Comment 11 for bug 2018252

Mathias Ertl (mathiasertl) wrote :

Hi,

I attached a docker-compose.yml file and a Dockerfile packed as a tarball that allow you to reproduce this issue.

The docker-compose.yml file starts pebble (the ACMEv2 demo server provided by Let's Encrypt) and is copied from [1] and extended with a Dockerfile that can start certbot. It requires that you have Docker Compose installed[2].

To reproduce, first extract the tarball and cd to ubuntu-2018252/:

  $ tar xf ubuntu-2018252.tar.gz
  $ cd ubuntu-2018252/

Then, start the setup with Ubuntu Jammy. A certificate will be retrieved automatically after five seconds in csr/:

  $ DIST=jammy docker compose build
  $ docker compose up

Quit the container and try the same with lunar:

  $ DIST=lunar docker compose build
  $ docker compose up

Now see the (ordered) CSRs retrieved:

  $ ls csr/
  0000_csr-certbot.pem 0001_csr-certbot.pem

... and see that the CSR version created differs between the first (Jammy) and the second (Lunar):

  $ openssl req -in csr/0000_csr-certbot.pem -noout -text | head -n 3
  Certificate Request:
      Data:
          Version: Unknown (2)

  $ openssl req -in csr/0001_csr-certbot.pem -noout -text | head -n 3
  Certificate Request:
      Data:
          Version: 1 (0x0)

You can then also start the container manually and run certbot (e.g. after applying a patch):

  $ docker compose run certbot /bin/bash
  # certbot certonly --standalone -n -d example.com -m <email address hidden> --agree-tos --server https://pebble:14000/dir
  ...

I hope this helps and we can finally get this trivial patch into affected distributions.

Thanks, Mat

[1] https://github.com/letsencrypt/pebble
[2] https://docs.docker.com/compose/install/
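The openssl output above shows the raw DER value of the CSR version field in parentheses: "Version: 1 (0x0)" is a version INTEGER of 0, which is the only value RFC 2986 allows for a PKCS#10 CertificationRequest, while "Unknown (2)" is a raw value of 2. The following script is an added example and is not part of the bug report, the attached tarball or certbot itself. It walks the outer DER structure of a PEM CSR (CertificationRequest SEQUENCE, CertificationRequestInfo SEQUENCE, version INTEGER) without any third-party library and flags anything other than 0, so it can be run over the files in csr/ to get the same answer as openssl. The sample CSRs it builds for the offline demonstration are constructed, unsigned, shape-only placeholders (empty subject, empty key info, padding in the attributes) that only mimic the outer layout of a real CSR; the function names are my own.

```python
"""Check the version field of PKCS#10 CSRs (added example, not certbot code).

RFC 2986, section 4.1: "version is the version number ... version shall be 0".
Each function parses only as much DER as the version check needs.
"""
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----\s*(.*?)\s*"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.S,
)


def pem_to_der(pem_text):
    """Extract the base64 body of a CSR PEM block and decode it to DER."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(buf, pos):
    """Parse one DER tag/length at buf[pos]; return (tag, value_start, value_end).

    Handles short-form lengths (< 128) and long-form lengths (0x81..0x84 prefix).
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def csr_version(der):
    """Return the raw INTEGER value of CertificationRequestInfo.version."""
    tag, start, _ = _read_tlv(der, 0)        # CertificationRequest ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, info_start, _ = _read_tlv(der, start)  # CertificationRequestInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("certificationRequestInfo is not a SEQUENCE")
    tag, v_start, v_end = _read_tlv(der, info_start)  # version INTEGER
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[v_start:v_end], "big", signed=True)


def check_csr(pem_text):
    """Return (version, ok): ok is True only for the RFC 2986 value 0."""
    version = csr_version(pem_to_der(pem_text))
    return version, version == 0


# --- constructed sample input so the example runs offline -------------------

def _tlv(tag, body):
    """Minimal DER encoder for tag + length + body (used only for the samples)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def make_fake_csr_pem(version):
    """Constructed, unsigned, CSR-shaped PEM: only the outer DER layout is real.

    The attributes field is padded so the enclosing SEQUENCEs use long-form
    lengths, which exercises that branch of _read_tlv.
    """
    info = _tlv(0x30,
                _tlv(0x02, bytes([version]))   # version INTEGER (assumed < 128)
                + _tlv(0x30, b"")              # empty subject placeholder
                + _tlv(0x30, b"")              # empty SubjectPublicKeyInfo placeholder
                + _tlv(0xA0, b"\x00" * 200))   # [0] attributes, padding only
    csr = _tlv(0x30, info + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))  # no real signature
    b64 = base64.b64encode(csr).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" % body


if __name__ == "__main__":
    # Usage: python csr_version_check.py csr/0000_csr-certbot.pem csr/0001_csr-certbot.pem
    paths = sys.argv[1:]
    for path in paths:
        with open(path) as fh:
            version, ok = check_csr(fh.read())
        print("%s: version %d %s" % (path, version, "OK" if ok else "NOT RFC 2986 (expected 0)"))
    if not paths:
        for v in (0, 2):
            print("constructed sample with version %d -> %s" % (v, check_csr(make_fake_csr_pem(v))))
```

Run it with the two files from csr/ as arguments to get a non-zero version reported for the CSR that openssl printed as "Unknown (2)"; with no arguments it checks the two constructed samples instead. The parser deliberately stops after the version INTEGER, so a truncated or unsigned file is still enough for this one check, but it is not a validator for the rest of the request.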