Bug#935370: buster-pu: package lacme/0.5-1+deb10u1

2019-08-26 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2019-08-22 at 00:54 +0200, Guilhem Moulin wrote:
> Per RFC 8555 sec 6.3 the Let's Encrypt folks are deprecating
> unauthenticated GETs from their v2 API.  Support for these requests will
> be removed on *Nov 01 2019* (so likely between Debian 10.1 and 10.2) [0].
> 
> lacme uses the v2 API by default since 0.5, and removing support for
> unauthenticated GETs means that applying for certificate issuance will
> stop working.  Replacing GETs with POST-as-GETs is trivial (debdiff
> attached), and I'd like to fix that in Buster via s-p-u.
> 

Please go ahead; thanks.

Regards,

Adam
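
The distinction the debdiff in this thread depends on, an empty payload for POST-as-GET (RFC 8555 sec. 6.3) versus an encoded {} for an ordinary POST, as an added Go example. It is not lacme's code and not part of any message here; the key, account URL, nonce, resource URL and function names are constructed assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

var b64 = base64.RawURLEncoding

// newKey returns a throwaway RSA key, constructed for this example only.
func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignRequest builds the flattened JWS body of an ACME request to url.
// payload is raw JSON; nil selects POST-as-GET, whose "payload" member is "".
func SignRequest(key *rsa.PrivateKey, kid, nonce, url string, payload []byte) (map[string]string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "nonce": nonce, "url": url}) // a string map always marshals
	jws := map[string]string{"protected": b64.EncodeToString(hdr), "payload": ""}
	if payload != nil {
		jws["payload"] = b64.EncodeToString(payload)
	}
	// The signing input keeps the dot even when the payload is empty.
	digest := sha256.Sum256([]byte(jws["protected"] + "." + jws["payload"]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	jws["signature"] = b64.EncodeToString(sig)
	return jws, nil
}

// Verify recomputes the signing input and checks the RS256 signature.
func Verify(pub *rsa.PublicKey, jws map[string]string) error {
	sig, err := b64.DecodeString(jws["signature"])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(jws["protected"] + "." + jws["payload"]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	key, _ := newKey()
	get, _ := SignRequest(key, "https://acme.example/acct/1", "nonce-1", "https://acme.example/authz/1", nil)
	fmt.Printf("POST-as-GET payload=%q verify error=%v\n", get["payload"], Verify(&key.PublicKey, get))
}
```

Passing []byte("{}") instead of nil gives the payload "e30", the body a client sends to a challenge URL; the signature covers the payload, so the two bodies cannot be swapped after signing.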



Bug#935370: buster-pu: package lacme/0.5-1+deb10u1

2019-08-26 Thread Guilhem Moulin
Hi KiBi,

On Mon, 26 Aug 2019 at 08:22:47 +0200, Cyril Brulebois wrote:
> I'll let someone else comment on that point, to ensure I'm not making
> you jump through hoops needlessly…

I vaguely recall seeing debdiffs without ‘Closes: #XXX’, but better safe
than sorry ^^  It makes sense to track the deprecation in our BTS anyway
(#935799).  New debdiff attached.

Thanks!
Cheers,
-- 
Guilhem.
diffstat for lacme-0.5 lacme-0.5

 changelog                                             |   11 +
 gbp.conf                                              |    2
 patches/0002-Issue-GET-and-POST-as-GET-requests.patch |  121 ++
 patches/series                                        |    1
 4 files changed, 134 insertions(+), 1 deletion(-)

diff -Nru lacme-0.5/debian/changelog lacme-0.5/debian/changelog
--- lacme-0.5/debian/changelog  2018-05-09 14:17:19.0 +0200
+++ lacme-0.5/debian/changelog  2019-08-22 00:14:42.0 +0200
@@ -1,3 +1,14 @@
+lacme (0.5-1+deb10u1) buster; urgency=medium
+
+  * Link to RFC 8555  instead of the
+ACME I-D URL.
+  * Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
+authorizations, order and certificate URLs.   Let's Encrypt will remove
+support of unauthenticated GETs from the V2 API on 01 Nov 2019.
+Closes: #935799.
+
+ -- Guilhem Moulin   Thu, 22 Aug 2019 00:14:42 +0200
+
 lacme (0.5-1) unstable; urgency=medium
 
   * New upstream release, adding support for v2 ACME endpoints.
diff -Nru lacme-0.5/debian/gbp.conf lacme-0.5/debian/gbp.conf
--- lacme-0.5/debian/gbp.conf   2018-05-09 14:17:19.0 +0200
+++ lacme-0.5/debian/gbp.conf   2019-08-22 00:14:42.0 +0200
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = master
-debian-branch = debian
+debian-branch = debian-buster
 upstream-tag = upstream/%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = False
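Review bot: the switch to 'debian-branch = debian-buster' in debian/gbp.conf is not mentioned in the 0.5-1+deb10u1 changelog entry, which lists only the RFC 8555 link and the POST-as-GET change. A stable update is reviewed from its debdiff, so every packaging change should be accounted for there; add a changelog bullet such as "d/gbp.conf: Set debian-branch to debian-buster."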
diff -Nru 
lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch 
lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch
--- lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch  
1970-01-01 01:00:00.0 +0100
+++ lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch  
2019-08-22 00:14:42.0 +0200
@@ -0,0 +1,121 @@
+From f9d5e53cac1c002e5983efc18e42f5a21444b182 Mon Sep 17 00:00:00 2001
+From: Guilhem Moulin 
+Date: Wed, 21 Aug 2019 17:29:19 +0200
+Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)
+
+For the  authorizations, order and certificate URLs.
+See RFC 8555 sec. 7.1.
+---
+ client|   22 +++---
+ lacme-accountd.md |2 +-
+ lacme.md  |2 +-
+ 3 files changed, 13 insertions(+), 13 deletions(-)
+
+--- a/client
 b/client
+@@ -165,16 +165,16 @@ sub request_json_decode($;$$) {
+ #
+ # JSON-encode the hash reference $h and send it to the ACME server $uri
+ # encapsulated it in a JSON Web Signature (JWS).
+-# https://tools.ietf.org/html/draft-ietf-acme-acme-12
++# https://tools.ietf.org/html/rfc8555
+ #
+-sub acme($@) {
+-my $uri = shift;
++sub acme($;$) {
++my ($uri, $h) = @_;
+ die "Missing nonce\n" unless defined $NONCE;
+ 
+ # Produce the JSON Web Signature: RFC 7515 section 5
+ my %header = ( alg => 'RS256', nonce => $NONCE, url => $uri );
+ defined $KID ? ($header{kid} = $KID) : ($header{jwk} = $JWK);
+-my $payload = encode_base64url(json()->encode({ @_ }));
++my $payload = defined $h ? encode_base64url(json()->encode($h)) : "";
+ my $protected = encode_base64url(json()->encode(\%header));
+ my $data = $protected .'.'. $payload;
+ $S->printflush($data, "\r\n");
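Review bot: the comment block above 'sub acme($;$)' still documents only the "JSON-encode the hash reference $h" case and does not say that omitting $h now sends an empty payload, i.e. a POST-as-GET. Please document both modes there and state that acme($uri) and acme($uri, {}) are different requests (payload "" versus an encoded empty object), because the call sites changed later in this patch rely on that distinction. While the comment is being touched, "encapsulated it in" should read "encapsulated in".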
+@@ -204,7 +204,7 @@ sub acme_resource($%) {
+ request(HEAD => $RES{newNonce});
+ }
+ my $uri = $RES{$r} // die "Unknown resource '$r'\n";
+-acme($uri, @_);
++acme($uri, {@_});
+ }
+ 
+ # Set the key ID (registration URI)
+@@ -237,7 +237,7 @@ if ($COMMAND eq 'account') {
+ 
+ if ($r->is_success()) {
+ $KID = $r->header('Location');
+-$r = acme($KID, %h);
++$r = acme($KID, \%h);
+ request_json_decode($r, 1, \*STDOUT)
+ if $r->is_success() and $r->content_type() eq 'application/json';
+ }
+@@ -264,7 +264,7 @@ elsif ($COMMAND eq 'newOrder') {
+ my $order = request_json_decode($r);
+ 
+ foreach (@{$order->{authorizations}}) {
+-my $authz = request_json_decode(request(GET => $_));
++my $authz = request_json_decode(acme($_));
+ next unless $authz->{status} eq 'pending';
+ 
+ my $identifier = $authz->{identifier}->{value};
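Review bot: acme($_) inside the foreach over $order->{authorizations} makes every authorization fetch a signed request, and the visible part of acme() puts $NONCE into the protected header and dies with "Missing nonce" when it is undefined. Nothing in the lines shown here refreshes $NONCE, so please confirm that acme() updates it from each response; otherwise the second and later iterations would present a nonce that the previous request already consumed. If it does, a one-line comment at this call saying so would help the next reader.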
+@@ -288,7 +288,7 @@ elsif ($COMMAND eq 'newOrder') {
+ die "Can't open $challenge->{token}: $!";
+ }
+ 
+-$r = acme($challenge->{url});
++$r = acme($challenge->{url}, {});
+ 
+ # poll until the status become 'valid'
+ # XXX poll the 
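Review bot: the explicit {} in 'acme($challenge->{url}, {})' now carries meaning and deserves a comment on that line. With the new acme($;$) signature, dropping the second argument would send an empty payload (POST-as-GET) to the challenge URL, whereas RFC 8555 sec. 7.5.1 has the client signal readiness with an empty JSON object. A short note such as "# empty JSON object, not POST-as-GET" would keep a later cleanup from reverting it to acme($challenge->{url}).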

Bug#935370: buster-pu: package lacme/0.5-1+deb10u1

2019-08-26 Thread Cyril Brulebois
Hi Guilhem,

Guilhem Moulin (2019-08-22):
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Dear release team,
> 
> Per RFC 8555 sec 6.3 the Let's Encrypt folks are deprecating
> unauthenticated GETs from their v2 API.  Support for these requests will
> be removed on *Nov 01 2019* (so likely between Debian 10.1 and 10.2) [0].
> 
> lacme uses the v2 API by default since 0.5, and removing support for
> unauthenticated GETs means that applying for certificate issuance will
> stop working.  Replacing GETs with POST-as-GETs is trivial (debdiff
> attached), and I'd like to fix that in Buster via s-p-u.
> 
> (0.6 from Sid is not affected, and neither is 0.2 from Stretch as the
> latter supports only the v1 API.)

That seems like a welcome change indeed but I'm not entirely sure we're
accepting pu requests that have no matching bug reports against the
affected package; admittedly, it's been a while since I've last handled
pu requests, so I need to get my memory refreshed a little…

I'll let someone else comment on that point, to ensure I'm not making
you jump through hoops needlessly…


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#935370: buster-pu: package lacme/0.5-1+deb10u1

2019-08-21 Thread Guilhem Moulin
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

Per RFC 8555 sec 6.3 the Let's Encrypt folks are deprecating
unauthenticated GETs from their v2 API.  Support for these requests will
be removed on *Nov 01 2019* (so likely between Debian 10.1 and 10.2) [0].

lacme uses the v2 API by default since 0.5, and removing support for
unauthenticated GETs means that applying for certificate issuance will
stop working.  Replacing GETs with POST-as-GETs is trivial (debdiff
attached), and I'd like to fix that in Buster via s-p-u.

(0.6 from Sid is not affected, and neither is 0.2 from Stretch as the
latter supports only the v1 API.)

Cheers,
-- 
Guilhem.

[0] https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets
diffstat for lacme-0.5 lacme-0.5

 changelog                                             |   10 +
 gbp.conf                                              |    2
 patches/0002-Issue-GET-and-POST-as-GET-requests.patch |  121 ++
 patches/series                                        |    1
 4 files changed, 133 insertions(+), 1 deletion(-)

diff -Nru lacme-0.5/debian/changelog lacme-0.5/debian/changelog
--- lacme-0.5/debian/changelog  2018-05-09 14:17:19.0 +0200
+++ lacme-0.5/debian/changelog  2019-08-22 00:14:42.0 +0200
@@ -1,3 +1,13 @@
+lacme (0.5-1+deb10u1) buster; urgency=medium
+
+  * Link to RFC 8555  instead of the
+ACME I-D URL.
+  * Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
+authorizations, order and certificate URLs.   Let's Encrypt will remove
+support of unauthenticated GETs from the V2 API on 01 Nov 2019.
+
+ -- Guilhem Moulin   Thu, 22 Aug 2019 00:14:42 +0200
+
 lacme (0.5-1) unstable; urgency=medium
 
   * New upstream release, adding support for v2 ACME endpoints.
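Review bot: the new changelog entry has no "Closes:" line after the POST-as-GET bullet, so the upload is not tied to any bug report against the lacme package itself. Add one that references a bug filed against lacme for the deprecation, so the fix is tracked in the package's own bug list and not only in the release.debian.org request.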
diff -Nru lacme-0.5/debian/gbp.conf lacme-0.5/debian/gbp.conf
--- lacme-0.5/debian/gbp.conf   2018-05-09 14:17:19.0 +0200
+++ lacme-0.5/debian/gbp.conf   2019-08-22 00:14:42.0 +0200
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = master
-debian-branch = debian
+debian-branch = debian-buster
 upstream-tag = upstream/%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = False
diff -Nru 
lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch 
lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch
--- lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch  
1970-01-01 01:00:00.0 +0100
+++ lacme-0.5/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch  
2019-08-22 00:14:42.0 +0200
@@ -0,0 +1,121 @@
+From f9d5e53cac1c002e5983efc18e42f5a21444b182 Mon Sep 17 00:00:00 2001
+From: Guilhem Moulin 
+Date: Wed, 21 Aug 2019 17:29:19 +0200
+Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)
+
+For the  authorizations, order and certificate URLs.
+See RFC 8555 sec. 7.1.
+---
+ client|   22 +++---
+ lacme-accountd.md |2 +-
+ lacme.md  |2 +-
+ 3 files changed, 13 insertions(+), 13 deletions(-)
+
+--- a/client
 b/client
+@@ -165,16 +165,16 @@ sub request_json_decode($;$$) {
+ #
+ # JSON-encode the hash reference $h and send it to the ACME server $uri
+ # encapsulated it in a JSON Web Signature (JWS).
+-# https://tools.ietf.org/html/draft-ietf-acme-acme-12
++# https://tools.ietf.org/html/rfc8555
+ #
+-sub acme($@) {
+-my $uri = shift;
++sub acme($;$) {
++my ($uri, $h) = @_;
+ die "Missing nonce\n" unless defined $NONCE;
+ 
+ # Produce the JSON Web Signature: RFC 7515 section 5
+ my %header = ( alg => 'RS256', nonce => $NONCE, url => $uri );
+ defined $KID ? ($header{kid} = $KID) : ($header{jwk} = $JWK);
+-my $payload = encode_base64url(json()->encode({ @_ }));
++my $payload = defined $h ? encode_base64url(json()->encode($h)) : "";
+ my $protected = encode_base64url(json()->encode(\%header));
+ my $data = $protected .'.'. $payload;
+ $S->printflush($data, "\r\n");
+@@ -204,7 +204,7 @@ sub acme_resource($%) {
+ request(HEAD => $RES{newNonce});
+ }
+ my $uri = $RES{$r} // die "Unknown resource '$r'\n";
+-acme($uri, @_);
++acme($uri, {@_});
+ }
+ 
+ # Set the key ID (registration URI)
+@@ -237,7 +237,7 @@ if ($COMMAND eq 'account') {
+ 
+ if ($r->is_success()) {
+ $KID = $r->header('Location');
+-$r = acme($KID, %h);
++$r = acme($KID, \%h);
+ request_json_decode($r, 1, \*STDOUT)
+ if $r->is_success() and $r->content_type() eq 'application/json';
+ }
+@@ -264,7 +264,7 @@ elsif ($COMMAND eq 'newOrder') {
+ my $order = request_json_decode($r);
+ 
+ foreach (@{$order->{authorizations}}) {
+-my $authz = request_json_decode(request(GET => $_));
++my $authz =