ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

[pahapoika]

My operating system is (include version):

CentOS 7.4.1708 (64bit)

I installed Certbot with (certbot-auto, OS package manager, pip, etc):

centos 7 yum

I ran this command and it produced this output:

sudo certbot --authenticator standalone --installer nginx --pre-hook "nginx -s stop" --post-hook "nginx"

output:
Traceback (most recent call last): File "/bin/certbot", line 9, in <module> load_entry_point('certbot==0.20.0', 'console_scripts', 'certbot')() File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 572, i n load_entry_point return get_distribution(dist).load_entry_point(group, name) File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2755, in load_entry_point return ep.load() File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2408, in load return self.resolve() File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2414, in resolve module = __import__(self.module_name, fromlist=['__name__'], level=0) File "/usr/lib/python2.7/site-packages/certbot/main.py", line 19, in <module> from certbot import client File "/usr/lib/python2.7/site-packages/certbot/client.py", line 11, in <module > from acme import client as acme_client File "/usr/lib/python2.7/site-packages/acme/client.py", line 32, in <module> requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3() # type: i gnore File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 112 , in inject_into_urllib3 _validate_dependencies_met() File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 147 , in _validate_dependencies_met raise ImportError("'pyOpenSSL' module missing required functionality. " ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

Certbot's behavior differed from what I expected because:

i excepted it to give me cert but it gave that error. already tried updating pyOpenSSL, but it didnt work

Here is a Certbot log showing the issue (if available):

Logs are stored in /var/log/letsencrypt by default. Feel free to redact domains, e-mail and IP addresses as you see fit.

Folder doesnt exist

Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring:

upstream backend {
# the netdata server
server 127.0.0.1:19999;
keepalive 64;
}

server {
# nginx listens to this
listen 80;

# the virtual host name of this
server_name netdata.mydomain.fi;

location / {
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://backend;
    proxy_http_version 1.1;
    proxy_pass_request_headers on;
    proxy_set_header Connection "keep-alive";
    proxy_store off;
}

}

[uwang]

centos-release-7-4.1708.el7.centos.x86_64

ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

upgrade pyOpenSSL 0.13.1 from to pyOpenSSL 17.5.0

when downgrade:

sudo pip install pyOpenSSL==0.15.1

same error

ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

[itsnotv]

try pip install --upgrade --force-reinstall 'requests==2.6.0'

[dvershinin]

Do not mix yum installed packages via pip ones. The proper fix involves removing pip packages and install everything from yum. I have outlined it here.

You do not need newer pyOpenSSL on CentOS 7 to run certbot!

pip uninstall requests
yum reinstall python-requests

pip uninstall six
yum reinstall python-six

pip uninstall urllib3
yum reinstall python-urllib3

[calston]

This bug still persists in RHEL 7

Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.22.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 558, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2682, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2355, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2361, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 20, in <module>
    from certbot import client
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 13, in <module>
    from acme import client as acme_client
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 33, in <module>
    requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()  # type: ignore
  File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 112, in inject_into_urllib3
    _validate_dependencies_met()
  File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 147, in _validate_dependencies_met
    raise ImportError("'pyOpenSSL' module missing required functionality. "
ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

[Zageron]

So aggravating. I'm beginning to hate Centos.

[LordPsycho202]

Tried updating pyOpenSSL on CentOS, get the following error:

sudo pip install pyOpenSSL==0.15.1
Collecting pyOpenSSL==0.15.1
Downloading https://files.pythonhosted.org/packages/37/2f/840f2656e4bcf257cb814825bb751a9197ca6f39f1fa036ab111920ac7ef/pyOpenSSL-0.15.1-py2.py3-none-any.whl (102kB)
100% |████████████████████████████████| 112kB 1.9MB/s
Requirement already satisfied: six>=1.5.2 in /usr/lib/python2.7/site-packages (from pyOpenSSL==0.15.1) (1.9.0)
Requirement already satisfied: cryptography>=0.7 in /usr/lib64/python2.7/site-packages (from pyOpenSSL==0.15.1) (2.3.1)
Requirement already satisfied: idna>=2.1 in /usr/lib/python2.7/site-packages (from cryptography>=0.7->pyOpenSSL==0.15.1) (2.7)
Requirement already satisfied: enum34; python_version < "3" in /usr/lib/python2.7/site-packages (from cryptography>=0.7->pyOpenSSL==0.15.1) (1.0.4)
Requirement already satisfied: cffi!=1.11.3,>=1.7 in /usr/lib64/python2.7/site-packages (from cryptography>=0.7->pyOpenSSL==0.15.1) (1.11.5)
Requirement already satisfied: asn1crypto>=0.21.0 in /usr/lib/python2.7/site-packages (from cryptography>=0.7->pyOpenSSL==0.15.1) (0.24.0)
Requirement already satisfied: ipaddress; python_version < "3" in /usr/lib/python2.7/site-packages (from cryptography>=0.7->pyOpenSSL==0.15.1) (1.0.16)
Requirement already satisfied: pycparser in /usr/lib/python2.7/site-packages (from cffi!=1.11.3,>=1.7->cryptography>=0.7->pyOpenSSL==0.15.1) (2.14)
Installing collected packages: pyOpenSSL
Found existing installation: pyOpenSSL 0.13.1
Cannot uninstall 'pyOpenSSL'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall.

