Your message dated Tue, 12 Mar 2019 14:50:26 +0000
with message-id <e1h3ija-0005yc...@respighi.debian.org>
and subject line unblock dehydrated
has caused the Debian Bug report #924320,
regarding unblock: dehydrated/0.6.2-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
924320: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924320
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock

Dear RT,

please consider unblocking this revision of dehydrated.
I cherry-picked a few patches from upstream, fixing bugs in a few corner
cases, plus doc updates.

Full debdiff attached.

unblock dehydrated/0.6.2-2

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
diffstat for dehydrated-0.6.2 dehydrated-0.6.2

 changelog                                                               |   14 +++
 control                                                                 |    2 
 patches/Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch |   34 +++++++
 patches/Only-match-Replace-Nonce-header-at-beginning-of-line.patch      |   24 +++++
 patches/document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch |   25 +++++
 patches/fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch |   22 +++++
 patches/implement-POST-as-GET-closes-626.patch                          |   43 ++++++++++
 patches/series                                                          |    6 +
 patches/tiny-documentation-fix-per-certificate-config-can-overrid.patch |   21 ++++
 9 files changed, 190 insertions(+), 1 deletion(-)

diff -Nru dehydrated-0.6.2/debian/changelog dehydrated-0.6.2/debian/changelog
--- dehydrated-0.6.2/debian/changelog	2018-05-08 12:14:45.000000000 +0200
+++ dehydrated-0.6.2/debian/changelog	2019-03-11 16:25:53.000000000 +0100
@@ -1,3 +1,17 @@
+dehydrated (0.6.2-2) unstable; urgency=medium
+
+  * Add a number of patches from upstream.
+    Fixing the following bugs:
+     + HTTP/2 support, where header names are lowercase
+     + Avoid over matching, checking for the Replay-Nonce header only at BOL
+     + A bug causing deletion of domains.txt when incorrect parameters are used
+     + Document the DOMAINS_D config option
+     + Impoent POST-as-GET, for the upcoming change in LE's API
+     + Document PRIVATE_KEY_ROLLOVER per-cert config option
+  * d/control: bump Standards-Version to 4.3.0, no changes needed.
+
+ -- Mattia Rizzolo <mat...@debian.org>  Mon, 11 Mar 2019 16:25:53 +0100
+
 dehydrated (0.6.2-1) unstable; urgency=medium
 
   * New upstream release 0.6.2.
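Review bot: the POST-as-GET entry in the new 0.6.2-2 stanza reads "Impoent POST-as-GET"; it should read "Implement POST-as-GET". The entry could also say that the change applies to ACMEv2 only, since the patch keeps the plain GET for API 1.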
diff -Nru dehydrated-0.6.2/debian/control dehydrated-0.6.2/debian/control
--- dehydrated-0.6.2/debian/control	2018-05-08 12:10:08.000000000 +0200
+++ dehydrated-0.6.2/debian/control	2019-03-11 16:25:53.000000000 +0100
@@ -10,7 +10,7 @@
  debhelper (>= 11),
  dh-apache2,
  dh-exec,
-Standards-Version: 4.1.4
+Standards-Version: 4.3.0
 Rules-Requires-Root: no
 Vcs-Git: https://salsa.debian.org/letsencrypt-team/dehydrated.git
 Vcs-Browser: https://salsa.debian.org/letsencrypt-team/dehydrated
diff -Nru dehydrated-0.6.2/debian/patches/document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch dehydrated-0.6.2/debian/patches/document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch
--- dehydrated-0.6.2/debian/patches/document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch	1970-01-01 01:00:00.000000000 +0100
+++ dehydrated-0.6.2/debian/patches/document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch	2019-03-11 16:21:33.000000000 +0100
@@ -0,0 +1,25 @@
+From: Lukas Schauer <lu...@schauer.so>
+Date: Sat, 20 Oct 2018 13:05:20 +0200
+Subject: document DOMAINS_D parameter in example config (fixes #575,
+ closes #582)
+
+---
+ docs/examples/config | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/docs/examples/config b/docs/examples/config
+index 665704d..c1f9276 100644
+--- a/docs/examples/config
++++ b/docs/examples/config
+@@ -40,6 +40,11 @@
+ # default: <unset>
+ #CONFIG_D=
+ 
++# Directory for per-domain configuration files.
++# If not set, per-domain configurations are sourced from each certificates output directory.
++# default: <unset>
++#DOMAINS_D=
++
+ # Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
+ #BASEDIR=$SCRIPTDIR
+ 
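Review bot: the added DOMAINS_D comment says "each certificates output directory", which needs the possessive ("each certificate's output directory"). The comment also does not say how the per-domain files inside DOMAINS_D must be named, so the option cannot be used from this text alone; one more comment line giving the expected file name would close that gap.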
diff -Nru dehydrated-0.6.2/debian/patches/fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch dehydrated-0.6.2/debian/patches/fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch
--- dehydrated-0.6.2/debian/patches/fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch	1970-01-01 01:00:00.000000000 +0100
+++ dehydrated-0.6.2/debian/patches/fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch	2019-03-11 16:21:33.000000000 +0100
@@ -0,0 +1,22 @@
+From: Lukas Schauer <lu...@schauer.so>
+Date: Sat, 20 Oct 2018 12:27:23 +0200
+Subject: fixed a bug that resulted in a deleted domains.txt when using
+ incorrect parameters in combination with signcsr (fixes #597)
+
+---
+ dehydrated | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dehydrated b/dehydrated
+index c27706a..2cefc6d 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -557,7 +557,7 @@ http_request() {
+       rm -f "${tempheaders}"
+ 
+       # remove temporary domains.txt file if used
+-      [[ -n "${PARAM_DOMAIN:-}" && -n "${DOMAINS_TXT:-}" ]] && rm "${DOMAINS_TXT}"
++      [[ "${COMMAND:-}" = "sign_domains" && -n "${PARAM_DOMAIN:-}" && -n "${DOMAINS_TXT:-}" ]] && rm "${DOMAINS_TXT}"
+       exit 1
+     fi
+   fi
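Review bot: the guard in front of `rm "${DOMAINS_TXT}"` still infers that the file is temporary from other variables (COMMAND, PARAM_DOMAIN) instead of from how the file was created, which is the kind of indirect test that allowed a real domains.txt to be deleted in the first place. Setting a flag at the point where the temporary file is created and testing only that flag here would tie the deletion to the file actually being a temp file. Using `rm -f` would also keep a missing file from printing a second error on the way to `exit 1`.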
diff -Nru dehydrated-0.6.2/debian/patches/Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch dehydrated-0.6.2/debian/patches/Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch
--- dehydrated-0.6.2/debian/patches/Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch	1970-01-01 01:00:00.000000000 +0100
+++ dehydrated-0.6.2/debian/patches/Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch	2019-03-11 16:21:33.000000000 +0100
@@ -0,0 +1,34 @@
+From: Florent <>
+Date: Wed, 9 May 2018 19:29:21 +0200
+Subject: Fixes #559 : when HTTP/2 is used,
+ header names are lower case. So adding ignore case option (-i) to grep's.
+
+---
+ dehydrated | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dehydrated b/dehydrated
+index adc3dca..ba0f5a0 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -407,7 +407,7 @@ init_system() {
+     if [[ ${API} -eq 1 ]]; then
+       _exiterr "This is not implemented for ACMEv1! Consider switching to ACMEv2 :)"
+     else
+-      ACCOUNT_URL="$(signed_request "${CA_NEW_ACCOUNT}" '{"onlyReturnExisting": true}' 4>&1 | grep ^Location: | awk '{print $2}' | tr -d '\r\n')"
++      ACCOUNT_URL="$(signed_request "${CA_NEW_ACCOUNT}" '{"onlyReturnExisting": true}' 4>&1 | grep -i ^Location: | awk '{print $2}' | tr -d '\r\n')"
+       ACCOUNT_INFO="$(signed_request "${ACCOUNT_URL}" '{}')"
+     fi
+     ACCOUNT_ID="${ACCOUNT_URL##*/}"
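Review bot: ACCOUNT_URL is used in the very next line without a check that the `grep -i ^Location:` pipeline matched anything, so a response without that header sends `signed_request` an empty URL. Test that ACCOUNT_URL is non-empty and call `_exiterr` otherwise. As a style point, quote the pattern (`grep -i '^Location:'`); it has no glob characters today, but quoting keeps it safe if the pattern is edited later.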
+@@ -577,9 +577,9 @@ signed_request() {
+ 
+   # Retrieve nonce from acme-server
+   if [[ ${API} -eq 1 ]]; then
+-    nonce="$(http_request head "${CA}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
++    nonce="$(http_request head "${CA}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+   else
+-    nonce="$(http_request head "${CA_NEW_NONCE}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
++    nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+   fi
+ 
+   # Build header with just our public key and algorithm information
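Review bot: both changed lines use `grep -i Replay-Nonce:` without a `^` anchor, unlike the `^Location:` match in the first hunk of this patch, so any header line that merely contains that string is selected and `awk` then extracts the wrong value as the nonce. Anchor the pattern (`grep -i '^Replay-Nonce:'`); the next patch in the series does this, and the two could be squashed.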
diff -Nru dehydrated-0.6.2/debian/patches/implement-POST-as-GET-closes-626.patch dehydrated-0.6.2/debian/patches/implement-POST-as-GET-closes-626.patch
--- dehydrated-0.6.2/debian/patches/implement-POST-as-GET-closes-626.patch	1970-01-01 01:00:00.000000000 +0100
+++ dehydrated-0.6.2/debian/patches/implement-POST-as-GET-closes-626.patch	2019-03-11 16:21:33.000000000 +0100
@@ -0,0 +1,43 @@
+From: Lukas Schauer <lu...@schauer.so>
+Date: Sun, 3 Mar 2019 19:58:04 +0100
+Subject: implement POST-as-GET (closes #626)
+
+---
+ dehydrated | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/dehydrated b/dehydrated
+index 2cefc6d..69057e7 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -705,7 +705,7 @@ sign_csr() {
+   for authorization in ${authorizations[*]}; do
+     if [[ "${API}" -eq 2 ]]; then
+       # Receive authorization ($authorization is authz uri)
+-      response="$(http_request get "$(echo "${authorization}" | _sed -e 's/\"(.*)".*/\1/')" | clean_json)"
++      response="$(signed_request "$(echo "${authorization}" | _sed -e 's/\"(.*)".*/\1/')" "" | clean_json)"
+       identifier="$(echo "${response}" | get_json_dict_value identifier | get_json_string_value value)"
+       echo " + Handling authorization for ${identifier}"
+     else
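Review bot: the new call passes `""` as the payload to `signed_request`, and nothing in this patch touches `signed_request` itself (all 10 changed lines are in `sign_csr`), so its correctness depends on that function already turning an empty argument into an empty JWS payload. RFC 8555 requires the payload of a POST-as-GET to be the empty string, not `{}` or a quoted empty string. A short comment at this call site stating that `""` means POST-as-GET, and a check that the existing encoder handles the empty case, would make that dependency explicit.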
+@@ -793,7 +793,11 @@ sign_csr() {
+ 
+     while [[ "${reqstatus}" = "pending" ]]; do
+       sleep 1
+-      result="$(http_request get "${challenge_uris[${idx}]}")"
++      if [[ "${API}" -eq 2 ]]; then
++        result="$(signed_request "${challenge_uris[${idx}]}" "")"
++      else
++        result="$(http_request get "${challenge_uris[${idx}]}")"
++      fi
+       reqstatus="$(printf '%s\n' "${result}" | get_json_string_value status)"
+     done
+ 
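Review bot: the `while [[ "${reqstatus}" = "pending" ]]` loop has no attempt limit or timeout, and after this change each pass on API 2 is a signed request, which per the nonce code in `signed_request` means an extra HEAD for a nonce plus the POST, once per second. Add a maximum number of attempts with an `_exiterr` when it is exceeded, and consider a longer or growing sleep. The `if [[ "${API}" -eq 2 ]]` branch added here repeats the API split already made earlier in `sign_csr`; a small helper that picks the fetch method would keep it in one place.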
+@@ -838,7 +842,7 @@ sign_csr() {
+     crt="$( printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" )"
+   else
+     result="$(signed_request "${finalize}" '{"csr": "'"${csr64}"'"}' | clean_json | get_json_string_value certificate)"
+-    crt="$(http_request get "${result}")"
++    crt="$(signed_request "${result}" "")"
+   fi
+ 
+   # Try to load the certificate to detect corruption
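Review bot: `result` is taken from the server's finalize response and is passed to `signed_request "${result}" ""` without a check that `get_json_string_value certificate` returned anything. If the field is missing, this line signs and sends a request to an empty URL and the failure only surfaces later at the certificate load check. Test that `result` is non-empty before the fetch and fail with a message that names the missing certificate URL.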
diff -Nru dehydrated-0.6.2/debian/patches/Only-match-Replace-Nonce-header-at-beginning-of-line.patch dehydrated-0.6.2/debian/patches/Only-match-Replace-Nonce-header-at-beginning-of-line.patch
--- dehydrated-0.6.2/debian/patches/Only-match-Replace-Nonce-header-at-beginning-of-line.patch	1970-01-01 01:00:00.000000000 +0100
+++ dehydrated-0.6.2/debian/patches/Only-match-Replace-Nonce-header-at-beginning-of-line.patch	2019-03-11 16:21:33.000000000 +0100
@@ -0,0 +1,24 @@
+From: Lukas Schauer <lu...@schauer.so>
+Date: Wed, 9 May 2018 21:01:57 +0200
+Subject: Only match Replace-Nonce header at beginning of line
+
+---
+ dehydrated | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/dehydrated b/dehydrated
+index ba0f5a0..c27706a 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -577,9 +577,9 @@ signed_request() {
+ 
+   # Retrieve nonce from acme-server
+   if [[ ${API} -eq 1 ]]; then
+-    nonce="$(http_request head "${CA}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
++    nonce="$(http_request head "${CA}" | grep -i ^Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+   else
+-    nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
++    nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i ^Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+   fi
+ 
+   # Build header with just our public key and algorithm information
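Review bot: with the `^` anchor in place, the remaining fragile part of both changed lines is `awk -F ': '`, which needs exactly a colon followed by one space; HTTP allows optional whitespace after the colon, so a header sent as `replay-nonce:value` yields an empty nonce. Splitting on the colon alone and trimming leading whitespace would accept all valid forms. The pattern should also be quoted (`'^Replay-Nonce:'`), and the patch subject and file name say "Replace-Nonce" where the header is Replay-Nonce.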
diff -Nru dehydrated-0.6.2/debian/patches/series dehydrated-0.6.2/debian/patches/series
--- dehydrated-0.6.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ dehydrated-0.6.2/debian/patches/series	2019-03-11 16:21:33.000000000 +0100
@@ -0,0 +1,6 @@
+Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch
+Only-match-Replace-Nonce-header-at-beginning-of-line.patch
+fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch
+document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch
+implement-POST-as-GET-closes-626.patch
+tiny-documentation-fix-per-certificate-config-can-overrid.patch
diff -Nru dehydrated-0.6.2/debian/patches/tiny-documentation-fix-per-certificate-config-can-overrid.patch dehydrated-0.6.2/debian/patches/tiny-documentation-fix-per-certificate-config-can-overrid.patch
--- dehydrated-0.6.2/debian/patches/tiny-documentation-fix-per-certificate-config-can-overrid.patch	1970-01-01 01:00:00.000000000 +0100
+++ dehydrated-0.6.2/debian/patches/tiny-documentation-fix-per-certificate-config-can-overrid.patch	2019-03-11 16:21:33.000000000 +0100
@@ -0,0 +1,21 @@
+From: Lukas Schauer <lu...@schauer.so>
+Date: Sun, 3 Mar 2019 20:38:38 +0100
+Subject: tiny documentation fix: per-certificate-config can override
+ PRIVATE_KEY_ROLLOVER (closes #614)
+
+---
+ docs/per-certificate-config.md | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/docs/per-certificate-config.md b/docs/per-certificate-config.md
+index da88838..457a41a 100644
+--- a/docs/per-certificate-config.md
++++ b/docs/per-certificate-config.md
+@@ -7,6 +7,7 @@ To use this feature create a `config` file in the certificates output directory
+ Currently supported options:
+ 
+ - PRIVATE_KEY_RENEW
++- PRIVATE_KEY_ROLLOVER
+ - KEY_ALGO
+ - KEYSIZE
+ - OCSP_MUST_STAPLE

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---