If I run certbot on 15-CURRENT amd64, run-time error happens as following. yasu@rolling-vm-freebsd5[1004]% uname -a FreeBSD rolling-vm-freebsd5.home.utahime.org 15.0-CURRENT FreeBSD 15.0-CURRENT amd64 1500000 #0 main-n265240-16218618101: Tue Sep 12 05:16:41 JST 2023 rootz@rolling-vm-freebsd5.home.utahime.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64 yasu@rolling-vm-freebsd5[1005]% certbot Traceback (most recent call last): File "/usr/local/bin/certbot", line 33, in <module> sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')()) File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point return next(matches).load() File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load module = import_module(match.group('module')) File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "<frozen importlib._bootstrap>", line 1030, in _gcd_import File "<frozen importlib._bootstrap>", line 1007, in _find_and_load File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked File "<frozen importlib._bootstrap>", line 680, in _load_unlocked File "<frozen importlib._bootstrap_external>", line 850, in exec_module File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in <module> from certbot._internal import main as internal_main File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 21, in <module> import josepy as jose File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py", line 40, in <module> from josepy.json_util import ( File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 14, in <module> from OpenSSL import crypto File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module> from OpenSSL import SSL, crypto File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module> from OpenSSL._util import ( File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module> from cryptography.hazmat.bindings.openssl.binding import Binding File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 167, in <module> Binding.init_static_locks() File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 134, in init_static_locks cls._ensure_ffi_initialized() File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 123, in _ensure_ffi_initialized _legacy_provider_error(cls._legacy_provider_loaded) File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 43, in _legacy_provider_error raise RuntimeError( RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration. yasu@rolling-vm-freebsd5[1006]% And different run-time error happens if I install certbot with 'DEFAULT_VERSIONS+=ssl=openssl30' and run it on 13.2-RELEASE amd64. yasu@rolling-vm-freebsd6[1002]% uname -a FreeBSD rolling-vm-freebsd6.home.utahime.org 13.2-RELEASE-p3 FreeBSD 13.2-RELEASE-p3 GENERIC amd64 yasu@rolling-vm-freebsd6[1003]% certbot Traceback (most recent call last): File "/usr/local/bin/certbot", line 33, in <module> sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')()) File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point return next(matches).load() File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load module = import_module(match.group('module')) File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "<frozen importlib._bootstrap>", line 1030, in _gcd_import File "<frozen importlib._bootstrap>", line 1007, in _find_and_load File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked File "<frozen importlib._bootstrap>", line 680, in _load_unlocked File "<frozen importlib._bootstrap_external>", line 850, in exec_module File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in <module> from certbot._internal import main as internal_main File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 21, in <module> import josepy as jose File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py", line 40, in <module> from josepy.json_util import ( File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 14, in <module> from OpenSSL import crypto File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module> from OpenSSL import SSL, crypto File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module> from OpenSSL._util import ( File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module> from cryptography.hazmat.bindings.openssl.binding import Binding File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 15, in <module> from cryptography.exceptions import InternalError File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py", line 9, in <module> from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: Undefined symbol "EVP_default_properties_is_fips_enabled" yasu@rolling-vm-freebsd6[1004]%
See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254853#c98
I have this issue too while running certbot File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py", line 9, in <module> from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: Undefined symbol "EVP_default_properties_is_fips_enabled" $ ldd /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: libssl.so.111 => /usr/lib/libssl.so.111 (0x16975c81e000) libcrypto.so.111 => /lib/libcrypto.so.111 (0x16975cbc1000) libthr.so.3 => /lib/libthr.so.3 (0x16975cff9000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x16975da66000) libc.so.7 => /lib/libc.so.7 (0x16975a111000) Even though $ cat /etc/make.conf DEFAULT_VERSIONS+=ssl=openssl31
(In reply to Yasuhiro Kimura from comment #0) On 15-CURRENT the error is fixed fix base 1a18383a52bc. (In reply to Andrey Pevnev from comment #2) I applied attachment 245049 [details] of bug #273961 to ports tree and now _rust.abi3.so is correctly linked with libcrypto.so and libssl.so from security/openssl30 port. yasu@rolling-vm-freebsd5[1009]% ldd /usr0/freebsd/ports/work/usr/ports/security/py-cryptography/work-py39/stage/usr/local/lib /python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so /usr0/freebsd/ports/work/usr/ports/security/py-cryptography/work-py39/stage/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: libssl.so.12 => /usr/local/lib/libssl.so.12 (0x288ee7fb5000) libcrypto.so.12 => /usr/local/lib/libcrypto.so.12 (0x288ee8b8a000) libthr.so.3 => /lib/libthr.so.3 (0x288eea308000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x288ee9f88000) libc.so.7 => /lib/libc.so.7 (0x288ee3a23000) yasu@rolling-vm-freebsd5[1010]% But runtime error still happens and it changes to the one that is same as 15-CURRENT before base 1a18383a52bc.
On 13.2-RELEASE-p4 FreeBSD seems facing this issue as well. Does the base needs to be fixed as well for 13.2 ? Thank you.
