2019-07-17 00:54:12 |
Brad Warren |
bug |
|
|
added bug |
2019-07-17 09:02:43 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
2019-07-17 09:06:24 |
Robie Basak |
nominated for series |
|
Ubuntu Bionic |
|
2019-07-17 09:06:24 |
Robie Basak |
bug task added |
|
python-acme (Ubuntu Bionic) |
|
2019-07-17 09:06:24 |
Robie Basak |
nominated for series |
|
Ubuntu Xenial |
|
2019-07-17 09:06:24 |
Robie Basak |
bug task added |
|
python-acme (Ubuntu Xenial) |
|
2019-07-17 09:06:24 |
Robie Basak |
nominated for series |
|
Ubuntu Disco |
|
2019-07-17 09:06:24 |
Robie Basak |
bug task added |
|
python-acme (Ubuntu Disco) |
|
2019-07-17 09:06:24 |
Robie Basak |
nominated for series |
|
Ubuntu Cosmic |
|
2019-07-17 09:06:24 |
Robie Basak |
bug task added |
|
python-acme (Ubuntu Cosmic) |
|
2019-07-17 09:06:33 |
Robie Basak |
python-acme (Ubuntu Xenial): importance |
Undecided |
High |
|
2019-07-17 09:06:36 |
Robie Basak |
python-acme (Ubuntu Bionic): importance |
Undecided |
High |
|
2019-07-17 09:06:39 |
Robie Basak |
python-acme (Ubuntu Cosmic): importance |
Undecided |
High |
|
2019-07-17 09:06:42 |
Robie Basak |
python-acme (Ubuntu Disco): importance |
Undecided |
High |
|
2019-07-17 09:06:45 |
Robie Basak |
python-acme (Ubuntu Xenial): status |
New |
Triaged |
|
2019-07-17 09:06:47 |
Robie Basak |
python-acme (Ubuntu Bionic): status |
New |
Triaged |
|
2019-07-17 09:06:50 |
Robie Basak |
python-acme (Ubuntu Cosmic): status |
New |
Triaged |
|
2019-07-17 09:06:53 |
Robie Basak |
python-acme (Ubuntu Disco): status |
New |
Triaged |
|
2019-07-17 19:06:47 |
Brad Warren |
python-acme (Ubuntu): status |
New |
Fix Released |
|
2019-07-19 15:15:14 |
Joshua Powers |
bug |
|
|
added subscriber Joshua Powers |
2019-07-26 23:34:17 |
James Hebden |
python-acme (Ubuntu): assignee |
|
James Hebden (ec0) |
|
2019-07-26 23:34:25 |
James Hebden |
python-acme (Ubuntu Xenial): assignee |
|
James Hebden (ec0) |
|
2019-07-26 23:34:29 |
James Hebden |
python-acme (Ubuntu Bionic): assignee |
|
James Hebden (ec0) |
|
2019-07-26 23:34:32 |
James Hebden |
python-acme (Ubuntu Cosmic): assignee |
|
James Hebden (ec0) |
|
2019-07-26 23:34:35 |
James Hebden |
python-acme (Ubuntu Disco): assignee |
|
James Hebden (ec0) |
|
2019-08-24 22:01:09 |
James Hebden |
attachment added |
|
Package debdiff for building on all current Ubuntu versions https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/1836823/+attachment/5284405/+files/ubuntu-certbot-0.31.0-2.debdiff |
|
2019-09-04 11:43:30 |
James Hebden |
description |
This bug affects the python-acme package in all released versions of Ubuntu.
The python-acme package will no longer work with Let’s Encrypt’s “ACMEv2” endpoint which is their RFC 8555 compliant endpoint starting November 1st. See https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380 for more details about this change.
After November 1st of this year, the python-acme packages will be unusable with Let's Encrypt's endpoint which will break any software using the library for this purpose. The primary concern here is that users of the library will no longer be able to obtain new certificates. Certificates which are currently being automatically renewed will suddenly become unable to do so which will likely result in broken TLS configurations for many users.
