Certbot-auto stopped working on amazon-linux

Have updated a certificate yesterday, without any issues. Wanted to make sure it will be automatically updated from now on, so started checking this out, but now certbot-auto wants to update from 1.0.0 to 1.3.0 and this breaks the whole process… Have been searching around for solutions, but the solutions found (linking files, using pip to install extra packages, removing certbot and install from scratch) all do not work for me.

My domain is:
chromecast-rte.24imedia.tv

I ran this command:
certbot-auto --no-bootstrap

It produced this output:
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
from certbot.main import main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 2, in <module>
from certbot._internal import main as internal_main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/_internal/main.py", line 10, in <module>
import josepy as jose
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>
from josepy.interfaces import JSONDeSerializable
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 7, in <module>
from josepy import errors, util
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 7, in <module>
import OpenSSL
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import crypto, SSL
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 12, in <module>
from cryptography import x509
ImportError: No module named cryptography

My web server is (include version):
Server version: Apache/2.2.34 (Unix)
Server built: Nov 1 2017 18:47:16

The operating system my web server runs on is (include version):
Amazon Linux AMI release 2018.03

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
/usr/local/bin/certbot-auto --version produces:
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
from certbot.main import main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 2, in <module>
from certbot._internal import main as internal_main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/_internal/main.py", line 10, in <module>
import josepy as jose
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>
from josepy.interfaces import JSONDeSerializable
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 7, in <module>
from josepy import errors, util
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 7, in <module>
import OpenSSL
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import crypto, SSL
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 12, in <module>
from cryptography import x509
ImportError: No module named cryptography

When using the old version from certbot-auto (and after removing the certbot installation):
Upgrading certbot-auto 1.0.0 to 1.3.0...
Replacing certbot-auto...
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
from certbot.main import main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 2, in <module>
from certbot._internal import main as internal_main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/_internal/main.py", line 10, in <module>
import josepy as jose
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>
from josepy.interfaces import JSONDeSerializable
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 7, in <module>
from josepy import errors, util
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 7, in <module>
import OpenSSL
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import crypto, SSL
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 12, in <module>
from cryptography import x509
ImportError: No module named cryptography

I don’t really get why all of a sudden Amazon Linux is “FATAL: Amazon Linux support is very experimental at present…” as it worked before (even yesterday) without this warning and we’re also running this on other servers which now also might be in trouble (guess we have about 6 other servers which make use of Let’s Encrypt for SSL certs)… Not going to check them now as they have valid certificates and don’t want more production issues but they will definitely experience the same issues…


It looks related to Python 2 being EOL to me. (since 2020-01-01)

I think you have two options: install python3 and reinstall certbot-auto, or switch clients (the bash ones are popular and have a lot fewer dependencies than certbot).

Or a third option: install certbot from EPEL, since AmazonLinux is compatible with rhel/centos (my bad, this only works for version 7, not 8)


Thanks for the info. One of the solutions tried was this one. This is using Python3.6 but, in the end, it resulted in the same errors… Will look into the suggested clients. Still strange it worked yesterday (so the cert is now valid for another 90 days) and this morning the certbot script wants to update to a new version and, since then, creating all kinds of issues :frowning:


Yeah, my rationalization made sense but was probably not true: cryptography still supports python 2.7.

It's probably only missing in that virtualenv, must be some typo or some build failure maybe?

Can this apply to you? Get Certbot — Certbot 2.7.0.dev0 documentation


Thanks @9peppe. Have tried 2 “clients” and the second one (acme.sh) seems to work for me. Have to update the Apache config myself, but that also means I have more control. First test certificates requested, now waiting for some time to see whether updating will also work as suggested. If this works, not caring about the certbot stuff anymore :wink:


Since you've chosen acme.sh, remember to use it to install the certs somewhere and with --reloadcmd so it can reload the webserver on renewals.

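The install step suggested in the reply above, as an added example that is not part of the original thread: it copies the issued certificate out of acme.sh's own directory, registers the reload command that acme.sh runs after each renewal, and checks that the installed key is not readable by group or others. The target directory, the `httpd` service name, `example.com` and the `ACME_SH`/`CERT_DIR` variables are assumptions.

```shell
#!/bin/sh
# Added example. Paths, the httpd service name and example.com are assumptions.
ACME_SH="${ACME_SH:-$HOME/.acme.sh/acme.sh}"   # default acme.sh install location
CERT_DIR="${CERT_DIR:-/etc/pki/tls/acme}"      # assumed directory Apache reads from

# Copy the issued cert out of acme.sh's private store and record the reload
# command, which acme.sh runs again after every successful renewal.
install_cert() {
    domain=$1
    # Apache 2.2 cannot take the chain inside SSLCertificateFile (that arrived
    # in 2.4.8), so the leaf and the intermediate go to separate files:
    #   SSLCertificateFile      $CERT_DIR/$domain.crt
    #   SSLCertificateKeyFile   $CERT_DIR/$domain.key
    #   SSLCertificateChainFile $CERT_DIR/$domain.chain.crt
    "$ACME_SH" --install-cert -d "$domain" \
        --cert-file "$CERT_DIR/$domain.crt" \
        --key-file  "$CERT_DIR/$domain.key" \
        --ca-file   "$CERT_DIR/$domain.chain.crt" \
        --reloadcmd "service httpd reload"
}

# Succeed only if the key file exists and is unreadable by group and others.
key_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \))" ]
}

# Typical use once the certificate has been issued:
#   install_cert example.com && key_is_private "$CERT_DIR/example.com.key"
```

Setting `ACME_SH=echo` before calling `install_cert` prints the arguments instead of running acme.sh, which is a quick way to review the paths first.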

Yes, will do. Thanks!

