Update to cryptography 43.0.0: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated 2.11.0-ls313 Build-date:- 2024-07-27T03:23:38+00:00 #495

Closed
1 task done
GuiPoM opened this issue Aug 1, 2024 · 6 comments


@GuiPoM

GuiPoM commented Aug 1, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When running docker-swag and renewing the certificate, the following logs are displayed:

/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:238: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if not response_ocsp.this_update:
/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:240: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if response_ocsp.this_update > now + timedelta(minutes=5):
/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:242: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.
  if response_ocsp.next_update and response_ocsp.next_update < now - timedelta(minutes=5):

This is linked to certbot and cryptography being updated to 43.0.0
certbot/certbot#9967 (comment)

Expected Behavior

No deprecation logs should be seen

Steps To Reproduce

I am running 2.11.0-ls313 Build-date:- 2024-07-27T03:23:38+00:00

Environment

- OS:Linux 6.1.0-23-amd64 (OMV 7.4.3-1)
- How docker service was installed: APT

CPU architecture

x86-64

Docker creation

swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=${PUID:?PUID is required}
      - PGID=${PGID:?PGID is required}
      - TZ=${TZ:?TZ is required}
      - EMAIL=${EMAIL:?EMAIL is required}
      - URL=${DOMAIN:?DOMAIN is required}
      - SUBDOMAINS=wildcard
      - VALIDATION=dns
      - DNSPLUGIN=${DNSPLUGIN}
      # DOCKER MODS
      - DOCKER_MODS=linuxserver/mods:swag-dbip|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-crowdsec
      - DOCKER_MODS_DEBUG=false
      # Crowdsec
      - CROWDSEC_API_KEY=${CROWDSEC_BOUNCER_KEY_SWAG:?CROWDSEC_BOUNCER_KEY_SWAG is required}
      - CROWDSEC_LAPI_URL=http://crowdsec:8080
      - CROWDSEC_F2B_DISABLE=false
      # Google reCAPTCHA: https://www.google.com/recaptcha/admin
      # - CROWDSEC_CAPTCHA_PROVIDER=recaptcha
      # - CROWDSEC_SITE_KEY=${CROWDSEC_RECAPTCHA_SITE_KEY:?CROWDSEC_RECAPTCHA_SITE_KEY is required}
      # - CROWDSEC_SECRET_KEY=${CROWDSEC_RECAPTCHA_SECRET_KEY:?CROWDSEC_RECAPTCHA_SECRET_KEY is required}
    labels:
      - diun.enable=true
      - homepage.group=NAS
      - homepage.name=SWAG/nginx
      - homepage.weight=101
      - homepage.icon=nginx.svg
      - homepage.widget.type=swagdashboard
      - homepage.widget.fields=["proxied", "auth", "outdated", "banned"]
      - homepage.widget.url=http://swag:81
      #- homepage.widget.url=https://dashboard.${DOMAIN:?DOMAIN is required}
    volumes:
      - ${APPDATA_PATH:?APPDATA_PATH is required}/swag/config:/config
      - ${APPDATA_PATH:?APPDATA_PATH is required}/swag/custom-cont-init.d:/custom-cont-init.d:ro
      - ${APPDATA_PATH:?APPDATA_PATH is required}/authelia/config/authelia.log:/authelia/authelia.log:ro
      - ${APPDATA_PATH:?APPDATA_PATH is required}/nextcloud/data/nextcloud.log:/nextcloud/nextcloud.log:ro
      - ${APPDATA_PATH:?APPDATA_PATH is required}/jellyfin/log:/jellyfin/log:ro
    ports:
      - 443:443
      #- 81:81 #dashboard
      #- 8080:80 #optional
    extra_hosts:
     - nas.host:192.168.1.40
    security_opt:
      - no-new-privileges=true
    restart: unless-stopped
    networks:
      - crowdsec
      - dockge
      - duplicati
      - filebrowser
      - guacamole
      - homepage
      - jellyfin
      - librespeed
      - nextcloud
      - ollama
      - portainer
      - vaultwarden

Container logs

[custom-init] No custom services found, skipping...
[mod-init] Running Docker Modification Logic
[mod-init] Adding linuxserver/mods:swag-dbip to container
[mod-init] Downloading linuxserver/mods:swag-dbip from lscr.io
[mod-init] Installing linuxserver/mods:swag-dbip
[mod-init] linuxserver/mods:swag-dbip applied to container
[mod-init] Adding linuxserver/mods:swag-dashboard to container
[mod-init] Downloading linuxserver/mods:swag-dashboard from lscr.io
[mod-init] Installing linuxserver/mods:swag-dashboard
[mod-init] linuxserver/mods:swag-dashboard applied to container
[mod-init] Adding linuxserver/mods:swag-crowdsec to container
[mod-init] Downloading linuxserver/mods:swag-crowdsec from lscr.io
[mod-init] Installing linuxserver/mods:swag-crowdsec
[mod-init] linuxserver/mods:swag-crowdsec applied to container
[migrations] started
[migrations] 01-nginx-site-confs-default: skipped
[migrations] done
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    998
User GID:    100
───────────────────────────────────────
Linuxserver.io version: 2.11.0-ls313
Build-date: 2024-07-27T03:23:38+00:00
───────────────────────────────────────

using keys found in /config/keys
Variables set:
PUID=998
PGID=100
TZ=Europe/Paris
URL=<domain>
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=dns
CERTPROVIDER=
DNSPLUGIN=<plugin>
EMAIL=<email>
STAGING=

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for <domain> will be requested
E-mail address entered: <email>
dns validation via <plugin> plugin is selected
Certificate exists; parameters unchanged; starting nginx
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
**** Applying the SWAG dashboard mod... ****
Applying the dbip mod...
Applied the dbip mod
**** Configuring CrowdSec nginx Bouncer ****
**** Adding goaccess to package install list ****
**** libmaxminddb already installed, skipping ****
**** Applied the SWAG dashboard mod ****
**** Successfully configured CrowdSec nginx Bouncer v1.0.8 ****
[pkg-install-init] **** Installing all mod packages ****
fetch http://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.20/community/x86_64/APKINDEX.tar.gz
(1/17) Installing gettext-envsubst (0.22.5-r0)
(2/17) Installing libgomp (13.2.1_git20240309-r0)
(3/17) Installing gettext-libs (0.22.5-r0)
(4/17) Installing gettext (0.22.5-r0)
(5/17) Installing goaccess (1.9.2-r0)
(6/17) Installing lua5.1-libs (5.1.5-r13)
(7/17) Installing lua5.1 (5.1.5-r13)
(8/17) Installing lua-resty-http (0.17.2-r0)
(9/17) Installing luajit (2.1_p20240314-r0)
(10/17) Installing lua-resty-lrucache (0.13-r1)
(11/17) Installing lua-resty-core (0.1.28-r0)
(12/17) Installing nginx-mod-http-lua (1.26.1-r0)
(13/17) Installing lua-resty-string (0.15-r0)
(14/17) Installing lua-sec (1.3.2-r0)
(15/17) Installing lua5.1-socket (3.1.0-r1)
(16/17) Installing lua5.1-sec (1.3.2-r0)
(17/17) Installing lua5.1-cjson (2.1.0-r11)
Executing busybox-1.36.1-r29.trigger
OK: 206 MiB in 234 packages
[custom-init] Files found, executing
[custom-init] renew.sh: executing...
<------------------------------------------------->
[INIT] Running certbot renew on Thu Aug  1 22:14:16 CEST 2024
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Thu Aug  1 22:14:16 CEST 2024
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<domain>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:238: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if not response_ocsp.this_update:
/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:240: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if response_ocsp.this_update > now + timedelta(minutes=5):
/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:242: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.
  if response_ocsp.next_update and response_ocsp.next_update < now - timedelta(minutes=5):
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/<domain>/fullchain.pem expires on 2024-09-05 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[custom-init] renew.sh: exited 0
[ls.io-init] done.
nginx: [error] [lua] crowdsec.lua:62: init(): error loading captcha plugin: no recaptcha site key provided, can't use recaptcha
nginx: [alert] [lua] crowdsec_nginx.conf:4):8: [Crowdsec] Initialisation done
Server ready
@j0nnymoe
Member

j0nnymoe commented Aug 1, 2024

cryptography 43.0.0 python

This package is already on 43.0.0

@GuiPoM
Author

GuiPoM commented Aug 1, 2024

Yes ... this is indeed the problem. It creates the issue because it is too recent for the rest of the libs which are bundled together

edit: see my comment in the initial post

This is linked to certbot and cryptography being updated to 43.0.0
certbot/certbot#9967 (comment)

@LinuxServer-CI
Contributor

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

@2esq

2esq commented Sep 7, 2024

I'm also having this issue. Running SWAG on latest.

/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:238: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if not response_ocsp.this_update:
/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:240: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if response_ocsp.this_update > now + timedelta(minutes=5):
/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:242: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.
  if response_ocsp.next_update and response_ocsp.next_update < now - timedelta(minutes=5):

@aptalca
Member

aptalca commented Sep 8, 2024

This needs to be fixed on certbot's end. Based on the linked issue upstream, it's an incompatibility between certbot and cryptography 43.0.0, but certbot lists no maximum version in their install deps for cryptography, only a minimum, so a pip install certbot results in installing cryptography 43.0.0.

Certbot can either make it compatible with the recent cryptography, or can define a maximum version.

https://github.com/certbot/certbot/blob/v2.11.0/certbot/setup.py#L33
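
The three comparisons quoted in the warning (ocsp.py lines 238 to 242), written against the timezone-aware this_update_utc / next_update_utc properties with a fallback for cryptography releases that only expose the naive ones. This is an added example, not certbot's or cryptography's code: NewResponse, ocsp_times_valid and check_strict are hypothetical names, and the response objects are constructed stand-ins rather than parsed OCSP responses.

```python
import warnings
from datetime import datetime, timedelta, timezone

SKEW = timedelta(minutes=5)   # same tolerance as the certbot lines in the warning
_MISSING = object()

def _aware(resp, name):
    """Return resp.<name>_utc if present, else the naive value tagged as UTC."""
    value = getattr(resp, name + "_utc", _MISSING)
    if value is _MISSING:                      # older cryptography: naive only
        value = getattr(resp, name)
        if value is not None:
            value = value.replace(tzinfo=timezone.utc)
    return value

def ocsp_times_valid(resp, now=None):
    """Freshness window check on an OCSP response, using aware datetimes only."""
    now = now or datetime.now(timezone.utc)
    this_update = _aware(resp, "this_update")
    next_update = _aware(resp, "next_update")
    if not this_update:
        return False                           # responder gave no thisUpdate
    if this_update > now + SKEW:
        return False                           # response claims to be from the future
    if next_update and next_update < now - SKEW:
        return False                           # response has expired
    return True

class NewResponse:
    """Constructed stand-in for a cryptography >= 43 response: the naive
    properties still work but emit a deprecation warning when read."""
    def __init__(self, this_update_utc, next_update_utc):
        self.this_update_utc = this_update_utc
        self.next_update_utc = next_update_utc

    def _naive(self, name):
        warnings.warn(f"Please switch to {name}_utc.", DeprecationWarning, stacklevel=3)
        value = getattr(self, name + "_utc")
        return value and value.replace(tzinfo=None)

    this_update = property(lambda self: self._naive("this_update"))
    next_update = property(lambda self: self._naive("next_update"))

def check_strict(resp, now):
    """Run the check with DeprecationWarning promoted to an error, as a CI job might."""
    with warnings.catch_warnings():
        warnings.simplefilter("error", DeprecationWarning)
        return ocsp_times_valid(resp, now)
```

Because the check never reads the naive properties when the _utc ones exist, it stays silent on cryptography 43 while giving the same answer on older releases.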

@LinuxServer-CI
Contributor

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

@LinuxServer-CI LinuxServer-CI closed this as not planned Dec 8, 2024
@LinuxServer-CI LinuxServer-CI moved this from Issues to Done in Issue & PR Tracker Dec 8, 2024