Solved certbot python3.7 dependency error

cbrace

Hi all,

I run the command certbot renew as a monthly cron job to update my certs, as I'm sure many of you do as well. I'm now getting an error message:
Code:
ImportError: Shared object "libffi.so.6" not found, required by "_cffi_backend.so"
(full Traceback below)

I have reinstalled security/certbot as well as lang/python37, to no avail. I'm afraid I've come to the end of my limited knowledge about these types of dependency issues. Can someone point me in the right direction?

TIA

Code:
pkg show py37-certbot
Name           : py37-certbot
Version        : 1.7.0,1

$ pkg show libffi     
Name           : libffi
Version        : 3.3_1

$ python3.7 --version
Python 3.7.9

$ uname -r
12.1-RELEASE-p8

Code:
$ sudo certbot renew
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot==1.7.0', 'console_scripts', 'certbot')()
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 489, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 2852, in load_entry_point
    return ep.load()
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 2443, in load
    return self.resolve()
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 2449, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/local/lib/python3.7/site-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/usr/local/lib/python3.7/site-packages/certbot/_internal/main.py", line 10, in <module>
    import josepy as jose
  File "/usr/local/lib/python3.7/site-packages/josepy/__init__.py", line 44, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/usr/local/lib/python3.7/site-packages/josepy/interfaces.py", line 7, in <module>
    from josepy import errors, util
  File "/usr/local/lib/python3.7/site-packages/josepy/util.py", line 7, in <module>
    import OpenSSL
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/crypto.py", line 12, in <module>
    from cryptography import x509
  File "/usr/local/lib/python3.7/site-packages/cryptography/x509/__init__.py", line 8, in <module>
    from cryptography.x509.base import (
  File "/usr/local/lib/python3.7/site-packages/cryptography/x509/base.py", line 16, in <module>
    from cryptography.x509.extensions import Extension, ExtensionType
  File "/usr/local/lib/python3.7/site-packages/cryptography/x509/extensions.py", line 18, in <module>
    from cryptography.hazmat.primitives import constant_time, serialization
  File "/usr/local/lib/python3.7/site-packages/cryptography/hazmat/primitives/constant_time.py", line 11, in <module>
    from cryptography.hazmat.bindings._constant_time import lib
ImportError: Shared object "libffi.so.6" not found, required by "_cffi_backend.so"
 

VladiBG


What is the output of pkg shlib -qR libffi.so.6 and pkg shlib -qR libffi.so.7?
You have to rebuild and reinstall all ports that depend on the old libffi.so.6.
Most likely your py37-cffi or py37-cairocffi is an old version that is still linked to libffi.so.6, so you have to rebuild it (them). My advice is to use portupgrade to manage your ports, as you can rebuild all py37*.

edit:
it should look like this:
portupgrade -f `pkg shlib -qR libffi.so.6`
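
As an added example (not part of any post in this thread), this sh script pulls the missing-library names out of saved `certbot renew` output so a cron wrapper can flag a broken renewal and print the `pkg shlib -qR` lookup suggested above. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: find rtld "Shared object ... not found" errors in saved
# `certbot renew` output and print the pkg lookup command for each one.

# Constructed sample of cron output (not a real log); the duplicate is intentional.
sample_log() {
cat <<'EOF'
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
ImportError: Shared object "libffi.so.6" not found, required by "_cffi_backend.so"
ImportError: Shared object "libffi.so.6" not found, required by "_cffi_backend.so"
Cert not yet due for renewal
EOF
}

# missing_shlibs: read log text on stdin, print unique "library consumer" pairs.
missing_shlibs() {
    sed -n 's/.*Shared object "\([^"]*\)" not found, required by "\([^"]*\)".*/\1 \2/p' | sort -u
}

# lookup_commands: read "library consumer" pairs, print one pkg query per pair.
# Library names are whitelisted so log text is never echoed into a command as-is.
lookup_commands() {
    while read -r lib consumer; do
        case "$lib" in
            ''|*[!A-Za-z0-9._+-]*)
                echo "skipping suspicious name: $lib" >&2
                continue ;;
        esac
        echo "pkg shlib -qR $lib   # needed by $consumer"
    done
}

# check_renew_log: returns 1 when any missing library is found, so a cron
# wrapper can treat the renewal as failed and mail the report.
check_renew_log() {
    pairs=$(missing_shlibs)
    [ -z "$pairs" ] && return 0
    printf '%s\n' "$pairs" | lookup_commands
    return 1
}

sample_log | check_renew_log || echo "renewal blocked by missing shared objects"
```
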
 

micski

How is that ACME protocol actually used as a replacement?
 

SirDice

Quote:
I run the command certbot renew as a monthly cron job to update my certs,

Note that there's no need for this. Certbot supplies a weekly periodic script that will take care of renewals. You just have to enable it by adding weekly_certbot_enable="YES" to /etc/periodic.conf.

Code:
% ll /usr/local/etc/periodic/weekly/500.certbot-3.7
-r-xr-xr-x  1 root  wheel  2591 Dec  6 18:05 /usr/local/etc/periodic/weekly/500.certbot-3.7*
 

SirDice

Quote:
How is that ACME protocol actually used as a replacement?

I personally like certbot because it's really easy to use. There's just a lengthy list of Python dependencies it has; that's certainly a downside of it. The acme.sh really only does the interaction with Let's Encrypt; you have to script a few things around it to make it more "automated". But the upshot is that it has zero dependencies.
 