Python error upon letsencrypt install


#1

Upon doing a “/root/letsencrypt/certbot-auto renew -nvv --standalone > /var/log/letsencrypt/renew.log”, I am getting the Python error below. Letsencrypt works on another server I have. The difference in the first servers is that the good install is using OpenSSL: 1.0.1e 11 Feb 2013, whereas the second server that is failing to renew the cert is using OpenSSL: 1.0.2h 3 May 2016. The second server used to renew the cert without problems up until I updated OpenSSL to 1.0.2h. Any suggestions on how to fix this? Thanks.

Log error messages:

Creating virtual environment…
The --no-site-packages flag is deprecated; it is now the default behavior.
New python executable in /root/.local/share/letsencrypt/bin/python2.7
Also creating executable in /root/.local/share/letsencrypt/bin/python
Installing distribute…$
Installing pip…done.
Running virtualenv with interpreter /usr/bin/python2.7
Installing Python packages…
Installation succeeded.
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 13, in <module>
    from acme import jose
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/jose/__init__.py", line 37, in <module>
    from acme.jose.interfaces import JSONDeSerializable
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/jose/interfaces.py", line 9, in <module>
    from acme.jose import util
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/jose/util.py", line 5, in <module>
    import OpenSSL
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/rand.py", line 11, in <module>
    from OpenSSL._util import (
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /root/.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so: undefined symbol: X509_VERIFY_PARAM_set1_ip_asc


#2

Been digging around all day on this and it seems to be caused by certbot-auto trying to install its own python. It is not finding this parameter - X509_VERIFY_PARAM_set1_ip_asc - that is located in /.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/_conditional.pyc
I am assuming that OpenSSL: 1.0.2h is no longer using that string or that the string has been changed in OpenSSL: 1.0.2h


#3

Did some short tests on 3 new VPSs and think I found the problem. I have to config OpenSSL in special folders when installing:

cd openssl-1.0.2h
./config --prefix=/usr/local --openssldir=/usr/local/openssl
make depend
make
make test
sudo make install

This different configuration is causing certbot-auto to not find the X509… file/parameter.


#4

How did you solve the problem…


#5

Since November 2016 the old client no longer accepts the old OpenSSL 1.01*. I upgraded to 1.02j and installed Certbot-auto on my Ubuntu 12.04 server.

I have the same problem: the letsencrypt executable fails with something like:

from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /home/xipexi/.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so: undefined symbol: X509_get_signature_nid
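
An "undefined symbol" ImportError means the libcrypto/libssl that the dynamic loader resolved for _openssl.so does not export that function. The following is an added example, not part of the thread or of certbot: it pulls the symbol names out of the two ImportError lines quoted above and reports which candidate OpenSSL libraries on a machine lack them. The candidate library paths are hypothetical and need adjusting to the system being checked.

```python
import ctypes
import re

# The two ImportError lines quoted in posts #1 and #5 of this thread.
SAMPLE_ERRORS = [
    "ImportError: /root/.local/share/letsencrypt/local/lib/python2.7/site-packages/"
    "cryptography/hazmat/bindings/_openssl.so: undefined symbol: X509_VERIFY_PARAM_set1_ip_asc",
    "ImportError: /home/xipexi/.local/share/letsencrypt/local/lib/python2.7/site-packages/"
    "cryptography/hazmat/bindings/_openssl.so: undefined symbol: X509_get_signature_nid",
]

IMPORT_ERROR = re.compile(
    r"ImportError: (?P<module>\S+\.so): undefined symbol: (?P<symbol>\w+)")

def parse_undefined_symbol(line):
    """Return (extension module path, missing symbol), or None if the line does not match."""
    m = IMPORT_ERROR.search(line)
    return (m.group("module"), m.group("symbol")) if m else None

def exports(library, symbol):
    """True if the loaded library (a ctypes.CDLL) resolves `symbol` via dlsym."""
    return hasattr(library, symbol)

def candidates_report(symbols, library_paths):
    """Map each library path to the symbols it lacks; None if it cannot be loaded."""
    report = {}
    for path in library_paths:
        try:
            lib = ctypes.CDLL(path)
        except OSError:
            report[path] = None  # not present, or not loadable on this host
            continue
        report[path] = [s for s in symbols if not exports(lib, s)]
    return report

if __name__ == "__main__":
    symbols = [parse_undefined_symbol(line)[1] for line in SAMPLE_ERRORS]
    # Hypothetical locations: a distribution copy and a build under /usr/local.
    paths = ["/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0",
             "/usr/local/lib/libcrypto.so.1.0.0"]
    for path, missing in candidates_report(symbols, paths).items():
        if missing is None:
            print("%s: could not be loaded" % path)
        else:
            print("%s: missing %s" % (path, ", ".join(missing) or "nothing"))
```

Running `ldd` on the `_openssl.so` named in the error shows which of those libraries the loader actually picks for the extension module.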