Can't install Let's Encrypt: «undefined symbol: OPENSSL_sk_num»


#1

Please fill out the fields below so we can help you better.

My domain is: moto.courses

I ran this command:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto

It produced this output:

Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
Get:1 http://security.ubuntu.com/ubuntu zesty-security InRelease [89.2 kB]
Hit:2 http://mirrors.linode.com/ubuntu zesty InRelease    
Get:3 http://mirrors.linode.com/ubuntu zesty-updates InRelease [89.2 kB]
Hit:4 http://mirrors.linode.com/ubuntu zesty-backports InRelease
Get:5 http://mirrors.linode.com/ubuntu zesty-updates/main amd64 Packages [42.3 kB]
Get:6 http://mirrors.linode.com/ubuntu zesty-updates/main i386 Packages [41.2 kB]
Get:7 http://mirrors.linode.com/ubuntu zesty-updates/main Translation-en [18.2 kB]
Get:8 http://security.ubuntu.com/ubuntu zesty-security/main i386 Packages [35.5 kB]
Get:9 http://security.ubuntu.com/ubuntu zesty-security/main amd64 Packages [36.3 kB]
Get:10 http://security.ubuntu.com/ubuntu zesty-security/main Translation-en [15.5 kB]
Fetched 367 kB in 0s (824 kB/s)              
Reading package lists... Done
Reading package lists... Done
Building dependency tree       
Reading state information... Done
augeas-lenses is already the newest version (1.6.0-0ubuntu3).
ca-certificates is already the newest version (20161130).
gcc is already the newest version (4:6.3.0-2ubuntu1).
libaugeas0 is already the newest version (1.6.0-0ubuntu3).
libffi-dev is already the newest version (3.2.1-6).
libssl-dev is already the newest version (1.0.2g-1ubuntu11).
openssl is already the newest version (1.0.2g-1ubuntu11).
python is already the newest version (2.7.13-2).
python-dev is already the newest version (2.7.13-2).
python-virtualenv is already the newest version (15.1.0+ds-1).
virtualenv is already the newest version (15.1.0+ds-1).
0 upgraded, 0 newly installed, 0 to remove and 6 not upgraded.
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 9, in <module>
    from acme import jose
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/jose/__init__.py", line 37, in <module>
    from acme.jose.interfaces import JSONDeSerializable
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/jose/interfaces.py", line 9, in <module>
    from acme.jose import util
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/jose/util.py", line 5, in <module>
    import OpenSSL
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/rand.py", line 12, in <module>
    from OpenSSL._util import (
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /root/.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so: undefined symbol: OPENSSL_sk_num

My operating system is (include version):

# uname -a
Linux li350-157 4.9.15-x86_64-linode81 #1 SMP Fri Mar 17 09:47:36 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 17.04
Release:	17.04
Codename:	zesty

OpenSSL:

# openssl version
OpenSSL 1.1.1-dev  xx XXX xxxx

Python thing (looks like it’s using the old OpenSSL, I have no idea how to fix it…):

# ldd /root/.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so
	linux-vdso.so.1 =>  (0x00007fff5fa2b000)
	libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fa091526000)
	libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fa0910e2000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa090ec4000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa090afd000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa0908f9000)
	/lib64/ld-linux-x86-64.so.2 (0x0000557777716000)

My web server is (include version):

# nginx -V
nginx version: nginx/1.13.0
built by gcc 6.3.0 20170406 (Ubuntu 6.3.0-12ubuntu2) 
built with OpenSSL 1.1.1-dev  xx XXX xxxx
TLS SNI support enabled
configure arguments: --conf-path=/websites/nginx/nginx.conf --with-http_ssl_module --with-zlib=/root/Downloads/zlib-1.2.11 --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --add-module=/root/Downloads/ngx_brotli/ --with-stream --with-stream_ssl_module --with-stream_geoip_module=dynamic --with-threads --with-http_gunzip_module --with-http_gzip_static_module --with-pcre=/root/Downloads/pcre-8.40/ --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --with-openssl=/root/Downloads/openssl

My hosting provider, if applicable, is:

Linode

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no
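The mismatch visible in the traceback and `ldd` output above, as an added example that is not part of the original post: `OPENSSL_sk_num` is exported by OpenSSL 1.1.0 and later (1.0.x exports it as `sk_num`), while the extension is linked against `libcrypto.so.1.0.0`. The function names are hypothetical and the sample input is constructed from the `ldd` lines quoted in the post.

```shell
#!/usr/bin/env bash
# Added example: explain an "undefined symbol" ImportError from a Python
# OpenSSL binding by comparing the API generation that exports the symbol
# with the libcrypto the extension is linked against at run time.

# Constructed sample: lines taken from the ldd output quoted in the post.
SAMPLE_LDD='  libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fa091526000)
  libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fa0910e2000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa090afd000)'

# Read ldd output on stdin; print the libcrypto soname version (e.g. 1.0.0).
linked_libcrypto_version() {
    sed -n 's/^[[:space:]]*libcrypto\.so\.\([0-9][0-9.]*\)[[:space:]].*/\1/p' | head -n 1
}

# Classify a symbol by the OpenSSL generation that exports it.
# OPENSSL_sk_* replaced sk_* in OpenSSL 1.1.0; anything else is not classified.
symbol_generation() {
    case "$1" in
        OPENSSL_sk_*) echo "1.1+" ;;
        sk_*)         echo "1.0" ;;
        *)            echo "unknown" ;;
    esac
}

# diagnose SYMBOL, with ldd output on stdin.
# Prints "mismatch", "consistent" or "unknown".
diagnose() (
    need=$(symbol_generation "$1")
    have=$(linked_libcrypto_version)
    case "$need:$have" in
        unknown:*|*:) echo "unknown" ;;     # unclassified symbol or no libcrypto line
        1.1+:1.0.*)   echo "mismatch" ;;    # built against 1.1 headers, linked to 1.0.x
        1.0:1.0.*)    echo "consistent" ;;
        1.1+:*)       echo "consistent" ;;
        *)            echo "mismatch" ;;    # 1.0-only symbol, newer library
    esac
)

# Sample run on the constructed input.
printf '%s\n' "$SAMPLE_LDD" | diagnose OPENSSL_sk_num

# Live run: pass the path of the extension (and optionally the symbol).
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    ldd "$1" | diagnose "${2:-OPENSSL_sk_num}"
fi
```

A "mismatch" result means the extension was compiled against headers from one OpenSSL generation and resolved against the shared library of another, which is consistent with a source-built OpenSSL 1.1.1-dev sitting beside the distribution's 1.0.2g packages.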

#2

hi @SilentImp

Issue has cropped up before. Review

Andrei


#3

The way I would fix it (and thanks for the detailed descriptions of your system):

A) virtualenv path to a location
B) path to a location\scripts\activate
C) pip install certbot

This should give you a virtual env with certbot working and should allow you to not rely on operating system configs.

Andrei


#4

@ahaw021 Could you please specify “path to a location” — location of what?
It’s just a random path I create, right?

# virtualenv /letsencrypt/
Running virtualenv with interpreter /usr/bin/python2
New python executable in /letsencrypt/bin/python2
Also creating executable in /letsencrypt/bin/python
Installing setuptools, pkg_resources, pip, wheel...done.
/# cd /letsencrypt
root@li350-157:/letsencrypt# ls
bin  include  lib  local  share

There is no scripts folder inside. I tried to use pip:

/letsencrypt# pip
-bash: /usr/bin/pip: No such file or directory

If I try to do it manually:

/letsencrypt/bin# ./pip install certbot
pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.
Collecting certbot
  Could not find a version that satisfies the requirement certbot (from versions: )
No matching distribution found for certbot

Thanks for answering. With all best regards, Anton.


#5

Sure, I have googled for a solution, but never found anything that works.
Even here: Getting “Error: couldn’t get currently installed version for letsencrypt” when trying to renew my certificates


#6

hi @SilentImp

Are you open to use other clients?

There are a couple of good Bash Clients (GetSSL and ACME.sh) which do not have python dependencies and have a high level of automation

https://letsencrypt.org/docs/client-options/

The reason why I mention this is that, by the looks of it, your server’s Python configs need a bit of work and there is a benefit vs reward analysis which can be done here.

If you want to carry on fixing Python in the virtual environment then that’s OK as well.

I believe your issue is that you do not have the intermediate required for downloading packages over SSL from PyPI.

Have a look at this article on how I built certbot on Windows: Running Certbot on Windows - Phase 1

A lot of the steps are not relevant to your setup as you are on Linux, but there is a note about a missing intermediate certificate.

Andrei


#7

Thanks, I have used https://github.com/srvrco/getssl and it looks like it works.
Well, not quite, but it looks like now I have a problem with the nginx configuration, and the certificates are OK.