(In reply to B.K. from comment #4) 13.2 needs to link to the right libraries, for start. I see solo% ldd /usr/local/lib/python3.11/site-packages/cryptography/hazmat/bindings/_rust.abi3.so /usr/local/lib/python3.11/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: libssl.so.111 => /usr/local/lib/compat/libssl.so.111 (0x801484000) libcrypto.so.111 => /usr/local/lib/compat/libcrypto.so.111 (0x8020b6000) libthr.so.3 => /lib/libthr.so.3 (0x80151b000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x801549000) libc.so.7 => /lib/libc.so.7 (0x801083000) while EVP_default_properties_is_fips_enabled is 3.0 symbol. I have ssl=openssl in make.conf for pourdriere.
Now at this time - FreeBSD 13.2. everything is installed from the latest ports. # certbot Traceback (most recent call last): File "/usr/local/bin/certbot", line 33, in <module> sys.exit(load_entry_point('certbot==2.7.4', 'console_scripts', 'certbot')()) File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point return next(matches).load() File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load module = import_module(match.group('module')) File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "<frozen importlib._bootstrap>", line 1030, in _gcd_import File "<frozen importlib._bootstrap>", line 1007, in _find_and_load File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked File "<frozen importlib._bootstrap>", line 680, in _load_unlocked File "<frozen importlib._bootstrap_external>", line 850, in exec_module File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in <module> from certbot._internal import main as internal_main File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 21, in <module> import josepy as jose File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py", line 40, in <module> from josepy.json_util import ( File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 14, in <module> from OpenSSL import crypto File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module> from OpenSSL import SSL, crypto File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module> from OpenSSL._util import ( File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module> from cryptography.hazmat.bindings.openssl.binding import Binding File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 15, in <module> from cryptography.exceptions import InternalError File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py", line 9, in <module> from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: Undefined symbol "EVP_default_properties_is_fips_enabled"
ssl=openssl does not work for many important ports. Short list from my w/s gstreamer1-plugins-bad is missing a required shared library: libcrypto.so.111 gstreamer1-plugins-good is missing a required shared library: libcrypto.so.111 hexchat is missing a required shared library: libssl.so.111 libevent is missing a required shared library: libssl.so.111 libevent is missing a required shared library: libcrypto.so.111 libnice is missing a required shared library: libcrypto.so.111 pkg is missing a required shared library: libssl.so.111 pkg is missing a required shared library: libcrypto.so.111 poudriere is missing a required shared library: libcrypto.so.111 pulseaudio is missing a required shared library: libcrypto.so.111 py311-cryptography is missing a required shared library: libssl.so.111 py311-cryptography is missing a required shared library: libcrypto.so.111 wavpack is missing a required shared library: libcrypto.so.111
Temporary... # cd /usr/ports/devel/py-pip/ && make install clean # pip install "cryptography==40.0.2" if you roll back cryptography lo 40.0.2 - then cerbot works - perhaps something was done in the fips check
(In reply to Konstantin Belousov from comment #7) I have so: make.conf DEFAULT_VERSIONS+=ssl=openssl DEFAULT_VERSIONS+=perl5=5.36 DEFAULT_VERSIONS+=python=3.9 python3=3.9 Doesn't it work if you rebuild with the latest fresh ports?
Use this workaround: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273961#c58 Or this patch: https://bz-attachments.freebsd.org/attachment.cgi?id=245049 Or both :) But for me it does not link with libressl 3.8.2 - need changes from upstream (py-cryptography) to support 3.8x. With libressl 3.7 - ok.
Certbot works now for me on FreeBSD 13.2 with today's ports. However, I had to manually rebuild security/py-cryptography.
@c(In reply to Dmitry from comment #8) Thank you, reverting back to cryptography-40.0.2 works. I was hoping that latest cryptography 41.0.7 would help but it did not.
With py39-cryptography-41.0.4,1 on 14.0-RELEASE-p4 With "DEFAULT_VERSIONS+=ssl=openssl": --- <exception caught here> --- File "/usr/local/lib/python3.9/site-packages/twisted/application/app.py", line 446, in getApplication application = service.loadApplication(filename, style, passphrase) File "/usr/local/lib/python3.9/site-packages/twisted/application/service.py", line 404, in loadApplication application = sob.loadValueFromFile(filename, "application") File "/usr/local/lib/python3.9/site-packages/twisted/persisted/sob.py", line 177, in loadValueFromFile eval(codeObj, d, d) File "<private>", line 2, in <module> from twisted.internet import protocol, ssl File "/usr/local/lib/python3.9/site-packages/twisted/internet/ssl.py", line 60, in <module> from OpenSSL import SSL File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module> from OpenSSL import SSL, crypto File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module> from OpenSSL._util import ( File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module> from cryptography.hazmat.bindings.openssl.binding import Binding File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 15, in <module> from cryptography.exceptions import InternalError File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py", line 9, in <module> from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions builtins.ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: Undefined symbol "FIPS_mode" Failed to load application: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: Undefined symbol "FIPS_mode"
(In reply to Yasuhiro Kimura from comment #3) I have the referenced base change and it doesn't help me.
When I switch from openssl111 to openssl30 then it works as expected. Is a fix to openssl111 missing? /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: libssl.so.12 => /usr/local/lib/libssl.so.12 (0xc907a9b5000) libcrypto.so.12 => /usr/local/lib/libcrypto.so.12 (0xc907c90f000)
I think my problem (on 2023Q4) is actually https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273961 # pkg-config openssl --libs --path /usr/libdata/pkgconfig/openssl.pc Comparing the logs of a working py39-cryptography the working one has a proper `-L native=/usr/local/lib` in the openssl_sys crate build lines. So ignore my updates.