On 25/10/2023 11:12, Vidar Karlsen wrote:
> On Wed, Oct 25, 2023 at 09:22:11AM +0200, Dutch Daemon - FreeBSD Forums Administrator wrote:
>> On October 24, 2023 14:54:40 DutchDaemon - FreeBSD Forums Administrator <dutchdae...@freebsd.org> wrote:
>>> Does anyone in 'port land' know what the current developments are wrt CertBot (or py-crypto under its hood)? CertBot is happily compiling against OpenSSL 3 from ports, but when running 'certbot', the crypto side of it talks to the base system OpenSSL 1.1.1, hence failing because the OpenSSL 1.1.1 library does not understand the OpenSSL 3 calls made to it. From what I understood, this was due to an error/regression in pkgconf(?) which causes some type of 'path reversal' that causes py-crypto to ignore the OpenSSL it was compiled against, favoring the base system library. I either have to revert a whole lot of servers back to OpenSSL 1.1.1w from ports in order to renew certificates, or wait for "any movement" in getting the path reversal addressed/fixed.
>>>
>>> So: does anyone know where we're at with this?
>>
>> Memory jog:
>>
>> Traceback (most recent call last):
>>   File "/usr/local/bin/certbot", line 33, in <module>
>>     sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')())
>>   File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
>>     return next(matches).load()
>> [...]
>>   File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py", line 9, in <module>
>>     from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
>> ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: Undefined symbol "EVP_default_properties_is_fips_enabled"
>
> What solved this problem for me was to apply the v2 patch from the pkgconf PR 273961 [1]. The next hurdle you'll probably run into [2] can be solved by running certbot with the following env variable:
>
> CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
>
> [1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273961
> [2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273656
>
> Hope this helps!

Once my current Poudriere run ends I will amend pkgconf with this and rebuild certbot and related.
Also giving security/dehydrate and possibly acmetool a trial run to see if certbot can be avoided.
This is not the first time I've errored out on Python errors that took quite some time and effort to chase down and get fixed.
Thanks! That was indeed the PR that put me on the scent of pkgconf, but I stopped tracking it because of the bickering..
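
A way to confirm the mismatch described in this thread, as an added example that is not part of the original messages: it classifies where the runtime linker resolves libssl/libcrypto for the module named in the traceback, based on `ldd` output. The function names are hypothetical and the sample `ldd` output (library suffixes and addresses) is constructed.

```python
import re
import subprocess
import sys

# Module path taken from the traceback quoted in the thread.
RUST_SO = ("/usr/local/lib/python3.9/site-packages/"
           "cryptography/hazmat/bindings/_rust.abi3.so")
BASE_PREFIXES = ("/lib/", "/usr/lib/")  # FreeBSD base system libraries
PORTS_PREFIX = "/usr/local/lib/"        # libraries installed from ports
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)")

# Constructed sample of `ldd` output (suffixes and addresses are illustrative).
SAMPLE_LDD = """\
_rust.abi3.so:
\tlibssl.so.111 => /usr/lib/libssl.so.111 (0x800a00000)
\tlibcrypto.so.111 => /lib/libcrypto.so.111 (0x800c00000)
\tlibc.so.7 => /lib/libc.so.7 (0x800200000)
"""

def openssl_origins(ldd_output):
    """Map each libssl/libcrypto dependency to 'base', 'ports' or 'other'."""
    origins = {}
    for line in ldd_output.splitlines():
        m = LDD_LINE.match(line)
        if not m:
            continue  # header line or a line without "=>"
        soname, path = m.groups()
        if not soname.startswith(("libssl.so", "libcrypto.so")):
            continue
        if path.startswith(PORTS_PREFIX):
            origins[soname] = "ports"
        elif path.startswith(BASE_PREFIXES):
            origins[soname] = "base"
        else:
            origins[soname] = "other"  # e.g. "not found"
    return origins

def resolves_to_base(ldd_output):
    """True if any OpenSSL library is picked up from the base system."""
    return "base" in openssl_origins(ldd_output).values()

if __name__ == "__main__":
    # With "--live" run ldd on the real module; otherwise use the sample.
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    out = (subprocess.run(["ldd", RUST_SO], capture_output=True,
                          text=True).stdout if live else SAMPLE_LDD)
    for lib, origin in openssl_origins(out).items():
        print(f"{lib}: {origin}")
    sys.exit(1 if resolves_to_base(out) else 0)
```

A non-zero exit status means at least one OpenSSL library resolves to the base system, which matches the failure mode reported above for a build made against OpenSSL 3 from ports.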