# certbot ImportError: cannot import name 'x509' from 'cryptography.hazmat.bindings._rust'



## bagas (Oct 10, 2022)

Hello.
I'm trying to renew my current certificates.
My system FreeBSD 12.3-RELEASE-p7 amd64.
My version soft:

```
rust-1.63.0 = up-to-date with index
py39-certbot-1.31.0,1 = up-to-date with index
py39-cryptography-38.0.1 = up-to-date with index
py39-josepy-1.13.0 = up-to-date with index
py39-openssl-20.0.1,1 = up-to-date with index
```
I'm running certificate updates.

```
# certbot -q renew --allow-subset-of-names
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==1.31.0', 'console_scripts', 'certbot')())
File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
return next(matches).load()
File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load
module = import_module(match.group('module'))
File "/usr/local/lib/python3.9/importlib/[B]init[/B].py", line 127, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1030, in _gcd_import
File "", line 1007, in _find_and_load
File "", line 986, in _find_and_load_unlocked
File "", line 680, in _load_unlocked
File "", line 850, in exec_module
File "", line 228, in _call_with_frames_removed
File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in
from certbot._internal import main as internal_main
File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 19, in
import josepy as jose
File "/usr/local/lib/python3.9/site-packages/josepy/[B]init[/B].py", line 40, in
from josepy.json_util import (
File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 14, in
from OpenSSL import crypto
File "/usr/local/lib/python3.9/site-packages/OpenSSL/[B]init[/B].py", line 8, in
from OpenSSL import crypto, SSL
File "/usr/local/lib/python3.9/site-packages/OpenSSL/crypto.py", line 14, in
from cryptography import utils, x509
File "/usr/local/lib/python3.9/site-packages/cryptography/x509/[B]init[/B].py", line 6, in
from cryptography.x509 import certificate_transparency
File "/usr/local/lib/python3.9/site-packages/cryptography/x509/certificate_transparency.py", line 10, in
from cryptography.hazmat.bindings._rust import x509 as rust_x509
ImportError: cannot import name 'x509' from 'cryptography.hazmat.bindings._rust' (unknown location)
```
Same error on the system, FreeBSD 13.1-RELEASE-p2 amd64.
How to fix?


----------



## Lamia (Oct 11, 2022)

You may have multiple python versions on your box; regardless, do ensure that your pkgs are all up-to-date. Do try upgrade all.


----------



## bagas (Oct 11, 2022)

Lamia said:


> You may have multiple python versions on your box; regardless, do ensure that your pkgs are all up-to-date. Do try upgrade all.


all ports updated.
Python only version py39.


----------



## covacat (Oct 11, 2022)

certbot is shit
it has 403423 dependencies and breaks from time to time
use acme.sh 

```
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 28 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
    libffi33: 3.3_2
    py39-acme: 1.31.0,1
    py39-certbot: 1.31.0,1
    py39-certifi: 2022.6.15
    py39-cffi: 1.15.1
    py39-charset-normalizer: 2.1.1
    py39-configargparse: 1.5.3
    py39-configobj: 5.0.6_1
    py39-cryptography: 3.4.8
    py39-distro: 1.7.0
    py39-idna: 3.3
    py39-josepy: 1.13.0
    py39-openssl: 20.0.1,1
    py39-parsedatetime: 2.6
    py39-pycparser: 2.21
    py39-pyrfc3339: 1.1
    py39-pysocks: 1.7.1
    py39-pytz: 2022.2.1,1
    py39-requests: 2.28.1
    py39-requests-toolbelt: 0.9.1_1
    py39-setuptools: 63.1.0
    py39-six: 1.16.0
    py39-urllib3: 1.26.12,1
    py39-zope.component: 4.2.2
    py39-zope.event: 4.1.0
    py39-zope.interface: 5.3.0
    python39: 3.9.14

Installed packages to be UPGRADED:
    libffi: 3.3_1 -> 3.4.2

Number of packages to be installed: 27
Number of packages to be upgraded: 1

The process will require 144 MiB more space.
21 MiB to be downloaded.

Proceed with this action? [y/N]: ^C
[root@hpbsd]# pkg install acme.sh
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
    acme.sh: 3.0.4
    socat: 1.7.4.3

Number of packages to be installed: 2

The process will require 2 MiB more space.
367 KiB to be downloaded.

Proceed with this action? [y/N]:
```


----------



## bagas (Oct 11, 2022)

266937 – security/py-certbot broken in v 1.31.0,1
					






					bugs.freebsd.org
				




Need to go back to version py39-cryptography-3.4.8.


