[Bug 1893274] Re: Certbot will stop working for 23,847 users with upcoming Let's Encrypt deprecation

2020-11-17 Thread Brad Warren
Thank you for resolving this well before Let's Encrypt's brownouts! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1893274 Title: Certbot will stop working for 23,847 users with upcoming Let's

[Bug 1893274] Re: Certbot will stop working for 23,847 users with upcoming Let's Encrypt deprecation

2020-11-02 Thread Brad Warren
Testing this is pretty tricky because it's specific to the setup of Let's Encrypt's production ACMEv1 endpoint which no longer lets people create accounts or obtain certificates for new domains and we hardcoded the server URL. The way I'd test it is: 1. Obtain a real, trusted certificate from

[Bug 1893274] Re: Certbot will stop working for 23,847 users with upcoming Let's Encrypt deprecation

2020-10-29 Thread Brad Warren
> Brad, I'd appreciate your review wrt. your comment in https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1875471/comments/8 please. AIUI, I'm not breaking python-certbot-apache itself, just its tests, right? In other words, with my proposed fix I'm just moving a test failure

[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies

2020-05-19 Thread Brad Warren
Thanks again for quickly helping with this issue everyone.

[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies

2020-05-13 Thread Brad Warren
I tested the proposed package successfully without any issues. I also examined the changes to our upstream files included in the package and they are what I expected. It's our 0.40.0 certbot-nginx package with one test change backported from a newer version.

[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies

2020-05-13 Thread Brad Warren
The package I tested was python3-certbot-nginx 0.40.0-0ubuntu0.1.

[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies

2020-05-06 Thread Brad Warren
Fantastic! Thanks again Andreas.

[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies

2020-05-05 Thread Brad Warren
To offer one other option based on my previous comments while trying to keep things simple, I think in the short term you could also go with: d) Update just python-certbot-nginx to 0.40.0 and apply this patch to python-certbot-nginx's tests:

[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies

2020-05-04 Thread Brad Warren
I think changing the build-dep to python3-idna << 2.9 is acceptable. It looks like we hit a similar problem with the last SRU and I described the problem and how to fix the specific issue at the time at https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/1836823/comments/23. In this case,

[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies

2020-04-28 Thread Brad Warren
Thanks a lot for quickly working on this issue Andreas. Applying that commit to python-certbot 0.40.0-1 in addition to the python-certbot-nginx changes would fix both python-certbot and python-certbot-nginx's tests, however, it would break python-certbot-apache in normal usage outside of tests

[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies

2020-04-27 Thread Brad Warren
At the risk of sending the discussion in this issue off topic, I looked into other potential problems with the Certbot packages in Focal/Groovy since they've been being held back. I'm happy to move this discussion somewhere else if people prefer. In the current state in Focal/Groovy, the tests we

[Bug 1875471] [NEW] python3-certbot-nginx is incompatible with its dependencies

2020-04-27 Thread Brad Warren
Public bug reported: This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04. To reproduce the problem, install python3-certbot-nginx and run a command like: sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx This

[Bug 1837673] Re: Certbot will be unable to create new ACME accounts

2019-10-29 Thread Brad Warren
Just a reminder that in https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/3, Let's Encrypt moved the date where they would be making this change permanently to October 31st instead of November 1st.

[Bug 1836823] Re: python-acme will break on November 1st

2019-10-29 Thread Brad Warren
We also uploaded very similar packages to the SRU here to our PPA [1] that has tens/hundreds of thousands of users on Friday and received no bug reports. [1] https://launchpad.net/~certbot/+archive/ubuntu/certbot

[Bug 1837673] Re: Certbot will be unable to create new ACME accounts

2019-10-21 Thread Brad Warren
I tested this finding no problems using the same approach described in https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/comments/11. The output of dpkg-query about the relevant installed packages was: Xenial: certbot 0.27.0-1~ubuntu16.04.1 letsencrypt 0.27.0-1~ubuntu16.04.1

[Bug 1836823] Re: python-acme will break on November 1st

2019-10-21 Thread Brad Warren
I tested this finding no problems using the same approach described in https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/1836823/comments/32. The output of dpkg-query about the relevant installed packages was: Xenial: certbot 0.27.0-1~ubuntu16.04.1 letsencrypt 0.27.0-1~ubuntu16.04.1

[Bug 1837673] Re: Certbot will be unable to create new ACME accounts

2019-10-10 Thread Brad Warren
I tested the packages in the PPA on Ubuntu 16.04 and 18.04 using the steps described at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process. When testing, if you start with a clean /var/log/letsencrypt directory and don't include any flags to change the default server

[Bug 1836823] Re: python-acme will break on November 1st

2019-10-10 Thread Brad Warren
I tested the packages in the PPA on Ubuntu 16.04, 18.04, and 19.04 using the steps described at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process. When testing against Let's Encrypt's ACMEv2 server (which is the default if you use the Certbot package from the PPA or

