Unable to renew my certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: historybits.vk7krj.com & vk7krj.com

I ran this command: certbot renew

It produced this output: Traceback (most recent call last):
File "/snap/certbot/4194/bin/certbot", line 5, in <module>
from certbot.main import main
File "/snap/certbot/4194/lib/python3.12/site-packages/certbot/main.py", line 6, in <module>
from certbot._internal import main as internal_main
File "/snap/certbot/4194/lib/python3.12/site-packages/certbot/_internal/main.py", line 20, in <module>
import josepy as jose
File "/snap/certbot/4194/lib/python3.12/site-packages/josepy/__init__.py", line 40, in <module>
from josepy.json_util import (
File "/snap/certbot/4194/lib/python3.12/site-packages/josepy/json_util.py", line 24, in <module>
from OpenSSL import crypto
File "/snap/certbot/4194/lib/python3.12/site-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import SSL, crypto
File "/snap/certbot/4194/lib/python3.12/site-packages/OpenSSL/SSL.py", line 11, in <module>
from OpenSSL._util import (
File "/snap/certbot/4194/lib/python3.12/site-packages/OpenSSL/_util.py", line 6, in <module>
from cryptography.hazmat.bindings.openssl.binding import Binding
File "/snap/certbot/4194/lib/python3.12/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 15, in <module>
from cryptography.exceptions import InternalError
File "/snap/certbot/4194/lib/python3.12/site-packages/cryptography/exceptions.py", line 9, in <module>
from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.

My web server is (include version): Server version: Apache/2.4.29 (Ubuntu)
Server built: 2023-03-08T17:34:33

The operating system my web server runs on is (include version): Ubuntu 18.04.6 LTS

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.0.1 4194 latest/stable certbot-eff** classic
Note- the above output was produced by "sudo snap list | grep -i certbot" - your two listed commands produced errors.

1 Like

Hello @vk7krj, welcome to the Let's Encrypt community. 🙂

Did you do what is in bold?

Please show the output of each of these

  • openssl version
  • sudo certbot --version
  • sudo apachectl -t -D DUMP_VHOSTS
2 Likes

That is a known bug. And setting that variable is one work-around.

There is another work-around described in the thread below. Please see that github thread for more details. You can subscribe to that thread to be informed of its final fix. Note that "bmw" is a Certbot dev.

3 Likes

Hi Bruce, thanks for the reply. I did a bit of googling to try to find where to put the environment variable and I think I have set it- I put the line-

CRYPTOGRAPHY OPENSSL NO LEGACY

in /etc/apache2/envvars

and in

/etc/enviroment

as I wasn't sure which was correct.

The openssl version reports as-

OpenSSL 1.1.1 11 Sep 2018

The output from
sudo certbot --version

is-

Traceback (most recent call last):
File "/snap/certbot/4194/bin/certbot", line 5, in <module>
from certbot.main import main
File "/snap/certbot/4194/lib/python3.12/site-packages/certbot/main.py", line 6, in <module>
from certbot._internal import main as internal_main
File "/snap/certbot/4194/lib/python3.12/site-packages/certbot/_internal/main.py", line 20, in <module>
import josepy as jose
File "/snap/certbot/4194/lib/python3.12/site-packages/josepy/__init__.py", line 40, in <module>
from josepy.json_util import (
File "/snap/certbot/4194/lib/python3.12/site-packages/josepy/json_util.py", line 24, in <module>
from OpenSSL import crypto
File "/snap/certbot/4194/lib/python3.12/site-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import SSL, crypto
File "/snap/certbot/4194/lib/python3.12/site-packages/OpenSSL/SSL.py", line 11, in <module>
from OpenSSL._util import (
File "/snap/certbot/4194/lib/python3.12/site-packages/OpenSSL/_util.py", line 6, in <module>
from cryptography.hazmat.bindings.openssl.binding import Binding
File "/snap/certbot/4194/lib/python3.12/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 15, in <module>
from cryptography.exceptions import InternalError
File "/snap/certbot/4194/lib/python3.12/site-packages/cryptography/exceptions.py", line 9, in <module>
from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.

The output from
sudo apachectl -t -D DUMP_VHOSTS

is-

Traceback (most recent call last):
File "/snap/certbot/4194/bin/certbot", line 5, in <module>
from certbot.main import main
File "/snap/certbot/4194/lib/python3.12/site-packages/certbot/main.py", line 6, in <module>
from certbot._internal import main as internal_main
File "/snap/certbot/4194/lib/python3.12/site-packages/certbot/_internal/main.py", line 20, in <module>
import josepy as jose
File "/snap/certbot/4194/lib/python3.12/site-packages/josepy/__init__.py", line 40, in <module>
from josepy.json_util import (
File "/snap/certbot/4194/lib/python3.12/site-packages/josepy/json_util.py", line 24, in <module>
from OpenSSL import crypto
File "/snap/certbot/4194/lib/python3.12/site-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import SSL, crypto
File "/snap/certbot/4194/lib/python3.12/site-packages/OpenSSL/SSL.py", line 11, in <module>
from OpenSSL._util import (
File "/snap/certbot/4194/lib/python3.12/site-packages/OpenSSL/_util.py", line 6, in <module>
from cryptography.hazmat.bindings.openssl.binding import Binding
File "/snap/certbot/4194/lib/python3.12/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 15, in <module>
from cryptography.exceptions import InternalError
File "/snap/certbot/4194/lib/python3.12/site-packages/cryptography/exceptions.py", line 9, in <module>
from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.

1 Like
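
An added example, not part of any post in this thread: a shell check that reports whether CRYPTOGRAPHY_OPENSSL_NO_LEGACY appears in an environment-style file as a usable NAME=value line, run here on constructed sample content. The function name and status words are hypothetical, and it checks file syntax only, not whether the certbot process inherits the variable.

```sh
#!/bin/sh
# Added example (not from the thread): report how CRYPTOGRAPHY_OPENSSL_NO_LEGACY
# appears in an environment-style file (one NAME=value per line).
VAR=CRYPTOGRAPHY_OPENSSL_NO_LEGACY

# legacy_var_status FILE -> prints ok | ineffective | missing | nofile
legacy_var_status() {
    lvs_file=$1
    lvs_status=missing
    [ -r "$lvs_file" ] || { echo nofile; return 0; }
    while IFS= read -r lvs_line || [ -n "$lvs_line" ]; do
        # Trim surrounding whitespace and an optional "export " prefix.
        lvs_line=$(printf '%s\n' "$lvs_line" |
            sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^export[[:space:]][[:space:]]*//')
        case $lvs_line in ''|'#'*) continue ;; esac   # blank line or comment
        # Fold case, spaces and dashes so near-miss spellings of the name match.
        lvs_name=$(printf '%s' "${lvs_line%%=*}" |
            tr '[:lower:]' '[:upper:]' | tr ' -' '__')
        [ "$lvs_name" = "$VAR" ] || continue
        case $lvs_line in
            # Assumption: an empty value or 0 does not switch the option on.
            "$VAR="|"$VAR=0") [ "$lvs_status" = ok ] || lvs_status=ineffective ;;
            "$VAR="?*)        lvs_status=ok ;;
            # Name recognised, but the line is not a NAME=value assignment.
            *)                [ "$lvs_status" = ok ] || lvs_status=ineffective ;;
        esac
    done < "$lvs_file"
    echo "$lvs_status"
}

# Constructed sample content: a bare name written with spaces, no "=value".
demo=$(mktemp)
printf 'PATH="/usr/sbin:/usr/bin"\nCRYPTOGRAPHY OPENSSL NO LEGACY\n' > "$demo"
echo "constructed sample: $(legacy_var_status "$demo")"
rm -f "$demo"
```
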

Please see Mike's response.

1 Like

Thanks Osiris, that fixed it.

1 Like
