Bug 273656 - security/py-certbot: needs export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 in ${LOCALBASE}/etc/periodic/weekly/500.certbot-3.9 on systems with OpenSSL 3
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-python (Nobody)
URL: https://www.freshports.org/security/p...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-09-09 15:01 UTC by Trond Endrestøl
Modified: 2023-11-20 16:34 UTC (History)
CC List: 5 users

See Also:
Flags: bugzilla: maintainer-feedback? (python)

Attachments
Patch for security/py-certbot/files/500.certbot.in (819 bytes, patch)
2023-09-11 16:23 UTC, Trond Endrestøl

Description Trond Endrestøl 2023-09-09 15:01:11 UTC
System is stable/14 as of today. OpenSSL comes from base. Installed version is py39-certbot-2.6.0,1 built from ports.

# certbot renew --standalone

Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')())
  File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load
    module = import_module(match.group('module'))
  File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 21, in <module>
    import josepy as jose
  File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py", line 40, in <module>
    from josepy.json_util import (
  File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 14, in <module>
    from OpenSSL import crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module>
    from OpenSSL._util import (
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 167, in <module>
    Binding.init_static_locks()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 134, in init_static_locks
    cls._ensure_ffi_initialized()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 123, in _ensure_ffi_initialized
    _legacy_provider_error(cls._legacy_provider_loaded)
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 43, in _legacy_provider_error
    raise RuntimeError(
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.
Comment 1 Trond Endrestøl 2023-09-11 16:23:58 UTC
Created attachment 244772 [details]
Patch for security/py-certbot/files/500.certbot.in
Comment 2 Weldon Godfrey 2023-09-14 20:24:25 UTC
I have the same issue with py39-certbot-2.6.0,1 running on releng/14.0-n265061-5e5854520ee (14.0-BETA1)
Comment 3 Franco Fichtner 2023-11-20 14:08:11 UTC
It appears that crypto parts of Python simply require legacy.so to be present for OpenSSL 3 by default. In security/openssl that is the LEGACY option, which is also off by default.

Should each Python port be modified to add CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1?

The comment in the patch is misleading: "If you did not expect this error, you have likely made a mistake with your OpenSSL configuration."
Cheers,
Franco
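As an added example, and not the port's own 500.certbot.in script nor the attached patch: a POSIX sh wrapper of the kind a periodic(8) weekly job could call, which sets CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 only when the system OpenSSL is a 3.x release, and runs an import preflight on the exact cryptography binding that raised in the traceback above before certbot spends a renewal attempt. The function names, the choice to key the export on the `openssl version` string, and the "renew" argument convention are assumptions of this example; the real periodic.conf knobs of the port are not shown on this page and are left out.

```shell
#!/bin/sh
# Added example (not the py-certbot port's 500.certbot script): a wrapper that
# applies the CRYPTOGRAPHY_OPENSSL_NO_LEGACY workaround for OpenSSL 3 and
# checks that py-cryptography can initialise OpenSSL before calling certbot.
# All function names below are assumptions made for this illustration.

# Decide from an `openssl version` string (e.g. "OpenSSL 3.0.12 24 Oct 2023")
# whether this is OpenSSL 3.x, where py-cryptography insists on the legacy
# provider unless CRYPTOGRAPHY_OPENSSL_NO_LEGACY is set.  Returns 0 if so.
needs_no_legacy() {
    case "$1" in
        "OpenSSL 3."*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Export the workaround only where it is needed.  Exporting (rather than
# prefixing one command) matters because certbot forks Python deploy/pre/post
# hooks that would otherwise hit the same RuntimeError.
configure_crypto_env() {
    if needs_no_legacy "$1"; then
        CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
        export CRYPTOGRAPHY_OPENSSL_NO_LEGACY
    else
        unset CRYPTOGRAPHY_OPENSSL_NO_LEGACY
    fi
}

# Preflight: import the binding module from the traceback with the current
# environment.  Exit status is python's, so a provider problem surfaces here,
# loudly, instead of inside an unattended renewal.
crypto_preflight() {
    "${1:-python3}" -c 'import cryptography.hazmat.bindings.openssl.binding'
}

# Entry point a periodic script would call (assumed interface).  Extra
# arguments are passed through to certbot.
run_certbot_renew() {
    configure_crypto_env "$(openssl version 2>/dev/null)"
    if ! crypto_preflight; then
        echo "certbot renewal skipped: cryptography cannot initialise OpenSSL" >&2
        return 2
    fi
    certbot renew --standalone "$@"
}

# Run only when invoked as "script renew ...", so the functions above can also
# be sourced from another script without side effects.
if [ "${1:-}" = renew ]; then
    shift
    run_certbot_renew "$@"
fi
```

Sourcing the file from a periodic script and calling run_certbot_renew keeps the export scoped to that job rather than to the whole system environment, which is the narrower of the two options raised in comment 3 (per-port workaround versus changing security/openssl).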
Comment 4 Trond Endrestøl 2023-11-20 16:16:42 UTC
(In reply to Franco Fichtner from comment #3)
I copied certbot's error message verbatim just to give sufficient context.
Comment 5 Franco Fichtner 2023-11-20 16:34:04 UTC
The error is from py-cryptography and appears to refer to a FreeBSD-specific setup of OpenSSL in base and ports alike that the user did not make a mistake with:

https://cryptography.io/en/latest/openssl/#legacy-provider-in-openssl-3-x

It might be better to fix it at the source port.  A lot of ports depend on it and that would be an uphill battle.

python@ is subscribed. I don't mean to hijack this PR but I couldn't find another one yet and I didn't want to create one myself for the same topic.
Cheers,
Franco