[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
This bug was fixed in the package python-certbot - 0.27.0-1~ubuntu16.04.1 --- python-certbot (0.27.0-1~ubuntu16.04.1) xenial; urgency=medium * Backport to xenial (LP: #1837673): - d/control, d/compat: go back to debhelper 9, and drop R³ - d/p/0002-revert-sphinx-1.6-requirement.patch: revert upstream change that allows build with sphinx 1.6 - d/control: drop requirement on version 1.6 or higher of sphinx - d/control, d/rules: go back to python2 - d/python-certbot-doc.doc-base: go back to the py2 package - d/python-certbot.lintian-overrides: go back to python2 - d/rules: add systemd to debhelper, since it's not automatic on this dh level - d/control: build-dep on systemd - d/rules: no need to explicitly install examples/docs - d/rules: install certbot.timer as dh-systemd in Xenial doesn't do it - d/rules: go back to dh_systemd_enable and dh_systemd_start since dh_installsystemd is only available in debhelper 11 and later - d/letsencrypt.postrm: purging the transitional package shouldn't remove the logs (Closes: #921423) python-certbot (0.27.0-1) unstable; urgency=medium * New upstream version 0.27.0 * Refresh patch after upstream migration to codecov * Bump python-sphinx requirement defensively; bump S-V with no changes * Bump dep on python-acme to 0.26.0~ python-certbot (0.26.1-1) unstable; urgency=medium * New upstream release. python-certbot (0.26.0-1) unstable; urgency=medium * New upstream version 0.26.0 * Bump S-V; add R-R-R: no python-certbot (0.25.0-1) unstable; urgency=medium * New upstream version 0.25.0 * Bump python-acme dep version. python-certbot (0.24.0-2) unstable; urgency=medium * Update team email address. (Closes: #899858) python-certbot (0.24.0-1) unstable; urgency=medium * Add OR to dep on python-distutils for stretch-bpo * New upstream version 0.24.0 * Bump version dep on python3-acme python-certbot (0.23.0-1) unstable; urgency=medium * New upstream release. * Add testdata back in to prevent test failure in RDeps. (Closes: #894025) * Bump S-V; no changes needed. -- Andreas Hasenack Thu, 17 Oct 2019 21:03:01 + ** Changed in: python-certbot (Ubuntu Xenial) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
This bug was fixed in the package python-certbot - 0.27.0-1~ubuntu18.04.1 --- python-certbot (0.27.0-1~ubuntu18.04.1) bionic; urgency=medium * Backport to bionic (LP: #1837673): - d/letsencrypt.postrm: purging the transitional package shouldn't remove the logs (Closes: #921423) python-certbot (0.27.0-1) unstable; urgency=medium * New upstream version 0.27.0 * Refresh patch after upstream migration to codecov * Bump python-sphinx requirement defensively; bump S-V with no changes * Bump dep on python-acme to 0.26.0~ python-certbot (0.26.1-1) unstable; urgency=medium * New upstream release. python-certbot (0.26.0-1) unstable; urgency=medium * New upstream version 0.26.0 * Bump S-V; add R-R-R: no python-certbot (0.25.0-1) unstable; urgency=medium * New upstream version 0.25.0 * Bump python-acme dep version. python-certbot (0.24.0-2) unstable; urgency=medium * Update team email address. (Closes: #899858) python-certbot (0.24.0-1) unstable; urgency=medium * Add OR to dep on python-distutils for stretch-bpo * New upstream version 0.24.0 * Bump version dep on python3-acme -- Andreas Hasenack Thu, 10 Oct 2019 20:57:31 + ** Changed in: python-certbot (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
Just a reminder that in https://community.letsencrypt.org/t/end-of-life- plan-for-acmev1/88430/3, Let's Encrypt moved the date where they would be making this change permanently to October 31st instead of November 1st. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
** Tags removed: verification-needed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
Please remember that this update can only be released after #1836823 is released as well. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
bionic verification Verifying current version uses the v1 endpoint: $ sudo certbot run ... In bionic, for some reason (debug level?) the acme url is not shown in the normal output, so I checked the log at /var/log/letsencrypt/letsencrypt.log and there it was, v1 was used: 2019-10-25 21:15:35,657:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org Now let's update to the packages in proposed: *** 0.27.0-1~ubuntu18.04.1 500 500 http://us.archive.ubuntu.com/ubuntu bionic-proposed/universe amd64 Packages And run again: $ sudo certbot run (...) This time the log shows v2 was used: 2019-10-25 21:22:33,050:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org Testing fake renew also uses v02 and works: $ sudo certbot --dry-run renew (...) ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates below have not been saved.) Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/certbot-test.justgohome.co.uk/fullchain.pem (success) ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates above have not been saved.) (...) Revoking: $ sudo certbot revoke --cert-path /etc/letsencrypt/live/certbot-test.justgohome.co.uk/fullchain.pem Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you like to delete the cert(s) you just revoked? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es (recommended)/(N)o: y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Deleted all files relating to certificate certbot-test.justgohome.co.uk. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations! You have successfully revoked the certificate that was located at /etc/letsencrypt/live/certbot-test.justgohome.co.uk/fullchain.pem Bionic verification succeeded. ** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
