Certbot failing with problem with OpenSSL configuration

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.chandlerfamily.org.uk

I ran this command:
certbot list

It produced this output:
Traceback (most recent call last):
  File "/snap/certbot/4183/bin/certbot", line 5, in <module>
    from certbot.main import main
  File "/snap/certbot/4183/lib/python3.12/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/snap/certbot/4183/lib/python3.12/site-packages/certbot/_internal/main.py", line 20, in <module>
    import josepy as jose
  File "/snap/certbot/4183/lib/python3.12/site-packages/josepy/__init__.py", line 40, in <module>
    from josepy.json_util import (
  File "/snap/certbot/4183/lib/python3.12/site-packages/josepy/json_util.py", line 24, in <module>
    from OpenSSL import crypto
  File "/snap/certbot/4183/lib/python3.12/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/snap/certbot/4183/lib/python3.12/site-packages/OpenSSL/SSL.py", line 11, in <module>
    from OpenSSL._util import (
  File "/snap/certbot/4183/lib/python3.12/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/snap/certbot/4183/lib/python3.12/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 15, in <module>
    from cryptography.exceptions import InternalError
  File "/snap/certbot/4183/lib/python3.12/site-packages/cryptography/exceptions.py", line 9, in <module>
    from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.

My web server is (include version):
nginx 1.18.0 (but not relevant)

The operating system my web server runs on is (include version):

Debian 12 (Raspberry Pi version)

My hosting provider, if applicable, is:
None

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no control panel.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Can't tell, as the crash stops that output. NOTE: recently installed from snap.
snap install --classic certbot (after I removed it).

This Raspberry Pi is a mail server and the certificate is used to enable my clients within my home to connect to the mail server. The DNS within the home points mail.chandlerfamily.org.uk to the local network IP address of the Raspberry Pi. I normally manually change port forwarding of port 80 on my router temporarily, run certbot renew, and then change it back (it normally points to an internal Synology NAS running both internal and external web sites, and this device also regularly renews certificates) just before the certificate expires. I came to just try and find when that was due today and found certbot completely failing to even start.

I'm not sure what to do next

Wow "... their last post was 9 years ago."

Welcome back :slight_smile:

I have never seen this error, so I'm not sure what to suggest. There is an issue with Certbot v3.0 and a crypto package, and maybe this openssl problem is another similar issue.

Even though you can't run certbot --version, you said you use snap install. Can you check the version with
sudo snap list | grep -i certbot

For the crypto package problems people have reverted to the prior. Or, for fresh snap installs, have instructed snap to install a specific version. You might try either of these. If that works around the problem you might be better off posting this at the EFF's GitHub for Certbot (link here). The devs will likely need to get involved.

For reverting and re-installing the certbot snap, see this GitHub post and the following ones.

2 Likes

sudo snap list | grep -i certbot
gives

certbot 3.0.0 4183 latest/stable certbot-eff** classic

1 Like

Oops, I should have had you do sudo snap list --all | grep -i certbot

But, that would only help determine whether you could "revert" or would need to install a different version. If you have been using snap certbot for a while you probably have version 2.11.0 (3834) available to revert to.

Did you try that as described in that github thread?

1 Like
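The check discussed above (is an older certbot revision still on disk to revert to, or does a specific version have to be installed?), as an added example that is not part of the thread. The sample output is constructed from the version and revision numbers quoted in the posts, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether a broken certbot snap can be rolled back.
# Parses `snap list --all certbot` output
# (columns: Name Version Rev Tracking Publisher Notes).

# Constructed sample output, modelled on the revisions quoted in the thread.
SAMPLE='Name     Version  Rev   Tracking       Publisher      Notes
certbot  2.11.0   3834  latest/stable  certbot-eff**  disabled,classic
certbot  3.0.0    4183  latest/stable  certbot-eff**  classic'

# Print "version rev" of the active (not disabled) certbot revision.
active_revision() {
    printf '%s\n' "$1" |
        awk '$1 == "certbot" && $NF !~ /disabled/ { print $2, $3 }'
}

# Print "version rev" of the newest disabled revision, i.e. what
# `snap revert` would fall back to. Prints nothing if there is none.
revert_candidate() {
    printf '%s\n' "$1" | awk '
        $1 == "certbot" && $NF ~ /disabled/ && $3 + 0 > best {
            best = $3 + 0; out = $2 " " $3
        }
        END { if (out != "") print out }'
}

# Summarise the situation and the command that applies to it.
advise() {
    cand=$(revert_candidate "$1")
    if [ -n "$cand" ]; then
        echo "revert possible to $cand: sudo snap revert certbot"
    else
        echo "no older revision on disk: install a specific version instead"
    fi
}

# On a live system, replace "$SAMPLE" with "$(snap list --all certbot)".
echo "active: $(active_revision "$SAMPLE")"
advise "$SAMPLE"
```

Without `--all`, snap lists only the active revision, which is why the plain `snap list` output in the thread could not answer the revert question.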

same output

I didn't try reverting yet. It looks like activity is happening.

This issue seems to closely match my experience, although it's on Ubuntu whilst I'm on Raspbian.

I'm going to hold on for a few days, since my current certificate doesn't expire until 15th Jan and hopefully this mess will get cleared up by then.

1 Like

It is also a different package, so if reverting to 2.11 resolves it you should post a new issue on the EFF GitHub for your error message. Your message specifically says openssl, which might be a different packaging issue.

We can only hope :slight_smile: Personally I would post an issue at the GitHub, but your call.

2 Likes

Certbot update just came out to fix the crypto deprecation warning: Certbot 3.0.1 Release

Hopefully that resolves your openssl issue too.

3 Likes