Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected], [email protected] Control: affects -1 + src:python-certbot User: [email protected] Usertags: pu
Hello release team! As per #1125267, currently the version of certbot in trixie does not properly handle renewals when you have requested a particular profile of certificate (e.g., a shortlived cert). This imports a patch from upstream which fixes this bug. I've tested the patch and verified both that the renewal does not happen correctly in the current version, and does correctly happen with the proposed update. In addition, the autopkgtest suite runs an automated check that goes through the entire certificate issuance lifecycle for both the http-01, apache, and nginx workflows. [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable Sincerely, -- Harlan Lieberman-Berg ~hlieberman
diff -Nru python-certbot-4.0.0/debian/changelog python-certbot-4.0.0/debian/changelog --- python-certbot-4.0.0/debian/changelog 2025-05-25 11:27:29.000000000 -0400 +++ python-certbot-4.0.0/debian/changelog 2026-04-04 20:36:10.000000000 -0400 @@ -1,3 +1,9 @@ +python-certbot (4.0.0-2+deb13u1) trixie; urgency=medium + + * Import patch to store profile in renewal (Closes: #1125267) + + -- Harlan Lieberman-Berg <[email protected]> Sat, 04 Apr 2026 20:36:10 -0400 + python-certbot (4.0.0-2) unstable; urgency=medium * autopkgtests: drop manual IP flag no longer used diff -Nru python-certbot-4.0.0/debian/patches/0002-store-profile.patch python-certbot-4.0.0/debian/patches/0002-store-profile.patch --- python-certbot-4.0.0/debian/patches/0002-store-profile.patch 1969-12-31 19:00:00.000000000 -0500 +++ python-certbot-4.0.0/debian/patches/0002-store-profile.patch 2026-04-04 20:33:56.000000000 -0400 @@ -0,0 +1,53 @@ +From 6a590e970efb7ba6c51bc74708c6507ae3a511d3 Mon Sep 17 00:00:00 2001 +From: Jacob Hoffman-Andrews <[email protected]> +Date: Mon, 5 May 2025 17:15:56 -0700 +Subject: [PATCH] store preferred/required_profile in renewal config + +This ensures that renewals of certificates will use the same profile settings. +--- + CHANGELOG.md | 2 ++ + certbot/_internal/renewal.py | 3 ++- + certbot/_internal/tests/storage_test.py | 6 ++++++ + 3 files changed, 10 insertions(+), 1 deletion(-) + +Index: python-certbot/certbot/_internal/renewal.py +=================================================================== +--- python-certbot.orig/certbot/_internal/renewal.py ++++ python-certbot/certbot/_internal/renewal.py +@@ -45,7 +45,8 @@ logger = logging.getLogger(__name__) + STR_CONFIG_ITEMS = ["config_dir", "logs_dir", "work_dir", "user_agent", + "server", "account", "authenticator", "installer", + "renew_hook", "pre_hook", "post_hook", "http01_address", +- "preferred_chain", "key_type", "elliptic_curve"] ++ "preferred_chain", "key_type", "elliptic_curve", ++ "preferred_profile", "required_profile"] + INT_CONFIG_ITEMS = ["rsa_key_size", "http01_port"] + BOOL_CONFIG_ITEMS = ["must_staple", "allow_subset_of_names", "reuse_key", + "autorenew"] +Index: python-certbot/certbot/_internal/tests/storage_test.py +=================================================================== +--- python-certbot.orig/certbot/_internal/tests/storage_test.py ++++ python-certbot/certbot/_internal/tests/storage_test.py +@@ -122,16 +122,22 @@ class RelevantValuesTest(unittest.TestCa + namespace = cli.prepare_and_parse_args(PLUGINS, [ + '--allow-subset-of-names', + '--authenticator', 'apache', ++ '--preferred-profile', 'fancyprofile', + ]) + expected_relevant_values = { + 'server': constants.CLI_DEFAULTS['server'], + 'key_type': 'ecdsa', + 'allow_subset_of_names': True, + 'authenticator': 'apache', ++ 'preferred_profile': 'fancyprofile', + } + + assert relevant_values(namespace) == expected_relevant_values + ++ def test_with_required_profile(self): ++ self.values["required_profile"] = "shortlived" ++ expected_relevant_values = self.values.copy() ++ assert self._call(self.values) == expected_relevant_values + + class BaseRenewableCertTest(test_util.ConfigTestCase): + """Base class for setting up Renewable Cert tests. diff -Nru python-certbot-4.0.0/debian/patches/series python-certbot-4.0.0/debian/patches/series --- python-certbot-4.0.0/debian/patches/series 2025-05-24 15:24:46.000000000 -0400 +++ python-certbot-4.0.0/debian/patches/series 2026-04-04 20:33:16.000000000 -0400 @@ -1 +1,2 @@ 0001-remove-external-images.patch +0002-store-profile.patch
