linuxserver / docker-swag

Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.
https://docs.linuxserver.io/general/swag
GNU General Public License v3.0

Update to cryptography 43.0.0: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated 2.11.0-ls313 Build-date:- 2024-07-27T03:23:38+00:00 #495

Open GuiPoM opened 1 month ago

GuiPoM commented 1 month ago

Is there an existing issue for this?

Current Behavior

When running docker-swag and renewing the certificate, the following logs are displayed:

/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:238: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if not response_ocsp.this_update:
/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:240: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if response_ocsp.this_update > now + timedelta(minutes=5):
/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:242: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.
  if response_ocsp.next_update and response_ocsp.next_update < now - timedelta(minutes=5):

This is linked to certbot and cryptography being updated to 43.0.0 https://github.com/certbot/certbot/issues/9967#issuecomment-2246806307

Expected Behavior

No deprecation logs should be seen

Steps To Reproduce

I am running 2.11.0-ls313 Build-date:- 2024-07-27T03:23:38+00:00

Environment

- OS:Linux 6.1.0-23-amd64 (OMV 7.4.3-1)
- How docker service was installed: APT

CPU architecture

x86-64

Docker creation

swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=${PUID:?PUID is required}
      - PGID=${PGID:?PGID is required}
      - TZ=${TZ:?TZ is required}
      - EMAIL=${EMAIL:?EMAIL is required}
      - URL=${DOMAIN:?DOMAIN is required}
      - SUBDOMAINS=wildcard
      - VALIDATION=dns
      - DNSPLUGIN=${DNSPLUGIN}
      # DOCKER MODS
      - DOCKER_MODS=linuxserver/mods:swag-dbip|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-crowdsec
      - DOCKER_MODS_DEBUG=false
      # Crowdsec
      - CROWDSEC_API_KEY=${CROWDSEC_BOUNCER_KEY_SWAG:?CROWDSEC_BOUNCER_KEY_SWAG is required}
      - CROWDSEC_LAPI_URL=http://crowdsec:8080
      - CROWDSEC_F2B_DISABLE=false
      # Google reCAPTCHA: https://www.google.com/recaptcha/admin
      # - CROWDSEC_CAPTCHA_PROVIDER=recaptcha
      # - CROWDSEC_SITE_KEY=${CROWDSEC_RECAPTCHA_SITE_KEY:?CROWDSEC_RECAPTCHA_SITE_KEY is required}
      # - CROWDSEC_SECRET_KEY=${CROWDSEC_RECAPTCHA_SECRET_KEY:?CROWDSEC_RECAPTCHA_SECRET_KEY is required}
    labels:
      - diun.enable=true
      - homepage.group=NAS
      - homepage.name=SWAG/nginx
      - homepage.weight=101
      - homepage.icon=nginx.svg
      - homepage.widget.type=swagdashboard
      - homepage.widget.fields=["proxied", "auth", "outdated", "banned"]
      - homepage.widget.url=http://swag:81
      #- homepage.widget.url=https://dashboard.${DOMAIN:?DOMAIN is required}
    volumes:
      - ${APPDATA_PATH:?APPDATA_PATH is required}/swag/config:/config
      - ${APPDATA_PATH:?APPDATA_PATH is required}/swag/custom-cont-init.d:/custom-cont-init.d:ro
      - ${APPDATA_PATH:?APPDATA_PATH is required}/authelia/config/authelia.log:/authelia/authelia.log:ro
      - ${APPDATA_PATH:?APPDATA_PATH is required}/nextcloud/data/nextcloud.log:/nextcloud/nextcloud.log:ro
      - ${APPDATA_PATH:?APPDATA_PATH is required}/jellyfin/log:/jellyfin/log:ro
    ports:
      - 443:443
      #- 81:81 #dashboard
      #- 8080:80 #optional
    extra_hosts:
      - nas.host:192.168.1.40
    security_opt:
      - no-new-privileges=true
    restart: unless-stopped
    networks:
      - crowdsec
      - dockge
      - duplicati
      - filebrowser
      - guacamole
      - homepage
      - jellyfin
      - librespeed
      - nextcloud
      - ollama
      - portainer
      - vaultwarden

Container logs

[custom-init] No custom services found, skipping...
[mod-init] Running Docker Modification Logic
[mod-init] Adding linuxserver/mods:swag-dbip to container
[mod-init] Downloading linuxserver/mods:swag-dbip from lscr.io
[mod-init] Installing linuxserver/mods:swag-dbip
[mod-init] linuxserver/mods:swag-dbip applied to container
[mod-init] Adding linuxserver/mods:swag-dashboard to container
[mod-init] Downloading linuxserver/mods:swag-dashboard from lscr.io
[mod-init] Installing linuxserver/mods:swag-dashboard
[mod-init] linuxserver/mods:swag-dashboard applied to container
[mod-init] Adding linuxserver/mods:swag-crowdsec to container
[mod-init] Downloading linuxserver/mods:swag-crowdsec from lscr.io
[mod-init] Installing linuxserver/mods:swag-crowdsec
[mod-init] linuxserver/mods:swag-crowdsec applied to container
[migrations] started
[migrations] 01-nginx-site-confs-default: skipped
[migrations] done
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    998
User GID:    100
───────────────────────────────────────
Linuxserver.io version: 2.11.0-ls313
Build-date: 2024-07-27T03:23:38+00:00
───────────────────────────────────────

using keys found in /config/keys
Variables set:
PUID=998
PGID=100
TZ=Europe/Paris
URL=<domain>
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=dns
CERTPROVIDER=
DNSPLUGIN=<plugin>
EMAIL=<email>
STAGING=

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for <domain> will be requested
E-mail address entered: <email>
dns validation via <plugin> plugin is selected
Certificate exists; parameters unchanged; starting nginx
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
**** Applying the SWAG dashboard mod... ****
Applying the dbip mod...
Applied the dbip mod
**** Configuring CrowdSec nginx Bouncer ****
**** Adding goaccess to package install list ****
**** libmaxminddb already installed, skipping ****
**** Applied the SWAG dashboard mod ****
**** Successfully configured CrowdSec nginx Bouncer v1.0.8 ****
[pkg-install-init] **** Installing all mod packages ****
fetch http://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.20/community/x86_64/APKINDEX.tar.gz
(1/17) Installing gettext-envsubst (0.22.5-r0)
(2/17) Installing libgomp (13.2.1_git20240309-r0)
(3/17) Installing gettext-libs (0.22.5-r0)
(4/17) Installing gettext (0.22.5-r0)
(5/17) Installing goaccess (1.9.2-r0)
(6/17) Installing lua5.1-libs (5.1.5-r13)
(7/17) Installing lua5.1 (5.1.5-r13)
(8/17) Installing lua-resty-http (0.17.2-r0)
(9/17) Installing luajit (2.1_p20240314-r0)
(10/17) Installing lua-resty-lrucache (0.13-r1)
(11/17) Installing lua-resty-core (0.1.28-r0)
(12/17) Installing nginx-mod-http-lua (1.26.1-r0)
(13/17) Installing lua-resty-string (0.15-r0)
(14/17) Installing lua-sec (1.3.2-r0)
(15/17) Installing lua5.1-socket (3.1.0-r1)
(16/17) Installing lua5.1-sec (1.3.2-r0)
(17/17) Installing lua5.1-cjson (2.1.0-r11)
Executing busybox-1.36.1-r29.trigger
OK: 206 MiB in 234 packages
[custom-init] Files found, executing
[custom-init] renew.sh: executing...
<------------------------------------------------->
[INIT] Running certbot renew on Thu Aug  1 22:14:16 CEST 2024
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Thu Aug  1 22:14:16 CEST 2024
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<domain>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:238: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if not response_ocsp.this_update:
/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:240: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if response_ocsp.this_update > now + timedelta(minutes=5):
/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:242: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.
  if response_ocsp.next_update and response_ocsp.next_update < now - timedelta(minutes=5):
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/<domain>/fullchain.pem expires on 2024-09-05 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[custom-init] renew.sh: exited 0
[ls.io-init] done.
nginx: [error] [lua] crowdsec.lua:62: init(): error loading captcha plugin: no recaptcha site key provided, can't use recaptcha
nginx: [alert] [lua] crowdsec_nginx.conf:4):8: [Crowdsec] Initialisation done
Server ready
j0nnymoe commented 1 month ago

https://github.com/linuxserver/docker-swag/blob/5b096a8a66442ee0cee05326985b75d98b399ccf/package_versions.txt#L94

This package is already on 43.0.0

GuiPoM commented 1 month ago

Yes ... this is indeed the problem. It creates the issue because it is too recent for the rest of the libs which are bundled together

edit: see my comment in the initial post

This is linked to certbot and cryptography being updated to 43.0.0 https://github.com/certbot/certbot/issues/9967#issuecomment-2246806307

LinuxServer-CI commented 1 week ago

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

2esq commented 1 day ago

I'm also having this issue. Running SWAG on latest.

/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:238: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if not response_ocsp.this_update:
/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:240: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if response_ocsp.this_update > now + timedelta(minutes=5):
/lsiopy/lib/python3.12/site-packages/certbot/ocsp.py:242: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.
  if response_ocsp.next_update and response_ocsp.next_update < now - timedelta(minutes=5):

aptalca commented 1 day ago

This needs to be fixed on certbot's end. Based on the linked issue upstream, it's an incompatibility between certbot and cryptography 43.0.0, but certbot lists no maximum version in their install deps for cryptography, only a minimum, so a `pip install certbot` results in installing cryptography 43.0.0.

Certbot can either make it compatible with the recent cryptography, or can define a maximum version.

https://github.com/certbot/certbot/blob/v2.11.0/certbot/setup.py#L33
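For readers who maintain their own tooling around certbot or cryptography, the following is an added example (not code from SWAG, certbot or the cryptography project) of what the fix the warnings ask for looks like. It reimplements the three OCSP freshness checks quoted at ocsp.py lines 238/240/242 so that they read the timezone-aware `this_update_utc` / `next_update_utc` properties that cryptography 43 introduced, falling back to the naive properties on older releases. The `LegacyResponse` and `ModernResponse` classes are constructed stand-ins for cryptography's `OCSPResponse`, not the real class, so the block runs offline; `SKEW`, `NOW` and the sample timestamps are constructed values.

```python
# Added illustration, not SWAG's or certbot's code: the OCSP freshness
# checks from the quoted warnings, rewritten to use the aware *_utc
# properties (cryptography >= 43) with a fallback for naive ones.
import warnings
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SKEW = timedelta(minutes=5)  # clock-skew tolerance, as in the warning lines
NOW = datetime(2024, 8, 1, 20, 14, 16, tzinfo=timezone.utc)  # constructed


def _field_utc(resp, name: str) -> Optional[datetime]:
    """Return resp.this_update / resp.next_update as an aware UTC datetime.
    cryptography >= 43 exposes `<name>_utc` (no deprecation warning); older
    releases only have the naive property, documented as UTC, so tag it."""
    if hasattr(type(resp), name + "_utc"):
        return getattr(resp, name + "_utc")
    value = getattr(resp, name)
    if value is not None and value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value


def ocsp_freshness_problem(resp, now: Optional[datetime] = None) -> Optional[str]:
    """None if the response is acceptable, else a short reason.
    `now` must be aware so comparisons with aware timestamps never raise."""
    if now is None:
        now = datetime.now(timezone.utc)
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware: datetime.now(timezone.utc)")
    this_update = _field_utc(resp, "this_update")
    next_update = _field_utc(resp, "next_update")
    if not this_update:
        return "no this_update"
    if this_update > now + SKEW:
        return "this_update is in the future"
    if next_update and next_update < now - SKEW:
        return "next_update is in the past"
    return None


def count_deprecation_warnings(resp, now: datetime) -> int:
    """DeprecationWarnings triggered by one freshness check (goal: 0)."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        ocsp_freshness_problem(resp, now)
    return sum(1 for w in caught if issubclass(w.category, DeprecationWarning))


def mixed_comparison_raises() -> bool:
    """Why the migration matters: once the properties return aware values,
    comparing them with a naive datetime.now() raises TypeError."""
    try:
        _ = datetime.now() > datetime.now(timezone.utc)
    except TypeError:
        return True
    return False


# Constructed stand-ins for cryptography's OCSPResponse (not the real class).
@dataclass
class LegacyResponse:
    """Like cryptography < 43: naive UTC properties only."""
    this_update: Optional[datetime]
    next_update: Optional[datetime]


@dataclass
class ModernResponse:
    """Like cryptography >= 43: naive properties warn, *_utc ones are aware."""
    _this_update: Optional[datetime]
    _next_update: Optional[datetime]

    @staticmethod
    def _aware(value: Optional[datetime]) -> Optional[datetime]:
        return value.replace(tzinfo=timezone.utc) if value else None

    @property
    def this_update(self) -> Optional[datetime]:
        warnings.warn("naive datetime properties are deprecated", DeprecationWarning)
        return self._this_update

    @property
    def next_update(self) -> Optional[datetime]:
        warnings.warn("naive datetime properties are deprecated", DeprecationWarning)
        return self._next_update

    @property
    def this_update_utc(self) -> Optional[datetime]:
        return self._aware(self._this_update)

    @property
    def next_update_utc(self) -> Optional[datetime]:
        return self._aware(self._next_update)


def sample_responses(now: datetime) -> dict:
    """Constructed responses covering fresh, stale, future-dated and empty."""
    n = now.replace(tzinfo=None)  # stand-ins store naive UTC like the library
    return {
        "fresh": ModernResponse(n - timedelta(hours=1), n + timedelta(days=6)),
        "stale": LegacyResponse(n - timedelta(days=8), n - timedelta(days=1)),
        "future": ModernResponse(n + timedelta(hours=1), None),
        "empty": ModernResponse(None, None),
    }


if __name__ == "__main__":
    for label, resp in sample_responses(NOW).items():
        print(label, ocsp_freshness_problem(resp, NOW),
              "warnings:", count_deprecation_warnings(resp, NOW))
```

The `hasattr(type(resp), ...)` probe is what lets one code path serve both library generations without pinning cryptography to a maximum version; the `now` argument is always aware, which is the other half of the migration the warning text implies.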