Comment 0 for bug 1836823

Brad Warren (bradmwarren) wrote:

This bug affects the python-acme package in all released versions of Ubuntu.

The python-acme package will no longer work with Let's Encrypt's "ACMEv2" endpoint, which is their RFC 8555-compliant endpoint, starting November 1st. See https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380 for more details about this change.

After November 1st of this year, the python-acme packages will be unusable with Let's Encrypt's endpoint, which will break any software using the library for this purpose. The primary concern here is that users of the library will no longer be able to obtain new certificates. Certificates which are currently being automatically renewed will suddenly become unable to do so, which will likely result in broken TLS configurations for many users.

As one of the upstream maintainers of this library, I think the safest way to start to resolve this problem would be to backport the python-acme 0.31.0-2 package from Debian Buster to Disco. The python-acme package in Disco is version 0.31.0-1 and the only code differences should be some minor patches that were applied to the package in Buster to avoid this problem before it was released. I think taking this package would result in the smallest diff while sticking to a well tested package.

Alternatively, if taking a package from Debian at this point is awkward, I can either provide info on the changes that were backported to create 0.31.0-2 in Debian, so we could do something similar to the package in Disco, or we could backport python-acme 0.34.0+.

After the package in Disco is updated to resolve this, I think we should backport the updated package to every non-EOL'd release of Ubuntu back to Xenial.

There are no breaking API changes between python-acme 0.31.0-2 and the version of python-acme in any Ubuntu release and no dependencies need to be updated.