Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,

Per RFC 8555 sec 6.3 the Let's Encrypt folks are deprecating
unauthenticated GETs from their v2 API.  Support for these requests will
be removed on *Nov 01 2019* (so likely between Debian 10.1 and 10.2) [0].

lacme has used the v2 API by default since 0.5, and once support for
unauthenticated GETs is removed, applying for certificate issuance will
stop working.  Replacing the GETs with POST-as-GETs is trivial (debdiff
attached), and I'd like to fix that in Buster via s-p-u.

(0.6 from Sid is not affected, and neither is 0.2 from Stretch as the
latter supports only the v1 API.)

Cheers,
-- 
Guilhem.

[0] 
https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets
diffstat for lacme-0.5 lacme-0.5

 changelog                                             |   10 +
 gbp.conf                                              |    2 
 patches/0002-Issue-GET-and-POST-as-GET-requests.patch |  121 ++++++++++++++++++
 patches/series                                        |    1 
 4 files changed, 133 insertions(+), 1 deletion(-)

diff -Nru lacme-0.5/debian/changelog lacme-0.5/debian/changelog
--- lacme-0.5/debian/changelog  2018-05-09 14:17:19.000000000 +0200
+++ lacme-0.5/debian/changelog  2019-08-22 00:14:42.000000000 +0200
@@ -1,3 +1,13 @@
+lacme (0.5-1+deb10u1) buster; urgency=medium
+
+  * Link to RFC 8555 <https://tools.ietf.org/html/rfc8555> instead of the
+    ACME I-D URL.
+  * Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
+    authorizations, order and certificate URLs.   Let's Encrypt will remove
+    support of unauthenticated GETs from the V2 API on 01 Nov 2019.
+
+ -- Guilhem Moulin <guil...@debian.org>  Thu, 22 Aug 2019 00:14:42 +0200
+
 lacme (0.5-1) unstable; urgency=medium
 
   * New upstream release, adding support for v2 ACME endpoints.
diff -Nru lacme-0.5/debian/gbp.conf lacme-0.5/debian/gbp.conf
--- lacme-0.5/debian/gbp.conf   2018-05-09 14:17:19.000000000 +0200
+++ lacme-0.5/debian/gbp.conf   2019-08-22 00:14:42.000000000 +0200
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = master
-debian-branch = debian
+debian-branch = debian-buster
 upstream-tag = upstream/%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = False
diff -Nru 
lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch 
lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch
--- lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch      
1970-01-01 01:00:00.000000000 +0100
+++ lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch      
2019-08-22 00:14:42.000000000 +0200
@@ -0,0 +1,121 @@
+From f9d5e53cac1c002e5983efc18e42f5a21444b182 Mon Sep 17 00:00:00 2001
+From: Guilhem Moulin <guil...@fripost.org>
+Date: Wed, 21 Aug 2019 17:29:19 +0200
+Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)
+
+For the  authorizations, order and certificate URLs.
+See RFC 8555 sec. 7.1.
+---
+ client            |   22 +++++++++++-----------
+ lacme-accountd.md |    2 +-
+ lacme.md          |    2 +-
+ 3 files changed, 13 insertions(+), 13 deletions(-)
+
+--- a/client
++++ b/client
+@@ -165,16 +165,16 @@ sub request_json_decode($;$$) {
+ #############################################################################
+ # JSON-encode the hash reference $h and send it to the ACME server $uri
+ # encapsulated it in a JSON Web Signature (JWS).
+-# https://tools.ietf.org/html/draft-ietf-acme-acme-12
++# https://tools.ietf.org/html/rfc8555
+ #
+-sub acme($@) {
+-    my $uri = shift;
++sub acme($;$) {
++    my ($uri, $h) = @_;
+     die "Missing nonce\n" unless defined $NONCE;
+ 
+     # Produce the JSON Web Signature: RFC 7515 section 5
+     my %header = ( alg => 'RS256', nonce => $NONCE, url => $uri );
+     defined $KID ? ($header{kid} = $KID) : ($header{jwk} = $JWK);
+-    my $payload = encode_base64url(json()->encode({ @_ }));
++    my $payload = defined $h ? encode_base64url(json()->encode($h)) : "";
+     my $protected = encode_base64url(json()->encode(\%header));
+     my $data = $protected .'.'. $payload;
+     $S->printflush($data, "\r\n");
+@@ -204,7 +204,7 @@ sub acme_resource($%) {
+         request(HEAD => $RES{newNonce});
+     }
+     my $uri = $RES{$r} // die "Unknown resource '$r'\n";
+-    acme($uri, @_);
++    acme($uri, {@_});
+ }
+ 
+ # Set the key ID (registration URI)
+@@ -237,7 +237,7 @@ if ($COMMAND eq 'account') {
+ 
+     if ($r->is_success()) {
+         $KID = $r->header('Location');
+-        $r = acme($KID, %h);
++        $r = acme($KID, \%h);
+         request_json_decode($r, 1, \*STDOUT)
+             if $r->is_success() and $r->content_type() eq 'application/json';
+     }
+@@ -264,7 +264,7 @@ elsif ($COMMAND eq 'newOrder') {
+     my $order = request_json_decode($r);
+ 
+     foreach (@{$order->{authorizations}}) {
+-        my $authz = request_json_decode(request(GET => $_));
++        my $authz = request_json_decode(acme($_));
+         next unless $authz->{status} eq 'pending';
+ 
+         my $identifier = $authz->{identifier}->{value};
+@@ -288,7 +288,7 @@ elsif ($COMMAND eq 'newOrder') {
+             die "Can't open $challenge->{token}: $!";
+         }
+ 
+-        $r = acme($challenge->{url});
++        $r = acme($challenge->{url}, {});
+ 
+         # poll until the status become 'valid'
+         # XXX poll the order URL instead, to get the status of all
+@@ -298,7 +298,7 @@ elsif ($COMMAND eq 'newOrder') {
+               $resp = request_json_decode($r),
+               $status = $resp->{status} // 'pending',
+               $status ne 'valid';
+-              $r = request('GET' => $challenge->{url})) {
++              $r = acme($challenge->{url}, {})) {
+             if (defined (my $problem = $resp->{error})) { # problem document 
(RFC 7807)
+                 my $msg = $problem->{status};
+                 $msg .= " " .$problem->{title}      if defined 
$problem->{title};
+@@ -321,7 +321,7 @@ elsif ($COMMAND eq 'newOrder') {
+         }
+     }
+ 
+-    $r = acme($order->{finalize}, csr => encode_base64url($csr));
++    $r = acme($order->{finalize}, {csr => encode_base64url($csr)});
+     my $resp = request_json_decode($r);
+ 
+     my $uri = $resp->{certificate};
+@@ -329,7 +329,7 @@ elsif ($COMMAND eq 'newOrder') {
+ 
+     # pool until the cert is available
+     for (my $i = 0;;) {
+-        $r = request('GET' => $uri);
++        $r = acme($uri);
+         die request_status_line($r), "\n" unless $r->is_success();
+         last unless $r->code == 202; # Accepted
+         my $retry_after = $r->header('Retry-After') // 1;
+--- a/lacme-accountd.md
++++ b/lacme-accountd.md
+@@ -141,7 +141,7 @@ See also
+ 
+ [`lacme`(1)], [`ssh`(1)]
+ 
+-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02
++[ACME]: https://tools.ietf.org/html/rfc8555
+ [`lacme`(1)]: lacme.1.html
+ [`signal`(7)]: http://linux.die.net/man/7/signal
+ [`gpg`(1)]: https://www.gnupg.org/documentation/manpage.en.html
+--- a/lacme.md
++++ b/lacme.md
+@@ -412,7 +412,7 @@ See also
+ 
+ [`lacme-accountd`(1)]
+ 
+-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-12
++[ACME]: https://tools.ietf.org/html/rfc8555
+ [`lacme-accountd`(1)]: lacme-accountd.1.html
+ [`iptables`(8)]: http://linux.die.net/man/8/iptables
+ [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
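Review bot: The polling loop's increment in the 0002 patch, `$r = acme($challenge->{url}, {})`, re-sends a challenge response (a `{}` payload) on every iteration, whereas RFC 8555 sec. 7.5.1 polls the challenge status with a POST-as-GET, i.e. an empty payload as produced by `acme($uri)` with no second argument. The first `acme($challenge->{url}, {})`, the one that triggers validation, is correct; the one in the `for` increment should presumably read `$r = acme($challenge->{url});`, matching the form already used for the authorization and certificate URLs in this patch. Whether the server tolerates the repeated `{}` is not something the patch shows, so this is worth confirming before upload. That `for` loop starts and ends outside the inner hunk's context lines.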
diff -Nru lacme-0.5/debian/patches/series lacme-0.5/debian/patches/series
--- lacme-0.5/debian/patches/series     2018-05-09 14:17:19.000000000 +0200
+++ lacme-0.5/debian/patches/series     2019-08-22 00:14:42.000000000 +0200
@@ -1 +1,2 @@
 0001-Mention-the-Debian-BTS-in-the-manpages.patch
+0002-Issue-GET-and-POST-as-GET-requests.patch