As one of the upstream maintainers of this library, I think the safest way to start to resolve this problem would be to backport the python-acme 0.31.0-2 package from Debian Buster to Disco. The python-acme package in Disco is version 0.31.0-1 and the only code differences should be some minor patches that were applied to the package in Buster to avoid this problem before it was released. I think taking this package would result in the smallest diff while sticking to a well tested package.
Alternatively, if taking a package from Debian at this point is awkward, I can either provide info on the changes that were backported to create 0.31.0-2 in Debian so we could do something similar to the package in Disco or we could backport python-acme 0.34.0+.
After the package in Disco is updated to resolve this, I think we should backport the updated package to every non-EOL'd release of Ubuntu back to Xenial.
There are no breaking API changes between python-acme 0.31.0-2 and the version of python-acme in any Ubuntu release and no dependencies need to be updated. |
[Impact]
This bug affects the python-acme package in all released versions of Ubuntu, with the exception of Eoan Ermine which uses a newer version of python-acme.
After November 1, the current python-acme package will no longer work with Let’s Encrypt’s “ACMEv2” endpoint, which is their RFC 8555 compliant endpoint for issuing and renewing TLS certificates.
See https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380 for more details about this change.
The primary concern here is that users of the library, most commonly users of the certbot package, will no longer be able to obtain new certificates and existing certificates issued via certbot will no longer be able to renew, resulting in broken TLS configurations for many users and sites hosted on Ubuntu where certbot is used to request and renew TLS certificates.
[Test Case]
Given the breaking change will not occur until November the first, it is not easy to reproduce the failure case. However, testing this package should include verifying that a certificate can be successfully issued from the current live letsencrypt endpoints via the certbot command line utility, installable via the certbot package.
[Regression Potential]
As opposed to upgrading to the newer version of python-acme (0.36.0-1) from Eoan Ermine, and advantage of SRU'ing the 0.31.0-2 version to Xenial, Bionic, Cosmic and Disco, is that there are no breaking API changes between python-acme 0.31.0-2 and the version of python-acme currently in the repositories. Therfore, SRU'ing 0.31.0-2 carries the least risk of regression while enabling the library to function correctly after November 1st.
The regression potential of backporting 0.36.0-1 and associated newer dependencies would be higher, as more packages would need to be backported and the risk of introducing breaking API changes to dependant applications would therefore be increased.
[Other Information]
* The package being tested is being introduced from Debian Buster and is currently in use
* The package being SRU'd has minimal changes required to allow building the package on older versions of Ubuntu |
|
2019-09-04 12:02:53 |
James Hebden |
description |
[Impact]
This bug affects the python-acme package in all released versions of Ubuntu, with the exception of Eoan Ermine which uses a newer version of python-acme.
After November 1, the current python-acme package will no longer work with Let’s Encrypt’s “ACMEv2” endpoint, which is their RFC 8555 compliant endpoint for issuing and renewing TLS certificates.
See https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380 for more details about this change.
The primary concern here is that users of the library, most commonly users of the certbot package, will no longer be able to obtain new certificates and existing certificates issued via certbot will no longer be able to renew, resulting in broken TLS configurations for many users and sites hosted on Ubuntu where certbot is used to request and renew TLS certificates.
[Test Case]
Given the breaking change will not occur until November the first, it is not easy to reproduce the failure case. However, testing this package should include verifying that a certificate can be successfully issued from the current live letsencrypt endpoints via the certbot command line utility, installable via the certbot package.
[Regression Potential]
As opposed to upgrading to the newer version of python-acme (0.36.0-1) from Eoan Ermine, and advantage of SRU'ing the 0.31.0-2 version to Xenial, Bionic, Cosmic and Disco, is that there are no breaking API changes between python-acme 0.31.0-2 and the version of python-acme currently in the repositories. Therfore, SRU'ing 0.31.0-2 carries the least risk of regression while enabling the library to function correctly after November 1st.
The regression potential of backporting 0.36.0-1 and associated newer dependencies would be higher, as more packages would need to be backported and the risk of introducing breaking API changes to dependant applications would therefore be increased.
