Your message dated Sun, 16 Jun 2024 20:33:49 +0000
with message-id <e1siwzr-00dp53...@fasolo.debian.org>
and subject line Bug#1072847: fixed in lacme 0.8.2-1+deb12u1
has caused the Debian Bug report #1072847,
regarding lacme: Post-issuance validation fails in the default configuration
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1072847: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072847
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lacme
Version: 0.8.2-1
Severity: grave
Justification: renders package unusable

Let's Encrypt has recently rotated its intermediate certificates [0].
The previous intermediate certificates (lets-encrypt-r[34].pem and
lets-encrypt-e[12].pem) are concatenated alongside the roots
(isrgrootx1.pem and isrg-root-x2.pem) and used as trust anchors for
validation of the issued X.509 certificate before its deployment.

The new intermediates mean the validation step now fails.  A quick fix
is to add R1[0-4].pem and E[5-9].pem to the certificate bundle, however
that will cease to work once Let's Encrypt rotates its intermediates
again.

A proper fix would be to use the intermediate(s) provided during the
issuance step as -untrusted (for chain building).

-- 
Guilhem.

[0] https://letsencrypt.org/2024/03/19/new-intermediate-certificates



--- End Message ---
--- Begin Message ---
Source: lacme
Source-Version: 0.8.2-1+deb12u1
Done: Guilhem Moulin <guil...@debian.org>

We believe that the bug you reported is fixed in the latest version of
lacme, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1072...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guil...@debian.org> (supplier of updated lacme package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Jun 2024 01:20:13 +0200
Source: lacme
Architecture: source
Version: 0.8.2-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Guilhem Moulin <guil...@debian.org>
Changed-By: Guilhem Moulin <guil...@debian.org>
Closes: 1072847
Changes:
 lacme (0.8.2-1+deb12u1) bookworm; urgency=medium
 .
   * Backport upstream patches to fix post-issuance validation logic.  We avoid
     pinning the intermediate certificates in the bundle and instead validate
     the leaf certificate with intermediates supplied during issuance as
     untrusted (used for chain building only).  Only the root certificates are
     used as trust anchor.
     Not pinning intermediate certificates is in line with Let's Encrypt's
     latest recommendations.
     Closes: #1072847
   * Adjust test suite against current Let's Encrypt staging environment.
   * d/gbp.conf: Set 'debian-branch = debian/bookworm'.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
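
The validation change described in the bug report and changelog above, as an added example that is not lacme's own code: a throwaway PKI shows why a bundle that pins the old intermediate rejects a leaf issued by the new one, while roots as `-CAfile` plus the issuance-time chain as `-untrusted` accepts it. All certificate names (root, old-int, new-int, leaf, other, stray) are constructed, and the exact `openssl verify` invocation is an assumption; the page names only the `-untrusted` option.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI; all names below are made up.
set -eu
cd "$(mktemp -d)"
printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
  '[ca]' 'basicConstraints=critical,CA:TRUE' \
  '[leaf]' 'basicConstraints=critical,CA:FALSE' > x.cnf
newkey='-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes'

# mkroot NAME: self-signed CA certificate NAME.pem with key NAME.key
mkroot() {
  openssl req -x509 -config x.cnf -extensions ca $newkey -days 1 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
# issue NAME ISSUER SECTION: NAME.pem signed by ISSUER with extensions [SECTION]
issue() {
  openssl req -new -config x.cnf $newkey \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 1 -extfile x.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

mkroot root                 # stands in for the ISRG roots
issue old-int root ca       # intermediate pinned in the bundle before the rotation
issue new-int root ca       # intermediate actually used after the rotation
issue leaf new-int leaf     # newly issued certificate
mkroot other                # unrelated self-signed CA, never a trust anchor
issue stray other leaf      # leaf that chains only to "other"

# Reported behaviour: root + pinned old intermediate as the only trust anchors.
verify_pinned() {
  cat root.pem old-int.pem > bundle.pem
  openssl verify -CAfile bundle.pem "$1" >/dev/null 2>&1
}
# Fixed behaviour: root only as trust anchor, issuance-time chain as -untrusted.
verify_fixed() {
  openssl verify -CAfile root.pem -untrusted "$1" "$2" >/dev/null 2>&1
}

report() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }
report verify_pinned leaf.pem              # FAIL: issuer is not in the bundle
report verify_fixed new-int.pem leaf.pem   # OK: chain built up to the root
report verify_fixed other.pem stray.pem    # FAIL: -untrusted confers no trust
```

The third check is the one that matters for the design: a certificate passed as `-untrusted` only helps build the chain, so a leaf is accepted only if that chain ends at a root in `-CAfile`.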
