Hi,
I attached a docker-compose.yml file and a Dockerfile packed as a tarball that allow you to reproduce this issue.
The docker-compose.yml file starts pebble (the ACMEv2 demo server provided by Let's Encrypt) and is copied from [1] and extended to also add a Dockerfile that can start certbot. It requires Docker Compose to be installed [2].
To reproduce, first extract the tarball and cd to ubuntu-2018252/:
$ tar xf ubuntu-2018252.tar.gz
$ cd ubuntu-2018252/
Then, start the setup with Ubuntu Jammy. A certificate will be retrieved automatically after five seconds in csr/:
$ DIST=jammy docker compose build
$ docker compose up
Quit the container and try the same with lunar:
$ DIST=lunar docker compose build
$ docker compose up
Now see the (ordered) CSRs retrieved:
$ ls csr/
0000_csr-certbot.pem 0001_csr-certbot.pem
... and see that the CSR version created differs from the first (Jammy) and second (Lunar):
$ openssl req -in csr/0000_csr-certbot.pem -noout -text | head -n 3
Certificate Request:
Data:
Version: Unknown (2)
$ openssl req -in csr/0001_csr-certbot.pem -noout -text | head -n 3
Certificate Request:
Data:
Version: 1 (0x0)
You can then also start the container manually and run certbot (e.g. after applying a patch):
$ docker compose run certbot /bin/bash
# certbot certonly --standalone -n -d example.com -m <email address hidden> --agree-tos --server https://pebble:14000/dir
...
I hope this helps and we can finally get this trivial patch into affected distributions.
Thanks, Mat
[1] https://github.com/letsencrypt/pebble
[2] https://docs.docker.com/compose/install/
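
The version comparison from the reproduction steps above can also be scripted without openssl. The following is an added example, not part of the original comment or of certbot: it reads the raw version INTEGER from each PEM file in csr/ and flags anything other than 0, the only value RFC 2986 defines (openssl prints it as "1 (0x0)"). The function names and the sample_pem() stub are assumptions made for illustration.

```python
import base64, glob, re, sys

PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, pos, pos + length

def csr_version(pem_text):
    """Return the raw version INTEGER of the first CSR in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    der = base64.b64decode("".join(m.group(1).split()))
    pos = 0
    # Descend: CertificationRequest -> CertificationRequestInfo -> version
    for expected in (0x30, 0x30, 0x02):
        tag, pos, end = read_tlv(der, pos)
        if tag != expected:
            raise ValueError(f"unexpected DER tag 0x{tag:02x}")
    return int.from_bytes(der[pos:end], "big", signed=True)

def sample_pem(version):
    """Constructed stub: only enough DER to carry a version, not a usable CSR."""
    info = bytes([0x02, 0x01, version, 0x30, 0x00])   # version + empty subject
    der = bytes([0x30, len(info) + 2, 0x30, len(info)]) + info
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + b64 +
            "\n-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    # Defaults to the csr/ directory used in the reproduction steps.
    for path in sys.argv[1:] or sorted(glob.glob("csr/*.pem")):
        with open(path) as fh:
            v = csr_version(fh.read())
        print(f"{path}: version field {v} ->", "ok" if v == 0 else "not v1(0)")
```

Run it from the ubuntu-2018252/ directory after both docker compose runs to check every CSR that was written to csr/.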