[Other Information]
* The package being tested is being introduced from Debian Buster and is currently in use
* The package being SRU'd has minimal changes required to allow building the package on older versions of Ubuntu |
[Impact]
Not directly applicable; see the exception policy document.
[Major Changes]
This bug affects the python-acme package in all released versions of Ubuntu, with the exception of Eoan Ermine which uses a newer version of python-acme.
The major change in the package is the backporting of fixes to allow the python-acme package to continue to work with Let’s Encrypt’s “ACMEv2” endpoint, which is their RFC 8555 compliant endpoint for issuing and renewing TLS certificates, after service changes are made on November 1st. See https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380 for more details about this change.
The primary concern here is that users of the library, most commonly users of the certbot package, will no longer be able to obtain new certificates and existing certificates issued via certbot will no longer be able to renew, resulting in broken TLS configurations for many users and sites hosted on Ubuntu where certbot is used to request and renew TLS certificates.
[Test Plan]
See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
As opposed to upgrading to the newer version of python-acme (0.36.0-1) from Eoan Ermine, and advantage of SRU'ing the 0.31.0-2 version to Xenial, Bionic, Cosmic and Disco, is that there are no breaking API changes between python-acme 0.31.0-2 and the version of python-acme currently in the repositories. Therfore, SRU'ing 0.31.0-2 carries the least risk of regression while enabling the library to function correctly after November 1st.
The regression potential of backporting 0.36.0-1 and associated newer dependencies would be higher, as more packages would need to be backported and the risk of introducing breaking API changes to dependant applications would therefore be increased. |
|
2019-09-12 14:26:37 |
Robie Basak |
description |
[Impact]
Not directly applicable; see the exception policy document.
[Major Changes]
This bug affects the python-acme package in all released versions of Ubuntu, with the exception of Eoan Ermine which uses a newer version of python-acme.
The major change in the package is the backporting of fixes to allow the python-acme package to continue to work with Let’s Encrypt’s “ACMEv2” endpoint, which is their RFC 8555 compliant endpoint for issuing and renewing TLS certificates, after service changes are made on November 1st. See https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380 for more details about this change.
The primary concern here is that users of the library, most commonly users of the certbot package, will no longer be able to obtain new certificates and existing certificates issued via certbot will no longer be able to renew, resulting in broken TLS configurations for many users and sites hosted on Ubuntu where certbot is used to request and renew TLS certificates.
[Test Plan]
See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
As opposed to upgrading to the newer version of python-acme (0.36.0-1) from Eoan Ermine, and advantage of SRU'ing the 0.31.0-2 version to Xenial, Bionic, Cosmic and Disco, is that there are no breaking API changes between python-acme 0.31.0-2 and the version of python-acme currently in the repositories. Therfore, SRU'ing 0.31.0-2 carries the least risk of regression while enabling the library to function correctly after November 1st.
The regression potential of backporting 0.36.0-1 and associated newer dependencies would be higher, as more packages would need to be backported and the risk of introducing breaking API changes to dependant applications would therefore be increased. |
[Impact]
Not directly applicable; see the exception policy document: https://wiki.ubuntu.com/StableReleaseUpdates/Certbot
[Major Changes]
This bug affects the python-acme package in all released versions of Ubuntu, with the exception of Eoan Ermine which uses a newer version of python-acme.
The major change in the package is the backporting of fixes to allow the python-acme package to continue to work with Let’s Encrypt’s “ACMEv2” endpoint, which is their RFC 8555 compliant endpoint for issuing and renewing TLS certificates, after service changes are made on November 1st. See https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380 for more details about this change.
The primary concern here is that users of the library, most commonly users of the certbot package, will no longer be able to obtain new certificates and existing certificates issued via certbot will no longer be able to renew, resulting in broken TLS configurations for many users and sites hosted on Ubuntu where certbot is used to request and renew TLS certificates.
[Test Plan]
See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
As opposed to upgrading to the newer version of python-acme (0.36.0-1) from Eoan Ermine, and advantage of SRU'ing the 0.31.0-2 version to Xenial, Bionic, Cosmic and Disco, is that there are no breaking API changes between python-acme 0.31.0-2 and the version of python-acme currently in the repositories. Therfore, SRU'ing 0.31.0-2 carries the least risk of regression while enabling the library to function correctly after November 1st.
