geerlingguy / ansible-role-certbot

Ansible Role - Certbot (for Let's Encrypt)
https://galaxy.ansible.com/geerlingguy/certbot/
MIT License

Install certbot step fails because of OpenSSL errors #136

Closed stam closed 3 years ago

stam commented 3 years ago

Hey, I'm unsure if there is an issue with ansible itself or with this role, but I only get this error when I run this role.

Environment: ubuntu 18.0.4, ansible 2.10.3, geerlingguy.certbot 3.1.0

Full output of verbose mode:

TASK [geerlingguy.certbot : Install Certbot.] *************************************************************************************************************************************************************
task path: /Users/jasper.stam/.ansible/roles/geerlingguy.certbot/tasks/install-with-package.yml:2
<redacted-ip> ESTABLISH SSH CONNECTION FOR USER: borg
<redacted-ip> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="<redacted>.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="borg"' -o ConnectTimeout=10 -o ControlPath=/Users/jasper.stam/.ansible/cp/3461cb1e10 redacted-ip '/bin/sh -c '"'"'echo ~borg && sleep 0'"'"''
<redacted-ip> (0, b'/home/borg\n', b'')
<redacted-ip> ESTABLISH SSH CONNECTION FOR USER: borg
<redacted-ip> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="<redacted>.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="borg"' -o ConnectTimeout=10 -o ControlPath=/Users/jasper.stam/.ansible/cp/3461cb1e10 redacted-ip '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /home/borg/.ansible/tmp `"&& mkdir "` echo /home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814 `" && echo ansible-tmp-1607531632.149386-75288-58761553275814="` echo /home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814 `" ) && sleep 0'"'"''
<redacted-ip> (0, b'ansible-tmp-1607531632.149386-75288-58761553275814=/home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814\n', b'')
Using module file /usr/local/Cellar/ansible/2.10.3_1/libexec/lib/python3.9/site-packages/ansible/modules/apt.py
<redacted-ip> PUT /Users/jasper.stam/.ansible/tmp/ansible-local-750864sz46d3b/tmpobdw8wgf TO /home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814/AnsiballZ_apt.py
<redacted-ip> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="<redacted>.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="borg"' -o ConnectTimeout=10 -o ControlPath=/Users/jasper.stam/.ansible/cp/3461cb1e10 '[redacted-ip]'
<redacted-ip> (0, b'sftp> put /Users/jasper.stam/.ansible/tmp/ansible-local-750864sz46d3b/tmpobdw8wgf /home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814/AnsiballZ_apt.py\n', b'')
<redacted-ip> ESTABLISH SSH CONNECTION FOR USER: borg
<redacted-ip> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="<redacted>.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="borg"' -o ConnectTimeout=10 -o ControlPath=/Users/jasper.stam/.ansible/cp/3461cb1e10 redacted-ip '/bin/sh -c '"'"'chmod u+x /home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814/ /home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814/AnsiballZ_apt.py && sleep 0'"'"''
<redacted-ip> (0, b'', b'')
<redacted-ip> ESTABLISH SSH CONNECTION FOR USER: borg
<redacted-ip> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="<redacted>.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="borg"' -o ConnectTimeout=10 -o ControlPath=/Users/jasper.stam/.ansible/cp/3461cb1e10 -tt redacted-ip '/bin/sh -c '"'"'sudo -H -S -n  -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-ulyvgrbhwaieirpksxxctvsifjamwqvj ; /usr/bin/python3 /home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814/AnsiballZ_apt.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
<redacted-ip> (1, b'Traceback (most recent call last):\r\n  File "/home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814/AnsiballZ_apt.py", line 102, in <module>\r\n    _ansiballz_main()\r\n  File "/home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814/AnsiballZ_apt.py", line 94, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File "/home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814/AnsiballZ_apt.py", line 40, in invoke_module\r\n    runpy.run_module(mod_name=\'ansible.modules.apt\', init_globals=None, run_name=\'__main__\', alter_sys=True)\r\n  File "/usr/lib/python3.6/runpy.py", line 205, in run_module\r\n    return _run_module_code(code, init_globals, run_name, mod_spec)\r\n  File "/usr/lib/python3.6/runpy.py", line 96, in _run_module_code\r\n    mod_name, mod_spec, pkg_name, script_name)\r\n  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code\r\n    exec(code, run_globals)\r\n  File "/tmp/ansible_ansible.legacy.apt_payload_n4ws_aw7/ansible_ansible.legacy.apt_payload.zip/ansible/modules/apt.py", line 291, in <module>\r\n  File "<frozen importlib._bootstrap>", line 971, in _find_and_load\r\n  File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked\r\n  File "<frozen importlib._bootstrap>", line 656, in _load_unlocked\r\n  File "<frozen importlib._bootstrap>", line 626, in _load_backward_compatible\r\n  File "/tmp/ansible_ansible.legacy.apt_payload_n4ws_aw7/ansible_ansible.legacy.apt_payload.zip/ansible/module_utils/urls.py", line 115, in <module>\r\n  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 46, in <module>\r\n    import OpenSSL.SSL\r\n  File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>\r\n    from OpenSSL import crypto, SSL\r\n  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 675, in <module>\r\n    _lib.Cryptography_HAS_TLSEXT_HOSTNAME, "SNI not 
available"\r\nAttributeError: module \'lib\' has no attribute \'Cryptography_HAS_TLSEXT_HOSTNAME\'\r\n', b'Shared connection to redacted-ip closed.\r\n')
<redacted-ip> Failed to connect to the host via ssh: Shared connection to redacted-ip closed.
<redacted-ip> ESTABLISH SSH CONNECTION FOR USER: borg
<redacted-ip> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="<redacted>.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="borg"' -o ConnectTimeout=10 -o ControlPath=/Users/jasper.stam/.ansible/cp/3461cb1e10 redacted-ip '/bin/sh -c '"'"'rm -f -r /home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814/ > /dev/null 2>&1 && sleep 0'"'"''
<redacted-ip> (0, b'', b'')
The full traceback is:
Traceback (most recent call last):
  File "/home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814/AnsiballZ_apt.py", line 102, in <module>
    _ansiballz_main()
  File "/home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814/AnsiballZ_apt.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814/AnsiballZ_apt.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible.modules.apt', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib/python3.6/runpy.py", line 205, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib/python3.6/runpy.py", line 96, in _run_module_code
    mod_name, mod_spec, pkg_name, script_name)
  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_ansible.legacy.apt_payload_n4ws_aw7/ansible_ansible.legacy.apt_payload.zip/ansible/modules/apt.py", line 291, in <module>
  File "<frozen importlib._bootstrap>", line 971, in _find_and_load
  File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 656, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 626, in _load_backward_compatible
  File "/tmp/ansible_ansible.legacy.apt_payload_n4ws_aw7/ansible_ansible.legacy.apt_payload.zip/ansible/module_utils/urls.py", line 115, in <module>
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 46, in <module>
    import OpenSSL.SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 675, in <module>
    _lib.Cryptography_HAS_TLSEXT_HOSTNAME, "SNI not available"
AttributeError: module 'lib' has no attribute 'Cryptography_HAS_TLSEXT_HOSTNAME'
fatal: [canesten]: FAILED! => {
    "changed": false,
    "module_stderr": "Shared connection to redacted-ip closed.\r\n",
    "module_stdout": "Traceback (most recent call last):\r\n  File \"/home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814/AnsiballZ_apt.py\", line 102, in <module>\r\n    _ansiballz_main()\r\n  File \"/home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814/AnsiballZ_apt.py\", line 94, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/home/borg/.ansible/tmp/ansible-tmp-1607531632.149386-75288-58761553275814/AnsiballZ_apt.py\", line 40, in invoke_module\r\n    runpy.run_module(mod_name='ansible.modules.apt', init_globals=None, run_name='__main__', alter_sys=True)\r\n  File \"/usr/lib/python3.6/runpy.py\", line 205, in run_module\r\n    return _run_module_code(code, init_globals, run_name, mod_spec)\r\n  File \"/usr/lib/python3.6/runpy.py\", line 96, in _run_module_code\r\n    mod_name, mod_spec, pkg_name, script_name)\r\n  File \"/usr/lib/python3.6/runpy.py\", line 85, in _run_code\r\n    exec(code, run_globals)\r\n  File \"/tmp/ansible_ansible.legacy.apt_payload_n4ws_aw7/ansible_ansible.legacy.apt_payload.zip/ansible/modules/apt.py\", line 291, in <module>\r\n  File \"<frozen importlib._bootstrap>\", line 971, in _find_and_load\r\n  File \"<frozen importlib._bootstrap>\", line 955, in _find_and_load_unlocked\r\n  File \"<frozen importlib._bootstrap>\", line 656, in _load_unlocked\r\n  File \"<frozen importlib._bootstrap>\", line 626, in _load_backward_compatible\r\n  File \"/tmp/ansible_ansible.legacy.apt_payload_n4ws_aw7/ansible_ansible.legacy.apt_payload.zip/ansible/module_utils/urls.py\", line 115, in <module>\r\n  File \"/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py\", line 46, in <module>\r\n    import OpenSSL.SSL\r\n  File \"/usr/lib/python3/dist-packages/OpenSSL/__init__.py\", line 8, in <module>\r\n    from OpenSSL import crypto, SSL\r\n  File \"/usr/lib/python3/dist-packages/OpenSSL/SSL.py\", line 675, in <module>\r\n    _lib.Cryptography_HAS_TLSEXT_HOSTNAME, 
\"SNI not available\"\r\nAttributeError: module 'lib' has no attribute 'Cryptography_HAS_TLSEXT_HOSTNAME'\r\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

stam commented 3 years ago

I also get this issue with certbot manually through apt. This installs certbot 0.31.0, which returns this error even at certbot --version

Installing certbot using snap (following their docs) works.

stale[bot] commented 3 years ago

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

stam commented 3 years ago

I'm unsure of why it was broken in the first place, but with newer installs I don't have this issue anymore.
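
An added diagnostic, not part of the original thread or of the role's code: it pulls the failing file and missing binding out of the traceback above, then locates `OpenSSL` and `cryptography` on disk without importing them and reports which installer each came from. That a mix of apt and pip copies is the cause is an assumption the thread does not confirm, and the path rules assume Debian/Ubuntu conventions.

```python
import importlib.util
import re

# Last frames of the traceback quoted in the issue (sample input for the parser).
SAMPLE_TRACEBACK = '''  File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 675, in <module>
    _lib.Cryptography_HAS_TLSEXT_HOSTNAME, "SNI not available"
AttributeError: module 'lib' has no attribute 'Cryptography_HAS_TLSEXT_HOSTNAME'
'''

def missing_binding(traceback_text):
    """Return (file that failed, missing attribute), or None if the pattern is absent."""
    frames = re.findall(r'File "([^"]+)", line \d+', traceback_text)
    err = re.search(r"AttributeError: module 'lib' has no attribute '(\w+)'", traceback_text)
    return (frames[-1], err.group(1)) if frames and err else None

def classify_origin(path):
    """Map a module path to its installer, using Debian/Ubuntu path conventions."""
    if not path:
        return "missing"
    if path.startswith("/usr/lib/python3/dist-packages/"):
        return "apt"          # distro packages such as python3-openssl
    if path.startswith("/usr/local/lib/python"):
        return "pip-system"   # pip run as root
    if "/.local/lib/python" in path:
        return "pip-user"     # pip install --user
    return "other"

def locate(name):
    """Find a top-level package on disk without importing it (the import is what crashes)."""
    try:
        spec = importlib.util.find_spec(name)
    except (ImportError, ValueError):
        return None
    return spec.origin if spec else None

def mixed_sources(origins):
    """True when the given packages come from more than one installer."""
    kinds = {classify_origin(p) for p in origins.values()} - {"missing"}
    return len(kinds) > 1

if __name__ == "__main__":
    print(missing_binding(SAMPLE_TRACEBACK))
    found = {name: locate(name) for name in ("OpenSSL", "cryptography")}
    for name, path in found.items():
        print(name, classify_origin(path), path)
    print("mixed install sources:", mixed_sources(found))
```

Run it on the managed host with the same interpreter Ansible uses there (`/usr/bin/python3` in the log above), as the same user the module runs as.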