My xenial verification First, reproducing the problem: $ sudo certbot run Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): andr...@canonical.com Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org (...) I stopped there, as today the v1 endpoint is working, but this bug is about changing certbot to use v2, so the above, even though it didn't fail, is enough to confirm it's using v1. So I cancel, and upgrade to the version in proposed: *** 0.27.0-1~ubuntu16.04.1 500 500 http://us.archive.ubuntu.com/ubuntu xenial-proposed/universe amd64 Packages And now it uses v2: $ sudo certbot run Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): andr...@canonical.com Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org (...) Testing fake renewal works: $ sudo certbot --dry-run renew Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/certbot-test.justgohome.co.uk.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert not due for renewal, but simulating renewal for dry run Plugins selected: Authenticator apache, Installer apache Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org Renewing an existing certificate Performing the following challenges: http-01 challenge for certbot-test.justgohome.co.uk Enabled Apache rewrite module Waiting for verification... Cleaning up challenges - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - new certificate deployed with reload of apache server; fullchain is /etc/letsencrypt/live/certbot-test.justgohome.co.uk/fullchain.pem - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates below have not been saved.) Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/certbot-test.justgohome.co.uk/fullchain.pem (success) ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates above have not been saved.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES: - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. Now let's revoke it (note it also uses the v2 endpoint): $ sudo certbot --cert-path /etc/letsencrypt/live/certbot-test.justgohome.co.uk/fullchain.pem revoke Saving debug log to /var/log/letsencrypt/letsencrypt.log Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you like to delete the cert(s) you just revoked? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es (recommended)/(N)o: y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Deleted all files relating to certificate certbot-test.justgohome.co.uk. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations! You have successfully revoked the certificate that was located at /etc/letsencrypt/live/certbot-test.justgohome.co.uk/fullchain.pem And the systemd timer is active: $ sudo systemctl list-timers NEXT LEFT LAST PASSED UNIT ACTIVATES Sat 2019-10-26 01:02:54 UTC 4h 12min left Fri 2019-10-25 20:37:10 UTC 13min ago certbot.timercertbot.service xenial verification succeeded. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
I tested this finding no problems using the same approach described in https://bugs.launchpad.net/ubuntu/+source/python- certbot/+bug/1837673/comments/11. The output of dpkg-query about the relevant installed packages was: Xenial: certbot 0.27.0-1~ubuntu16.04.1 letsencrypt 0.27.0-1~ubuntu16.04.1 python-acme 0.31.0-2~ubuntu16.04.1 python-certbot 0.27.0-1~ubuntu16.04.1 python-certbot-apache 0.23.0-1~ubuntu16.04.1 python-josepy 1.1.0-1~ubuntu16.04.1 python-letsencrypt 0.7.0-0ubuntu0.16.04.1 python-letsencrypt-apache 0.7.0-0ubuntu0.16.04.1 Bionic: certbot 0.27.0-1~ubuntu18.04.1 letsencrypt 0.27.0-1~ubuntu18.04.1 python3-acme0.31.0-2~ubuntu18.04.1 python3-certbot 0.27.0-1~ubuntu18.04.1 python3-certbot-apache 0.23.0-1 python3-certbot-nginx 0.23.0-1 python3-josepy 1.1.0-1 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
Hello Brad, or anyone else affected, Accepted python-certbot into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python- certbot/0.27.0-1~ubuntu18.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: python-certbot (Ubuntu Bionic) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-bionic ** Changed in: python-certbot (Ubuntu Xenial) Status: In Progress => Fix Committed ** Tags added: verification-needed-xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/python-certbot/+git/python-certbot/+merge/374375 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/python-certbot/+git/python-certbot/+merge/374376 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/python-certbot/+git/python-certbot/+merge/374373 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
