Certificate renewal issue: OpenSSL legacy provider failed to load

I received an email stating that my certificate expires in 19 days. I set it up to auto-renew. I've tried "certbot renew" but get errors.

My domain is: etcate.com
My web server is Apache
I am hosting on my own machine
I ran this command: "certbot renew" (no quotes)
It produced this output:

Traceback (most recent call last):
  File "/snap/certbot/4194/bin/certbot", line 5, in <module>
    from certbot.main import main
  File "/snap/certbot/4194/lib/python3.12/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/snap/certbot/4194/lib/python3.12/site-packages/certbot/_internal/main.py", line 20, in <module>
    import josepy as jose
  File "/snap/certbot/4194/lib/python3.12/site-packages/josepy/__init__.py", line 40, in <module>
    from josepy.json_util import (
  File "/snap/certbot/4194/lib/python3.12/site-packages/josepy/json_util.py", line 24, in <module>
    from OpenSSL import crypto
  File "/snap/certbot/4194/lib/python3.12/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/snap/certbot/4194/lib/python3.12/site-packages/OpenSSL/SSL.py", line 11, in <module>
    from OpenSSL._util import (
  File "/snap/certbot/4194/lib/python3.12/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/snap/certbot/4194/lib/python3.12/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 15, in <module>
    from cryptography.exceptions import InternalError
  File "/snap/certbot/4194/lib/python3.12/site-packages/cryptography/exceptions.py", line 9, in <module>
    from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.

The operating system my web server runs on is: Raspbian GNU/Linux 10 (buster)

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: no

The version of my client is: Don't know; "certbot --version" results in the same output as above.

Server version: Apache/2.4.59 (Raspbian)
Server built: 2024-05-24T22:36:21

@wo1fmane I've moved your posts into a new thread. Please don't post in other users' threads if the issue is not the same (which 99.9999 % of cases isn't).

Furthermore, this is a known bug and has been fixed in a future (as of writing this) release of Certbot: Crash when calling certbot list with new certbot on raspbian · Issue #10055 · certbot/certbot · GitHub. In that issue a temporary workaround is also posted.

3 Likes

Try upgrading to the latest certbot version.

2 Likes

Thanks for your quick response. Sorry, this is my first time on this forum and it looked to me like that thread was pinned for people to reply the way I did. Thank you for setting me straight. Also, thank you for pointing me to the temporary solution. The workaround worked. I don't know if I want to switch to the nightly Certbot builds, but at least I can keep renewing manually until the solution either trickles down to mainstream or I get tired of renewing myself and change to nightly.

2 Likes

You can "Subscribe" to that issue, as bmw has promised to post in that issue when the stable channel has been updated. So you can keep the nightly builds for now and once the stable channel has been updated too (of which you should get a notification from GitHub once bmw has posted as such), you can switch back. There isn't much harm in running the nightly build I guess.

2 Likes
