Date:      Wed, 25 Oct 2023 11:51:54 +0200
From:      DutchDaemon - FreeBSD Forums Administrator <DutchDaemon@FreeBSD.org>
To:        ports@freebsd.org
Subject:   Re: FreeBSD 13 + CertBot + OpenSSL 3 - status?
Message-ID:  <2f429a9d-d680-4925-8b99-34575ab955e9@FreeBSD.org>
In-Reply-To: <l66f3jilr3gjiqoxhnjmlydogn2e6lo7xyd5tpe3gasb6v2yby@pwrrw3r4r2aq>
References:  <76713a44-1fa4-41ee-a4f9-177907e9a57f@FreeBSD.org> <18b65b654d0.2818.b36d34a15fda208b80f54b6ad54d9e04@freebsd.org> <l66f3jilr3gjiqoxhnjmlydogn2e6lo7xyd5tpe3gasb6v2yby@pwrrw3r4r2aq>

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 25/10/2023 11:12, Vidar Karlsen wrote:
> On Wed, Oct 25, 2023 at 09:22:11AM +0200, Dutch Daemon - FreeBSD Forums Administrator wrote:
>> On October 24, 2023 14:54:40 DutchDaemon - FreeBSD Forums Administrator
>> <DutchDaemon@FreeBSD.org> wrote:
>>> Does anyone in 'port land' know what the current developments are wrt
>>> CertBot (or py-crypto under its hood)?
>>> CertBot is happily compiling against OpenSSL 3 from ports, but when
>>> running 'certbot', the crypto side of it talks to the base system
>>> OpenSSL 1.1.1, hence failing because the OpenSSL 1.1.1 library does not
>>> understand the OpenSSL 3 calls made to it.
>>> From what I understood, this was due to an error/regression in
>>> pkgconf(?) which causes some type of 'path reversal' that causes
>>> py-crypto to ignore the OpenSSL it was compiled against, favoring the
>>> base system library.
>>> I either have to revert a whole lot of servers back to OpenSSL 1.1.1w
>>> from ports in order to renew certificates, or wait for "any movement" in
>>> getting the path reversal addressed/fixed.
>>> So: does anyone know where we're at with this?
>>
>> Memory jog:
>>
>> Traceback (most recent call last):
>> File "/usr/local/bin/certbot", line 33, in <module>
>>    sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')())
>> File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
>>    return next(matches).load()
> [...]
>> File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py",
>> line 9, in <module>
>>    from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
>> ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
>> Undefined symbol "EVP_default_properties_is_fips_enabled"
> What solved this problem for me was to apply the v2 patch from the
> pkgconf PR 273961 [1].
>
> The next hurdle you'll probably run into [2] can be solved by running
> certbot with the following env variable:
> CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
>
> [1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273961
> [2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273656
>
> Hope this helps!

Once my current Poudriere run ends I will amend pkgconf with this and
rebuild certbot and related.

Also giving security/dehydrate and possibly acmetool a trial run to see
if certbot can be avoided.

This is not the first time I've errored out on Python errors that took
quite some time and effort to chase down and get fixed.

Thanks! That was indeed the PR that put me on the scent of pkgconf, but
I stopped tracking it because of the bickering..
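A check for the symptom in the quoted traceback, added here as an example and not code from the thread: given `ldd` output for the `_rust.abi3.so` extension it reports whether libcrypto resolved under /usr/local/lib (ports OpenSSL 3) or under the base system's /usr/lib (OpenSSL 1.1.1 on FreeBSD 13), and, following the thread's "path reversal" description, which -L directory pkgconf hands the linker first. The ldd and pkgconf output lines are constructed samples, and treating the pkgconf regression as a -L ordering problem is my assumption, not something the PR on the page confirms.

```shell
#!/bin/sh
# Added example, not code from the thread. Defender-side check for a Python
# `cryptography` extension built against the ports OpenSSL 3 but resolving
# libcrypto from the base system 1.1.1 (the undefined-symbol ImportError above).

# classify_libcrypto LDD_OUTPUT
# Prints "ports" (resolved under /usr/local/lib), "base" (/lib or /usr/lib),
# "other", or "missing" when no libcrypto line is present.
classify_libcrypto() {
    printf '%s\n' "$1" | awk '
        /libcrypto\.so/ {
            path = $3                            # "libcrypto.so.3 => /path (0x...)"
            if (path ~ /^\/usr\/local\//)        print "ports"
            else if (path ~ /^\/(usr\/)?lib\//)  print "base"
            else                                 print "other"
            found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# first_libdir PKGCONF_LIBS
# Prints the first -L directory in `pkgconf --libs openssl` output. Assumption:
# the "path reversal" the thread mentions shows up as a base directory being
# listed before /usr/local/lib, so the linker picks base libcrypto first.
first_libdir() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /^-L/) { print substr($i, 3); exit } }'
}

# Constructed samples in the shape of FreeBSD ldd output (not captured from a host).
BROKEN_LDD='/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
        libcrypto.so.111 => /usr/lib/libcrypto.so.111 (0x8012a0000)
        libc.so.7 => /lib/libc.so.7 (0x801a00000)'
FIXED_LDD='/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
        libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x8012a0000)
        libc.so.7 => /lib/libc.so.7 (0x801a00000)'

main() {
    # On a real host: ldd /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so
    for out in "$BROKEN_LDD" "$FIXED_LDD"; do
        echo "libcrypto resolves to: $(classify_libcrypto "$out")"
    done
    # On a real host: first_libdir "$(pkgconf --libs openssl)"
    echo "first -L from pkgconf: $(first_libdir '-L/usr/local/lib -lssl -lcrypto')"
}
main
```

A "base" result together with an OpenSSL-3-only symbol such as EVP_default_properties_is_fips_enabled referenced by the extension is exactly the mismatch the traceback shows; rebuilding the extension after the pkgconf fix should flip it to "ports".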

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2f429a9d-d680-4925-8b99-34575ab955e9>