Certbot: AttributeError: 'module' object has no attribute 'pyopenssl'

I suspect this is due to conflict between Python packages installed from your OS package manager and pip like in #6245.

Which Linux OS are you on and how did you install Certbot?

I've got the same (or mostly alike) error:

# yum install certbot
...
Running transaction
  Installing : pyOpenSSL-0.13.1-3.el7.x86_64                                                                                                                                                            1/6
  Installing : python2-josepy-1.1.0-1.el7.noarch                                                                                                                                                        2/6
  Installing : python-ndg_httpsclient-0.3.2-1.el7.noarch                                                                                                                                                3/6
  Installing : python2-acme-0.26.1-1.el7.noarch                                                                                                                                                         4/6
  Installing : python2-certbot-0.26.1-2.el7.noarch                                                                                                                                                      5/6
  Installing : certbot-0.26.1-2.el7.noarch                                                                                                                                                              6/6
  Verifying  : pyOpenSSL-0.13.1-3.el7.x86_64                                                                                                                                                            1/6
  Verifying  : python2-josepy-1.1.0-1.el7.noarch                                                                                                                                                        2/6
  Verifying  : python2-acme-0.26.1-1.el7.noarch                                                                                                                                                         3/6
  Verifying  : python2-certbot-0.26.1-2.el7.noarch                                                                                                                                                      4/6
  Verifying  : certbot-0.26.1-2.el7.noarch                                                                                                                                                              5/6
  Verifying  : python-ndg_httpsclient-0.3.2-1.el7.noarch                                                                                                                                                6/6

Installed:
  certbot.noarch 0:0.26.1-2.el7

Dependency Installed:
  pyOpenSSL.x86_64 0:0.13.1-3.el7    python-ndg_httpsclient.noarch 0:0.3.2-1.el7    python2-acme.noarch 0:0.26.1-1.el7    python2-certbot.noarch 0:0.26.1-2.el7    python2-josepy.noarch 0:1.1.0-1.el7     

Complete!
# certbot --version
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 378, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2566, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2260, in load
    entry = __import__(self.module_name, globals(),globals(), ['__name__'])
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 21, in <module>
    from certbot import client
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 16, in <module>
    from acme import client as acme_client
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 39, in <module>
    urllib3.contrib.pyopenssl.inject_into_urllib3()
AttributeError: 'module' object has no attribute 'pyopenssl'

OS Version: CentOS Linux release 7.5.1804 (Core)

Edit2: With regards to https://github.com/certbot/certbot/issues/6245, python-urllib3 has been installed using yum, and the current version (1.10.2-5.el7) does not have the mentioned symlink in packages/ssl_match_hostname but as a regular directory with files in it.

Trying to reproduce the issue lead me to this:

# python
Python 2.7.5 (default, Jul 13 2018, 13:06:57)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-28)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import urllib3.contrib.pyopenssl
>>> urllib3.contrib.pyopenssl.inject_into_urllib3()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 118, in inject_into_urllib3                                                                                                   
    _validate_dependencies_met()
  File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 153, in _validate_dependencies_met                                                                                            
    raise ImportError("'pyOpenSSL' module missing required functionality. "
ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.
>>>
# yum info pyOpenSSL
...
Installed Packages
Name        : pyOpenSSL
Arch        : x86_64
Version     : 0.13.1
Release     : 3.el7
Size        : 628 k
Repo        : installed

So apparently there is a silent version dependency for urllib3.contrib.pyopenssl on pyOpenSSL v0.14, which is not provided by Centos7 at this point.

Edit: After installing a newer version (0.15.1) from https://cbs.centos.org/koji/buildinfo?buildID=1500 the above error goes away, but not the error generated by certbot.

Some trial-and-error with usr/lib/python2.7/site-packages/acme/client.py lead me to the discovery that when I comment the from requests_toolbelt.adapters.source import SourceAddressAdapter import, the error disappears!
Fortunately, this is used only once, so as long as I supply a source_address I can get away with this not-so-subtle fix. :)

@github-abcde, I'd recommend posting at https://community.letsencrypt.org. On a fresh CentOS 7 install, both:

python -c 'import requests; requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()'

and

python -c 'import urllib3.contrib.pyopenssl; urllib3.contrib.pyopenssl.inject_into_urllib3()'

work for me.

Additionally, after installing python-urllib3 1.10.2-5.el7, /usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py does not contain code to raise an exception if the pyOpenSSL version is less than 0.14.

I think you have a mix of packages from various sources. There is a larger community at https://community.letsencrypt.org who should be able to help you track down the problem.

You are right. After some in-depth searching it appeared that something that should have been installing a module using pip3, actually installed it using python -m pip...using python2.7 and overwriting the urllib3/conrtib/pyopenssl.py...Thanks for your pointers, which forced me to look further :)

The same problem I have here.

File "/usr/lib/python2.7/site-packages/acme/client.py", line 39, in
urllib3.contrib.pyopenssl.inject_into_urllib3()
AttributeError: 'module' object has no attribute 'pyopenssl'

centos 7.3

This is my solution:

pip install requests==2.6.0
easy_install --upgrade pip

I'm seeing this now, too. A fresh Centos 7 install, with nothing else installed via pip, and certbot installed via yum

Linux localhost.localdomain 3.10.0-862.2.3.el7.x86_64 #1 SMP Wed May 9 18:05:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

@monkeyWie's tip didn't work for me

[vagrant@localhost ~]$ pip install requests==2.6.0
Requirement already satisfied: requests==2.6.0 in /usr/lib/python2.7/site-packages

I was using certbot just fine until a few days ago when I can't get it to work at all on any of my new centos 7 builds.

vagrant@localhost ~]$ sudo certbot --nginx
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.27.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 484, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2714, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2332, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2338, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 21, in <module>
    from certbot import client
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 16, in <module>
    from acme import client as acme_client
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 36, in <module>
    requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()  # type: ignore
  File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 118, in inject_into_urllib3
    _validate_dependencies_met()
  File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 153, in _validate_dependencies_met
    raise ImportError("'pyOpenSSL' module missing required functionality. "
ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

Issues like this are caused by installing packages globally from both yum and pip. Unfortunately, I'm unable to help you clean up the Python environment on your system but if you post to https://community.letsencrypt.org there is a large user base there that will be able to help.

I had a clean install of Centos 7.6 and added Certbot from Epel repo caused the same problem. Fixed issue by running
pip install requests==2.6.0

I see this is still an issue.

Same.
CentOS Linux release 7.6.1810 (Core)
Install:

sudo yum install certbot python2-certbot-nginx

And run:

# certbot --help
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 378, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2566, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2260, in load
    entry = __import__(self.module_name, globals(),globals(), ['__name__'])
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 21, in <module>
    from certbot import client
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 16, in <module>
    from acme import client as acme_client
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 40, in <module>
    urllib3.contrib.pyopenssl.inject_into_urllib3()
AttributeError: 'module' object has no attribute 'pyopenssl'

This is my solution:

pip install requests==2.6.0
easy_install --upgrade pip

Worked for me on Centos 7

Agreed. Default install using yum is not working. Need to fix it after
initial install. One would want it to install in a working state.

On Sun, 14 Apr 2019, 07:54 Michael Lindner, notifications@github.com
wrote:

This is my solution:

pip install requests==2.6.0
easy_install --upgrade pip

Worked for me on Centos 7

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/certbot/certbot/issues/6328#issuecomment-482922170,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AMsov79Wu4KJJLs0jJUN-fhs6WO2YROuks5vgsKzgaJpZM4WS5Gq
.

If anyone can provide instructions on how to reproduce this, ideally in something like Docker, I'd be happy to take another look, but I still believe this only occurs if you've installed Python packages from multiple sources.

This is usually caused by installing packages from both yum and pip and removing the packages you've installed with pip and reinstalling them with yum should resolve the issue.

I can confirm that it happens with a clean install of Centos 7.6 using the
EPEL repo to add certbot.

On Mon, 15 Apr 2019, 19:35 Brad Warren, notifications@github.com wrote:

If anyone can provide instructions on how to reproduce this, ideally in
something like Docker, I'd be happy to take another look, but I still
believe this only occurs if you've installed Python packages from multiple
sources.

