Google SSO AttributeError: module 'OpenSSL.crypto' has no attribute 'sign'

I am running Ubuntu 24.04.2 LTS with Pritunl server installed under an enterprise license.

After I updated my OS, Google SSO logins started failing with the following error.

Can you please help?

tail -f /var/log/pritunl.log

[autumn-meadow-6140][2025-02-21 16:57:54,090][ERROR] Exception on /sso/callback [GET]
Traceback (most recent call last):
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py”, line 2190, in wsgi_app
response = self.full_dispatch_request()
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py”, line 1486, in full_dispatch_request
rv = self.handle_user_exception(e)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py”, line 1484, in full_dispatch_request
rv = self.dispatch_request()
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py”, line 1469, in dispatch_request
return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/auth/app.py”, line 26, in _wrapped
return call(*args, **kwargs)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/handlers/sso.py”, line 664, in sso_callback_get
valid, google_groups = sso.verify_google(username)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/sso/google.py”, line 42, in verify_google
data = service.users().get(userKey=user_email).execute()
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/googleapiclient/_helpers.py”, line 130, in positional_wrapper
return wrapped(*args, **kwargs)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/googleapiclient/http.py”, line 923, in execute
resp, content = _retry_request(
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/googleapiclient/http.py”, line 191, in _retry_request
resp, content = http.request(uri, method, *args, **kwargs)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/oauth2client/transport.py”, line 159, in new_request
credentials._refresh(orig_request_method)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/oauth2client/client.py”, line 749, in _refresh
self._do_refresh_request(http)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/oauth2client/client.py”, line 774, in _do_refresh_request
body = self._generate_refresh_request_body()
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/oauth2client/client.py”, line 1484, in _generate_refresh_request_body
assertion = self._generate_assertion()
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/oauth2client/service_account.py”, line 384, in _generate_assertion
return crypt.make_signed_jwt(self._signer, payload,
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/oauth2client/crypt.py”, line 97, in make_signed_jwt
signature = signer.sign(signing_input)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/oauth2client/_openssl_crypt.py”, line 97, in sign
return crypto.sign(self._key, message, ‘sha256’)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/cryptography/utils.py”, line 68, in __getattr__
obj = getattr(self._module, attr)
AttributeError: module ‘OpenSSL.crypto’ has no attribute ‘sign’
[autumn-meadow-6140][2025-02-21 16:57:54,090][ERROR] Exception on /sso/callback [GET]
Traceback (most recent call last):
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py”, line 2190, in wsgi_app
response = self.full_dispatch_request()
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py”, line 1486, in full_dispatch_request
rv = self.handle_user_exception(e)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py”, line 1484, in full_dispatch_request
rv = self.dispatch_request()
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py”, line 1469, in dispatch_request
return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/auth/app.py”, line 26, in _wrapped
return call(*args, **kwargs)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/handlers/sso.py”, line 664, in sso_callback_get
valid, google_groups = sso.verify_google(username)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/sso/google.py”, line 42, in verify_google
data = service.users().get(userKey=user_email).execute()
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/googleapiclient/_helpers.py”, line 130, in positional_wrapper
return wrapped(*args, **kwargs)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/googleapiclient/http.py”, line 923, in execute
resp, content = _retry_request(
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/googleapiclient/http.py”, line 191, in _retry_request
resp, content = http.request(uri, method, *args, **kwargs)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/oauth2client/transport.py”, line 159, in new_request
credentials._refresh(orig_request_method)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/oauth2client/client.py”, line 749, in _refresh
self._do_refresh_request(http)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/oauth2client/client.py”, line 774, in _do_refresh_request
body = self._generate_refresh_request_body()
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/oauth2client/client.py”, line 1484, in _generate_refresh_request_body
assertion = self._generate_assertion()
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/oauth2client/service_account.py”, line 384, in _generate_assertion
return crypt.make_signed_jwt(self._signer, payload,
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/oauth2client/crypt.py”, line 97, in make_signed_jwt
signature = signer.sign(signing_input)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/oauth2client/_openssl_crypt.py”, line 97, in sign
return crypto.sign(self._key, message, ‘sha256’)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/cryptography/utils.py”, line 68, in __getattr__
obj = getattr(self._module, attr)
AttributeError: module ‘OpenSSL.crypto’ has no attribute ‘sign’

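The recently updated pyOpenSSL is incompatible with oauth2client: as the traceback shows, oauth2client signs the service-account JWT by calling `crypto.sign`, which the updated `OpenSSL.crypto` module no longer provides. This will be fixed in an update in a few hours. Until then it can be fixed on the server by opening the file with `sudo nano /usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/sso/google.py`, holding Ctrl+K to clear the file, then replacing its contents with the code below, which builds the credentials with `google.oauth2.service_account` instead of oauth2client. Once done, run `sudo systemctl restart pritunl`.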

from pritunl import settings
from pritunl import utils

import json
import io
from google.oauth2 import service_account
from googleapiclient import discovery

def verify_google(user_email):
    """Validate a Google SSO user against the allowed domains and directory.

    Returns a ``(valid, groups)`` tuple:

    * ``(False, [])`` when the e-mail's domain is not listed in
      ``settings.app.sso_match``, or when the directory reports the
      account as suspended.
    * ``(True, [])`` when no service-account key or delegate e-mail is
      configured. In that configuration no directory lookup happens, so
      the suspended-account check and group lookup are both skipped and
      the domain match is the only gate applied here.
    * ``(True, groups)`` otherwise, with the group names returned by the
      directory API passed through ``utils.filter_unicode``.

    Raises ``TypeError`` if ``settings.app.sso_match`` is not a list.
    Nothing raised by ``json.loads`` or by the Google API calls is caught
    here; such errors propagate to the caller.
    """
    # Text after the last '@'; the whole string when there is no '@'.
    email_domain = user_email.rpartition('@')[2]

    allowed_domains = settings.app.sso_match
    if not isinstance(allowed_domains, list):
        raise TypeError('Invalid sso match')

    # Exact membership test: no case folding or other normalization is
    # applied to the domain here.
    # NOTE(review): presumably the caller passes a normalized address - verify.
    if email_domain not in allowed_domains:
        return False, []

    key_json = settings.app.sso_google_key
    delegate_email = settings.app.sso_google_email

    # Without both values the directory cannot be queried; the user is
    # accepted on the domain match alone.
    if not (key_json and delegate_email):
        return True, []

    key_info = json.loads(key_json)

    # Service-account credentials limited to the two read-only directory
    # scopes, then delegated to act as the configured account.
    base_credentials = service_account.Credentials.from_service_account_info(
        key_info,
        scopes=[
            'https://www.googleapis.com/auth/admin.directory.user.readonly',
            'https://www.googleapis.com/auth/admin.directory.group.readonly',
        ],
    )
    directory = discovery.build(
        'admin',
        'directory_v1',
        credentials=base_credentials.with_subject(google_email := delegate_email),
    ) if False else discovery.build(
        'admin',
        'directory_v1',
        credentials=base_credentials.with_subject(delegate_email),
    )

    user_record = directory.users().get(userKey=user_email).execute()
    if user_record.get('suspended'):
        return False, []

    # Single list request capped at sso_google_groups_max; no follow-up
    # page is requested, so memberships beyond this response are not
    # included in the returned list.
    group_listing = directory.groups().list(
        userKey=user_email,
        maxResults=settings.app.sso_google_groups_max,
    ).execute()

    group_names = [
        utils.filter_unicode(entry['name'])
        for entry in group_listing.get('groups') or []
    ]

    return True, group_names

Thanks for posting this quick fix. Saved my bacon this morning!

The update is currently on the unstable repository and should be in the stable repository in about 30 minutes.