certbot fails - LibreSSL suspected

[kjpetrie]

In the last few days of March, Lets Encrypt introduced a new field into their certificates which is not recognised by LibreSSL, only by OpenSSL. This means renewal of certificates issued since then can fail with security/py-certbot on FreeBSD, because it cannot parse the certificate correctly to communicate with Let's Encrypt's server. See My posts on the Let's Encrypt forum for more details.

Is it possible to use the native OpenSSL with certbot and, if so, how could that be done?

 

[SirDice]

Looking at the port itself it seems to use whatever SSL you have set with DEFAULT_VERSIONS.

 

[kjpetrie]

I've changed the setting in ports-mgmt/poudriere configuration file from "ssl=libressl" to "ssl=openssl", but it's still not using the native OpenSSL. Rather it installed security/py-openssl instead (or is that a wrapper for the native library?)

Still, it's fixed the problem in that I could now renew my certificate.

I've also made a bug report against security/libressl.

 

[SirDice]

At a quick glance it looks like certbot simply depends on py-openssl and it's the latter that's actually linked to LibreSSL or OpenSSL.