Certbot: Amazon Linux: ImportError: No module named cryptography.hazmat.bindings.openssl.binding

Created on 24 Feb 2016 · 48 Comments · Source: certbot/certbot

While attempting to run on Amazon Linux: Linux ip #1 SMP Sat Oct 24 01:31:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Git commit hash: 6950dbd0708d3ba16b717ad1097332fc37e33f15

I get the following error:

[ec2-user@ip letsencrypt]$ ./letsencrypt-auto
Checking for new version...
Creating virtual environment...
Installing Python packages...
Requesting root privileges to run letsencrypt...
   sudo /home/ec2-user/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade
Traceback (most recent call last):
  File "/home/ec2-user/.local/share/letsencrypt/bin/letsencrypt", line 7, in <module>
    from letsencrypt.cli import main
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/letsencrypt/cli.py", line 21, in <module>
    import OpenSSL
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/OpenSSL/rand.py", line 11, in <module>
    from OpenSSL._util import (
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding

This was working as of Feb 8th... however when trying to checkout an old version to find where things broke, letsencrypt-auto keeps re-upgrading itself to the latest version!

certbot-auto pyca

All 48 comments

Any update.. I am also facing the same issue..
Below are the logs (environment - amazon linux)
Command issued : ./letsencrypt-auto --help

Checking for new version...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Requesting root privileges to run letsencrypt...
   sudo /home/ec2-user/.local/share/letsencrypt/bin/letsencrypt --help
Traceback (most recent call last):
  File "/home/ec2-user/.local/share/letsencrypt/bin/letsencrypt", line 7, in <module>
    from letsencrypt.cli import main
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/letsencrypt/cli.py", line 21, in <module>
    import OpenSSL
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/OpenSSL/rand.py", line 11, in <module>
    from OpenSSL._util import (
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding

try this
sudo ./letsencrypt-auto --help
Tried the above command and it worked.

Same issue, also resolved by prefixing sudo. How come this is the fix?

Same issue occurred and fixed using sudo, thanks

I'm experiencing this issue too after updating to the latest certbot on Amazon Linux (Linux ip-172-31-10-255 4.9.75-25.55.amzn1.x86_64 #1 SMP Fri Jan 5 23:50:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux)

It seems that the cryptography package is being installed under /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/cryptography/

but python is not finding it because it is not looking/operating out of the lib64 path. Notice all the paths below are /lib/ and not /lib64/

I've completely removed this env rm -rf /opt/eff.org and have re-installed cert-bot and still getting same error/issue.

[root@ip-172-31-10-255 venv]# /certbot/certbot-auto --debug renew
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 8, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 4, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/rand.py", line 12, in <module>
    from OpenSSL._util import (
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding
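
A read-only check for the lib/lib64 split described in the comment above, as an added example that is not part of the original thread or of certbot. `find_split_packages` and `build_sample_tree` are hypothetical names and the sample tree is constructed; the check goes slightly beyond the comment by also looking inside namespace directories such as zope/.

```python
import os
import tempfile


def _entries(path):
    """Names directly under path, or an empty set if it is not a directory."""
    return set(os.listdir(path)) if os.path.isdir(path) else set()


def find_split_packages(prefix, pyver="python2.7", leaf="dist-packages"):
    """Return entries that exist only under <prefix>/lib64, not <prefix>/lib."""
    lib = os.path.join(prefix, "lib", pyver, leaf)
    lib64 = os.path.join(prefix, "lib64", pyver, leaf)
    # In a healthy virtualenv lib64 usually resolves to lib: nothing is split.
    if not os.path.isdir(lib64) or os.path.realpath(lib) == os.path.realpath(lib64):
        return []
    missing = []
    for name in sorted(_entries(lib64)):
        src, dst = os.path.join(lib64, name), os.path.join(lib, name)
        if not os.path.lexists(dst):
            missing.append(name)
        elif (os.path.isdir(src) and os.path.isdir(dst)
              and os.path.realpath(src) != os.path.realpath(dst)
              and not os.path.exists(os.path.join(dst, "__init__.py"))):
            # Namespace-style directory (e.g. zope/) exists on both sides:
            # compare one level down, where zope/interface can go missing.
            for sub in sorted(_entries(src) - _entries(dst)):
                missing.append(name + "/" + sub)
    return missing


def build_sample_tree(root):
    """Constructed layout imitating the split reported in this thread."""
    lib = os.path.join(root, "lib", "python2.7", "dist-packages")
    lib64 = os.path.join(root, "lib64", "python2.7", "dist-packages")
    for d in (os.path.join(lib, "OpenSSL"), os.path.join(lib, "zope", "event"),
              os.path.join(lib64, "cryptography"), os.path.join(lib64, "cffi"),
              os.path.join(lib64, "zope", "interface")):
        os.makedirs(d)
    open(os.path.join(lib, "OpenSSL", "__init__.py"), "w").close()
    open(os.path.join(lib64, "_cffi_backend.so"), "w").close()
    return root


if __name__ == "__main__":
    sample = build_sample_tree(tempfile.mkdtemp())
    for item in find_split_packages(sample):
        print("only under lib64:", item)
```

On an affected host the prefix to pass is the one from the traceback, `/opt/eff.org/certbot/venv/local`; an empty result means the import failure has a different cause.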

@utdrmac I ran into the same error a moment ago deploying a new certificate - your comment inspired the following hacky fix, gathered by peeling the onion and linking the dependencies back to the local/lib/python2.7 path:

ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/cryptography /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/cryptography
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/cryptography-2.0.2.dist-info /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/cryptography-2.0.2.dist-info
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/cffi /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/cffi
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/cffi-1.10.0.dist-info /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/cffi-1.10.0.dist-info
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/_cffi_backend.so /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/_cffi_backend.so
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/.libs_cffi_backend /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/.libs_cffi_backend
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/zope.interface-4.1.3-py2.7-nspkg.pth /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope.interface-4.1.3-py2.7-nspkg.pth
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/zope.interface-4.1.3-py2.7.egg-info /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope.interface-4.1.3-py2.7.egg-info
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/zope/interface /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/interface

@HinchK I thought about that too but yes, very hack-y indeed. Check out this solution instead: https://github.com/certbot/certbot/issues/1680#issuecomment-358728515 I verify it works on latest elastic beanstalk.

@HinchK Thanks. That (temporarily) fixed it for me. (AWS)

@HinchK, your solution was amazing. Thanks.

Chiming in that @HinchK's solution similarly fixed my AWS Linux server.

It broke when I went to update my cert today and certbot updated from 0.19.0 to 0.21.1.

Just ran into the problem myself, for the second time. Seems to be a problem when certbot runs upgrades without sufficient permissions. The update is failing silently, leaving the software in a bad state detected when certbot tries to actually run. Better error detection in the library installation / update routine might help prevent future confusion.

The solution that @utdrmac linked to above worked to fix this for me (but had to run it as root). Got the same error when certbot tried to upgrade to 0.22.0 just now (on AWS EC2).

Just ran into this issue again in a different AWS region; and can confirm @utdrmac's installation via pip worked for me! https://github.com/certbot/certbot/issues/1680#issuecomment-358728515

Rolling out the pip certbot across my instances; as my previous symlink workaround was a pretty gross hack that worked but might not work down the road.

I ran into the same problem. Here's what solved it for me:

/opt/eff.org/certbot/venv/local/bin/pip install cryptography interface

after trying everything else, @HinchK 's hack was the only thing that worked for me

I can also confirm awls99 - encountered the same issue last few days, tried everything, all solutions had 0 effect on the issue.
@HinchK's way has fixed the issue.

@gmegidish's solution worked great for me. I'm running it on an Amazon Linux EC2 instance.

@HinchK one shot one kill! :-)

@gmegidish is the man!!!
Thank you!!

/opt/eff.org/certbot/venv/local/bin/pip install cryptography interface

worked for me!

@alex, any idea what could be going on here?

We're currently using cryptography 2.0.2, pyOpenSSL 16.2.0, and the other pinnings in https://github.com/certbot/certbot/blob/master/letsencrypt-auto-source/pieces/dependency-requirements.txt.

If this is about Amazon Linux, I guess it's https://github.com/pypa/pip/issues/4464

cc: @reaperhulk

hey there,

I found a solution that worked for me by CTRL-F the web with my eyes.

On this link @utdrmac installs certbot with pip directly.
https://github.com/certbot/certbot/issues/1680#issuecomment-358728515
It worked for me at least.

And oh, think about installing certbot plugins using pip also to manage automatic configuration of, let's say, nginx (by @bmw):
https://github.com/certbot/certbot/issues/1736#issuecomment-165189246

Good luck !

edit: I am also installing certificates on Amazon linux.

Hit this problem again, followed the simple steps on @eregnier 's post's links, worked first try, now my crontab looks like:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/bin/certbot renew --no-bootstrap --nginx 1> /var/log/cerbot.log 2>&1

I've the same problem today, the solution of @HinchK works fine, I just have to replace the

ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/cryptography-2.0.2.dist-info /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/cryptography-2.0.2.dist-info

by
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/cryptography-2.2.2.dist-info /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/cryptography-2.2.2.dist-info

and it worked like a charm.

I faced this issue today.
My workaround for certbot 0.26.1 on Amazon Linux AMI 4.4.30-32.54.amzn1.x86_64 was:

cd /opt/eff.org/certbot/venv/lib64/python2.7
rmdir site-packages  # in my case, this directory was empty
ln -s dist-packages site-packages

And that's all, it worked for me.

Confirm @smartITNinja solution worked for me as well.

Are those having issues on Amazon Linux 1 or 2? If it's Amazon Linux 2, you can and should use the EPEL7 packages over certbot-auto. How to install these packages is described at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html#letsencrypt.

@smartITNinja @lpkirby
When I try to ln dist-packages site-packages, I get "hard link not allowed for directory".

You really hard linked dist-packages to site-packages?

@saiday - fwiw - No, I did a sym link.

@bmw - That's interesting. Some places in AWS docs say you shouldn't install EPEL in Amazon Linux 2, and some show you how to do it.

@bmw Amazon Linux 1

@saiday sorry, it's a "soft link" instead of a hard link. The comment is fixed now, including the correct steps. Thanks!

/opt/eff.org/certbot/venv/lib64/python2.7

drwxr-xr-x 9 root root  4096 Jul 18 14:14 dist-packages
lrwxrwxrwx 1 root root    13 Jul 18 14:26 site-packages -> dist-packages

> That's interesting. Some places in AWS docs say you shouldn't install EPEL in Amazon Linux 2, and some show you how to do it.

Huh. I unfortunately don't know enough about Amazon Linux 2 to provide a recommendation one way or another then. All I can say is:

  1. Up to date OS packages should be preferred over certbot-auto.
  2. At least for getting Certbot working, EPEL7 packages have worked for people on Amazon Linux 2 including us during testing.

@smartITNinja thx, this solved my problem on my Amazon EC2

@smartITNinja that worked for me on an Amazon Linux 1 EC2 today.

Cheers 👍

The only thing that worked was @smartITNinja's hack. I run into this problem all the time. The certbot script needs to be updated to "catch" this and either work around it or provide a useful error message. AWS EC2 is a major distribution and Let's Encrypt should work out of the box with it. PERIOD.

Was running into the same issue on an Amazon Linux AMI.

Ended up just using the certbot docker container. Took all of about 90 seconds.

Assuming you have docker installed and running:

docker pull certbot/certbot

docker run -it --rm --name certbot \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
certbot/certbot \
certonly --manual --preferred-challenges dns-01 --agree-tos -d "example.com" -d "*.example.com" --server https://acme-v02.api.letsencrypt.org/directory

I had this issue on my base AMI I use. I did this to solve the issue. (symlink did not work for me)

sudo rm -Rf /opt/eff.org
sudo /opt/letsencrypt/letsencrypt-auto --help --debug

Now that the base is fixed, I can use it for any website as expected. This way is good if you do not have a cert already and are only working on your base.

If you already have a cert or need to renew:
First remove the bad package:

sudo rm -Rf /opt/eff.org

Then append --debug to the command you are running.

Thanks to @gmegidish I came to the solution which worked for me:

  1. unset PYTHON_INSTALL_LAYOUT
  2. sudo rm -rf /opt/eff.org/certbot/
  3. pip install cryptography interface
  4. ./certbot-auto renew -v --debug

/opt/letsencrypt/letsencrypt-auto --help (testing if it works)

To update:
I just did a base install of Amazon Linux 2 and the latest certbot worked almost out of the box. The only thing I had to install was python-virtualenv from the AWS yum repos.

Closing in favor of tracking support & recommended installation paths at #6505 for Amazon Linux 1 and #6506 for Amazon Linux 2.

This did the trick: sudo /opt/eff.org/certbot/venv/local/bin/pip install cryptography interface zope

> This did the trick: sudo /opt/eff.org/certbot/venv/local/bin/pip install cryptography interface zope

This did the trick for me also.

AND ... the latest certbot update crashed with:

Requesting to rerun ./certbot-auto with root privileges...
Upgrading certbot-auto 0.40.0 to 0.40.1...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 7, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 7, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 12, in <module>
    from cryptography import x509
ImportError: No module named cryptography

Used the following to fix it:

sudo /opt/eff.org/certbot/venv/local/bin/pip install cryptography interface zope

And that got me working again ... maybe it shouldn't auto update?

> And that got me working again ... maybe it shouldn't auto update?

If you want that behavior you can use the flag --no-self-upgrade, however, keep in mind that will opt you out of all changes for security or those that keep you compatible with Let's Encrypt's servers.

Also remember that when you first run certbot-auto with no flags on Amazon Linux it exits with the message:

FATAL: Amazon Linux support is very experimental at present...
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!

Until that changes (which is tracked by https://github.com/certbot/certbot/issues/6505), I think you should continue to expect to have issues like these.

I have a solution for EC2 Amazon Linux AMI instance:

Install all packages in venv:
/opt/eff.org/certbot/venv/bin/pip2 install cryptography zope interface
/opt/eff.org/certbot/venv/bin/pip2 install --upgrade pip
Next you need to sync the lib64/ and lib/ folders:
rsync -avz /opt/eff.org/certbot/venv/lib64/python2.7/dist-packages/ /opt/eff.org/certbot/venv/lib/python2.7/dist-packages/

test:
/usr/local/bin/certbot-auto certonly --debug --webroot

Working for me in two instances AMI. =)

For what it's worth, I decided to abandon the certbot-auto script and got it working on Amazon Linux with the following steps:

yum install -y python36 python36-devel python36-tools augeas-libs libffi-devel
pip-3.6 install certbot certbot-dns-route53

I know it's not recommended -- but it worked for me!

By the way, on Amazon Linux 2, it's in the package manager, all you need to do there is

amazon-linux-extras install epel
yum -y install certbot certbot-dns-route53

The solution is to enable EPEL, simply run sudo yum-config-manager --enable epel, this is mentioned both in certbot docs/instructions and aws docs, see:

  1. (aws docs) https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-ami.html -> scroll to "To install and run Certbot" -> step 1
  2. (certbot docs) https://certbot.eff.org/lets-encrypt/centosrhel7-other , step 2 (Enable EPEL repo)

The certbot-auto script on my server just automatically updated itself (I didn't realize it would do that and now I know about the --no-self-upgrade flag) and the "ImportError: No module named cryptography" issue came back.

I managed to find a solution that worked here: https://aws.nz/best-practice/letsencrypt-amazon-linux/
