AttributeError: module 'OpenSSL' has no attribute 'rand' #5123

Closed
zxvfxwing opened this issue Sep 20, 2017 · 9 comments

zxvfxwing commented Sep 20, 2017

My operating system is (include version):

ArchLinux -- 4.12.13-1-ARCH

I installed Certbot with (certbot-auto, OS package manager, pip, etc):

pacaur -S certbot

All "openssl" installed on my system (pacaur -Qs openssl):


local/libcurl-openssl-1.0 7.54.1-1
    An URL retrieval library (build against openssl-1.0)
local/lua51-sec 2:0.6-2
    Lua bindings for OpenSSL library to provide TLS/SSL communication.
local/openssl 1.1.0.f-2
    The Open Source toolkit for Secure Sockets Layer and Transport Layer Security
local/openssl-1.0 1.0.2.l-1
    The Open Source toolkit for Secure Sockets Layer and Transport Layer Security
local/pkcs11-helper 1.22-2
    A library that simplifies the interaction with PKCS11 providers for end-user applications using a
    simple API and optional OpenSSL engine
local/python-pyopenssl 17.3.0-1
    Python3 wrapper module around the OpenSSL library
local/python2-pyopenssl 17.3.0-1
    Python2 wrapper module around the OpenSSL library
local/python2-service-identity 17.0.0-1
    Service identity verification for pyOpenSSL

I ran this command and it produced this output:

certbot --nginx --rsa-key-size 4096 certonly

2017/09/20 18:43:06 [notice] 7251#7251: signal process started
An unexpected error occurred:
AttributeError: module 'OpenSSL' has no attribute 'rand'
Please see the logfiles in /var/log/letsencrypt for more details.

Certbot's behavior differed from what I expected because:

I just wanted to renew and create certificates :/

Here is a Certbot log showing the issue (if available):

Logs are stored in /var/log/letsencrypt by default. Feel free to redact domains, e-mail and IP addresses as you see fit.

2017-09-20 16:42:57,034:DEBUG:certbot.main:certbot version: 0.18.1
2017-09-20 16:42:57,038:DEBUG:certbot.main:Arguments: ['--nginx', '--rsa-key-size', '4096']
2017-09-20 16:42:57,040:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-09-20 16:42:57,108:DEBUG:certbot.log:Root logging level set at 20
2017-09-20 16:42:57,111:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-09-20 16:42:57,113:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2017-09-20 16:43:00,094:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7f9b2a5b2198>
Prep: True
2017-09-20 16:43:00,101:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7f9b2a5b2198>
Prep: True
2017-09-20 16:43:00,102:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7f9b2a5b2198> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7f9b2a5b2198>
2017-09-20 16:43:00,102:INFO:certbot.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2017-09-20 16:43:00,121:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f9b292a55f8>)>), contact=('mailto:zxvfxwing@protonmail.com',), agreement='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', status=None), uri='https://acme-v01.api.letsencrypt.org/acme/reg/17652395', new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), 03bc95c11156e67eca52dddadf24c025, Meta(creation_dt=datetime.datetime(2017, 6, 22, 14, 55, 47, tzinfo=), creation_host='sd-122362.dedibox.fr'))>
2017-09-20 16:43:00,127:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-09-20 16:43:00,136:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-09-20 16:43:00,447:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 561
2017-09-20 16:43:00,449:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 561
Replay-Nonce: Bzyp1XWBWGoJTqkfOPYSPXviyPYa7GIg8CcTQjLr9pA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 20 Sep 2017 16:43:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 20 Sep 2017 16:43:00 GMT
Connection: keep-alive

b'{\n "5a3xNMbOszI": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",\n "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",\n "meta": {\n "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"\n },\n "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2017-09-20 16:43:03,082:INFO:certbot.main:Obtaining a new certificate
2017-09-20 16:43:03,083:DEBUG:acme.client:Requesting fresh nonce
2017-09-20 16:43:03,083:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-09-20 16:43:03,283:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2017-09-20 16:43:03,285:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: ZyKM9z-jneYWHgK3R0ysxBdSCx1LM29ykYaWR9_U4Fg
Expires: Wed, 20 Sep 2017 16:43:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 20 Sep 2017 16:43:03 GMT
Connection: keep-alive

b''
2017-09-20 16:43:03,285:DEBUG:acme.client:Storing nonce: ZyKM9z-jneYWHgK3R0ysxBdSCx1LM29ykYaWR9_U4Fg
2017-09-20 16:43:03,286:DEBUG:acme.client:JWS payload:
b'{\n "identifier": {\n "type": "dns",\n "value": "cloud.spokonline.net"\n },\n "resource": "new-authz"\n}'
2017-09-20 16:43:03,302:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
"protected": "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",
"signature": "i-2oENdfvSIK_wR__l_5FC_z2Brp_fsfx0ZyJk6S3s0lAU7xiduJ4nSvpQlcEF8j5b7syb0-GsucyVFJVQahZ2esCiFmuWtyWXCV-gAtFx9cbzNCAEuiwv31rjha0T7meg6ROZBTg0YS1JMTDTTUt8_j3Pznvf6x6ctwI_Iq-Ad59Wm-8qd6Np9FWtVtdI27oxyY6lji4awz1zmVC0A2gYe5WfjLF4gtPAiLc-DPIXTica3h252y7H2SI9WhvXvWPglK-whCfxUQbiNQh9qAk7Z77_m6wu1g-LoFGt7MUFyQ9Gz3uQjI3417n651wRxaREnATELHd9fiMYaGgzWywg",
"payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwKICAgICJ2YWx1ZSI6ICJjbG91ZC5zcG9rb25saW5lLm5ldCIKICB9LAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0"
}
2017-09-20 16:43:03,532:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 998
2017-09-20 16:43:03,534:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 998
Boulder-Requester: 17652395
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/qixxJ83cL6u6uQ4SieZh6aYLpQkb33n9P7ynfDkgbdw
Replay-Nonce: epBaoL0imfUvTvWr1jHQWyd1GWfSi2-4rBXFJP2TKUo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 20 Sep 2017 16:43:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 20 Sep 2017 16:43:03 GMT
Connection: keep-alive

b'{\n "identifier": {\n "type": "dns",\n "value": "cloud.spokonline.net"\n },\n "status": "pending",\n "expires": "2017-09-27T15:55:13Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/qixxJ83cL6u6uQ4SieZh6aYLpQkb33n9P7ynfDkgbdw/2027324128",\n "token": "KcHGpyG7lx3Te1ezbGiAQ_QgyftbAxJGbma_66ivYyg"\n },\n {\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/qixxJ83cL6u6uQ4SieZh6aYLpQkb33n9P7ynfDkgbdw/2027324129",\n "token": "BbaMUfSLp3586o7NZKwsBUnxqmixDApYdSNxdvngqPw"\n },\n {\n "type": "http-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/qixxJ83cL6u6uQ4SieZh6aYLpQkb33n9P7ynfDkgbdw/2027324130",\n "token": "s-6iIsxLdsbOYsUYpqPuI4dxrxABjV-NvBCyNoDWZY8"\n }\n ],\n "combinations": [\n [\n 1\n ],\n [\n 2\n ],\n [\n 0\n ]\n ]\n}'
2017-09-20 16:43:03,534:DEBUG:acme.client:Storing nonce: epBaoL0imfUvTvWr1jHQWyd1GWfSi2-4rBXFJP2TKUo
2017-09-20 16:43:03,536:INFO:certbot.auth_handler:Performing the following challenges:
2017-09-20 16:43:03,537:INFO:certbot.auth_handler:tls-sni-01 challenge for cloud.spokonline.net
2017-09-20 16:43:04,211:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/certbot/auth_handler.py", line 115, in _solve_challenges
resp = self.auth.perform(self.achalls)
File "/usr/lib/python3.6/site-packages/certbot_nginx/configurator.py", line 767, in perform
sni_response = chall_doer.perform()
File "/usr/lib/python3.6/site-packages/certbot_nginx/tls_sni_01.py", line 69, in perform
responses = [self._setup_challenge_cert(x) for x in self.achalls]
File "/usr/lib/python3.6/site-packages/certbot_nginx/tls_sni_01.py", line 69, in
responses = [self._setup_challenge_cert(x) for x in self.achalls]
File "/usr/lib/python3.6/site-packages/certbot/plugins/common.py", line 374, in _setup_challenge_cert
cert_key=cert_key)
File "/usr/lib/python3.6/site-packages/certbot/achallenges.py", line 54, in response_and_validation
self.account_key, *args, **kwargs)
File "/usr/lib/python3.6/site-packages/acme/challenges.py", line 205, in response_and_validation
self.validation(account_key, *args, **kwargs))
File "/usr/lib/python3.6/site-packages/acme/challenges.py", line 506, in validation
return self.response(account_key).gen_cert(key=kwargs.get('cert_key'))
File "/usr/lib/python3.6/site-packages/acme/challenges.py", line 417, in gen_cert
'dummy', self.z_domain.decode()], force_san=True), key
File "/usr/lib/python3.6/site-packages/acme/crypto_util.py", line 246, in gen_ss_cert
cert.set_serial_number(int(binascii.hexlify(OpenSSL.rand.bytes(16)), 16))
AttributeError: module 'OpenSSL' has no attribute 'rand'

2017-09-20 16:43:04,212:DEBUG:certbot.error_handler:Calling registered functions
2017-09-20 16:43:04,212:INFO:certbot.auth_handler:Cleaning up challenges
2017-09-20 16:43:04,213:WARNING:certbot.reverter:File:
 - Could not be found to be deleted /var/lib/letsencrypt/BbaMUfSLp3586o7NZKwsBUnxqmixDApYdSNxdvngqPw.pem - Certbot probably shut down unexpectedly
2017-09-20 16:43:04,214:WARNING:certbot.reverter:File:
 - Could not be found to be deleted /var/lib/letsencrypt/BbaMUfSLp3586o7NZKwsBUnxqmixDApYdSNxdvngqPw.crt - Certbot probably shut down unexpectedly
2017-09-20 16:43:08,108:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.18.1', 'console_scripts', 'certbot')()
File "/usr/lib/python3.6/site-packages/certbot/main.py", line 755, in main
return config.func(config, plugins)
File "/usr/lib/python3.6/site-packages/certbot/main.py", line 694, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3.6/site-packages/certbot/main.py", line 82, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3.6/site-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3.6/site-packages/certbot/client.py", line 318, in obtain_certificate
self.config.allow_subset_of_names)
File "/usr/lib/python3.6/site-packages/certbot/auth_handler.py", line 74, in get_authorizations
resp = self._solve_challenges()
File "/usr/lib/python3.6/site-packages/certbot/auth_handler.py", line 115, in _solve_challenges
resp = self.auth.perform(self.achalls)
File "/usr/lib/python3.6/site-packages/certbot_nginx/configurator.py", line 767, in perform
sni_response = chall_doer.perform()
File "/usr/lib/python3.6/site-packages/certbot_nginx/tls_sni_01.py", line 69, in perform
responses = [self._setup_challenge_cert(x) for x in self.achalls]
File "/usr/lib/python3.6/site-packages/certbot_nginx/tls_sni_01.py", line 69, in
responses = [self._setup_challenge_cert(x) for x in self.achalls]
File "/usr/lib/python3.6/site-packages/certbot/plugins/common.py", line 374, in _setup_challenge_cert
cert_key=cert_key)
File "/usr/lib/python3.6/site-packages/certbot/achallenges.py", line 54, in response_and_validation
self.account_key, *args, **kwargs)
File "/usr/lib/python3.6/site-packages/acme/challenges.py", line 205, in response_and_validation
self.validation(account_key, *args, **kwargs))
File "/usr/lib/python3.6/site-packages/acme/challenges.py", line 506, in validation
return self.response(account_key).gen_cert(key=kwargs.get('cert_key'))
File "/usr/lib/python3.6/site-packages/acme/challenges.py", line 417, in gen_cert
'dummy', self.z_domain.decode()], force_san=True), key
File "/usr/lib/python3.6/site-packages/acme/crypto_util.py", line 246, in gen_ss_cert
cert.set_serial_number(int(binascii.hexlify(OpenSSL.rand.bytes(16)), 16))
AttributeError: module 'OpenSSL' has no attribute 'rand'

@cube-drone

I, too, am experiencing this issue, on an Ubuntu 16.04 install.

I think the solution might be merged into master already, but it won't go live until they release 0.18.2?

Member

bmw commented Sep 20, 2017

Yes. This is a duplicate of #5111 and we're planning on releasing 0.18.2 in the next couple hours with a fix for this issue.

Sorry for the trouble!

bmw closed this as completed Sep 20, 2017
bmw added the duplicate label Sep 20, 2017
@eusonlito

@bmw, is the release available on the main Ubuntu repository? http://ppa.launchpad.net/certbot/certbot/ubuntu

Last available version is 0.17.0

Thanks.

Member

bmw commented Sep 22, 2017

Our PPA is maintained by Debian maintainers who take the Certbot packages from Debian unstable which is still at 0.17.0 as well.

How did you install pyOpenSSL 17.3.0 on your system? That version isn't packaged in any Ubuntu release according to https://packages.ubuntu.com/search?suite=all&section=all&arch=any&keywords=python-openssl&searchon=names.


eusonlito commented Sep 22, 2017

python-openssl was installed by certbot installation:

$ apt list -a --installed python-openssl

Listing... Done
python-openssl/xenial,xenial,now 17.0.0-0+certbot~xenial+1 all [installed,automatic]
python-openssl/xenial,xenial,xenial,xenial 0.15.1-2build1 all

$ apt-cache policy python-openssl

python-openssl:
  Installed: 17.0.0-0+certbot~xenial+1
  Candidate: 17.0.0-0+certbot~xenial+1
  Version table:
 *** 17.0.0-0+certbot~xenial+1 500
        500 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 Packages
        500 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main i386 Packages
        100 /var/lib/dpkg/status
     0.15.1-2build1 500
        500 http://mirror.hetzner.de/ubuntu/packages xenial/main amd64 Packages
        500 http://mirror.hetzner.de/ubuntu/packages xenial/main i386 Packages
        500 http://de.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        500 http://de.archive.ubuntu.com/ubuntu xenial/main i386 Packages

Member

bmw commented Sep 22, 2017

But the version of python-openssl available in our PPA isn't affected by this issue. Only pyOpenSSL 17.3.0+ is affected and our PPA contains version 17.0.0.

If you're seeing this issue, I think you have another version of pyOpenSSL installed on your system. Possibly a version installed from pip?


cube-drone commented Sep 22, 2017

setup.py

install_requires = [
    'acme=={0}'.format(version),
    # We technically need ConfigArgParse 0.10.0 for Python 2.6 support, but
    # saying so here causes a runtime error against our temporary fork of 0.9.3
    # in which we added 2.6 support (see #2243), so we relax the requirement.
    'ConfigArgParse>=0.9.3',
    'configobj',
    'cryptography>=1.2',  # load_pem_x509_certificate
    'mock',
    'parsedatetime>=1.3',  # Calendar.parseDT
    'PyOpenSSL',
    'pyrfc3339',
    'pytz',
    # For pkg_resources. >=1.0 so pip resolves it to a version cryptography
    # will tolerate; see #2599:
    'setuptools>=1.0',
    'six',
    'zope.component',
    'zope.interface',
]

Won't that just pull the most recent version of PyOpenSSL if you pip install?

Member

bmw commented Sep 22, 2017

> Won't that just pull the most recent version of PyOpenSSL if you pip install?

Since our 0.18.2 release that fixed this bug earlier this week, if you pip install certbot (which we usually don't recommend) you'll get a version of Certbot that works with any version of pyOpenSSL (that is also new enough to satisfy our ACME library). If you install Certbot through your OS package manager, you'll get the version of Certbot and its dependencies that are packaged for your system. The only system that I'm aware of that has packaged pyOpenSSL 17.3.0 that causes this bug when used with older versions of Certbot is Arch Linux which already packaged Certbot 0.18.2 solving the problem.

@eusonlito

@bmw, ok sorry, maybe an installation mix. The first time it was installed with apt-get, but after some time it seems to have been upgraded using pip.

pip-review --local --interactive has solved the problem.

Thanks :)
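
A diagnostic for the mixed apt/pip situation this thread ends on, as an added example (not Certbot's code and not posted by any participant): it lists every pyOpenSSL copy on a module search path in import order and flags when the first one is 17.3.0 or later, the versions the thread names as lacking `OpenSSL.rand`. The function names and the temporary directory layout are constructed for illustration, and it assumes each copy's metadata directory sits beside the package it describes.

```python
import importlib.metadata as md
import os
import tempfile

# From the thread: pyOpenSSL 17.3.0 and later no longer expose OpenSSL.rand.
FIRST_WITHOUT_RAND = (17, 3, 0)


def version_tuple(text):
    """'17.3.0' -> (17, 3, 0); non-numeric parts are ignored."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def installed_copies(name, search_path):
    """Every copy of `name` on search_path as (version, dir), in import order."""
    copies = []
    for entry in search_path:
        if not os.path.isdir(entry):
            continue  # skip '', zip files and paths that do not exist
        for dist in md.distributions(path=[entry]):
            if (dist.metadata.get("Name") or "").lower() == name.lower():
                copies.append((dist.version, entry))
    return copies


def diagnose(search_path):
    """Report which pyOpenSSL copy is found first and whether installs are mixed."""
    copies = installed_copies("pyOpenSSL", search_path)
    active = copies[0] if copies else None
    return {
        "copies": copies,
        "active": active,
        "mixed": len({version for version, _ in copies}) > 1,
        "active_lacks_rand": bool(active)
        and version_tuple(active[0]) >= FIRST_WITHOUT_RAND,
    }


def make_fake_copy(directory, version):
    """Constructed fixture: a minimal pyOpenSSL .dist-info directory."""
    info = os.path.join(directory, "pyOpenSSL-%s.dist-info" % version)
    os.makedirs(info)
    with open(os.path.join(info, "METADATA"), "w") as handle:
        handle.write("Metadata-Version: 2.1\nName: pyOpenSSL\nVersion: %s\n" % version)
    return directory


if __name__ == "__main__":
    # Constructed layout: a pip-installed 17.3.0 ahead of the packaged 17.0.0.
    with tempfile.TemporaryDirectory() as root:
        pip_dir = make_fake_copy(os.path.join(root, "local-site"), "17.3.0")
        apt_dir = make_fake_copy(os.path.join(root, "dist-packages"), "17.0.0")
        print(diagnose([pip_dir, apt_dir]))
    # To inspect the running interpreter instead, pass sys.path to diagnose().
```

Run it with the same interpreter that runs Certbot, since each interpreter has its own search path.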
