Solved certbot python3.7 dependency error

Hi all,

I run the command certbot renew as a monthly cron job to update my certs, as I'm sure many of you do as well. I'm now getting an error message:
Code:
ImportError: Shared object "libffi.so.6" not found, required by "_cffi_backend.so"
(full Traceback below)

I have reinstalled security/certbot as well as lang/python37, to no avail. I'm afraid I've come to the end of my limited knowledge about these types of dependency issues. Can someone point me in the right direction?

TIA

Code:
pkg show py37-certbot
Name           : py37-certbot
Version        : 1.7.0,1

$ pkg show libffi     
Name           : libffi
Version        : 3.3_1

$ python3.7 --version
Python 3.7.9

$ uname -r
12.1-RELEASE-p8

Code:
$ sudo certbot renew
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot==1.7.0', 'console_scripts', 'certbot')()
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 489, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 2852, in load_entry_point
    return ep.load()
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 2443, in load
    return self.resolve()
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 2449, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/local/lib/python3.7/site-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/usr/local/lib/python3.7/site-packages/certbot/_internal/main.py", line 10, in <module>
    import josepy as jose
  File "/usr/local/lib/python3.7/site-packages/josepy/__init__.py", line 44, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/usr/local/lib/python3.7/site-packages/josepy/interfaces.py", line 7, in <module>
    from josepy import errors, util
  File "/usr/local/lib/python3.7/site-packages/josepy/util.py", line 7, in <module>
    import OpenSSL
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/crypto.py", line 12, in <module>
    from cryptography import x509
  File "/usr/local/lib/python3.7/site-packages/cryptography/x509/__init__.py", line 8, in <module>
    from cryptography.x509.base import (
  File "/usr/local/lib/python3.7/site-packages/cryptography/x509/base.py", line 16, in <module>
    from cryptography.x509.extensions import Extension, ExtensionType
  File "/usr/local/lib/python3.7/site-packages/cryptography/x509/extensions.py", line 18, in <module>
    from cryptography.hazmat.primitives import constant_time, serialization
  File "/usr/local/lib/python3.7/site-packages/cryptography/hazmat/primitives/constant_time.py", line 11, in <module>
    from cryptography.hazmat.bindings._constant_time import lib
ImportError: Shared object "libffi.so.6" not found, required by "_cffi_backend.so"
 
What is the output of pkg shlib -qR libffi.so.6 and pkg shlib -qR libffi.so.7?
You have to rebuild and reinstall all ports that depend on the old libffi.so.6.
Most likely your py37-cffi or py37-cairocffi is an old version that is still linked to libffi.so.6, so you have to rebuild it (them). My advice is to use portupgrade to manage your ports, as you can rebuild all py37*

edit:
it should look like this:
portupgrade -f `pkg shlib -qR libffi.so.6`
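
An added example, not part of the original post: `pkg shlib -qR` answers from the package database, while this sketch checks what the installed files actually link against by parsing ldd(1) output and listing every object with an unresolved library. The sample ldd output, its full paths and the `SCAN_DIR` variable are constructed for illustration.

```shell
#!/bin/sh
# Added example: find shared objects whose libraries no longer resolve.
# The ldd output below is constructed sample data in FreeBSD ldd(1) format.

# Read ldd output on stdin; print "object<TAB>missing-library" per unresolved entry.
missing_libs() {
    awk '
        /:$/ && !/=>/ { obj = substr($0, 1, length($0) - 1); next }  # "file:" header
        /=> not found/ { print obj "\t" $1 }                         # unresolved dep
    '
}

# Read ldd output on stdin; print the objects that still want library $1.
stale_objects() {
    missing_libs | awk -F '\t' -v lib="$1" '$2 == lib { print $1 }' | sort -u
}

# On a real host: scan a directory tree and name the package owning each
# broken object, so it can be rebuilt or reinstalled.
scan_dir() {
    find "$1" -type f -name '*.so' -exec ldd {} + 2>/dev/null | missing_libs |
    while IFS="$(printf '\t')" read -r obj lib; do
        printf '%s\t%s\t%s\n' "$lib" "$obj" "$(pkg which -q "$obj")"
    done
}

# Constructed sample (paths and load addresses are illustrative).
sample_ldd_output() {
    cat <<'EOF'
/usr/local/lib/python3.7/site-packages/_cffi_backend.so:
    libffi.so.6 => not found (0)
    libthr.so.3 => /lib/libthr.so.3 (0x800a4f000)
    libc.so.7 => /lib/libc.so.7 (0x80024a000)
/usr/local/lib/python3.7/site-packages/cryptography/hazmat/bindings/_constant_time.abi3.so:
    libc.so.7 => /lib/libc.so.7 (0x80024a000)
EOF
}

# SCAN_DIR is a hypothetical variable for this example,
# e.g. SCAN_DIR=/usr/local/lib/python3.7/site-packages
if [ -n "${SCAN_DIR:-}" ]; then
    scan_dir "$SCAN_DIR"
else
    sample_ldd_output | missing_libs
fi
```

Running the same scan after a libffi upgrade, before the renewal job next fires, catches the breakage while the certificates are still valid.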
 
I run the command certbot renew as a monthly cron job to update my certs,
Note that there's no need for this. Certbot supplies a weekly periodic script that will take care of renewals. You just have to enable it by adding weekly_certbot_enable="YES" to /etc/periodic.conf.

Code:
% ll /usr/local/etc/periodic/weekly/500.certbot-3.7
-r-xr-xr-x  1 root  wheel  2591 Dec  6 18:05 /usr/local/etc/periodic/weekly/500.certbot-3.7*
 
How is that ACME protocol actually used as a replacement?

I personally like certbot because it's really easy to use. There's just a lengthy list of Python dependencies it has; that's certainly a downside of it. The acme.sh really only does the interaction with Let's Encrypt, you have to script a few things around it to make it more "automated". But the upshot is that it has zero dependencies.
 
Note that there's no need for this. Certbot supplies a weekly periodic script that will take care of renewals. You just have to enable it by adding weekly_certbot_enable="YES" to /etc/periodic.conf.
What? I always thought it goes to /etc/rc.conf?
Maybe that's why it was never working?
 
Maybe read the pkg-message?
Code:
% pkg info -D py39-certbot
py39-certbot-1.29.0,1:
On install:
This port installs the "standalone" client only, which does not use and
is not the certbot-auto bootstrap/wrapper script.

The simplest form of usage to obtain certificates is:

 # sudo certbot certonly --standalone -d <domain>, [domain2, ... domainN]>

NOTE:

The client requires the ability to bind on TCP port 80 or 443 (depending
on the --preferred-challenges option used). If a server is running on that
port, it will need to be temporarily stopped so that the standalone server
can listen on that port to complete the challenge authentication process.

For more information on the 'standalone' mode, see:

  https://certbot.eff.org/docs/using.html#standalone

The certbot plugins to support apache and nginx certificate installation
will be made available in the following ports:

 * Apache plugin: security/py-certbot-apache
 * Nginx plugin: security/py-certbot-nginx

In order to automatically renew the certificates, add this line to
/etc/periodic.conf:

    weekly_certbot_enable="YES"

More config details in the certbot periodic script:

    /usr/local/etc/periodic/weekly/500.certbot-3.9

On upgrade from py39-certbot<1.5.0_2,1:
The certbot periodic script has new config options:

 * weekly_certbot_pre_hook
 * weekly_certbot_post_hook
 * weekly_certbot_deploy_hook
 * weekly_certbot_custom_args

For config details, see the certbot periodic script:

    /usr/local/etc/periodic/weekly/500.certbot-3.9
 