
Bug#976432: marked as done (buster-pu: package python-certbot/0.31.0-1)



Your message dated Sat, 06 Feb 2021 10:39:26 +0000
with message-id <6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 10.8
has caused the Debian Bug report #976432,
regarding buster-pu: package python-certbot/0.31.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
976432: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976432
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: hlieberman@debian.org, team+letsencrypt@tracker.debian.org

Hello Release Team!

As part of the deprecation of the Let's Encrypt v1 endpoint beginning in
January, they are going to begin causing intermittent failures increasing to a
complete shutdown June 2021.

To prevent users from being affected by this transition, I've prepared a
backport of the piece of code that switches renewals automatically to v2. In
this version of the code, new certificates were already being issued through the
v2 URL.

A debdiff is attached.

Sincerely,

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-4-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru python-certbot-0.31.0/debian/changelog python-certbot-0.31.0/debian/changelog
--- python-certbot-0.31.0/debian/changelog	2019-02-09 19:39:59.000000000 -0500
+++ python-certbot-0.31.0/debian/changelog	2020-12-04 21:33:11.000000000 -0500
@@ -1,3 +1,15 @@
+python-certbot (0.31.0-1~deb10u1) buster; urgency=high
+
+  * Switch to use of ACMEv2 API to prevent renewal failures. (Closes: #971045)
+
+    Let's Encrypt's ACMEv1 API is deprecated and in the process of being
+    shut down. Beginning with brownouts in January 2021, and ending with a
+    total shutdown in June 2021, the Let's Encrypt APIs will become
+    unavailable. To prevent users having disruptions to their certificate
+    renewals, this update backports the switch over to the ACMEv2 API.
+
+ -- Harlan Lieberman-Berg <hlieberman@debian.org>  Fri, 04 Dec 2020 21:33:11 -0500
+
 python-certbot (0.31.0-1) unstable; urgency=medium
 
   * New upstream version 0.31.0
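Review bot: the changelog bullet explains the ACMEv1 shutdown timeline but does not say where the backported change comes from; the added patch file carries the upstream commit header (8a15bd7927e2b8956bb1f4d062423e471e473ccf, "renewal: disregard acme-v01 in renewal configs", Fixes #7979), so naming that commit or the upstream issue alongside "(Closes: #971045)" would let the cherry-pick be traced from the changelog alone. The version string 0.31.0-1~deb10u1 and urgency=high are consistent with a buster stable update.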
diff -Nru python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch
--- python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch	1969-12-31 19:00:00.000000000 -0500
+++ python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch	2020-12-04 21:30:36.000000000 -0500
@@ -0,0 +1,88 @@
+From 8a15bd7927e2b8956bb1f4d062423e471e473ccf Mon Sep 17 00:00:00 2001
+From: Alex Zorin <alex@zorin.id.au>
+Date: Thu, 21 May 2020 22:58:40 +1000
+Subject: [PATCH 1/2] renewal: disregard acme-v01 in renewal configs
+
+Fixes #7979
+---
+ certbot/_internal/constants.py |  2 ++
+ certbot/_internal/renewal.py   | 17 +++++++++++++++--
+ certbot/tests/renewal_test.py          |  8 ++++++++
+ 3 files changed, 25 insertions(+), 2 deletions(-)
+
+Index: python-certbot/certbot/constants.py
+===================================================================
+--- python-certbot.orig/certbot/constants.py
++++ python-certbot/certbot/constants.py
+@@ -120,6 +120,8 @@ CLI_DEFAULTS = dict(
+ )
+ STAGING_URI = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ 
++V1_URI = "https://acme-v01.api.letsencrypt.org/directory";
++
+ # The set of reasons for revoking a certificate is defined in RFC 5280 in
+ # section 5.3.1. The reasons that users are allowed to submit are restricted to
+ # those accepted by the ACME server implementation. They are listed in
+Index: python-certbot/certbot/renewal.py
+===================================================================
+--- python-certbot.orig/certbot/renewal.py
++++ python-certbot/certbot/renewal.py
+@@ -17,6 +17,7 @@ import OpenSSL
+ from acme.magic_typing import List  # pylint: disable=unused-import, no-name-in-module
+ 
+ from certbot import cli
++from certbot import constants
+ from certbot import crypto_util
+ from certbot import errors
+ from certbot import interfaces
+@@ -247,16 +248,28 @@ def _restore_int(name, value):
+         raise errors.Error("Expected a numeric value for {0}".format(name))
+ 
+ 
+-def _restore_str(unused_name, value):
++def _restore_str(name, value):
+     """Restores an string key-value pair from a renewal config file.
+ 
+-    :param str unused_name: option name
++    :param str name: option name
+     :param str value: option value
+ 
+     :returns: converted option value to be stored in the runtime config
+     :rtype: str or None
+ 
+     """
++    # Previous to v0.5.0, Certbot always stored the `server` URL in the renewal config,
++    # resulting in configs which explicitly use the deprecated ACMEv1 URL, today
++    # preventing an automatic transition to the default modern ACME URL.
++    # (https://github.com/certbot/certbot/issues/7978#issuecomment-625442870)
++    # As a mitigation, this function reinterprets the value of the `server` parameter if
++    # necessary, replacing the ACMEv1 URL with the default ACME URL. It is still possible
++    # to override this choice with the explicit `--server` CLI flag.
++    if name == "server" and value == constants.V1_URI:
++        logger.info("Using server %s instead of legacy %s",
++                    constants.CLI_DEFAULTS["server"], value)
++        return constants.CLI_DEFAULTS["server"]
++
+     return None if value == "None" else value
+ 
+ 
+Index: python-certbot/certbot/tests/renewal_test.py
+===================================================================
+--- python-certbot.orig/certbot/tests/renewal_test.py
++++ python-certbot/certbot/tests/renewal_test.py
+@@ -31,6 +31,15 @@ class RenewalTest(test_util.ConfigTestCa
+         renewal._restore_webroot_config(config, renewalparams)
+         self.assertEqual(config.webroot_path, ['/var/www/'])
+ 
++    @mock.patch('certbot.renewal.cli.set_by_cli')
++    def test_ancient_server_renewal_conf(self, mock_set_by_cli):
++        from certbot import constants
++        self.config.server = None
++        mock_set_by_cli.return_value = False
++        from certbot.renewal import restore_required_config_elements
++        restore_required_config_elements(self.config, {'server': constants.V1_URI})
++        self.assertEqual(self.config.server, constants.CLI_DEFAULTS['server'])
++
+ 
+ class RestoreRequiredConfigElementsTest(test_util.ConfigTestCase):
+     """Tests for certbot.renewal.restore_required_config_elements."""
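Review bot: the git header kept at the top of 0002-acmev2-api.patch is now misleading: its stat block lists `certbot/_internal/constants.py` and `certbot/_internal/renewal.py` and the subject says `[PATCH 1/2]`, while the `Index:`/`---`/`+++` lines actually target `certbot/constants.py` and `certbot/renewal.py`, and the debdiff carries only this one patch. Replace that header with DEP-3 fields (Origin: the upstream commit, Bug: https://github.com/certbot/certbot/issues/7979, Bug-Debian: #971045) plus a line stating that the paths were rewritten for 0.31.0 and whether upstream's 2/2 was deliberately omitted. On the logic: only the production ACMEv1 URL (`V1_URI`) is remapped in `_restore_str`, so a renewal config that pins any other retired v1 endpoint still passes through unchanged; the new branch also uses `logger`, which is not visible in this hunk, so confirm it is already defined in renewal.py. The trailing `;` after the string literals on the `STAGING_URI` and `V1_URI` lines is legal Python but unidiomatic; verify it is a display artifact and not in the file. The added `test_ancient_server_renewal_conf` only covers `set_by_cli` returning False; a companion case with it returning True would pin down that an explicit `--server` still wins, as the code comment promises.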
diff -Nru python-certbot-0.31.0/debian/patches/series python-certbot-0.31.0/debian/patches/series
--- python-certbot-0.31.0/debian/patches/series	2019-02-05 22:13:56.000000000 -0500
+++ python-certbot-0.31.0/debian/patches/series	2020-12-04 21:30:27.000000000 -0500
@@ -1 +1,2 @@
 0001-remove-external-images.patch
+0002-acmev2-api.patch

--- End Message ---
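The backport above remaps a renewal config's stored ACMEv1 `server` URL to certbot's default at renewal time, unless `--server` was given on the command line. The following is an added example, not code from the bug report or from certbot, that applies the same rule to the text of `/etc/letsencrypt/renewal/*.conf` files so an administrator can find configs that still pin the retired endpoint before the shutdown. `V1_URI` is taken from the patch; `DEFAULT_SERVER` is assumed to equal certbot's `CLI_DEFAULTS["server"]` (the production ACMEv2 directory), and the sample configs are constructed.

```python
"""Audit certbot renewal configs for a pinned legacy ACMEv1 server URL.

Added example (not part of the Debian bug report or of certbot). It mirrors
the backported _restore_str() logic: a [renewalparams] `server` equal to the
ACMEv1 directory URL is treated as certbot's default ACMEv2 URL, and an
explicit --server value on the CLI always wins.
"""
import re
from typing import Dict, Optional, Tuple

# From the patch in the bug report.
V1_URI = "https://acme-v01.api.letsencrypt.org/directory"
# Assumption: certbot's CLI_DEFAULTS["server"], the production ACMEv2 URL.
DEFAULT_SERVER = "https://acme-v02.api.letsencrypt.org/directory"

_KV = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def renewalparams(conf_text: str) -> Dict[str, str]:
    """Return the key/value pairs found in the [renewalparams] section.

    Renewal configs are configobj files: a few top-level keys (cert, archive_dir,
    ...) followed by a [renewalparams] section. Only that section is read here.
    """
    params: Dict[str, str] = {}
    in_section = False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped == "[renewalparams]"
            continue
        match = _KV.match(line)
        if in_section and match:
            params[match.group(1)] = match.group(2)
    return params


def effective_server(conf_text: str, cli_server: Optional[str] = None) -> Tuple[str, bool]:
    """Return (server a renewal would contact, whether the config pinned ACMEv1).

    cli_server models an explicit --server flag (set_by_cli() in certbot):
    when present it overrides whatever the renewal config stored.
    """
    stored = renewalparams(conf_text).get("server")
    pinned_v1 = stored == V1_URI
    if cli_server is not None:
        return cli_server, pinned_v1
    # Missing or the literal "None" means "use the default", as _restore_str does.
    if stored is None or stored == "None" or pinned_v1:
        return DEFAULT_SERVER, pinned_v1
    return stored, pinned_v1


def audit(configs: Dict[str, str]) -> Dict[str, str]:
    """Classify each config: 'pinned-v1', 'default', or 'other:<url>'."""
    report: Dict[str, str] = {}
    for name, text in configs.items():
        server, pinned_v1 = effective_server(text)
        if pinned_v1:
            report[name] = "pinned-v1"
        elif server == DEFAULT_SERVER:
            report[name] = "default"
        else:
            report[name] = "other:" + server
    return report


# Constructed sample renewal configs (not real hosts or accounts).
OLD_CONF = """\
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/old.example.com
cert = /etc/letsencrypt/live/old.example.com/cert.pem
[renewalparams]
authenticator = webroot
account = 0123456789abcdef0123456789abcdef
server = https://acme-v01.api.letsencrypt.org/directory
"""
NEW_CONF = """\
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/new.example.com
[renewalparams]
authenticator = webroot
account = fedcba9876543210fedcba9876543210
server = https://acme-v02.api.letsencrypt.org/directory
"""
STAGING_CONF = """\
version = 0.31.0
[renewalparams]
authenticator = standalone
server = https://acme-staging-v02.api.letsencrypt.org/directory
"""
SAMPLE_CONFIGS = {
    "old.example.com.conf": OLD_CONF,
    "new.example.com.conf": NEW_CONF,
    "staging.example.com.conf": STAGING_CONF,
}

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{name}: {status}")
```

Run against a directory of real renewal configs by reading each file into the `configs` dict; a `pinned-v1` entry is a certificate whose next renewal depends on the backported remap (or on `--server`) rather than on the stored URL.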
--- Begin Message ---
Package: release.debian.org
Version: 10.8

Hi,

Each of the updates referenced by these bugs was included in today's
10.8 point release.

Regards,

Adam

--- End Message ---
