Package: lacme
Version: 0.6.1-1
Severity: grave
Justification: renders package unusable
Two upcoming changes in the Let's Encrypt chain of trust severely impact lacme and will break new issuance when they're rolled out in December / January.

1. The existing issuer, namely “Let's Encrypt Authority X3”, which expires on 2021-03-17, will be phased out in December and progressively replaced with “Let's Encrypt Authority R3”.
   https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018

2. The existing trust root, namely “IdenTrust DST Root CA X3”, which expires on 2021-09-30, will be replaced with “ISRG Root X1” on January 11 next year.
   https://letsencrypt.org/2020/11/06/own-two-feet.html

Unfortunately lacme uses a configurable ‘CAfile’ (pointing to “Let's Encrypt Authority X3” by default) as intermediate CA in the certificate chain. This made sense for ACME v1, but for ACME v2 the issuing certificate is provided as part of the response and gives more flexibility for rotation, so we should definitely use that instead. (ACME v2 is supported since lacme 0.5.)

In addition, the configurable ‘CAfile’ is used for client-side validation after the issuance. Defaulting to a bundle containing all known active Let's Encrypt certificates would give some flexibility compared to hard-coded key material and avoid having a period during which issuance no longer works out of the box.

Otherwise the cheap fix is to download https://letsencrypt.org/certs/lets-encrypt-r3.pem and set ‘CAfile’ to its path once Let's Encrypt has finalized the transition in mid January (and avoid making new certificate requests/renewals meanwhile).

[Setting this RC already now since it's not clear exactly when this will break; but at most 2 weeks.]

-- 
Guilhem.
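The following is an added illustration, not lacme code and not part of the report: a throw-away PKI built with openssl that mirrors the situation described above. “Toy Authority X3” stands in for the issuer pinned in the default ‘CAfile’, “Toy Authority R3” for the issuer that actually signs new certificates, and the concatenated leaf + issuer file plays the role of the ACME v2 certificate download (application/pem-certificate-chain, leaf first, issuers after). All names, the config sections and the helper functions are constructed for the example.

```shell
#!/bin/sh
# Added example (not lacme's code): show why the issuer certificate(s) shipped
# in the ACME v2 response should be used for chain building and post-issuance
# validation instead of a fixed, hard-coded CAfile. Everything here is a
# constructed toy PKI; "Toy Root", "Toy Authority X3/R3" are made-up names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config: request defaults plus extension sections for the
# CA certificates and for the end-entity certificate.
cat > toy.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# new_key NAME: write a P-256 private key to NAME.key
new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"; }

# issue NAME SUBJECT ISSUER EXTSECTION: certificate NAME.pem for NAME.key,
# signed by ISSUER.key / ISSUER.pem with the extensions of EXTSECTION
issue() {
    openssl req -new -key "$1.key" -subj "$2" -config toy.cnf -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -days 30 -extfile toy.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}

# Trust root (self-signed), the old issuer X3, the new issuer R3, and a
# leaf certificate issued by R3 (the post-rotation situation).
new_key root
openssl req -x509 -new -key root.key -subj "/CN=Toy Root" -days 30 \
    -config toy.cnf -extensions ca_ext -out root.pem 2>/dev/null
new_key x3;   issue x3   "/CN=Toy Authority X3" root ca_ext
new_key r3;   issue r3   "/CN=Toy Authority R3" root ca_ext
new_key leaf; issue leaf "/CN=www.example.test" r3   leaf_ext

# What an ACME v2 client downloads from the certificate URL: the leaf first,
# followed by the issuer certificate(s), in one PEM file.
cat leaf.pem r3.pem > response.pem

# count_certs FILE: number of PEM certificate blocks in FILE
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# split_chain FILE: first block to chain-leaf.pem, every further block (the
# issuers the server supplied) to chain-issuers.pem; a one-certificate
# response leaves chain-issuers.pem empty rather than missing.
split_chain() {
    : > chain-issuers.pem
    awk '/-----BEGIN CERTIFICATE-----/ { n++ }
         n == 1 { print > "chain-leaf.pem" }
         n >= 2 { print > "chain-issuers.pem" }' "$1"
}

# verify_leaf ISSUERFILE: validate chain-leaf.pem up to the trust root using
# ISSUERFILE as the untrusted intermediate(s); prints "ok" or "fail"
verify_leaf() {
    if openssl verify -CAfile root.pem -untrusted "$1" chain-leaf.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

split_chain response.pem
echo "issuer taken from the ACME response: $(verify_leaf chain-issuers.pem)"  # ok
echo "fixed CAfile still pointing at X3:    $(verify_leaf x3.pem)"            # fail
```

The second `verify_leaf` call is the failure mode the report describes: the leaf is perfectly valid, but validating it through a pinned intermediate that no longer signs anything cannot succeed. Taking the intermediates from the response (or, as the report suggests, validating against a bundle of all active issuers) survives the rotation without a code or configuration change.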