I've got a warning today from Let's Encrypt that one of my certificates was about to expire in 20 days, and indeed, the certbot.unit failed due to segmentation faults.

Manually running certbot -v renew

-------------------------8<------------------------_
Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f4aa900deb8>)>), contact=('*************',), agreement='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', status='valid', terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/31281933', new_authzr_uri=None, terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), 22ee6059f3fd794a489051ef1cf76180, Meta(creation_dt=datetime.datetime(2018, 3, 16, 19, 38, 37, tzinfo=<UTC>), creation_host='saturn.midworld.de'))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
Segmentation fault (core dumped)
----------------------->8------------------------------

With both python 3.7 and 3.6, downgrading certbot from 0.37 to 0.36 didn't do the trick, either.

Only after eselecting python 2.7 certbot renew worked without any problem
I haven't had any issues. running on python3.6 now.

I assume acme is at 0.37.0 as well?

can you run this to make sure your system is in a consistent state?

emerge -uDNav --complete-graph=y @world && emerge -a --depclean && emerge -av --usepkg=n --getbinpkg=n --selective=n @preserved-rebuild
(In reply to Matthew Thode ( prometheanfire ) from comment #1)
> I haven't had any issues. running on python3.6 now.
>
> I assume acme is at 0.37.0 as well?
>
> can you run this to make sure your system is in a consistent state?
>
> emerge -uDNav --complete-graph=y @world && emerge -a --depclean && emerge
> -av --usepkg=n --getbinpkg=n --selective=n @preserved-rebuild

You assume right - I regularly do an emerge -UDN @world @system plus depclean afterwards. Here's the output of your command:

jupiter ~ # emerge -uDNav --complete-graph=y @world && emerge -a --depclean && emerge -av --usepkg=n --getbinpkg=n --selective=n @preserved-rebuild

These are the packages that would be merged, in order:

Calculating dependencies... done!

Total: 0 packages, Size of downloads: 0 KiB

Nothing to merge; quitting.

 * Always study the list of packages to be cleaned for any obvious
 * mistakes. Packages that are part of the world set will always
 * be kept. They can be manually added to this set with
 * `emerge --noreplace <atom>`. Packages that are listed in
 * package.provided (see portage(5)) will be removed by
 * depclean, even if they are part of the world set.
 *
 * As a safety measure, depclean will not remove any packages
 * unless *all* required dependencies have been resolved. As a
 * consequence of this, it often becomes necessary to run
 * `emerge --update --newuse --deep @world` prior to depclean.

Calculating dependencies... done!
>>> No packages selected for removal by depclean
>>> To see reverse dependencies, use --verbose
Packages installed: 560
Packages in world: 46
Packages in system: 43
Required packages: 560
Number removed: 0

These are the packages that would be merged, in order:

Calculating dependencies... done!

Total: 0 packages, Size of downloads: 0 KiB

Nothing to merge; quitting.

jupiter ~ #
Oh, I've found a hint - another Gentoo user with a similar problem with the same workaround (using python 2.7): https://github.com/pyca/cryptography/issues/4795 (See the last comment)
ok, using cryptography 2.6.1 then?
I just added cryptography 2.7 to the tree as well, if you want to test with that
(In reply to Matthew Thode ( prometheanfire ) from comment #5)
> I just added cryptography 2.7 to the tree as well, if you want to test with
> that

Updated. Well, obtaining a new certificate didn't result in any segfault, neither did a --force-renewal of an existing one.

Unfortunately this isn't conclusive yet - since the segfault only occurred at a standard renewal operation. The next certificate which will be renewed is still valid 42 days, so I would suggest wait and see if the problem has been resolved by upgrading cryptography
Upgrading to cryptography 2.7 resolved the issue for me
(In reply to cyberbat from comment #7)
> Upgrading to cryptography 2.7 resolved the issue for me

Already had that...certbot still fails:

Root logging level set at -30
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator manual and installer None
Single candidate plugin:
* manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot.plugins.manual:Authenticator
Initialized: <certbot.plugins.manual.Authenticator object at 0x7fa5f97550>
Prep: True
Selected authenticator <certbot.plugins.manual.Authenticator object at 0x7fa5f97550> and installer None
Plugins selected: Authenticator manual, Installer None
Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/53179548', new_authzr_uri=None, terms_of_service=None), 4b4a6ceccea370fc3358107b442c9e18, Meta(creation_host=u'printer', creation_dt=datetime.datetime(2019, 3, 12, 20, 43, 7, tzinfo=<UTC>)))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
Segmentation fault

I've also had problems getting OctoPrint to run on the same system since a recent emerge -uNDV @world; it segfaults as well when it tries to listen on a network port. I found that certbot was also FUBAR when I started getting expired-certificate warnings and tried to renew.

The host in question is a Raspberry Pi 3 B+, for which I normally cross-compile binary packages on a faster host. I've tried recompiling Python 2.7 and dev-python/cryptography-2.7 on the RPi; that made no difference.
Old version, gone from the tree.