I tested the packages in the PPA on Ubuntu 16.04 and 18.04 using the steps described at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process. When testing, if you start with a clean /var/log/letsencrypt directory and don't include any flags to change the default server such as --staging, --test-cert, --server, the following command should have no output: grep 'acme-v01.api.letsencrypt.org' /var/log/letsencrypt/* I successfully ran https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript on each system, but if anyone else wants to do this, you first have to install all Certbot packages and set the environment variable CERTBOT_PREINSTALLED=1 otherwise the script will try to install from proposed-updates. I also had to introduce an environment variable into the script to pin the version of boulder (Let's Encrypt's ACME server software) used for testing. Their most recent version has dropped support for features that are still included in Certbot and tested in the current script. The value I used here is BOULDERBRANCH="release-2019-03-11" which I believe is the most recent tag that works. The output of dpkg-query at the end of the script about tested packages was: On 18.04: certbot 0.27.0-1~ubuntu18.04.1~ppa3 letsencrypt 0.27.0-1~ubuntu18.04.1~ppa3 python3-acme0.31.0-2~ubuntu18.04.1~ppa3 python3-certbot 0.27.0-1~ubuntu18.04.1~ppa3 python3-certbot-apache 0.23.0-1 python3-certbot-nginx 0.23.0-1 python3-josepy 1.1.0-1 On 16.04: certbot 0.27.0-1~ubuntu16.04.1~ppa3 letsencrypt 0.27.0-1~ubuntu16.04.1~ppa3 python-acme 0.31.0-2~ubuntu16.04.1~ppa2 python-certbot 0.27.0-1~ubuntu16.04.1~ppa3 python-certbot-apache 0.23.0-1~ubuntu16.04.1 python-josepy 1.1.0-1~ubuntu16.04.1 python-letsencrypt 0.7.0-0ubuntu0.16.04.1 python-letsencrypt-apache 0.7.0-0ubuntu0.16.04.1 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
** Description changed: [Impact] To do almost anything in the ACME protocol used by Let's Encrypt and Certbot including obtaining and revoking certificates, you need to first create an account with the ACME server. Starting in November, Certbot will no longer be able to do that with its default configuration. This is because as part of pushing people towards the standardized version of the protocol, Let's Encrypt is no longer letting people create new accounts on their ACMEv1 endpoint. More details about this change can be found at https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430. What this means for Ubuntu users is that new Certbot installations on affected systems would need to be given the URL of an alternative ACME server in order to work. Existing installations would be unaffected for now as long as they don't deactivate their account or delete its credentials. They will have additional problems in the future due to the additional deprecations described in the link above. To solve this problem, I recommend backporting the Certbot packages from Cosmic to Bionic and Xenial. There are no breaking changes to the public interfaces between versions and I think this results in the smallest change to the packages that would resolve this problem while sticking to well tested packages. [Test Case] The test case will be about requesting a real certificate from Let's Encrypt. You need to make sure the host where you are running these instructions: - is reachable from the internet on port 80 - has a public IP - said public IP has a valid DNS record under a public domain name * install certbot with the apache plugin: sudo apt install python-certbot-apache certbot * run the certbot command: sudo certbot run * After the question about your email address, it will initiate a connection to an ACME server. The old packages will use a V1 server, like this: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org * The new packages will use a v2 server, like this: Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org The above (use a v2 server) is the SRU verification in a nutshell. Of course, obtaining the certificate at the end should still work, but we want to verify with this update that the v2 server was used. Depending on the date this test is run, the acme v1 server might have been deactivated, in which case you will get this error (with the old packages): Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org An unexpected error occurred: The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details. Please see the logfiles in /var/log/letsencrypt for more details. * To complete the test, let's test renewing the certificate, and then revoke it: sudo certbot --dry-run renew * list certificates, taking note of the certificate path: sudo certbot certificate * revoke the certificate, using the certificate path obtained in the previous step: sudo certbot --cert-path revoke * As a final testing step, list the systemd timers, to make sure the certbot one is active: $ sudo systemctl list-timers NEXT LEFT LAST PASSED UNIT ACTIVATES Fri 2019-10-11 04:38:08 UTC 8h left Thu 2019-10-10 19:24:55 UTC 1h 1min ago certbot.timercertbot.service ... [Regression Potential] - The fix adopted for this bug is a backport from a newer package (cosmic). No changes at all for bionic, but xenial needed some: - - no python3 in xenial, so I had to go back to py2. Upstream gave us their ok (see comment #8) + The fix adopted for this bug is a backport from a newer package (cosmic). I included a fix that was found in debian's 0.28 package, but xenial needed more changes: + - not all python3 deps are in xenial, so I had to go back to py2. Upstream gave us their ok (see comment #8) - debhelper 9 instead of 11, that required some changes too, specially around systemd - build-depends on sphinx >= 1.6 had to be removed, and was done following upstream's guidance (see comment #6) [Other Info] This SRU depends on bug #1836823 being released first, as the newer python-acme is required. - [Original Description] This bug affects the python-certbot packages in Xenial and Bionic. Cosmic and newer is unaffected. To do almost anything in the ACME protocol used by Let's Encrypt and Certbot including obtaining and revoking certificates, you need to first create an account with the ACME server. Starting in November, Certbot will no longer be able to do that with its default configuration. This is because as part of pushing people towards the
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
** Description changed: [Impact] To do almost anything in the ACME protocol used by Let's Encrypt and Certbot including obtaining and revoking certificates, you need to first create an account with the ACME server. Starting in November, Certbot will no longer be able to do that with its default configuration. This is because as part of pushing people towards the standardized version of the protocol, Let's Encrypt is no longer letting people create new accounts on their ACMEv1 endpoint. More details about this change can be found at https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430. What this means for Ubuntu users is that new Certbot installations on affected systems would need to be given the URL of an alternative ACME server in order to work. Existing installations would be unaffected for now as long as they don't deactivate their account or delete its credentials. They will have additional problems in the future due to the additional deprecations described in the link above. To solve this problem, I recommend backporting the Certbot packages from Cosmic to Bionic and Xenial. There are no breaking changes to the public interfaces between versions and I think this results in the smallest change to the packages that would resolve this problem while sticking to well tested packages. [Test Case] The test case will be about requesting a real certificate from Let's Encrypt. You need to make sure the host where you are running these instructions: - is reachable from the internet on port 80 - has a public IP - said public IP has a valid DNS record under a public domain name * install certbot with the apache plugin: sudo apt install python-certbot-apache certbot * run the certbot command: sudo certbot run * After the question about your email address, it will initiate a connection to an ACME server. The old packages will use a V1 server, like this: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org * The new packages will use a v2 server, like this: Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org The above (use a v2 server) is the SRU verification in a nutshell. Of course, obtaining the certificate at the end should still work, but we want to verify with this update that the v2 server was used. Depending on the date this test is run, the acme v1 server might have been deactivated, in which case you will get this error (with the old packages): Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org An unexpected error occurred: The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details. Please see the logfiles in /var/log/letsencrypt for more details. * To complete the test, let's test renewing the certificate, and then revoke it: sudo certbot --dry-run renew * list certificates, taking note of the certificate path: sudo certbot certificate * revoke the certificate, using the certificate path obtained in the previous step: sudo certbot --cert-path revoke * As a final testing step, list the systemd timers, to make sure the certbot one is active: $ sudo systemctl list-timers NEXT LEFT LAST PASSED UNIT ACTIVATES Fri 2019-10-11 04:38:08 UTC 8h left Thu 2019-10-10 19:24:55 UTC 1h 1min ago certbot.timercertbot.service ... - [Regression Potential] The fix adopted for this bug is a backport from a newer package (cosmic). No changes at all for bionic, but xenial needed some: - no python3 in xenial, so I had to go back to py2. Upstream gave us their ok (see comment #8) - debhelper 9 instead of 11, that required some changes too, specially around systemd - build-depends on sphinx >= 1.6 had to be removed, and was done following upstream's guidance (see comment #6) [Other Info] + This SRU depends on bug #1836823 being released first, as the newer python-acme