[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#887399: marked as done (stretch-pu: package python-certbot/0.10.2-1)

Your message dated Sat, 16 Feb 2019 11:36:33 +0000
with message-id <1550316993.21192.50.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.8
has caused the Debian Bug report #887399,
regarding stretch-pu: package python-certbot/0.10.2-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
887399: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887399
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hello Release Team,

Due to a security issue in the underlying Let's Encrypt protocol, one of the main methods of getting certificates from Let's Encrypt has been disabled (the TLS-SNI-01 protocol; https://community.letsencrypt.org/t/tls-sni-challenges-disabled-for-most-new-issuance/50316 for more info).

This puts us in a bit of an awkward spot.  The upstream certbot provider is preparing to do a new release that has support for HTTP-01 inside the python-certbot-apache and python-certbot-nginx plugins, as well as the required work in python-acme and python-certbot (and certbot), but I'm not sure backporting the patches is realistic.  A lot of development has been done in the interim, both in the certbot packaging and in the upstream software.  Without those patches, users with the apache or nginx plugins will fail to update their certificates starting 2018-04-09.

I can talk to the certbot upstream to see if they'd be willing to help backport the patches (CCed), but initial conversations seem to indicate that doing so will be difficult.

The other approach that we can take is to backport the next version that supports the new challenge through to s-p-u and into stable.  I'm guessing that you will ask me to unwind the work I did to convert to python3 in the last release (sadface), but I can do that if that's what it needs to get this fixed in stable.

Gurus and Wise Ones, I beseech you for guidance!

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message --- 
Version: 9.8

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
Reply to: