When I run certbot like so:
sudo certbot --nginx
I get:
Traceback (most recent call last):
File "/bin/certbot", line 9, in <module>
load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 570, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2751, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2405, in load
return self.resolve()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2411, in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 21, in <module>
from certbot import client
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 16, in <module>
from acme import client as acme_client
File "/usr/lib/python2.7/site-packages/acme/client.py", line 39, in <module>
urllib3.contrib.pyopenssl.inject_into_urllib3()
AttributeError: 'module' object has no attribute 'pyopenssl'
My Python version is 2.7.12 and Linux OS: 7.4
I suspect this is due to a conflict between Python packages installed from your OS package manager and pip, like in #6245.
Which Linux OS are you on and how did you install Certbot?
I've got the same (or mostly alike) error:
# yum install certbot
...
Running transaction
Installing : pyOpenSSL-0.13.1-3.el7.x86_64 1/6
Installing : python2-josepy-1.1.0-1.el7.noarch 2/6
Installing : python-ndg_httpsclient-0.3.2-1.el7.noarch 3/6
Installing : python2-acme-0.26.1-1.el7.noarch 4/6
Installing : python2-certbot-0.26.1-2.el7.noarch 5/6
Installing : certbot-0.26.1-2.el7.noarch 6/6
Verifying : pyOpenSSL-0.13.1-3.el7.x86_64 1/6
Verifying : python2-josepy-1.1.0-1.el7.noarch 2/6
Verifying : python2-acme-0.26.1-1.el7.noarch 3/6
Verifying : python2-certbot-0.26.1-2.el7.noarch 4/6
Verifying : certbot-0.26.1-2.el7.noarch 5/6
Verifying : python-ndg_httpsclient-0.3.2-1.el7.noarch 6/6
Installed:
certbot.noarch 0:0.26.1-2.el7
Dependency Installed:
pyOpenSSL.x86_64 0:0.13.1-3.el7 python-ndg_httpsclient.noarch 0:0.3.2-1.el7 python2-acme.noarch 0:0.26.1-1.el7 python2-certbot.noarch 0:0.26.1-2.el7 python2-josepy.noarch 0:1.1.0-1.el7
Complete!
# certbot --version
Traceback (most recent call last):
File "/bin/certbot", line 9, in <module>
load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 378, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2566, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2260, in load
entry = __import__(self.module_name, globals(),globals(), ['__name__'])
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 21, in <module>
from certbot import client
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 16, in <module>
from acme import client as acme_client
File "/usr/lib/python2.7/site-packages/acme/client.py", line 39, in <module>
urllib3.contrib.pyopenssl.inject_into_urllib3()
AttributeError: 'module' object has no attribute 'pyopenssl'
OS Version: CentOS Linux release 7.5.1804 (Core)
Edit2: With regards to https://github.com/certbot/certbot/issues/6245, python-urllib3 has been installed using yum, and the current version (1.10.2-5.el7) does not have the mentioned symlink in packages/ssl_match_hostname but as a regular directory with files in it.
Trying to reproduce the issue led me to this:
# python
Python 2.7.5 (default, Jul 13 2018, 13:06:57)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-28)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import urllib3.contrib.pyopenssl
>>> urllib3.contrib.pyopenssl.inject_into_urllib3()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 118, in inject_into_urllib3
_validate_dependencies_met()
File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 153, in _validate_dependencies_met
raise ImportError("'pyOpenSSL' module missing required functionality. "
ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.
>>>
# yum info pyOpenSSL
...
Installed Packages
Name : pyOpenSSL
Arch : x86_64
Version : 0.13.1
Release : 3.el7
Size : 628 k
Repo : installed
So apparently there is a silent version dependency for urllib3.contrib.pyopenssl on pyOpenSSL v0.14, which is not provided by Centos7 at this point.
Edit: After installing a newer version (0.15.1) from https://cbs.centos.org/koji/buildinfo?buildID=1500 the above error goes away, but not the error generated by certbot.
Some trial-and-error with usr/lib/python2.7/site-packages/acme/client.py led me to the discovery that when I comment the from requests_toolbelt.adapters.source import SourceAddressAdapter import, the error disappears!
Fortunately, this is used only once, so as long as I supply a source_address I can get away with this not-so-subtle fix. :)
@github-abcde, I'd recommend posting at https://community.letsencrypt.org. On a fresh CentOS 7 install, both:
python -c 'import requests; requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()'
and
python -c 'import urllib3.contrib.pyopenssl; urllib3.contrib.pyopenssl.inject_into_urllib3()'
work for me.
Additionally, after installing python-urllib3 1.10.2-5.el7, /usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py does not contain code to raise an exception if the pyOpenSSL version is less than 0.14.
I think you have a mix of packages from various sources. There is a larger community at https://community.letsencrypt.org who should be able to help you track down the problem.
You are right. After some in-depth searching it appeared that something that should have been installing a module using pip3, actually installed it using python -m pip... using python2.7 and overwriting the urllib3/contrib/pyopenssl.py... Thanks for your pointers, which forced me to look further :)
The same problem I have here.
File "/usr/lib/python2.7/site-packages/acme/client.py", line 39, in
urllib3.contrib.pyopenssl.inject_into_urllib3()
AttributeError: 'module' object has no attribute 'pyopenssl'
centos 7.3
This is my solution:
pip install requests==2.6.0
easy_install --upgrade pip
I'm seeing this now, too. A fresh Centos 7 install, with nothing else installed via pip, and certbot installed via yum
Linux localhost.localdomain 3.10.0-862.2.3.el7.x86_64 #1 SMP Wed May 9 18:05:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
@monkeyWie's tip didn't work for me
[vagrant@localhost ~]$ pip install requests==2.6.0
Requirement already satisfied: requests==2.6.0 in /usr/lib/python2.7/site-packages
I was using certbot just fine until a few days ago when I can't get it to work at all on any of my new centos 7 builds.
[vagrant@localhost ~]$ sudo certbot --nginx
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in <module>
load_entry_point('certbot==0.27.1', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 484, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2714, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2332, in load
return self.resolve()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2338, in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 21, in <module>
from certbot import client
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 16, in <module>
from acme import client as acme_client
File "/usr/lib/python2.7/site-packages/acme/client.py", line 36, in <module>
requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3() # type: ignore
File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 118, in inject_into_urllib3
_validate_dependencies_met()
File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 153, in _validate_dependencies_met
raise ImportError("'pyOpenSSL' module missing required functionality. "
ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.
Issues like this are caused by installing packages globally from both yum and pip. Unfortunately, I'm unable to help you clean up the Python environment on your system but if you post to https://community.letsencrypt.org there is a large user base there that will be able to help.
I had a clean install of CentOS 7.6, and adding Certbot from the EPEL repo caused the same problem. Fixed the issue by running
pip install requests==2.6.0
I see this is still an issue.
Same.
CentOS Linux release 7.6.1810 (Core)
Install:
sudo yum install certbot python2-certbot-nginx
And run:
# certbot --help
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in <module>
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 378, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2566, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2260, in load
entry = __import__(self.module_name, globals(),globals(), ['__name__'])
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 21, in <module>
from certbot import client
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 16, in <module>
from acme import client as acme_client
File "/usr/lib/python2.7/site-packages/acme/client.py", line 40, in <module>
urllib3.contrib.pyopenssl.inject_into_urllib3()
AttributeError: 'module' object has no attribute 'pyopenssl'
This is my solution:
pip install requests==2.6.0
easy_install --upgrade pip
Worked for me on Centos 7
Agreed. Default install using yum is not working. Need to fix it after
initial install. One would want it to install in a working state.
On Sun, 14 Apr 2019, 07:54 Michael Lindner, notifications@github.com
wrote:
This is my solution:
pip install requests==2.6.0
easy_install --upgrade pip
Worked for me on Centos 7
If anyone can provide instructions on how to reproduce this, ideally in something like Docker, I'd be happy to take another look, but I still believe this only occurs if you've installed Python packages from multiple sources.
This is usually caused by installing packages from both yum and pip and removing the packages you've installed with pip and reinstalling them with yum should resolve the issue.
I can confirm that it happens with a clean install of Centos 7.6 using the
EPEL repo to add certbot.
On Mon, 15 Apr 2019, 19:35 Brad Warren, notifications@github.com wrote:
If anyone can provide instructions on how to reproduce this, ideally in
something like Docker, I'd be happy to take another look, but I still
believe this only occurs if you've installed Python packages from multiple
sources.
This is usually caused by installing packages from both yum and pip and
removing the packages you've installed with pip and reinstalling them
with yum should resolve the issue.
I had this issue (centos)
[bob@bla ~]# certbot renew 2>&1 | tail -2
urllib3.contrib.pyopenssl.inject_into_urllib3()
AttributeError: 'module' object has no attribute 'pyopenssl'
and pip is not installed
[bob@bla ~]# pip install requests==2.6.0
-bash: pip: command not found
I can confirm that it happens with a clean install of Centos 7.6 using the EPEL repo to add certbot.
Unfortunately, I cannot reproduce it in Docker or a VPS.
I'd still love to see someone manage to reproduce this in something easily repeatable like Docker, but in the meantime for someone hitting the issue, what is the output of the following commands
python -c 'import certbot, requests, urllib3, OpenSSL; print("certbot :", certbot.__version__); print("requests: ", requests.__version__); print("urllib3 :", urllib3.__version__); print("OpenSSL :", OpenSSL.__version__)'
ls /usr/lib/python2.7/site-packages/urllib3/contrib
Interesting. This is the second clean install I made for Centos 7.
This time around I did a clean install using the minimal ISO and it is working. I see the Centos requests package installed is 2.6 as well. Possible that requests was updated since originally having this problem.
python2-requests-2.6.0-0.el7.noarch
[root@centos7 ~]# python -c 'import certbot, requests, urllib3, OpenSSL; print("certbot :", certbot.__version__); print("requests: ", requests.__version__); print("urllib3 :", urllib3.__version__); print("OpenSSL :", OpenSSL.__version__)'
('certbot :', '0.31.0')
('requests: ', '2.6.0')
('urllib3 :', '1.10.2')
('OpenSSL :', '0.13.1')
[root@centos7 ~]# ls /usr/lib/python2.7/site-packages/urllib3/contrib
__init__.py __init__.pyc __init__.pyo ntlmpool.py ntlmpool.pyc ntlmpool.pyo pyopenssl.py pyopenssl.pyc pyopenssl.pyo
[root@centos7 ~]# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
This problem happens for me on centos 7.6 together with ovirt 4.3. Package versions are
from EPEL:
certbot-0.31.0-2.el7.noarch
from ovirt-4.3-centos-opstools:
python2-requests-2.19.1-4.el7.noarch
python2-pyOpenSSL-17.3.0-3.el7.noarch
It seems something weird happens with the urllib3.contrib namespace or something?
>>> import requests
>>> requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
AttributeError: 'module' object has no attribute 'pyopenssl'
>>> import urllib3.contrib.pyopenssl
>>> urllib3.contrib.pyopenssl.inject_into_urllib3()
>>> dir(urllib3.contrib)
['__builtins__', '__doc__', '__file__', '__name__', '__package__', '__path__', 'pyopenssl', 'socks']
>>> from acme import client as acme_client
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.7/site-packages/acme/client.py", line 40, in <module>
urllib3.contrib.pyopenssl.inject_into_urllib3()
AttributeError: 'module' object has no attribute 'pyopenssl'
>>> dir(urllib3.contrib)
['__builtins__', '__doc__', '__file__', '__name__', '__package__', '__path__', 'appengine']
The problem goes away when I do this in acme/client.py:
if sys.version_info < (2, 7, 9): # pragma: no cover
    import requests.packages.urllib3.contrib.pyopenssl # pylint: disable=import-error
    requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3() # type: ignore
This is my solution:
pip install requests==2.6.0
easy_install --upgrade pip
worked for me on CentOS 7
Thanks @monkeyWie - worked for me on CentOS7
This is my solution:
pip install requests==2.6.0
easy_install --upgrade pip
pip install acme
worked for me on Centos 7 after I saw this error
ERROR: certbot 1.0.0 requires acme>=0.40.0, which is not installed.
P.S. Install everything from pip, rather than Centos packages, they are old sometimes
I can confirm that it happens with a clean install of Centos 7.6 using the EPEL repo to add certbot.
Unfortunately, I cannot reproduce it in Docker or a VPS.
I'd still love to see someone manage to reproduce this in something easily repeatable like Docker, but in the meantime for someone hitting the issue, what is the output of the following commands
python -c 'import certbot, requests, urllib3, OpenSSL; print("certbot :", certbot.__version__); print("requests: ", requests.__version__); print("urllib3 :", urllib3.__version__); print("OpenSSL :", OpenSSL.__version__)'
ls /usr/lib/python2.7/site-packages/urllib3/contrib
@bmw my results are as follows:
('certbot :', '1.0.0')
('requests: ', '2.6.0')
('urllib3 :', '1.25.7')
('OpenSSL :', '0.13.1')
_appengine_environ.py appengine.py __init__.py ntlmpool.py pyopenssl.py _securetransport securetransport.pyc socks.pyc
_appengine_environ.pyc appengine.pyc __init__.pyc ntlmpool.pyc pyopenssl.pyc securetransport.py socks.py
which seems okay to me, but these other tests seem to be failing:
$ python -c 'import requests; requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()'
Traceback (most recent call last):
File "<string>", line 1, in <module>
AttributeError: 'module' object has no attribute 'packages'
$ python -c 'import urllib3.contrib.pyopenssl; urllib3.contrib.pyopenssl.inject_into_urllib3()'
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 118, in inject_into_urllib3
_validate_dependencies_met()
File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 160, in _validate_dependencies_met
"'pyOpenSSL' module missing required functionality. "
ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.
The version of urllib3 packaged in RHEL 7 based systems is 1.10.2 but you have 1.25.7. This was probably installed through pip. Removing urllib3 and reinstalling it through yum should resolve this problem.
If you need additional help with this, I recommend posting to https://community.letsencrypt.org where there is a large group of people familiar with Certbot and server administration who should be able to help you.
JFYI. I had the same issue but I don't have pip/pip2 or any pip packages installed manually.
In my case I had centos-release-opstools which brought python2-urllib3 1.21.1-1.el7 and python2-requests 2.19.1-4.el7.
After I disabled that repo and reinstalled relevant packages (they are renamed to python-urllib3 1.10.2-7.el7 and python-requests 2.6.0-8.el7_7 as of CentOS 7.7) issue disappeared.
@grossws, thanks for the info. Do you remember what your error message was?
When I try and recreate that setup Certbot crashes with:
# certbot --help
Traceback (most recent call last):
File "/usr/bin/certbot", line 5, in <module>
from pkg_resources import load_entry_point
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 3011, in <module>
parse_requirements(__requires__), Environment()
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 630, in resolve
raise VersionConflict(dist,req) # XXX put more info here
pkg_resources.VersionConflict: (cryptography 1.7.2 (/usr/lib64/python2.7/site-packages), Requirement.parse('cryptography>=1.9'))
This is because the python2-pyOpenSSL 17.3.0-3.el7 package claims it requires python-cryptography >= 1.3.0, but the dependency as specified in Python is cryptography>=1.9 which is not installed.
@bmw, I had similar stacktrace to one in https://github.com/certbot/certbot/issues/6328#issuecomment-482531925
I tried to reproduce it in container with just epel-release + centos-release-opstools but get same version conflict about cryptography. I looked at original system where I got error and found that I have newer python2-cryptography from centos-release-ovirt42 repo.
So to reproduce you can run docker container with centos:7 and do
yum install -y epel-release centos-release-opstools centos-release-ovirt42
yum install -y certbot
certbot --help
That's a fun one (depending on your definition of fun).
On the centos:7 Docker image, if you run:
yum install -y epel-release centos-release-opstools centos-release-ovirt42
yum install -y python-requests-toolbelt python2-urllib3
python -c 'import urllib3.contrib.pyopenssl; urllib3.contrib.pyopenssl.inject_into_urllib3()'
python -c 'from requests_toolbelt.adapters.source import SourceAddressAdapter; import urllib3.contrib.pyopenssl; urllib3.contrib.pyopenssl.inject_into_urllib3()'
The first Python command will succeed while the second will fail. The only difference is the from requests_toolbelt.adapters.source import SourceAddressAdapter import.
We're planning on dropping Python 2 support in the next few months at which point we get to delete this code. Because of that, the small team that maintains Certbot probably won't be spending much time on this ourselves, but if someone wants to dig into it, I think it'd be good to get whatever is causing this problem reported to the package maintainers.
I'm reopening this for now.
I think the supposition of some form of corruption is correct. I did not have a python2 pip installed, so I'm not sure what I broke. However, this sorted things out:
yum remove python-urllib3
rm -rf /usr/lib/python2.7/site-packages/urllib3 # yes, you need this too
yum reinstall $(yum list installed | grep python | grep -v python3 | awk '{print $1}')
yum install python-urllib3
yum install certbot
Hope that helps somebody.
This worked in my environment (centos 7 with upgraded urllib3 from pip as @bmw described above.. my "pip" command was also returning errors, so needed reinstall):
sudo yum install -y python2-pip
sudo pip uninstall urllib3
sudo yum install -y python-urllib3
Fedora/CentOS certbot maintainer here: Please NEVER install modules to /usr/lib using pip. Some CentOS packages are modified so they don't duplicate existing code or to strengthen security settings. The distro packagers should make sure that all required packages are installed.
You can check your installation for unmanaged Python packages with this command:
LANG=C rpm -qf /usr/lib/python2.7/site-packages/* | grep 'is not owned by any package'
You should not get any output.
Also adding other yum repos can be problematic. Fedora EPEL should work 100% with the base repos from Red Hat/CentOS but we can not take any other repos into account.
If you just have the default CentOS repos (+ EPEL) enabled and you still get crashes please let us know. The best method is to create a Bugzilla issue but @-mentioning me here works as well (for now - certbot maintainers in Fedora/EPEL may change).
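As a complement to the rpm -qf check above, here is an added example (not part of the original thread and not Certbot or EPEL code) that inspects packaging metadata in a site-packages directory and flags projects that pip installed or that are present in more than one version. It assumes pip-installed projects carry a .dist-info/INSTALLER file containing "pip"; the sample tree is constructed from the version numbers reported in this thread, and the function names are hypothetical.

```python
import os
import re
import tempfile

# Matches metadata entries such as urllib3-1.25.7.dist-info or
# urllib3-1.10.2-py2.7.egg-info and captures project name and version.
_META = re.compile(
    r"^(?P<name>[A-Za-z0-9_.]+)-(?P<version>[^-]+)(?:-py[\d.]+)?"
    r"\.(?P<kind>dist-info|egg-info)$"
)


def scan_site_packages(path):
    """Return {project: [(version, installer), ...]} for metadata in path."""
    found = {}
    for entry in sorted(os.listdir(path)):
        match = _META.match(entry)
        if not match:
            continue
        installer = "unknown"
        if match.group("kind") == "dist-info":
            # pip records itself in the INSTALLER file of each .dist-info dir.
            marker = os.path.join(path, entry, "INSTALLER")
            if os.path.isfile(marker):
                with open(marker) as handle:
                    installer = handle.read().strip() or "unknown"
        name = match.group("name").lower().replace("_", "-")
        found.setdefault(name, []).append((match.group("version"), installer))
    return found


def report_conflicts(found):
    """Return {project: [reasons]} for pip-installed or duplicated projects."""
    problems = {}
    for name, records in found.items():
        reasons = []
        if any(installer == "pip" for _, installer in records):
            reasons.append("installed by pip")
        if len(set(version for version, _ in records)) > 1:
            reasons.append("multiple versions")
        if reasons:
            problems[name] = reasons
    return problems


def build_sample_tree():
    """Create a constructed site-packages tree mixing yum and pip metadata."""
    root = tempfile.mkdtemp(prefix="site-packages-")
    for entry in ("urllib3-1.10.2-py2.7.egg-info",
                  "requests-2.6.0-py2.7.egg-info",
                  "pyOpenSSL-0.13.1-py2.7.egg-info"):
        os.mkdir(os.path.join(root, entry))
    pip_meta = os.path.join(root, "urllib3-1.25.7.dist-info")
    os.mkdir(pip_meta)
    with open(os.path.join(pip_meta, "INSTALLER"), "w") as handle:
        handle.write("pip\n")
    return root


if __name__ == "__main__":
    # Point scan_site_packages() at /usr/lib/python2.7/site-packages on a
    # real host; here it runs against the constructed sample.
    tree = build_sample_tree()
    conflicts = report_conflicts(scan_site_packages(tree))
    for project, reasons in sorted(conflicts.items()):
        print("%s: %s" % (project, ", ".join(reasons)))
```

The rpm -qf check remains the authoritative test of file ownership; this only reads metadata, so it will not notice files copied into site-packages without any .dist-info or .egg-info entry.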
@FelixSchwarz, what about CentOS SIG repo packages like centos-release-opstools? I usually use standard repos + epel but fluentd is available only in opstools :(
In some cases I just ended creating virtual env using python3 -mvenv /path/to/new/venv and installing required software there (say certbot + required dns verifier). Thankfully it doesn't pollute /usr/lib.
@grossws Fedora EPEL should work with everything from RHEL Base (so there might be other layered Red Hat products which cause conflicts). All other sources can be incompatible unless these repos are very careful so they don't ship the same stuff as RHEL/EPEL.
I just checked the repos of centos-opstools and immediately noticed a few conflicts with Fedora EPEL:
0.5.6-5.el7, opstools 0.4.6-3.el7 (not relevant for certbot but for borgbackup which I also maintain in Fedora/EPEL)
2.6.0-0.el7, opstools 2.19.1-4.el7
1.10.2-7.el7 (python-urllib3), opstools 1.21.1-1.el7
2.4-1.el7, opstools 2.5-1.el7 (python2-idna)
That doesn't mean the centos-opstools repo does not work with EPEL's certbot packages but there are some conflicts and this is definitively an untested configuration. Also centos-opstools replaces a package in RHEL base which means you should be extra careful as this could also break a lot of stuff in the main distro.
tl;dr: If you use EPEL's certbot packages you should not use other yum/dnf repos as these are likely incompatible. Ask the repo provider for compatibility with RHEL base and Fedora EPEL.
Also I found it was not that hard to contribute to Fedora EPEL so if you are missing a package please consider becoming a package maintainer (ping me if you need guidance).
I think the supposition of some form of corruption is correct. I did not have a python2 pip installed, so I'm not sure what I broke. However, this sorted things out:
yum remove python-urllib3
rm -rf /usr/lib/python2.7/site-packages/urllib3 # yes, you need this too
yum reinstall $(yum list installed | grep python | grep -v python3 | awk '{print $1}')
yum install python-urllib3
yum install certbot
Hope that helps somebody.
This helped in my case (other solutions from this topic didn't). Thank you.