Your message dated Thu, 13 Jun 2024 17:50:40 +0000
with message-id <e1shoau-00fmvu...@fasolo.debian.org>
and subject line Bug#1072847: fixed in lacme 0.8.3-1
has caused the Debian Bug report #1072847,
regarding lacme: Post-issuance validation fails in the default configuration
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1072847: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072847
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lacme
Version: 0.8.2-1
Severity: grave
Justification: renders package unusable
Let's Encrypt has recently rotated its intermediate certificates [0].
The previous intermediate certificates (lets-encrypt-r[34].pem and
lets-encrypt-e[12].pem) are concatenated along side the roots
(isrgrootx1.pem and isrg-root-x2.pem) and used as trust anchors for
validation of the issued X.509 certificate before its deployment.
The new intermediates means the validation step now fails. A quick fix
is to add R1[0-4].pem and E[5-9].pem to the certificate bundle, however
that will cease to work once Let's Encrypt rotates its intermediates
again.
A proper fix would be to use the intermediate(s) provided during the
issuance step as -untrusted (for chain building).
--
Guilhem.
[0] https://letsencrypt.org/2024/03/19/new-intermediate-certificates
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: lacme
Source-Version: 0.8.3-1
Done: Guilhem Moulin <guil...@debian.org>
We believe that the bug you reported is fixed in the latest version of
lacme, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1072...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <guil...@debian.org> (supplier of updated lacme package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 13 Jun 2024 17:56:33 +0200
Source: lacme
Architecture: source
Version: 0.8.3-1
Distribution: unstable
Urgency: high
Maintainer: Guilhem Moulin <guil...@debian.org>
Changed-By: Guilhem Moulin <guil...@debian.org>
Closes: 1072847
Changes:
lacme (0.8.3-1) unstable; urgency=high
.
* New upstream bugfix release.
+ Fix post-issuance validation logic. We avoid pining the intermediate
certificates in the bundle and instead validate the leaf certificate
with intermediates supplied during issuance as untrusted (used for chain
building only). Only the root certificates are used as trust anchor.
Not pining intermediate certificates is in line with Let's Encrypt's
latest recommendations.
Closes: #1072847
+ Pass `-in /dev/stdin` option to openssl(1) to avoid warning with OpenSSL
3.2 or later.
+ Fix test suite to account for Let's Encrypt's (staging) ACME server
changes.
* d/control: Update Standards-Version to 4.7.0 (no changes necessary).
Checksums-Sha1:
c9ff63c41a0c3def597952bc896f3f6af44053b8 1892 lacme_0.8.3-1.dsc
2db8df4d1e2df5f2a5c86eea41d47692c58fe0d6 69628 lacme_0.8.3.orig.tar.gz
70337fb516eec94905ea090da8445da1be8fc2ec 16212 lacme_0.8.3-1.debian.tar.xz
1dc15b22cc4d3250c18993acf22e9a77649cdc09 6198 lacme_0.8.3-1_amd64.buildinfo
Checksums-Sha256:
0d241578e3024fe7755fa243c812ed17d1550d0cbd29a10dba2329611a29596d 1892
lacme_0.8.3-1.dsc
28b98f89b57c045e36d9d5534143d92d2a4f760bc503f5f37b4bfafc26d176c5 69628
lacme_0.8.3.orig.tar.gz
5012eae0198af3989e9cb4fcf9060a0fba0164f0fa57be17679ade49f28100fd 16212
lacme_0.8.3-1.debian.tar.xz
fc357e9f96f65115612fcad8821fc9aeddef267058fb5eb545254430e8042798 6198
lacme_0.8.3-1_amd64.buildinfo
Files:
d896b9fa05598525bf7daf3555aa84a6 1892 utils optional lacme_0.8.3-1.dsc
23a05ee2eaf89565274611c6dcae275f 69628 utils optional lacme_0.8.3.orig.tar.gz
ba6fc4fde9b7b4e1683abe0ae0b0c0b4 16212 utils optional
lacme_0.8.3-1.debian.tar.xz
97abbcc94c97257cbada5fc3459f2d8c 6198 utils optional
lacme_0.8.3-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmZrGDIACgkQ05pJnDwh
pVKsnBAAuQ8Ck39HrWEMMoqkx3JxvKlGGDhocbo3HSYCIAdTG2EIaJardlRAW2S4
GeDeZ+6v1vwZBOz73OJkQA2F9/xBr2E8Hjl1C5tXsTmaai7Soq8gD5/qg6firjq1
P1uKMxERllxln2TT8dh1vUD67qIIHimEE3riZn5TxpFd1BZDhwV0fMmEUIdCikg5
KDBkYWhMBHjToo+j2PnO9N2tyshDurxyp/Pr8QIKXC9NwWStIwa0cBxCqyF8wjwX
y5t0RkT2J5ZsqrU7ITQwjzk1wzTyS549qtNqgxwolpL/DMBYFaO+SJ6m2lLa+yp5
bxCzeb2YjljM75/i6JtMSMYVklwR+II5ga6S2jANUcqyVdmOiHLyWPuwKr2/Xls9
x5BeluyGdZDMACFeo/vTe1tqGkIotWR2b+fK58llsKQJGs1q0+mM04vHwDXoxHLz
0mnGbw2w/ygSJrooOfCQipkgJ1Rt/xJw4qCNgxhS9TW4PT2Bwdxv/7mFg55k/nlT
hga0+mErpSPAHzfT9jZ9iCSgR1FEJvTFwLAYuv+NO00ycEozlx6XkaY0dBFBqhCy
ruKlBilvzJrNnMYjQVvxWa4KKL3vVIbJAs2BJIQCjV86vwU/hqorMnBH9ziSLEoI
pNnafx/rI54UxCi2TLMj/RK4vGONPvxxW/QXKxSEZK9fEi4/+1M=
=xdcx
-----END PGP SIGNATURE-----
pgpJ7sAw6gyKG.pgp
Description: PGP signature
--- End Message ---
