Letsencypt (certbot) 設定をアップデートしてから、この前にしたUbuntuの大規模システムアップデートがあれこれ壊したことに気づいた。

実はLinuxのほとんどの部分はpythonコードを支えていると言っても過言ではないほどだが(yumとapt-getを含めるらしい)、certbotも例外ではなかった。

ただ起動しただけなのに、よく働いていたアプリがこんな大変な状態になっていた。


:~$ sudo certbot
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in 
    load_entry_point('certbot==0.21.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 561, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2631, in load_entry_point
    return ep.load()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2291, in load
    return self.resolve()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2297, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 10, in 
    import josepy as jose
  File "/usr/lib/python3/dist-packages/josepy/__init__.py", line 41, in 
    from josepy.interfaces import JSONDeSerializable
  File "/usr/lib/python3/dist-packages/josepy/interfaces.py", line 8, in 
    from josepy import errors, util
  File "/usr/lib/python3/dist-packages/josepy/util.py", line 4, in 
    import OpenSSL
  File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in 
    from OpenSSL import crypto, SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 16, in 
    from OpenSSL._util import (
  File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 6, in 
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/bindings/openssl/binding.py", line 156, in 
    Binding.init_static_locks()
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/bindings/openssl/binding.py", line 137, in init_static_locks
    cls._ensure_ffi_initialized()
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/bindings/openssl/binding.py", line 124, in _ensure_ffi_initialized
    cls.lib = build_conditional_library(lib, CONDITIONAL_NAMES)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/bindings/openssl/binding.py", line 84, in build_conditional_library
    if not getattr(lib, condition):
AttributeError: cffi library '_openssl' has no function, constant or global variable named 'Cryptography_HAS_MEM_FUNCTIONS'

cffi library ‘_openssl’ has no function, constant or global variable named ‘Cryptography_HAS_MEM_FUNCTIONS’

普段の場合、関数でエラーが発生し、ライブラリーをインストールするだけで解決になるはずだが、

$ pip install cryptography

今はどうやら、pipの中の問題ではなさそうだ。cryptographyを何度もインストールしなおしても解決の見込みはない。

-Uオプションで強制アップデートをしても変化はなかった。

そして、python 2.7とpython3という表記に注目をした。すでに2.7と3で、3.5まで様々なバージョンが共存している今の状態を考えると、これは不思議なことでもない。

pipの起動ファイルはpython 2.7に対しての設定しか行われないが、certbotはpython 3で起動するため、次のようなスクリプトになっている。

#!/usr/bin/python3
# EASY-INSTALL-ENTRY-SCRIPT: 'certbot==0.21.1','console_scripts','certbot'
__requires__ = 'certbot==0.21.1'
import re
import sys
from pkg_resources import load_entry_point

if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0])
    sys.exit(
        load_entry_point('certbot==0.21.1', 'console_scripts', 'certbot')()
    )

それで、問題が見えてきた。pipが2.7のpythonにモジュールを無意味にインストールしたり、アンインストールしたりを繰り返していたのだ。

これでは、python 3の問題は全然解決にならない。

$ sudo apt-get install python3-setuptools
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  python-setuptools-doc
The following NEW packages will be installed:
  python3-setuptools
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 215 kB of archives.
After this operation, 944 kB of additional disk space will be used.
Get:1 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 python3-setuptools all 33.1.1-1+certbot~xenial+1 [215 kB]
Fetched 215 kB in 1s (109 kB/s)
Selecting previously unselected package python3-setuptools.
(Reading database ... 109834 files and directories currently installed.)
Preparing to unpack .../python3-setuptools_33.1.1-1+certbot~xenial+1_all.deb ...
Unpacking python3-setuptools (33.1.1-1+certbot~xenial+1) ...
Setting up python3-setuptools (33.1.1-1+certbot~xenial+1) ...

easy_install python3 バージョンをインストールするためには、ubuntuでこのようなコマンドが必要だ。インストールしたばかりのeasy_install3を使って、pipも一緒にインストールしよう。

