Certbot Shared object "libffi.so.6" not found Errors After Recent FreeBSD Upgrade

I am encountering a number of errors whenever I run the certbot command. Errors are listed below. This just started happening recently after performing an upgrade. Any help or guidance on how to proceed would be greatly appreciated. The issue seems similar to this one but wanted to confirm before trying to recompile anything or mixing ports and packages on FreeBSD.

Thanks in advance!

My domain is: samirparikh.com

I ran this command: certbot --version or certbot renew

It produced this output:

$ certbot --version
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.39.0', 'console_scripts', 'certbot')()
  File "/usr/local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 489, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2852, in load_entry_point
    return ep.load()
  File "/usr/local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2443, in load
    return self.resolve()
  File "/usr/local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2449, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/local/lib/python3.6/site-packages/certbot/main.py", line 10, in <module>
    import josepy as jose
  File "/usr/local/lib/python3.6/site-packages/josepy/__init__.py", line 41, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/usr/local/lib/python3.6/site-packages/josepy/interfaces.py", line 7, in <module>
    from josepy import errors, util
  File "/usr/local/lib/python3.6/site-packages/josepy/util.py", line 7, in <module>
    import OpenSSL
  File "/usr/local/lib/python3.6/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/local/lib/python3.6/site-packages/OpenSSL/crypto.py", line 12, in <module>
    from cryptography import x509
  File "/usr/local/lib/python3.6/site-packages/cryptography/x509/__init__.py", line 8, in <module>
    from cryptography.x509.base import (
  File "/usr/local/lib/python3.6/site-packages/cryptography/x509/base.py", line 16, in <module>
    from cryptography.x509.extensions import Extension, ExtensionType
  File "/usr/local/lib/python3.6/site-packages/cryptography/x509/extensions.py", line 18, in <module>
    from cryptography.hazmat.primitives import constant_time, serialization
  File "/usr/local/lib/python3.6/site-packages/cryptography/hazmat/primitives/constant_time.py", line 11, in <module>
    from cryptography.hazmat.bindings._constant_time import lib
ImportError: Shared object "libffi.so.6" not found, required by "_cffi_backend.so"

My web server is (include version):

$ nginx -v
nginx version: nginx/1.18.0

The operating system my web server runs on is (include version):

$ uname -a
FreeBSD bozeman 12.1-RELEASE-p10 FreeBSD 12.1-RELEASE-p10 GENERIC  amd64

My hosting provider, if applicable, is: Not applicable

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Not sure as I can't run certbot --version

In addition, here is the output of the letsencrypt.log:

$ sudo more /var/log/letsencrypt/letsencrypt.log
2020-10-13 14:00:00,664:DEBUG:certbot.main:certbot version: 0.39.0
2020-10-13 14:00:00,665:DEBUG:certbot.main:Arguments: []
2020-10-13 14:00:00,665:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-10-13 14:00:00,688:DEBUG:certbot.log:Root logging level set at 20
2020-10-13 14:00:00,689:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-10-13 14:00:00,717:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x803766860> and installer <certbot.cli._Default object at 0x803766860>
2020-10-13 14:00:00,745:INFO:certbot.renewal:Cert not yet due for renewal
2020-10-13 14:00:00,746:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2020-10-13 14:00:00,751:DEBUG:certbot.plugins.selection:Selecting plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x803753470>
2020-10-13 14:00:00,752:DEBUG:certbot.renewal:no renewal failures

Welcome to the community!

From the

I believe some of the underlying components may need updating.
Is the system up-to-date?

Also, if your system can run snapd, that might be an even better fit.
See: https://certbot.eff.org/lets-encrypt/snap-nginx

I'm honestly not sure if snap will work here.

1 Like

You could try to update py-cffi and/or libffi.

3 Likes

Thanks for all of the comments and suggestions. I think I may have resolved this through some trial and error but will have to wait until my certificate is due for renewal to really know for sure.

@rg305: As griffin mentioned, I don't think snapd will be an option on FreeBSD as I believe that this would require systemd which I don't have.

@Osiris: Thank you for your reply but I already have the latest version of py-cffi and libffi.

What I ended up doing:

I uninstalled the version of security/py-certbot-nginx that I had and then ran

$ sudo pkg install py37-certbot # not sure I really need this
$ sudo pkg install py37-certbot-nginx

I can now run some certbot commands, for example:

$ certbot --version
certbot 1.8.0

as well as:

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/samirparikh.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for samirparikh.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/usr/local/etc/letsencrypt/live/samirparikh.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /usr/local/etc/letsencrypt/live/samirparikh.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Again, I won't know for sure whether this is the right permanent solution but I seem to be in a slightly better situation than I was 24 hours earlier.

Thanks again to the very helpful people in this great community for providing such a valuable service!

Samir

2 Likes

Ah, my next thing would be to suggest reinstalling those packages, but I read that's not necessary any longer :stuck_out_tongue:

That's the base certbot program. It should also be a dependency of py37-certbot-nginx, the nginx plugin, so you'd end up with it anyway.

But good to know you've got things working by reinstalling certbot again, although I can't really explain it.

Without knowing what exactly went wrong earlier, it's hard to tell. But I don't have any reason to believe it will stop working within a short time period. However, the "thing" that caused this before could also happen in the future of course, as we don't know what the "thing" really is.

1 Like
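
Added example, not part of any post in this thread and not Certbot or FreeBSD project code: a POSIX sh check that reports Python extension modules whose shared-library dependencies no longer resolve, which is the condition behind the ImportError in the first post. It can be run after an upgrade so a broken renewal client is noticed before the certificate expires. The function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect extension modules with unresolved shared objects.

# missing_libs: read `ldd` output on stdin and print each unresolved
# library name once. Matches FreeBSD ("libffi.so.6 => not found (0)")
# and Linux ("libffi.so.6 => not found") output.
missing_libs() {
    awk '/=> not found/ { if (!seen[$1]++) print $1 }'
}

# scan_site_packages DIR: run ldd on every *.so under DIR and print
# "module: missing-lib" lines. Returns 1 if anything is unresolved.
scan_site_packages() {
    report=$(find "$1" -type f -name '*.so' 2>/dev/null |
        while IFS= read -r so; do
            ldd "$so" 2>/dev/null | missing_libs |
                while IFS= read -r lib; do
                    printf '%s: %s\n' "$so" "$lib"
                done
        done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed sample of ldd output for the module named in the traceback;
# the addresses and the libthr/libc lines are made up for the example.
sample_ldd_output() {
    cat <<'EOF'
/usr/local/lib/python3.6/site-packages/_cffi_backend.so:
	libffi.so.6 => not found (0)
	libthr.so.3 => /lib/libthr.so.3 (0x800a4e000)
	libc.so.7 => /lib/libc.so.7 (0x80024a000)
EOF
}

# Demonstration on the constructed sample. On a real host, call
# scan_site_packages /usr/local/lib/python3.6/site-packages instead.
sample_ldd_output | missing_libs
```

A non-zero return from scan_site_packages can drive a cron alert alongside a periodic `certbot renew --dry-run`.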