Let's Encrypt Client on Amazon Linux - No module named _cffi_backend

I’m having trouble getting the Let’s Encrypt official client to work on Amazon Linux. I got it to work once, but now a week or so later it won’t work. I’ve read this thread and tried everything in it, with no luck.

I’m trying to register multiple domains, all hosted on one server in AWS. DNS for most domains is pointing at the old server, not this AWS server, so I believe I have to use a standalone client, as the challenge can’t succeed without DNS being pointed at this server.

This worked the first time I tried it
cd /opt
yum install git
cd letsencrypt
git checkout amazonlinux
git pull
service nginx stop
./letsencrypt-auto certonly -a standalone -d aws.photographerstechsupport.com

When I run that last command again I get the following output

[root@ip-1.2.3.4 letsencrypt]# ./letsencrypt-auto certonly -a standalone -d aws.photographerstechsupport.com
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly -a standalone -d aws.photographerstechsupport.com
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 7, in <module>
    from letsencrypt.cli import main
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 17, in <module>
    import OpenSSL
  File "/root/.local/share/letsencrypt/local/lib64/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/root/.local/share/letsencrypt/local/lib64/python2.7/site-packages/OpenSSL/rand.py", line 11, in <module>
    from OpenSSL._util import (
  File "/root/.local/share/letsencrypt/local/lib64/python2.7/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/root/.local/share/letsencrypt/local/lib64/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 13, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: No module named _cffi_backend

Can anyone help with this? Am I using the wrong command? Is a required dependency not installed?

I’ve also tried acme-tiny but it doesn’t have a standalone mode - if I can’t get this working I may try acmetool which apparently does. I’d prefer to use the official client though. I also have access to Ubuntu VMs, but having to transfer things around would probably be a bit more hassle.

I don't think this is necessary; the amazonlinux branch has been merged with master (and is 680 commits behind master, some of those might be bug fixes relevant to you). I would suggest reinstalling from the master branch.

If that doesn't help, another thread suggests issues with cffi can be fixed by running yum install python27-devel.

Thanks for the idea pfg. I switched to the master branch (git checkout master then git pull), made sure that python package was installed, but got the same error.

I'll give acmetool a go soon.

One last thing I would try is deleting /root/.local/share/letsencrypt and then trying again. Not sure if reinstallation is working properly when you initially started on another branch. By deleting that folder, you make sure the dependency installation etc. runs again with the latest version.

Tried that, no luck. Here's what I did

rm (that directory)
yum install python-devel openssl-devel libffi-devel
pip install pyopenssl
./letsencrypt-auto certonly -a standalone -d aws.photographerstechsupport.com --debug --server https://acme-staging.api.letsencrypt.org/directory
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly -a standalone -d aws.photographerstechsupport.com --debug --server https://acme-staging.api.letsencrypt.org/directory
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 7, in <module>
    from letsencrypt.cli import main
  File "/root/.local/share/letsencrypt/local/lib/python2.7/dist-packages/letsencrypt/cli.py", line 17, in <module>
    import OpenSSL
ImportError: No module named OpenSSL

I think I'll have to abandon this, it's not worth the time when other clients should work. Happy to try things to help development, but anyone can get an EC2 instance to try themselves.

Unfortunately, a lot of these issues seem to be caused by small differences in pre-existing configuration or packages. I did attempt to debug one of these issues before (coincidentally it's the one you're having now), and was unable to reproduce the issue. I just tried the same commands you are using on a clean instance (Amazon Linux AMI 2015.09.1 x86_64 HVM GP2) and they worked fine.

What's weird to me is that the client doesn't seem to be reinstalling dependencies when you run letsencrypt-auto, which it should do after you deleted /root/.local/share/letsencrypt. Specifically, you should see something like

Bootstrapping dependencies for Amazon Linux...

followed by some yum output. Just tried this myself, and that's what I got.

Here's the thread I was referring to - the OP did find a fix eventually, maybe it'll be of use to you:

I ran it a couple of times, so it probably did do the reinitialization, I only posted the last output. I tried to fix it before posting. Here it is again

./letsencrypt-auto certonly -a standalone -d aws.photographerstechsupport.com --server https://acme-staging.api.letsencrypt.org/directory --debug
Bootstrapping dependencies for Amazon Linux...
yum is /usr/bin/yum
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main/latest                                                                                           | 2.1 kB     00:00
amzn-updates/latest                                                                                        | 2.3 kB     00:00
951 packages excluded due to repository priority protections
Package python26-2.6.9-2.84.amzn1.x86_64 already installed and latest version
Package python26-devel-2.6.9-2.84.amzn1.x86_64 already installed and latest version
Package python-virtualenv-1.10.1-1.el6.noarch is obsoleted by python26-virtualenv-12.0.7-1.10.amzn1.noarch which is already installed
Nothing to do
Loaded plugins: priorities, update-motd, upgrade-helper
951 packages excluded due to repository priority protections
Package gcc-4.8.3-3.20.amzn1.noarch already installed and latest version
Package dialog-1.1-9.20080819.1.5.amzn1.x86_64 already installed and latest version
Package augeas-libs-1.0.0-5.7.amzn1.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.1k-13.88.amzn1.x86_64 already installed and latest version
Package libffi-devel-3.0.13-11.4.amzn1.x86_64 already installed and latest version
Package system-rpm-config-9.0.3-42.27.amzn1.noarch already installed and latest version
Package ca-certificates-2015.2.4-65.0.1.14.amzn1.noarch already installed and latest version
Nothing to do
Creating virtual environment...
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly -a standalone -d aws.photographerstechsupport.com --server https://acme-staging.api.letsencrypt.org/directory --debug
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 7, in <module>
    from letsencrypt.cli import main
  File "/root/.local/share/letsencrypt/local/lib/python2.7/dist-packages/letsencrypt/cli.py", line 17, in <module>
    import OpenSSL
ImportError: No module named OpenSSL

I can see it installs OpenSSL, but then it says it can’t find it. Oh well :(

Hello,

I am getting the same error.

Running it on Amazon linux.

Any luck with anyone solving the issue?

It worked for me 1 week ago and now it isn’t working.

Regards,
Shreyansh Sanghani

Use Acme instead of the LE Client. It’s far more reliable.

Hello guys, updated my LE-script today and I use AML so I thought to give some feedback:

Here my report from my tests! Cheers!

This has been tested in a fresh Amazon Linux instance.

sudo yum update
sudo su
yum install git

cd /opt
git clone https://github.com/letsencrypt/letsencrypt

cd letsencrypt
./letsencrypt-auto --help

WARNING: Amazon Linux support is very experimental at present...
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!

./letsencrypt-auto --help --debug

Installed:
augeas-libs.x86_64 0:1.0.0-5.7.amzn1 dialog.x86_64 0:1.1-9.20080819.1.5.amzn1
gcc.noarch 0:4.8.3-3.20.amzn1 libffi-devel.x86_64 0:3.0.13-11.4.amzn1
openssl-devel.x86_64 1:1.0.1k-13.88.amzn1 system-rpm-config.noarch 0:9.0.3-42.27.amzn1

Dependency Installed:
cpp48.x86_64 0:4.8.3-9.109.amzn1 gcc48.x86_64 0:4.8.3-9.109.amzn1
glibc-devel.x86_64 0:2.17-106.163.amzn1 glibc-headers.x86_64 0:2.17-106.163.amzn1
kernel-headers.x86_64 0:4.1.13-19.31.amzn1 keyutils-libs-devel.x86_64 0:1.5.8-3.12.amzn1
krb5-devel.x86_64 0:1.13.2-10.39.amzn1 libcom_err-devel.x86_64 0:1.42.12-4.40.amzn1
libgomp.x86_64 0:4.8.3-9.109.amzn1 libmpc.x86_64 0:1.0.1-3.3.amzn1
libselinux-devel.x86_64 0:2.1.10-3.22.amzn1 libsepol-devel.x86_64 0:2.1.7-3.12.amzn1
libverto-devel.x86_64 0:0.2.5-4.9.amzn1 mpfr.x86_64 0:3.1.1-4.14.amzn1
zlib-devel.x86_64 0:1.2.8-7.18.amzn1

Creating virtual environment...
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --help --debug

letsencrypt-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

Ran without any issues.
If you are having trouble, this is a fix I have to use on my current install of Amazon Linux.
If you use another user than root, pay attention to the paths; they are absolute paths here.
You can proceed just like the example above, but you are most likely to get an error like this:

./letsencrypt-auto --debug
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --debug
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 7, in <module>
    from letsencrypt.cli import main
  File "/root/.local/share/letsencrypt/local/lib/python2.7/dist-packages/letsencrypt/cli.py", line 19, in <module>
    import OpenSSL
ImportError: No module named OpenSSL

This may vary, the module can be pretty much any other. (in my experience I had at least four modules failing to load to just cffi_backend)
Let's do some fixing.

cd /root/.local/share/letsencrypt/lib/python2.7/dist-packages
What you will notice is that the module that failed to load will not be in this directory, and here is where our nasty Python is looking

cd /root/.local/share/letsencrypt/local/lib64/python2.7/dist-packages
Here you probably have the missing module.

What I'm gonna do is to create symlinks to the former directory:
Pay attention not to start creating the symlinks outside of this directory below:

cd /root/.local/share/letsencrypt/lib/python2.7/dist-packages

ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/cffi cffi
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/cffi-1.5.0-py2.7.egg-info cffi-1.5.0-py2.7.egg-info
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/_cffi_backend.so _cffi_backend.so
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/cryptography cryptography
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/cryptography-1.2.2-py2.7.egg-info cryptography-1.2.2-py2.7.egg-info
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/OpenSSL OpenSSL
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/psutil psutil
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/psutil-3.4.2-py2.7.egg-info psutil-3.4.2-py2.7.egg-info
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/pyOpenSSL-0.15.1.dist-info pyOpenSSL-0.15.1.dist-info
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/pyrfc3339 pyrfc3339
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/pyRFC3339-1.0.dist-info pyRFC3339-1.0.dist-info
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/werkzeug werkzeug
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/Werkzeug-0.11.3.dist-info Werkzeug-0.11.3.dist-info
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/zope/interface zope/interface
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/zope.interface-4.1.3-py2.7.egg-info zope.interface-4.1.3-py2.7.egg-info
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/zope.interface-4.1.3-py2.7-nspkg.pth zope.interface-4.1.3-py2.7-nspkg.pth


There should be a better way to fix this, but as both directories have modules (they are the dist-packages Python uses), I am confused about whether I am supposed to leave everything inside one or the other; I know that this is a 64-bit Linux. Well, hope that helps. And just to reinforce: this is not happening in fresh installs of AML; the LE script is just warning you about being experimental, but it ran without any issues.


I got to my machine and updated again, and I had this issue of not finding required modules. This is happening to us because the modules are split between lib and lib64. This is not happening in a fresh install of AML. Don't know why this behaviour.

Let me give you guys some fix, this should clear the missing modules:

cd /root/.local/share/letsencrypt/lib/python2.7/dist-packages/
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/cffi cffi
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/cffi-1.4.2-py2.7.egg-info cffi-1.4.2-py2.7.egg-info
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/_cffi_backend.so _cffi_backend.so
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/cryptography cryptography
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/cryptography-1.1.2-py2.7.egg-info cryptography-1.1.2-py2.7.egg-info
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/psutil psutil
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/psutil-3.3.0-py2.7.egg-info psutil-3.3.0-py2.7.egg-info
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/zope/interface zope/interface
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/zope.interface-4.1.3-py2.7.egg-info zope.interface-4.1.3-py2.7.egg-info
ln -s /root/.local/share/letsencrypt/lib64/python2.7/dist-packages/zope.interface-4.1.3-py2.7-nspkg.pth zope.interface-4.1.3-py2.7-nspkg.pth

Hope this helps. If you are trying to understand, do not just run the symlink cmds, take a look into the dist-packages inside:

/root/.local/share/letsencrypt/lib/python2.7/dist-packages/
/root/.local/share/letsencrypt/lib64/python2.7/dist-packages/

LE will try to meet the modules inside the lib only, that is why it is failing for us.

felco
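
The lib versus lib64 comparison described in the posts above, as an added example that is not part of the original thread: it lists what exists only under lib64 and, on request, creates the same symlinks without hard-coding package versions. The function names and the report/link modes are assumptions; the python2.7 paths follow the thread's tracebacks.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the report/link
# modes are assumptions; the python2.7 layout follows the tracebacks above.

# sync_split SRC DST MODE PREFIX
#   Prints each entry present in SRC but absent from DST. With MODE=link it
#   also symlinks the entry into DST. SRC must be an absolute path.
sync_split() {
    src=$1; dst=$2; mode=$3; prefix=$4
    for path in "$src"/*; do
        [ -e "$path" ] || continue              # glob matched nothing
        name=${path##*/}
        if [ ! -e "$dst/$name" ] && [ ! -L "$dst/$name" ]; then
            echo "$prefix$name"
            if [ "$mode" = link ]; then ln -s "$path" "$dst/$name"; fi
        elif [ -z "$prefix" ] && [ -d "$path" ] && [ -d "$dst/$name" ] \
             && [ ! -L "$dst/$name" ] && [ ! -e "$dst/$name/__init__.py" ]; then
            # A namespace package (zope in the thread) is a real directory in
            # both trees, so compare one level down. The subshell keeps this
            # call's variables intact.
            ( sync_split "$path" "$dst/$name" "$mode" "$name/" )
        fi
    done
    return 0
}

# check_venv VENV [link]
#   Compares lib64 against lib for both package directory names seen in the
#   thread. Without "link" it only reports, which is the safe first run.
check_venv() {
    venv=$1; mode=${2:-report}
    for sub in dist-packages site-packages; do
        if [ -d "$venv/lib64/python2.7/$sub" ] && [ -d "$venv/lib/python2.7/$sub" ]; then
            sync_split "$venv/lib64/python2.7/$sub" "$venv/lib/python2.7/$sub" "$mode" ""
        fi
    done
    return 0
}

# Example: sh split-venv.sh /root/.local/share/letsencrypt        (report)
#          sh split-venv.sh /root/.local/share/letsencrypt link   (repair)
[ $# -eq 0 ] || check_venv "$@"
```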