Package: acme-tiny
Version: 20160801-1
Severity: serious

openssl 1.1 slightly changed the way the Subject of a certificate request is formatted:
- Subject: CN=foobar.domain.net
+ Subject: CN = foobar.domain.net

This causes acme-tiny to fail to get the domain from certificate requests without SAN. This in turn causes the certificate signing to be rejected by letsencrypt with error urn:acme:error:unauthorized unless it has been validated relatively recently.

Here is a possible patch to make it compatible with both openssl 1.0 and 1.1:

--- a/acme_tiny.py +++ b/acme_tiny.py @@ -69,7 +69,7 @@ if proc.returncode != 0: raise IOError("Error loading {0}: {1}".format(csr, err)) domains = set([]) - common_name = re.search(r"Subject:.*? CN=([^\s,;/]+)", out.decode('utf8')) + common_name = re.search(r"Subject:.*? CN\s*=\s*([^\s,;/]+)", out.decode('utf8')) if common_name is not None: domains.add(common_name.group(1)) subject_alt_names = re.search(r"X509v3 Subject Alternative Name: \n +([^\n]+)\n", out.decode('utf8'), re.MULTILINE|re.DOTALL)

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages acme-tiny depends on:
ii  openssl                1.1.0d-2
ii  python3-pkg-resources  33.1.1-1
pn  python3:any            <none>

acme-tiny recommends no packages.

acme-tiny suggests no packages.

-- no debconf information
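Review bot: In the new common_name pattern, `\s*` after the `=` also matches newlines, so a Subject whose CN value is empty would let the match run onto the following line and capture that line's first token as a domain, where the old `CN=([^\s,;/]+)` simply failed to match. Restricting the optional whitespace to spaces and tabs, for example `CN[ \t]*=[ \t]*([^\s,;/]+)`, keeps the match on the Subject line while still accepting both the 1.0 and 1.1 forms shown in the report. A small test that feeds both "Subject: CN=foobar.domain.net" and "Subject: CN = foobar.domain.net" through this search would guard against the output format shifting again.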