Certbot snap brotli error

Same here. I am on Ubuntu 18.04. Activated Ubuntu Pro ESM Apps yesterday to receive continuous security updates. Now certbot fails:

# certbot --version
Traceback (most recent call last):
  File "/snap/certbot/4412/bin/certbot", line 5, in <module>
    from certbot.main import main
  File "/snap/certbot/4412/lib/python3.12/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/snap/certbot/4412/lib/python3.12/site-packages/certbot/_internal/main.py", line 23, in <module>
    from acme import client as acme_client
  File "/snap/certbot/4412/lib/python3.12/site-packages/acme/client.py", line 23, in <module>
    import requests
  File "/snap/certbot/4412/lib/python3.12/site-packages/requests/__init__.py", line 43, in <module>
    import urllib3
  File "/snap/certbot/4412/lib/python3.12/site-packages/urllib3/__init__.py", line 18, in <module>
    from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, connection_from_url
  File "/snap/certbot/4412/lib/python3.12/site-packages/urllib3/connectionpool.py", line 15, in <module>
    from ._request_methods import RequestMethods
  File "/snap/certbot/4412/lib/python3.12/site-packages/urllib3/_request_methods.py", line 10, in <module>
    from .response import BaseHTTPResponse
  File "/snap/certbot/4412/lib/python3.12/site-packages/urllib3/response.py", line 301, in <module>
    class BaseHTTPResponse(io.IOBase):
  File "/snap/certbot/4412/lib/python3.12/site-packages/urllib3/response.py", line 311, in BaseHTTPResponse
    DECODER_ERROR_CLASSES += (brotli.error,)
                              ^^^^^^^^^^^^
AttributeError: module 'brotli' has no attribute 'error'

# whereis certbot
certbot: /usr/bin/certbot /snap/bin/certbot
# ll /usr/bin/certbot 
lrwxrwxrwx 1 root root 17 Jan  4  2021 /usr/bin/certbot -> /snap/bin/certbot*

Shouldn't the brotli module be included in the snap package? Running

# find /snap/certbot/ | grep brotli

gives no results.

I removed the symbolic link from /usr/bin/certbot, installed certbot using pip and created a new symbolic link /usr/bin/certbot -> /opt/certbot/bin/certbot. This works as expected.

Not sure if this is related but now certbot's pip installed version cannot renew or create a certificate:

# certbot renew  --dry-run 
/opt/certbot/lib/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
  from cryptography.hazmat.bindings.openssl.binding import Binding
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Python 3.6 support will be dropped in the next release of Certbot - please upgrade your Python version.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for mydomain.com and 4 more domains
Failed to renew certificate mydomain.com with error: Invalid version. The only valid version for X509Req is 0.

Logfile:

2025-02-21 11:49:35,039:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.6/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.6/site-packages/certbot/_internal/main.py", line 1683, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.6/site-packages/certbot/_internal/main.py", line 1389, in run
    certname, lineage)
  File "/opt/certbot/lib/python3.6/site-packages/certbot/_internal/main.py", line 139, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib/python3.6/site-packages/certbot/_internal/client.py", line 513, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib/python3.6/site-packages/certbot/_internal/client.py", line 439, in obtain_certificate
    self.config.must_staple, self.config.strict_permissions)
  File "/opt/certbot/lib/python3.6/site-packages/certbot/crypto_util.py", line 155, in generate_csr
    privkey.pem, names, must_staple=must_staple)
  File "/opt/certbot/lib/python3.6/site-packages/acme/crypto_util.py", line 252, in make_csr
    csr.set_version(2)
  File "/opt/certbot/lib/python3.6/site-packages/OpenSSL/crypto.py", line 1017, in set_version
    "Invalid version. The only valid version for X509Req is 0."
ValueError: Invalid version. The only valid version for X509Req is 0.
2025-02-21 11:49:35,040:ERROR:certbot._internal.log:An unexpected error occurred:
2025-02-21 11:49:35,041:ERROR:certbot._internal.log:ValueError: Invalid version. The only valid version for X509Req is 0.

Manually changing that line to csr.set_version(0) solves it. Of course, this is not the way it should be solved.
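A diagnostic for the brotli traceback above, as an added example that is not part of any post in this thread and not Certbot's code: it reports where a module name resolves from and whether it lacks an attribute the importer expects (urllib3 reads `brotli.error`). The helper names and the stand-in module `brotli_demo_ns` are constructed for illustration, and the namespace-package case shown is only one way an import can succeed without that attribute; the thread does not establish the cause.

```python
import importlib
import importlib.util
import os
import sys
import tempfile


def describe_module(name, required_attrs=("error",)):
    """Report where `name` resolves from and which expected attributes it lacks."""
    spec = importlib.util.find_spec(name)
    if spec is None:
        return {"found": False}
    module = importlib.import_module(name)
    locations = spec.submodule_search_locations
    return {
        "found": True,
        "origin": spec.origin,
        # A bare directory without __init__.py imports as a namespace package:
        # no origin file, but a list of search locations.
        "namespace_package": spec.origin in (None, "namespace") and locations is not None,
        "search_locations": list(locations or []),
        "missing_attrs": [a for a in required_attrs if not hasattr(module, a)],
    }


def demo():
    """Constructed case: an empty directory on sys.path shadows a module name."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "brotli_demo_ns"))  # hypothetical stand-in name
        sys.path.insert(0, tmp)
        importlib.invalidate_caches()
        try:
            return describe_module("brotli_demo_ns")
        finally:
            sys.path.remove(tmp)
            sys.modules.pop("brotli_demo_ns", None)


if __name__ == "__main__":
    # Run with the same interpreter and environment that produced the traceback.
    print("brotli:", describe_module("brotli"))
    print("demo:  ", demo())
```

An `origin` or `search_locations` entry outside the expected installation tree means the interpreter is picking the module up from somewhere else on its import path.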

You should probably post this at the GitHub for Certbot. The EFF developer team will more likely reply to it there.

2 Likes

Re-reading your last several posts, I still think your Certbot snap problem should be reviewed at the EFF GitHub unless some other volunteer offers ideas.

But Certbot's current version requires Python 3.9 or later. They will want you to upgrade before accepting error reports against older versions: certbot/certbot/CHANGELOG.md at main · certbot/certbot · GitHub

I also moved your posts into their own thread. We like each person to have their own in general and your problems are diverging from the original post.

2 Likes