Certbot renew fails (no attribute 'X509_V_FLAG_NOTIFY_POLICY')

My domain is:
s7fideo7a6wxus6y.myfritz.net

I ran this command:
sudo certbot renew

It produced this output:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 489, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2793, in load_entry_point
    return ep.load()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2411, in load
    return self.resolve()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2417, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 10, in <module>
    import josepy as jose
  File "/usr/lib/python3/dist-packages/josepy/__init__.py", line 44, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/usr/lib/python3/dist-packages/josepy/interfaces.py", line 8, in <module>
    from josepy import errors, util
  File "/usr/lib/python3/dist-packages/josepy/util.py", line 4, in <module>
    import OpenSSL
  File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1553, in <module>
    class X509StoreFlags(object):
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1571, in X509StoreFlags
    NOTIFY_POLICY = _lib.X509_V_FLAG_NOTIFY_POLICY
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_NOTIFY_POLICY'

My web server is (include version):
nginx/1.14.2

The operating system my web server runs on is (include version):
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster

I can login to a root shell on my machine (yes or no, or I don't know):
YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
The command 'certbot --version' does not work either. Same output as above. I already uninstalled an installed certbot. I also updated everything. No success...

This error is not caused by Certbot itself, but by a mismatch between the Python OpenSSL library and the Python cryptography library.

The X509_V_FLAG_NOTIFY_POLICY flag was removed from PyOpenSSL version 23.2.0 and afterwards also removed from cryptography version 42.0.0.

Thus, if your Raspbian is running a PyOpenSSL version before 23.2.0, but a cryptography version of 42.0.0, there's a mismatch. One solution would be to either upgrade PyOpenSSL to 23.2.0 or later or downgrade cryptography to a version before 42.0.0.

Or, if possible, use snap to install Certbot to begin with, as recommended by the Certbot team. But I don't know if snap is available on Raspbian.

Also note that Certbot 0.31.0 is very old. If possible, please upgrade Certbot too. My own Raspberry Pi 4B runs on Raspbian Bullseye currently, which is version 11.

4 Likes
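An added example (not part of the reply above and not Certbot's own code): a check for the version pairing that reply describes, reading versions from package metadata because `import OpenSSL` itself is what raises the AttributeError. The two thresholds are taken from the reply as stated; the function names are illustrative.

```python
"""Check for the pyOpenSSL / cryptography pairing described in the reply."""
import re

try:
    from importlib import metadata as _md        # Python 3.8+
    def _dist_version(name):
        try:
            return _md.version(name)
        except _md.PackageNotFoundError:
            return None
except ImportError:                               # Python 3.7 (Debian Buster)
    import pkg_resources
    def _dist_version(name):
        try:
            return pkg_resources.get_distribution(name).version
        except pkg_resources.DistributionNotFound:
            return None

# Thresholds as stated in the reply (assumption: not re-verified here).
PYOPENSSL_WITHOUT_FLAG = (23, 2, 0)
CRYPTOGRAPHY_WITHOUT_FLAG = (42, 0, 0)

def parse_version(text):
    """Turn '19.1' or '42.0.0.dev1' into (major, minor, patch) ints."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())

def is_mismatched(pyopenssl, cryptography):
    """True when an old pyOpenSSL still expects a flag cryptography dropped."""
    return (parse_version(pyopenssl) < PYOPENSSL_WITHOUT_FLAG
            and parse_version(cryptography) >= CRYPTOGRAPHY_WITHOUT_FLAG)

def report():
    """Return (versions, mismatch); mismatch is None if a package is absent."""
    found = {n: _dist_version(n) for n in ("pyOpenSSL", "cryptography")}
    if None in found.values():
        return found, None
    return found, is_mismatched(found["pyOpenSSL"], found["cryptography"])

if __name__ == "__main__":
    versions, mismatch = report()
    print(versions, "mismatch:", mismatch)
```

Run it with the same interpreter Certbot uses (here `/usr/bin/python3`), since a pip-installed copy in another path can shadow the distribution package.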

The certbot and nginx versions correspond with Debian Buster, which is oldoldstable and is three months away from the end of its Long Term Support coverage. I encourage upgrading to Debian stable, which is currently version 12.

After moving to a Bookworm release, uninstalling the Debian packaged version of certbot and moving to the Snap version is the easiest way to get current and stay current with certbot.

3 Likes

@linkp I'm not sure if Raspbian is capable of being upgraded to Bookworm.

1 Like

Raspbian was replaced by the also Debian-derived Raspberry Pi OS.

The latest version of Raspberry Pi OS is based on Debian Bookworm.

https://www.raspberrypi.com/documentation/computers/os.html

2 Likes

Unfortunately it does not mention a way or guide to upgrade Raspbian to Raspberry Pi OS.

1 Like

I expect it should just be a standard in place Debian upgrade. It would take two to get to the current Debian release. Raspberry Pi recommend a fresh install, but don't indicate that it cannot be upgraded. I think either of those options is preferable in advance of any efforts spent troubleshooting obsolete versions of everything, but ultimately, that call belongs to @ogli.

3 Likes

Raspbian and Raspberry Pi OS are the same thing, it's just a rebrand. The 32 bit mirrors are still named "raspbian".

Raspbian/Raspberry Pi OS has never officially supported upgrades, which is a shame IMHO. However, especially modern RPI releases are only slightly modified Debians, so Debian's official upgrade guide is mostly applicable.

4 Likes

I've had no problems with installing Ubuntu on RPi.

2 Likes

Updated PyOpenSSL and certbot to the newest version and used different versions of cryptography (before 42.0.0 and newer) -> does not work. Same problem.

Upgrade to bullseye fixed the problem.

4 Likes