certbot error module 'lib' has no attribute 'OpenSSL_add_all_algorithms'

bagas · Aug 31, 2023

Hello.
start certificate renewal.

Code:

 # certbot -q renew --allow-subset-of-names
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')())
  File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load
    module = import_module(match.group('module'))
  File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 21, in <module>
    import josepy as jose
  File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py", line 40, in <module>
    from josepy.json_util import (
  File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 14, in <module>
    from OpenSSL import crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/crypto.py", line 3279, in <module>
    _lib.OpenSSL_add_all_algorithms()
AttributeError: module 'lib' has no attribute 'OpenSSL_add_all_algorithms'

Code:

py39-certbot-2.6.0,1               =   up-to-date with index
py39-josepy-1.13.0                 =   up-to-date with index
py39-openssl-21.0.0,1              =   up-to-date with index
python39-3.9.17                    =   up-to-date with index
py39-cryptography-41.0.3,1         =   up-to-date with index

how to fix?

dweimer · Aug 31, 2023

I think it was the py-cryptography-41.0.3,1 update that broke it, looking around my systems for an older version of the package to roll it back and confirm. Didn't configure my Poudriere build to save old packages.

dweimer · Aug 31, 2023

Confirmed, rolled my systems py11-cryptography-41.0.3,1 back to py311-cryptography-3.4.8_1,1 and error is gone.

dweimer · Aug 31, 2023

I submitted a bug report, Bug 273474

dweimer · Aug 31, 2023

dweimer said:
I submitted a bug report, Bug 273474

Looks like a fix is already in the works, a py-openssl update coming soon to fix it, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266680

sko · Aug 31, 2023

I suggest switching to security/acme.sh to escape the python dependency-hell. It's purely written in shell and with default port options it only requires curl and socat (can be reduced to only curl or wget).
Been using it for years on everything that needs certificates - never had any issues (apart from one host I forgot to update when letsencrypt switched to ACME v2)

aepot · Sep 3, 2023

The problem is old py39-openssl-21.0.0,1 after updating of py39-cryptography to version 41.0.3,1
This version requires py39-openssl-23.2.0 but pkg repository for now contains the old version.

As "i-want-it-right-now" workaround it can be upgraded via python package manager pip.

pkg install py39-pip

Then download .whl the pip package from https://pypi.org/project/pyOpenSSL/#files or via command like

 curl https://files.pythonhosted.org/packages/f0/e2/f8b4f1c67933a4907e52228241f4bd52169f3196b70af04403b29c63238a/pyOpenSSL-23.2.0-py3-none-any.whl --output ./pyOpenSSL-23.2.0-py3-none-any.whl

Then install the package

pip install ./pyOpenSSL-23.2.0-py3-none-any.whl

Then you may delete pip package manager if needed.

Note: pkg is still displaying the old py39-openssl-21.0.0,1 via pkg info | grep py39-openssl but that's fine, certbot will work as expected.

elgrande · Sep 4, 2023

aepot said:
The problem is old py39-openssl-21.0.0,1 after updating of py39-cryptography to version 41.0.3,1
This version requires py39-openssl-23.2.0 but pkg repository for now contains the old version.

As "i-want-it-right-now" workaround it can be upgraded via python package manager pip.

pkg install py39-pip

Then download .whl the pip package from https://pypi.org/project/pyOpenSSL/#files or via command like

curl https://files.pythonhosted.org/packages/f0/e2/f8b4f1c67933a4907e52228241f4bd52169f3196b70af04403b29c63238a/pyOpenSSL-23.2.0-py3-none-any.whl --output ./pyOpenSSL-23.2.0-py3-none-any.whl

Then install the package

pip install ./pyOpenSSL-23.2.0-py3-none-any.whl

Then you may delete pip package manager if needed.

Note: pkg is still displaying the old py39-openssl-21.0.0,1 via pkg info | grep py39-openssl but that's fine, certbot will work as expected.

A new version is also in ports tree now, so installing from there is another alternative.