Sudhakar Rayavaram
Problem solver (And maker),
Inquisitive (Root to most of my problems),
Software craftsman (Don't ask for estimates)

Works at TarkaLabs

Tech guy behind

01 Feb 2018
Battle with certbot auto in amazon linux instance

One of my cloud server is an amazon linux instance with certbot installed for letsencrypt certificates. Unfortunately, certbot is not fully supported in amazon linux and the suggestion is to run certbot in --debug mode

I was quite successful for around an year to renew certifiates without much problems. But, not today

I started the ritual by running the following command. sudo is needed as certbot needs to have more control to modify, edit files, start & stop servers

sudo /usr/local/bin/certbot-auto --nginx certonly --debug

Bam! Greeted with this cryptic (for me) error

 1 Error: couldn't get currently installed version for /opt/
 2 Traceback (most recent call last):
 3   File "/opt/", line 7, in <module>
 4     from certbot.main import main
 5   File "/opt/", line 10, in <module>
 6     import josepy as jose
 7   File "/opt/", line 41, in <module>
 8     from josepy.interfaces import JSONDeSerializable
 9   File "/opt/", line 8, in <module>
10     from josepy import errors, util
11   File "/opt/", line 4, in <module>
12     import OpenSSL
13   File "/opt/", line 8, in <module>
14     from OpenSSL import rand, crypto, SSL
15   File "/opt/", line 12, in <module>
16     from OpenSSL._util import (
17   File "/opt/", line 6, in <module>
18     from cryptography.hazmat.bindings.openssl.binding import Binding
19 ImportError: No module named cryptography.hazmat.bindings.openssl.binding

Ok, I don't understand what I can do about certbot not able to get currently installed version. But the last line gave the clue. After some googling I found that cryptography package is missing! But how did it work the last time (3 months before)? I still do not know

Amazon linux instance comes installed with python 2.7 and based on the error, I went ahead and installed the cryptography package. But, it did not fix the issue. This is where it got super confusing

After breaking my head with google for a very long time, I realized that certbot will not use the default python installation but downloads its own copy to this location


After installing the cryptography package for this python, things started to look bright.

cd to /opt/
sudo ./pip install cryptography

It did not work, but it atleast showed a different error message :)

 1 sudo /usr/local/bin/certbot-auto --nginx certonly --debug
 2 Error: couldn't get currently installed version for /opt/
 3 Traceback (most recent call last):
 4   File "/opt/", line 7, in <module>
 5     from certbot.main import main
 6   File "/opt/", line 11, in <module>
 7     import zope.component
 8   File "/opt/", line 16, in <module>
 9     from zope.interface import Interface
10 ImportError: No module named interface
11 [ec2-user@ip-172-31-20-177 bin]$ /usr/local/bin/certbot-auto --nginx certonly --debug
12 Requesting to rerun /usr/local/bin/certbot-auto with root privileges...
13 Error: couldn't get currently installed version for /opt/
14 Traceback (most recent call last):
15   File "/opt/", line 7, in <module>
16     from certbot.main import main
17   File "/opt/", line 11, in <module>
18     import zope.component
19   File "/opt/", line 16, in <module>
20     from zope.interface import Interface
21 ImportError: No module named interface

This time it is zope.interface package. Again, I have no clue how it is gone

sudo ./pip install zope.interface

After this, I was able to get the certificate renewed from letsencrypt.

Was one hell of a ride. But, with a happy ending! :)