/
totale 4
lrwxrwxrwx 1 root root 14 ago 16 2012 certs -> /etc/ssl/certs
drwxr-xr-x 2 root root 4096 nov 7 13:49 misc
lrwxrwxrwx 1 root root 20 nov 2 15:07 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root 16 ago 16 2012 private -> /etc/ssl/private
no ssl in /usr/local/lib
# certbot certificates
writes this to letsencrypt.log:
2017-11-09 12:29:48,688:DEBUG:certbot.main:certbot version: 0.19.0
2017-11-09 12:29:48,688:DEBUG:certbot.main:Arguments: []
2017-11-09 12:29:48,688:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-11-09 12:29:48,704:DEBUG:certbot.log:Root logging level set at 20
2017-11-09 12:29:48,705:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-11-09 12:29:48,763:WARNING:certbot.cert_manager:Renewal configuration file /etc/letsencrypt/renewal/qumran2.conf produced an unexpected error: cannot instantiate ctype 'EVP_MD_CTX' of unknown size. Skipping.
2017-11-09 12:29:48,788:DEBUG:certbot.cert_manager:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/certbot/cert_manager.py", line 78, in certificates
crypto_util.verify_renewable_cert(renewal_candidate)
File "/usr/lib/python2.7/dist-packages/certbot/crypto_util.py", line 215, in verify_renewable_cert
verify_renewable_cert_sig(renewable_cert)
File "/usr/lib/python2.7/dist-packages/certbot/crypto_util.py", line 233, in verify_renewable_cert_sig
OpenSSL.crypto.verify(chain, cert.signature, cert.tbs_certificate_bytes, hash_name)
File "/usr/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 2605, in verify
md_ctx = _ffi.new("EVP_MD_CTX*")
TypeError: cannot instantiate ctype 'EVP_MD_CTX' of unknown size
There are no issues that I’m aware of, but when problems like this arise, the pyca folks who maintain cryptography and PyOpenSSL are quick to suggest that custom-installed versions of OpenSSL are the problem. They often see issues with their libraries compiling and linking against different versions of OpenSSL due to the non-intuitive way compilers and linkers search for these libraries.
With that said, I have a couple more questions/suggestions:
How did you install Certbot 0.19.0 on Debian Jessie? If you want the latest version of Certbot on this platform, I’d strongly encourage you to use certbot-auto, following the instructions here, which is able to work around problems like this.
What version of python-openssl/pyOpenSSL do you have installed? The error is being raised from this library and some people who have seen this error have had success upgrading to a more recent version.
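An added example, not part of the original thread and not Certbot's own code: a Python script that gathers what the replies above ask for, namely the installed version and on-disk location of certbot, cryptography and pyOpenSSL, plus the OpenSSL build each layer reports at run time. The function names are hypothetical; run it with the same interpreter Certbot uses.

```python
import importlib
import re
import ssl

MODULES = ("certbot", "cryptography", "OpenSSL")  # OpenSSL = pyOpenSSL's import name


def describe_module(name):
    """Version and on-disk path of a module, or the error raised on import."""
    try:
        mod = importlib.import_module(name)
    except Exception as exc:  # broken bindings can raise more than ImportError
        return {"error": "{}: {}".format(type(exc).__name__, exc)}
    return {"version": getattr(mod, "__version__", "unknown"),
            "path": getattr(mod, "__file__", "unknown")}


def linked_openssl():
    """Ask each layer which OpenSSL build it reports at run time."""
    found = {"python ssl module": ssl.OPENSSL_VERSION}
    try:
        from cryptography.hazmat.backends.openssl.backend import backend
        found["cryptography"] = backend.openssl_version_text()
    except Exception as exc:
        found["cryptography"] = "unavailable ({})".format(type(exc).__name__)
    try:
        from OpenSSL import SSL
        found["pyOpenSSL"] = SSL.SSLeay_version(SSL.SSLEAY_VERSION).decode("ascii")
    except Exception as exc:
        found["pyOpenSSL"] = "unavailable ({})".format(type(exc).__name__)
    return found


def distinct_openssl_releases(found):
    """Pull release tokens such as '1.0.1t' out of the version strings."""
    releases = set()
    for text in found.values():
        match = re.search(r"OpenSSL (\d+\.\d+\.\d+[a-z]*)", text)
        if match:
            releases.add(match.group(1))
    return sorted(releases)


if __name__ == "__main__":
    for name in MODULES:
        print("{}: {}".format(name, describe_module(name)))
    found = linked_openssl()
    for layer, text in sorted(found.items()):
        print("{} -> {}".format(layer, text))
    print("distinct OpenSSL releases: {}".format(distinct_openssl_releases(found)))
```

Paths under `dist-packages` versus `/usr/local` or `site-packages` show whether a module came from the distribution package or from pip. A pip-installed cryptography wheel ships its own OpenSSL, so a difference from the `ssl` module's build is something to report rather than an error by itself.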