The regression potential of backporting 0.36.0-1 and associated newer dependencies would be higher, as more packages would need to be backported and the risk of introducing breaking API changes to dependant applications would therefore be increased. |
|
2019-09-12 14:46:46 |
Robie Basak |
python-acme (Ubuntu Cosmic): status |
Triaged |
Won't Fix |
|
2019-09-21 12:08:25 |
James Hebden |
description |
[Impact]
Not directly applicable; see the exception policy document: https://wiki.ubuntu.com/StableReleaseUpdates/Certbot
[Major Changes]
This bug affects the python-acme package in all released versions of Ubuntu, with the exception of Eoan Ermine which uses a newer version of python-acme.
The major change in the package is the backporting of fixes to allow the python-acme package to continue to work with Let’s Encrypt’s “ACMEv2” endpoint, which is their RFC 8555 compliant endpoint for issuing and renewing TLS certificates, after service changes are made on November 1st. See https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380 for more details about this change.
The primary concern here is that users of the library, most commonly users of the certbot package, will no longer be able to obtain new certificates and existing certificates issued via certbot will no longer be able to renew, resulting in broken TLS configurations for many users and sites hosted on Ubuntu where certbot is used to request and renew TLS certificates.
[Test Plan]
See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
As opposed to upgrading to the newer version of python-acme (0.36.0-1) from Eoan Ermine, and advantage of SRU'ing the 0.31.0-2 version to Xenial, Bionic, Cosmic and Disco, is that there are no breaking API changes between python-acme 0.31.0-2 and the version of python-acme currently in the repositories. Therfore, SRU'ing 0.31.0-2 carries the least risk of regression while enabling the library to function correctly after November 1st.
The regression potential of backporting 0.36.0-1 and associated newer dependencies would be higher, as more packages would need to be backported and the risk of introducing breaking API changes to dependant applications would therefore be increased. |
[Impact]
This bug affects the python-acme package in all released versions of Ubuntu, with the exception of Eoan Ermine which uses a newer version of python-acme.
The major change in the package is the backporting of fixes to allow the python-acme package to continue to work with Let’s Encrypt’s “ACMEv2” endpoint, which is their RFC 8555 compliant endpoint for issuing and renewing TLS certificates, after service changes are made on November 1st. See https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380 for more details about this change.
The primary concern here is that users of the library, most commonly users of the certbot package, will no longer be able to obtain new certificates and existing certificates issued via certbot will no longer be able to renew, resulting in broken TLS configurations for many users and sites hosted on Ubuntu where certbot is used to request and renew TLS certificates.
For further reference, see https://wiki.ubuntu.com/StableReleaseUpdates/Certbot
[Major Changes]
There are no backwards incompatible API changes being introduced by the backported changes to this library, as such interoperability with existing packages should not be impacted. All changes being introduced are either new features or fixes to ensure the library's behaviour remains compatible with the ACME protocol, which was only finalised in March of this year. These changes are required to maintain compatibility with the ACMEv2 servers operated by LetsEncrypt per the Impact section.
Key changes being introduced by this backport:
The changelog entries for the update from 0.31.0-1 to 0.31.0-2 are:
* The acme module uses now a POST-as-GET request to retrieve the registration from an ACMEv2 server.
* The acme module now avoids sending the keyAuthorization field in the JWS payload when responding to a challenge as the field is not included in the current ACME protocol. To ease the migration path for ACME CA servers, Certbot and its acme module will first try the request without the keyAuthorization field but will temporarily retry the request with the field included if a malformed error is received.
* The Content-Type in the POST-as-GET request to retrieve a certificate was corrected from "application/pkix-cert" to "application/jose+json".
In addition to those changes, the relevant changelog entries when updating from 0.23.0 are:
* Added support for initiating (but not solving end-to-end) TLS-ALPN-01 challenges with the acme module.
* Added External Account Binding support.
