Re: Certbot, Ring in Debian Stretch

To: Daniel Pocock <daniel@pocock.pro>
Cc: debian-devel@lists.debian.org
Subject: Re: Certbot, Ring in Debian Stretch
From: Peter Eckersley <pde@eff.org>
Date: Tue, 22 Nov 2016 14:26:43 -0800
Message-id: <[🔎] 20161122222643.GI4414@eff.org>
Mail-followup-to: Daniel Pocock <daniel@pocock.pro>, debian-devel@lists.debian.org
In-reply-to: <[🔎] 6f5af334-266c-9967-908b-d7e0454c7f42@pocock.pro>
References: <[🔎] 20161122014022.GB6935@eff.org> <[🔎] 6f5af334-266c-9967-908b-d7e0454c7f42@pocock.pro>

On Tue, Nov 22, 2016 at 08:23:59AM +0100, Daniel Pocock wrote:
> 
> I'd like to suggest an additional point relevant to all of the options: how
> well does the certbot client react when it is no longer usable?  Does the
> protocol include a mechanism to check the version?  Does the client give an
> explicit error telling the user to update the client and can it be tweaked
> so that Debian users are shown a message about getting the latest package
> from stable-backports?  Or will the user see some random error that doesn't
> mention the client version at all?
>

ACME includes an explicit versioning mechanism for inherently-breaking
protocol changes, and also a User Agent string that an be employed for
finer-grained conditional responses.

To date, we have never incremented the explicit versioning mechanism, but
there have been a couple of incompatibilities that could be characterised as
Certbot bugs which the Let's Encrypt servers initially tolerated, but
eventually stopped tolerating.

In this case: https://github.com/certbot/certbot/issues/2528 the server will
today send an error message, and buggy clients would print that error
instructing the user to upgrade Certbot and/or OpenSSL to fix the problem.
Note, however, that if Certbot is running in a renewal cron job, the sys admin
might miss that message.

In this case: https://github.com/certbot/certbot/issues/2768
the server was able to use the User Agent string to avoid sending incompatible
messages to older Certbot versions.

For cases in the future where ACME is intentionally being revised in an inherently
incompatible way, we would change the protocol's endpoint URI, and begin a 6-12
month compatibility window with the previous version.

In all cases we do have the option of sending email to the registered account
email addresses associated with older clients that are about to be
incompatible, provided that sys admins chose to give us an email address when
they created their Let's Encrypt accounts.

-- 
Peter Eckersley                            pde@eff.org
Chief Computer Scientist          Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993

Reply to:

References:
- Certbot in Debian Stretch
  - From: Peter Eckersley <pde@eff.org>
- Re: Certbot, Ring in Debian Stretch
  - From: Daniel Pocock <daniel@pocock.pro>

Prev by Date: Bug#845371: ITP: libdnssecjava-java -- A DNSSEC validating stub resolver for Java
Next by Date: Bug#845389: ITP: libpgobject-type-bytestring-perl -- Wrapper for raw strings mapping to BYTEA columns
Previous by thread: Re: Certbot, Ring in Debian Stretch
Next by thread: Re: Certbot in Debian Stretch
Index(es):
- Date
- Thread