
Certbot security update (Bug #969126)



Hello LTS team!

The security team pointed me in your direction as the ones holding
ownership of oldstable.

As part of the deprecation of the Let's Encrypt v1 API starting in
January, we need to enable automatic conversion of the use of the v1
endpoints to v2 endpoints in the version of certbot currently used in
stretch.

I have backported the minimal set of patches required to do so, and
I'm attaching the debdiff to this email.  If you give the thumbs up, I
can work with the security team to put it down the stretch-security
path for updates, unless you have a better approach.

Please let me know if you have any questions.

-- 
Harlan Lieberman-Berg
~hlieberman
diff -Nru python-certbot-0.28.0/debian/changelog python-certbot-0.28.0/debian/changelog
--- python-certbot-0.28.0/debian/changelog	2019-03-10 13:36:06.000000000 -0400
+++ python-certbot-0.28.0/debian/changelog	2020-09-26 14:25:09.000000000 -0400
@@ -1,3 +1,15 @@
+python-certbot (0.28.0-1~deb9u3) stretch-security; urgency=high
+
+  * Switch to use of ACMEv2 API to prevent renewal failures.  (Closes: #969126)
+  
+    Let's Encrypt's ACMEv1 API is deprecated and in the process of being
+    shut down. Beginning with brownouts in January 2021, and ending with a
+    total shutdown in June 2021, the Let's Encrypt APIs will become
+    unavailable. To prevent users having disruptions to their certificate
+    renewals, this update backports the switch over to the ACMEv2 API.
+
+ -- Harlan Lieberman-Berg <hlieberman@debian.org>  Sat, 26 Sep 2020 14:25:09 -0400
+
 python-certbot (0.28.0-1~deb9u2) stretch; urgency=high
 
   * The previous stable update incorrectly disabled systemd timer due to a
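Review bot: the changelog wording "backports the switch over to the ACMEv2 API" overstates what the attached patch does; nothing in the debdiff changes CLI_DEFAULTS["server"] (the context at the top of the constants.py hunk already shows a v02 staging directory), it only recognises a renewal config that still pins the acme-v01 directory URL and substitutes the current default. Suggest rewording to something like "Map the deprecated ACMEv1 directory URL stored in old renewal configs to the default ACMEv2 endpoint so renewals keep working", so that a reader of the changelog knows which installations are affected (those whose renewal configs predate the v2 default). Minor style point: the blank line after the first bullet carries trailing whitespace ("+  "), which lintian will flag.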
diff -Nru python-certbot-0.28.0/debian/patches/0002-acmev2-api.patch python-certbot-0.28.0/debian/patches/0002-acmev2-api.patch
--- python-certbot-0.28.0/debian/patches/0002-acmev2-api.patch	1969-12-31 19:00:00.000000000 -0500
+++ python-certbot-0.28.0/debian/patches/0002-acmev2-api.patch	2020-09-26 14:25:09.000000000 -0400
@@ -0,0 +1,88 @@
+From 8a15bd7927e2b8956bb1f4d062423e471e473ccf Mon Sep 17 00:00:00 2001
+From: Alex Zorin <alex@zorin.id.au>
+Date: Thu, 21 May 2020 22:58:40 +1000
+Subject: [PATCH 1/2] renewal: disregard acme-v01 in renewal configs
+
+Fixes #7979
+---
+ certbot/_internal/constants.py |  2 ++
+ certbot/_internal/renewal.py   | 17 +++++++++++++++--
+ certbot/tests/renewal_test.py          |  8 ++++++++
+ 3 files changed, 25 insertions(+), 2 deletions(-)
+
+Index: python-certbot/certbot/constants.py
+===================================================================
+--- python-certbot.orig/certbot/constants.py
++++ python-certbot/certbot/constants.py
+@@ -117,6 +117,8 @@ CLI_DEFAULTS = dict(
+ )
+ STAGING_URI = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ 
++V1_URI = "https://acme-v01.api.letsencrypt.org/directory";
++
+ # The set of reasons for revoking a certificate is defined in RFC 5280 in
+ # section 5.3.1. The reasons that users are allowed to submit are restricted to
+ # those accepted by the ACME server implementation. They are listed in
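Review bot: the embedded patch has no DEP-3 metadata; since it is a cherry-pick with rewritten paths, the file should start with Origin (the upstream commit 8a15bd7927e2b8956bb1f4d062423e471e473ccf from the retained header), Bug-Debian pointing at #969126 and an Applied-Upstream line, so the next maintainer can tell which upstream change this is. Related: the upstream diffstat that was kept lists certbot/_internal/constants.py and certbot/_internal/renewal.py, while the Index: lines below patch certbot/constants.py and certbot/renewal.py (0.28.0 has no _internal package), so either drop the stale diffstat or add a comment that the paths were adjusted for this version. The V1_URI addition itself looks fine.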
+Index: python-certbot/certbot/renewal.py
+===================================================================
+--- python-certbot.orig/certbot/renewal.py
++++ python-certbot/certbot/renewal.py
+@@ -14,6 +14,7 @@ import OpenSSL
+ from acme.magic_typing import List  # pylint: disable=unused-import, no-name-in-module
+ 
+ from certbot import cli
++from certbot import constants
+ from certbot import crypto_util
+ from certbot import errors
+ from certbot import interfaces
+@@ -244,16 +245,28 @@ def _restore_int(name, value):
+         raise errors.Error("Expected a numeric value for {0}".format(name))
+ 
+ 
+-def _restore_str(unused_name, value):
++def _restore_str(name, value):
+     """Restores an string key-value pair from a renewal config file.
+ 
+-    :param str unused_name: option name
++    :param str name: option name
+     :param str value: option value
+ 
+     :returns: converted option value to be stored in the runtime config
+     :rtype: str or None
+ 
+     """
++    # Previous to v0.5.0, Certbot always stored the `server` URL in the renewal config,
++    # resulting in configs which explicitly use the deprecated ACMEv1 URL, today
++    # preventing an automatic transition to the default modern ACME URL.
++    # (https://github.com/certbot/certbot/issues/7978#issuecomment-625442870)
++    # As a mitigation, this function reinterprets the value of the `server` parameter if
++    # necessary, replacing the ACMEv1 URL with the default ACME URL. It is still possible
++    # to override this choice with the explicit `--server` CLI flag.
++    if name == "server" and value == constants.V1_URI:
++        logger.info("Using server %s instead of legacy %s",
++                    constants.CLI_DEFAULTS["server"], value)
++        return constants.CLI_DEFAULTS["server"]
++
+     return None if value == "None" else value
+ 
+ 
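Review bot: the check in _restore_str is an exact string comparison against constants.V1_URI, so only the literal production v01 directory URL is rewritten; a stored value that differs by a trailing slash, or that points at the v01 staging directory, still passes through unchanged and will fail at renewal time. Consider at least normalising a trailing slash before comparing, or documenting in the changelog that only the exact production URL is handled. Two things to confirm since the hunk does not show them: that renewal.py in 0.28.0 already defines a module-level `logger` (the new code calls logger.info without adding one), and that the caller of _restore_str skips the substitution when --server was given on the CLI, which is what the new comment promises. The "Restores an string" typo is pre-existing context, optional to touch here.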
+Index: python-certbot/certbot/tests/renewal_test.py
+===================================================================
+--- python-certbot.orig/certbot/tests/renewal_test.py
++++ python-certbot/certbot/tests/renewal_test.py
+@@ -31,6 +31,15 @@ class RenewalTest(test_util.ConfigTestCa
+         renewal._restore_webroot_config(config, renewalparams)
+         self.assertEqual(config.webroot_path, ['/var/www/'])
+ 
++    @mock.patch('certbot.renewal.cli.set_by_cli')
++    def test_ancient_server_renewal_conf(self, mock_set_by_cli):
++        from certbot import constants
++        self.config.server = None
++        mock_set_by_cli.return_value = False
++        from certbot.renewal import restore_required_config_elements
++        restore_required_config_elements(self.config, {'server': constants.V1_URI})
++        self.assertEqual(self.config.server, constants.CLI_DEFAULTS['server'])
++
+ 
+ class RestoreRequiredConfigElementsTest(test_util.ConfigTestCase):
+     """Tests for certbot.renewal.restore_required_config_elements."""
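Review bot: the new test is appended to RenewalTest, although the class that immediately follows in the context, RestoreRequiredConfigElementsTest, is the one dedicated to restore_required_config_elements; moving it there would keep the test next to its siblings. The test also only covers the exact V1_URI value; a second case asserting that an unrelated server URL (for example CLI_DEFAULTS['server'] itself or a custom one) is preserved would guard against the substitution being broadened by accident. The in-function imports are fine for a backport but could simply use the module-level `renewal` already imported by the surrounding tests (the context line above calls renewal._restore_webroot_config).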
diff -Nru python-certbot-0.28.0/debian/patches/series python-certbot-0.28.0/debian/patches/series
--- python-certbot-0.28.0/debian/patches/series	2019-03-10 13:36:06.000000000 -0400
+++ python-certbot-0.28.0/debian/patches/series	2020-09-26 14:25:09.000000000 -0400
@@ -1,2 +1,3 @@
 f5aad1440f8143f003698670177fabfc5fa7bb9c.patch
 0001-remove-external-images.patch
+0002-acmev2-api.patch
