Let’s Encrypt Certbot error on Amazon EC2

"ImportError: No module named cryptography".


I suppose that you came to my website because you manage an Amazon EC2 instance and you are trying to create, extend and/or renew a free SSL certificate through the Let’s Encrypt service with the “certbot-auto” command, but you got the annoying error about the missing "cryptography" module. I also ran into this issue frequently, until I found the solution that I will explain here.

Important: I work with Apache as a web server.

I will assume that you know the basics of the Let’s Encrypt service. As you know, this service is marked as experimental for the Amazon Linux 2 version, known as AMI (Amazon Machine Image). This Linux version has been modified to optimize performance on an EC2 instance and its integration with AWS (Amazon Web Services).

In January 2018, one of the engineers working on the Certbot project explained that they had not been able to make this software reliable on Amazon Linux, because this distribution is a bit different from the others and they had not found support from Amazon's side to achieve it. Why? I don't know. Maybe Amazon prefers that we use its SSL certificate service, which can only be implemented in their ELB (Elastic Load Balancing).

Source:
Let's Encrypt Community

Error detail:

  Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt: 
  Traceback (most recent call last):
    File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
      from certbot.main import main
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 10, in <module>
      import josepy as jose
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 44, in <module>
      from josepy.interfaces import JSONDeSerializable
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 8, in <module>
      from josepy import errors, util
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 4, in <module>
      import OpenSSL
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
      from OpenSSL import crypto, SSL
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 12, in <module>
      from cryptography import x509
  ImportError: No module named cryptography

  

Some of the AMI versions on which the error occurs:

  • Amazon Linux AMI release 2017.03
  • Amazon Linux AMI release 2017.09
  • Amazon Linux AMI release 2018.03

The proposed solution has been tested on the AMI versions mentioned above. If you have a different version, I would like to receive a message from you through any of my social networks, telling me whether it also worked for you.

If you want to know your AMI version:

      $ cat /etc/system-release
    

Solution

The best solution I have found is to remove the certbot-auto directory that you downloaded at the beginning and then install Certbot for Python 3.6.

First, remove everything related to the old packages:

      $ sudo rm -rf /opt/eff.org/*
    

Second, install Python 3.6:

      $ sudo yum -y install python36 python36-pip python36-libs python36-tools python36-virtualenv
    

Third, install Certbot for Python 3.6:

      $ sudo /usr/bin/pip-3.6 install -U certbot
    

And finally, install the Apache plugin package:

      $ sudo /usr/bin/pip-3.6 install certbot-apache
    

From this point on, you should not create, extend or renew certificates with the certbot-auto command, but with the absolute path of the new certbot, for example:

      $ sudo /usr/local/bin/certbot --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d midominio.com -d www.midominio.com
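
To confirm that the new installation no longer has the import problem before requesting a certificate, the following added example (not part of the original post) tries each module from the traceback above against a given Python interpreter and reports the first one that fails. The function names are hypothetical, and it assumes that pip-3.6 installed the packages for the python3.6 interpreter.

```shell
#!/bin/sh
# Added example, not from the original post.
# Modules named in the traceback above, innermost dependency first.
CERTBOT_IMPORT_CHAIN="cryptography OpenSSL josepy certbot"

# first_missing_module PYTHON
#   exit 0: every module in the chain imports
#   exit 1: prints the first module that fails to import
#   exit 2: PYTHON is not an executable command
first_missing_module() {
    py="$1"
    command -v "$py" >/dev/null 2>&1 || return 2
    for mod in $CERTBOT_IMPORT_CHAIN; do
        if ! "$py" -c "import $mod" >/dev/null 2>&1; then
            printf '%s\n' "$mod"
            return 1
        fi
    done
    return 0
}

# check_certbot_env PYTHON: readable verdict, same exit codes as above.
check_certbot_env() {
    missing=$(first_missing_module "$1") && rc=0 || rc=$?
    case "$rc" in
        0) echo "OK: $1 imports: $CERTBOT_IMPORT_CHAIN" ;;
        1) echo "FAIL: $1 cannot import '$missing'; reinstall certbot with pip for this interpreter" ;;
        2) echo "FAIL: interpreter not found: $1" ;;
    esac
    return "$rc"
}

# Assumption: the interpreter behind pip-3.6 is python3.6; pass it as the
# first argument, e.g. "python3.6". Without an argument nothing is run.
if [ "$#" -gt 0 ]; then
    check_certbot_env "$1"
fi
```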