Bug#935370: marked as done (buster-pu: package lacme/0.5-1+deb10u1)



Your message dated Sat, 07 Sep 2019 14:34:49 +0100
with message-id <[🔎] f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes including in 10.1 point release
has caused the Debian Bug report #935370,
regarding buster-pu: package lacme/0.5-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
935370: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935370
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

Per RFC 8555 sec 6.3 the Let's Encrypt folks are deprecating
unauthenticated GETs from their v2 API.  Support for these requests will
be removed on *Nov 01 2019* (so likely between Debian 10.1 and 10.2) [0].

lacme uses the v2 API by default since 0.5, and removing support for
unauthenticated GETs means that applying for certificate issuance will
stop working.  Replacing GETs with POST-as-GETs is trivial (debdiff
attached), and I'd like to fix that in Buster via s-p-u.

(0.6 from Sid is not affected, and neither is 0.2 from Stretch as the
latter supports only the v1 API.)

Cheers,
-- 
Guilhem.

[0] https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets
diffstat for lacme-0.5 lacme-0.5

 changelog                                             |   10 +
 gbp.conf                                              |    2 
 patches/0002-Issue-GET-and-POST-as-GET-requests.patch |  121 ++++++++++++++++++
 patches/series                                        |    1 
 4 files changed, 133 insertions(+), 1 deletion(-)

diff -Nru lacme-0.5/debian/changelog lacme-0.5/debian/changelog
--- lacme-0.5/debian/changelog	2018-05-09 14:17:19.000000000 +0200
+++ lacme-0.5/debian/changelog	2019-08-22 00:14:42.000000000 +0200
@@ -1,3 +1,13 @@
+lacme (0.5-1+deb10u1) buster; urgency=medium
+
+  * Link to RFC 8555 <https://tools.ietf.org/html/rfc8555> instead of the
+    ACME I-D URL.
+  * Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
+    authorizations, order and certificate URLs.   Let's Encrypt will remove
+    support of unauthenticated GETs from the V2 API on 01 Nov 2019.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Thu, 22 Aug 2019 00:14:42 +0200
+
 lacme (0.5-1) unstable; urgency=medium
 
   * New upstream release, adding support for v2 ACME endpoints.
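Review bot: the second changelog bullet names "the authorizations, order and certificate URLs", but the patch below converts the authorization, challenge and certificate requests; nothing fetches the order URL (the client's own "XXX poll the order URL instead" comment says that is still to do). The wording "Issue GET and POST-as-GET requests" also mirrors the RFC section title rather than the change, which replaces GETs with POST-as-GETs. Suggest: "Replace unauthenticated GETs with POST-as-GET requests (RFC 8555 sec. 6.3) for the authorization, challenge and certificate URLs."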
diff -Nru lacme-0.5/debian/gbp.conf lacme-0.5/debian/gbp.conf
--- lacme-0.5/debian/gbp.conf	2018-05-09 14:17:19.000000000 +0200
+++ lacme-0.5/debian/gbp.conf	2019-08-22 00:14:42.000000000 +0200
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = master
-debian-branch = debian
+debian-branch = debian-buster
 upstream-tag = upstream/%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = False
diff -Nru lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch
--- lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch	1970-01-01 01:00:00.000000000 +0100
+++ lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch	2019-08-22 00:14:42.000000000 +0200
@@ -0,0 +1,121 @@
+From f9d5e53cac1c002e5983efc18e42f5a21444b182 Mon Sep 17 00:00:00 2001
+From: Guilhem Moulin <guilhem@fripost.org>
+Date: Wed, 21 Aug 2019 17:29:19 +0200
+Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)
+
+For the  authorizations, order and certificate URLs.
+See RFC 8555 sec. 7.1.
+---
+ client            |   22 +++++++++++-----------
+ lacme-accountd.md |    2 +-
+ lacme.md          |    2 +-
+ 3 files changed, 13 insertions(+), 13 deletions(-)
+
+--- a/client
++++ b/client
+@@ -165,16 +165,16 @@ sub request_json_decode($;$$) {
+ #############################################################################
+ # JSON-encode the hash reference $h and send it to the ACME server $uri
+ # encapsulated it in a JSON Web Signature (JWS).
+-# https://tools.ietf.org/html/draft-ietf-acme-acme-12
++# https://tools.ietf.org/html/rfc8555
+ #
+-sub acme($@) {
+-    my $uri = shift;
++sub acme($;$) {
++    my ($uri, $h) = @_;
+     die "Missing nonce\n" unless defined $NONCE;
+ 
+     # Produce the JSON Web Signature: RFC 7515 section 5
+     my %header = ( alg => 'RS256', nonce => $NONCE, url => $uri );
+     defined $KID ? ($header{kid} = $KID) : ($header{jwk} = $JWK);
+-    my $payload = encode_base64url(json()->encode({ @_ }));
++    my $payload = defined $h ? encode_base64url(json()->encode($h)) : "";
+     my $protected = encode_base64url(json()->encode(\%header));
+     my $data = $protected .'.'. $payload;
+     $S->printflush($data, "\r\n");
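Review bot: the comment above `acme()` still says it JSON-encodes "the hash reference $h", but with the new `($;$)` prototype the meaning of the second argument now has three cases that look alike at call sites: undefined `$h` yields the empty payload of a POST-as-GET (sec. 6.3, signing input `protected.`), `{}` yields the base64url-encoded empty object a client posts to signal it is ready for a challenge (sec. 7.5.1), and any other hashref is a normal POST body. Document that in the comment, e.g. "# $h undef: POST-as-GET (empty payload); $h hashref: POST with JSON body", so nobody later "fixes" `acme($uri)` into `acme($uri, {})` or vice versa.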
+@@ -204,7 +204,7 @@ sub acme_resource($%) {
+         request(HEAD => $RES{newNonce});
+     }
+     my $uri = $RES{$r} // die "Unknown resource '$r'\n";
+-    acme($uri, @_);
++    acme($uri, {@_});
+ }
+ 
+ # Set the key ID (registration URI)
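Review bot: `{@_}` always produces a hashref, so `acme_resource()` can never issue a POST-as-GET even when called with only a resource name. That is fine for the directory resources it serves (newAccount, newOrder, etc. all take a body), but a one-line comment saying so would stop someone routing a read-only URL through it and silently sending `{}` instead of an empty payload.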
+@@ -237,7 +237,7 @@ if ($COMMAND eq 'account') {
+ 
+     if ($r->is_success()) {
+         $KID = $r->header('Location');
+-        $r = acme($KID, %h);
++        $r = acme($KID, \%h);
+         request_json_decode($r, 1, \*STDOUT)
+             if $r->is_success() and $r->content_type() eq 'application/json';
+     }
+@@ -264,7 +264,7 @@ elsif ($COMMAND eq 'newOrder') {
+     my $order = request_json_decode($r);
+ 
+     foreach (@{$order->{authorizations}}) {
+-        my $authz = request_json_decode(request(GET => $_));
++        my $authz = request_json_decode(acme($_));
+         next unless $authz->{status} eq 'pending';
+ 
+         my $identifier = $authz->{identifier}->{value};
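Review bot: `acme($_)` dies with "Missing nonce" when `$NONCE` is undefined, whereas the `request(GET => $_)` it replaces needed no nonce, and every iteration of this `foreach` now consumes one. The hunk relies on the response path refreshing `$NONCE` from each reply's Replay-Nonce header, which is not visible in this patch; if that only happens on the `request(HEAD => $RES{newNonce})` path in `acme_resource()`, the second authorization would die. Worth confirming, and a comment at the loop would help.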
+@@ -288,7 +288,7 @@ elsif ($COMMAND eq 'newOrder') {
+             die "Can't open $challenge->{token}: $!";
+         }
+ 
+-        $r = acme($challenge->{url});
++        $r = acme($challenge->{url}, {});
+ 
+         # poll until the status become 'valid'
+         # XXX poll the order URL instead, to get the status of all
+@@ -298,7 +298,7 @@ elsif ($COMMAND eq 'newOrder') {
+               $resp = request_json_decode($r),
+               $status = $resp->{status} // 'pending',
+               $status ne 'valid';
+-              $r = request('GET' => $challenge->{url})) {
++              $r = acme($challenge->{url}, {})) {
+             if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807)
+                 my $msg = $problem->{status};
+                 $msg .= " " .$problem->{title}      if defined $problem->{title};
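Review bot: the replacement in the loop's step expression, `$r = acme($challenge->{url}, {})`, re-sends the `{}` challenge-response body on every poll iteration, i.e. a fresh "ready for validation" request (RFC 8555 sec. 7.5.1) rather than a POST-as-GET status read (sec. 6.3). The initial `acme($challenge->{url}, {})` just above is the right call to trigger validation; the poll should be `acme($challenge->{url})` with no payload, matching the certificate poll at the end of this patch, which uses `acme($uri)`.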
+@@ -321,7 +321,7 @@ elsif ($COMMAND eq 'newOrder') {
+         }
+     }
+ 
+-    $r = acme($order->{finalize}, csr => encode_base64url($csr));
++    $r = acme($order->{finalize}, {csr => encode_base64url($csr)});
+     my $resp = request_json_decode($r);
+ 
+     my $uri = $resp->{certificate};
+@@ -329,7 +329,7 @@ elsif ($COMMAND eq 'newOrder') {
+ 
+     # pool until the cert is available
+     for (my $i = 0;;) {
+-        $r = request('GET' => $uri);
++        $r = acme($uri);
+         die request_status_line($r), "\n" unless $r->is_success();
+         last unless $r->code == 202; # Accepted
+         my $retry_after = $r->header('Retry-After') // 1;
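Review bot: the comment above this loop reads "pool until the cert is available"; it should be "poll". Apart from that the conversion is the one the other loops should follow: `acme($uri)` with no second argument is a genuine POST-as-GET, and the `is_success()` check plus `request_status_line()` still handles the error path as before.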
+--- a/lacme-accountd.md
++++ b/lacme-accountd.md
+@@ -141,7 +141,7 @@ See also
+ 
+ [`lacme`(1)], [`ssh`(1)]
+ 
+-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02
++[ACME]: https://tools.ietf.org/html/rfc8555
+ [`lacme`(1)]: lacme.1.html
+ [`signal`(7)]: http://linux.die.net/man/7/signal
+ [`gpg`(1)]: https://www.gnupg.org/documentation/manpage.en.html
+--- a/lacme.md
++++ b/lacme.md
+@@ -412,7 +412,7 @@ See also
+ 
+ [`lacme-accountd`(1)]
+ 
+-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-12
++[ACME]: https://tools.ietf.org/html/rfc8555
+ [`lacme-accountd`(1)]: lacme-accountd.1.html
+ [`iptables`(8)]: http://linux.die.net/man/8/iptables
+ [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
diff -Nru lacme-0.5/debian/patches/series lacme-0.5/debian/patches/series
--- lacme-0.5/debian/patches/series	2018-05-09 14:17:19.000000000 +0200
+++ lacme-0.5/debian/patches/series	2019-08-22 00:14:42.000000000 +0200
@@ -1 +1,2 @@
 0001-Mention-the-Debian-BTS-in-the-manpages.patch
+0002-Issue-GET-and-POST-as-GET-requests.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
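The difference the report hinges on, a plain GET versus a POST-as-GET (RFC 8555 sec. 6.3) versus a POST carrying `{}` (sec. 7.5.1), is easy to get wrong at the call site, as the patch above shows. The following is an added example, not lacme code and not part of the original message: it builds the JWS body for each kind of request and shows what a server checks before distinguishing them. The URLs, nonces and account key are constructed, and `demo_sign` is an HMAC stand-in so the example runs offline with only the standard library; ACME forbids MAC algorithms (sec. 6.2), so a real client computes an RS256 or ES256 signature over exactly the same signing input.

```python
"""RFC 8555 request framing: POST-as-GET versus POST with a JSON body.

Added example.  The header mirrors what an RS256 client sends; demo_sign
is an offline stand-in for the RSA signature (ACME itself rejects MAC
algorithms), chosen only so that this file runs with the stdlib.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed demo key: stands in for the ACME account's private key.
DEMO_KEY = b"constructed-demo-account-key-not-for-real-use"


def demo_sign(signing_input: bytes) -> bytes:
    """Stand-in signer; a real client signs signing_input with RS256/ES256."""
    return hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()


def acme_jws(url, nonce, kid, payload, sign=demo_sign):
    """Build the JSON body of one ACME request (sec. 6.2).

    payload=None -> POST-as-GET: the "payload" member is the empty string
    and the signing input is "<protected>." (RFC 7515 sec. 5.1).
    payload={}   -> the sec. 7.5.1 challenge-ready body, encoded as "e30".
    Any other dict is an ordinary request body.
    """
    header = {"alg": "RS256", "nonce": nonce, "url": url, "kid": kid}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    encoded_payload = "" if payload is None else b64url(
        json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{protected}.{encoded_payload}".encode("ascii")
    return {"protected": protected,
            "payload": encoded_payload,
            "signature": b64url(sign(signing_input))}


def post_as_get(url, nonce, kid):
    """Authenticated read of a resource (authorization, certificate, ...)."""
    return acme_jws(url, nonce, kid, None)


def challenge_ready(url, nonce, kid):
    """Tell the server to start validating a challenge (sec. 7.5.1)."""
    return acme_jws(url, nonce, kid, {})


def classify_request(body, expected_url, expected_nonce, verify=demo_sign):
    """Server-side view of an incoming JWS.

    Checks the protected header rules of sec. 6.2 (alg/nonce/url present,
    exactly one of kid or jwk, url and nonce match), verifies the
    signature over protected + "." + payload, then returns
    ("post-as-get", None) for an empty payload or ("post", <decoded body>).
    Raises ValueError on any failure.
    """
    protected = json.loads(b64url_decode(body["protected"]))
    for field in ("alg", "nonce", "url"):
        if field not in protected:
            raise ValueError(f"protected header lacks {field!r}")
    if ("kid" in protected) == ("jwk" in protected):
        raise ValueError("exactly one of 'kid' or 'jwk' is required")
    if protected["url"] != expected_url:
        raise ValueError("url mismatch")
    if protected["nonce"] != expected_nonce:
        raise ValueError("badNonce")
    signing_input = f"{body['protected']}.{body['payload']}".encode("ascii")
    # With the HMAC stand-in, verifying means recomputing; with RS256 this
    # is a public-key signature check over the same signing_input.
    if not hmac.compare_digest(b64url(verify(signing_input)), body["signature"]):
        raise ValueError("signature mismatch")
    if body["payload"] == "":
        return ("post-as-get", None)
    return ("post", json.loads(b64url_decode(body["payload"])))
```

Because the payload is part of the signing input, a client cannot turn a POST-as-GET into a challenge-ready request (or the reverse) by editing the body after signing; `classify_request` rejects that with a signature mismatch, which is why the server can trust the empty-versus-`{}` distinction.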
--- Begin Message ---
Version: 10.1

Hi,

The fixes referenced by each of these bugs were included in today's
buster point release.

Regards,

Adam

--- End Message ---