is required. - * Anything else you think is useful to include - * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board - * and address these questions in advance [Original Description] This bug affects the python-certbot packages in Xenial and Bionic. Cosmic and newer is unaffected. To do almost anything in the ACME protocol used by Let's Encrypt and Certbot including obtaining and revoking certificates, you need to first create an account with the ACME server. Starting in November, Certbot will no longer be able to do that with its default configuration. This is because as part of pushing people towards the standardized version of the protocol, Let's Encrypt is no longer letting people c
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
** Description changed: [Impact] To do almost anything in the ACME protocol used by Let's Encrypt and Certbot including obtaining and revoking certificates, you need to first create an account with the ACME server. Starting in November, Certbot will no longer be able to do that with its default configuration. This is because as part of pushing people towards the standardized version of the protocol, Let's Encrypt is no longer letting people create new accounts on their ACMEv1 endpoint. More details about this change can be found at https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430. What this means for Ubuntu users is that new Certbot installations on affected systems would need to be given the URL of an alternative ACME server in order to work. Existing installations would be unaffected for now as long as they don't deactivate their account or delete its credentials. They will have additional problems in the future due to the additional deprecations described in the link above. To solve this problem, I recommend backporting the Certbot packages from Cosmic to Bionic and Xenial. There are no breaking changes to the public interfaces between versions and I think this results in the smallest change to the packages that would resolve this problem while sticking to well tested packages. [Test Case] + The test case will be about requesting a real certificate from Let's Encrypt. You need to make sure the host where you are running these instructions: + - is reachable from the internet on port 80 + - has a public IP + - said public IP has a valid DNS record under a public domain name - * detailed instructions how to reproduce the bug + * install certbot with the apache plugin: + sudo apt install python-certbot-apache certbot - * these should allow someone who is not familiar with the affected - package to reproduce the bug and verify that the updated package fixes - the problem. + * run the certbot command: + sudo certbot run + + * After the question about your email address, it will initiate a connection to an ACME server. The old packages will use a V1 server, like this: + Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org + + * The new packages will use a v2 server, like this: + Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org + + The above (use a v2 server) is the SRU verification in a nutshell. Of + course, obtaining the certificate at the end should still work, but we + want to verify with this update that the v2 server was used. + + Depending on the date this test is run, the acme v1 server might have been deactivated, in which case you will get this error (with the old packages): + Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org + An unexpected error occurred: + The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details. + Please see the logfiles in /var/log/letsencrypt for more details. + [Regression Potential] * discussion of how regressions are most likely to manifest as a result of this change. * It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression. * This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU. [Other Info] * Anything else you think is useful to include * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board * and address these questions in advance [Original Description] This bug affects the python-certbot packages in Xenial and Bionic. Cosmic and newer is unaffected. To do almost anything in the ACME protocol used by Let's Encrypt and Certbot including obtaining and revoking certificates, you need to first create an account with the ACME server. Starting in November, Certbot will no longer be able to do that with its default configuration. This is because as part of pushing people towards the standardized version of the protocol, Let's Encrypt is no longer letting people create new accounts on their ACMEv1 endpoint. More details about this change can be found at https://community.letsencrypt.org/t/end-of-life-plan-for- acmev1/88430. What this means for Ubuntu users is that new Certbot installations on affected systems would need to be given the URL of an alternative ACME server in order to work. Existing installations would be unaffected for now as long as they don't deactivate their account or delete its credentials. They will have additional problems in the future due to the additional d
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