[LordPsycho202]

A bit of context: the dist package for pyOpenSSL is at 0.13.1. to uninstall it in order to update it through pip - Yum makes me uninstall certbot. Considering certbot was the whole reason I need to update pyOpenSSL - kind of puts us in a catch 22.

yum info pyOpenSSL
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile

• base: repos.dfw.quadranet.com
• epel: mirror.nodesdirect.com
• extras: reflector.westga.edu
• updates: repo1.dal.innoscale.net
  Installed Packages
  Name : pyOpenSSL
  Arch : x86_64
  Version : 0.13.1
  Release : 3.el7
  Size : 628 k
  Repo : installed
  From repo : base
  Summary : Python wrapper module around the OpenSSL library
  URL : http://pyopenssl.sourceforge.net/
  License : ASL 2.0
  Description : High-level wrapper around a subset of the OpenSSL library, includes among others
  : * SSL.Connection objects, wrapping the methods of Python's portable
  : sockets
  : * Callbacks written in Python
  : * Extensive error-handling mechanism, mirroring OpenSSL's error codes

[LordPsycho202]

For both debugging's sake as well as for the hell of it, I uninstalled the dist pyOpenSSL (and thusly certbot), did a pip install of pyOpenSSL, and reinstalled certbot. Yum overwrote pyOpenSSL 0.15.1 with 0.13.1....and same result when I try to renew with certbot.

I then attempted a sudo pip install --upgrade pyopenssl - and same error message about the distutils installed version.

No workaround today - guess my certs are going to expire then

[calston]

acme.sh works, I've given up on certbot ;)

[LordPsycho202]

Guys, actually found a fix for this. I can't take credit for doing anything other than stumbling upon the article: https://medium.com/@getpagespeed/fix-importerror-pyopenssl-module-missing-required-functionality-e1c514797204

All credit to Danila Vershinin for finding the fix!

[drekinov]

I can only add that if you have certbot and aws cli installed then it is very likely to have that issue.
from my quick research it seems that installing system packages as suggested break aws cli. fixing aws cli breaks certbot and etc so not fun really :)

[sagron]

Guys, actually found a fix for this. I can't take credit for doing anything other than stumbling upon the article: https://medium.com/@getpagespeed/fix-importerror-pyopenssl-module-missing-required-functionality-e1c514797204

All credit to Danila Vershinin for finding the fix!

Fix does not work for me - no pip packages installed and all the ones listed yum reports as already installed and up to date.

[aairey]

Regarding having aws cli and certbot on the same system.

It comes down to a conflicting version of urllib3.
awscli-1.16.81 requires urllib3-1.24.1 and python2-certbot-0.27.1-1.el7.noarch.rpm works with urllib3-1.10.2.
The newer version gives the aformentioned error.

I cannot get them to work together, even installing awscli with --user gives the same issues, as the newer urllib then gets placed in /root/.local/lib and certbot goes looking here as well ...

[vanstokes]

I cannot get them to work together, even installing awscli with --user gives the same issues, as the newer urllib then gets placed in /root/.local/lib and certbot goes looking here as well ...

Had the same problem with conflicting versions of urllib3 after installing aws cli. Eventually, after fixing certbot I installed aws cli using virtualenv.
https://docs.aws.amazon.com/cli/latest/userguide/install-virtualenv.html
Now, certbot and aws cli are both fine.

[aairey]

I also installed awscli using the bundled installer they provide, so that it is self-contained.

https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html

[krabsheva]

Another way around the the conflict between awscli and certbot is to install python36 and run awscli using it.

[daniejstriata]

Can certbot package not install its python modules in its own environment or be less strict when it comes to version requirements?

[github-actions]

We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed.

[github-actions]

This issue has been closed due to lack of activity, but if you think it should be reopened, please open a new issue with a link to this one and we'll take a look.