This is usually caused by installing packages from both yum and pip and
removing the packages you've installed with pip and reinstalling them
with yum should resolve the issue.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/certbot/certbot/issues/6328#issuecomment-483346939,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AMsovzeRLjz2j0odmgWGxyyAVy9VBp3Tks5vhLhLgaJpZM4WS5Gq
.

I had this issue (centos)
[bob@bla ~]# certbot renew 2>&1 | tail -2 urllib3.contrib.pyopenssl.inject_into_urllib3() AttributeError: 'module' object has no attribute 'pyopenssl'
and pip is not installed
[bob@bla ~]# pip install requests==2.6.0 -bash: pip: command not found

I can confirm that it happens with a clean install of Centos 7.6 using the EPEL repo to add certbot.

Unfortunately, I cannot reproduce it in Docker or a VPS.

I'd still love to see someone manage to reproduce this in something easily repeatable like Docker, but in the meantime for someone hitting the issue, what is the output of the following commands

python -c 'import certbot, requests, urllib3, OpenSSL; print("certbot :", certbot.__version__); print("requests: ", requests.__version__); print("urllib3 :", urllib3.__version__); print("OpenSSL :", OpenSSL.__version__)'
ls /usr/lib/python2.7/site-packages/urllib3/contrib

Interesting. This is the second clean install I made for Centos 7.

This time around I did a clean install using the minimal ISO and it is working. I see the Centos requests package installed is 2.6 as well. Possible that requests was updated since originally having this problem.
python2-requests-2.6.0-0.el7.noarch

[root@centos7 ~]# python -c 'import certbot, requests, urllib3, OpenSSL; print("certbot :", certbot.__version__); print("requests: ", requests.__version__); print("urllib3 :", urllib3.__version__); print("OpenSSL :", OpenSSL.__version__)'
('certbot :', '0.31.0')
('requests: ', '2.6.0')
('urllib3 :', '1.10.2')
('OpenSSL :', '0.13.1')
[root@centos7 ~]# ls /usr/lib/python2.7/site-packages/urllib3/contrib
__init__.py  __init__.pyc  __init__.pyo  ntlmpool.py  ntlmpool.pyc  ntlmpool.pyo  pyopenssl.py  pyopenssl.pyc  pyopenssl.pyo
[root@centos7 ~]# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

This problem happens for me on centos 7.6 together with ovirt 4.3. Package versions are

from EPEL:
certbot-0.31.0-2.el7.noarch

from ovirt-4.3-centos-opstools:
python2-requests-2.19.1-4.el7.noarch 
python2-pyOpenSSL-17.3.0-3.el7.noarch

It seems something weird happens with the urllib3.contrib namespace or something?

>>> import requests
>>> requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
AttributeError: 'module' object has no attribute 'pyopenssl'
>>> import urllib3.contrib.pyopenssl
>>> urllib3.contrib.pyopenssl.inject_into_urllib3()
>>> dir(urllib3.contrib)
['__builtins__', '__doc__', '__file__', '__name__', '__package__', '__path__', 'pyopenssl', 'socks']
>>> from acme import client as acme_client
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.7/site-packages/acme/client.py", line 40, in <module>
    urllib3.contrib.pyopenssl.inject_into_urllib3()
AttributeError: 'module' object has no attribute 'pyopenssl'
>>> dir(urllib3.contrib)
['__builtins__', '__doc__', '__file__', '__name__', '__package__', '__path__', 'appengine']

The problem goes away when I do this in acme/client.py:

if sys.version_info < (2, 7, 9):  # pragma: no cover
    import requests.packages.urllib3.contrib.pyopenssl  # pylint: disable=import-error
    requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()  # type: ignore

This is my solution:

pip install requests==2.6.0
easy_install --upgrade pip

worked for me on CentOS 7

Thanks @monkeyWie - worked for me on CentOS7

This is my solution:

pip install requests==2.6.0
easy_install --upgrade pip

pip install acme
worked for me on Centos 7 after I saw this error

ERROR: certbot 1.0.0 requires acme>=0.40.0, which is not installed.

