group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #33177
[Bug 1837673] Re: Certbot will be unable to create new ACME accounts
This bug was fixed in the package python-certbot -
0.27.0-1~ubuntu16.04.1
---------------
python-certbot (0.27.0-1~ubuntu16.04.1) xenial; urgency=medium
* Backport to xenial (LP: #1837673):
- d/control, d/compat: go back to debhelper 9, and drop R³
- d/p/0002-revert-sphinx-1.6-requirement.patch: revert upstream change
that allows build with sphinx 1.6
- d/control: drop requirement on version 1.6 or higher of sphinx
- d/control, d/rules: go back to python2
- d/python-certbot-doc.doc-base: go back to the py2 package
- d/python-certbot.lintian-overrides: go back to python2
- d/rules: add systemd to debhelper, since it's not automatic on this
dh level
- d/control: build-dep on systemd
- d/rules: no need to explicitly install examples/docs
- d/rules: install certbot.timer as dh-systemd in Xenial doesn't do it
- d/rules: go back to dh_systemd_enable and dh_systemd_start since
dh_installsystemd is only available in debhelper 11 and later
- d/letsencrypt.postrm: purging the transitional package shouldn't
remove the logs (Closes: #921423)
python-certbot (0.27.0-1) unstable; urgency=medium
* New upstream version 0.27.0
* Refresh patch after upstream migration to codecov
* Bump python-sphinx requirement defensively; bump S-V with no changes
* Bump dep on python-acme to 0.26.0~
python-certbot (0.26.1-1) unstable; urgency=medium
* New upstream release.
python-certbot (0.26.0-1) unstable; urgency=medium
* New upstream version 0.26.0
* Bump S-V; add R-R-R: no
python-certbot (0.25.0-1) unstable; urgency=medium
* New upstream version 0.25.0
* Bump python-acme dep version.
python-certbot (0.24.0-2) unstable; urgency=medium
* Update team email address. (Closes: #899858)
python-certbot (0.24.0-1) unstable; urgency=medium
* Add OR to dep on python-distutils for stretch-bpo
* New upstream version 0.24.0
* Bump version dep on python3-acme
python-certbot (0.23.0-1) unstable; urgency=medium
* New upstream release.
* Add testdata back in to prevent test failure in RDeps. (Closes: #894025)
* Bump S-V; no changes needed.
-- Andreas Hasenack <andreas@xxxxxxxxxxxxx> Thu, 17 Oct 2019 21:03:01
+0000
** Changed in: python-certbot (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1837673
Title:
Certbot will be unable to create new ACME accounts
Status in python-certbot package in Ubuntu:
Fix Released
Status in python-certbot source package in Xenial:
Fix Released
Status in python-certbot source package in Bionic:
Fix Released
Status in python-certbot source package in Disco:
Fix Released
Status in python-certbot source package in Eoan:
Fix Released
Bug description:
[Impact]
To do almost anything in the ACME protocol used by Let's Encrypt and Certbot including obtaining and revoking certificates, you need to first create an account with the ACME server. Starting in November, Certbot will no longer be able to do that with its default configuration. This is because as part of pushing people towards the standardized version of the protocol, Let's Encrypt is no longer letting people create new accounts on their ACMEv1 endpoint. More details about this change can be found at https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430.
What this means for Ubuntu users is that new Certbot installations on
affected systems would need to be given the URL of an alternative ACME
server in order to work. Existing installations would be unaffected
for now as long as they don't deactivate their account or delete its
credentials. They will have additional problems in the future due to
the additional deprecations described in the link above.
To solve this problem, I recommend backporting the Certbot packages
from Cosmic to Bionic and Xenial. There are no breaking changes to the
public interfaces between versions and I think this results in the
smallest change to the packages that would resolve this problem while
sticking to well tested packages.
[Test Case]
The test case will be about requesting a real certificate from Let's Encrypt. You need to make sure the host where you are running these instructions:
- is reachable from the internet on port 80
- has a public IP
- said public IP has a valid DNS record under a public domain name
* install certbot with the apache plugin:
sudo apt install python-certbot-apache certbot
* run the certbot command:
sudo certbot run
* After the question about your email address, it will initiate a connection to an ACME server. The old packages will use a V1 server, like this:
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
* The new packages will use a v2 server, like this:
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
The above (use a v2 server) is the SRU verification in a nutshell. Of
course, obtaining the certificate at the end should still work, but we
want to verify with this update that the v2 server was used.
Depending on the date this test is run, the acme v1 server might have been deactivated, in which case you will get this error (with the old packages):
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
An unexpected error occurred:
The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
Please see the logfiles in /var/log/letsencrypt for more details.
* To complete the test, let's test renewing the certificate, and then revoke it:
sudo certbot --dry-run renew
* list certificates, taking note of the certificate path:
sudo certbot certificate
* revoke the certificate, using the certificate path obtained in the previous step:
sudo certbot --cert-path <path-from-previous-step> revoke
* As a final testing step, list the systemd timers, to make sure the certbot one is active:
$ sudo systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Fri 2019-10-11 04:38:08 UTC 8h left Thu 2019-10-10 19:24:55 UTC 1h 1min ago certbot.timer certbot.service
...
[Regression Potential]
The fix adopted for this bug is a backport from a newer package (cosmic). I included a fix that was found in debian's 0.28 package, but xenial needed more changes:
- not all python3 deps are in xenial, so I had to go back to py2. Upstream gave us their ok (see comment #8)
- debhelper 9 instead of 11, that required some changes too, specially around systemd
- build-depends on sphinx >= 1.6 had to be removed, and was done following upstream's guidance (see comment #6)
[Other Info]
This SRU depends on bug #1836823 being released first, as the newer python-acme is required.
[Original Description]
This bug affects the python-certbot packages in Xenial and Bionic.
Cosmic and newer is unaffected.
To do almost anything in the ACME protocol used by Let's Encrypt and
Certbot including obtaining and revoking certificates, you need to
first create an account with the ACME server. Starting in November,
Certbot will no longer be able to do that with its default
configuration. This is because as part of pushing people towards the
standardized version of the protocol, Let's Encrypt is no longer
letting people create new accounts on their ACMEv1 endpoint. More
details about this change can be found at
https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430.
What this means for Ubuntu users is that new Certbot installations on
affected systems would need to be given the URL of an alternative ACME
server in order to work. Existing installations would be unaffected
for now as long as they don't deactivate their account or delete its
credentials. They will have additional problems in the future due to
the additional deprecations described in the link above.
To solve this problem, I recommend backporting the Certbot packages
from Cosmic to Bionic and Xenial. There are no breaking changes to the
public interfaces between versions and I think this results in the
smallest change to the packages that would resolve this problem while
sticking to well tested packages.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions