Your message dated Sat, 28 Nov 2020 11:17:08 +0000
with message-id <e1kiye0-000dl6...@fasolo.debian.org>
and subject line Bug#975862: fixed in lacme 0.5-1+deb10u2
has caused the Debian Bug report #975862,
regarding lacme: Upcoming changes in the Let's Encrypt chain of trust break lacme
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
975862: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975862
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lacme
Version: 0.6.1-1
Severity: grave
Justification: renders package unusable

Two upcoming changes in the Let's Encrypt chain of trust severely impact lacme and will break new issuance when they're rolled out in December / January.

1. The existing issuer, namely “Let's Encrypt Authority X3”, which expires on 2021-03-17, will be phased out in December and progressively replaced with “Let's Encrypt Authority R3”.
   https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018

2. The existing trust root, namely “IdenTrust DST Root CA X3”, which expires on 2021-09-30, will be replaced with “ISRG Root X1” on January 11 next year.
   https://letsencrypt.org/2020/11/06/own-two-feet.html

Unfortunately lacme uses a configurable ‘CAfile’ (pointing to “Let's Encrypt Authority X3” by default) as intermediate CA in the certificate chain. This made sense for ACME v1, but for ACME v2 the issuing certificate is provided as part of the response and gives more flexibility for rotation, so we should definitely use that instead. (ACME v2 is supported since lacme 0.5.)

In addition, the configurable ‘CAfile’ is used for client-side validation after the issuance. Defaulting to a bundle containing all known active Let's Encrypt certificates would give some flexibility compared to hard-coded key material and avoid having a period during which issuance no longer works out of the box.

Otherwise the cheap fix is to download https://letsencrypt.org/certs/lets-encrypt-r3.pem and set ‘CAfile’ to its path once Let's Encrypt has finalized the transition in mid January (and avoid making new certificate requests/renewals meanwhile).

[Setting this RC already now since it's not clear exactly when this will break; but at most 2 weeks.]

-- 
Guilhem.
--- End Message ---
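The two approaches the report contrasts, as an added example that is not part of the bug report or of lacme: a constructed toy PKI built with the openssl command line (assumed to be installed), standing in for the Let's Encrypt root and its X3/R3 intermediates. A leaf newly issued from "R3" fails to chain through a hard-coded "X3" intermediate, while the issuers taken from the ACME v2 application/pem-certificate-chain response, or a bundle of all active intermediates as the report suggests, verify.

```shell
#!/bin/sh
# Added example, not lacme's own code: a constructed toy PKI standing in for the
# Let's Encrypt hierarchy, showing why the chain served by the ACME v2 endpoint
# must be used instead of the single hard-coded intermediate lacme <= 0.5 took from 'CAfile'.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > ee.ext
# issue NAME CN EXTFILE [ISSUER]: writes NAME.key and NAME.pem; self-signed unless ISSUER is given.
issue() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ $# -ge 4 ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
  fi
}

# Toy root, the old intermediate (playing "Authority X3"), its replacement (playing "R3"),
# and a leaf that the CA now issues from the new intermediate only.
issue root "Toy Root" ca.ext
issue x3   "Toy Authority X3" ca.ext root
issue r3   "Toy Authority R3" ca.ext root
issue leaf "example.test" ee.ext r3

# What the ACME v2 certificate URL serves (application/pem-certificate-chain,
# RFC 8555 section 7.4.2): the end-entity certificate first, then its issuer(s).
cat leaf.pem r3.pem > acme-response.pem

# split_acme_chain RESPONSE LEAF_OUT ISSUERS_OUT: first PEM block is the leaf, the rest are issuers.
split_acme_chain() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1" > "$2"
  awk '/-----BEGIN CERTIFICATE-----/{n++} n>1'  "$1" > "$3"
}
split_acme_chain acme-response.pem leaf-from-acme.pem issuers-from-acme.pem

# chain_ok ISSUERS: does the leaf chain to the trusted root through the intermediates in ISSUERS?
chain_ok() {
  openssl verify -CAfile root.pem -untrusted "$1" leaf-from-acme.pem 2>/dev/null | grep -q ': OK$'
}
# Three candidate 'certificate-chain' contents: the hard-coded old intermediate (breaks once
# issuance moves to R3), the chain the ACME response carried, and a bundle of all active ones.
cat x3.pem r3.pem > all-active-intermediates.pem
for issuers in x3.pem issuers-from-acme.pem all-active-intermediates.pem; do
  if chain_ok "$issuers"; then echo "$issuers: chain OK"; else echo "$issuers: chain FAILS"; fi
done
```

Only the first case fails; OpenSSL picks the right issuer out of the untrusted pool, so the bundle works for both the old and the new intermediate.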
--- Begin Message ---
Source: lacme
Source-Version: 0.5-1+deb10u2
Done: Guilhem Moulin <guil...@debian.org>

We believe that the bug you reported is fixed in the latest version of lacme, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 975...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp. Guilhem Moulin <guil...@debian.org> (supplier of updated lacme package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Thu, 26 Nov 2020 01:14:50 +0100
Source: lacme
Architecture: source
Version: 0.5-1+deb10u2
Distribution: buster
Urgency: medium
Maintainer: Guilhem Moulin <guil...@debian.org>
Changed-By: Guilhem Moulin <guil...@debian.org>
Closes: 975862
Changes:
 lacme (0.5-1+deb10u2) buster; urgency=medium
 .
   * Use upstream certificate chain instead of a hardcoded one. This is a
     breaking change. The certificate indicated by 'CAfile' is no longer used
     as is in 'certificate-chain' (along with the leaf cert). The chain
     returned by the ACME v2 endpoint is used instead. This allows for more
     flexibility with respect to key/CA rotation, cf.
     https://letsencrypt.org/2020/11/06/own-two-feet.html and
     https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018
   * Additional current/planned CA certificates can be found under
     /usr/local/share/lacme:
       - lets-encrypt-e[12].pem
       - lets-encrypt-r[34]-cross-signed.pem
       - lets-encrypt-r[34].pem
       - letsencryptauthorityx[34].pem
     See https://letsencrypt.org/certificates/
   * Moreover 'CAfile' now defaults to /usr/share/lacme/ca-certificates.crt
     which is a concatenation of all known active CA certificates (which
     includes the previous default). Closes: #975862.
--- End Message ---