Getting OpenSSL 1.0.1 deprecation warning on CentOS 6 from certbot-auto

Since 4/9 I’ve started receiving CryptographyDeprecationWarning from certbot-auto on an i686 CentOS 6 box:

[root@host ~]# certbot-auto --version
/opt/eff.org/certbot/venv/lib/python3.4/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. A future version of cryptography will drop support for it.
  utils.CryptographyDeprecationWarning
certbot 0.38.0

According to https://github.com/certbot/certbot/issues/7184, a similar message will supposedly appear when certbot-auto has its cryptography dependency upgraded to 2.8, which hadn’t yet happened. However, I notice that the message for cryptography 2.8 reads “[t]he next version” but the one I got states “[a] future version”.

Is there any particular reason for me to be getting this message now?

Hi,

The last release of OpenSSL 1.0.1 was in 2016, which is already 3 years old. (Even if the CentOS project ported the patches from later releases, it’s still really old and vulnerable to attacks.)

The last update for CentOS 6 was in 2018, which is pretty old either way (and CentOS 8 is around the corner).

Why are you receiving this message?
Because although you are running certbot-auto on CentOS 6, your server is (as you said) x86, not x64, so you won’t be able to compile cryptography against the latest OpenSSL version.

Also, the error message is similar to the one in the issue thread, and yours looks legitimate.

Please consider upgrading your CentOS box to a new version, or, as the issue mentioned, downgrading without future upgrades.

Pinging @schoen, @bmw for confirmation (in case I missed anything)

Thank you


Thanks @stevenzhu. Everything in your explanation is correct.

We’ll continue to use older versions of cryptography in certbot-auto as long as we reasonably can, but in order to ensure things like security fixes for our users, we will likely need to upgrade to a version of the project without OpenSSL 1.0.1 support in the future. When we do this, newer versions of certbot-auto will no longer work on RHEL 6 based systems that aren’t running on x86-64. (We can continue to support x86-64 because cryptography offers a precompiled package that bundles its own version of OpenSSL.)

To avoid certbot-auto breaking, you could include --no-self-upgrade on certbot-auto's command line, but doing so will prevent you from getting all future fixes including security fixes, compatibility fixes with Let’s Encrypt’s servers, etc. The better option is to upgrade to a newer version of CentOS and reinstall Certbot by following the instructions at https://certbot.eff.org/instructions. CentOS 6 loses all security support from its maintainers in November of next year.


Thanks for your replies. I am well aware that CentOS 6 is approaching EOL late next year and I have plans to migrate the applications to a new setup, but I cannot just upgrade the server now.

But regarding my original question, it seems that @bmw wasn’t exactly right that upgrading to cryptography 2.8 would cause the message to be printed – apparently it’s already there in cryptography 2.7.

For anyone interested, the warning can be suppressed by setting the following environment variable:

PYTHONWARNINGS="ignore:OpenSSL version 1.0.1"
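An added example (not part of this thread) showing how that PYTHONWARNINGS value is applied: Python treats the message field as a literal, case-insensitive prefix of the warning text, so the filter silences exactly this OpenSSL 1.0.1 warning and leaves any other warning visible. The warning class below is a constructed stand-in for cryptography's, and the parser handles only the action and message fields of the spec.

```python
import re
import warnings


class CryptographyDeprecationWarning(UserWarning):
    """Constructed stand-in for cryptography.utils.CryptographyDeprecationWarning."""


# The text certbot-auto printed (from the thread), used as sample input.
OPENSSL_101_WARNING = (
    "OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, "
    "please upgrade. A future version of cryptography will drop support for it."
)


def apply_pythonwarnings(spec):
    """Install filters from a PYTHONWARNINGS-style value.

    Each comma-separated entry is action:message[:category:module:lineno].
    Like the interpreter, the message is escaped so it matches as a literal,
    case-insensitive prefix. Category/module/lineno are ignored here
    (simplification; the real interpreter resolves them too).
    """
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        fields = (entry.split(":") + ["", "", "", ""])[:5]
        action, message = fields[0], fields[1]
        warnings.filterwarnings(action, message=re.escape(message))


def warning_shown(spec, text, category=CryptographyDeprecationWarning):
    """Return True if a warning with `text` is still emitted under `spec`."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.resetwarnings()
        # Base filter: always emit, so the result does not depend on the
        # once-per-location registry; the spec's filters are inserted ahead of it.
        warnings.simplefilter("always")
        apply_pythonwarnings(spec)
        warnings.warn(text, category)
    return len(caught) > 0


if __name__ == "__main__":
    spec = "ignore:OpenSSL version 1.0.1"
    print("1.0.1 warning shown:", warning_shown(spec, OPENSSL_101_WARNING))
    print("other warning shown:", warning_shown(spec, "Some unrelated deprecation"))
```

Because the match is a prefix on the message only, the filter hides the symptom without changing the linked OpenSSL; the box still runs 1.0.1 until it is upgraded.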

Thanks for the clarification @alvinhochun. I edited my post at https://github.com/certbot/certbot/issues/7184#issue-460529031.

