Privacyidea venv with apache via wsgi - ImportError: PyO3 modules do not yet support subinterpreters,

Alexander_K · October 1, 2025, 1:09pm

So i have installed PI (3.12) via pip (debian 13, python 3.13) and trying to make it work with apache/wsgi.

(starting the ‘pi-manage startserver’ works fine, can be reached via :5000, can login and issue tokens and such, no prob there)

In the apache pi.conf i have

WSGIPythonHome /opt/privacyidea
<VirtualHost *:443>
   SSL and such...

   WSGIScriptAlias /      /etc/privacyidea/privacyideaapp.wsgi
   WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
   WSGIProcessGroup privacyidea
   WSGIPassAuthorization On

When accessing apache i get 500 Internal Server Error, and see this in error.log

[Wed Oct 01 14:49:51.394479 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590] mod_wsgi (pid=253862): Failed to exec Python script file '/etc/privacyidea/privacyideaapp.wsgi'.
[Wed Oct 01 14:49:51.394546 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590] mod_wsgi (pid=253862): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
[Wed Oct 01 14:49:51.395526 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590] Traceback (most recent call last):
[Wed Oct 01 14:49:51.396257 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]   File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
[Wed Oct 01 14:49:51.396278 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]     from privacyidea.app import create_app
[Wed Oct 01 14:49:51.396287 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]   File "/opt/privacyidea/lib/python3.13/site-packages/privacyidea/app.py", line 48, in <module>
[Wed Oct 01 14:49:51.396290 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]     import privacyidea.api.before_after  # noqa: F401
[Wed Oct 01 14:49:51.396292 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Oct 01 14:49:51.396297 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]   File "/opt/privacyidea/lib/python3.13/site-packages/privacyidea/api/before_after.py", line 30, in <module>
[Wed Oct 01 14:49:51.396300 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]     from .lib.utils import (send_error, get_all_params, verify_auth_token, get_optional)
[Wed Oct 01 14:49:51.396305 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]   File "/opt/privacyidea/lib/python3.13/site-packages/privacyidea/api/lib/utils.py", line 34, in <module>
[Wed Oct 01 14:49:51.396307 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]     import jwt
[Wed Oct 01 14:49:51.396312 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]   File "/opt/privacyidea/lib/python3.13/site-packages/jwt/__init__.py", line 1, in <module>
[Wed Oct 01 14:49:51.396323 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]     from .api_jwk import PyJWK, PyJWKSet
[Wed Oct 01 14:49:51.396327 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]   File "/opt/privacyidea/lib/python3.13/site-packages/jwt/api_jwk.py", line 7, in <module>
[Wed Oct 01 14:49:51.396335 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]     from .algorithms import get_default_algorithms, has_crypto, requires_cryptography
[Wed Oct 01 14:49:51.396340 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]   File "/opt/privacyidea/lib/python3.13/site-packages/jwt/algorithms.py", line 11, in <module>
[Wed Oct 01 14:49:51.396342 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]     from .utils import (
[Wed Oct 01 14:49:51.396343 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]     ...<9 lines>...
[Wed Oct 01 14:49:51.396345 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]     )
[Wed Oct 01 14:49:51.396348 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]   File "/opt/privacyidea/lib/python3.13/site-packages/jwt/utils.py", line 7, in <module>
[Wed Oct 01 14:49:51.396350 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]     from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurve
[Wed Oct 01 14:49:51.396354 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]   File "/opt/privacyidea/lib/python3.13/site-packages/cryptography/hazmat/primitives/asymmetric/ec.py", line 11, in <module>
[Wed Oct 01 14:49:51.396356 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]     from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
[Wed Oct 01 14:49:51.396360 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]   File "/opt/privacyidea/lib/python3.13/site-packages/cryptography/exceptions.py", line 9, in <module>
[Wed Oct 01 14:49:51.396362 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590]     from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
[Wed Oct 01 14:49:51.396380 2025] [wsgi:error] [pid 253862:tid 253895] [remote 10.10.1.2:35590] ImportError: PyO3 modules do not yet support subinterpreters, see https://github.com/PyO3/pyo3/issues/576

Any hints?

cornelinux · October 19, 2025, 6:24am

No idea. Just some wild gueses:

Did you use the requirements.txt - otherwise your cryptography might be too new.
Did you try to chage process=1 and threads=15 ?
Can you “downgrade” to Python 3.12 (although 3.13 seems officially supported)
Did you try to use an nginx setup with uwsgi?