certbot ImportError: cannot import name 'x509' from 'cryptography.hazmat.bindings._rust'

Hello.
I'm trying to renew my current certificates.
My system is FreeBSD 12.3-RELEASE-p7 amd64.
My software versions:
Code:
rust-1.63.0 = up-to-date with index
py39-certbot-1.31.0,1 = up-to-date with index
py39-cryptography-38.0.1 = up-to-date with index
py39-josepy-1.13.0 = up-to-date with index
py39-openssl-20.0.1,1 = up-to-date with index
I'm running certificate updates.
Code:
# certbot -q renew --allow-subset-of-names
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.31.0', 'console_scripts', 'certbot')())
  File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load
    module = import_module(match.group('module'))
  File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 19, in <module>
    import josepy as jose
  File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py", line 40, in <module>
    from josepy.json_util import (
  File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 14, in <module>
    from OpenSSL import crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/crypto.py", line 14, in <module>
    from cryptography import utils, x509
  File "/usr/local/lib/python3.9/site-packages/cryptography/x509/__init__.py", line 6, in <module>
    from cryptography.x509 import certificate_transparency
  File "/usr/local/lib/python3.9/site-packages/cryptography/x509/certificate_transparency.py", line 10, in <module>
    from cryptography.hazmat.bindings._rust import x509 as rust_x509
ImportError: cannot import name 'x509' from 'cryptography.hazmat.bindings._rust' (unknown location)
Same error on the system, FreeBSD 13.1-RELEASE-p2 amd64.
How to fix?
 
You may have multiple python versions on your box; regardless, do ensure that your pkgs are all up-to-date. Do try to upgrade all.
 
certbot is shit
it has 403423 dependencies and breaks from time to time
use acme.sh
Code:
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 28 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
    libffi33: 3.3_2
    py39-acme: 1.31.0,1
    py39-certbot: 1.31.0,1
    py39-certifi: 2022.6.15
    py39-cffi: 1.15.1
    py39-charset-normalizer: 2.1.1
    py39-configargparse: 1.5.3
    py39-configobj: 5.0.6_1
    py39-cryptography: 3.4.8
    py39-distro: 1.7.0
    py39-idna: 3.3
    py39-josepy: 1.13.0
    py39-openssl: 20.0.1,1
    py39-parsedatetime: 2.6
    py39-pycparser: 2.21
    py39-pyrfc3339: 1.1
    py39-pysocks: 1.7.1
    py39-pytz: 2022.2.1,1
    py39-requests: 2.28.1
    py39-requests-toolbelt: 0.9.1_1
    py39-setuptools: 63.1.0
    py39-six: 1.16.0
    py39-urllib3: 1.26.12,1
    py39-zope.component: 4.2.2
    py39-zope.event: 4.1.0
    py39-zope.interface: 5.3.0
    python39: 3.9.14

Installed packages to be UPGRADED:
    libffi: 3.3_1 -> 3.4.2

Number of packages to be installed: 27
Number of packages to be upgraded: 1

The process will require 144 MiB more space.
21 MiB to be downloaded.

Proceed with this action? [y/N]: ^C
[root@hpbsd]# pkg install acme.sh
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
    acme.sh: 3.0.4
    socat: 1.7.4.3

Number of packages to be installed: 2

The process will require 2 MiB more space.
367 KiB to be downloaded.

Proceed with this action? [y/N]:
 
It seems that building security/py-cryptography with Rust would solve the issue. There is a patch (waiting for maintainer-feedback) in PR security/py-cryptography: Update to 37.0.2 to [patch] update to 38.0.1 with rust build.

Not sure how this will be received by the port maintainer, taking the following into account:

Osiris October 10, 2022, 7:01pm #6

The dependency on cryptography.hazmat.bindings._rust.x509 was added in cryptography-35.0.0.

However, it seems FreeBSD compiles cryptography without the Rust modules.

So ultimately this is, I think, a decision of the FreeBSD ports (?) team not wanting to use Rust, whereas that is not optional any longer. Back in 3.4.8 there was a CRYPTOGRAPHY_DONT_BUILD_RUST option, which has been removed from cryptography apparently. And the FreeBSD ports (?) team just hacked away further at the setup.py so it doesn't require Rust. Except that has grave consequences if a module requiring Rust is required elsewhere in cryptography, essentially breaking it.

Probably the changes must be reverted requiring Rust.
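A preflight check for the failure discussed in this thread, as an added example that is not part of any post or of certbot itself: it walks the import chain from the traceback lowest layer first and reports the first broken one, so a quiet `certbot -q renew` run from cron does not fail unnoticed until certificates expire. The function name and the injectable `importer` parameter are hypothetical choices made for this example.

```python
import importlib
import sys

# Import chain taken from the traceback in this thread, lowest layer first.
# Each entry: (module to import, name that must be importable from it, or None).
CHAIN = [
    ("cryptography.hazmat.bindings._rust", "x509"),
    ("cryptography.x509", None),
    ("OpenSSL.crypto", None),
    ("josepy", None),
    ("certbot", None),
]


def _has_name(mod, modname, attr, importer):
    """Mirror `from modname import attr`: attribute first, then submodule."""
    if hasattr(mod, attr):
        return True
    try:
        importer(f"{modname}.{attr}")
        return True
    except ImportError:
        return False


def first_broken_layer(chain=CHAIN, importer=importlib.import_module):
    """Return (module, reason) for the lowest failing layer, or None if all load."""
    for modname, attr in chain:
        try:
            mod = importer(modname)
        except ImportError as exc:  # includes ModuleNotFoundError
            return modname, f"{type(exc).__name__}: {exc}"
        if attr is not None and not _has_name(mod, modname, attr, importer):
            return modname, f"cannot import name {attr!r} (built without the Rust modules?)"
    return None


if __name__ == "__main__":
    broken = first_broken_layer()
    if broken:
        # Non-zero exit so a cron wrapper or monitoring job can alert.
        print(f"renewal preflight failed at {broken[0]}: {broken[1]}", file=sys.stderr)
        sys.exit(1)
    print("import chain OK")
```

Run it with the same interpreter that `/usr/local/bin/certbot` uses, since a box with several Python versions can have a working chain under one and a broken chain under another.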
 
What is rust for?
Of the ports, it is difficult to assemble it on the server.
Having fresh, fast hardware, it will take 30-40 minutes to assemble from rust ports.
Pretty heavy for a server.
 
Probably the changes must be reverted requiring Rust.
That's what happened, Rust dependency will be added to fix the issue in PR security/py-certbot broken in v 1.31.0,1.

Rich (BB code):
Guido Falsi freebsd_committer 2022-10-11 15:55:07 UTC   Comment 15

Since I was needing ansible, I tested applying bug #254853 proposed patch (plus a
PORTREVISION bump) and can confirm it works fine and fixes the issue.

I'll add that bug here as a dependency, since it actually fixes the issue.

Proposed patch from bug #254853 is the one linked in post # 7 in this thread.
 
What is rust for?
Of the ports, it is difficult to assemble it on the server.
Having fresh, fast hardware, it will take 30-40 minutes to assemble from rust ports.
Pretty heavy for a server.

Oh crap.
Code:
$ cat */ports.*/*.*.build.L/rust.stt | egrep "^(ncpu|real)"
ncpu 16
real 4071.50
ncpu 14
real 3426.19
ncpu 16
real 3797.72
ncpu 4
real 8435.51
ncpu 4
real 7302.01
ncpu 8
real 4419.02
ncpu 5
real 6047.77

These Rust dependencies seem to be becoming a habit with the Python folks. :(
 