Date: Wed, 25 Oct 2023 11:12:18 +0200 From: Vidar Karlsen <vidar@karlsen.tech> To: freebsd-ports@freebsd.org Subject: Re: FreeBSD 13 + CertBot + OpenSSL 3 - status? Message-ID: <l66f3jilr3gjiqoxhnjmlydogn2e6lo7xyd5tpe3gasb6v2yby@pwrrw3r4r2aq> In-Reply-To: <18b65b654d0.2818.b36d34a15fda208b80f54b6ad54d9e04@freebsd.org> References: <76713a44-1fa4-41ee-a4f9-177907e9a57f@FreeBSD.org> <18b65b654d0.2818.b36d34a15fda208b80f54b6ad54d9e04@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Oct 25, 2023 at 09:22:11AM +0200, Dutch Daemon - FreeBSD Forums Administrator wrote: > On October 24, 2023 14:54:40 DutchDaemon - FreeBSD Forums Administrator > <DutchDaemon@FreeBSD.org> wrote: > > Does anyone in 'port land' know what the current developments are wrt > > CertBot (or py-crypto under its hood)? > > CertBot is happily compiling against OpenSSL 3 from ports, but when > > running 'certbot', the crypto side of it talks to the base system > > OpenSSL 1.1.1, hence failing because the OpenSSL 1.1.1 library does not > > understand the OpenSSL 3 calls made to it. > > From what I understood, this was due to an error/regression in > > pkgconf(?) which causes some type of 'path reversal' that causes > > py-crypto to ignore the OpenSSL it was compiled against, favoring the > > base system library. > > I either have to revert a whole lot of servers back to OpenSSL 1.1.1w > > from ports in order to renew certificates, or wait for "any movement" in > > getting the path reversal addressed/fixed. > > So: does anyone know where we're at with this? > > > Memory jog: > > > Traceback (most recent call last): > File "/usr/local/bin/certbot", line 33, in <module> > sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')()) > File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point > return next(matches).load() [...] > File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py", > line 9, in <module> > from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions > ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: > Undefined symbol "EVP_default_properties_is_fips_enabled" What solved this problem for me was to apply the v2 patch from the pkgconf PR 273961 [1]. The next hurdly you'll probably run into [2] can be solved by running certbot with the following env variable: CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 [1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273961 [2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273656 Hope this helps! -- Vidar
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?l66f3jilr3gjiqoxhnjmlydogn2e6lo7xyd5tpe3gasb6v2yby>