** Changed in: python-certbot (Ubuntu Xenial)
Assignee: James Hebden (ec0) => Andreas Hasenack (ahasenack)
** Changed in: python-certbot (Ubuntu Bionic)
Assignee: James Hebden (ec0) => Andreas Hasenack (ahasenack)
** Changed in: python-certbot (Ubuntu Xenial)
Status: Triaged => In Progress
** Changed in: python-certbot (Ubuntu Bionic)
Status: Triaged => In Progress
** Description changed:
+ [Impact]
+
+ * An explanation of the effects of the bug on users and
+
+ * justification for backporting the fix to the stable release.
+
+ * In addition, it is helpful, but not required, to include an
+ explanation of how the upload fixes this bug.
+
+ [Test Case]
+
+ * detailed instructions how to reproduce the bug
+
+ * these should allow someone who is not familiar with the affected
+ package to reproduce the bug and verify that the updated package fixes
+ the problem.
+
+ [Regression Potential]
+
+ * discussion of how regressions are most likely to manifest as a result
+ of this change.
+
+ * It is assumed that any SRU candidate patch is well-tested before
+ upload and has a low overall risk of regression, but it's important
+ to make the effort to think about what ''could'' happen in the
+ event of a regression.
+
+ * This both shows the SRU team that the risks have been considered,
+ and provides guidance to testers in regression-testing the SRU.
+
+ [Other Info]
+
+ * Anything else you think is useful to include
+ * Anticipate questions from users, SRU, +1 maintenance, security teams and
the Technical Board
+ * and address these questions in advance
+
+
+ [Original Description]
+
This bug affects the python-certbot packages in Xenial and Bionic.
Cosmic and newer is unaffected.
To do almost anything in the ACME protocol used by Let's Encrypt and
Certbot including obtaining and revoking certificates, you need to first
create an account with the ACME server. Starting in November, Certbot
will no longer be able to do that with its default configuration. This
is because as part of pushing people towards the standardized version of
the protocol, Let's Encrypt is no longer letting people create new
accounts on their ACMEv1 endpoint. More details about this change can be
found at https://community.letsencrypt.org/t/end-of-life-plan-for-
acmev1/88430.
What this means for Ubuntu users is that new Certbot installations on
affected systems would need to be given the URL of an alternative ACME
server in order to work. Existing installations would be unaffected for
now as long as they don't deactivate their account or delete its
credentials. They will have additional problems in the future due to the
additional deprecations described in the link above.
To solve this problem, I recommend backporting the Certbot packages from
Cosmic to Bionic and Xenial. There are no breaking changes to the public
interfaces between versions and I think this results in the smallest
change to the packages that would resolve this problem while sticking to
well tested packages.
** Description changed:
[Impact]
+ To do almost anything in the ACME protocol used by Let's Encrypt and Certbot
including obtaining and revoking certificates, you need to first create an
account with the ACME server. Starting in November, Certbot will no longer be
able to do that with its default configuration. This is because as part of
pushing people towards the standardized version of the protocol, Let's Encrypt
is no longer letting people create new accounts on their ACMEv1 endpoint. More
details about this change can be found at
https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430.
- * An explanation of the effects of the bug on users and
+ What this means for Ubuntu users is that new Certbot installations on
+ affected systems would need to be given the URL of an alternative ACME
+ server in order to work. Existing installations would be unaffected for
+ now as long as they don't deactivate their account or delete its
+ credentials. They will have additional problems in the future due to the
+ additional deprecations described in the link above.
- * justification for backporting the fix to the stable release.
-
- * In addition, it is helpful, but not required, to include an
- explanation of how the upload fixes this bug.
+ To solve this problem, I recommend backporting the Certbot packages from
+ Cosmic to Bionic and Xenial. There are no breaking changes to the public
+ interfaces between versions and I think this results in the smallest
+ change to the packages that would resolve this problem while sticking to
+ well tested packages.
[Test Case]
- * detailed instructions how to reproduce the bug
+ * detailed instructions how to reproduce the bug
- * these should allow someone who is not familiar with the affected
- package to reproduce the bug and verify that the updated package fixes
- the problem.
+ * these should allow someone who is not familiar with the affected
+ package to reproduce the bug and verify that the updated package fixes
+ the problem.
[Regression Potential]
- * discussion of how regressions are most likely to manifest as a result
+ * discussion of how regressions are most likely to manifest as a result
of this change.
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
+ * It is assumed that any SRU candidate patch is well-tested before
+ upload and has a low overall risk of regression, but it's important
+ to make the effort to think about what ''could'' happen in the
+ event of a regression.
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
+ * This both shows the SRU team that the risks have been considered,
+ and provides guidance to testers in regression-testing the SRU.
[Other Info]
-
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and
the Technical Board
- * and address these questions in advance
+ * Anything else you think is useful to include
+ * Anticipate questions from users, SRU, +1 maintenance, security teams and
the Technical Board
+ * and address these questions in advance
[Original Description]
This bug affects the python-certbot packages in Xenial and Bionic.
Cosmic and newer is unaffected.
To do almost anything in the ACME protocol used by Let's Encrypt and
Certbot including obtaining and revoking certificates, you need to first
create an account with the ACME server. Starting in November, Certbot
will no longer be able to do that with its default configuration. This
is because as part of pushing people towards the standardized version of
the protocol, Let's Encrypt is no longer letting people create new
accounts on their ACMEv1 endpoint. More details about this change can be
found at https://community.letsencrypt.org/t/end-of-life-plan-for-
acmev1/88430.
What this means for Ubuntu users is that new Certbot installations on
affected systems would need to be given the URL of an alternative ACME
server in order to work. Existing installations would be unaffected for
now as long as they don't deactivate their account or delete its
credentials. They will have additional problems in the future due to the
additional deprecations described in the link above.
To solve this problem, I recommend backporting the Certbot packages from
Cosmic to Bionic and Xenial. There are no breaking changes to the public
interfaces between versions and I think this results in the smallest
change to the packages that would resolve this problem while sticking to
well tested packages.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1837673
Title:
Certbot will be unable to create new ACME accounts
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1837673/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