** Changed in: python-certbot (Ubuntu Xenial) Assignee: James Hebden (ec0) => Andreas Hasenack (ahasenack) ** Changed in: python-certbot (Ubuntu Bionic) Assignee: James Hebden (ec0) => Andreas Hasenack (ahasenack) ** Changed in: python-certbot (Ubuntu Xenial) Status: Triaged => In Progress ** Changed in: python-certbot (Ubuntu Bionic) Status: Triaged => In Progress ** Description changed: + [Impact] + + * An explanation of the effects of the bug on users and + + * justification for backporting the fix to the stable release. + + * In addition, it is helpful, but not required, to include an +explanation of how the upload fixes this bug. + + [Test Case] + + * detailed instructions how to reproduce the bug + + * these should allow someone who is not familiar with the affected +package to reproduce the bug and verify that the updated package fixes +the problem. + + [Regression Potential] + + * discussion of how regressions are most likely to manifest as a result + of this change. + + * It is assumed that any SRU candidate patch is well-tested before +upload and has a low overall risk of regression, but it's important +to make the effort to think about what ''could'' happen in the +event of a regression. + + * This both shows the SRU team that the risks have been considered, +and provides guidance to testers in regression-testing the SRU. + + [Other Info] + + * Anything else you think is useful to include + * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board + * and address these questions in advance + + + [Original Description] + This bug affects the python-certbot packages in Xenial and Bionic. Cosmic and newer is unaffected. To do almost anything in the ACME protocol used by Let's Encrypt and Certbot including obtaining and revoking certificates, you need to first create an account with the ACME server. Starting in November, Certbot will no longer be able to do that with its default configuration. This is because as part of pushing people towards the standardized version of the protocol, Let's Encrypt is no longer letting people create new accounts on their ACMEv1 endpoint. More details about this change can be found at https://community.letsencrypt.org/t/end-of-life-plan-for- acmev1/88430. What this means for Ubuntu users is that new Certbot installations on affected systems would need to be given the URL of an alternative ACME server in order to work. Existing installations would be unaffected for now as long as they don't deactivate their account or delete its credentials. They will have additional problems in the future due to the additional deprecations described in the link above. To solve this problem, I recommend backporting the Certbot packages from Cosmic to Bionic and Xenial. There are no breaking changes to the public interfaces between versions and I think this results in the smallest change to the packages that would resolve this problem while sticking to well tested packages. ** Description changed: [Impact] + To do almost anything in the ACME protocol used by Let's Encrypt and Certbot including obtaining and revoking certificates, you need to first create an account with the ACME server. Starting in November, Certbot will no longer be able to do that with its default configuration. This is because as part of pushing people towards the standardized version of the protocol, Let's Encrypt is no longer letting people create new accounts on their ACMEv1 endpoint. More details about this change can be found at https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430. - * An explanation of the effects of the bug on users and + What this means for Ubuntu users is that new Certbot installations on + affected systems would need to be given the URL of an alternative ACME + server in order to work. Existing installations would be unaffected for + now as long as they don't deactivate their account or delete its + credentials. They will have additional problems in the future due to the + additional deprecations described in the link above. - * justification for backporting the fix to the stable release. - - * In addition, it is helpful, but not required, to include an -explanation of how the upload fixes this bug. + To solve this problem, I recommend backporting the Certbot packages from + Cosmic to Bionic and Xenial. There are no breaking changes to the public + interfaces between versions and I think this results in the smallest + change to the packages that would resolve this problem while sticking to + well tested packages. [Test Case] - * detailed instructions how to reproduce the bug + * detailed instructions how to reproduce the bug - * these should allow someone who is not familiar with the affected -package to reproduce the bug and verify that the updated package fi
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
