7

I'm trying to renew a Let's Encrypt certificate with Certbot. It stopped working and I don't know why. Here is the error:

    ImportError: /root/.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so: undefined symbol: OPENSSL_sk_num

I have the newest OpenSSL version installed:

OpenSSL 1.1.0d  26 Jan 2017

I tried debugging this problem by doing the following. First I just tried import OpenSSL in the Python console. It worked perfectly, no errors. But when I try

    . ~/.local/share/letsencrypt/bin/activate

and then >>> import OpenSSL, I get this error:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/rand.py", line 12, in <module>
    from OpenSSL._util import (
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /root/.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so: undefined symbol: OPENSSL_sk_num

I tried removing the /root/.local/share/letsencrypt/ path and then ran certbot-auto again. I still get the same error. Is there anyone who has faced this problem and knows the solution? Please help me out here. I need to renew a few certificates.

UPDATE:

I've found the source of the problem: in the /lib/x86_64-linux-gnu directory there is an old version of libssl.so.1.0.0 and it doesn't have OPENSSL_sk_num. When I try to replace it with the newer version libssl1.1 (it does have OPENSSL_sk_num), I get an error that it requires OPENSSL_VERSION 1.0.1. Then, after some struggle deleting libraries from /usr directories and local directories, I get the error ImportError: libssl.so.1.0.0: cannot open shared object file: No such file or directory. How can I change it so letsencrypt uses the newer library?

SOLUTION

After some struggle, I just reinstalled openssl version 1.1.0c, copied the letsencrypt library from another project, and it worked. I think some upgrade ruined it. So I suggest that everyone running letsencrypt just use the --no-self-upgrade option.

SOLUTION UPDATE

After encountering this problem one more time, I decided to resolve it the correct way. So basically you need to recompile openssl 1.1.0c with the commands:

    ./config -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)'
    make

Copy the compiled libcrypto.so.1.1 and libssl.so.1.1 to /usr/lib/x86_64-linux-gnu.

Then you need to redo or just modify the libcrypto and libssl symlinks. While in the /usr/lib/x86_64-linux-gnu folder, enter the commands ln -s libssl.so.1.1 libssl and ln -s libcrypto.so.1.1 libcrypto.

Then enter following commands:

cd ~/.local/share/letsencrypt/bin/
./pip uninstall cryptography pyopenssl -y
./pip install --upgrade pip
rm -rf ~/.cache/
./pip install cryptography pyopenssl

And you're done, everything should work correctly.

  • Just a guess, but drop back to OpenSSL 1.0.2 line. A lot of symbols changed in 1.1.0, and some visibility changed. OpenSSL 1.0.2 and OpenSSL 1.1.0 are *not* binary compatible. – jww Feb 08 '17 at 13:23
  • I don't know how to completely delete the new version from the distribution, because I have deleted everything I found with the command whereis openssl. Then I ran the command apt-get remove openssl. Then I just installed with apt-get install openssl. Now my version is OpenSSL 1.0.1f 6 Jan 2014 and I still can't renew. Any ideas? – Žygimantas Baranauskas Feb 08 '17 at 13:46
  • @ŽygimantasBaranauskas Is it still the same error? – glibdud Feb 08 '17 at 13:55
  • @glibdud Yes error is still the same. Nothing changed. – Žygimantas Baranauskas Feb 08 '17 at 13:57
  • Looks like there's a [related issue](https://github.com/certbot/certbot/issues/1646) on certbot's github. – glibdud Feb 08 '17 at 13:59
  • @glibdud Tried every solution. Nothing helps. I don't know what they mean about libssl-dev. How can I install it matching? – Žygimantas Baranauskas Feb 08 '17 at 14:05
  • *"I don't know what they mean about libssl-dev. How can I install it matching..."* - See [How do I install the OpenSSL libraries on Ubuntu?](http://stackoverflow.com/q/3016956/608639) – jww Feb 08 '17 at 17:09
  • @jww Tried it; yum doesn't have any repos in Ubuntu somehow. This is bumming me out. – Žygimantas Baranauskas Feb 09 '17 at 10:13
  • @jww - I kind of found the problem source. It's the library in the directory lib/x86_64-linux-gnu. When I try to replace it with a newer version of libssl, the error changes to OPENSSL_VERSION1.0.1, not the SUM one. Is there any way to change the default libssl that letsencrypt is using? LD_PATH_LIBRARY, how to change it? – Žygimantas Baranauskas Feb 09 '17 at 11:34
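
A way to check what the UPDATE above describes, as an added example that is not part of the original question: it reads `ldd` output to see which libssl/libcrypto the cryptography binding resolves to, and `nm -D` output to see whether that library exports OPENSSL_sk_num. The function names and the sample tool output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added diagnostic sketch (not from the original post). Sample tool output is constructed.

# From `ldd` output on stdin, print each libssl/libcrypto soname and the path
# the loader resolved it to, or NOT-FOUND when ldd reports "not found".
resolved_openssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
        print $1, ($3 == "not" ? "NOT-FOUND" : $3)
    }'
}

# Succeed if `nm -D` output on stdin defines symbol $1. Undefined (U) entries
# are ignored and a version suffix such as @@OPENSSL_1_1_0 is stripped.
exports_symbol() {
    awk -v sym="$1" '
        NF >= 2 && $(NF-1) != "U" { n = $NF; sub(/@.*/, "", n); if (n == sym) found = 1 }
        END { exit !found }'
}

# Live check: which libraries does the binding load, and do they export the symbol?
diagnose() {  # usage: diagnose /path/to/_openssl.so [symbol]
    local so="$1" sym="${2:-OPENSSL_sk_num}" name path
    ldd "$so" | resolved_openssl_libs | while read -r name path; do
        if [ "$path" = NOT-FOUND ]; then
            echo "$name: not found by the loader"
        elif nm -D --defined-only "$path" | exports_symbol "$sym"; then
            echo "$name ($path): exports $sym"
        else
            echo "$name ($path): does not export $sym"
        fi
    done
}

# Constructed samples: ldd output for a binding still tied to the 1.0.0 sonames,
# and nm -D output for a 1.0.x and a 1.1.0 libcrypto.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd0a1f2000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f1c2a000000)
    libcrypto.so.1.0.0 => not found
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29c00000)'
SAMPLE_NM_10='000000000012a3b0 T sk_num
                 U malloc'
SAMPLE_NM_11='0000000000174c20 T OPENSSL_sk_num@@OPENSSL_1_1_0
                 U malloc@GLIBC_2.2.5'

if [ "$#" -gt 0 ]; then diagnose "$@"; fi
```

Run it with the path to the virtualenv's _openssl.so as the first argument. `ldd` can execute code from the file it inspects, so only point it at binaries you trust.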

3 Answers

3

It looks like in version 1.1.0f of openssl the symbol OPENSSL_sk_num has moved to libcrypto.a. The build of python 3 didn't seem to link that in, hence the missing symbol. However, I was mistaken. When the file Modules/Setup.dist is modified to pick up your own version of openssl, you need to copy it to Modules/Setup, otherwise it will use the already installed ssl.

Dmitriy
AndrewMarlow
0

I also had the undefined symbol: OPENSSL_sk_num error after compiling openssl myself. I could solve the problem by removing the openssl directory in ~/.local/share, which was created earlier, and starting over. It has to be some caching and/or wrong library path issue.

SoJeN
0

I met this error when installing Python 3.6.2 on CentOS 7. It had openssl 1.0.1e installed, and I downloaded openssl 1.1.0e. After the following steps it works correctly.

    cd ${openssl_src_path}

In my case ${openssl_src_path} is '/usr/local/server/openssl-1.1.0e'.

    # OpenSSL's build script is ./config (the source tree has no ./configure)
    ./config --prefix=/usr/local --openssldir=/usr/local/openssl
    make
    make test
    make install

After OpenSSL is installed correctly, install Python 3.6.2:

    cd ${python_src_path}/Modules

Modify the 'Setup' file; changes:

    SSL=/usr/local/openssl
    _ssl _ssl.c \
        -DUSE_SSL -I/usr/local/openssl/include -I/usr/local/openssl/include/openssl \
        -L/usr/local/openssl/lib -lssl -lcrypto

'SSL=/usr/local/openssl' is the value of the OpenSSL install parameter '--openssldir', and make sure the DUSE_SSL directory exists.

cd ${python_src_path}
./configure
make
make install

Hope it helps.

wu knife