Troubleshooting

[Fix] ImportError: ‘pyOpenSSL’ module missing required functionality. Try upgrading to v0.14 or newer.



Basically a quick fix for renewing certificates via Certbot on CentOS 7.4 machines.

The Problem

When running certbot commands, you get an error like the following:

ImportError: ‘pyOpenSSL’ module missing required functionality. Try upgrading to v0.14 or newer.

The Research

In multiple places all over the web, you will see engineers reporting that the pyOpenSSL package which comes with CentOS 7 is too old for certbot.

But due to my line of work, I know for sure it’s not. There are dozens of CentOS 7 servers where certbot runs just fine and I had an issue only on one particular server of my own.

Of course, you can check that your pyOpenSSL is version 0.13.1, while the error wants you to get the newer 0.14. Thus those “engineers” even go as far as building custom RPM packages for a newer pyOpenSSL 😀

The Reason

As a torrent lover, I once installed the wonderful Flexget via pip. This, of course, mixed the pip-installed packages with the system ones. So the cause of this error is not the outdated pyOpenSSL. It is the other pip-installed packages which rely on it.

The Solution

I simply removed the pip-installed packages, then reinstalled the system ones:

pip uninstall requests
yum reinstall python-requests

pip uninstall six
yum reinstall python-six

pip uninstall urllib3
yum reinstall python-urllib3
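
To find which packages need this treatment before removing anything, the sketch below lists metadata directories in site-packages that no RPM owns, which is what a pip install next to the system packages leaves behind. It is an added example, not part of the original post; the names find_unowned, owner_check and find_unowned.sh are hypothetical, and it assumes `rpm -qf` is available for the ownership check.

```shell
#!/bin/sh
# Added example: list Python package metadata in a site-packages directory
# that no RPM owns, i.e. what pip installed next to the system packages.

# `rpm -qf PATH` exits 0 when an installed RPM owns PATH, non-zero otherwise.
# Kept as a separate function so it can be swapped for another package manager.
owner_check() {
    rpm -qf "$1"
}

# Print "name<TAB>path" for each *.egg-info / *.dist-info entry without an owner.
find_unowned() {
    site_dir=$1
    for meta in "$site_dir"/*.egg-info "$site_dir"/*.dist-info; do
        [ -e "$meta" ] || continue            # glob matched nothing
        rc=0
        owner_check "$meta" >/dev/null 2>&1 || rc=$?
        case $rc in
            0)   continue ;;                  # owned by an RPM: system package
            127) echo "rpm not found; cannot check ownership" >&2
                 return 2 ;;
        esac
        name=${meta##*/}                      # requests-2.18.4.dist-info
        name=${name%.egg-info}
        name=${name%.dist-info}
        name=${name%%-[0-9]*}                 # drop "-<version>..." -> requests
        printf '%s\t%s\n' "$name" "$meta"
    done
}

# Usage (hypothetical file name): sh find_unowned.sh /usr/lib/python2.7/site-packages
if [ "$#" -gt 0 ]; then
    find_unowned "$1"
fi
```

Each name it prints is a candidate for the pip uninstall / yum reinstall pair shown above; the script itself only reads the directory and changes nothing.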

Bonus Tip

You may find yourself having to fix more packages. So you can just remove everything you had installed via pip and reinstall everything that you had installed via yum. BEWARE. The following uninstalls yum itself:

pip freeze --local | xargs pip uninstall -y

# Actually clear out ALL python stuff:
rm -rf /usr/lib/python2.7/site-packages

# Install yum:
rpm -ihv --force --replacepkgs http://mirror.centos.org/centos/7/os/x86_64/Packages/yum-3.4.3-154.el7.centos.noarch.rpm
rpm -ihv --force --replacepkgs http://mirror.centos.org/centos/7/os/x86_64/Packages/python-urlgrabber-3.10-8.el7.noarch.rpm

# Fix yum:
yum info yum --show-duplicates
yum reinstall yum-3.4.3-154.el7.centos.1
yum reinstall yum-*

# Reinstall everything:
yum -y upgrade # in case reinstall isn't possible for older version packages which are no longer available
yum -y reinstall \*

It may seem a little harsh to reinstall everything, but this will definitely fix the system and whatever Python packages you had “broken” via pip (for example, pyOpenSSL or MySQL-python).

Certbot is now back to work renewing its certificates.

Conclusion?

Never mix system Python packages with the ones coming from pip. Use virtualenv.
