AttributeError: 'module' object has no attribute 'rand' has occurred at acme/acme/crypto_util.py with >=pyOpenSSL-17.2.0 #5111

Closed
darkcircle opened this issue Sep 14, 2017 · 19 comments

@darkcircle
Contributor

darkcircle commented Sep 14, 2017

My operating system is (include version):

CentOS 6.9

I installed Certbot with (certbot-auto, OS package manager, pip, etc):

pip

I ran this command and it produced this output:

certbot certonly --standalone -d domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for domain.com
Cleaning up challenges
An unexpected error occurred:
AttributeError: 'module' object has no attribute 'rand'
Please see the logfiles in /var/log/letsencrypt for more details.

Certbot's behavior differed from what I expected because:

There should not be any message related to an error.

Here is a Certbot log showing the issue (if available):

2017-09-14 07:14:31,235:DEBUG:certbot.error_handler:Calling registered functions
2017-09-14 07:14:31,235:INFO:certbot.auth_handler:Cleaning up challenges
2017-09-14 07:14:31,235:DEBUG:certbot.plugins.standalone:Stopping server at :::443...
2017-09-14 07:14:31,727:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    sys.exit(main())
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 755, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 694, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 77, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 297, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 318, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 74, in get_authorizations
    resp = self._solve_challenges()
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 115, in _solve_challenges
    resp = self.auth.perform(self.achalls)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 221, in perform
    return [self._try_perform_single(achall) for achall in achalls]
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 226, in _try_perform_single
    return self._perform_single(achall)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 234, in _perform_single
    servers, response = self._perform_tls_sni_01(achall)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 252, in _perform_tls_sni_01
    response, (cert, _) = achall.response_and_validation(cert_key=self.key)
  File "/usr/lib/python2.7/site-packages/certbot/achallenges.py", line 54, in response_and_validation
    self.account_key, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 205, in response_and_validation
    self.validation(account_key, *args, **kwargs))
  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 506, in validation
    return self.response(account_key).gen_cert(key=kwargs.get('cert_key'))
  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 417, in gen_cert
    'dummy', self.z_domain.decode()], force_san=True), key
  File "/usr/lib/python2.7/site-packages/acme/crypto_util.py", line 246, in gen_ss_cert
    cert.set_serial_number(int(binascii.hexlify(OpenSSL.rand.bytes(16)), 16))
AttributeError: 'module' object has no attribute 'rand'

Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring:

darkcircle pushed a commit to darkcircle/certbot that referenced this issue Sep 14, 2017
@eko

eko commented Sep 14, 2017

I have the same issue, thank you for your report 👍

@margeson

likewise

@SwartzCr
Contributor

@bmw wanna review the associated PR?

@bmw bmw closed this as completed in f6be07d Sep 15, 2017
bmw pushed a commit that referenced this issue Sep 19, 2017
bmw added a commit that referenced this issue Sep 20, 2017
@bmw bmw added this to the 0.18.2 milestone Sep 20, 2017
uqs pushed a commit to freebsd/freebsd-ports that referenced this issue Sep 25, 2017
certbot produces an error [1] when used with versions of pyOpenSSL > 17.2.0,
whose port was recently updated [2] to 17.3.0.

This version update contains a fix for that issue.

While I'm here, improve pkg-message usage invocation example and provide
a link to documentation

[1] certbot/certbot#5111
[2] http://svnweb.freebsd.org/changeset/ports/450350

Reported by:	Daniel Boothby (via private email)
Approved by:	cpm (py-acme maintainer)


git-svn-id: svn+ssh://svn.freebsd.org/ports/head@450577 35697150-7ecd-e111-bb59-0022644237b5
@lc-thomas

This is a quick fix:

crypto_util.py, line 246 (check your error log for details)

# hotfix - replace :
#    cert.set_serial_number(int(binascii.hexlify(OpenSSL.rand.bytes(16)), 16))
# with :
import os
cert.set_serial_number(int(binascii.hexlify(os.urandom(16)), 16))

rsaeks added a commit to rsaeks/certbot-asa that referenced this issue Nov 6, 2017
Reference to issue: certbot/certbot#5111
Replacing OpenSSL.rand.bytes with os.urandom
@yhvicey

yhvicey commented Nov 27, 2017

Still exists in python-certbot-nginx installed via apt

@SwartzCr
Contributor

@yhvicey on what OS? Can you give us an output of all of the associated package/library versions?

@wandering213

wandering213 commented Nov 28, 2017

@SwartzCr In my case anyway it's in Ubuntu 16.04, 0.19.0-1+ubuntu16.04.1+certbot+1

@SwartzCr
Contributor

@wandering213 do you think you could re-install certbot from the ppa to get the 17.10 version and then see if this persists?

@wandering213

Whoops, I misspoke; on that server I'm running 16.04 (corrected in my comment)

@wandering213

wandering213 commented Nov 29, 2017

Reinstalling gets me VersionConflict (acme 0.19.0 (/usr/lib/python2.7/dist-packages), Requirement.parse('acme==0.15.0')). Manually updating certbot-nginx with pip fixed the problem

@SwartzCr
Contributor

Could you do me a favor and compare the versions of the certbot-related packages in the output of pip freeze to the corresponding system packages (installed via the PPA)?
You'll probably want to take the packages output by pip freeze and run dpkg -l | grep PKGNAME
Assuming certbot is the only thing installed via pip, you can take all of the packages listed; if not, I can help you find a list of our dependencies.

@SwartzCr
Contributor

I think the issue is that you had old packages held in pip that didn't have this issue resolved. While updating certbot in pip has gotten you newer versions of these packages with this issue fixed, we generally don't recommend that people install certbot via pip, since that will have you end up with two versions of all of the python libraries we rely on, one set managed by pip and another managed by your package manager.
Considering you already have the apt version installed, I would uninstall the pip version and all of its dependencies, which should fix your issue, and ensure that this doesn't happen again - since the apt version will update your dependencies when you run update/upgrade on your machine.
pip uninstall unfortunately doesn't remove dependencies, so you may want to use pip-autoremove: https://github.com/invl/pip-autoremove
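
Added example (not part of the thread and not certbot's code): the duplicate-install check described in the two comments above, done from inside the interpreter by listing every distribution that appears in more than one path entry, first hit first. It assumes Python 3.8+ for importlib.metadata; the function names and the temporary directory tree are constructed for the example, with version strings borrowed from this thread.

```python
import os
import re
import sys
import tempfile
from collections import defaultdict
from importlib import metadata  # Python 3.8+


def find_shadowed_distributions(search_path=None):
    """Map each distribution found in more than one path entry to its
    [(version, location), ...] hits, in path order."""
    found = defaultdict(list)
    for entry in (sys.path if search_path is None else search_path):
        if not entry or not os.path.isdir(entry):
            continue
        # Query one entry at a time so every hit can be attributed to it.
        for dist in metadata.distributions(path=[entry]):
            name = dist.metadata.get("Name")
            if not name:
                continue  # damaged or metadata-less install record
            key = re.sub(r"[-_.]+", "-", name).lower()  # PEP 503 normalisation
            hit = (dist.metadata.get("Version"), entry)
            if hit not in found[key]:
                found[key].append(hit)
    return {key: hits for key, hits in found.items() if len(hits) > 1}


def build_sample_tree(root):
    """Constructed sample: an apt-style and a pip-style directory that both
    carry 'acme' (version strings borrowed from the thread)."""
    layout = {
        "dist-packages": [("acme", "0.19.0"), ("pyOpenSSL", "17.3.0")],
        "site-packages": [("acme", "0.15.0")],
    }
    paths = []
    for dirname, dists in layout.items():
        for name, version in dists:
            info = os.path.join(root, dirname, "%s-%s.dist-info" % (name, version))
            os.makedirs(info)
            with open(os.path.join(info, "METADATA"), "w") as fh:
                fh.write("Metadata-Version: 2.1\nName: %s\nVersion: %s\n\n" % (name, version))
        paths.append(os.path.join(root, dirname))
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, hits in find_shadowed_distributions(build_sample_tree(tmp)).items():
            print(name, hits)
```

Calling find_shadowed_distributions() with no argument scans the running interpreter's own sys.path; any name it returns is installed twice and is a candidate for the pip/apt mix-up discussed here.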

@FrankWouda

Okay I understand that certbot 0.10.2 is too old and results in this issue, however, there is no backports to jessie available of a version that works correct? So how should I proceed on my RPi 3?

@SwartzCr
Contributor

@FrankWouda Are you getting the same error on your raspberry pi? Or do you just think that you will?
The version of pyOpenSSL in jessie backports is 16, so it shouldn't have this problem

@FrankWouda

I was getting the error, however I bypassed it using the virtual environment implementation

@SwartzCr
Contributor

SwartzCr commented Dec 1, 2017

Great!

@Sese-Schneider

Same issue still existing here

@SwartzCr
Contributor

@Sese-Schneider have you tried any of the solutions discussed above?

@xeyownt

xeyownt commented Sep 3, 2018

@lux-lth Thanks for the tip, that did it for me.

In my case, I had to edit the file /usr/lib/python2.7/dist-packages/acme/crypto_util.py.

Otherwise, I noticed that I had indeed package python-openssl=18.0.0-1 from Debian/testing, whereas on another server with a working certbot setup (also on Jessie + backports), I had only python-openssl=16.0.0-1~bpo8+1. So I'm reverting to that older version, and hopefully this should fix it for next renewal.

@FrankWouda certbot from jessie-backports should work fine (0.10.2-1~bpo8+1), however you need to make sure you don't have packages contaminated with a newer version.

svmhdvn pushed a commit to svmhdvn/freebsd-ports that referenced this issue Jan 10, 2024