ImportError: cannot import name 'x509' from 'cryptography.hazmat.bindings._rust

Hello.
I'm trying to renew my current certificates.

My system is FreeBSD 12.3-RELEASE-p7 amd64.
My software versions:
rust-1.63.0 = up-to-date with index
py39-certbot-1.31.0,1 = up-to-date with index
py39-cryptography-38.0.1 = up-to-date with index
py39-josepy-1.13.0 = up-to-date with index
py39-openssl-20.0.1,1 = up-to-date with index

```
/usr/local/bin/certbot -q renew --allow-subset-of-names

Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.31.0', 'console_scripts', 'certbot')())
  File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load
    module = import_module(match.group('module'))
  File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 19, in <module>
    import josepy as jose
  File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py", line 40, in <module>
    from josepy.json_util import (
  File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 14, in <module>
    from OpenSSL import crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/crypto.py", line 14, in <module>
    from cryptography import utils, x509
  File "/usr/local/lib/python3.9/site-packages/cryptography/x509/__init__.py", line 6, in <module>
    from cryptography.x509 import certificate_transparency
  File "/usr/local/lib/python3.9/site-packages/cryptography/x509/certificate_transparency.py", line 10, in <module>
    from cryptography.hazmat.bindings._rust import x509 as rust_x509
ImportError: cannot import name 'x509' from 'cryptography.hazmat.bindings._rust' (unknown location)
```

How to fix?

I just saw the same message under FreeBSD 13.1-RELEASE-p2.

It likely is an issue with a package certbot depends on.

2 Likes

It looks like py-cryptography was recently updated to version 38.0.1. This may not be backward compatible.

1 Like

Hopefully the developers will fix the bug soon.

See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266937

2 Likes

The dependency on cryptography.hazmat.bindings._rust.x509 was added in cryptography-35.0.0.

However, it seems FreeBSD compiles cryptography without the Rust modules.

So ultimately this is, I think, a decision of the FreeBSD ports (?) team not wanting to use Rust, whereas that is not optional any longer. Back in 3.4.8 there was a CRYPTOGRAPHY_DONT_BUILD_RUST option, which has been removed from cryptography apparently. And the FreeBSD ports (?) team just hacked away further at the setup.py so it doesn't require Rust. Except that has grave consequences if a module requiring Rust is required elsewhere in cryptography, essentially breaking it.

I believe this is not isolated to Certbot by the way. Just running `from cryptography.x509 import certificate_transparency` in a Python shell should also return this error. (Or `from cryptography import x509` or simply `from OpenSSL import crypto`, which ultimately import all the other stuff.)

You can probably get Certbot (and other applications depending on cryptography.x509.certificate_transparency and/or cryptography.hazmat.bindings._rust) working again by downgrading to cryptography-3.4.8.

And also the version of Certbot probably doesn't matter.

4 Likes
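A way to check the diagnosis in the post above without starting Certbot, as an added example that is not part of the original thread: `classify` reports whether a module name resolves to a compiled extension or only to a bare directory, and `reproduce` triggers the same `ImportError ... (unknown location)` against a constructed package. The `demo_broken` tree is constructed for illustration; that the FreeBSD package leaves a code-less `_rust` directory behind is an assumption, not something the thread states.

```python
import importlib.util
import sys
import tempfile
from importlib.machinery import ExtensionFileLoader
from pathlib import Path

REAL_TARGET = "cryptography.hazmat.bindings._rust"  # module named in the traceback


def classify(module_name):
    """Report how Python would resolve module_name, without importing it."""
    try:
        spec = importlib.util.find_spec(module_name)
    except ImportError:              # a parent package is absent or broken
        return "missing"
    if spec is None:
        return "missing"
    if isinstance(spec.loader, ExtensionFileLoader):
        return "extension"           # compiled .so/.pyd: what a working build has
    if spec.origin in (None, "namespace") and spec.submodule_search_locations is not None:
        return "namespace"           # bare directory with no code behind it
    return "python"


def build_constructed_tree(root):
    """Constructed stand-in: a _rust/ directory that holds only a .pyi stub."""
    stub_dir = Path(root) / "demo_broken" / "bindings" / "_rust"
    stub_dir.mkdir(parents=True)
    (stub_dir.parents[1] / "__init__.py").write_text("")   # demo_broken/
    (stub_dir.parents[0] / "__init__.py").write_text("")   # demo_broken/bindings/
    (stub_dir / "x509.pyi").write_text("# type stub only\n")
    sys.path.insert(0, str(root))
    importlib.invalidate_caches()


def reproduce():
    """Return the ImportError text raised against the constructed tree."""
    try:
        from demo_broken.bindings._rust import x509  # noqa: F401
    except ImportError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    build_constructed_tree(tempfile.mkdtemp())
    print("constructed:", classify("demo_broken.bindings._rust"), "|", reproduce())
    print("installed  :", classify(REAL_TARGET))
```

On a host with a working cryptography build the second line should read `extension`; `namespace` or `missing` means the compiled Rust module is not there.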

What is Rust for?
It is difficult to build from ports on the server.
With fresh, fast hardware, it takes 30-40 minutes to build Rust from ports.
Pretty heavy for a server.

1 Like

Often, Python modules require non-Python code for certain functions. Rust is a popular programming language for security sensitive code, as it has many benefits such as memory safety, something C(++) cannot guarantee from the language point of view. Cryptography has decided to use Rust for certain parts of the module.

You mean, to compile the Rust toolchain itself? Or cryptography parts requiring Rust?

3 Likes

lang/rust: it takes 30 minutes to build from ports, while putting 100% load on the disk and processor.
That is with an Intel Xeon E-2136 processor and NVMe drives.

I'm not surprised. But when you've got the toolchain installed, you can just leave it available for other packages too :slight_smile:

2 Likes

We decided to use security/acme.sh on new servers.
On older servers, we will continue to use certbot for now.

1 Like