Ok, this ppa is ready for testing: https://launchpad.net/~ahasenack/+archive/ubuntu/october-certbot-sru/ Or: sudo add-apt-repository ppa:ahasenack/october-certbot-sru I was able to verify today that the existing xenial client indeed stopped working (we are in the first brown-out day): Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org An unexpected error occurred: The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details. Please see the logfiles in /var/log/letsencrypt for more details. I then upgraded to the packages from the ppa, re-ran "certbot run", and then it used the acmev2 endpoint and worked. For the actual sru verification I'll just have the verifier check the url that is used, as the v1 endpoint will probably be active by then again (unless this update misses the deadline). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
py2 build updated and uploaded to the ppa -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
> Their py2 counterparts are of course available, but this means we won't be producing python3-certbot packages, just python-certbot (if 0.27.0 works with py2, that is). I personally think this is fine. We just have to make sure the "certbot" package depends on and uses python-certbot rather than python3-certbot in Xenial. 0.27.0 still works with Python 2. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
There are other changes needed in the backport from cosmic. Specifically, python3 support. The xenial certbot packages are py2 currently, and not all py3 dependencies needed by the cosmic package are available in xenial. These two are missing: - python3-parsedatetime - python3-repoze.sphinx.autointerface Their py2 counterparts are of course available, but this means we won't be producing python3-certbot packages, just python-certbot (if 0.27.0 works with py2, that is). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
To fix the issues building the python-certbot-doc package on Xenial, you essentially want to revert the commit https://github.com/certbot/certbot/commit/d8057f0e17dc757fae662dad91a6fedc96ad6a2d. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
PPA with test packages (still building certbot for bionic atm): https://launchpad.net/~ahasenack/+archive/ubuntu/october-certbot-sru/ -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
> To solve this problem, I recommend backporting the Certbot packages from > Cosmic to Bionic > and Xenial. Cosmic, which is EOL now, had 0.27.0-1: python-certbot (0.27.0-1) unstable; urgency=medium * New upstream version 0.27.0 * Refresh patch after upstream migration to codecov * Bump python-sphinx requirement defensively; bump S-V with no changes * Bump dep on python-acme to 0.26.0~ -- Harlan Lieberman-Berg Wed, 05 Sep 2018 20:29:44 -0400 Noted the python-acme >= 0.26.0~ requirement. B and X have 0.22.2-1something, and also as noted, but #1836823 is bumping that to 0.31.0-2. ** Also affects: python-certbot (Ubuntu Disco) Importance: Undecided Status: New ** Also affects: python-certbot (Ubuntu Eoan) Importance: Undecided Assignee: James Hebden (ec0) Status: New ** Changed in: python-certbot (Ubuntu Disco) Status: New => Fix Released ** Changed in: python-certbot (Ubuntu Eoan) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
Let's Encrypt just announced brown-outs where they will be temporarily making this change at https://community.letsencrypt.org/t/end-of-life- plan-for-acmev1/88430/3. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
James, have you managed to make any progress on these SRUs yet please? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
** Changed in: python-certbot (Ubuntu) Assignee: (unassigned) => James Hebden (ec0) ** Changed in: python-certbot (Ubuntu Xenial) Assignee: (unassigned) => James Hebden (ec0) ** Changed in: python-certbot (Ubuntu Bionic) Assignee: (unassigned) => James Hebden (ec0) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
I forgot to mention two potential hurdles: 1. python-acme needs to be updated before backporting python-certbot. This needs to be done anyway by November though as described at https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/1836823. 2. One potential problem for Xenial is that the version of the python-certbot-doc package in Cosmic built from this python-certbot package requires Sphinx >= 1.6 which is not available in Xenial. If continuing to offer this python-certbot-doc package on Xenial is important, I can probably suggest how to change the upstream code in this package to keep the docs building with the old version of Sphinx. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
** Also affects: python-certbot (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: python-certbot (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: python-certbot (Ubuntu Xenial) Status: New => Triaged ** Changed in: python-certbot (Ubuntu Bionic) Status: New => Triaged ** Changed in: python-certbot (Ubuntu Xenial) Importance: Undecided => High ** Changed in: python-certbot (Ubuntu Bionic) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837673 Title: Certbot will be unable to create new ACME accounts To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
