Your message dated Mon, 22 Feb 2021 03:03:29 +0000
with message-id <[email protected]>
and subject line Bug#970800: fixed in lacme 0.8.0-1
has caused the Debian Bug report #970800,
regarding lacme: allow direct use challenge-directory .well-known/acme-challenge
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
970800: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970800
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lacme
Version: 0.5-1
Severity: wishlist
Tags: patch upstream

Dear Maintainer,

In our setup multiple http-servers can be used to serve a random file.
For the static files, the storage is synchronized filesystem replication.

When lacme creates a challenge-response for a new certificate, it is
unclear which of the external servers will serve that request. Due to
the replication, all of the servers could have access to the challenge
file, but currently lacme only creates a symlink into a temporary
directory.

The attached patch adds a new configuration option
`hard-copy-challenge-directory`,
which will drop the temporary file and handle the acme-challenge
directory directly.

best regards

-- System Information:
Debian Release: 10.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-10-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lacme depends on:
ii  libconfig-tiny-perl       2.23-1
ii  libjson-perl              4.02000-1
ii  libnet-ssleay-perl        1.85-2+b1
ii  libtypes-serialiser-perl  1.0-1
ii  libwww-perl               6.36-2
ii  openssl                   1.1.1d-1+0~20191009.15+debian9~1.gbpd6badf
ii  perl                      5.28.1-6+deb10u1

Versions of packages lacme recommends:
ii  lacme-accountd              0.6-1
ii  liblwp-protocol-https-perl  6.07-2

lacme suggests no packages.

-- Configuration Files:
/etc/lacme/lacme.conf changed [not included]

-- no debconf information

--- a/config/lacme.conf 2020-09-23 14:14:46.274311863 +0200
+++ b/config/lacme.conf 2020-09-23 14:16:19.324643678 +0200
@@ -86,6 +86,10 @@
 #
 #challenge-directory =
 
+# Do not symlink the challenge-directory, but copy the challenge-files
+# explictly
+#hard-copy-challenge-directory = Yes
+
 # username to drop privileges to (setting both effective and real uid).
 # Preserve root privileges if the value is empty (not recommended).
 #
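Review bot: the comment on the new option says the challenge files are copied "explictly" (typo: explicitly), but the lacme hunk below does no copying: it creates `challenge-directory` itself with `mkdir` and writes the challenge files there, then removes the whole directory with `remove_tree` on cleanup. Suggest wording the comment to match, e.g. `# Create challenge-directory in place (and remove it on exit) instead of symlinking it to a temporary directory`, so an administrator pointing the option at a shared directory knows it will be deleted afterwards.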
--- a/lacme     2020-09-23 14:16:28.124864204 +0200
+++ b/lacme     2020-09-23 16:14:21.456006087 +0200
@@ -28,6 +28,7 @@
 use Errno 'EINTR';
 use Fcntl qw/F_GETFD F_SETFD FD_CLOEXEC SEEK_SET/;
 use File::Temp ();
+use File::Path 'remove_tree';
 use Getopt::Long qw/:config posix_default no_ignore_case gnu_getopt 
auto_version/;
 use List::Util 'first';
 use POSIX ();
@@ -100,6 +101,7 @@
         webserver => {
             listen                => '/var/run/lacme-www.socket',
             'challenge-directory' => undef,
+            'hard-copy-challenge-directory' => 'No',
             user                  => 'www-data',
             group                 => 'www-data',
             command               => '/usr/lib/lacme/webserver',
@@ -315,10 +317,26 @@
     # serve ACME challenge reponses).
     if (defined (my $dir = $conf->{'challenge-directory'})) {
         print STDERR "[$$] Using existing webserver on $dir\n" if $OPTS{debug};
-        symlink $tmpdir, $dir or die "Can't symlink $dir -> $tmpdir: $!";
-        push @CLEANUP, sub() {
-            print STDERR "Unlinking $dir\n" if $OPTS{debug};
-            unlink $dir or warn "Warning: Can't unlink $dir: $!";
+        if (lc ($conf->{'hard-copy-challenge-directory'} // 'No') eq 'yes') {
+            mkdir $dir or die "Can't create directory $dir: $!";
+            $tmpdir = $dir;
+            push @CLEANUP, sub() {
+                my $error = undef;
+               remove_tree($dir, { safe => 1, error => \$error });
+                if($error && @$error) {
+                    for(@$error) {
+                        my ($file, $message) = %$_;
+                       my $msghead = $file?"Error removing $file in":"Error 
while removing";
+                        warn "$msghead challenge dir $dir: $message\n";
+                    }
+                }
+            }
+       } else {
+            symlink $tmpdir, $dir or die "Can't symlink $dir -> $tmpdir: $!";
+            push @CLEANUP, sub() {
+                print STDERR "Unlinking $dir\n" if $OPTS{debug};
+                unlink $dir or warn "Warning: Can't unlink $dir: $!";
+            }
         }
     }
     elsif (!@sockaddr) {
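Review bot: `mkdir $dir or die` aborts whenever the directory already exists, which is exactly the replicated-filesystem case the report describes (and also a stale directory left behind when a previous run died before `@CLEANUP` ran); check `$!{EEXIST}` together with `-d $dir` instead of dying unconditionally. The cleanup is also much wider than the old `unlink $dir`: `remove_tree($dir, { safe => 1, ... })` deletes the whole challenge directory and everything in it, so any unrelated files under that path are lost; removing only the token files this run wrote would be safer. Finally, `remove_tree(...)`, `my $msghead ...` and `} else {` are indented with tabs while the surrounding code uses four spaces.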

--- End Message ---
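As an added example (not lacme's own code and not the reporter's patch), a variant of the in-place approach the patch takes: the challenge directory is created only if it is missing, token files are written with O_EXCL, and cleanup unlinks just those files instead of running remove_tree on the whole directory, so a pre-existing replicated directory and its other contents survive. The directory path, mode, token and key-authorization values are constructed placeholders.

```perl
#!/usr/bin/perl
# Added example, not lacme's code: create the challenge directory in place,
# tolerate one that already exists, and clean up only what this run wrote.
use strict;
use warnings;
use Errno qw/EEXIST/;
use Fcntl qw/O_WRONLY O_CREAT O_EXCL/;
use File::Spec;

# Constructed stand-in for the [webserver] challenge-directory setting.
my $dir = "/tmp/acme-challenge-example";

my @CLEANUP;          # same stack-of-closures pattern lacme uses
my @created_tokens;   # token files written by this run

# Create the directory unless it already exists; any other failure is fatal.
sub ensure_challenge_dir {
    my ($d) = @_;
    unless (mkdir $d, 0755) {                       # 0755 is an assumption
        die "Can't create directory $d: $!\n" unless $!{EEXIST};
        die "$d exists but is not a directory\n" unless -d $d;
    }
    return $d;
}

# Write one token file exclusively: O_EXCL refuses to clobber a file that is
# already there (e.g. one replicated in from another node).
sub write_token {
    my ($d, $token, $keyauth) = @_;
    # ACME tokens are base64url; reject anything that could escape the dir.
    die "Invalid token\n" unless $token =~ /\A[A-Za-z0-9_-]+\z/;
    my $path = File::Spec->catfile($d, $token);
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0644)
        or die "Can't create $path: $!\n";
    print $fh $keyauth or die "Can't write $path: $!\n";
    close $fh or die "Can't close $path: $!\n";
    push @created_tokens, $path;
    return $path;
}

# Cleanup removes only the files we created; the directory itself stays.
push @CLEANUP, sub {
    for my $path (@created_tokens) {
        unlink $path or warn "Warning: Can't unlink $path: $!\n";
    }
};

ensure_challenge_dir($dir);
write_token($dir, "constructed-token-abc123", "constructed-token-abc123.keyauth");
$_->() for reverse @CLEANUP;
```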
--- Begin Message ---
Source: lacme
Source-Version: 0.8.0-1
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
lacme, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated lacme package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 22 Feb 2021 03:31:23 +0100
Source: lacme
Architecture: source
Version: 0.8.0-1
Distribution: unstable
Urgency: low
Maintainer: Guilhem Moulin <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 970458 970800 972456
Changes:
 lacme (0.8.0-1) unstable; urgency=low
 .
   * New upstream release (closes: #970458, #970800, #972456).
   * The internal webserver now runs as a dedicated system user _lacme-www
     (and group nogroup) instead of www-data:www-data.  This is configurable
     in the [webserver] section of the lacme(8) configuration file.
   * The internal ACME client now runs as a dedicated system user _lacme-client
     (and group nogroup) instead of nobody:nogroup.  This is configurable in
     the [client] section of the lacme(8) configuration file.
   * The _lacme-www and _lacme-client system users are created automatically by
     lacme.postinst (hence a new Depends: adduser), and deleted on purge.  (So
     make sure not to chown any file to these internal users.)
   * d/control: New lacme-accountd Suggests: openssl, gpg (for account key
     generation and decryption).
   * Add d/upstream/signing-key.asc, the OpenPGP used to sign upstream tags.
   * d/control: Bump Standards-Version to 4.5.1 (no changes necessary).
   * Add d/watch pointing to the upstream repository.
   * d/gbp.conf: Update upstream tag template.
   * d/gbp.conf: Update debian and upstream branches in compliance with DEP-14.
   * d/control: Point Vcs-* to salsa.
   * Add debian/salsa-ci.yml file.
   * d/.gitattributes: New file to merge d/changelog with dpkg-mergechangelogs.
   * Add d/upstream/metadata with Repository and Repository-Browse.
   * d/control: Remove libtypes-serialiser-perl from lacme's Depends.
   * d/control: lacme now requires openssl 1.1.0 or later.
   * d/copyright: Bump copyright years.
   * d/copyright: Point Source: to the upstream repository.
   * d/control: lacme recommends lacme-accountd 0.8.0-1 or later.
   * d/lacme.links: Remove /etc/apache2/conf-available/lacme.conf, now part of
     the upstream build system.
   * d/lacme.install: include new configuration files and snippets.


--- End Message ---
