Your message dated Sat, 07 Sep 2019 14:34:49 +0100
with message-id <f49e2985d8466065c49c03185c24465a32228fb5.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes including in 10.1 point release
has caused the Debian Bug report #935370,
regarding buster-pu: package lacme/0.5-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
935370: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935370
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu

Dear release team,

Per RFC 8555 sec 6.3 the Let's Encrypt folks are deprecating
unauthenticated GETs from their v2 API.  Support for these requests will
be removed on *Nov 01 2019* (so likely between Debian 10.1 and 10.2) [0].

lacme uses the v2 API by default since 0.5, and removing support for
unauthenticated GETs means that applying for certificate issuance will
stop working.  Replacing GETs with POST-as-GETs is trivial (debdiff
attached), and I'd like to fix that in Buster via s-p-u.

(0.6 from Sid is not affected, and neither is 0.2 from Stretch as the
latter supports only the v1 API.)

Cheers,
-- 
Guilhem.

[0] https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets
diffstat for lacme-0.5 lacme-0.5

 changelog                                             |   10 +
 gbp.conf                                              |    2 
 patches/0002-Issue-GET-and-POST-as-GET-requests.patch |  121 ++++++++++++++++++
 patches/series                                        |    1 
 4 files changed, 133 insertions(+), 1 deletion(-)

diff -Nru lacme-0.5/debian/changelog lacme-0.5/debian/changelog
--- lacme-0.5/debian/changelog  2018-05-09 14:17:19.000000000 +0200
+++ lacme-0.5/debian/changelog  2019-08-22 00:14:42.000000000 +0200
@@ -1,3 +1,13 @@
+lacme (0.5-1+deb10u1) buster; urgency=medium
+
+  * Link to RFC 8555 <https://tools.ietf.org/html/rfc8555> instead of the
+    ACME I-D URL.
+  * Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
+    authorizations, order and certificate URLs.   Let's Encrypt will remove
+    support of unauthenticated GETs from the V2 API on 01 Nov 2019.
+
+ -- Guilhem Moulin <[email protected]>  Thu, 22 Aug 2019 00:14:42 +0200
+
 lacme (0.5-1) unstable; urgency=medium
 
   * New upstream release, adding support for v2 ACME endpoints.
diff -Nru lacme-0.5/debian/gbp.conf lacme-0.5/debian/gbp.conf
--- lacme-0.5/debian/gbp.conf   2018-05-09 14:17:19.000000000 +0200
+++ lacme-0.5/debian/gbp.conf   2019-08-22 00:14:42.000000000 +0200
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = master
-debian-branch = debian
+debian-branch = debian-buster
 upstream-tag = upstream/%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = False
diff -Nru 
lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch 
lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch
--- lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch      
1970-01-01 01:00:00.000000000 +0100
+++ lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch      
2019-08-22 00:14:42.000000000 +0200
@@ -0,0 +1,121 @@
+From f9d5e53cac1c002e5983efc18e42f5a21444b182 Mon Sep 17 00:00:00 2001
+From: Guilhem Moulin <[email protected]>
+Date: Wed, 21 Aug 2019 17:29:19 +0200
+Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)
+
+For the  authorizations, order and certificate URLs.
+See RFC 8555 sec. 7.1.
+---
+ client            |   22 +++++++++++-----------
+ lacme-accountd.md |    2 +-
+ lacme.md          |    2 +-
+ 3 files changed, 13 insertions(+), 13 deletions(-)
+
+--- a/client
++++ b/client
+@@ -165,16 +165,16 @@ sub request_json_decode($;$$) {
+ #############################################################################
+ # JSON-encode the hash reference $h and send it to the ACME server $uri
+ # encapsulated it in a JSON Web Signature (JWS).
+-# https://tools.ietf.org/html/draft-ietf-acme-acme-12
++# https://tools.ietf.org/html/rfc8555
+ #
+-sub acme($@) {
+-    my $uri = shift;
++sub acme($;$) {
++    my ($uri, $h) = @_;
+     die "Missing nonce\n" unless defined $NONCE;
+ 
+     # Produce the JSON Web Signature: RFC 7515 section 5
+     my %header = ( alg => 'RS256', nonce => $NONCE, url => $uri );
+     defined $KID ? ($header{kid} = $KID) : ($header{jwk} = $JWK);
+-    my $payload = encode_base64url(json()->encode({ @_ }));
++    my $payload = defined $h ? encode_base64url(json()->encode($h)) : "";
+     my $protected = encode_base64url(json()->encode(\%header));
+     my $data = $protected .'.'. $payload;
+     $S->printflush($data, "\r\n");
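Review bot: In `acme()`, the payload is selected by `defined $h` alone, so a caller that passes a variable which happens to be undefined silently sends a POST-as-GET (empty payload) instead of failing, and a defined `$h` of any reference type goes to `json()->encode` unchecked. Consider `die "Payload must be a hash reference\n" if defined $h and ref $h ne 'HASH';`, and extend the header comment to say that omitting `$h` produces the empty payload of RFC 8555 sec. 6.3, since the comment only describes the hash-reference case.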
+@@ -204,7 +204,7 @@ sub acme_resource($%) {
+         request(HEAD => $RES{newNonce});
+     }
+     my $uri = $RES{$r} // die "Unknown resource '$r'\n";
+-    acme($uri, @_);
++    acme($uri, {@_});
+ }
+ 
+ # Set the key ID (registration URI)
+@@ -237,7 +237,7 @@ if ($COMMAND eq 'account') {
+ 
+     if ($r->is_success()) {
+         $KID = $r->header('Location');
+-        $r = acme($KID, %h);
++        $r = acme($KID, \%h);
+         request_json_decode($r, 1, \*STDOUT)
+             if $r->is_success() and $r->content_type() eq 'application/json';
+     }
+@@ -264,7 +264,7 @@ elsif ($COMMAND eq 'newOrder') {
+     my $order = request_json_decode($r);
+ 
+     foreach (@{$order->{authorizations}}) {
+-        my $authz = request_json_decode(request(GET => $_));
++        my $authz = request_json_decode(acme($_));
+         next unless $authz->{status} eq 'pending';
+ 
+         my $identifier = $authz->{identifier}->{value};
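Review bot: In the `foreach` over `$order->{authorizations}`, each fetch is now a signed request, and `acme()` dies with "Missing nonce" unless `$NONCE` is defined, so this loop depends on every response leaving a fresh nonce behind. The hunk does not show where `$NONCE` is refreshed; please confirm it is updated from each `acme()` response (or fetched again from `newNonce`) so that an order with several authorizations does not abort or reuse a nonce on the second iteration.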
+@@ -288,7 +288,7 @@ elsif ($COMMAND eq 'newOrder') {
+             die "Can't open $challenge->{token}: $!";
+         }
+ 
+-        $r = acme($challenge->{url});
++        $r = acme($challenge->{url}, {});
+ 
+         # poll until the status become 'valid'
+         # XXX poll the order URL instead, to get the status of all
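Review bot: At `acme($challenge->{url}, {})`, the `{}` is now significant: with the new `acme($;$)` signature, dropping the second argument turns the challenge response into a POST-as-GET, which only reads the challenge. A one-line comment such as `# empty JSON object: tell the server to start validation` would keep a later cleanup from removing it.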
+@@ -298,7 +298,7 @@ elsif ($COMMAND eq 'newOrder') {
+               $resp = request_json_decode($r),
+               $status = $resp->{status} // 'pending',
+               $status ne 'valid';
+-              $r = request('GET' => $challenge->{url})) {
++              $r = acme($challenge->{url}, {})) {
+             if (defined (my $problem = $resp->{error})) { # problem document 
(RFC 7807)
+                 my $msg = $problem->{status};
+                 $msg .= " " .$problem->{title}      if defined 
$problem->{title};
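Review bot: In the `for` loop's update expression, `$r = acme($challenge->{url}, {})` replaces a plain GET with a POST carrying `{}`, which is the challenge-response payload rather than a POST-as-GET, so every poll iteration re-submits the response instead of only reading the status. If the intent is the RFC 8555 sec. 6.3 replacement for the old GET, this should be `acme($challenge->{url})`; the `acme($challenge->{url}, {})` call before the loop already triggers validation.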
+@@ -321,7 +321,7 @@ elsif ($COMMAND eq 'newOrder') {
+         }
+     }
+ 
+-    $r = acme($order->{finalize}, csr => encode_base64url($csr));
++    $r = acme($order->{finalize}, {csr => encode_base64url($csr)});
+     my $resp = request_json_decode($r);
+ 
+     my $uri = $resp->{certificate};
+@@ -329,7 +329,7 @@ elsif ($COMMAND eq 'newOrder') {
+ 
+     # pool until the cert is available
+     for (my $i = 0;;) {
+-        $r = request('GET' => $uri);
++        $r = acme($uri);
+         die request_status_line($r), "\n" unless $r->is_success();
+         last unless $r->code == 202; # Accepted
+         my $retry_after = $r->header('Retry-After') // 1;
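Review bot: In the certificate polling loop, `acme($uri)` can now fail for reasons the old unauthenticated GET could not (for example a rejected nonce), and `die request_status_line($r), "\n" unless $r->is_success();` turns any such failure into a hard abort after the order has already been finalized. Consider retrying once with a fresh nonce before dying. Minor: the context comment reads `# pool until the cert is available`; it should say "poll".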
+--- a/lacme-accountd.md
++++ b/lacme-accountd.md
+@@ -141,7 +141,7 @@ See also
+ 
+ [`lacme`(1)], [`ssh`(1)]
+ 
+-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02
++[ACME]: https://tools.ietf.org/html/rfc8555
+ [`lacme`(1)]: lacme.1.html
+ [`signal`(7)]: http://linux.die.net/man/7/signal
+ [`gpg`(1)]: https://www.gnupg.org/documentation/manpage.en.html
+--- a/lacme.md
++++ b/lacme.md
+@@ -412,7 +412,7 @@ See also
+ 
+ [`lacme-accountd`(1)]
+ 
+-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-12
++[ACME]: https://tools.ietf.org/html/rfc8555
+ [`lacme-accountd`(1)]: lacme-accountd.1.html
+ [`iptables`(8)]: http://linux.die.net/man/8/iptables
+ [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
diff -Nru lacme-0.5/debian/patches/series lacme-0.5/debian/patches/series
--- lacme-0.5/debian/patches/series     2018-05-09 14:17:19.000000000 +0200
+++ lacme-0.5/debian/patches/series     2019-08-22 00:14:42.000000000 +0200
@@ -1 +1,2 @@
 0001-Mention-the-Debian-BTS-in-the-manpages.patch
+0002-Issue-GET-and-POST-as-GET-requests.patch



--- End Message ---
--- Begin Message ---
Version: 10.1

Hi,

The fixes referenced by each of these bugs were included in today's
buster point release.

Regards,

Adam

--- End Message ---
