group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1836823] Re: python-acme will break on November 1st

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1836823@xxxxxxxxxxxxxxxxxx>
Date: Tue, 29 Oct 2019 17:21:44 -0000
Reply-to: Bug 1836823 <1836823@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package python-acme - 0.31.0-2~ubuntu19.04.1

---------------
python-acme (0.31.0-2~ubuntu19.04.1) disco; urgency=medium

  [ James Hebden ]
  * Backport packaging to build on Ubuntu Disco (LP: #1836823)

  [ Andreas Hasenack ]
  * d/p/series: drop unused -p1

python-acme (0.31.0-2) unstable; urgency=medium

  * Backport POST-as-GET support (Closes: #928452)

 -- James Hebden <james@xxxxxx>  Sat, 07 Sep 2019 16:15:04 +1000

** Changed in: python-acme (Ubuntu Disco)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1836823

Title:
  python-acme will break on November 1st

Status in python-acme package in Ubuntu:
  Fix Released
Status in python-acme source package in Xenial:
  Fix Released
Status in python-acme source package in Bionic:
  Fix Released
Status in python-acme source package in Cosmic:
  Won't Fix
Status in python-acme source package in Disco:
  Fix Released

Bug description:
  [Impact]

  This bug affects the python-acme package in all released versions of
  Ubuntu, with the exception of Eoan Ermine which uses a newer version
  of python-acme.

  The major change in the package is the backporting of fixes to allow
  the python-acme package to continue to work with Let’s Encrypt’s
  “ACMEv2” endpoint, which is their RFC 8555 compliant endpoint for
  issuing and renewing TLS certificates, after service changes are made
  on November 1st. See https://community.letsencrypt.org/t/acme-v2
  -scheduled-deprecation-of-unauthenticated-resource-gets/74380 for more
  details about this change.

  The primary concern here is that users of the library, most commonly
  users of the certbot package, will no longer be able to obtain new
  certificates and existing certificates issued via certbot will no
  longer be able to renew, resulting in broken TLS configurations for
  many users and sites hosted on Ubuntu where certbot is used to request
  and renew TLS certificates.

  For further reference, see
  https://wiki.ubuntu.com/StableReleaseUpdates/Certbot

  [Major Changes]

  There are no backwards incompatible API changes being introduced by
  the backported changes to this library, as such interoperability with
  existing packages should not be impacted. All changes being introduced
  are either new features or fixes to ensure the library's behaviour
  remains compatible with the ACME protocol, which was only finalised in
  March of this year. These changes are required to maintain
  compatibility with the ACMEv2 servers operated by LetsEncrypt per the
  Impact section.

  Key changes being introduced by this backport:

  The changelog entries for the update from 0.31.0-1 to 0.31.0-2 are:

  * The acme module uses now a POST-as-GET request to retrieve the registration from an ACMEv2 server.
  * The acme module now avoids sending the keyAuthorization field in the JWS payload when responding to a challenge as the field is not included in the current ACME protocol. To ease the migration path for ACME CA servers, Certbot and its acme module will first try the request without the keyAuthorization field but will temporarily retry the request with the field included if a malformed error is received. 
  * The Content-Type in the POST-as-GET request to retrieve a certificate was corrected from "application/pkix-cert" to "application/jose+json".

  In addition to those changes, the relevant changelog entries when
  updating from 0.23.0 are:

  * Added support for initiating (but not solving end-to-end) TLS-ALPN-01 challenges with the acme module.
  * Added External Account Binding support.
  * Use the ACMEv2 newNonce endpoint when a new nonce is needed, and newNonce is available in the directory.
  * Warn when using deprecated acme.challenges.TLSSNI01
  * When using acme.client.ClientV2 (or acme.client.BackwardsCompatibleClientV2 with an ACME server that supports a newer version of the ACME protocol), an acme.errors.ConflictError will be raised if you try to create an ACME account with a key that has already been used. Previously, a JSON parsing error was raised in this scenario when using the library with Let's Encrypt's ACMEv2 endpoint.
  * You can now call query_registration without having to first call new_account on acme.client.ClientV2 objects.
  * Support for the ready status type was added to acme. Without this change, Certbot and acme users will begin encountering errors when using Let's Encrypt's ACMEv2 API starting on June 19th for the staging environment and July 5th for production. See https://community.letsencrypt.org/t/acmev2-order-ready-status/62866 for more information.
  * acme now supports specifying the source address to bind to when sending outgoing connections.
  * acme now parses the wildcard field included in authorisations so it can be used by users of the library.

  [Test Plan]

  See
  https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process

  [Regression Potential]

  Upstream performs extensive testing before release, giving us a high
  degree of confidence in the general case. There problems are most
  likely to manifest in Ubuntu-specific integrations, such as in
  relation to the versions of dependencies available and other
  packaging-specific matters.

  As opposed to upgrading to the newer version of python-acme (0.36.0-1)
  from Eoan Ermine, and advantage of SRU'ing the 0.31.0-2 version to
  Xenial, Bionic, Cosmic and Disco, is that there are no breaking API
  changes between python-acme 0.31.0-2 and the version of python-acme
  currently in the repositories. Therfore, SRU'ing 0.31.0-2 carries the
  least risk of regression while enabling the library to function
  correctly after November 1st.

  The regression potential of backporting 0.36.0-1 and associated newer
  dependencies would be higher, as more packages would need to be
  backported and the risk of introducing breaking API changes to
  dependant applications would therefore be increased.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/1836823/+subscriptions