Certbot claims OID Extension is invalid


#1

Certbot has started giving me the following error:

```
Attempting to renew cert (www.xxxx.yyy) from /usr/local/etc/letsencrypt/renewal/www.xxxx.yyy.conf produced an unexpected error: The <ObjectIdentifier(oid=1.3.6.1.4.1.11129.2.4.2, name=Unknown OID)> extension is invalid and can't be parsed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /usr/local/etc/letsencrypt/live/www.xxxx.yyy/fullchain.pem (failure)
```

The certificate is still valid but overdue for renewal. I’m using certbot on FreeBSD with urllib3 and requests upgraded to the latest versions. The certificate dates from 4th April and is the 5th I’ve had for the domain.

How can I renew it?


#2

Hi,

You’ll need to provide us your domain name, error message (full) and the exact command you run…

Along with some server & software information.
So we could help you resolve the issue.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Thank you


#3

Sorry if I appeared secretive. I tend to think it’s best not to disclose too much on a public forum, since software versions could give hackers clues about potential flaws. However, as you need them, here they are.

Domain: www.diversediversity.org.uk

Command and output:
```
]# !certbot
certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /usr/local/etc/letsencrypt/renewal/www.diversediversity.org.uk.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Attempting to renew cert (www.diversediversity.org.uk) from /usr/local/etc/letsencrypt/renewal/www.diversediversity.org.uk.conf produced an unexpected error: The <ObjectIdentifier(oid=1.3.6.1.4.1.11129.2.4.2, name=Unknown OID)> extension is invalid and can't be parsed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/www.diversediversity.org.uk/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/www.diversediversity.org.uk/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)
```

And this is how the log reported it:
```
2018-06-13 15:01:33,912:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2018-06-13 15:01:33,915:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2018-06-13 15:01:34,013:WARNING:certbot.renewal:Attempting to renew cert (www.diversediversity.org.uk) from /usr/local/etc/letsencrypt/renewal/www.diversediversity.org.uk.conf produced an unexpected error: The <ObjectIdentifier(oid=1.3.6.1.4.1.11129.2.4.2, name=Unknown OID)> extension is invalid and can't be parsed. Skipping.
```

Server: apache24-2.4.33_1 (jailed)

python version: 2.7.15

certbot version: 0.25.0

urllib3 version: 1.23

python requests version: 2.19.0

OS: FreeBSD 11.1-RELEASE-p10

I was, as you can see, logged into a root shell to run the command. There is no control panel.

I can provide more versions if you need them.


#4

I don’t know enough to solve this. However…

Can you check /var/log/letsencrypt/letsencrypt.log or possibly /usr/local/var/log/letsencrypt/letsencrypt.log for the traceback? I’m curious what module it’s coming from and, in particular, where it’s installed.

I’m 90% sure it’s coming from cryptography, but maybe it’s pyasn1 or something.

It may be interesting to know what version it is, how it was installed, and whether it’s newer or older than Certbot.

That’s the extension used by Certificate Transparency, which Let’s Encrypt enabled around 29 March.

I’m not sure when it was defined, but it was at least 5 years ago. A lot of software probably only added it quite recently. But I’m surprised, I would have expected either it to be successfully parsed as an unknown extension, or for tons of people to have reported this issue…

If it’s this certificate from 1 April, other tools seem to have no problem parsing it. And it would be unusual but not impossible for Let’s Encrypt to be issuing syntactically invalid certificates.


#5

My guess is that you have an old version of OpenSSL and/or pycryptography on your system. In particular, they seem to not recognize the “SCT list” extension. It’s strange that they would reject the certificate for that, though. Normally unrecognized extensions are considered fine, so long as they are not marked critical.

Could you extract the certificate filename from /usr/local/etc/letsencrypt/renewal/www.diversediversity.org.uk.conf and run `openssl x509 -noout -text -in` on it? The results are public information, fine to share.

Can you also share the output of `openssl version`, the method you used to install Certbot (certbot-auto, I’m guessing?), and the full command you ran to renew?
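
The rule mentioned in the post above (an unrecognized extension is acceptable unless it is marked critical) can be seen by walking the DER by hand. This is an added example, not part of any post in the thread and not code from Certbot or cryptography; `classify_extensions`, `KNOWN_OIDS` and both byte strings are constructed for illustration, with a dummy payload standing in for the real SCT list.

```python
# Added example: walk a DER "Extensions" SEQUENCE and apply the RFC 5280
# section 4.2 rule for extensions the parser does not recognise.
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"   # OID named in the error on this page
KNOWN_OIDS = {"2.5.29.15", "2.5.29.19"}     # hypothetical old parser: keyUsage, basicConstraints

# Constructed samples (hand-built DER, not taken from a real certificate).
SAMPLE_OK = bytes.fromhex(
    "3024"
    "300e0603551d0f0101ff0404030205a0"            # keyUsage, critical
    "3012060a2b06010401d679020402040404020000")   # SCT list OID, non-critical, dummy payload
SAMPLE_CRITICAL = bytes.fromhex(                  # same OID, but flagged critical
    "3017" "3015060a2b06010401d6790204020101ff040404020000")

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end

def decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted form."""
    subs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit means "more follows"
        if not b & 0x80:
            subs.append(value)
            value = 0
    first = min(subs[0] // 40, 2)          # first two arcs share one subidentifier
    return ".".join(str(a) for a in [first, subs[0] - 40 * first] + subs[1:])

def classify_extensions(der, known):
    """Return [(oid, critical, verdict)] for a DER Extensions SEQUENCE."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    results, pos = [], 0
    while pos < len(body):
        tag, ext, pos = read_tlv(body, pos)
        oid_tag, oid_body, p = read_tlv(ext, 0)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed Extension")
        oid = decode_oid(oid_body)
        tag, value, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                    # BOOLEAN DEFAULT FALSE, so usually absent
            critical = value != b"\x00"
            tag, value, p = read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        if oid in known:
            verdict = "parsed"
        elif critical:
            verdict = "reject"             # unknown and critical: certificate must be rejected
        else:
            verdict = "ignored"            # unknown and non-critical: keep as opaque bytes
        results.append((oid, critical, verdict))
    return results
```

A parser following this rule treats the SCT list in `SAMPLE_OK` as opaque bytes and carries on, which is why a hard failure on a non-critical extension is the surprising part of the error in this thread.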


#6

I’ll try again. I’m still getting to grips with this editor which doesn’t seem good with pre-formatted text.


#7

@kjpetrie we’ve seen way more poorly formatted posts before so it wasn’t really an issue, but the best/easiest way is to enclose everything in three backticks

```
like this
```

Unfortunately this is not what the editor toolbar does unless you highlight a multiline section first. :frowning:


#8

It wasn’t just the format: chunks of output were missing! Let’s try again.

```
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/certbot/renewal.py", line 429, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 1154, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 649, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/local/lib/python2.7/site-packages/certbot/client.py", line 239, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/local/lib/python2.7/site-packages/certbot/client.py", line 50, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 721, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 1054, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 1003, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 512, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 622, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 445, in send
    timeout=timeout
  File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 849, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python2.7/site-packages/urllib3/connection.py", line 367, in connect
    cert = self.sock.getpeercert()
  File "/usr/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 351, in getpeercert
    'subjectAltName': get_subj_alt_name(x509)
  File "/usr/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 202, in get_subj_alt_name
    ext = cert.extensions.get_extension_for_class(
  File "/usr/local/lib/python2.7/site-packages/cryptography/utils.py", line 159, in inner
    result = func(instance)
  File "/usr/local/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 134, in extensions
    self._backend, self._x509
  File "/usr/local/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 235, in parse
    "parsed".format(oid)
ValueError: The <ObjectIdentifier(oid=1.3.6.1.4.1.11129.2.4.2, name=Unknown OID)> extension is invalid and can't be parsed
```

```
# pkg info py27-cryptography
py27-cryptography-2.1.4
Name           : py27-cryptography
Version        : 2.1.4
Installed on   : Sun May 13 21:22:51 2018 BST

# pkg info py27-openssl
py27-openssl-17.5.0_1
Name           : py27-openssl
Version        : 17.5.0_1
Installed on   : Mon Jan 29 11:56:24 2018 GMT

# openssl version
OpenSSL 1.0.2k-freebsd  26 Jan 2017
```

Now that looks rather old, so the guess might be right!
In fact, I wonder whether there are two types of OpenSSL on the system and it’s upgrading one but using the other?

# openssl x509 -noout -text -in /usr/local/etc/letsencrypt/archive/www.diversediversity.org.uk/fullchain5.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:6d:b2:3a:42:04:8a:77:f2:70:a8:f2:e7:07:f1:45:29:f7
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Mar 31 23:33:20 2018 GMT
            Not After : Jun 29 23:33:20 2018 GMT
        Subject: CN=www.diversediversity.org.uk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ba:ad:84:a0:49:97:5d:e1:49:e9:02:aa:69:c3:
                    f4:31:6f:39:ed:25:00:65:91:87:c3:b9:4e:e2:b0:
                    04:eb:25:59:f2:ef:80:d8:26:9e:4e:4a:84:05:6d:
                    dd:79:1b:82:b5:1b:99:f5:2a:dd:18:7a:4d:aa:bf:
                    d8:5f:17:bc:1f:f4:43:3b:5d:93:a0:5e:b2:4f:bc:
                    2a:30:39:c1:40:2d:96:bf:ea:4c:56:98:99:92:5d:
                    e1:38:09:07:44:93:eb:85:dd:8a:6b:f9:69:c7:60:
                    29:a8:5b:5a:e6:de:ad:d8:95:79:7c:e5:91:ef:c6:
                    eb:d8:17:9b:bd:87:00:95:e0:7b:82:46:40:bd:11:
                    03:99:69:43:10:22:f1:a5:73:2f:ac:1b:0a:f9:92:
                    a9:b9:e3:3c:0f:4a:4b:0e:b6:7a:f7:49:f8:ef:96:
                    b1:9b:f1:da:5d:ae:55:74:f5:a2:13:24:61:80:17:
                    23:37:8b:64:a2:32:83:8c:56:92:cd:4f:88:8e:ce:
                    b1:3f:b4:7b:12:32:05:d8:ec:a0:9b:db:0d:01:72:
                    8d:c8:c4:41:3a:25:9f:fb:59:a7:3d:cd:39:88:e3:
                    07:a1:45:e7:cb:64:b2:14:69:ff:00:4f:37:70:b4:
                    2e:12:49:9b:dd:d1:7a:dc:b3:81:1d:ff:45:37:f1:
                    07:31
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B4:02:5C:0A:77:53:12:32:FE:6B:DF:25:C6:9F:64:22:7D:9D:A1:23
            X509v3 Authority Key Identifier: 
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:diversediversity.org.uk, DNS:diversity.kjpetrie.co.uk, DNS:www.diversediversity.org.uk, DNS:www.kjpetrie.co.uk
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9:
                                AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64
                    Timestamp : Apr  1 00:33:20.335 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:DF:39:7A:1E:B6:5A:22:A4:5C:DA:55:
                                08:72:84:8A:5F:45:8D:26:3D:3F:C9:61:C6:8A:75:2F:
                                4D:89:EA:0D:8A:02:21:00:CB:C5:49:AE:7E:9B:8D:04:
                                7B:9E:BF:02:DC:80:2F:2C:E2:E2:04:5F:9E:B5:E2:1F:
                                5B:8B:3B:F5:38:11:39:69
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
                                6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
                    Timestamp : Apr  1 00:33:20.355 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:A1:D5:48:68:EB:6E:2A:65:E4:E9:23:
                                29:52:88:AD:82:A8:CC:25:67:7A:7C:5D:CA:C5:27:7C:
                                DD:9B:E7:87:50:02:20:18:73:E5:FF:E6:EE:32:B8:34:
                                3C:75:8D:29:FB:01:23:57:10:83:E7:86:E7:06:39:17:
                                85:E9:64:95:36:2B:6E
    Signature Algorithm: sha256WithRSAEncryption
         66:1a:72:a1:7c:ec:80:44:fb:94:b8:ea:66:d9:0e:5a:08:d9:
         70:de:8d:f9:0b:1f:b6:50:6e:cd:62:34:07:ed:0c:ae:b1:3f:
         ab:d6:ec:3f:a9:8d:cf:29:d9:fd:a7:71:88:25:97:87:e7:ab:
         9f:45:e3:c5:ca:56:79:e3:ce:11:23:0a:c0:28:d6:fa:ae:1b:
         7c:e6:61:9f:28:71:cd:61:b5:1d:4f:20:1f:d9:ff:01:45:33:
         09:59:8b:fa:13:e5:62:5b:65:f9:9d:2a:56:33:e6:af:7d:19:
         d4:e6:bb:ac:8a:1a:00:2b:e7:4b:15:58:e0:ad:a2:92:83:4a:
         9f:ce:d9:fe:7b:0f:a7:4c:9b:df:40:54:91:cb:e8:ce:82:ab:
         c1:19:80:6e:1d:77:91:c1:32:a4:3c:83:e3:c5:41:8c:35:1d:
         36:e0:6b:c0:c9:88:06:17:9e:38:61:1a:67:98:d5:46:15:33:
         ca:36:a1:3f:52:f0:b1:aa:de:75:75:75:42:df:a7:29:c5:d5:
         36:e6:eb:c1:5e:37:19:92:23:b2:18:10:91:1a:c2:cf:3d:dd:
         93:c5:83:23:b3:cc:5a:68:ab:84:0a:cb:ef:2a:5f:79:9e:41:
         50:77:ec:83:f3:62:7c:bc:05:69:ed:04:04:4f:dc:e8:75:e5:
         49:73:e6:12

Certbot was installed from a locally-built (using poudriere) package compiled from a FreeBSD port.

The command was:
```
# !certbot
certbot renew --dry-run
```


#9

This is unexpected…

The “CT Precertificate SCTs” section in the “openssl x509” output shows that not only is OpenSSL capable of parsing the certificate, but it’s new enough that it knows what the extension means.

(An older version of OpenSSL would show unreadable garbage for that section, but would still successfully parse the certificate.)

Seems the failure is actually when Certbot tries to connect to https://acme-staging-v02.api.letsencrypt.org/ and parse its certificate, rather than when it parses your own certificate. (Though that might also fail, for all I know.)

Maybe there are two versions of OpenSSL installed…

I don’t know what to do about this though…


#10

If that’s the case, the problem is either in the communication or at the other end!
Would Let’s Encrypt have logs to consult about this?


#11

Are python-cryptography and your OpenSSL binary linked to the same libssl.so?

```
ldd /usr/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so | grep libssl
ldd $(which openssl) | grep libssl
```

#12

No!
```
$ ldd /usr/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so |grep libssl
libssl.so.45 => /usr/local/lib/libssl.so.45 (0x286a8000)
$ ldd $(which openssl) | grep libssl
libssl.so.8 => /usr/lib/libssl.so.8 (0x280df000)
```

Hmmm.

Edit: I have both openssl (part of the FreeBSD base system) and libressl (from package libressl).

So:

# /usr/local/bin/openssl x509 -noout -text -in /usr/local/etc/letsencrypt/archive/www.diversediversity.org.uk/fullchain5.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:6d:b2:3a:42:04:8a:77:f2:70:a8:f2:e7:07:f1:45:29:f7
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Mar 31 23:33:20 2018 GMT
            Not After : Jun 29 23:33:20 2018 GMT
        Subject: CN=www.diversediversity.org.uk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ba:ad:84:a0:49:97:5d:e1:49:e9:02:aa:69:c3:
                    f4:31:6f:39:ed:25:00:65:91:87:c3:b9:4e:e2:b0:
                    04:eb:25:59:f2:ef:80:d8:26:9e:4e:4a:84:05:6d:
                    dd:79:1b:82:b5:1b:99:f5:2a:dd:18:7a:4d:aa:bf:
                    d8:5f:17:bc:1f:f4:43:3b:5d:93:a0:5e:b2:4f:bc:
                    2a:30:39:c1:40:2d:96:bf:ea:4c:56:98:99:92:5d:
                    e1:38:09:07:44:93:eb:85:dd:8a:6b:f9:69:c7:60:
                    29:a8:5b:5a:e6:de:ad:d8:95:79:7c:e5:91:ef:c6:
                    eb:d8:17:9b:bd:87:00:95:e0:7b:82:46:40:bd:11:
                    03:99:69:43:10:22:f1:a5:73:2f:ac:1b:0a:f9:92:
                    a9:b9:e3:3c:0f:4a:4b:0e:b6:7a:f7:49:f8:ef:96:
                    b1:9b:f1:da:5d:ae:55:74:f5:a2:13:24:61:80:17:
                    23:37:8b:64:a2:32:83:8c:56:92:cd:4f:88:8e:ce:
                    b1:3f:b4:7b:12:32:05:d8:ec:a0:9b:db:0d:01:72:
                    8d:c8:c4:41:3a:25:9f:fb:59:a7:3d:cd:39:88:e3:
                    07:a1:45:e7:cb:64:b2:14:69:ff:00:4f:37:70:b4:
                    2e:12:49:9b:dd:d1:7a:dc:b3:81:1d:ff:45:37:f1:
                    07:31
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B4:02:5C:0A:77:53:12:32:FE:6B:DF:25:C6:9F:64:22:7D:9D:A1:23
            X509v3 Authority Key Identifier: 
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:diversediversity.org.uk, DNS:diversity.kjpetrie.co.uk, DNS:www.diversediversity.org.uk, DNS:www.kjpetrie.co.uk
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

            1.3.6.1.4.1.11129.2.4.2: 
                ......w..t...)....>qm,....6..q..].O7...d...b~.m......H0F.!..9z..Z"...!...I.~...{...../,..._....[.;.8.9i.v.)<Q.T.9e..P.X...o.Xz)r......EG.x...b~.m......G0E.!...Hh.n*e..#)R.....%gz|]..'|....P. .s....2.4<u.)..#W......9...d.6+n
    Signature Algorithm: sha256WithRSAEncryption
         66:1a:72:a1:7c:ec:80:44:fb:94:b8:ea:66:d9:0e:5a:08:d9:
         70:de:8d:f9:0b:1f:b6:50:6e:cd:62:34:07:ed:0c:ae:b1:3f:
         ab:d6:ec:3f:a9:8d:cf:29:d9:fd:a7:71:88:25:97:87:e7:ab:
         9f:45:e3:c5:ca:56:79:e3:ce:11:23:0a:c0:28:d6:fa:ae:1b:
         7c:e6:61:9f:28:71:cd:61:b5:1d:4f:20:1f:d9:ff:01:45:33:
         09:59:8b:fa:13:e5:62:5b:65:f9:9d:2a:56:33:e6:af:7d:19:
         d4:e6:bb:ac:8a:1a:00:2b:e7:4b:15:58:e0:ad:a2:92:83:4a:
         9f:ce:d9:fe:7b:0f:a7:4c:9b:df:40:54:91:cb:e8:ce:82:ab:
         c1:19:80:6e:1d:77:91:c1:32:a4:3c:83:e3:c5:41:8c:35:1d:
         36:e0:6b:c0:c9:88:06:17:9e:38:61:1a:67:98:d5:46:15:33:
         ca:36:a1:3f:52:f0:b1:aa:de:75:75:75:42:df:a7:29:c5:d5:
         36:e6:eb:c1:5e:37:19:92:23:b2:18:10:91:1a:c2:cf:3d:dd:
         93:c5:83:23:b3:cc:5a:68:ab:84:0a:cb:ef:2a:5f:79:9e:41:
         50:77:ec:83:f3:62:7c:bc:05:69:ed:04:04:4f:dc:e8:75:e5:
         49:73:e6:12

Now I need to find out why libressl is installed and whether we can use openssl instead.


#13

This explains how to switch:

https://wiki.freebsd.org/LibreSSL

It also says:

security/py-cryptography: Claimed to not be fully functional by the developers

Still, you might want to report the specific issue with certbot and libressl to the freebsd bugzilla so they’re aware of the incompatibility.

