Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: hlieber...@debian.org, team+letsencr...@tracker.debian.org
Hello Release Team! As part of the deprecation of the Let's Encrypt v1 endpoint beginning in January, they are going to begin causing intermittent failures, increasing to a complete shutdown in June 2021. To prevent users from being affected by this transition, I've prepared a backport of the piece of code that switches renewals automatically to v2. In this version of the code, new certificates were already being issued through the v2 URL. A debdiff is attached. Sincerely, -- System Information: Debian Release: bullseye/sid APT prefers testing APT policy: (900, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.9.0-4-amd64 (SMP w/4 CPU threads) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
diff -Nru python-certbot-0.31.0/debian/changelog python-certbot-0.31.0/debian/changelog
--- python-certbot-0.31.0/debian/changelog 2019-02-09 19:39:59.000000000 -0500
+++ python-certbot-0.31.0/debian/changelog 2020-12-04 21:33:11.000000000 -0500
@@ -1,3 +1,15 @@
+python-certbot (0.31.0-1~deb10u1) buster; urgency=high
+
+ * Switch to use of ACMEv2 API to prevent renewal failures. (Closes: #971045)
+
+ Let's Encrypt's ACMEv1 API is deprecated and in the process of being
+ shut down. Beginning with brownouts in January 2021, and ending with a
+ total shutdown in June 2021, the Let's Encrypt APIs will become
+ unavailable. To prevent users having disruptions to their certificate
+ renewals, this update backports the switch over to the ACMEv2 API.
+
+ -- Harlan Lieberman-Berg <hlieber...@debian.org> Fri, 04 Dec 2020 21:33:11 -0500
+
 python-certbot (0.31.0-1) unstable; urgency=medium
 
 * New upstream version 0.31.0
diff -Nru python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch
--- python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch 1969-12-31 19:00:00.000000000 -0500
+++ python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch 2020-12-04 21:30:36.000000000 -0500
@@ -0,0 +1,88 @@
+From 8a15bd7927e2b8956bb1f4d062423e471e473ccf Mon Sep 17 00:00:00 2001
+From: Alex Zorin <a...@zorin.id.au>
+Date: Thu, 21 May 2020 22:58:40 +1000
+Subject: [PATCH 1/2] renewal: disregard acme-v01 in renewal configs
+
+Fixes #7979
+---
+ certbot/_internal/constants.py | 2 ++
+ certbot/_internal/renewal.py | 17 +++++++++++++++--
+ certbot/tests/renewal_test.py | 8 ++++++++
+ 3 files changed, 25 insertions(+), 2 deletions(-)
+
+Index: python-certbot/certbot/constants.py
+===================================================================
+--- python-certbot.orig/certbot/constants.py
++++ python-certbot/certbot/constants.py
+@@ -120,6 +120,8 @@ CLI_DEFAULTS = dict(
+ )
+ STAGING_URI = "https://acme-staging-v02.api.letsencrypt.org/directory"
+ 
++V1_URI = "https://acme-v01.api.letsencrypt.org/directory"
++
+ # The set of reasons for revoking a certificate is defined in RFC 5280 in
+ # section 5.3.1. The reasons that users are allowed to submit are restricted to
+ # those accepted by the ACME server implementation. They are listed in
+Index: python-certbot/certbot/renewal.py
+===================================================================
+--- python-certbot.orig/certbot/renewal.py
++++ python-certbot/certbot/renewal.py
+@@ -17,6 +17,7 @@ import OpenSSL
+ from acme.magic_typing import List # pylint: disable=unused-import, no-name-in-module
+ 
+ from certbot import cli
++from certbot import constants
+ from certbot import crypto_util
+ from certbot import errors
+ from certbot import interfaces
+@@ -247,16 +248,28 @@ def _restore_int(name, value):
+ raise errors.Error("Expected a numeric value for {0}".format(name))
+ 
+ 
+-def _restore_str(unused_name, value):
++def _restore_str(name, value):
+ """Restores an string key-value pair from a renewal config file.
+ 
+- :param str unused_name: option name
++ :param str name: option name
+ :param str value: option value
+ 
+ :returns: converted option value to be stored in the runtime config
+ :rtype: str or None
+ 
+ """
++ # Previous to v0.5.0, Certbot always stored the `server` URL in the renewal config,
++ # resulting in configs which explicitly use the deprecated ACMEv1 URL, today
++ # preventing an automatic transition to the default modern ACME URL.
++ # (https://github.com/certbot/certbot/issues/7978#issuecomment-625442870)
++ # As a mitigation, this function reinterprets the value of the `server` parameter if
++ # necessary, replacing the ACMEv1 URL with the default ACME URL. It is still possible
++ # to override this choice with the explicit `--server` CLI flag.
++ if name == "server" and value == constants.V1_URI:
++ logger.info("Using server %s instead of legacy %s",
++ constants.CLI_DEFAULTS["server"], value)
++ return constants.CLI_DEFAULTS["server"]
++
+ return None if value == "None" else value
+ 
+ 
+Index: python-certbot/certbot/tests/renewal_test.py
+===================================================================
+--- python-certbot.orig/certbot/tests/renewal_test.py
++++ python-certbot/certbot/tests/renewal_test.py
+@@ -31,6 +31,15 @@ class RenewalTest(test_util.ConfigTestCa
+ renewal._restore_webroot_config(config, renewalparams)
+ self.assertEqual(config.webroot_path, ['/var/www/'])
+ 
++ @mock.patch('certbot.renewal.cli.set_by_cli')
++ def test_ancient_server_renewal_conf(self, mock_set_by_cli):
++ from certbot import constants
++ self.config.server = None
++ mock_set_by_cli.return_value = False
++ from certbot.renewal import restore_required_config_elements
++ restore_required_config_elements(self.config, {'server': constants.V1_URI})
++ self.assertEqual(self.config.server, constants.CLI_DEFAULTS['server'])
++
+ 
+ class RestoreRequiredConfigElementsTest(test_util.ConfigTestCase):
+ """Tests for certbot.renewal.restore_required_config_elements."""
diff
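Review bot: The new `if name == "server" and value == constants.V1_URI:` check in `_restore_str` is an exact string comparison, so a renewal config that stores any other spelling of the retired endpoint (a trailing slash, or the v1 staging directory) is passed through untouched and will still break once the v1 API is switched off; if the buster backport is meant to cover those configs as well, normalising `value` before the comparison or listing the v1 staging URI next to `V1_URI` would close that gap, and the single added test only exercises the exact production URI. The embedded patch header still carries the upstream diffstat (`certbot/_internal/constants.py`, `certbot/_internal/renewal.py`) while the `Index:` lines actually patch `certbot/constants.py` and `certbot/renewal.py`, which will confuse the next person rebasing it; regenerating the diffstat or adding DEP-3 headers such as `Origin: backport, https://github.com/certbot/certbot/commit/8a15bd7927e2b8956bb1f4d062423e471e473ccf` and `Bug-Debian: https://bugs.debian.org/971045` would record the provenance. Since this rewrite changes which ACME directory a renewal contacts based on a value read from the renewal config, the `logger.info("Using server %s instead of legacy %s", ...)` line is worth keeping at info level so the substitution is visible in operators' renewal logs rather than silent.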
-Nru python-certbot-0.31.0/debian/patches/series python-certbot-0.31.0/debian/patches/series
--- python-certbot-0.31.0/debian/patches/series 2019-02-05 22:13:56.000000000 -0500
+++ python-certbot-0.31.0/debian/patches/series 2020-12-04 21:30:27.000000000 -0500
@@ -1 +1,2 @@
 0001-remove-external-images.patch
+0002-acmev2-api.patch