Sets invalid CSR version in focal and kinetic
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-acme (Ubuntu) | Confirmed | Undecided | Unassigned |
Focal | New | Undecided | Unassigned |
Jammy | New | Undecided | Unassigned |
python-certbot (Ubuntu) | Confirmed | Undecided | Unassigned |
Focal | New | Undecided | Unassigned |
Jammy | New | Undecided | Unassigned |
Bug Description
Dear Maintainer,
This is a follow-up of the matching Debian bug[1].
The python3-acme library included in Ubuntu Focal and Kinetic sets an invalid CSR version 3 when creating CSRs. The issue has been solved upstream in version 1.29.0 and 2.1.0 [2], so Ubuntu Lunar is no longer affected.
The cryptography library implemented validation of the CSR version in 38.0.0 [3], so ACMEv2 server implementations based on this cryptography version no longer work with older versions of certbot (which ofc uses python3-acme).
The PR from the certbot repo[1] gives the (trivial) fix. Several other affected clients also link to the PR. I have verified that applying the patch solves the issue.
kr, Mathias Ertl
[1] https:/
[2] https:/
[3] https:/
Status changed to 'Confirmed' because the bug affects multiple users.
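
To check which CSRs carry the problem described in this report, the following added example (not part of the bug report and not code from certbot or python3-acme) reads the version INTEGER straight out of a DER or PEM CSR without validating anything else. RFC 2986 defines only v1, encoded as 0. The function names and the CSR-shaped sample bytes are constructed for illustration.

```python
import base64
import re

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length, up to 4 octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def to_der(data):
    """Accept a PEM or DER CSR and return the DER bytes."""
    m = re.search(rb"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)-----END",
                  data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def csr_version(data):
    """Return the encoded version integer of a PKCS#10 CSR."""
    der = to_der(data)
    # CertificationRequest, CertificationRequestInfo, then version INTEGER
    for expected in (0x30, 0x30, 0x02):
        tag, start, end = read_tlv(der, 0 if expected == 0x30 and 'start' not in dir() else start)
        if tag != expected:
            raise ValueError("not a PKCS#10 CSR")
    if start == end:
        raise ValueError("empty version INTEGER")
    return int.from_bytes(der[start:end], "big", signed=True)

def csr_version_is_valid(data):
    """True only for version 0 (v1), the sole value RFC 2986 defines."""
    return csr_version(data) == 0

def constructed_skeleton(version):
    """Constructed sample: CSR-shaped DER (version, empty subject), no key or signature."""
    tlv = lambda tag, value: bytes([tag, len(value)]) + value
    return tlv(0x30, tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x30, b"")))
```

A strict parser rejects any CSR for which `csr_version_is_valid` returns False, so running this over the CSRs a client generates shows whether that client still needs the fix.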