Your message dated Fri, 27 Aug 2021 15:33:47 +0200 with message-id <3857765.gJaRSux1Jz@odyx.org> and subject line Re: Bug#992378: /etc/apparmor.d/usr.sbin.cupsd: Prevents Let's Encrypt certificates from being used has caused the Debian Bug report #992378, regarding /etc/apparmor.d/usr.sbin.cupsd: Prevents Let's Encrypt certificates from being used to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 992378: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992378 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: /etc/apparmor.d/usr.sbin.cupsd: Prevents Let's Encrypt certificates from being used
- From: Roger Lynn <roger@rilynn.me.uk>
- Date: Wed, 18 Aug 2021 00:30:00 +0100
- Message-id: <[🔎] 162924300034.30925.16399418544737982221.reportbug@castle.rilynn.me.uk>
Package: cups-daemon Version: 2.3.3op2-3+deb11u1 Severity: normal File: /etc/apparmor.d/usr.sbin.cupsd Adding /etc/letsencrypt/archive/** r, seems to fix this. I only discovered what was causing the problem when I stumbled across https://askubuntu.com/questions/1079957 Thanks, Roger -- System Information: Debian Release: 11.0 APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) LSM: AppArmor: enabled Versions of packages cups-daemon depends on: ii adduser 3.118 ii bc 1.07.1-2+b2 ii init-system-helpers 1.60 ii libavahi-client3 0.8-5 ii libavahi-common3 0.8-5 ii libc6 2.31-13 ii libcups2 2.3.3op2-3+deb11u1 ii libdbus-1-3 1.12.20-2 ii libelogind0 [libsystemd0] 246.9.1-1+debian1 ii libgssapi-krb5-2 1.18.3-6 ii libpam0g 1.4.0-9 ii libpaper1 1.1.28+b1 ii lsb-base 11.1.0 ii procps 2:3.3.17-5 ii ssl-cert 1.1.0+nmu1 Versions of packages cups-daemon recommends: pn avahi-daemon <none> pn colord <none> pn cups-browsed <none> pn ipp-usb <none> Versions of packages cups-daemon suggests: ii cups 2.3.3op2-3+deb11u1 ii cups-bsd 2.3.3op2-3+deb11u1 ii cups-client 2.3.3op2-3+deb11u1 ii cups-common 2.3.3op2-3+deb11u1 ii cups-filters 1.28.7-1 pn cups-pdf <none> ii cups-ppdc 2.3.3op2-3+deb11u1 ii cups-server-common 2.3.3op2-3+deb11u1 ii foomatic-db-compressed-ppds [foomatic-db] 20200820-1 ii ghostscript 9.53.3~dfsg-7 ii poppler-utils 20.09.0-3.1 pn smbclient <none> ii udev 247.3-6 -- Configuration Files: /etc/cups/cups-files.conf changed: CreateSelfSignedCerts no SystemGroup lpadmin LogFileGroup adm AccessLog /var/log/cups/access_log ErrorLog /var/log/cups/error_log PageLog /var/log/cups/page_log -- no debconf information
--- End Message ---
--- Begin Message ---
- To: Roger Lynn <roger@rilynn.me.uk>, 992378-done@bugs.debian.org
- Subject: Re: Bug#992378: /etc/apparmor.d/usr.sbin.cupsd: Prevents Let's Encrypt certificates from being used
- From: Didier 'OdyX' Raboud <odyx@debian.org>
- Date: Fri, 27 Aug 2021 15:33:47 +0200
- Message-id: <3857765.gJaRSux1Jz@odyx.org>
- In-reply-to: <[🔎] 162924300034.30925.16399418544737982221.reportbug@castle.rilynn.me.uk>
- References: <[🔎] 162924300034.30925.16399418544737982221.reportbug@castle.rilynn.me.uk>
Control: tags -1 +wontfix Hello Roger, and thanks for your bugreport. Le mercredi, 18 août 2021, 01.30:00 h CEST Roger Lynn a écrit : > Package: cups-daemon > Version: 2.3.3op2-3+deb11u1 > Severity: normal > File: /etc/apparmor.d/usr.sbin.cupsd > > Adding > /etc/letsencrypt/archive/** r, > seems to fix this. > > I only discovered what was causing the problem when I stumbled across > https://askubuntu.com/questions/1079957 Using Let's Encrypt is fine, allowed, and (apparently) working with CUPS, but as that's clearly not a default way of working for CUPS, I'd be _very_ reluctant to allow CUPS to access "all the Let's Encrypt certificates" on all systems it gets installed to. Furthermore, /etc/apparmor.d/usr.sbin.cupsd is a configuration file, freely modifiable by the local system administrator. In other words, imposing that a local system administrator needs to update that file to enable a specific type of certificates is reasonable. I'll therefore close this bug as +wontfix. That said, if you think a patch making the documentation clearer could be useful; feel free to reopen this bug and provide said patch. Best regards, OdyXAttachment: signature.asc
Description: This is a digitally signed message part.
--- End Message ---