snap: disable FIPS detection (#10067)

This is needed because the Python + OpenSSL bundled in core24 don't include an OpenSSL FIPS provider, which causes crashes on host systems with OpenSSL 1.1.1f (e.g. Ubuntu Pro 20.04). For some reason, core24's OpenSSL also looks in a non-standard location for the provider, which also causes crashes on systems with OpenSSL 3.x (e.g. RHEL 9). If you need FIPS functionality in certbot, install via pip.
2026-05-28 04:34:11 -04:00 · 2024-12-19 10:55:53 -08:00 · 2024-12-19 10:55:53 -08:00 · 25a1933e01
commit 25a1933e01
parent 0f500e8010
1 changed files with 12 additions and 0 deletions
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@ -27,6 +27,18 @@ environment:
  OPENSSL_MODULES: "$SNAP/usr/lib/$CRAFT_ARCH_TRIPLET_BUILD_FOR/ossl-modules"
  PATH: "$SNAP/bin:$SNAP/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"
  PYTHONPATH: "$SNAP/lib/python3.12/site-packages:${PYTHONPATH}"
+  # Disable FIPS mode detection. See
+  # https://git.launchpad.net/ubuntu/+source/openssl/tree/debian/patches/fips/crypto-Add-kernel-FIPS-mode-detection.patch?h=applied/ubuntu/noble
+  # for more on this flag, and https://github.com/certbot/certbot/issues/10044
+  # for more on the issue.
+  #
+  # This is needed because the Python + OpenSSL bundled in core24 don't include
+  # an OpenSSL FIPS provider, which causes crashes on host systems with OpenSSL
+  # 1.1.1f (e.g. Ubuntu Pro 20.04). For some reason, core24's OpenSSL also looks
+  # in a non-standard location for the provider, which also causes crashes on
+  # systems with OpenSSL 3.x (e.g. RHEL 9). If you need FIPS functionality in
+  # certbot, install via pip.
+  OPENSSL_FORCE_FIPS_MODE: "0"

 apps:
  certbot: