Cryptography 35.0.0 breaks certbot

Schamschula · October 3, 2021, 6:25pm

This morning I got informed about a MacPorts ticket for an issue loading certbot #63567 (certbot execution failed) – MacPorts. The error is

An unexpected error occurred:
pkg_resources.ContextualVersionConflict: (cryptography 35.0.0 (/opt/local/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages), Requirement.parse('cryptography<4,>=2'), {'dns-lexicon'})

I can reproduce it on my machine, even after rebuilding py-acme and certbot.

On Github I see py-cryptography was updated from 3.4.8 to 35.0.0 two days ago py-cryptography: update to 35.0.0 · macports/macports-ports@c7bb4cf · GitHub

and broke the Requirement.parse.

Osiris · October 3, 2021, 6:36pm

Well, it seems the dependency requirements are from dns-lexicon. While dns-lexicon is indeed a dependency of certain certbot DNS, it's not certbot itself with the incorrect cryptography dependency.

See the certbot cryptography dependency here:

github.com

certbot/certbot/blob/cde3e1fa9774d508159812b96dc56b2f302d16e0/certbot/setup.py#L53

    
      
          install_requires = [
              # We specify the minimum acme version as the current Certbot version for
              # simplicity. See https://github.com/certbot/certbot/issues/8761 for more
              # info.
              f'acme>={version}',
              # We technically need ConfigArgParse 0.10.0 for Python 2.6 support, but
              # saying so here causes a runtime error against our temporary fork of 0.9.3
              # in which we added 2.6 support (see #2243), so we relax the requirement.
              'ConfigArgParse>=0.9.3',
              'configobj>=5.0.6',
              'cryptography>=2.1.4',
              'distro>=1.0.1',
              'josepy>=1.9.0',
              'parsedatetime>=2.4',
              'pyrfc3339',
              'pytz',
              # This dependency needs to be added using environment markers to avoid its
              # installation on Linux.
              'pywin32>=300 ; sys_platform == "win32"',
              f'setuptools>={min_setuptools_version}',
              'zope.component',

Should work fine with 35.0.0.

Same goes for the acme library:

github.com

certbot/certbot/blob/cde3e1fa9774d508159812b96dc56b2f302d16e0/acme/setup.py#L9

    
      
          import sys
          
          
from setuptools import find_packages
          from setuptools import setup
          
          
version = '1.20.0.dev0'
          
          
install_requires = [
              'cryptography>=2.1.4',
              'josepy>=1.9.0',
              'PyOpenSSL>=17.3.0',
              'pyrfc3339',
              'pytz',
              'requests>=2.14.2',
              'requests-toolbelt>=0.3.0',
              'setuptools>=39.0.1',
          ]
          
          
docs_extras = [

It's probably better to directly open an issue at Issues · AnalogJ/lexicon · GitHub

Osiris · October 3, 2021, 6:52pm

By the way, doesn't MacPorts have a system in place which prevents breaking commits such as py-cryptography: update to 35.0.0 · macports/macports-ports@c7bb4cf · GitHub ?

It's obvious that commit broke dns-lexicon, but I don't see any checks next to that commit in the commit history. Some commits do have successful checks, some commits have broken checks, but are still committed.. Doesn't really look like a fool-proof system if you'd ask me.

Schamschula · October 3, 2021, 7:18pm

Thanks for the quick response!

Indeed, after deactivating dns-lexicon and dns-namecheap, certbot loads. I'll open an issue with dns-lexicon.

MacPorts only checks if library links are broken. However, this rarely catches python issues. I usually find python dependency errors when attempting to execute a package.

Osiris · October 3, 2021, 7:23pm

In the mean time, I've already opened a PR to remove the <4 constraint: Remove cryptography<4 constraint by osirisinferi · Pull Request #968 · AnalogJ/lexicon · GitHub

Indeed, I don't think checking library links suffices for Python packages.

solsticedhiver · October 14, 2021, 9:51am

I am seeing this error on archlinux-arm too.

@Schamschula how do you deactivate dns-lexicon and dns-namecheap?

Schamschula · October 14, 2021, 10:07am

Under MacPorts you deactivate a package (e.g. the Python 3.9 version) by running

sudo port deactivate py39-dns-lexicon

archlinux uses a different package manager, so you'll need to check the documentation.

solsticedhiver · October 14, 2021, 10:19am

oh, that's what you meant by deactivate; I thought it was a plugin to deactivate in certbot

Thanks

Osiris · October 14, 2021, 10:38am

Usually the DNS plugins are provided separately from the main certbot program and acme library. So if you don't use those DNS plugins, you should be able to uninstall them.

solsticedhiver · October 14, 2021, 11:06am

Well, I am using certbot-dns-ovh, that depends on dns-lexicon; so I can't do that?

Osiris · October 14, 2021, 12:25pm

True, if you use that plugin you can't indeed. But in that case I don't really understand why you asked on how to disable dns-lexicon in the first place.

Anyway, in any case it seems Arch bumped the version for cryptography, but didn't bump the version of dns-lexicon to 3.7.1. (Which is the version where this issue was fixed.)

So your best move would be to a
point out this matter to the Arch maintainer for dns-lexicon, so he/she can bump the version to 3.7.1.

jvanasco · October 14, 2021, 4:59pm

FWIW, I just want to warn people this will likely continue to break and this install method (macports) is not officially supported - so you should keep an eye out with tests on your system to catch future breakage.

TLDR: The distro/macport ports are all ports/patches of the official certbot (and other package) source and are often designed to pick up other ports from the system first. the breaking packages could be installed from the distro package manager, or from the pypi/pip package manager (or even vendored); and could be installed into a user space, shared system space, or even vendored into the package. The Certbot devs have been pushing towards the snap installation method, in part, because that creates a nice and easily maintained sandboxed environment where the requirements can all be nicely managed. Currently Certbot supports Homebrew over Macports - at least for directions - but I don't know how long that will be for. Their team does not seem to want to support anything other than snapd, ASAP.

I often use a pip installed Certbot for local use of DNS-01 challenges. For my local usage pattern, and Python skill level, I'm not worried about potential breaks. If my usage pattern involved anything automated, I would absolutely have CI tests covering a build and a dry-run against staging of certbot and the necessary plugins.

system · November 13, 2021, 5:00pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cryptography 39 breaks certbot Help	4	625	March 20, 2023
Certbot command Error ContextualVersionConflict Help	5	1566	April 5, 2019
Why does certbot fail when installed with pip on Debian 10? Help	3	966	July 23, 2021
Certbot - Cryptography Package Version Raising Errors Help	2	1790	June 21, 2017
Centos7 certbot python2-cryptography version mismatch Help	2	3455	January 28, 2019

Cryptography 35.0.0 breaks certbot

Related topics