Date:      Wed, 25 Oct 2023 14:37:59 +0200
From:      DutchDaemon - FreeBSD Forums Administrator <DutchDaemon@FreeBSD.org>
To:        ports@freebsd.org
Subject:   Re: FreeBSD 13 + CertBot + OpenSSL 3 - status?
Message-ID:  <38ac50b2-3148-4f8a-9506-76023d01b332@FreeBSD.org>
In-Reply-To: <l66f3jilr3gjiqoxhnjmlydogn2e6lo7xyd5tpe3gasb6v2yby@pwrrw3r4r2aq>
References:  <76713a44-1fa4-41ee-a4f9-177907e9a57f@FreeBSD.org> <18b65b654d0.2818.b36d34a15fda208b80f54b6ad54d9e04@freebsd.org> <l66f3jilr3gjiqoxhnjmlydogn2e6lo7xyd5tpe3gasb6v2yby@pwrrw3r4r2aq>

On 25/10/2023 11:12, Vidar Karlsen wrote:
> On Wed, Oct 25, 2023 at 09:22:11AM +0200, Dutch Daemon - FreeBSD Forums Administrator wrote:
>> On October 24, 2023 14:54:40 DutchDaemon - FreeBSD Forums Administrator <DutchDaemon@FreeBSD.org> wrote:
>>> Does anyone in 'port land' know what the current developments are wrt
>>> CertBot (or py-crypto under its hood)?
>>> CertBot is happily compiling against OpenSSL 3 from ports, but when
>>> running 'certbot', the crypto side of it talks to the base system
>>> OpenSSL 1.1.1, hence failing because the OpenSSL 1.1.1 library does not
>>> understand the OpenSSL 3 calls made to it.
>>> From what I understood, this was due to an error/regression in
>>> pkgconf(?) which causes some type of 'path reversal' that causes
>>> py-crypto to ignore the OpenSSL it was compiled against, favoring the
>>> base system library.
>>> I either have to revert a whole lot of servers back to OpenSSL 1.1.1w
>>> from ports in order to renew certificates, or wait for "any movement" in
>>> getting the path reversal addressed/fixed.
>>> So: does anyone know where we're at with this?
>>
>> Memory jog:
>>
>> Traceback (most recent call last):
>> File "/usr/local/bin/certbot", line 33, in <module>
>>   sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')())
>> File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
>>   return next(matches).load()
> [...]
>> File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py",
>> line 9, in <module>
>>   from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
>> ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
>> Undefined symbol "EVP_default_properties_is_fips_enabled"
>
> What solved this problem for me was to apply the v2 patch from the
> pkgconf PR 273961 [1].
>
> The next hurdle you'll probably run into [2] can be solved by running
> certbot with the following env variable:
> CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
>
> [1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273961
> [2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273656
>
> Hope this helps!

This patch certainly did it for me, hope it gets committed soon
(if it doesn't pose a regression hazard). I did not run into the
other problem.
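The failure discussed in this thread is a link-time mismatch: the `cryptography` extension module was built against the ports OpenSSL 3 but the runtime linker resolved `libcrypto` from the base system 1.1.1, so a symbol that only exists in 3.x (`EVP_default_properties_is_fips_enabled`) is undefined. The following diagnostic is an added example, not code from the thread, from certbot, from pyca/cryptography or from the FreeBSD ports tree. It parses `ldd` output for the module and reports any `libcrypto`/`libssl` that resolves outside the prefix the module was supposed to be built against, and optionally asks the imported `cryptography` backend which OpenSSL it actually loaded. The sample `ldd` output, the module path and the two prefixes (`/usr/lib` for base, `/usr/local/lib` for ports) are assumptions for illustration; the `backend.openssl_version_text()` call is assumed to exist in the installed `cryptography` version.

```python
"""Diagnose which libcrypto a Python extension module actually binds to.

Added example (not from the mailing-list thread, certbot or cryptography).
The ldd output below is constructed to show the symptom from the thread: the
ports-built _rust.abi3.so resolving libcrypto/libssl from the base system.
"""
import re
import subprocess
from pathlib import Path
from typing import Dict, List, Optional

BASE_PREFIX = "/usr/lib"          # assumed: FreeBSD base-system OpenSSL
PORTS_PREFIX = "/usr/local/lib"   # assumed: security/openssl from ports/pkg

# Constructed sample of `ldd` output for the module named in the thread.
SAMPLE_LDD_OUTPUT = """\
/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
        libssl.so.111 => /usr/lib/libssl.so.111 (0x80126a000)
        libcrypto.so.111 => /usr/lib/libcrypto.so.111 (0x801400000)
        libthr.so.3 => /lib/libthr.so.3 (0x801000000)
        libc.so.7 => /lib/libc.so.7 (0x801800000)
"""

# One resolved dependency line: "<soname> => <path> (<load address>)".
_LDD_LINE = re.compile(r"^\s*(?P<soname>\S+)\s*=>\s*(?P<path>\S+)")


def parse_ldd(output: str) -> Dict[str, str]:
    """Map each resolved soname to the path the runtime linker chose."""
    resolved: Dict[str, str] = {}
    for line in output.splitlines():
        m = _LDD_LINE.match(line)
        if m:
            resolved[m.group("soname")] = m.group("path")
    return resolved


def crypto_mismatches(resolved: Dict[str, str],
                      expected_prefix: str = PORTS_PREFIX) -> List[str]:
    """Findings for libcrypto/libssl resolved outside expected_prefix.

    An empty list means every OpenSSL library the module loads comes from
    the prefix it was built against.
    """
    findings = []
    for soname, path in resolved.items():
        if not (soname.startswith("libcrypto") or soname.startswith("libssl")):
            continue
        if not path.startswith(expected_prefix + "/"):
            findings.append(f"{soname} resolves to {path}, not under {expected_prefix}")
    return findings


def check_module(module_path: str,
                 expected_prefix: str = PORTS_PREFIX) -> Optional[List[str]]:
    """Run ldd on a real module; None when the module or ldd is unavailable."""
    if not Path(module_path).exists():
        return None
    try:
        out = subprocess.run(["ldd", module_path], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return crypto_mismatches(parse_ldd(out), expected_prefix)


def loaded_openssl_version() -> Optional[str]:
    """OpenSSL version string reported by the cryptography backend, or None.

    An ImportError here includes the "Undefined symbol" case from the thread,
    since that is how a failed dlopen of _rust.abi3.so surfaces in Python.
    """
    try:
        from cryptography.hazmat.backends.openssl.backend import backend
        return backend.openssl_version_text()
    except (ImportError, AttributeError):
        return None


if __name__ == "__main__":
    for finding in crypto_mismatches(parse_ldd(SAMPLE_LDD_OUTPUT)):
        print("sample:", finding)
    # Assumed module path from the thread's traceback; adjust for your host.
    live = check_module("/usr/local/lib/python3.9/site-packages/"
                        "cryptography/hazmat/bindings/_rust.abi3.so")
    print("live ldd findings:", live)
    print("cryptography reports:", loaded_openssl_version())
```

On an affected host the live `ldd` findings name `libcrypto`/`libssl` under `/usr/lib` while `pkg info` says the module was built against the ports OpenSSL; after the pkgconf fix from the thread is applied and `py-cryptography` is rebuilt, both should point into `/usr/local/lib` and `loaded_openssl_version()` should report a 3.x string.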
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?38ac50b2-3148-4f8a-9506-76023d01b332>