Bug 239992 - security/py-certbot@py27: script crashes with traceback
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Kubilay Kocak
Keywords: needs-qa
Reported: 2019-08-20 14:54 UTC by jsmith
Modified: 2020-01-14 08:06 UTC
Description jsmith 2019-08-20 14:54:29 UTC
I recently discovered that two changes to the py27-certbot port cause the Let's Encrypt renewal script to break. The first issue is the name of the executable changed from /usr/local/bin/certbot to /usr/local/bin/certbot-2.7. This results in scripts and crontabs that call the script not finding the certbot executable.

The second, more serious, issue is running the new path of the script results in a Python traceback error and no certificates being fetched. This can be reproduced on each of my FreeBSD 11.2 machines by running "certbot renew".

The output from the crashed script indicates the error happens here:

"from pkg_resources import load_entry_point"

I found that the bug can be worked around by removing the Python 2.7 version of the Let's Encrypt certbot tool and installing the Python 3.6 version. With the updated version installed, running "/usr/local/bin/certbot renew" works.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-01-13 03:19:46 UTC
@jsmith Is this still an issue with the latest version of the port/package? If so, could you please provide:

- A full traceback as an attachment
- pkg version -v output (as an attachment)
Comment 2 jsmith 2020-01-13 15:17:34 UTC
(In reply to Kubilay Kocak from comment #1)

Since Python 2.7 is no longer supported, I think this bug can be closed. Certbot is working with Python 3, giving us a reasonable workaround.
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2020-01-14 02:46:03 UTC
(In reply to jsmith from comment #2)

Python is EoL (as of Jan 1 2020), but is in sunset with a final release still to come (April, 2020 [1]).

Nevertheless, Python 2.7 is set to be deprecated December 2020 in FreeBSD, with work taking place to upgrade, or retire unmaintained and deprecated packages in the meantime.

What this means is that if an upstream package supports 2.7 and is maintained (upstream and downstream), it still ought to work, work meaning: gets bugfixes if they are reproducible and resolvable.

Based on the description of the issue provided so far:

> The first issue is the name of the executable changed from /usr/local/bin/certbot to /usr/local/bin/certbot-2.7

This sounds like the default version of Python on that system is not 2.7. Since only the default version of Python ports/packages get canonical (not version-suffixed) script names, the lack of a certbot scriptname is intended. It is up to the administrator to either:

 - Invoke Python scripts using their script-X.Y version, OR
 - Ensure that if/when invoking <script> without a version suffix, the system's configured default Python version is the one that's expected

On the second issue:

> issue is running the new path of the script results in a Python traceback error and no certificates being fetched

If this is still an issue, in any Python version of the certbot port, a full command line invocation and traceback is what's required to isolate the issue, along with information about where exactly said command points to (if one is using 'certbot', not 'certbot-X.Y' as the invoking command).

[1] "As a final service to the community, python-dev will bundle those fixes -- and only those fixes -- into a final 2.7.18 release," the Python Foundation noted in an update. "The release date for 2.7.18 will be in April 2020, because that allows time for the release managers to complete a release candidate and final release."
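
The naming rule discussed in this thread, as an added example that is not part of the bug report or of the port: a cron wrapper that requires either the unsuffixed or an explicitly chosen version-suffixed certbot script, and on failure reports which scripts are installed and which interpreter each shebang names. The function names are hypothetical; /usr/local/bin and the 3.6 suffix are taken from the report.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical;
# nothing here is certbot's or the port's own code.

# shebang_of FILE: print the interpreter line of a script, or "unknown".
shebang_of() {
    first=
    IFS= read -r first < "$1" || :
    case $first in
        '#!'*) first=${first#'#!'}; printf '%s\n' "${first# }" ;;
        *)     printf 'unknown\n' ;;
    esac
}

# certbot_candidates DIR: list "path<TAB>interpreter" for the unsuffixed
# script and every version-suffixed one (certbot-X.Y) found in DIR.
certbot_candidates() {
    for f in "$1"/certbot "$1"/certbot-[0-9]*.[0-9]*; do
        if [ -f "$f" ] && [ -x "$f" ]; then
            printf '%s\t%s\n' "$f" "$(shebang_of "$f")"
        fi
    done
}

# resolve_certbot DIR [X.Y]: print the script to run. With X.Y the suffixed
# name is required; without it the unsuffixed name is required. On failure,
# report what is installed on stderr and return 1 so cron mails the error.
resolve_certbot() {
    want=$1/certbot${2:+-$2}
    if [ -x "$want" ]; then
        printf '%s\n' "$want"
        return 0
    fi
    {
        printf 'certbot wrapper: %s not found; installed scripts:\n' "$want"
        certbot_candidates "$1"
    } >&2
    return 1
}

# Usage in a cron wrapper (assumed layout):
#   cb=$(resolve_certbot /usr/local/bin 3.6) && exec "$cb" renew
```

The stderr listing also answers the question of where the invoked command points, since it pairs each installed script with its interpreter.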