On 25/10/2023 11:12, Vidar Karlsen wrote:
On Wed, Oct 25, 2023 at 09:22:11AM +0200, Dutch Daemon - FreeBSD Forums Administrator wrote:On October 24, 2023 14:54:40 DutchDaemon - FreeBSD Forums Administrator <dutchdae...@freebsd.org> wrote:Does anyone in 'port land' know what the current developments are wrt CertBot (or py-crypto under its hood)? CertBot is happily compiling against OpenSSL 3 from ports, but when running 'certbot', the crypto side of it talks to the base system OpenSSL 1.1.1, hence failing because the OpenSSL 1.1.1 library does not understand the OpenSSL 3 calls made to it. From what I understood, this was due to an error/regression in pkgconf(?) which causes some type of 'path reversal' that causes py-crypto to ignore the OpenSSL it was compiled against, favoring the base system library. I either have to revert a whole lot of servers back to OpenSSL 1.1.1w from ports in order to renew certificates, or wait for "any movement" in getting the path reversal addressed/fixed. So: does anyone know where we're at with this?Memory jog: Traceback (most recent call last): File "/usr/local/bin/certbot", line 33, in <module> sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')()) File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point return next(matches).load()[...]File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py", line 9, in <module> from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: Undefined symbol "EVP_default_properties_is_fips_enabled"What solved this problem for me was to apply the v2 patch from the pkgconf PR 273961 [1]. The next hurdly you'll probably run into [2] can be solved by running certbot with the following env variable: CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 [1]https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273961 [2]https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273656 Hope this helps!
This patch certainly did it for me, hope it gets committed soon (if it doesn't pose a regression hazard). I did not run into the other problem.
OpenPGP_signature.asc
Description: OpenPGP digital signature