From: DutchDaemon - FreeBSD Forums Administrator <DutchDaemon@FreeBSD.org>
To: ports@freebsd.org
Date: Wed, 25 Oct 2023 11:51:54 +0200
Subject: Re: FreeBSD 13 + CertBot + OpenSSL 3 - status?
Message-ID: <2f429a9d-d680-4925-8b99-34575ab955e9@FreeBSD.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

On 25/10/2023 11:12, Vidar Karlsen wrote:
> On Wed, Oct 25, 2023 at 09:22:11AM +0200, Dutch Daemon - FreeBSD Forums Administrator wrote:
>> On October 24, 2023 14:54:40 DutchDaemon - FreeBSD Forums Administrator
>> <DutchDaemon@FreeBSD.org> wrote:
>>> Does anyone in 'port land' know what the current developments are wrt
>>> CertBot (or py-crypto under its hood)?
>>> CertBot is happily compiling against OpenSSL 3 from ports, but when
>>> running 'certbot', the crypto side of it talks to the base system
>>> OpenSSL 1.1.1, hence failing because the OpenSSL 1.1.1 library does not
>>> understand the OpenSSL 3 calls made to it.
>>> From what I understood, this was due to an error/regression in
>>> pkgconf(?) which causes some type of 'path reversal' that causes
>>> py-crypto to ignore the OpenSSL it was compiled against, favoring the
>>> base system library.
>>> I either have to revert a whole lot of servers back to OpenSSL 1.1.1w
>>> from ports in order to renew certificates, or wait for "any movement" in
>>> getting the path reversal addressed/fixed.
>>> So: does anyone know where we're at with this?
>>
>> Memory jog:
>>
>>
>> Traceback (most recent call last):
>> File "/usr/local/bin/certbot", line 33, in <module>
>>   sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')())
>> File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
>>   return next(matches).load()
> [...]
>> File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py",
>> line 9, in <module>
>>   from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
>> ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
>> Undefined symbol "EVP_default_properties_is_fips_enabled"
> What solved this problem for me was to apply the v2 patch from the
> pkgconf PR 273961 [1].
>
> The next hurdle you'll probably run into [2] can be solved by running
> certbot with the following env variable:
> CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
>
> [1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273961
> [2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273656
>
> Hope this helps!

Once my current Poudriere run ends I will amend pkgconf with this and rebuild certbot and related.

Also giving security/dehydrate and possibly acmetool a trial run to see if certbot can be avoided.

This is not the first time I've errored out on Python errors that took quite some time and effort to chase down and get fixed.

Thanks! That was indeed the PR that put me on the scent of pkgconf, but I stopped tracking it because of the bickering..


    
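Added example, not part of the original message or of any project's code: a check for the mismatch described in the thread, classifying where the libssl/libcrypto dependencies of the `_rust.abi3.so` named in the traceback resolve according to `ldd` output. The directory split (base in `/lib` and `/usr/lib`, ports in `/usr/local/lib`), the function names, and the sample `ldd` text with its sonames are assumptions constructed for illustration.

```python
import re
import subprocess
import sys

# Assumed FreeBSD layout: base-system libraries vs. libraries installed from ports.
BASE_DIRS = ("/lib/", "/usr/lib/")
PORTS_DIR = "/usr/local/lib/"

# Matches ldd lines such as "\tlibcrypto.so.111 => /lib/libcrypto.so.111 (0x...)".
LDD_LINE = re.compile(r"^\s*(lib(?:ssl|crypto)\.so\S*)\s+=>\s+(not found|\S+)")

def openssl_origins(ldd_output):
    """Map each libssl/libcrypto dependency to 'base', 'ports', 'missing' or 'other'."""
    origins = {}
    for line in ldd_output.splitlines():
        m = LDD_LINE.match(line)
        if not m:
            continue
        name, path = m.groups()
        if path == "not found":
            origins[name] = "missing"
        elif path.startswith(PORTS_DIR):
            origins[name] = "ports"
        elif path.startswith(BASE_DIRS):
            origins[name] = "base"
        else:
            origins[name] = "other"
    return origins

def base_linked(ldd_output):
    """OpenSSL libraries that resolve to the base system instead of ports."""
    return sorted(n for n, o in openssl_origins(ldd_output).items() if o == "base")

# Constructed sample output (sonames and addresses are illustrative only).
BROKEN_SAMPLE = """/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
\tlibssl.so.111 => /usr/lib/libssl.so.111 (0x800a00000)
\tlibcrypto.so.111 => /lib/libcrypto.so.111 (0x800c00000)
\tlibc.so.7 => /lib/libc.so.7 (0x801000000)
"""
FIXED_SAMPLE = BROKEN_SAMPLE.replace("/usr/lib/libssl.so.111", "/usr/local/lib/libssl.so.12") \
                            .replace("/lib/libcrypto.so.111", "/usr/local/lib/libcrypto.so.12")

if __name__ == "__main__":
    # Live use: pass the path of the extension module to inspect.
    out = subprocess.run(["ldd", sys.argv[1]], capture_output=True, text=True, check=True).stdout
    bad = base_linked(out)
    print("resolves to base OpenSSL: " + ", ".join(bad) if bad else "no base OpenSSL linkage found")
    sys.exit(1 if bad else 0)
```
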