On Fri, Jan 1, 2021 at 12:14 PM Adam D. Barratt <a...@adam-barratt.org.uk> wrote: > That version number is lower than the package currently in buster. You > want 0.31.0-1+deb10u1.
Indeed I do! New debdiff attached.

> + * Switch to use of ACMEv2 API to prevent renewal failures. (Closes:
> #971045)
>
> The metadata for that bug implies that it affects the package in
> unstable. I'm assuming that's simply an oversight? If so, please add an
> appropriate fixed version. (I'm not entirely sure why it was cloned
> from #969126 either, but that's not directly relevant here.)

Correct. I cloned the bug so I could track the fix in oldstable and the fix in stable separately, just to make sure I didn't miss one when the autoclose happened. I've updated the version numbers to show the fix in unstable (and to remove the reference to oldstable in the stable issue).

> The next point release is likely to be in early February. Assuming the
> plan outlined at
> https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430
> is still current, it sounds like there will be one brown-out for v1 before
> that point, possibly two if we're unlucky with timing. Are we anticipating
> that being enough of an issue to warrant pushing the update via
> stable-updates before the point release?

It's not great, but I also don't think it's necessarily worth fixing through s-u (stable-updates). I'll reach out to the ISRG folks and see what their specific timing is like for doing the brownouts. I may be able to encourage them to nudge it backwards into February.

Sincerely,
-- 
Harlan Lieberman-Berg
~hlieberman
diff -Nru python-certbot-0.31.0/debian/changelog python-certbot-0.31.0/debian/changelog
--- python-certbot-0.31.0/debian/changelog 2019-02-09 19:39:59.000000000 -0500
+++ python-certbot-0.31.0/debian/changelog 2020-12-04 21:33:11.000000000 -0500
@@ -1,3 +1,15 @@
+python-certbot (0.31.0-1+deb10u1) buster; urgency=high
+
+  * Switch to use of ACMEv2 API to prevent renewal failures. (Closes: #971045)
+
+    Let's Encrypt's ACMEv1 API is deprecated and in the process of being
+    shut down. Beginning with brownouts in January 2021, and ending with a
+    total shutdown in June 2021, the Let's Encrypt APIs will become
+    unavailable. To prevent users having disruptions to their certificate
+    renewals, this update backports the switch over to the ACMEv2 API.
+
+ -- Harlan Lieberman-Berg <hlieber...@debian.org>  Fri, 04 Dec 2020 21:33:11 -0500
+
 python-certbot (0.31.0-1) unstable; urgency=medium
 
   * New upstream version 0.31.0
diff -Nru python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch
--- python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch 1969-12-31 19:00:00.000000000 -0500
+++ python-certbot-0.31.0/debian/patches/0002-acmev2-api.patch 2020-12-04 21:33:11.000000000 -0500
@@ -0,0 +1,88 @@
+From 8a15bd7927e2b8956bb1f4d062423e471e473ccf Mon Sep 17 00:00:00 2001
+From: Alex Zorin <a...@zorin.id.au>
+Date: Thu, 21 May 2020 22:58:40 +1000
+Subject: [PATCH 1/2] renewal: disregard acme-v01 in renewal configs
+
+Fixes #7979
+---
+ certbot/_internal/constants.py | 2 ++
+ certbot/_internal/renewal.py | 17 +++++++++++++++--
+ certbot/tests/renewal_test.py | 8 ++++++++
+ 3 files changed, 25 insertions(+), 2 deletions(-)
+
+Index: python-certbot/certbot/constants.py
+===================================================================
+--- python-certbot.orig/certbot/constants.py
++++ python-certbot/certbot/constants.py
+@@ -120,6 +120,8 @@ CLI_DEFAULTS = dict(
+ )
+ STAGING_URI = "https://acme-staging-v02.api.letsencrypt.org/directory"
+ 
++V1_URI = "https://acme-v01.api.letsencrypt.org/directory"
++
+ # The set of reasons for revoking a certificate is defined in RFC 5280 in
+ # section 5.3.1. The reasons that users are allowed to submit are restricted to
+ # those accepted by the ACME server implementation. They are listed in
+Index: python-certbot/certbot/renewal.py
+===================================================================
+--- python-certbot.orig/certbot/renewal.py
++++ python-certbot/certbot/renewal.py
+@@ -17,6 +17,7 @@ import OpenSSL
+ from acme.magic_typing import List # pylint: disable=unused-import, no-name-in-module
+ 
+ from certbot import cli
++from certbot import constants
+ from certbot import crypto_util
+ from certbot import errors
+ from certbot import interfaces
+@@ -247,16 +248,28 @@ def _restore_int(name, value):
+         raise errors.Error("Expected a numeric value for {0}".format(name))
+ 
+ 
+-def _restore_str(unused_name, value):
++def _restore_str(name, value):
+     """Restores an string key-value pair from a renewal config file.
+ 
+-    :param str unused_name: option name
++    :param str name: option name
+     :param str value: option value
+ 
+     :returns: converted option value to be stored in the runtime config
+     :rtype: str or None
+ 
+     """
++    # Previous to v0.5.0, Certbot always stored the `server` URL in the renewal config,
++    # resulting in configs which explicitly use the deprecated ACMEv1 URL, today
++    # preventing an automatic transition to the default modern ACME URL.
++    # (https://github.com/certbot/certbot/issues/7978#issuecomment-625442870)
++    # As a mitigation, this function reinterprets the value of the `server` parameter if
++    # necessary, replacing the ACMEv1 URL with the default ACME URL. It is still possible
++    # to override this choice with the explicit `--server` CLI flag.
++    if name == "server" and value == constants.V1_URI:
++        logger.info("Using server %s instead of legacy %s",
++                    constants.CLI_DEFAULTS["server"], value)
++        return constants.CLI_DEFAULTS["server"]
++
+     return None if value == "None" else value
+ 
+ 
+Index: python-certbot/certbot/tests/renewal_test.py
+===================================================================
+--- python-certbot.orig/certbot/tests/renewal_test.py
++++ python-certbot/certbot/tests/renewal_test.py
+@@ -31,6 +31,15 @@ class RenewalTest(test_util.ConfigTestCa
+         renewal._restore_webroot_config(config, renewalparams)
+         self.assertEqual(config.webroot_path, ['/var/www/'])
+ 
++    @mock.patch('certbot.renewal.cli.set_by_cli')
++    def test_ancient_server_renewal_conf(self, mock_set_by_cli):
++        from certbot import constants
++        self.config.server = None
++        mock_set_by_cli.return_value = False
++        from certbot.renewal import restore_required_config_elements
++        restore_required_config_elements(self.config, {'server': constants.V1_URI})
++        self.assertEqual(self.config.server, constants.CLI_DEFAULTS['server'])
++
+ 
+ class RestoreRequiredConfigElementsTest(test_util.ConfigTestCase):
+     """Tests for certbot.renewal.restore_required_config_elements."""
diff -Nru python-certbot-0.31.0/debian/patches/series python-certbot-0.31.0/debian/patches/series
--- python-certbot-0.31.0/debian/patches/series 2019-02-05 22:13:56.000000000 -0500
+++ python-certbot-0.31.0/debian/patches/series 2020-12-04 21:33:11.000000000 -0500
@@ -1 +1,2 @@
 0001-remove-external-images.patch
+0002-acmev2-api.patch
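Review bot: The remap added to `_restore_str` in the renewal.py hunk fires only on an exact string match against the production ACMEv1 directory URL, so a renewal config whose `server` value is any other legacy spelling — most plausibly the ACMEv1 staging directory — passes through unchanged and will still be sent to the deprecated endpoint once it is switched off. A small lookup table would cover this without widening the override semantics the comment describes, e.g. in constants.py `LEGACY_SERVERS = {V1_URI: CLI_DEFAULTS["server"]}` (adding the v1 staging URL mapped to `STAGING_URI` if that case should be handled too) and in renewal.py `if name == "server" and value in constants.LEGACY_SERVERS:` returning `constants.LEGACY_SERVERS[value]` after the existing `logger.info`. Separately, the diffstat copied from the upstream commit no longer describes the refreshed hunks (it lists `certbot/_internal/...` paths and 8 lines for renewal_test.py, while the `Index:` hunks touch `certbot/...` and the test hunk adds 9), so trimming it and adding DEP-3 `Origin:` and `Bug-Debian:` fields would keep the patch self-describing. The upstream Subject reads `[PATCH 1/2]`; if the companion commit is needed for the backport it is not part of this debdiff, which is worth confirming.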