Re: FreeBSD 13 + CertBot + OpenSSL 3 - status?

From: Ronald Klop <ronald-lists_at_klop.ws>
Date: Wed, 25 Oct 2023 09:12:35 UTC
Hi,

I see that you are compiling certbot to openssl from ports. Apparently you are running a not often used configuration of the port.
Did you try reaching out to the maintainer of the port (python@FreeBSD.org)?
And there are also other implementations of the ACME protocol in the ports tree like security/acmetool. I have no experience with them but they might fit your use case.

Sorry I can't help you further for now. Maybe others have more handson experience with running python with openssl111 from ports.

PS: as you have the name "Dutch" in your email please check out the upcoming Dutch BSD event in November: https://bsdnl.nl/

Regards,
Ronald.

 
Van: Dutch Daemon - FreeBSD Forums Administrator <dutchdaemon@freebsd.org>
Datum: woensdag, 25 oktober 2023 09:22
Aan: freebsd-ports@freebsd.org
Onderwerp: Re: FreeBSD 13 + CertBot + OpenSSL 3 - status?
> 
>  
> 
> On October 24, 2023 14:54:40 DutchDaemon - FreeBSD Forums Administrator <DutchDaemon@FreeBSD.org> wrote:
>> 
>> Does anyone in 'port land' know what the current developments are wrt CertBot (or py-crypto under its hood)? 
>> 
>> CertBot is happily compiling against OpenSSL 3 from ports, but when running 'certbot', the crypto side of it talks to the base system OpenSSL 1.1.1, hence failing because the OpenSSL 1.1.1 library does not understand the OpenSSL 3 calls made to it.
>> 
>> From what I understood, this was due to an error/regression in pkgconf(?) which causes some type of 'path reversal' that causes py-crypto to ignore the OpenSSL it was compiled against, favoring the base system library.
>> 
>> I either have to revert a whole lot of servers back to OpenSSL 1.1.1w from ports in order to renew certificates, or wait for "any movement" in getting the path reversal addressed/fixed.
>> 
>> So: does anyone know where we're at with this?
> 
> Memory jog:
>  
>  
> Traceback (most recent call last):
>  File "/usr/local/bin/certbot", line 33, in <module>
>    sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')())
>  File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
>    return next(matches).load()
>  File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load
>    module = import_module(match.group('module'))
>  File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module
>    return _bootstrap._gcd_import(name[level:], package, level)
>  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
>  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
>  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
>  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
>  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
>  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
>  File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in <module>
>    from certbot._internal import main as internal_main
>  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 21, in <module>
>    import josepy as jose
>  File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py", line 40, in <module>
>    from josepy.json_util import (
>  File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 14, in <module>
>    from OpenSSL import crypto
>  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
>    from OpenSSL import SSL, crypto
>  File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module>
>    from OpenSSL._util import (
>  File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module>
>    from cryptography.hazmat.bindings.openssl.binding import Binding
>  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 15, in <module>
>    from cryptography.exceptions import InternalError
>  File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py", line 9, in <module>
>    from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
> ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: Undefined symbol "EVP_default_properties_is_fips_enabled"