
Bug#887399: stretch-pu: package python-certbot/0.10.2-1

What can be done to get this issue resolved?

This issue has jumped in priority now that domain validation through the TLS-SNI-01 challenge will be completely unsupported by Let’s Encrypt on February 13th, 2019. See https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209.

While the TLS-SNI-01 challenge was initially disabled by Let’s Encrypt over 10 months ago, an exception had been made for people renewing certificates they had previously obtained using the challenge. This exception is going away on the above date. This means that unless users manually intervene or are upgraded to a new version of Certbot, certificate renewal will fail.

I pulled some numbers on this from Let’s Encrypt and found that there were nearly 15,000 unique Debian Stretch installations that were currently relying on this exception. This is for over 32,000 certificates covering nearly 50,000 domains.

There are even more affected users on jessie-backports. Since the packages in jessie-backports cannot be upgraded to a newer version due to the version in Stretch, they are stuck on an incompatible version as well. This is nearly 20,000 unique installations for over 52,000 certificates covering nearly 85,000 domains.

I certainly would like to avoid having all of these renewals fail. Please let me know if there's anything I can do to help make a version of Certbot that is compatible with Let’s Encrypt’s changes available in Debian.
