I can't install letsencrypt with openssl 1.0.2


#1

My environment:
Ubuntu 14.04
apache 2.4.17
openssl 1.0.2e

openssl was updated from 1.0.1f

wget www.openssl.org/source/openssl-1.0.2e.tar.gz
tar zxvf openssl-1.0.2e.tar.gz
cd openssl-1.0.2e/
./config --prefix=/usr/local/openssl-1.0.2e shared zlib
make && make install
ln -s /usr/local/openssl-1.0.2e/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl-1.0.2e/include/openssl /usr/include/openssl
echo /usr/local/openssl-1.0.2e/lib > /etc/ld.so.conf.d/openssl102e.conf
ldconfig

I use

git clone https://github.com/letsencrypt/letsencrypt
./letsencrypt/letsencrypt-auto certonly -d www.xxx

and an error occurs

File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/rand.py", line 11, in <module>
from OpenSSL._util import (
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 6, in <module>
from cryptography.hazmat.bindings.openssl.binding import Binding
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 13, in <module>
from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /root/.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so: symbol EC_GFp_nistp521_method, version OPENSSL_1.0.1 not defined in file libcrypto.so.1.0.0 with link time reference

but I don’t use openssl 1.0.1

ldconfig -p | grep libcrypto

   libcrypto.so.1.0.0 (libc6,x86-64) => /usr/local/openssl-1.0.2e/lib/libcrypto.so.1.0.0
   libcrypto.so.1.0.0 (libc6,x86-64) => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
   libcrypto.so (libc6,x86-64) => /usr/local/openssl-1.0.2e/lib/libcrypto.so
   libcrypto.so (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libcrypto.so

openssl version -a

OpenSSL 1.0.2e 3 Dec 2015
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/openssl-1.0.2e/ssl"

Could you help me?


#2

You really shouldn’t update core libraries from source. Your issue is that the Ubuntu-supplied crypto libraries for Python are based on OpenSSL 1.0.1 and you just replaced it with a possibly-incompatible update. You have a few options:

  1. Remove your custom compiled OpenSSL and use the system-provided version. (best option)
  2. Build custom versions of all the libraries that relied on the old OpenSSL versions so they use the new version. (possible but a huge pain and maintenance issue)
  3. Try symlinking the new OpenSSL library so to the name that the other component is expecting. (probably won’t work, might cause major issues)
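
An added example, not part of either post: a shell check that reads `ldconfig -p` output and reports every library name the cache resolves from more than one path, keeping only the cases where the winning copy sits outside the distribution library directories. The function names are hypothetical, and it assumes that for entries with the same name and flags the first one listed is the one the loader uses.

```shell
#!/bin/sh
# Added example: detect system libraries shadowed by a copy in another directory.
# Input on stdin is the text printed by `ldconfig -p`.

# Print one line per duplicate cache entry: which path wins, which is shadowed.
# Assumption: the first entry listed for a given "name (flags)" is the winner.
shadowed_libs() {
  awk -F' => ' '
    NF == 2 {
      key = $1
      sub(/^[ \t]+/, "", key)          # key is "soname (flags)"
      if (key in winner) {
        printf "%s: loader uses %s, shadows %s\n", key, winner[key], $2
      } else {
        winner[key] = $2
      }
    }'
}

# Keep only duplicates whose winning copy is outside /lib, /usr/lib and their
# subdirectories, i.e. a locally installed library overriding the packaged one.
nonsystem_winners() {
  shadowed_libs | grep -Ev 'loader uses /(usr/)?lib(32|64)?/' || true
}

# The four cache entries quoted in post #1.
sample_cache() {
  cat <<'EOF'
   libcrypto.so.1.0.0 (libc6,x86-64) => /usr/local/openssl-1.0.2e/lib/libcrypto.so.1.0.0
   libcrypto.so.1.0.0 (libc6,x86-64) => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
   libcrypto.so (libc6,x86-64) => /usr/local/openssl-1.0.2e/lib/libcrypto.so
   libcrypto.so (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libcrypto.so
EOF
}

# Demo on the sample; on a live host use: ldconfig -p | nonsystem_winners
sample_cache | nonsystem_winners
```

On the entries from post #1 this flags both `libcrypto.so.1.0.0` and `libcrypto.so` as resolved from `/usr/local/openssl-1.0.2e/lib` ahead of the packaged copies.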