Bug#977350: certbot: Version in Debian Stable gets certificates by R3 issuer which might fail to validate

2020-12-14 Thread Brad Warren
Hi,

Upstream Certbot maintainer here.

It looks like these logs have been modified, removing things like the server 
responses which would have included things like the certificate chain obtained from 
Let’s Encrypt or the reason Certbot “exited abnormally”. I doubt the latter is 
related to this problem and is instead related to the renewal failure for your 
other certificate, but you never know. Can you verify that the remainder of the 
log file is about the certificate for dida.ibsquare.be?

Also, can you provide the output of the following command (or these 4 files 
directly)?

sudo tail -n +1 /etc/letsencrypt/archive/nrgcoin.org/{fullchain,chain}{5,6}.pem

Thanks,
Brad Warren


Bug#977350: certbot: Version in Debian Stable gets certificates by R3 issuer which might fail to validate

2020-12-14 Thread Harlan Lieberman-Berg
fixed 977350 1.10.1-1
thanks

On Mon, Dec 14, 2020 at 5:06 AM Frederik wrote:
> The new certificate is now issued by C=US, O=Let's Encrypt, CN=R3, while
> the previous one was issued by C=US, O=Let's Encrypt, CN=Let's Encrypt
> Authority X3.
> This change is documented here:
> https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018

Hi Frederik!

Hm.  We wouldn't expect the R3 change to affect anything; certbot
doesn't ignore the intermediary like the post is warning about.  How
do you renew the certificates? (Are you using certonly?)

Would it be possible for you to upload the log of the renewal that
occurred with the old version and the new version?  The certbot client
version will be one of the first lines in the file.

Thanks for your help!

Sincerely,

-- 
Harlan Lieberman-Berg
~hlieberman



Bug#977350: certbot: Version in Debian Stable gets certificates by R3 issuer which might fail to validate

2020-12-14 Thread Frederik
Package: certbot
Version: 0.31.0-1
Severity: normal

Yesterday I started getting certificate validation errors on one domain
in the DAVx5 client on Android and in Evolution 3.38 running on Debian
testing. The error here was that the issuer of the certificate is
unknown. I noticed that certbot had renewed the certificate yesterday.

The new certificate is now issued by C=US, O=Let's Encrypt, CN=R3, while
the previous one was issued by C=US, O=Let's Encrypt, CN=Let's Encrypt
Authority X3.
This change is documented here:
https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018

They mention that some ACME clients might have a problem with this change,
and in that case the new certificate can fail to validate. I updated the
certbot package to 1.10.1 from Testing, and renewed the certificate for
the problematic domain. The certificate validation error went away in
both DAVx5 and Evolution. So it appears that the old certbot version in
Stable is suffering from this problem.

-- System Information:
Debian Release: 10.7
  APT prefers stable
  APT policy: (700, 'stable'), (650, 'proposed-updates'), (600, 'oldstable'), (500, 'oldoldstable'), (500, 'testing'), (200, 'unstable'), (160, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages certbot depends on:
ii  python3  3.7.3-1
ii  python3-certbot  0.31.0-1

certbot recommends no packages.

Versions of packages certbot suggests:
pn  python-certbot-doc  
pn  python3-certbot-apache  
pn  python3-certbot-nginx   

-- Configuration Files:
/etc/cron.d/certbot [Errno 2] No such file or directory: '/etc/cron.d/certbot'

-- no debconf information