certbot fails as "SSL module is not available"

[firetree]

A certbot renew command reports error (domain name replaced):

Failed to renew certificate <my domain>.com with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available."))

Not had this before and have made no recent changes to apache or my ssl.

Since my last certificate renewal, I've changed my DNS servers and updated to FreeBSD 14.1 but now't else significant;
All ports are up to date;
http.conf contains: LoadModule ssl_module libexec/apache24/mod_ssl.so (as it always has);
/usr/local/libexec/apache24/mod_ssl.so is in place.

I have removed and reinstalled apache and apr but the error remains.
The "url: /directory" looks a bit odd to me but apache starts fine with no httpd.conf warnings.

Any help much appreciated.
M'thanks.

 

[SirDice]

All ports are up to date;
http.conf contains: LoadModule ssl_module libexec/apache24/mod_ssl.so (as it always has);
/usr/local/libexec/apache24/mod_ssl.so is in place.

The error doesn't refer to an issue on your server. It's failing with an SSL error on the letsencrypt website.

Certbot uses Python. The default python version got upgraded to 3.11 some time ago. Maybe you still have certbot with the old Python installed?

 

[firetree]

The error doesn't refer to an issue on your server. It's failing with an SSL error on the letsencrypt website.

Certbot uses Python. The default python version got upgraded to 3.11 some time ago. Maybe you still have certbot with the old Python installed?

Aha!
I saw Python311 mentioned in the log and wondered if that had something to do with it.
Yes, both py39 and py311 installed.
Apologies for being dense but should I just remove py39 and certbot; update and reinstall or is there a better approach?

M'thanks.

 

[ralphbsz]

Aha!
I saw Python311 mentioned in the log and wondered if that had something to do with it.
Yes, both py39 and py311 installed.
Apologies for being dense but should I just remove py39 and certbot; update and reinstall or is there a better approach?

M'thanks.

If you are not using any 3.9 stuff in production, and can handle short outages and having to upgrade, and don't have a large corpus of home-written python code that may have to be upgraded for any 3.9 -> 3.11 incompatibilities, then I would do this: Make a list of all 3.9 stuff, delete it all, and install the corresponding 3.11 stuff. When I say "stuff", I mean both FreeBSD packages and ports, and pip packages. Do the FreeBSD part first, since it will usually populate pip.

If you need the 3.9 stuff to continue working while you migrate things to 3.11, then ... things get more complicated.

 

[SirDice]

Apologies for being dense but should I just remove py39 and certbot

Do pkg install py311-certbot, that will replace your installed py39-certbot. Then run pkg autoremove to remove the old python modules and versions.

 

[firetree]

Thanks all,

py311-certbot was already installed so I nuked py39-* ; removed py311-certbot ; re-installed py311-certbot ; and all was well.
I run a small server (pretty much) for my own use so don't delve too deep unless forced to.
(Historically) most of my applications problems have been python version related, my heart sinks when I see a new version :- )

Many thanks again to y'all for your help, lifesavers!

 

[VladiBG]

For those who are using pkg the official way is the following:

# sh
  # for i in $(pkg query -g %n 'py39-*'); do pkg set -yn ${i}:py311-${i#py39-}; done
  # pkg upgrade

I personally upgrade it like this:
Take notes of the prime-origins pkgs then i delete the python39 which will cause of removal all pkgs that depend of it including py39-certbot, py39-fail2ban etc which are in my prime-origins pkgs. Then i run pkg autoremove and install again all missing prime-origins like py311-certbot py311-fail2ban which will install pyton311 as it's dependency. It's like removing all py* and install them again for

 

[unixbsdshell]

You don't need to delete. Just use Python environment to place Python dependencies. Use environment according to the version of Python you are using. Each version of Python you put in the following environment pip