Certbot: ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

centos-release-7-4.1708.el7.centos.x86_64

ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

upgrade pyOpenSSL 0.13.1 from to pyOpenSSL 17.5.0

when downgrade:

sudo pip install pyOpenSSL==0.15.1

same error

ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

try pip install --upgrade --force-reinstall 'requests==2.6.0'

Do not mix yum installed packages via pip ones. The proper fix involves removing pip packages and install everything from yum. I have outlined it here.

You do not need newer pyOpenSSL on CentOS 7 to run certbot!

pip uninstall requests
yum reinstall python-requests

pip uninstall six
yum reinstall python-six

pip uninstall urllib3
yum reinstall python-urllib3

This bug still persists in RHEL 7

Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.22.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 558, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2682, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2355, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2361, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 20, in <module>
    from certbot import client
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 13, in <module>
    from acme import client as acme_client
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 33, in <module>
    requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()  # type: ignore
  File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 112, in inject_into_urllib3
    _validate_dependencies_met()
  File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 147, in _validate_dependencies_met
    raise ImportError("'pyOpenSSL' module missing required functionality. "
ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

So aggravating. I'm beginning to hate Centos.

Tried updating pyOpenSSL on CentOS, get the following error:

sudo pip install pyOpenSSL==0.15.1
Collecting pyOpenSSL==0.15.1
Downloading https://files.pythonhosted.org/packages/37/2f/840f2656e4bcf257cb814825bb751a9197ca6f39f1fa036ab111920ac7ef/pyOpenSSL-0.15.1-py2.py3-none-any.whl (102kB)
100% |████████████████████████████████| 112kB 1.9MB/s
Requirement already satisfied: six>=1.5.2 in /usr/lib/python2.7/site-packages (from pyOpenSSL==0.15.1) (1.9.0)
Requirement already satisfied: cryptography>=0.7 in /usr/lib64/python2.7/site-packages (from pyOpenSSL==0.15.1) (2.3.1)
Requirement already satisfied: idna>=2.1 in /usr/lib/python2.7/site-packages (from cryptography>=0.7->pyOpenSSL==0.15.1) (2.7)
Requirement already satisfied: enum34; python_version < "3" in /usr/lib/python2.7/site-packages (from cryptography>=0.7->pyOpenSSL==0.15.1) (1.0.4)
Requirement already satisfied: cffi!=1.11.3,>=1.7 in /usr/lib64/python2.7/site-packages (from cryptography>=0.7->pyOpenSSL==0.15.1) (1.11.5)
Requirement already satisfied: asn1crypto>=0.21.0 in /usr/lib/python2.7/site-packages (from cryptography>=0.7->pyOpenSSL==0.15.1) (0.24.0)
Requirement already satisfied: ipaddress; python_version < "3" in /usr/lib/python2.7/site-packages (from cryptography>=0.7->pyOpenSSL==0.15.1) (1.0.16)
Requirement already satisfied: pycparser in /usr/lib/python2.7/site-packages (from cffi!=1.11.3,>=1.7->cryptography>=0.7->pyOpenSSL==0.15.1) (2.14)
Installing collected packages: pyOpenSSL
Found existing installation: pyOpenSSL 0.13.1
Cannot uninstall 'pyOpenSSL'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall.

A bit of context: the dist package for pyOpenSSL is at 0.13.1. to uninstall it in order to update it through pip - Yum makes me uninstall certbot. Considering certbot was the whole reason I need to update pyOpenSSL - kind of puts us in a catch 22.

yum info pyOpenSSL
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile

• base: repos.dfw.quadranet.com
• epel: mirror.nodesdirect.com
• extras: reflector.westga.edu
• updates: repo1.dal.innoscale.net
  Installed Packages
  Name : pyOpenSSL
  Arch : x86_64
  Version : 0.13.1
  Release : 3.el7
  Size : 628 k
  Repo : installed
  From repo : base
  Summary : Python wrapper module around the OpenSSL library
  URL : http://pyopenssl.sourceforge.net/
  License : ASL 2.0
  Description : High-level wrapper around a subset of the OpenSSL library, includes among others
  : * SSL.Connection objects, wrapping the methods of Python's portable
  : sockets
  : * Callbacks written in Python
  : * Extensive error-handling mechanism, mirroring OpenSSL's error codes

For both debugging's sake as well as for the hell of it, I uninstalled the dist pyOpenSSL (and thusly certbot), did a pip install of pyOpenSSL, and reinstalled certbot. Yum overwrote pyOpenSSL 0.15.1 with 0.13.1....and same result when I try to renew with certbot.

I then attempted a sudo pip install --upgrade pyopenssl - and same error message about the distutils installed version.

No workaround today - guess my certs are going to expire then

acme.sh works, I've given up on certbot ;)

Guys, actually found a fix for this. I can't take credit for doing anything other than stumbling upon the article: https://medium.com/@getpagespeed/fix-importerror-pyopenssl-module-missing-required-functionality-e1c514797204

All credit to Danila Vershinin for finding the fix!

I can only add that if you have certbot and aws cli installed then it is very likely to have that issue.
from my quick research it seems that installing system packages as suggested break aws cli. fixing aws cli breaks certbot and etc so not fun really :)

Guys, actually found a fix for this. I can't take credit for doing anything other than stumbling upon the article: https://medium.com/@getpagespeed/fix-importerror-pyopenssl-module-missing-required-functionality-e1c514797204

All credit to Danila Vershinin for finding the fix!

Fix does not work for me - no pip packages installed and all the ones listed yum reports as already installed and up to date.

Regarding having aws cli and certbot on the same system.

It comes down to a conflicting version of urllib3.
awscli-1.16.81 requires urllib3-1.24.1 and python2-certbot-0.27.1-1.el7.noarch.rpm works with urllib3-1.10.2.
The newer version gives the aformentioned error.

I cannot get them to work together, even installing awscli with --user gives the same issues, as the newer urllib then gets placed in /root/.local/lib and certbot goes looking here as well ...

I cannot get them to work together, even installing awscli with --user gives the same issues, as the newer urllib then gets placed in /root/.local/lib and certbot goes looking here as well ...

Had the same problem with conflicting versions of urllib3 after installing aws cli. Eventually, after fixing certbot I installed aws cli using virtualenv.
https://docs.aws.amazon.com/cli/latest/userguide/install-virtualenv.html
Now, certbot and aws cli are both fine.

I also installed awscli using the bundled installer they provide, so that it is self-contained.

https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html

Another way around the the conflict between awscli and certbot is to install python36 and run awscli using it.

Can certbot package not install its python modules in its own environment or be less strict when it comes to version requirements?