From nobody Wed Oct 25 09:12:18 2023 X-Original-To: freebsd-ports@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4SFjqv25mTz4yG10 for ; Wed, 25 Oct 2023 09:12:27 +0000 (UTC) (envelope-from SRS0=5lLz=GH=karlsen.tech=vidar@nivlheim.karlsen.tech) Received: from nivlheim.karlsen.tech (nivlheim.karlsen.tech [178.62.212.206]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4SFjqt3BlLz3KkK for ; Wed, 25 Oct 2023 09:12:26 +0000 (UTC) (envelope-from SRS0=5lLz=GH=karlsen.tech=vidar@nivlheim.karlsen.tech) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=karlsen.tech header.s=mail header.b="y6maZ/Wr"; spf=pass (mx1.freebsd.org: domain of "SRS0=5lLz=GH=karlsen.tech=vidar@nivlheim.karlsen.tech" designates 178.62.212.206 as permitted sender) smtp.mailfrom="SRS0=5lLz=GH=karlsen.tech=vidar@nivlheim.karlsen.tech"; dmarc=pass (policy=quarantine) header.from=karlsen.tech Received: from sleipner (sleipner.karlsen.tech [93.103.120.7]) by nivlheim.karlsen.tech (Postfix) with ESMTPSA id 5A3ED892BF for ; Wed, 25 Oct 2023 11:12:19 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=karlsen.tech; s=mail; t=1698225139; bh=n0vBr1EI4Heb1/RvDqsJdsOatFKVRZ1SEVLtL2ujaVg=; h=Date:From:To:Subject:References:In-Reply-To; b=y6maZ/WroO8cOxrS5fYlAC2vo53iARTOI7+Xiz7OlLTBidKhY7BlIIHUZr1D8Q17D b6VipN55Yd8wHUpjW9DCg6Ivh/4vMg6L80VS/v0NTdokUY3O+np3CyWxkX9e3R2F5y 5EZJODbaP4VkYHI6NdlPx7YZtct9Xyj0PscYz/L0= Date: Wed, 25 Oct 2023 11:12:18 +0200 From: Vidar Karlsen To: freebsd-ports@freebsd.org Subject: Re: FreeBSD 13 + CertBot + OpenSSL 3 - status? Message-ID: References: <76713a44-1fa4-41ee-a4f9-177907e9a57f@FreeBSD.org> <18b65b654d0.2818.b36d34a15fda208b80f54b6ad54d9e04@freebsd.org> List-Id: Porting software to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-ports List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-ports@freebsd.org X-BeenThere: freebsd-ports@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <18b65b654d0.2818.b36d34a15fda208b80f54b6ad54d9e04@freebsd.org> X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.4 (nivlheim.karlsen.tech [0.0.0.0]); Wed, 25 Oct 2023 11:12:19 +0200 (CEST) X-Spamd-Bar: -- X-Spamd-Result: default: False [-2.09 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; SUBJECT_ENDS_QUESTION(1.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.99)[-0.988]; DMARC_POLICY_ALLOW(-0.50)[karlsen.tech,quarantine]; MID_RHS_NOT_FQDN(0.50)[]; FORGED_SENDER(0.30)[vidar@karlsen.tech,SRS0=5lLz=GH=karlsen.tech=vidar@nivlheim.karlsen.tech]; R_DKIM_ALLOW(-0.20)[karlsen.tech:s=mail]; R_SPF_ALLOW(-0.20)[+ip4:178.62.212.206/32]; ONCE_RECEIVED(0.10)[]; MIME_GOOD(-0.10)[text/plain]; RCPT_COUNT_ONE(0.00)[1]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; MIME_TRACE(0.00)[0:+]; FROM_NEQ_ENVFROM(0.00)[vidar@karlsen.tech,SRS0=5lLz=GH=karlsen.tech=vidar@nivlheim.karlsen.tech]; ASN(0.00)[asn:14061, ipnet:178.62.192.0/18, country:US]; PREVIOUSLY_DELIVERED(0.00)[freebsd-ports@freebsd.org]; RCVD_COUNT_ONE(0.00)[1]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_NONE(0.00)[]; MLMMJ_DEST(0.00)[freebsd-ports@freebsd.org]; RCVD_TLS_ALL(0.00)[]; DKIM_TRACE(0.00)[karlsen.tech:+]; RCVD_VIA_SMTP_AUTH(0.00)[] X-Rspamd-Queue-Id: 4SFjqt3BlLz3KkK On Wed, Oct 25, 2023 at 09:22:11AM +0200, Dutch Daemon - FreeBSD Forums Administrator wrote: > On October 24, 2023 14:54:40 DutchDaemon - FreeBSD Forums Administrator > wrote: > > Does anyone in 'port land' know what the current developments are wrt > > CertBot (or py-crypto under its hood)? > > CertBot is happily compiling against OpenSSL 3 from ports, but when > > running 'certbot', the crypto side of it talks to the base system > > OpenSSL 1.1.1, hence failing because the OpenSSL 1.1.1 library does not > > understand the OpenSSL 3 calls made to it. > > From what I understood, this was due to an error/regression in > > pkgconf(?) which causes some type of 'path reversal' that causes > > py-crypto to ignore the OpenSSL it was compiled against, favoring the > > base system library. > > I either have to revert a whole lot of servers back to OpenSSL 1.1.1w > > from ports in order to renew certificates, or wait for "any movement" in > > getting the path reversal addressed/fixed. > > So: does anyone know where we're at with this? > > > Memory jog: > > > Traceback (most recent call last): > File "/usr/local/bin/certbot", line 33, in > sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')()) > File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point > return next(matches).load() [...] > File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py", > line 9, in > from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions > ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: > Undefined symbol "EVP_default_properties_is_fips_enabled" What solved this problem for me was to apply the v2 patch from the pkgconf PR 273961 [1]. The next hurdly you'll probably run into [2] can be solved by running certbot with the following env variable: CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 [1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273961 [2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273656 Hope this helps! -- Vidar