--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package python-certbot/0.31.0-1
- From: Harlan Lieberman-Berg <hlieberman@debian.org>
- Date: Fri, 04 Dec 2020 21:45:10 -0500
- Message-id: <160713631075.84664.10314120395068706921.reportbug@aztlan>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: hlieberman@debian.org, team+letsencrypt@tracker.debian.org
Hello Release Team!
As part of the deprecation of the Let's Encrypt v1 endpoint beginning in
January, they are going to begin causing intermittent failures increasing to a
complete shutdown June 2021.
To prevent users from being affected by this transition, I've prepared a
backport of the piece of code that switches renewals automatically to v2. In
this version of the code, new certificates were already being issued through the
v2 URL.
A debdiff is attached.
Sincerely,
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.9.0-4-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru python-certbot-0.31.0/debian/changelog python-certbot-0.31.0/debian/changelog
--- python-certbot-0.31.0/debian/changelog 2019-02-09 19:39:59.000000000 -0500
+++ python-certbot-0.31.0/debian/changelog 2020-12-04 21:33:11.000000000 -0500
@@ -1,3 +1,15 @@
+python-certbot (0.31.0-1~deb10u1) buster; urgency=high
+
+ * Switch to use of ACMEv2 API to prevent renewal failures. (Closes: #971045)
+
+ Let's Encrypt's ACMEv1 API is deprecated and in the process of being
+ shut down. Beginning with brownouts in January 2021, and ending with a
+ total shutdown in June 2021, the Let's Encrypt APIs will become
+ unavailable. To prevent users having disruptions to their certificate
+ renewals, this update backports the switch over to the ACMEv2 API.
+
+ -- Harlan Lieberman-Berg <hlieberman@debian.org> Fri, 04 Dec 2020 21:33:11 -0500
+
python-certbot (0.31.0-1) unstable; urgency=medium
* New upstream version 0.31.0
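Review bot: the changelog body at `+ total shutdown in June 2021, the Let's Encrypt APIs will become` / `+ unavailable.` overstates the scope of the outage. The same entry says only the ACMEv1 API is deprecated and that this update moves renewals to ACMEv2, which stays available; consider "the Let's Encrypt ACMEv1 API will become unavailable" so the entry does not read as a shutdown of all of Let's Encrypt.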
diff -Nru python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch
--- python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch 1969-12-31 19:00:00.000000000 -0500
+++ python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch 2020-12-04 21:30:36.000000000 -0500
@@ -0,0 +1,88 @@
+From 8a15bd7927e2b8956bb1f4d062423e471e473ccf Mon Sep 17 00:00:00 2001
+From: Alex Zorin <alex@zorin.id.au>
+Date: Thu, 21 May 2020 22:58:40 +1000
+Subject: [PATCH 1/2] renewal: disregard acme-v01 in renewal configs
+
+Fixes #7979
+---
+ certbot/_internal/constants.py | 2 ++
+ certbot/_internal/renewal.py | 17 +++++++++++++++--
+ certbot/tests/renewal_test.py | 8 ++++++++
+ 3 files changed, 25 insertions(+), 2 deletions(-)
+
+Index: python-certbot/certbot/constants.py
+===================================================================
+--- python-certbot.orig/certbot/constants.py
++++ python-certbot/certbot/constants.py
+@@ -120,6 +120,8 @@ CLI_DEFAULTS = dict(
+ )
+ STAGING_URI = "https://acme-staging-v02.api.letsencrypt.org/directory"
+
++V1_URI = "https://acme-v01.api.letsencrypt.org/directory"
++
+ # The set of reasons for revoking a certificate is defined in RFC 5280 in
+ # section 5.3.1. The reasons that users are allowed to submit are restricted to
+ # those accepted by the ACME server implementation. They are listed in
+Index: python-certbot/certbot/renewal.py
+===================================================================
+--- python-certbot.orig/certbot/renewal.py
++++ python-certbot/certbot/renewal.py
+@@ -17,6 +17,7 @@ import OpenSSL
+ from acme.magic_typing import List # pylint: disable=unused-import, no-name-in-module
+
+ from certbot import cli
++from certbot import constants
+ from certbot import crypto_util
+ from certbot import errors
+ from certbot import interfaces
+@@ -247,16 +248,28 @@ def _restore_int(name, value):
+ raise errors.Error("Expected a numeric value for {0}".format(name))
+
+
+-def _restore_str(unused_name, value):
++def _restore_str(name, value):
+ """Restores an string key-value pair from a renewal config file.
+
+- :param str unused_name: option name
++ :param str name: option name
+ :param str value: option value
+
+ :returns: converted option value to be stored in the runtime config
+ :rtype: str or None
+
+ """
++ # Previous to v0.5.0, Certbot always stored the `server` URL in the renewal config,
++ # resulting in configs which explicitly use the deprecated ACMEv1 URL, today
++ # preventing an automatic transition to the default modern ACME URL.
++ # (https://github.com/certbot/certbot/issues/7978#issuecomment-625442870)
++ # As a mitigation, this function reinterprets the value of the `server` parameter if
++ # necessary, replacing the ACMEv1 URL with the default ACME URL. It is still possible
++ # to override this choice with the explicit `--server` CLI flag.
++ if name == "server" and value == constants.V1_URI:
++ logger.info("Using server %s instead of legacy %s",
++ constants.CLI_DEFAULTS["server"], value)
++ return constants.CLI_DEFAULTS["server"]
++
+ return None if value == "None" else value
+
+
+Index: python-certbot/certbot/tests/renewal_test.py
+===================================================================
+--- python-certbot.orig/certbot/tests/renewal_test.py
++++ python-certbot/certbot/tests/renewal_test.py
+@@ -31,6 +31,15 @@ class RenewalTest(test_util.ConfigTestCa
+ renewal._restore_webroot_config(config, renewalparams)
+ self.assertEqual(config.webroot_path, ['/var/www/'])
+
++ @mock.patch('certbot.renewal.cli.set_by_cli')
++ def test_ancient_server_renewal_conf(self, mock_set_by_cli):
++ from certbot import constants
++ self.config.server = None
++ mock_set_by_cli.return_value = False
++ from certbot.renewal import restore_required_config_elements
++ restore_required_config_elements(self.config, {'server': constants.V1_URI})
++ self.assertEqual(self.config.server, constants.CLI_DEFAULTS['server'])
++
+
+ class RestoreRequiredConfigElementsTest(test_util.ConfigTestCase):
+ """Tests for certbot.renewal.restore_required_config_elements."""
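Review bot: the git diffstat carried over from the upstream commit no longer describes the rebased patch: `+ certbot/_internal/constants.py | 2 ++` and `+ certbot/_internal/renewal.py | 17 +++++++++++++++--` name `_internal` paths, while the Index lines below target `certbot/constants.py` and `certbot/renewal.py`, and `+ certbot/tests/renewal_test.py | 8 ++++++++` understates the test hunk, which adds nine lines (`@@ -31,6 +31,15 @@`). Either regenerate the stat after the rebase or drop it and keep only the From/Date/Subject/Fixes lines that record the upstream origin. The Subject line `[PATCH 1/2]` is also worth a short note in the patch header saying that only the first of the two upstream commits is backported here, so a later reader does not go looking for the missing second half.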
diff -Nru python-certbot-0.31.0/debian/patches/series python-certbot-0.31.0/debian/patches/series
--- python-certbot-0.31.0/debian/patches/series 2019-02-05 22:13:56.000000000 -0500
+++ python-certbot-0.31.0/debian/patches/series 2020-12-04 21:30:27.000000000 -0500
@@ -1 +1,2 @@
0001-remove-external-images.patch
+0002-acmev2-api.patch
--- End Message ---