P.S. Install everything from pip, rather than Centos packages, they are old sometimes

I can confirm that it happens with a clean install of Centos 7.6 using the EPEL repo to add certbot.

Unfortunately, I cannot reproduce it in Docker or a VPS.

I'd still love to see someone manage to reproduce this in something easily repeatable like Docker, but in the meantime for someone hitting the issue, what is the output of the following commands

python -c 'import certbot, requests, urllib3, OpenSSL; print("certbot :", certbot.__version__); print("requests: ", requests.__version__); print("urllib3 :", urllib3.__version__); print("OpenSSL :", OpenSSL.__version__)'
ls /usr/lib/python2.7/site-packages/urllib3/contrib

@bmw my results are as follows:

('certbot :', '1.0.0')
('requests: ', '2.6.0')
('urllib3 :', '1.25.7')
('OpenSSL :', '0.13.1')

_appengine_environ.py   appengine.py   __init__.py   ntlmpool.py   pyopenssl.py   _securetransport    securetransport.pyc  socks.pyc
_appengine_environ.pyc  appengine.pyc  __init__.pyc  ntlmpool.pyc  pyopenssl.pyc  securetransport.py  socks.py

which seems okay to me. but these other tests seems failing:

$ python -c 'import requests; requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: 'module' object has no attribute 'packages'

$ python -c 'import urllib3.contrib.pyopenssl; urllib3.contrib.pyopenssl.inject_into_urllib3()'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 118, in inject_into_urllib3
    _validate_dependencies_met()
  File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 160, in _validate_dependencies_met
    "'pyOpenSSL' module missing required functionality. "
ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

The version of urllib3 packaged in RHEL 7 based systems is 1.10.2 but you have 1.25.7. This was probably installed through pip. Removing urllib3 and reinstalling it through yum should resolve this problem.

If you need additional help with this, I recommend posting to https://community.letsencrypt.org where there is a large group of people familiar with Certbot and server administration who should be able to help you.

JFYI. I had same issue but I don't have pip/pip2 or any pip packages installed manually.

In my case I had centos-release-opstools which brought python2-urllib3 1.21.1-1.el7andpython2-requests 2.19.1-4.el7`.

After I disabled that repo and reinstalled relevant packages (they are renamed to python-urllib3 1.10.2-7.el7 and python-requests 2.6.0-8.el7_7 as of CentOS 7.7) issue disappeared.

@grossws, thanks for the info. Do you remember what your error message was?

When I try and recreate that setup Certbot crashes with:

# certbot --help
Traceback (most recent call last):
  File "/usr/bin/certbot", line 5, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 3011, in <module>
    parse_requirements(__requires__), Environment()
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 630, in resolve
    raise VersionConflict(dist,req) # XXX put more info here
pkg_resources.VersionConflict: (cryptography 1.7.2 (/usr/lib64/python2.7/site-packages), Requirement.parse('cryptography>=1.9'))

This is because the python2-pyOpenSSL 17.3.0-3.el7 package claims it requires python-cryptography >= 1.3.0, but the dependency as specified in Python is cryptography>=1.9 which is not installed.

@bmw, I had similar stacktrace to one in https://github.com/certbot/certbot/issues/6328#issuecomment-482531925

I tried to reproduce it in container with just epel-release + centos-release-opstools but get same version conflict about cryptography. I looked at original system where I got error and found that I have newer python2-cryptography from centos-release-ovirt42 repo.

So to reproduce you can run docker container with centos:7 and do

yum install -y epel-release centos-release-opstools centos-release-ovirt42
yum install -y certbot
certbot --help`

That's a fun one (depending on your definition of fun).

On the centos:7 Docker image, if you run:

yum install -y epel-release centos-release-opstools centos-release-ovirt42
yum install -y python-requests-toolbelt python2-urllib3
python -c 'import urllib3.contrib.pyopenssl; urllib3.contrib.pyopenssl.inject_into_urllib3()'
python -c 'from requests_toolbelt.adapters.source import SourceAddressAdapter; import urllib3.contrib.pyopenssl; urllib3.contrib.pyopenssl.inject_into_urllib3()'

The first Python command will succeed while the second will fail. The only difference is the from requests_toolbelt.adapters.source import SourceAddressAdapter import.

