Re: FreeBSD 13 + CertBot + OpenSSL 3 - status?

Reply: Alexander Leidinger : "Re: FreeBSD 13 + CertBot + OpenSSL 3 - status?"
In reply to: Ronald Klop : "Re: FreeBSD 13 + CertBot + OpenSSL 3 - status?"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: DutchDaemon - FreeBSD Forums Administrator <DutchDaemon_at_FreeBSD.org>
Date: Wed, 25 Oct 2023 09:57:28 UTC
On 25/10/2023 11:12, Ronald Klop wrote:
> Hi,
>
> I see that you are compiling certbot to openssl from ports. Apparently 
> you are running a not often used configuration of the port.

I'm not so sure about that. OpenSSL in ports is usually quite a lot 
ahead of base system OpenSSL, which is why I build everything against 
it. I'm sure I'm not the only one.

> Did you try reaching out to the maintainer of the port 
> (python@FreeBSD.org)?

This bug is pretty well-known, and since it originates in pkgconf (not 
Python) and there is a lengthy PR about it (with a tentative patch, 
which I was told about just now), I decided to just post here to get 
some eyeballs, Successfully ;)

> And there are also other implementations of the ACME protocol in the 
> ports tree like security/acmetool. I have no experience with them but 
> they might fit your use case.

dehydrate and acmetools are currently on the radar to avoid the next 
(unavoidable) issue with certbot.

>
> Sorry I can't help you further for now. Maybe others have more handson 
> experience with running python with openssl111 from ports.
>
> PS: as you have the name "Dutch" in your email please check out the 
> upcoming Dutch BSD event in November: https://bsdnl.nl/

I can't, but I'll alert the FreeBSD Forums about it; plenty of Dutchies 
on there as well.


> *Van:* Dutch Daemon - FreeBSD Forums Administrator 
> <dutchdaemon@freebsd.org>
> *Datum:* woensdag, 25 oktober 2023 09:22
> *Aan:* freebsd-ports@freebsd.org
> *Onderwerp:* Re: FreeBSD 13 + CertBot + OpenSSL 3 - status?
>
>     ------------------------------------------------------------------------
>
>     On October 24, 2023 14:54:40 DutchDaemon - FreeBSD Forums
>     Administrator <DutchDaemon@FreeBSD.org> wrote:
>
>         Does anyone in 'port land' know what the current developments
>         are wrt CertBot (or py-crypto under its hood)?
>
>         CertBot is happily compiling against OpenSSL 3 from ports, but
>         when running 'certbot', the crypto side of it talks to the
>         base system OpenSSL 1.1.1, hence failing because the OpenSSL
>         1.1.1 library does not understand the OpenSSL 3 calls made to it.
>
>         From what I understood, this was due to an error/regression in
>         pkgconf(?) which causes some type of 'path reversal' that
>         causes py-crypto to ignore the OpenSSL it was compiled
>         against, favoring the base system library.
>
>         I either have to revert a whole lot of servers back to OpenSSL
>         1.1.1w from ports in order to renew certificates, or wait for
>         "any movement" in getting the path reversal addressed/fixed.
>
>         So: does anyone know where we're at with this?
>
>     Memory jog:
>     Traceback (most recent call last):
>      File "/usr/local/bin/certbot", line 33, in <module>
>      sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts',
>     'certbot')())
>      File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
>      return next(matches).load()
>      File "/usr/local/lib/python3.9/importlib/metadata.py", line 86,
>     in load
>      module = import_module(match.group('module'))
>      File "/usr/local/lib/python3.9/importlib/__init__.py", line 127,
>     in import_module
>      return _bootstrap._gcd_import(name[level:], package, level)
>      File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
>      File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
>      File "<frozen importlib._bootstrap>", line 986, in
>     _find_and_load_unlocked
>      File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
>      File "<frozen importlib._bootstrap_external>", line 850, in
>     exec_module
>      File "<frozen importlib._bootstrap>", line 228, in
>     _call_with_frames_removed
>      File "/usr/local/lib/python3.9/site-packages/certbot/main.py",
>     line 6, in <module>
>      from certbot._internal import main as internal_main
>      File
>     "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py",
>     line 21, in <module>
>      import josepy as jose
>      File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py",
>     line 40, in <module>
>      from josepy.json_util import (
>      File
>     "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line
>     14, in <module>
>      from OpenSSL import crypto
>      File
>     "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line
>     8, in <module>
>      from OpenSSL import SSL, crypto
>      File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py",
>     line 9, in <module>
>      from OpenSSL._util import (
>      File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py",
>     line 6, in <module>
>      from cryptography.hazmat.bindings.openssl.binding import Binding
>      File
>     "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py",
>     line 15, in <module>
>      from cryptography.exceptions import InternalError
>      File
>     "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py",
>     line 9, in <module>
>      from cryptography.hazmat.bindings._rust import exceptions as
>     rust_exceptions
>     ImportError:
>     /*usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so*:
>     Undefined symbol "EVP_default_properties_is_fips_enabled"
>
>