Date: Wed, 25 Oct 2023 14:37:59 +0200
From: DutchDaemon - FreeBSD Forums Administrator <DutchDaemon@FreeBSD.org>
To: ports@freebsd.org
Subject: Re: FreeBSD 13 + CertBot + OpenSSL 3 - status?
Message-ID: <38ac50b2-3148-4f8a-9506-76023d01b332@FreeBSD.org>
In-Reply-To: <l66f3jilr3gjiqoxhnjmlydogn2e6lo7xyd5tpe3gasb6v2yby@pwrrw3r4r2aq>
References: <76713a44-1fa4-41ee-a4f9-177907e9a57f@FreeBSD.org> <18b65b654d0.2818.b36d34a15fda208b80f54b6ad54d9e04@freebsd.org> <l66f3jilr3gjiqoxhnjmlydogn2e6lo7xyd5tpe3gasb6v2yby@pwrrw3r4r2aq>
On 25/10/2023 11:12, Vidar Karlsen wrote:
> On Wed, Oct 25, 2023 at 09:22:11AM +0200, Dutch Daemon - FreeBSD Forums Administrator wrote:
>> On October 24, 2023 14:54:40 DutchDaemon - FreeBSD Forums Administrator
>> <DutchDaemon@FreeBSD.org> wrote:
>>> Does anyone in 'port land' know what the current developments are wrt
>>> CertBot (or py-crypto under its hood)?
>>> CertBot is happily compiling against OpenSSL 3 from ports, but when
>>> running 'certbot', the crypto side of it talks to the base system
>>> OpenSSL 1.1.1, hence failing because the OpenSSL 1.1.1 library does not
>>> understand the OpenSSL 3 calls made to it.
>>> From what I understood, this was due to an error/regression in
>>> pkgconf(?) which causes some type of 'path reversal' that causes
>>> py-crypto to ignore the OpenSSL it was compiled against, favoring the
>>> base system library.
>>> I either have to revert a whole lot of servers back to OpenSSL 1.1.1w
>>> from ports in order to renew certificates, or wait for "any movement" in
>>> getting the path reversal addressed/fixed.
>>> So: does anyone know where we're at with this?
>>
>> Memory jog:
>>
>> Traceback (most recent call last):
>>   File "/usr/local/bin/certbot", line 33, in <module>
>>     sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')())
>>   File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
>>     return next(matches).load()
> [...]
>>   File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py",
>> line 9, in <module>
>>     from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
>> ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
>> Undefined symbol "EVP_default_properties_is_fips_enabled"
>
> What solved this problem for me was to apply the v2 patch from the
> pkgconf PR 273961 [1].
>
> The next hurdle you'll probably run into [2] can be solved by running
> certbot with the following env variable:
> CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
>
> [1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273961
> [2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273656
>
> Hope this helps!

This patch certainly did it for me, hope it gets committed soon (if it
doesn't pose a regression hazard). I did not run into the other problem.
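A quick check for the mismatch the thread describes (the cryptography Rust binding resolving the base system libcrypto instead of the ports one), added here as an example and not code from the thread or from the FreeBSD project. It assumes the binding path from the traceback above, that base OpenSSL 1.1.1 lives under /lib or /usr/lib and ports OpenSSL 3 under /usr/local/lib; the ldd output samples are constructed.

```shell
#!/bin/sh
# Classify which libcrypto a shared object binds at run time, from ldd(1)-style
# output on stdin. Prints "base", "ports", "other" or "none".
classify_libcrypto() {
    path=$(awk '$1 ~ /^libcrypto\.so/ && $2 == "=>" { print $3; exit }')
    case "$path" in
        "")                echo none ;;
        /lib/*|/usr/lib/*) echo base ;;
        /usr/local/lib/*)  echo ports ;;
        *)                 echo other ;;
    esac
}

# Run ldd on the cryptography binding named in the traceback (path assumed;
# adjust the Python version to your install). Returns 1 when the binding
# resolves the base libcrypto, which is the mismatch the thread reports.
check_cryptography_binding() {
    so="${1:-/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so}"
    if [ ! -f "$so" ]; then
        echo "missing: $so" >&2
        return 2
    fi
    verdict=$(ldd "$so" | classify_libcrypto)
    echo "$so -> libcrypto: $verdict"
    [ "$verdict" != base ]
}

# Constructed sample ldd output: the failing case (base OpenSSL 1.1.1 picked up).
SAMPLE_BAD='/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Constructed sample ldd output: the expected case (ports OpenSSL 3 picked up;
# the soname number is illustrative).
SAMPLE_GOOD='/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
    libcrypto.so.12 => /usr/local/lib/libcrypto.so.12 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Stand-alone run: classify both samples, then the live binding if present.
printf '%s\n' "$SAMPLE_BAD"  | classify_libcrypto
printf '%s\n' "$SAMPLE_GOOD" | classify_libcrypto
check_cryptography_binding "$@" || true
```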