Centos7 certbot python2-cryptography version mismatch


#1

I’ve recently discovered my LE cert hasn’t been renewing (expiring later today - I guess that means broken for 3 months), so I’ve taken a look and found that it’s upset with my Python versions.

$ certbot
Traceback (most recent call last):
  File "/usr/bin/certbot", line 5, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3126, in <module>
    @_call_aside
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3110, in _call_aside
    f(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3139, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 583, in _build_master
    return cls._build_from_requirements(requires)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 596, in _build_from_requirements
    dists = ws.resolve(reqs, Environment())
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 789, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (cryptography 1.7.2 (/usr/lib64/python2.7/site-packages), Requirement.parse('cryptography>=1.9'), set(['PyOpenSSL']))

Best I can tell, the last line is the important bit - the latest version of the python2-cryptography package on CentOS 7 is 1.7.2, but the letsencrypt ‘certbot’ tool needs >=1.9. A quick search online and here isn’t being very fruitful with a resolution.
I’m running CentOS 7.6.1810, elrepo & rpmfusion repos.

Short of compiling myself (and no doubt hitting a load of Python version headaches), can anyone suggest a solution?
It’s certainly worked in the past, as I have a cert already issued. I’m fairly sure I’ve had 2-3 automatic renewals with a cron certbot job.


#2

Got it sussed.
A suggestion on another forum hinted at pip being the issue, so I removed it. Took a read of the Python cryptography documentation (https://cryptography.io/en/latest/faq/#cryptography-failed-to-install). Reinstalled pip, then upgraded from within pip.
sudo pip install -U pip

Then I went with an upgrade of the cryptography package from the 1.7.2 EPEL version to whatever pip put me on (currently 2.4.2).
sudo pip install cryptography --upgrade

Re-ran certbot and all is good - cert has now been renewed.

I completely forgot how my home server was set up: CentOS host with 4 CentOS guest VMs on it. Some of those guests also have certbot running, but I haven’t got round to configuring yum-cron updates properly on them yet. Those still ran certbot 0.26 rather than the 0.29.1 that the host does, so they’ve obviously changed the base levels which aren’t satisfied with repo dependencies.
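
For triaging a failed renewal like the one in this thread, the following added example (not part of the original posts, and not certbot or setuptools code) parses the final VersionConflict line of captured certbot output and checks whether a candidate version would satisfy the stated requirement. The function names are hypothetical, the sample line is copied from post #1 with straight quotes, and only purely numeric dotted versions and the Python 2 `set([...])` repr are handled.

```python
import re

# Final traceback line from post #1, quotes normalised to ASCII.
SAMPLE = ("pkg_resources.ContextualVersionConflict: (cryptography 1.7.2 "
          "(/usr/lib64/python2.7/site-packages), "
          "Requirement.parse('cryptography>=1.9'), set(['PyOpenSSL']))")

# Matches the Python 2 repr seen in the thread; the set([...]) part is optional
# because a plain VersionConflict carries no "required by" context.
CONFLICT_RE = re.compile(
    r"VersionConflict: \((?P<name>[\w.\-]+) (?P<installed>[\w.]+) \([^)]*\), "
    r"Requirement\.parse\('(?P<req>[^']+)'\)(?:, set\(\[(?P<by>[^\]]*)\]\))?\)")
CURLY = str.maketrans("\u2018\u2019", "''")  # pasted logs often carry curly quotes
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def vtuple(version):
    """'1.9.0' -> (1, 9). Raises ValueError on non-numeric parts such as 'rc1'."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()  # so that 1.9 and 1.9.0 compare equal
    return tuple(parts)


def satisfies(version, requirement):
    """True if version meets every clause of e.g. 'cryptography>=1.9,<3'."""
    clauses = re.findall(r"(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)", requirement)
    return all(OPS[op](vtuple(version), vtuple(want)) for op, want in clauses)


def triage(lines, candidate=None):
    """Return one dict per conflict line; test `candidate` against it if given."""
    report = []
    for line in lines:
        m = CONFLICT_RE.search(line.translate(CURLY))
        if not m:
            continue
        c = m.groupdict()
        c["required_by"] = re.findall(r"'([^']+)'", c.pop("by") or "")
        c["installed_ok"] = satisfies(c["installed"], c["req"])
        if candidate:
            c["candidate_ok"] = satisfies(candidate, c["req"])
        report.append(c)
    return report


if __name__ == "__main__":
    for c in triage([SAMPLE], candidate="2.4.2"):
        print(c)
```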