$ sudo easy_install3 pip
Searching for pip
Reading https://pypi.python.org/simple/pip/
Downloading https://pypi.python.org/packages/11/b6/abcb525026a4be042b486df43905d6893fb04f05aac21c32c638e939e447/pip-9.0.1.tar.gz#md5=35f01da33009719497f01a4ba69d63c9
Best match: pip 9.0.1
Processing pip-9.0.1.tar.gz
Writing /tmp/easy_install-wmqoi3hf/pip-9.0.1/setup.cfg
Running pip-9.0.1/setup.py -q bdist_egg --dist-dir /tmp/easy_install-wmqoi3hf/pip-9.0.1/egg-dist-tmp-b7xxe23x
warning: no previously-included files found matching '.coveragerc'
warning: no previously-included files found matching '.mailmap'
warning: no previously-included files found matching '.travis.yml'
warning: no previously-included files found matching '.landscape.yml'
warning: no previously-included files found matching 'pip/_vendor/Makefile'
warning: no previously-included files found matching 'tox.ini'
warning: no previously-included files found matching 'dev-requirements.txt'
warning: no previously-included files found matching 'appveyor.yml'
no previously-included directories found matching '.github'
no previously-included directories found matching '.travis'
no previously-included directories found matching 'docs/_build'
no previously-included directories found matching 'contrib'
no previously-included directories found matching 'tasks'
no previously-included directories found matching 'tests'
creating /usr/local/lib/python3.5/dist-packages/pip-9.0.1-py3.5.egg
Extracting pip-9.0.1-py3.5.egg to /usr/local/lib/python3.5/dist-packages
Adding pip 9.0.1 to easy-install.pth file
Installing pip script to /usr/local/bin
Installing pip3 script to /usr/local/bin
Installing pip3.5 script to /usr/local/bin

Installed /usr/local/lib/python3.5/dist-packages/pip-9.0.1-py3.5.egg
Processing dependencies for pip
Finished processing dependencies for pip

うまくインストールが完了したら、シェルで起動できるか確かめてみる。

$ which pip3
/usr/local/bin/pip3

このように、バイナリーの絶対パスをしっかり表示してくれている。

pip3コマンドを通じて、cryptographyモジュールも一緒に設定すると一件落着だ。バージョンで騒ぎにならないように、Uオプションも忘れずに入れて進もう。

$ sudo pip3 install -U cryptography
The directory '/home/yeon/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/yeon/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting cryptography
  Downloading cryptography-2.1.4-cp35-cp35m-manylinux1_x86_64.whl (2.2MB)
    100% |████████████████████████████████| 2.2MB 451kB/s
Collecting idna>=2.1 (from cryptography)
  Downloading idna-2.6-py2.py3-none-any.whl (56kB)
    100% |████████████████████████████████| 61kB 3.7MB/s
Collecting asn1crypto>=0.21.0 (from cryptography)
  Downloading asn1crypto-0.24.0-py2.py3-none-any.whl (101kB)
    100% |████████████████████████████████| 102kB 3.1MB/s
Collecting cffi>=1.7; platform_python_implementation != "PyPy" (from cryptography)
  Downloading cffi-1.11.4-cp35-cp35m-manylinux1_x86_64.whl (419kB)
    100% |████████████████████████████████| 419kB 833kB/s
Requirement already up-to-date: six>=1.4.1 in /usr/lib/python3/dist-packages (from cryptography)
Collecting pycparser (from cffi>=1.7; platform_python_implementation != "PyPy"->cryptography)
  Downloading pycparser-2.18.tar.gz (245kB)
    100% |████████████████████████████████| 256kB 1.8MB/s
Installing collected packages: idna, asn1crypto, pycparser, cffi, cryptography
  Found existing installation: idna 2.5
    Uninstalling idna-2.5:
      Successfully uninstalled idna-2.5
  Found existing installation: asn1crypto 0.22.0
    Uninstalling asn1crypto-0.22.0:
      Successfully uninstalled asn1crypto-0.22.0
  Running setup.py install for pycparser ... done
  Found existing installation: cryptography 1.9
    Uninstalling cryptography-1.9:
      Successfully uninstalled cryptography-1.9
Successfully installed asn1crypto-0.24.0 cffi-1.11.4 cryptography-2.1.4 idna-2.6 pycparser-2.18

なにか、うまく進行できている。

$ sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------

以降、何もなかったのように、動作できている。