[Bug 1836823] Re: python-acme will break on November 1st

2019-10-07 Thread Brad Warren
> * The ndg-httpsclient and pyasn1 dependency should be added back. I would recommend having the python(3)-ndg-httpsclient and python(3)-pyasn1 dependency. It looks like the python(3)-ndg-httpsclient dependency is already there in

[Bug 1837673] Re: Certbot will be unable to create new ACME accounts

2019-10-04 Thread Brad Warren
> Their py2 counterparts are of course available, but this means we won't be producing python3-certbot packages, just python-certbot (if 0.27.0 works with py2, that is). I personally think this is fine. We just have to make sure the "certbot" package depends on and uses python-certbot rather than

[Bug 1836823] Re: python-acme will break on November 1st

2019-10-03 Thread Brad Warren
To summarize some conversation that happened in the #certbot-dev IRC channel on Freenode to make sure everyone sees it, the python-cryptography and python-idna requirements come from python-acme's dependency on requests "security" extras which we declare at

[Bug 1836823] Re: python-acme will break on November 1st

2019-10-03 Thread Brad Warren
I also think it's worth noting that the version of python-acme currently in Xenial has this same requirement on requests "security" extras: https://github.com/certbot/certbot/blob/v0.22.2/acme/setup.py#L21

[Bug 1837673] Re: Certbot will be unable to create new ACME accounts

2019-10-03 Thread Brad Warren
To fix the issues building the python-certbot-doc package on Xenial, you essentially want to revert the commit https://github.com/certbot/certbot/commit/d8057f0e17dc757fae662dad91a6fedc96ad6a2d.

[Bug 1836823] Re: python-acme will break on November 1st

2019-10-03 Thread Brad Warren
I'm not sure where those requirements are coming from in the .deb packages, but neither of those dependencies should need to be updated. We test with both cryptography 1.2.3 and idna 2.0 for the purpose of keeping compatibility with the packages in Xenial.

[Bug 1837673] Re: Certbot will be unable to create new ACME accounts

2019-09-30 Thread Brad Warren
Let's Encrypt just announced brown-outs where they will be temporarily making this change at https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/3.

[Bug 1836823] Re: python-acme will break on November 1st

2019-09-16 Thread Brad Warren
> fill out Major Changes based on upstream release notes and understanding. Could Brad perhaps help with this? Happy to help here. There are no backwards incompatible API changes being made. All changes are either new features or fixes to keep the library's behavior compatible with the ACME

[Bug 1836823] Re: python-acme will break on November 1st

2019-08-28 Thread Brad Warren
I trust your judgement here, but for what it's worth, from the standpoint of our code upstream, 0.36.0 should contain all the changes made in 0.31.0-2.

[Bug 1837673] Re: Certbot will be unable to create new ACME accounts

2019-07-23 Thread Brad Warren
I forgot to mention two potential hurdles: 1. python-acme needs to be updated before backporting python-certbot. This needs to be done anyway by November though as described at https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/1836823. 2. One potential problem for Xenial is that the

[Bug 1837673] [NEW] Certbot will be unable to create new ACME accounts

2019-07-23 Thread Brad Warren
Public bug reported: This bug affects the python-certbot packages in Xenial and Bionic. Cosmic and newer is unaffected. To do almost anything in the ACME protocol used by Let's Encrypt and Certbot including obtaining and revoking certificates, you need to first create an account with the ACME

[Bug 1836823] Re: python-acme will break on November 1st

2019-07-17 Thread Brad Warren
** Changed in: python-acme (Ubuntu) Status: New => Fix Released

[Bug 1836823] [NEW] python-acme will break on November 1st

2019-07-16 Thread Brad Warren
Public bug reported: This bug affects the python-acme package in all released versions of Ubuntu. The python-acme package will no longer work with Let’s Encrypt’s “ACMEv2” endpoint which is their RFC 8555 compliant endpoint starting November 1st. See

[Bug 1640978] Re: [SRU] Backport letsencrypt from bionic

2019-02-27 Thread Brad Warren
I successfully ran the integration tests described at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The packages that were used for testing were: certbot 0.23.0-1~ubuntu16.04.1 letsencrypt 0.23.0-1~ubuntu16.04.1 python-acme 0.22.2-1ubuntu0.1~16.04.1 python-certbot

[Bug 1640978] Re: [SRU] Backport letsencrypt from bionic

2019-02-15 Thread Brad Warren
Test script passes on the new packages in the PPA.

[Bug 1640978] Re: [SRU] Backport letsencrypt from bionic

2019-02-13 Thread Brad Warren
I tried manually installing packages from the PPA and running https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript but the script failed because the Certbot systemd timer wasn't found.

[Bug 1640978] Re: [SRU] Backport letsencrypt from bionic

2019-02-11 Thread Brad Warren
> I assume that the patch from 0.22.2-1ubuntu0.1 needs to be included. Yes, I think this patch should be included. The packages in 18.04 included support for Let's Encrypt's newer endpoint, however, this feature is broken without this patch. Thanks for catching this. The updated tests now test

[Bug 1640978] Re: [SRU] Backport letsencrypt from bionic

2019-02-08 Thread Brad Warren
I updated and added additional checks to the test script at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript including tests for all four of the areas Robie flagged in his most recent post.

