Solved certbot does not work : OpenSSL 3.0's legacy provider failed to load

Code:
root@videotron:/usr/ports/security/openssl # @CRYPTOGRAPHY_OPENSSL_NO_LEGACY
@CRYPTOGRAPHY_OPENSSL_NO_LEGACY: Command not found.
root@videotron:/usr/ports/security/openssl # setenv CRYPTOGRAPHY_OPENSSL_NO_LEGACY=yes ; certbot
setenv: Variable name must contain alphanumeric characters.
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.8.0', 'console_scripts', 'certbot')())
  File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load
    module = import_module(match.group('module'))
  File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 21, in <module>
    import josepy as jose
  File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py", line 40, in <module>
    from josepy.json_util import (
  File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 24, in <module>
    from OpenSSL import crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module>
    from OpenSSL._util import (
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 167, in <module>
    Binding.init_static_locks()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 134, in init_static_locks
    cls._ensure_ffi_initialized()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 123, in _ensure_ffi_initialized
    _legacy_provider_error(cls._legacy_provider_loaded)
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 43, in _legacy_provider_error
    raise RuntimeError(
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.
root@videotron:/usr/ports/security/openssl # setenv CRYPTOGRAPHY_OPENSSL_NO_LEGACY=yes ; certbot
setenv: Variable name must contain alphanumeric characters.
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.8.0', 'console_scripts', 'certbot')())
  File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load
    module = import_module(match.group('module'))
  File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 21, in <module>
    import josepy as jose
  File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py", line 40, in <module>
    from josepy.json_util import (
  File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 24, in <module>
    from OpenSSL import crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module>
    from OpenSSL._util import (
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 167, in <module>
    Binding.init_static_locks()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 134, in init_static_locks
    cls._ensure_ffi_initialized()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 123, in _ensure_ffi_initialized
    _legacy_provider_error(cls._legacy_provider_loaded)
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 43, in _legacy_provider_error
    raise RuntimeError(
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.
root@videotron:/usr/ports/security/openssl #
 
I assume this is with 14.0?

You have two options:

1. Reinstall certbot: Using a 13.X package on a 14.X or 15-CURRENT system will result in this error. Alternatively you can rebuild the port (make && make deinstall install clean).

2. You can configure openssl.cnf to load the legacy provider by default. But the caveat here is you will re-enable legacy (read that as vulnerable or unsafe) crypto for everything, reverting back to unsafe ciphers.

You could probably do option two in order to get over the hump, but you'd need to upgrade your packages sooner than later anyway.
 
Still does not work

PROOF:
Code:
root@videotron:~ # pkg search certbot
py39-certbot-2.8.0,1           Let's Encrypt client
py39-certbot-apache-2.8.0      Apache plugin for Certbot
py39-certbot-dns-cloudflare-2.8.0 Cloudflare DNS plugin for Certbot
py39-certbot-dns-cpanel-0.4.0  CPanel DNS Authenticator plugin for Certbot
py39-certbot-dns-digitalocean-2.8.0 DigitalOcean DNS Authenticator plugin for Certbot
py39-certbot-dns-dnsimple-2.8.0 DNSimple DNS Authenticator plugin for Certbot
py39-certbot-dns-dnsmadeeasy-2.8.0 DNS Made Easy DNS Authenticator plugin for Certbot
py39-certbot-dns-gandi-1.4.3   Gandi LiveDNS plugin for Certbot
py39-certbot-dns-gehirn-2.8.0  Gehirn Infrastructure Service DNS Authenticator plugin for Certbot
py39-certbot-dns-google-2.8.0  Google Cloud DNS Authenticator plugin for Certbot
py39-certbot-dns-linode-2.8.0  Linode DNS Authenticator plugin for Certbot
py39-certbot-dns-luadns-2.8.0  LuaDNS Authenticator plugin for Certbot
py39-certbot-dns-nsone-2.8.0   NS1 DNS Authenticator plugin for Certbot
py39-certbot-dns-ovh-2.8.0     OVH DNS Authenticator plugin for Certbot
py39-certbot-dns-powerdns-0.2.1 PowerDNS DNS Authenticator plugin for Certbot
py39-certbot-dns-rfc2136-2.8.0 RFC 2136 DNS Authenticator plugin for Certbot
py39-certbot-dns-route53-2.8.0 Route53 DNS Authenticator plugin for Certbot
py39-certbot-dns-sakuracloud-2.8.0 Sakura Cloud DNS Authenticator plugin for Certbot
py39-certbot-dns-standalone-1.1 Standalone DNS Authenticator plugin for Certbot
py39-certbot-nginx-2.8.0       NGINX plugin for Certbot
root@videotron:~ # pkg install py39-certbot-2.8.0,1
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
root@videotron:~ # pkg install -f py39-certbot-2.8.0,1
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
pkg: py38-ldap has a missing dependency: openldap-client
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
        py39-certbot-2.8.0,1

Number of packages to be reinstalled: 1

Proceed with this action? [y/N]: y
[1/1] Reinstalling py39-certbot-2.8.0,1...
[1/1] Extracting py39-certbot-2.8.0,1: 100%
root@videotron:~ # certbot
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.8.0', 'console_scripts', 'certbot')())
  File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load
    module = import_module(match.group('module'))
  File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 21, in <module>
    import josepy as jose
  File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py", line 40, in <module>
    from josepy.json_util import (
  File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 24, in <module>
    from OpenSSL import crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module>
    from OpenSSL._util import (
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 167, in <module>
    Binding.init_static_locks()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 134, in init_static_locks
    cls._ensure_ffi_initialized()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 123, in _ensure_ffi_initialized
    _legacy_provider_error(cls._legacy_provider_loaded)
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 43, in _legacy_provider_error
    raise RuntimeError(
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.
root@videotron:~ #
Alternatively you can rebuild the port (make && make deinstall install clean).
Make and Deinstall do not work

2. You can configure openssl.cnf to load the legacy provider by default. But the caveat here is you will re-enable legacy (read that as vulnerable or unsafe) crypto for everything, reverting back to unsafe ciphers.


The option is not to load the legacy provider by default but rather to disable the legacy provider by default.
 
setenv: Variable name must contain alphanumeric characters.
Code:
% setenv TESTME=fred
setenv: Variable name must contain alphanumeric characters.
% setenv TESTME fred
%
Don't know anything about the actual problem (or even what setenv does), but there's an error that might need to be addressed?
 
Code:
% setenv TESTME=fred
setenv: Variable name must contain alphanumeric characters.
% setenv TESTME fred
%
Don't know anything about the actual problem (or even what setenv does), but there's an error that might need to be addressed?
It does not solve the issue, however, but yes, thank you. I wrote set env CRYPTOGRAPHY_OPENSSL_NO_LEGACY and do not understand enough about it either, but certbot still does not work...
 
Thank you Darius again, the solution is as follows:

vi /usr/local/bin/certbot

after import sys:
import os
os.environ['CRYPTOGRAPHY_OPENSSL_NO_LEGACY'] = '1'
 
sixpiece Knock it off with the all caps and big bold fonts. It's super rude.

With the C shells it's setenv CRYPTOGRAPHY_OPENSSL_NO_LEGACY 1; for the Bourne (and compatible) shells, export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
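
An added example, not written by any poster in this thread: a POSIX sh helper that sets CRYPTOGRAPHY_OPENSSL_NO_LEGACY for a single command through env(1), which works the same when typed from csh or sh and avoids editing the package-managed /usr/local/bin/certbot, a file that a package reinstall replaces. The function names are made up for this example, and the provider probe assumes an OpenSSL 3.x command-line tool.

```sh
#!/bin/sh
# Added example: scope CRYPTOGRAPHY_OPENSSL_NO_LEGACY to one command and
# check what the environment and the OpenSSL CLI actually provide.
# Function names are hypothetical; the variable name is from the thread.

VAR=CRYPTOGRAPHY_OPENSSL_NO_LEGACY

# True only if the variable is really exported to child processes.
# After the rejected `setenv NAME=value` form it is not, so this fails.
no_legacy_is_exported() {
    env | grep -q "^${VAR}="
}

# Run "$@" with the variable set for that one process only. env(1) is an
# external program, so the same command line works from csh/tcsh and sh.
run_without_legacy() {
    env "${VAR}=1" "$@"
}

# Report whether the OpenSSL CLI can load the legacy provider.
# Assumes OpenSSL 3.x; older tools lack `list -providers` and report
# not-loadable.
legacy_provider_status() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "no-openssl"
    elif openssl list -providers -provider legacy >/dev/null 2>&1; then
        echo "loadable"
    else
        echo "not-loadable"
    fi
}

# When called with a command (e.g. certbot renew), print the findings to
# stderr and run the command with the variable set.
if [ "$#" -gt 0 ]; then
    if no_legacy_is_exported; then
        echo "${VAR} is already exported in this shell" >&2
    fi
    echo "legacy provider: $(legacy_provider_status)" >&2
    run_without_legacy "$@"
fi
```

Because the variable is set only in the child process, legacy algorithms stay disabled for that command and nothing changes in openssl.cnf for other software on the host.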
 
Ok thank you for the clarification, I am sorry and didn't mean to be rude, I was attempting to make my post more readable and clear. Thank you Richard as well.
 
I was attempting to make my post more readable and clear.
Writing in all caps is akin to shouting, and in this case it was more like screaming. Please don't do that, it's not going to help you state your case.
 