Re: FreeBSD 13 + CertBot + OpenSSL 3 - status?

From: DutchDaemon - FreeBSD Forums Administrator <DutchDaemon_at_FreeBSD.org>
Date: Wed, 25 Oct 2023 09:51:54 UTC
On 25/10/2023 11:12, Vidar Karlsen wrote:
> On Wed, Oct 25, 2023 at 09:22:11AM +0200, Dutch Daemon - FreeBSD Forums Administrator wrote:
>> On October 24, 2023 14:54:40 DutchDaemon - FreeBSD Forums Administrator
>> <DutchDaemon@FreeBSD.org>  wrote:
>>> Does anyone in 'port land' know what the current developments are wrt
>>> CertBot (or py-crypto under its hood)?
>>> CertBot is happily compiling against OpenSSL 3 from ports, but when
>>> running 'certbot', the crypto side of it talks to the base system
>>> OpenSSL 1.1.1, hence failing because the OpenSSL 1.1.1 library does not
>>> understand the OpenSSL 3 calls made to it.
>>> From what I understood, this was due to an error/regression in
>>> pkgconf(?) which causes some type of 'path reversal' that causes
>>> py-crypto to ignore the OpenSSL it was compiled against, favoring the
>>> base system library.
>>> I either have to revert a whole lot of servers back to OpenSSL 1.1.1w
>>> from ports in order to renew certificates, or wait for "any movement" in
>>> getting the path reversal addressed/fixed.
>>> So: does anyone know where we're at with this?
>>
>> Memory jog:
>>
>> Traceback (most recent call last):
>> File "/usr/local/bin/certbot", line 33, in <module>
>>    sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')())
>> File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
>>    return next(matches).load()
> [...]
>> File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py",
>> line 9, in <module>
>>    from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
>> ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
>> Undefined symbol "EVP_default_properties_is_fips_enabled"
> What solved this problem for me was to apply the v2 patch from the
> pkgconf PR 273961 [1].
>
> The next hurdle you'll probably run into [2] can be solved by running
> certbot with the following env variable:
> CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
>
> [1]https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273961
> [2]https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273656
>
> Hope this helps!

Once my current Poudriere run ends I will amend pkgconf with this and 
rebuild certbot and related.

Also giving security/dehydrated and possibly acmetool a trial run to see 
if certbot can be avoided.

This is not the first time I've errored out on Python errors that took 
quite some time and effort to chase down and get fixed.

Thanks! That was indeed the PR that put me on the scent of pkgconf, but 
I stopped tracking it because of the bickering...
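As an added check (not code from this thread, nor from certbot, py-cryptography or pkgconf), the script below answers the question the traceback raises: which libcrypto does the cryptography Rust extension actually resolve at run time? It assumes the FreeBSD layout where base OpenSSL lives under /lib or /usr/lib and the ports OpenSSL under /usr/local/lib, and it takes the extension path from the traceback above. The two sample ldd outputs embedded in it are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread: report which libcrypto the
# python-cryptography Rust extension (_rust.abi3.so) resolves at run time.
# Assumptions (FreeBSD layout): base OpenSSL under /lib or /usr/lib,
# ports OpenSSL under /usr/local/lib.

# classify_libcrypto: reads ldd(1) output on stdin and prints one word:
#   ports       libcrypto resolves under /usr/local/lib (ports OpenSSL)
#   base        libcrypto resolves under /lib or /usr/lib (base OpenSSL)
#   unresolved  libcrypto is listed but ldd could not find it
#   none        no libcrypto dependency is listed at all
classify_libcrypto() {
    awk '
        $1 ~ /^libcrypto\.so/ && $2 == "=>" {
            found = 1
            if ($3 ~ /^\/usr\/local\/lib\//) {
                print "ports"
            } else if ($3 ~ /^\/(usr\/)?lib\//) {
                print "base"
            } else {
                print "unresolved"
            }
            exit
        }
        END { if (!found) print "none" }
    '
}

# check_extension: run ldd on a real extension file and print the verdict.
# Returns 0 when libcrypto comes from ports (what a ports-built certbot
# expects), 1 otherwise.
check_extension() {
    ext="$1"
    src=$(ldd "$ext" | classify_libcrypto)
    printf '%s: libcrypto from %s\n' "$ext" "$src"
    [ "$src" = "ports" ]
}

# Constructed sample ldd output mirroring the failure in the thread:
# the extension picks up the base 1.1.1 libcrypto.
SAMPLE_BASE='/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
	libcrypto.so.111 => /lib/libcrypto.so.111 (0x8008aa000)
	libc.so.7 => /lib/libc.so.7 (0x800e00000)'

# Constructed sample for an extension linked against the ports OpenSSL.
SAMPLE_PORTS='/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
	libcrypto.so.12 => /usr/local/lib/libcrypto.so.12 (0x8008aa000)
	libc.so.7 => /lib/libc.so.7 (0x800e00000)'

if [ $# -gt 0 ]; then
    # Live check, e.g.:
    # sh check-libcrypto.sh /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so
    check_extension "$1"
else
    printf 'sample (base):  %s\n' "$(printf '%s\n' "$SAMPLE_BASE" | classify_libcrypto)"
    printf 'sample (ports): %s\n' "$(printf '%s\n' "$SAMPLE_PORTS" | classify_libcrypto)"
fi
```

Run it with the extension path as the only argument. A verdict of "base" on a host whose certbot was built against the ports OpenSSL 3 is exactly the mismatch behind the "Undefined symbol EVP_default_properties_is_fips_enabled" ImportError, since that symbol only exists in OpenSSL 3; after rebuilding with the patched pkgconf the same command should report "ports".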