We're planning on dropping Python 2 support in the next few months at which point we get to delete this code. Because of that, the small team that maintains Certbot probably won't be spending much time on this ourselves, but if someone wants to dig into it, I think it'd be good to get whatever is causing this problem reported to the package maintainers.

I'm reopening this for now.

I think the supposition of some form of corruption is correct. I did not have a python2 pip installed, so I'm not sure what I broke. However, this sorted things out:

yum remove python-urllib3
rm -rf /usr/lib/python2.7/site-packages/urllib3 # yes, you need this too
yum reinstall $(yum list installed | grep python | grep -v python3 | awk '{print $1}')
yum install python-urllib3
yum install certbot

Hope that helps somebody.

This worked in my environment (centos 7 with upgraded urllib3 from pip as @bmw described above.. my "pip" command was also returning errors, so needed reinstall):

sudo yum install -y python2-pip
sudo pip uninstall urllib3
sudo yum install -y python-urllib3

Fedora/CentOS certbot maintainer here: Please NEVER install modules to /usr/lib using pip. Some CentOS packages are modified so they don't duplicate existing code or to strengthen security settings. The distro packagers should make sure that all required packages are installed.

You can check your installation for unmanaged Python packages with this command:

LANG=C rpm -qf /usr/lib/python2.7/site-packages/* | grep 'is not owned by any package'

You should not get any output.

Also adding other yum repos can be problematic. Fedora EPEL should work 100% with the base repos from Red Hat/CentOS but we can not take any other repos into account.

If you just have the default CentOS repos (+ EPEL) enabled and you still crashes please let us know. The best method is to create a Bugzilla issue but @-mentioning me here works as well (for now - certbot maintainers in Fedora/EPEL may change).

@FelixSchwarz, what about CentOS SIG repo packages like centos-release-opstools? I usually use standard repos + epel but fluentd is available only in opstools(

In some cases I just ended creating virtual env using python3 -mvenv /path/to/new/venv and installing required software there (say certbot + required dns verifier). Thankfully it doesn't pollute /usr/lib.

@grossws Fedora EPEL should work with everything from RHEL Base (so there might be other layered Red Hat products which cause conflicts). All other sources can be incompatible unless these repos are very careful so they don't ship the same stuff as RHEL/EPEL.

I justed checked the repos of centos-opstools and immediately noticed a few conflicts with Fedora EPEL:

• python2-msgpack: EPEL 7 has 0.5.6-5.el7, opstools 0.4.6-3.el7 (not relevant for certbot but for borgbackup which I also maintain in Fedora/EPEL.
• python2-requests: EPEL 7 has 2.6.0-0.el7, opstools 2.19.1-4.el7
• python2-urllib3: EPEL 7 1.10.2-7.el7 (python-urllib3), opstools 1.21.1-1.el7
• python-idna: RHEL Base ships 2.4-1.el7, opstools 2.5-1.el7 (python2-idna)

That doesn't mean the centos-opstools repo does not work with EPEL's certbot packages but there are some conflicts and this is definitively an untested configuration. Also centos-opstools replaces a package in RHEL base which means you should be extra careful as this could also break a lot of stuff in the main distro.

tl;dr: If you use EPEL's certbot packages you should not use other yum/dnf repos as these are likely incompatible. Ask the repo provider for compatibility with RHEL base and Fedora EPEL.

Also I found it was not that hard to contribute to Fedora EPEL so if you are missing a package please consider becoming a package maintainer (ping me if you need guidance).

I think the supposition of some form of corruption is correct. I did not have a python2 pip installed, so I'm not sure what I broke. However, this sorted things out:

yum remove python-urllib3
rm -rf /usr/lib/python2.7/site-packages/urllib3 # yes, you need this too
yum reinstall $(yum list installed | grep python | grep -v python3 | awk '{print $1}')
yum install python-urllib3
yum install certbot

Hope that helps somebody.

This helped in my case (other solutions from this topic didn't). Thank you.