[Bug 1640978] Re: [SRU] Backport letsencrypt 0.14.2

2018-10-22 Thread Brad Warren
Unless we want this package to suddenly break for approximately 10,000 users in February, I think we probably want to do an SRU to Certbot version 0.21.1 or higher. I wrote more about the problem in the relevant issue at https://bugs.launchpad.net/ubuntu/+source/python-letsencrypt/+bug/1745126.

[Bug 1745126] Re: Let's Encrypt has permanently disabled TLS-SNI challenge. Package not compatible any more with LE

2018-10-22 Thread Brad Warren
I work at EFF and am an upstream developer of Certbot. This issue has jumped in priority now that TLS-SNI support will be dropped on February 13th, 2019. See https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209. While the TLS-SNI challenge

[Bug 1640978] Re: [SRU] Backport letsencrypt 0.14.2

2018-06-29 Thread Brad Warren
As a developer of letsencrypt/certbot, it'll be pretty disappointing to us if we can't get some kind of update here. In addition to the many bugs listed in the original description that would be fixed by this SRU, the python-letsencrypt-apache package has been unable to obtain new certificates since

[Bug 1777205] Re: python-acme to start crashing on June 19th

2018-06-20 Thread Brad Warren
> Simon tells me this is already fixed in Cosmic. That is correct. The only affected versions of python-acme are in the range [0.22.0 - 0.25.0). Thanks for helping us resolve this quickly!

[Bug 1777205] Re: python-acme to start crashing on June 19th

2018-06-20 Thread Brad Warren
What still needs to be done to get this released? Let's Encrypt's change went live yesterday and this bug can be easily reproduced. Probably the easiest way to do this is to set up an Ubuntu 18.04 server that is reachable on port 80 with nothing currently listening to the port and a public domain

[Bug 1777205] Re: python-acme to start crashing on June 19th

2018-06-17 Thread Brad Warren
I agree that this should be released early if possible. The diff at https://launchpadlibrarian.net/374731991/python-acme_0.22.2-1_0.22.2-1ubuntu0.1.diff.gz looks good and I tested this successfully using a modified version of https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript. The

[Bug 1777205] [NEW] python-acme to start crashing on June 19th

2018-06-15 Thread Brad Warren
Public bug reported: I am the upstream maintainer of python-acme. This bug only affects python-acme in Ubuntu 18.04. Starting on June 19th, this library will start failing when used with Let's Encrypt's new ACMEv2 endpoint. This is because the library does not recognize the changes described in

[Bug 1640978] Re: [SRU] Backport letsencrypt 0.14.2

2017-10-02 Thread Brad Warren
While I didn't look any more into the build failure for the letsencrypt package (let me know if you'd like me to), I added a check to https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript testing that a symlink is properly created in the user's PATH. The test passes on the letsencrypt

[Bug 1640978] Re: [SRU] Backport letsencrypt 0.14.2

2017-09-19 Thread Brad Warren
Thanks for approving the binary. Tests passed for the proposed Xenial packages using https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript.

[Bug 1640978] Re: [SRU] Backport letsencrypt 0.14.2

2017-09-18 Thread Brad Warren
Unfortunately the test script at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript cannot be used to test the Xenial packages yet because the python-certbot-nginx binary still needs to be accepted. See https://launchpad.net/ubuntu/xenial/+queue. Is someone able to approve this

[Bug 1640978] Re: [SRU] Backport letsencrypt 0.14.2

2017-08-11 Thread Brad Warren
I just successfully ran the test script I provided earlier on the proposed Ubuntu Zesty packages. I had to make a couple modifications to properly install the packages from the proposed archive. An updated version of the script is attached. ** Attachment added: "ubuntu-test.sh"

[Bug 1640978] Re: [SRU] Backport letsencrypt 0.14.1

2017-07-19 Thread Brad Warren
Sorry for the 2nd message. I just noticed I missed the shebang line when I copied my script and having `set -e` is important. I was using `#!/bin/bash -xe`.

[Bug 1640978] Re: [SRU] Backport letsencrypt 0.14.1

2017-07-19 Thread Brad Warren
Below is a draft of the instructions for how to run integration tests on the proposed Certbot packages. Two comments about this script: 1. I'm not sure if there's a better way to get the Ubuntu codename or how reliable the method I'm using is. 2. I don't know if the way I'm installing the

[Bug 1640978] Re: [SRU] Backport letsencrypt 0.9.3

2017-03-16 Thread Brad Warren
Small update: If we go with mitigation 0, we won't be using python-filelock. We'll either use an existing Python file locking module packaged in Ubuntu or add our own code that implements lockfiles to Certbot.

[Bug 1640978] Re: [SRU] Backport letsencrypt 0.9.3

2017-03-02 Thread Brad Warren
Here's a link to the changelog: https://github.com/certbot/certbot/blob/master/CHANGELOG.md