Your message dated Thu, 26 Nov 2020 00:11:20 +0000 with message-id <e1ki4sa-000bow...@fasolo.debian.org> and subject line Bug#975862: fixed in lacme 0.7-1 has caused the Debian Bug report #975862, regarding lacme: Upcoming changes in the Let's Encrypt chain of trust break lacme to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
975862: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975862
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lacme
Version: 0.6.1-1
Severity: grave
Justification: renders package unusable

Two upcoming changes in the Let's Encrypt chain of trust severely impact lacme and will break new issuance when they're rolled out in December / January.

1. The existing issuer, namely “Let's Encrypt Authority X3”, which expires on 2021-03-17, will be phased out in December and progressively replaced with “Let's Encrypt Authority R3”.

   https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018

2. The existing trust root, namely “IdenTrust DST Root CA X3”, which expires on 2021-09-30, will be replaced with “ISRG Root X1” on January 11 next year.

   https://letsencrypt.org/2020/11/06/own-two-feet.html

Unfortunately lacme uses a configurable ‘CAfile’ (pointing to “Let's Encrypt Authority X3” by default) as intermediate CA in the certificate chain. This made sense for ACME v1, but for ACME v2 the issuing certificate is provided as part of the response and gives more flexibility for rotation, so we should definitely use that instead. (ACME v2 is supported since lacme 0.5.)

In addition, the configurable ‘CAfile’ is used for client-side validation after the issuance. Defaulting to a bundle containing all known active Let's Encrypt certificates would give some flexibility compared to hard coded key material and avoid having a period during which issuance no longer works out of the box.

Otherwise the cheap fix is to download https://letsencrypt.org/certs/lets-encrypt-r3.pem and set ‘CAfile’ to its path once Let's Encrypt has finalized the transition in mid January (and avoid making new certificate requests/renewals meanwhile).

[Setting this RC already now since it's not clear exactly when this will break; but at most 2 weeks.]

--
Guilhem.
--- End Message ---
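
The report above makes two points: with ACME v2 the issuer should be taken from the server's certificate response rather than from a fixed ‘CAfile’, and the post-issuance check should accept a bundle of known issuers rather than a single one. The following is an added example, not lacme's own code: function names are hypothetical, the certificate bytes are constructed placeholders, and the fingerprint membership test stands in for real X.509 path validation.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(pem_text)]

def fingerprint(der):
    """SHA-256 over the DER encoding, as hex."""
    return hashlib.sha256(der).hexdigest()

def split_acme_chain(response_body):
    """Split an ACME v2 application/pem-certificate-chain body.

    RFC 8555 section 7.4.2: the end-entity certificate comes first,
    followed by the certificate(s) that certify it.
    """
    ders = pem_to_der_list(response_body)
    if len(ders) < 2:
        raise ValueError("response carries no issuer certificate")
    return ders[0], ders[1:]

def issuer_is_known(response_body, bundle_pem):
    """True if the issuer sent right after the leaf is in the local bundle."""
    _, issuers = split_acme_chain(response_body)
    known = {fingerprint(d) for d in pem_to_der_list(bundle_pem)}
    return fingerprint(issuers[0]) in known

def _pem(der):
    """Wrap bytes in PEM armour (used only to build the sample data)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed placeholders, not real certificates.
LEAF = _pem(b"constructed leaf for example.org")
OLD_ISSUER = _pem(b"constructed stand-in for the outgoing intermediate")
NEW_ISSUER = _pem(b"constructed stand-in for the incoming intermediate")

RESPONSE_AFTER_ROTATION = LEAF + NEW_ISSUER   # what the server now sends
SINGLE_CA_FILE = OLD_ISSUER                   # one hard-coded intermediate
BUNDLE = OLD_ISSUER + NEW_ISSUER              # all known active issuers
```

With the single-certificate file the check rejects the chain as soon as the server switches issuer; with the bundle the same response passes, and the chain written to disk comes from the response itself.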
--- Begin Message ---
Source: lacme
Source-Version: 0.7-1
Done: Guilhem Moulin <guil...@debian.org>

We believe that the bug you reported is fixed in the latest version of lacme, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 975...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guil...@debian.org> (supplier of updated lacme package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Thu, 26 Nov 2020 00:05:55 +0100
Source: lacme
Architecture: source
Version: 0.7-1
Distribution: unstable
Urgency: high
Maintainer: Guilhem Moulin <guil...@debian.org>
Changed-By: Guilhem Moulin <guil...@debian.org>
Closes: 975862
Changes:
 lacme (0.7-1) unstable; urgency=high
 .
   * New upstream release. Closes: #975862.
--- End Message ---