Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hello Release Team,

Due to a security issue in the underlying Let's Encrypt protocol, one of the 
main methods of getting certificates from Let's Encrypt has been disabled (the 
TLS-SNI-01 protocol; 
https://community.letsencrypt.org/t/tls-sni-challenges-disabled-for-most-new-issuance/50316
 for more info).

This puts us in a bit of an awkward spot.  The upstream certbot provider is 
preparing to do a new release that has support for HTTP-01 inside the 
python-certbot-apache and python-certbot-nginx plugins, as well as the required 
work in python-acme and python-certbot (and certbot), but I'm not sure 
backporting the patches is realistic.  A lot of development has been done in 
the interim, both in the certbot packaging and in the upstream software.  
Without those patches, users with the apache or nginx plugins will fail to 
update their certificates starting 2018-04-09.

I can talk to the certbot upstream to see if they'd be willing to help backport 
the patches (CCed), but initial conversations seem to indicate that doing so 
will be difficult.

The other approach that we can take is to backport the next version that 
supports the new challenge through to s-p-u and into stable.  I'm guessing that 
you will ask me to unwind the work I did to convert to python3 in the last 
release (sadface), but I can do that if that's what it needs to get this fixed 
in stable.

Gurus and Wise Ones, I beseech you for guidance!

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
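As an added illustration (not part of this bug report, and not certbot's or Let's Encrypt's own code) of the HTTP-01 challenge that replaces TLS-SNI-01: the client must serve, over plain HTTP on port 80 at `/.well-known/acme-challenge/<token>`, the key authorization `token.thumbprint`, where the thumbprint is the RFC 7638 SHA-256 thumbprint of the ACME account's public key. The code below computes that value with only the Python standard library and performs the comparison a validator makes on the fetched body. The modulus, exponent and token are constructed sample values, not a real account key or a real challenge.

```python
import base64
import hashlib
import json

# Constructed sample values: NOT a real RSA key and NOT a real ACME token.
SAMPLE_N = 0xC0FFEE1234567890ABCDEF1234567890ABCDEF
SAMPLE_E = 65537
SAMPLE_TOKEN = "ConstructedExampleToken0123"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def int_to_b64url(n: int) -> str:
    """Encode a positive integer as minimal big-endian bytes, then base64url
    (the JWK representation of RSA 'n' and 'e')."""
    length = (n.bit_length() + 7) // 8
    return b64url(n.to_bytes(length, "big"))


def rsa_jwk_thumbprint(n: int, e: int) -> str:
    """RFC 7638 thumbprint of an RSA public key: SHA-256 over the canonical
    JSON {"e","kty","n"} with members sorted lexicographically and no whitespace."""
    jwk = {"e": int_to_b64url(e), "kty": "RSA", "n": int_to_b64url(n)}
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode("ascii")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint.
    This string is the exact body the client serves for HTTP-01."""
    return f"{token}.{thumbprint}"


def check_http01_response(served_body: bytes, token: str, thumbprint: str) -> bool:
    """What the CA's validator checks after fetching
    http://<domain>/.well-known/acme-challenge/<token>: the body, with trailing
    whitespace ignored, must equal the key authorization for this account key.
    Any other content (a 404 page, a redirect target, a stale file) fails."""
    expected = key_authorization(token, thumbprint).encode("ascii")
    return served_body.rstrip(b" \t\r\n") == expected


if __name__ == "__main__":
    tp = rsa_jwk_thumbprint(SAMPLE_N, SAMPLE_E)
    body = key_authorization(SAMPLE_TOKEN, tp)
    print("serve at /.well-known/acme-challenge/" + SAMPLE_TOKEN + ":")
    print(body)
    print("validator accepts:", check_http01_response(body.encode(), SAMPLE_TOKEN, tp))
```

The thumbprint is bound to the account key, so a file left over from an earlier account or a challenge answered for a different token is rejected; that binding is what lets the CA tie control of the web server to the ACME account requesting the certificate.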