Your message dated Sat, 09 Jan 2021 22:33:43 +0000
with message-id <[email protected]>
and subject line Bug#971045: fixed in python-certbot 0.31.0-1+deb10u1
has caused the Debian Bug report #971045,
regarding Certbot will stop working for 2,220 users with upcoming Let's Encrypt
deprecation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
971045: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971045
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python3-certbot
Version: 0.28.0-1~deb9u2
Let’s Encrypt is in the process of shutting down ACMEv1. The full shutdown process will be completed in June 2021 with temporary brown-outs starting at the beginning of the year; more specific details are available at https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430.
When ACMEv1 is shut down, many older versions of Certbot will be unable to get new certificates. ACMEv2 support was first made default in 0.26.0 for new certificates, but it wasn’t until 1.6.0 that certificates which had originally been issued using ACMEv1 were transitioned to ACMEv2. The original update was supposed to move people off of ACMEv1, but due to some old configuration management code, we missed a small group of early Certbot users.
Based on recent counts, there are a total of 2,220 distinct non-EOL Debian users still using ACMEv1 who use the version of Certbot packaged in their system’s package manager (1,665 users of 0.28.0 on debian 9 stretch and 555 users of 0.31.0 on debian 10 buster) that will encounter this issue. These users will no longer receive certs in June, but would be automatically upgraded to ACMEv2 if the package for their system were updated.
The commit that switches ACMEv1 users to ACMEv2 is here:
https://github.com/certbot/certbot/commit/340a4280eacc3eac8915996d89ff0c0a0cd023f9
One option to address the upcoming shutdown is to backport the commit into older versions of Certbot.
Another option to address the shutdown, which is preferable from our perspective, would be to update Certbot to 1.6.0+. First, there’s the inherent risk in backporting an individual change, especially onto much older code. Released versions are tested extensively both on our systems and by our users, so we’re much more sure of their stability than a backported patch. Additionally, Certbot continues to improve over time, closing up bugs, supporting more edge cases, improving usability, and offering more robust and modern security practices.
Since we made backwards incompatible changes in 0.40.0 and 1.0.0, to update Certbot to a newer version, our other components will have to be updated as well. Certbot relies on our other libraries `acme` and `josepy`, and we have a series of plugins which will need to be updated as well, including the `certbot-nginx` and `certbot-apache` plugins, as well as our `certbot-dns-*` plugins. Certbot 1.0.0 in particular contained significant API changes, and if any of our packages are updated to 1.0.0 or newer, it will probably be easiest to update all of them. josepy may be fine depending on the version of certbot, as certbot 1.0.0 relies on `josepy>=1.1.0`, which is already available packaged on all relevant systems. But Certbot 1.0.0 also requires `acme>=0.40.0`, which is only one release behind 1.0.0, so it would probably be easier to update it to a matching version. Basically, I would recommend choosing a certbot version, then updating `acme`, `certbot-nginx`, `certbot-apache`, and `certbot-dns-*` to that version. None of our 3rd party dependencies should need to be updated.
One thing to note when choosing a version is that Certbot 1.7.0 deprecated Python 3.5 support, which may be necessary on older systems, so 1.6.0 may be a better choice than later versions on older systems.
Certbot 0.40.0 and 1.0.0 introduced backwards incompatible changes; these include:
* CLI flags `--tls-sni-01-port` and `--tls-sni-01-address` have been removed.
* The values `tls-sni` and `tls-sni-01` for the `--preferred-challenges` flag are no longer accepted.
* Removed the flags: `--agree-dev-preview`, `--dialog`, and `--apache-init-script`
* Certbot's `config_changes` subcommand has been removed
* `certbot.plugins.common.TLSSNI01` has been removed.
* Deprecated attributes related to the TLS-SNI-01 challenge in `acme.challenges` and `acme.standalone` have been removed.
* The functions `certbot.client.view_config_changes`, `certbot.main.config_changes`, `certbot.plugins.common.Installer.view_config_changes`, `certbot.reverter.Reverter.view_config_changes`, and `certbot.util.get_systemd_os_info` have been removed
* Certbot's `register --update-registration` subcommand has been removed
* When possible, default to automatically configuring the webserver so all requests redirect to secure HTTPS access. This is mostly relevant when running Certbot in non-interactive mode. Previously, the default was to not redirect all requests.
--- End Message ---
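An administrator can find the certificates affected by the shutdown described in the report above by checking which renewal configurations still name the ACMEv1 endpoint. The following is an added example, not part of the bug report or of Certbot's code; it assumes the renewal files live in a directory such as `/etc/letsencrypt/renewal`, that each stores its endpoint as `server` under `[renewalparams]`, and that the production ACMEv1 host is `acme-v01.api.letsencrypt.org` (none of these names appear in the report).

```python
"""Added example: list Certbot lineages whose renewal config still names ACMEv1."""
import pathlib
import tempfile
from urllib.parse import urlsplit

# Assumption (not stated in the report): Let's Encrypt's production ACMEv1 host.
ACMEV1_HOSTS = {"acme-v01.api.letsencrypt.org"}


def renewal_server(text):
    """Return the `server` value from the [renewalparams] section, or None.

    Renewal files start with section-less keys, which configparser rejects,
    so the text is scanned line by line instead.
    """
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "renewalparams" and key.strip() == "server":
            return value.strip()
    return None


def acmev1_lineages(renewal_dir):
    """Names of lineages under renewal_dir whose server is an ACMEv1 host."""
    hits = []
    for conf in sorted(pathlib.Path(renewal_dir).glob("*.conf")):
        server = renewal_server(conf.read_text(encoding="utf-8"))
        # A file with no server key is not flagged.
        if server and urlsplit(server).hostname in ACMEV1_HOSTS:
            hits.append(conf.stem)
    return hits


def demo():
    """Run the audit over two constructed renewal files."""
    v1 = "version = 0.28.0\n[renewalparams]\nserver = https://acme-v01.api.letsencrypt.org/directory\n"
    v2 = "version = 0.31.0\n[renewalparams]\nserver = https://acme-v02.api.letsencrypt.org/directory\n"
    with tempfile.TemporaryDirectory() as d:
        pathlib.Path(d, "old.example.conf").write_text(v1, encoding="utf-8")
        pathlib.Path(d, "new.example.conf").write_text(v2, encoding="utf-8")
        return acmev1_lineages(d)
```

Lineages reported by `acmev1_lineages` are the ones that depend on the packaged Certbot being updated before the shutdown.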
--- Begin Message ---
Source: python-certbot
Source-Version: 0.31.0-1+deb10u1
Done: Harlan Lieberman-Berg <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-certbot, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Harlan Lieberman-Berg <[email protected]> (supplier of updated
python-certbot package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 04 Dec 2020 21:33:11 -0500
Source: python-certbot
Architecture: source
Version: 0.31.0-1+deb10u1
Distribution: buster
Urgency: high
Maintainer: Debian Let's Encrypt <[email protected]>
Changed-By: Harlan Lieberman-Berg <[email protected]>
Closes: 971045
Changes:
python-certbot (0.31.0-1+deb10u1) buster; urgency=high
.
* Switch to use of ACMEv2 API to prevent renewal failures. (Closes: #971045)
.
Let's Encrypt's ACMEv1 API is deprecated and in the process of being
shut down. Beginning with brownouts in January 2021, and ending with a
total shutdown in June 2021, the Let's Encrypt APIs will become
unavailable. To prevent users having disruptions to their certificate
renewals, this update backports the switch over to the ACMEv2 API.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---