Sudhakar Rayavaram
Problem solver (And maker),
Inquisitive (Root to most of my problems),
Software craftsman (Don't ask for estimates)

Works at TarkaLabs

Tech guy behind SportIndia.in

Battle with certbot auto in amazon linux instance
01 Feb 2018

One of my cloud servers is an Amazon Linux instance with certbot installed for letsencrypt certificates. Unfortunately, certbot is not fully supported on Amazon Linux and the suggestion is to run certbot in --debug mode

I was quite successful for around a year in renewing certificates without much trouble. But, not today

I started the ritual by running the following command. sudo is needed as certbot needs to have more control to modify, edit files, start & stop servers

sudo /usr/local/bin/certbot-auto --nginx certonly --debug

Bam! Greeted with this cryptic (for me) error

Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 8, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 4, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/rand.py", line 12, in <module>
    from OpenSSL._util import (
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding

Ok, I don’t understand what I can do about certbot not being able to get the currently installed version. But the last line gave the clue. After some googling I found that the cryptography package is missing! But how did it work the last time (3 months before)? I still do not know

Amazon linux instance comes installed with python 2.7 and based on the error, I went ahead and installed the cryptography package. But, it did not fix the issue. This is where it got super confusing

After breaking my head with google for a very long time, I realized that certbot will not use the default python installation but downloads its own copy to this location

/opt/eff.org/certbot/venv/bin

After installing the cryptography package for this python, things started to look bright.

cd /opt/eff.org/certbot/venv/local/bin
sudo ./pip install cryptography

It did not work, but it at least showed a different error message :)

sudo /usr/local/bin/certbot-auto --nginx certonly --debug
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 11, in <module>
    import zope.component
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/__init__.py", line 16, in <module>
    from zope.interface import Interface
ImportError: No module named interface
[ec2-user@ip-172-31-20-177 bin]$ /usr/local/bin/certbot-auto --nginx certonly --debug
Requesting to rerun /usr/local/bin/certbot-auto with root privileges...
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 11, in <module>
    import zope.component
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/__init__.py", line 16, in <module>
    from zope.interface import Interface
ImportError: No module named interface

This time it is the zope.interface package. Again, I have no clue how it went missing

sudo ./pip install zope.interface

After this, I was able to get the certificate renewed from letsencrypt.

Was one hell of a ride. But, with a happy ending! :)
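
The root cause above was that certbot-auto runs from its own virtualenv, so a package installed into the system Python never reaches it. As an added example (not code from the original post), this script tests the two imports from the tracebacks with the venv's own interpreter and prints pip commands that target that venv; the function names and the `bin/python` and `bin/pip` layout under the venv are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for the interpreter certbot-auto really uses.
# Assumptions: venv path from the post, with python and pip under bin/.
# All function names are hypothetical.

# The two modules the tracebacks reported as missing.
LEAF_IMPORTS="cryptography.hazmat.bindings.openssl.binding zope.interface"

# Print every module the given interpreter cannot import; status 1 if any.
missing_modules() {
    mm_py=$1; shift
    mm_rc=0
    for mm_mod in "$@"; do
        if ! "$mm_py" -c "import $mm_mod" >/dev/null 2>&1; then
            echo "$mm_mod"
            mm_rc=1
        fi
    done
    return "$mm_rc"
}

# Map an import name to the distribution pip installs it from.
dist_name() {
    case $1 in
        cryptography.*) echo cryptography ;;
        *)              echo "$1" ;;
    esac
}

# Status: 0 = imports work, 1 = module missing (pip commands printed),
# 2 = no interpreter in the venv, 3 = certbot.main fails for another reason.
check_certbot_venv() {
    cv_venv=${1:-/opt/eff.org/certbot/venv}
    cv_py=$cv_venv/bin/python
    if [ ! -x "$cv_py" ]; then
        echo "no interpreter at $cv_py" >&2
        return 2
    fi
    # Word splitting of LEAF_IMPORTS is intended.
    if cv_missing=$(missing_modules "$cv_py" $LEAF_IMPORTS); then
        # Same import the letsencrypt entry point performs in the traceback.
        cv_err=$("$cv_py" -c "from certbot.main import main" 2>&1) && return 0
        echo "certbot.main still fails: $(echo "$cv_err" | tail -n 1)" >&2
        return 3
    fi
    for cv_mod in $cv_missing; do
        echo "sudo $cv_venv/bin/pip install $(dist_name "$cv_mod")"
    done
    return 1
}

# Run only when a venv path is given, e.g.: sh check.sh /opt/eff.org/certbot/venv
if [ "$#" -gt 0 ]; then check_certbot_venv "$1"; fi
```

Running the same check against `/usr/bin/python` and against the venv interpreter shows at a glance which of the two is missing the package.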