← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1640978] Re: [SRU] Backport letsencrypt from bionic

 

This bug was fixed in the package python-certbot -
0.23.0-1~ubuntu16.04.1

---------------
python-certbot (0.23.0-1~ubuntu16.04.1) xenial; urgency=medium

  [ Robie Basak ]
  * This update is part of the set of major updates moving Let's
    Encrypt/Certbot to version 0.23 in 16.04 in order to allow it to
    continue working following the general shutdown of TLS-SNI-01
    validation (LP: #1640978).
  * This new source package takes over the function of
    the previous source package python-letsencrypt, with binary packages
    certbot, python-certbot and python-certbot-doc taking over
    respectively.
  * The following two functional changes are additionally made:
    - Log rotation is switched to logrotate via
      /etc/logrotate.d/certbot, and /etc/letsencrypt/cli.ini is
      introduced to disable internal log rotation to avoid collision.
    - Automatic renewal is enabled via the certbot.timer and
      certbot.service systemd units.

  [ Michael Casadevall ]
  * Backport to Xenial

 -- Robie Basak <robie.basak@xxxxxxxxxx>  Fri, 22 Feb 2019 12:41:51
+0000

** Changed in: python-certbot-apache (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1640978

Title:
  [SRU] Backport letsencrypt from bionic

Status in python-acme package in Ubuntu:
  Fix Released
Status in python-certbot package in Ubuntu:
  Fix Released
Status in python-certbot-apache package in Ubuntu:
  Fix Released
Status in python-certbot-nginx package in Ubuntu:
  Fix Released
Status in python-josepy package in Ubuntu:
  Fix Released
Status in python-acme source package in Xenial:
  Fix Released
Status in python-certbot source package in Xenial:
  Fix Released
Status in python-certbot-apache source package in Xenial:
  Fix Released
Status in python-certbot-nginx source package in Xenial:
  In Progress
Status in python-josepy source package in Xenial:
  Fix Released
Status in python-letsencrypt source package in Xenial:
  Fix Released
Status in python-letsencrypt-apache source package in Xenial:
  Fix Released

Bug description:
  [Impact]

  Certbot (formerly called Let's Encrypt, as released in Xenial) will
  stop working on 13 March 2019 when TLS-SNI-01 validation is turned off
  by the primary Let's Encrypt CA. This will make the package
  effectively useless for just about all users.

  [Development Fix]

  Newer validation options are present in the packages in Bionic
  onwards, including Disco.

  [Stable Fix]

  For Xenial, we are backporting the version of Certbot in Bionic.

  Note that this update includes two important functional changes:

  1) Automatic renewal is being enabled.

  2) Log rotation is switching to being handled by logrotate.

  See the discussion in this bug for details.

  Since the upstream project has been renamed from "Let's Encrypt" to
  "Certbot" to better differentiate between the tooling and the CA, the
  /usr/bin/certbot command will become available. However, a
  compatibility symlink is provided under the old name
  /usr/bin/letsencrypt.

  [Test Case]

  Upstream have an extensive test suite and are participating in this
  SRU to help us validate and land it.

  [Test Plan]

  See
  https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
  and https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript

  In addition, we will test the upgrade path from the Xenial release
  pocket to proposed explicitly.

  [Regression Potential]

  The Certbot team has viewed breakage of existing workflows (especially
  ones that may be automated) as a serious issue, has strived to avoid
  them, and has treated workflow changes as regressions where it has
  occurred.

  We have the following test suites in place for Certbot:

  * Nosetest unit tests with coverage for each module between 97% and 100%;   *test.py in the relevant tree.
  * Integration tests that run Certbot against the current copy of Let's   Encrypt's serverside boulder codebase. These require docker and are a little more involved to run. See tests/boulder_integration.sh for instructions.
  * "Compatibility tests" that run the Apache and Nginx plugins against corpora of configuration files for those webservers; these live in certbot-compatibility-test/
  * Test farm tests, which we use to check that our releases run correctly on a wide range of platforms. These spin up Amazon EC2 instances for numerous OSes and run various tests on them. They live in tests/letstest

  We recommend that Ubuntu run the first of these test suites during
  build (but we believe the Debian packages already do that).

  All of these tests mitigate the risk of regressions in our releases;
  nonetheless, some regressions do slip past.  Because many of our users
  auto-update, these tend to be reported and fixed quickly in point
  releases. For instance, regressions in 0.9.0 were fixed in 0.9.1,
  0.9.2 and 0.9.3. Certbot 0.9.3 has been used to issue hundreds of
  thousands of Certs in the field, so we are fairly confident that no
  further significant regressions exist in it, and that release is
  likely to be safe as a Xenial SRU.

  At least two changes in functionality between 0.4.1 and 0.9.3 do bear
  specific consideration for Xenial though:

  Debian has added a "certbot renew" twice-daily cron job to their
  packages between 0.4.1 and 0.9.3; we believe this is low regression
  risk (having secondary renewal mechanisms in place is a NOOP) but
  Xenial packages may want to increase the debconf verbosity to get
  consent for this from Xenial users who are upgrading?

  We had a custom log rotation scheme (rotate logs after every run), we now act like a more typical daemon, so packages need to be rotating our logs:
  https://github.com/certbot/certbot/issues/3382

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/1640978/+subscriptions