Update for TLS-SNI-01 - now certbot fails on 'Cryptography_HAS_DTLS'


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

blog.nurtureit.io

I ran this command:

updated following instructions:
https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210/4
then ran certbot --version

It produced this output:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 561, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2631, in load_entry_point
    return ep.load()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2291, in load
    return self.resolve()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2297, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 10, in <module>
    import josepy as jose
  File "/usr/lib/python3/dist-packages/josepy/__init__.py", line 44, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/usr/lib/python3/dist-packages/josepy/interfaces.py", line 8, in <module>
    from josepy import errors, util
  File "/usr/lib/python3/dist-packages/josepy/util.py", line 4, in <module>
    import OpenSSL
  File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 16, in <module>
    from OpenSSL._util import (
  File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/bindings/openssl/binding.py", line 156, in <module>
    Binding.init_static_locks()
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/bindings/openssl/binding.py", line 137, in init_static_locks
    cls._ensure_ffi_initialized()
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/bindings/openssl/binding.py", line 124, in _ensure_ffi_initialized
    cls.lib = build_conditional_library(lib, CONDITIONAL_NAMES)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/bindings/openssl/binding.py", line 84, in build_conditional_library
    if not getattr(lib, condition):
AttributeError: cffi library '_openssl' has no function, constant or global variable named 'Cryptography_HAS_DTLS'

My web server is (include version):

Apache/2.4.18

The operating system my web server runs on is (include version):

Ubuntu 16.04.5 LTS

My hosting provider, if applicable, is:

Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot==0.28.0

this seems to be the bug here:

I’m wondering if there is any insight on how I might clean up dependencies to make things work. I’d rather not resort to a custom install of certbot-auto


#2

Which version of OpenSSL are you running?
[I believe 1.0.2+ may be required for DTLS]

Is the entire system up-to-date?

What do these show:
apt update
apt-get update


#3

thanks for responding.

OpenSSL 1.0.2g 1 Mar 2016

apt update is new to me

1 package can be upgraded.

(it is cloud-init)

sudo apt-get upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  cloud-init
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

so, nothing left to upgrade other than cloud-init and I’m assuming that isn’t relevant here.


#4

yeah, that was a dead-end…


#5

@bmw @joohoi any ideas why this dependency version skew would happen?

@ConfusedVorlon you didn’t use pip to manually update any system packages, did you?


#6

I’m pretty sure I have never used pip on any server for anything!

I can’t be 100% sure what happened in the ‘origin story’ of this server though. This was a one-click install of ubuntu+apache+wordpress from DigitalOcean

I fired it up about 18 months ago


#7

@ConfusedVorlon, I’ve responded on GitHub at https://github.com/certbot/certbot/issues/5651#issuecomment-463800522.


#8

thank you.

must be at least 20 char


#9

Wild guess…:
apt-get install --reinstall python3-certifi python3-openssl ssl-cert


#10

still no change. Thanks though.


#11

I see that it isn’t the exact same error message though:

AttributeError: cffi library '_openssl' has no function, constant or global variable named 'Cryptography_HAS_DTLS'

AttributeError: cffi library '_openssl' has no function, constant or global variable named 'Cryptography_HAS_SCT'

Not a victory by any means, but it seems that it is somehow being “changed” / “affected”…

Try:
apt-get install --reinstall python3-josepy


#12

I have an exact same system (or very similar):

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.5 LTS
Release:        16.04
Codename:       xenial
dpkg -l python3-{cryptography,openssl,cffi,cffi-backend,certbot,certbot-nginx,acme} openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                             Version               Architecture          Description
+++-================================-=====================-=====================-======================================================================
ii  openssl                          1.0.2g-1ubuntu4.14    amd64                 Secure Sockets Layer toolkit - cryptographic utility
ii  python3-acme                     0.28.0-1+ubuntu16.04. all                   ACME protocol library for Python 3
ii  python3-certbot                  0.28.0-1+ubuntu16.04. all                   main library for certbot
un  python3-certbot-nginx            <none>                <none>                (no description available)
un  python3-cffi                     <none>                <none>                (no description available)
ii  python3-cffi-backend             1.10.0-0.1+ubuntu16.0 amd64                 Foreign Function Interface for Python 3 calling C code - runtime
ii  python3-cryptography             1.9-1+ubuntu16.04.1+c amd64                 Python library exposing cryptographic recipes and primitives (Python 3
ii  python3-openssl                  17.3.0-1~0+ubuntu16.0 all                   Python 3 wrapper around the OpenSSL library

Which works perfectly well:
# certbot --version
certbot 0.28.0

Please compare:
which certbot
/usr/bin/certbot

# set | grep -i path=
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
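
Since the thread is hunting for a pip-installed copy of one of these libraries shadowing the apt-installed one, here is a small diagnostic that does the comparison in one go. It is an added example, not code from this thread and not part of certbot: it imports each module in the traceback's chain (josepy, OpenSSL, cryptography, cffi, and finally the cffi binding module that raised the AttributeError), records the file each was loaded from, and classifies that path by installer. The path conventions (/usr/lib/python3/dist-packages for apt, /usr/local/lib/pythonX.Y for pip run as root, ~/.local/lib for pip --user) are assumptions about the Debian/Ubuntu layout, not read from the system.

```python
"""Added diagnostic (not certbot's code, not from this thread): report where
Python loads each module in the traceback's import chain from, so a mix of
apt-installed and pip-installed copies shows up at a glance.

Assumed layout (Debian/Ubuntu conventions, not read from the system):
  /usr/lib/python3/dist-packages   -> installed by apt (dpkg-managed)
  /usr/local/lib/pythonX.Y/...     -> installed by pip as root
  ~/.local/lib/pythonX.Y/...       -> installed by pip --user
"""
import importlib
import os
import ssl
import sys
import sysconfig

# Import chain from the traceback: certbot -> josepy -> OpenSSL -> cryptography.
# The last entry is the module whose import actually raised the AttributeError.
CHAIN = [
    "josepy",
    "OpenSSL",
    "cryptography",
    "cffi",
    "cryptography.hazmat.bindings.openssl.binding",
]


def classify_path(path):
    """Say who installed the file a module was loaded from."""
    if not path:
        return "builtin"
    norm = os.path.normpath(path)
    if "dist-packages" not in norm and "site-packages" not in norm:
        # Not a third-party location: the interpreter's own library, or unknown.
        return "stdlib" if norm.startswith(sysconfig.get_paths()["stdlib"]) else "other"
    if norm.startswith("/usr/lib/python3/dist-packages"):
        return "debian"
    if norm.startswith(os.path.join(os.path.expanduser("~"), ".local", "lib")):
        return "pip-user"
    if norm.startswith("/usr/local/lib/python"):
        return "pip-system"
    return "other"


def collect_module_info(names):
    """Import each module and record origin, version and path; never raise."""
    report = []
    for name in names:
        entry = {"module": name, "path": None, "version": None, "origin": None, "error": None}
        try:
            mod = importlib.import_module(name)
        except Exception as exc:  # ImportError, or the cffi AttributeError from the thread
            entry["error"] = "%s: %s" % (type(exc).__name__, exc)
        else:
            entry["path"] = getattr(mod, "__file__", None)
            entry["version"] = getattr(mod, "__version__", None)
            entry["origin"] = classify_path(entry["path"])
        report.append(entry)
    return report


def find_skew(report):
    """Origins seen among modules that imported; more than one means mixed installs."""
    return {e["origin"] for e in report if e["error"] is None and e["origin"] != "stdlib"}


if __name__ == "__main__":
    print("interpreter :", sys.executable)
    print("linked ssl  :", ssl.OPENSSL_VERSION)  # OpenSSL the interpreter itself links against
    rows = collect_module_info(CHAIN)
    for e in rows:
        if e["error"]:
            print("%-45s FAILED   %s" % (e["module"], e["error"]))
        else:
            print("%-45s %-10s %-8s %s" % (e["module"], e["origin"], e["version"], e["path"]))
    origins = find_skew(rows)
    if len(origins) > 1:
        print("WARNING: modules come from more than one installer:", sorted(origins))
```

Run it with the same interpreter certbot uses (the shebang at the top of /usr/bin/certbot tells you which one), so the module search path matches. A row whose origin is "pip-system" or "pip-user" next to rows showing "debian" is the skew to look for; a FAILED row for the binding module reproduces the thread's error without having to run certbot itself.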


#13
which certbot

/usr/bin/certbot

You have new mail in /var/mail/root

root@nurtureit-blog-2:~# set | grep -i path=
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
snap_bin_path=/snap/bin
snap_xdg_path=/var/lib/snapd/desktop
local cmd PATH=$PATH:/sbin;
PATH=$PATH:/usr/sbin:/sbin:/usr/local/sbin type $1 &> /dev/null
COMPREPLY=($( compgen -W "$( PATH="$PATH:/sbin" lsmod | awk '{if (NR != 1) print $1}' )" -- "$1" ))
local PATH=$PATH:/sbin;
local PATH="$PATH:/sbin:/usr/sbin";
modpath=/lib/modules/$1;
COMPREPLY+=($( compgen -W "$( PATH="$PATH:/sbin" lspci -n | awk '{print $3}')" -- "$cur" ))
local PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin;
COMPREPLY+=($( compgen -W "$( PATH="$PATH:/sbin" lsusb | awk '{print $6}' )" -- "$cur" ))


#14

I’m running out of guesses - lol


#15

thanks for trying

must be 20 chars