----------



## Lamia (Oct 11, 2022)

bagas said:


> 266937 – security/py-certbot broken in v 1.31.0,1
> 
> 
> 
> ...


Going back isn't as easy as before. Gone are those days of the port portdowngrade. Gitup can do the same though I have not been trying it out.

Hurray, it is back!

Edit: Better to edit than wait a min. before adding another post.


----------



## T-Daemon (Oct 11, 2022)

It seems when security/py-cryptography is build with Rust it would solve the issue. There is a  patch (waiting for maintainer-feedback) in PR security/py-cryptography: Update to 37.0.2 to [patch] update to 38.0.1 with rust build .

Not sure how this will be received by the port maintainer taking following into account:








						ImportError: cannot import name 'x509' from 'cryptography.hazmat.bindings._rust
					

Hello.  I'm trying to renew my current certificates.  My system FreeBSD 12.3-RELEASE-p7 amd64.  My version soft:  rust-1.63.0                        =   up-to-date with index  py39-certbot-1.31.0,1              =   up-to-date with index  py39-cryptography-38.0.1           =   up-to-date with...




					community.letsencrypt.org
				






> Osiris                                                                        October 10, 2022,  7:01pm                                      #6
> 
> The dependency on cryptography.hazmat.bindings._rust.x509 was added in cryptography-35.0.0.
> 
> ...



Probably the changes must be reverted requiring Rust.


----------



## bagas (Oct 11, 2022)

What is rust for?
Of the ports, it is difficult to assemble it on the server.
Having fresh, fast hardware, it will take 30-40 minutes to assemble from rust ports.
Pretty heavy for a server.


----------



## T-Daemon (Oct 11, 2022)

bagas said:


> Having fresh, fast hardware, it will take 30-40 minutes to assemble from rust ports.
> Pretty heavy for a server.


True. Then use, as already suggested, security/acme.sh instead.


----------



## T-Daemon (Oct 11, 2022)

T-Daemon said:


> Probably the changes must be reverted requiring Rust.


That's what happened, Rust dependency will be added to fix the issue in PR security/py-certbot broken in v 1.31.0,1 . 


```
Guido Falsi freebsd_committer 2022-10-11 15:55:07 UTC   Comment 15

Since I was needing ansible, I tested applying bug #254853 proposed patch (plus a
PORTREVISION bump) and can confirm it works fine and fixes the issue.

I'll add that bug here as a dependency, since it actually fixes the issue.
```

Proposed patch from bug #254853 is the one linked in post # 7 in this thread.


----------



## PMc (Oct 11, 2022)

bagas said:


> What is rust for?
> Of the ports, it is difficult to assemble it on the server.
> Having fresh, fast hardware, it will take 30-40 minutes to assemble from rust ports.
> Pretty heavy for a server.



Oh crap.

```
$ cat */ports.*/*.*.build.L/rust.stt | egrep "^(ncpu|real)"
ncpu 16
real 4071.50
ncpu 14
real 3426.19
ncpu 16
real 3797.72
ncpu 4
real 8435.51
ncpu 4
real 7302.01
ncpu 8
real 4419.02
ncpu 5
real 6047.77
```

This rust dependencies seem to get a habit with the python folks.


----------



## bagas (Oct 12, 2022)

T-Daemon said:


> True. Then use, as already suggested, security/acme.sh instead.


On new servers I will use security/acme.sh.
On older servers, I will continue to use certbot for now.


----------



## bagas (Oct 13, 2022)

When will there be an official fix in the ports?


----------