* Use the ACMEv2 newNonce endpoint when a new nonce is needed, and newNonce is available in the directory.
* Warn when using deprecated acme.challenges.TLSSNI01
* When using acme.client.ClientV2 (or acme.client.BackwardsCompatibleClientV2 with an ACME server that supports a newer version of the ACME protocol), an acme.errors.ConflictError will be raised if you try to create an ACME account with a key that has already been used. Previously, a JSON parsing error was raised in this scenario when using the library with Let's Encrypt's ACMEv2 endpoint.
* You can now call query_registration without having to first call new_account on acme.client.ClientV2 objects.
* Support for the ready status type was added to acme. Without this change, Certbot and acme users will begin encountering errors when using Let's Encrypt's ACMEv2 API starting on June 19th for the staging environment and July 5th for production. See https://community.letsencrypt.org/t/acmev2-order-ready-status/62866 for more information.
* acme now supports specifying the source address to bind to when sending outgoing connections.
* acme now parses the wildcard field included in authorisations so it can be used by users of the library.
[Test Plan]
See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
As opposed to upgrading to the newer version of python-acme (0.36.0-1) from Eoan Ermine, and advantage of SRU'ing the 0.31.0-2 version to Xenial, Bionic, Cosmic and Disco, is that there are no breaking API changes between python-acme 0.31.0-2 and the version of python-acme currently in the repositories. Therfore, SRU'ing 0.31.0-2 carries the least risk of regression while enabling the library to function correctly after November 1st.
The regression potential of backporting 0.36.0-1 and associated newer dependencies would be higher, as more packages would need to be backported and the risk of introducing breaking API changes to dependant applications would therefore be increased. |
|
2019-10-03 21:41:37 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
2019-10-13 13:27:49 |
Malte Swart |
bug |
|
|
added subscriber Malte Swart |
2019-10-21 17:16:18 |
Robie Basak |
python-acme (Ubuntu Disco): status |
Triaged |
Fix Committed |
|
2019-10-21 17:16:20 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2019-10-21 17:16:21 |
Robie Basak |
bug |
|
|
added subscriber SRU Verification |
2019-10-21 17:16:25 |
Robie Basak |
tags |
|
verification-needed verification-needed-disco |
|
2019-10-21 17:16:38 |
Robie Basak |
python-acme (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
2019-10-21 17:16:47 |
Robie Basak |
tags |
verification-needed verification-needed-disco |
verification-needed verification-needed-bionic verification-needed-disco |
|
2019-10-21 17:17:27 |
Robie Basak |
python-acme (Ubuntu Xenial): status |
Triaged |
Fix Committed |
|
2019-10-21 17:17:32 |
Robie Basak |
tags |
verification-needed verification-needed-bionic verification-needed-disco |
verification-needed verification-needed-bionic verification-needed-disco verification-needed-xenial |
|
2019-10-28 14:27:51 |
Andreas Hasenack |
tags |
verification-needed verification-needed-bionic verification-needed-disco verification-needed-xenial |
verification-done-xenial verification-needed verification-needed-bionic verification-needed-disco |
|
2019-10-28 14:28:47 |
Andreas Hasenack |
tags |
verification-done-xenial verification-needed verification-needed-bionic verification-needed-disco |
verification-done-bionic verification-done-xenial verification-needed verification-needed-disco |
|
2019-10-28 14:57:00 |
Andreas Hasenack |
tags |
verification-done-bionic verification-done-xenial verification-needed verification-needed-disco |
verification-done-bionic verification-done-disco verification-done-xenial verification-needed |
|
2019-10-29 03:01:13 |
Mathew Hodson |
tags |
verification-done-bionic verification-done-disco verification-done-xenial verification-needed |
verification-done-bionic verification-done-disco verification-done-xenial |
|
2019-10-29 17:21:44 |
Launchpad Janitor |
python-acme (Ubuntu Disco): status |
Fix Committed |
Fix Released |
|
2019-10-29 17:21:49 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2019-10-29 17:22:12 |
Launchpad Janitor |
python-acme (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2019-10-29 17:22:49 |
Launchpad Janitor |
python-acme (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|