Your message dated Sat, 07 Sep 2019 14:34:49 +0100 with message-id <f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk> and subject line Closing bugs for fixes including in 10.1 point release has caused the Debian Bug report #935370, regarding buster-pu: package lacme/0.5-1+deb10u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
935370: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935370
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package lacme/0.5-1+deb10u1
- From: Guilhem Moulin <guilhem@debian.org>
- Date: Thu, 22 Aug 2019 00:54:04 +0200
- Message-id: <20190821225403.GA13141@debian.org>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

Per RFC 8555 sec 6.3 the Let's Encrypt folks are deprecating unauthenticated GETs from their v2 API. Support for these requests will be removed on *Nov 01 2019* (so likely between Debian 10.1 and 10.2) [0].

lacme uses the v2 API by default since 0.5, and removing support for unauthenticated GETs means that applying for certificate issuance will stop working. Replacing GETs with POST-as-GETs is trivial (debdiff attached), and I'd like to fix that in Buster via s-p-u. (0.6 from Sid is not affected, and neither is 0.2 from Stretch as the latter supports only the v1 API.)

Cheers,
--
Guilhem.

[0] https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets

diffstat for lacme-0.5 lacme-0.5 changelog | 10 + gbp.conf | 2 patches/0002-Issue-GET-and-POST-as-GET-requests.patch | 121 ++++++++++++++++++ patches/series | 1 4 files changed, 133 insertions(+), 1 deletion(-) diff -Nru lacme-0.5/debian/changelog lacme-0.5/debian/changelog --- lacme-0.5/debian/changelog 2018-05-09 14:17:19.000000000 +0200 +++ lacme-0.5/debian/changelog 2019-08-22 00:14:42.000000000 +0200 @@ -1,3 +1,13 @@ +lacme (0.5-1+deb10u1) buster; urgency=medium + + * Link to RFC 8555 <https://tools.ietf.org/html/rfc8555> instead of the + ACME I-D URL. + * Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the + authorizations, order and certificate URLs. Let's Encrypt will remove + support of unauthenticated GETs from the V2 API on 01 Nov 2019. + + -- Guilhem Moulin <guilhem@debian.org> Thu, 22 Aug 2019 00:14:42 +0200 + lacme (0.5-1) unstable; urgency=medium * New upstream release, adding support for v2 ACME endpoints. diff -Nru lacme-0.5/debian/gbp.conf lacme-0.5/debian/gbp.conf --- lacme-0.5/debian/gbp.conf 2018-05-09 14:17:19.000000000 +0200 +++ lacme-0.5/debian/gbp.conf 2019-08-22 00:14:42.000000000 +0200 
@@ -1,6 +1,6 @@ [DEFAULT] upstream-branch = master -debian-branch = debian +debian-branch = debian-buster upstream-tag = upstream/%(version)s debian-tag = debian/%(version)s pristine-tar = False diff -Nru lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch --- lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch 1970-01-01 01:00:00.000000000 +0100 +++ lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch 2019-08-22 00:14:42.000000000 +0200 
@@ -0,0 +1,121 @@ +From f9d5e53cac1c002e5983efc18e42f5a21444b182 Mon Sep 17 00:00:00 2001 +From: Guilhem Moulin <guilhem@fripost.org> +Date: Wed, 21 Aug 2019 17:29:19 +0200 +Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) + +For the authorizations, order and certificate URLs. +See RFC 8555 sec. 7.1. +--- + client | 22 +++++++++++----------- + lacme-accountd.md | 2 +- + lacme.md | 2 +- + 3 files changed, 13 insertions(+), 13 deletions(-) + +--- a/client ++++ b/client +@@ -165,16 +165,16 @@ sub request_json_decode($;$$) { + ############################################################################# + # JSON-encode the hash reference $h and send it to the ACME server $uri + # encapsulated it in a JSON Web Signature (JWS). +-# https://tools.ietf.org/html/draft-ietf-acme-acme-12 ++# https://tools.ietf.org/html/rfc8555 + # +-sub acme($@) { +- my $uri = shift; ++sub acme($;$) { ++ my ($uri, $h) = @_; + die "Missing nonce\n" unless defined $NONCE; + + # Produce the JSON Web Signature: RFC 7515 section 5 + my %header = ( alg => 'RS256', nonce => $NONCE, url => $uri ); + defined $KID ? ($header{kid} = $KID) : ($header{jwk} = $JWK); +- my $payload = encode_base64url(json()->encode({ @_ })); ++ my $payload = defined $h ? encode_base64url(json()->encode($h)) : ""; + my $protected = encode_base64url(json()->encode(\%header)); + my $data = $protected .'.'. 
$payload; + $S->printflush($data, "\r\n"); +@@ -204,7 +204,7 @@ sub acme_resource($%) { + request(HEAD => $RES{newNonce}); + } + my $uri = $RES{$r} // die "Unknown resource '$r'\n"; +- acme($uri, @_); ++ acme($uri, {@_}); + } + + # Set the key ID (registration URI) +@@ -237,7 +237,7 @@ if ($COMMAND eq 'account') { + + if ($r->is_success()) { + $KID = $r->header('Location'); +- $r = acme($KID, %h); ++ $r = acme($KID, \%h); + request_json_decode($r, 1, \*STDOUT) + if $r->is_success() and $r->content_type() eq 'application/json'; + } +@@ -264,7 +264,7 @@ elsif ($COMMAND eq 'newOrder') { + my $order = request_json_decode($r); + + foreach (@{$order->{authorizations}}) { +- my $authz = request_json_decode(request(GET => $_)); ++ my $authz = request_json_decode(acme($_)); + next unless $authz->{status} eq 'pending'; + + my $identifier = $authz->{identifier}->{value}; +@@ -288,7 +288,7 @@ elsif ($COMMAND eq 'newOrder') { + die "Can't open $challenge->{token}: $!"; + } + +- $r = acme($challenge->{url}); ++ $r = acme($challenge->{url}, {}); + + # poll until the status become 'valid' + # XXX poll the order URL instead, to get the status of all +@@ -298,7 +298,7 @@ elsif ($COMMAND eq 'newOrder') { + $resp = request_json_decode($r), + $status = $resp->{status} // 'pending', + $status ne 'valid'; +- $r = request('GET' => $challenge->{url})) { ++ $r = acme($challenge->{url}, {})) { + if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807) + my $msg = $problem->{status}; + $msg .= " " .$problem->{title} if defined $problem->{title}; +@@ -321,7 +321,7 @@ elsif ($COMMAND eq 'newOrder') { + } + } + +- $r = acme($order->{finalize}, csr => encode_base64url($csr)); ++ $r = acme($order->{finalize}, {csr => encode_base64url($csr)}); + my $resp = request_json_decode($r); + + my $uri = $resp->{certificate}; +@@ -329,7 +329,7 @@ elsif ($COMMAND eq 'newOrder') { + + # pool until the cert is available + for (my $i = 0;;) { +- $r = request('GET' => $uri); ++ $r = acme($uri); 
+ die request_status_line($r), "\n" unless $r->is_success(); + last unless $r->code == 202; # Accepted + my $retry_after = $r->header('Retry-After') // 1; +--- a/lacme-accountd.md ++++ b/lacme-accountd.md +@@ -141,7 +141,7 @@ See also + + [`lacme`(1)], [`ssh`(1)] + +-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02 ++[ACME]: https://tools.ietf.org/html/rfc8555 + [`lacme`(1)]: lacme.1.html + [`signal`(7)]: http://linux.die.net/man/7/signal + [`gpg`(1)]: https://www.gnupg.org/documentation/manpage.en.html +--- a/lacme.md ++++ b/lacme.md +@@ -412,7 +412,7 @@ See also + + [`lacme-accountd`(1)] + +-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-12 ++[ACME]: https://tools.ietf.org/html/rfc8555 + [`lacme-accountd`(1)]: lacme-accountd.1.html + [`iptables`(8)]: http://linux.die.net/man/8/iptables + [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html diff -Nru lacme-0.5/debian/patches/series lacme-0.5/debian/patches/series --- lacme-0.5/debian/patches/series 2018-05-09 14:17:19.000000000 +0200 +++ lacme-0.5/debian/patches/series 2019-08-22 00:14:42.000000000 +0200 @@ -1 +1,2 @@ 0001-Mention-the-Debian-BTS-in-the-manpages.patch +0002-Issue-GET-and-POST-as-GET-requests.patchAttachment: signature.asc
Description: PGP signature
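Review bot: in the "@@ -165" hunk of client, the comment above acme() still describes only the case where $h is JSON-encoded, while the new "defined $h ? ... : """ branch makes an omitted $h mean a POST-as-GET with an empty payload. acme($uri) and acme($uri, {}) now send different requests, so the comment should say that an undefined $h produces the empty payload of RFC 8555 sec. 6.3 and that a caller wanting an empty JSON object must pass {} explicitly.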
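Review bot: in the "@@ -298" hunk of client, the poll step "$r = acme($challenge->{url}, {})" posts the {} object again on every loop iteration instead of issuing a POST-as-GET. RFC 8555 sec. 7.5.1 uses the {} POST to the challenge URL to tell the server the client is ready for validation, which the "@@ -288" hunk already does once before the loop. The poll only needs to read state, so it should be acme($challenge->{url}) with no second argument, the same form the "@@ -264" and "@@ -329" hunks use for the authorization and certificate URLs.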
--- End Message ---
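The difference between a POST-as-GET and a POST of an empty object, which the patched acme() expresses through its optional second argument, shown as an added example that is not part of the original message or of lacme. The function names, URLs, nonces and key ID are constructed for illustration, and demo_sign is an HMAC stand-in for the account-key signature so the block runs offline.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding JWS uses (RFC 7515 sec. 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def demo_sign(signing_input: bytes) -> bytes:
    # Stand-in (assumption) so the example runs offline: a real client signs
    # with its account key (RS256 in the patch); RFC 8555 forbids MACs here.
    return hmac.new(b"constructed-demo-key", signing_input, hashlib.sha256).digest()


def acme_body(url, nonce, kid, payload=None, sign=demo_sign):
    """Flattened JWS body of an ACME POST; payload=None means POST-as-GET."""
    header = {"alg": "RS256", "kid": kid, "nonce": nonce, "url": url}
    protected = b64url(json.dumps(header).encode())
    # POST-as-GET carries the empty string, not the encoding of "{}".
    encoded = "" if payload is None else b64url(json.dumps(payload).encode())
    signature = b64url(sign(f"{protected}.{encoded}".encode("ascii")))
    return json.dumps(
        {"protected": protected, "payload": encoded, "signature": signature}
    )


def classify(body: str) -> str:
    """Tell the three request shapes apart from the payload member alone."""
    payload = json.loads(body)["payload"]
    if payload == "":
        return "post-as-get"
    return "empty-object" if json.loads(b64url_decode(payload)) == {} else "post"


# Constructed sample values, not taken from a real ACME server.
URL = "https://acme.example/authz/1"
KID = "https://acme.example/acct/1"


def demo():
    fetch = acme_body(URL, "nonce-1", KID)        # like acme($uri)
    ready = acme_body(URL, "nonce-2", KID, {})    # like acme($uri, {})
    final = acme_body(URL, "nonce-3", KID, {"csr": "constructed"})
    return [classify(b) for b in (fetch, ready, final)]
```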
--- Begin Message ---
- To: 930795-done@bugs.debian.org, 931126-done@bugs.debian.org, 931198-done@bugs.debian.org, 931199-done@bugs.debian.org, 931358-done@bugs.debian.org, 931596-done@bugs.debian.org, 931608-done@bugs.debian.org, 931615-done@bugs.debian.org, 931616-done@bugs.debian.org, 931724-done@bugs.debian.org, 931817-done@bugs.debian.org, 931967-done@bugs.debian.org, 932009-done@bugs.debian.org, 932030-done@bugs.debian.org, 932069-done@bugs.debian.org, 932111-done@bugs.debian.org, 932193-done@bugs.debian.org, 932318-done@bugs.debian.org, 932335-done@bugs.debian.org, 932441-done@bugs.debian.org, 932448-done@bugs.debian.org, 932518-done@bugs.debian.org, 932522-done@bugs.debian.org, 932588-done@bugs.debian.org, 932606-done@bugs.debian.org, 932684-done@bugs.debian.org, 932790-done@bugs.debian.org, 932945-done@bugs.debian.org, 933036-done@bugs.debian.org, 933125-done@bugs.debian.org, 933147-done@bugs.debian.org, 933175-done@bugs.debian.org, 933369-done@bugs.debian.org, 933379-done@bugs.debian.org, 933392-done@bugs.debian.org, 933535-done@bugs.debian.org, 933754-done@bugs.debian.org, 933764-done@bugs.debian.org, 933769-done@bugs.debian.org, 933787-done@bugs.debian.org, 933899-done@bugs.debian.org, 933911-done@bugs.debian.org, 933976-done@bugs.debian.org, 934094-done@bugs.debian.org, 934163-done@bugs.debian.org, 934183-done@bugs.debian.org, 934308-done@bugs.debian.org, 934311-done@bugs.debian.org, 934329-done@bugs.debian.org, 934343-done@bugs.debian.org, 934345-done@bugs.debian.org, 934507-done@bugs.debian.org, 934537-done@bugs.debian.org, 934650-done@bugs.debian.org, 934689-done@bugs.debian.org, 934704-done@bugs.debian.org, 934826-done@bugs.debian.org, 934827-done@bugs.debian.org, 934928-done@bugs.debian.org, 934934-done@bugs.debian.org, 934956-done@bugs.debian.org, 935137-done@bugs.debian.org, 935165-done@bugs.debian.org, 935200-done@bugs.debian.org, 935253-done@bugs.debian.org, 935261-done@bugs.debian.org, 935265-done@bugs.debian.org, 935308-done@bugs.debian.org, 
935370-done@bugs.debian.org, 935386-done@bugs.debian.org, 935411-done@bugs.debian.org, 935465-done@bugs.debian.org, 935474-done@bugs.debian.org, 935479-done@bugs.debian.org, 935480-done@bugs.debian.org, 935576-done@bugs.debian.org, 935583-done@bugs.debian.org, 935704-done@bugs.debian.org, 935707-done@bugs.debian.org, 935719-done@bugs.debian.org, 935746-done@bugs.debian.org, 935770-done@bugs.debian.org, 935776-done@bugs.debian.org, 935809-done@bugs.debian.org, 935815-done@bugs.debian.org, 935827-done@bugs.debian.org, 935888-done@bugs.debian.org, 935957-done@bugs.debian.org, 935988-done@bugs.debian.org, 936022-done@bugs.debian.org, 936056-done@bugs.debian.org, 938954-done@bugs.debian.org, 938975-done@bugs.debian.org, 939019-done@bugs.debian.org
- Cc: 935588@bugs.debian.org
- Subject: Closing bugs for fixes including in 10.1 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 07 Sep 2019 14:34:49 +0100
- Message-id: <f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk>
Version: 10.1

Hi,

The fixes referenced by each of these bugs were included in today's buster point release.

Regards,

Adam
--- End Message ---