| 2020-04-27 18:58:27 |
Brad Warren |
bug |
|
|
added bug |
| 2020-04-28 08:16:43 |
Launchpad Janitor |
python-certbot-nginx (Ubuntu): status |
New |
Confirmed |
|
| 2020-04-28 10:49:10 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
| 2020-04-28 10:49:17 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Server |
| 2020-04-28 15:29:35 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
| 2020-04-28 16:48:19 |
Andreas Hasenack |
python-certbot-nginx (Ubuntu): assignee |
|
Andreas Hasenack (ahasenack) |
|
| 2020-04-28 16:48:21 |
Andreas Hasenack |
python-certbot-nginx (Ubuntu): importance |
Undecided |
High |
|
| 2020-04-28 16:48:29 |
Andreas Hasenack |
python-certbot-nginx (Ubuntu): status |
Confirmed |
In Progress |
|
| 2020-05-03 15:48:56 |
Tom |
bug |
|
|
added subscriber Tom |
| 2020-05-05 05:40:19 |
Octavia Togami |
bug |
|
|
added subscriber Kenzie Togami |
| 2020-05-05 05:56:43 |
nyet |
bug |
|
|
added subscriber nyet |
| 2020-05-06 17:52:24 |
Andreas Hasenack |
description |
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc. |
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
Not directly applicable; see the exception policy document at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build.
To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project.
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
TODO: add testscript.sh run results
TODO: add manual registration results with nginx and apache against staging
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-apache just because of the d/rules error in calling those tests, which is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc. |
|
| 2020-05-06 18:00:48 |
Andreas Hasenack |
description |
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
Not directly applicable; see the exception policy document at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build.
To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project.
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
TODO: add testscript.sh run results
TODO: add manual registration results with nginx and apache against staging
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-apache just because of the d/rules error in calling those tests, which is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc. |
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
Not directly applicable; see the exception policy document at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build.
To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project.
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
TODO: add testscript.sh run results
TODO: add manual registration results with nginx and apache against staging
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-apache just because of the d/rules error in calling those tests, which is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug, in particular comment #12 and comment #15, the latter being what was implemented for this SRU.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc. |
|
| 2020-05-06 18:12:01 |
Andreas Hasenack |
description |
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
Not directly applicable; see the exception policy document at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build.
To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project.
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
TODO: add testscript.sh run results
TODO: add manual registration results with nginx and apache against staging
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-apache just because of the d/rules error in calling those tests, which is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug, in particular comment #12 and comment #15, the latter being what was implemented for this SRU.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc. |
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
Not directly applicable; see the exception policy document at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build.
To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project.
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
a) See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
b) Request a registration with nginx:
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --nginx
c) Request a registration using apache:
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --apache
Comment #19 shows a successful manual registration using nginx and packages from a test PPA
TODO: add testscript.sh run results
TODO: add manual registration results with nginx and apache against staging
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-apache just because of the d/rules error in calling those tests, which is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug, in particular comment #12 and comment #15, the latter being what was implemented for this SRU.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc. |
|
| 2020-05-06 18:14:38 |
Andreas Hasenack |
description |
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
Not directly applicable; see the exception policy document at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build.
To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project.
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
a) See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
b) Request a registration with nginx:
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --nginx
c) Request a registration using apache:
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --apache
Comment #19 shows a successful manual registration using nginx and packages from a test PPA
TODO: add testscript.sh run results
TODO: add manual registration results with nginx and apache against staging
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-apache just because of the d/rules error in calling those tests, which is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug, in particular comment #12 and comment #15, the latter being what was implemented for this SRU.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc. |
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
Not directly applicable; see the exception policy document at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build.
To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project.
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
a) See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process. Run https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript (script updated by Brad Warren for this update, thank you!). Sample trailer output in comment #18.
b) Request a registration with nginx (example shown in comment #19):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --nginx
c) Request a registration using apache (example shown in comment #21):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --apache
TODO: add testscript.sh run results
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-apache just because of the d/rules error in calling those tests, which is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug, in particular comment #12 and comment #15, the latter being what was implemented for this SRU.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc. |
|
| 2020-05-06 18:15:09 |
Andreas Hasenack |
description |
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
Not directly applicable; see the exception policy document at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build.
To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project.
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
a) See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process. Run https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript (script updated by Brad Warren for this update, thank you!). Sample trailer output in comment #18.
b) Request a registration with nginx (example shown in comment #19):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --nginx
c) Request a registration using apache (example shown in comment #21):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --apache
TODO: add testscript.sh run results
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-apache just because of the d/rules error in calling those tests, which is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug, in particular comment #12 and comment #15, the latter being what was implemented for this SRU.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc. |
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build.
To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project.
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
a) See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process. Run https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript (script updated by Brad Warren for this update, thank you!). Sample trailer output in comment #18.
b) Request a registration with nginx (example shown in comment #19):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --nginx
c) Request a registration using apache (example shown in comment #21):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --apache
TODO: add testscript.sh run results
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-apache just because of the d/rules error in calling those tests, which is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug, in particular comment #12 and comment #15, the latter being what was implemented for this SRU.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc. |
|
| 2020-05-06 18:26:28 |
Andreas Hasenack |
description |
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build.
To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project.
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
a) See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process. Run https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript (script updated by Brad Warren for this update, thank you!). Sample trailer output in comment #18.
b) Request a registration with nginx (example shown in comment #19):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --nginx
c) Request a registration using apache (example shown in comment #21):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --apache
TODO: add testscript.sh run results
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-apache just because of the d/rules error in calling those tests, which is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug, in particular comment #12 and comment #15, the latter being what was implemented for this SRU.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc. |
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build.
To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project. You can try, though: https://github.com/certbot/certbot/compare/v0.39.0...v0.40.0 and search for "certbot-nginx"
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
a) See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process. Run https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript (script updated by Brad Warren for this update, thank you!). Sample trailer output in comment #18.
b) Request a registration with nginx (example shown in comment #19):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --nginx
c) Request a registration using apache (example shown in comment #21):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --apache
TODO: add testscript.sh run results
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-apache just because of the d/rules error in calling those tests, which is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug, in particular comment #12 and comment #15, the latter being what was implemented for this SRU.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc. |
|
| 2020-05-06 18:36:18 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/python-certbot-nginx/+git/python-certbot-nginx/+merge/383528 |
|
| 2020-05-06 18:39:13 |
Andreas Hasenack |
description |
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build.
To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project. You can try, though: https://github.com/certbot/certbot/compare/v0.39.0...v0.40.0 and search for "certbot-nginx"
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
a) See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process. Run https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript (script updated by Brad Warren for this update, thank you!). Sample trailer output in comment #18.
b) Request a registration with nginx (example shown in comment #19):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --nginx
c) Request a registration using apache (example shown in comment #21):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --apache
TODO: add testscript.sh run results
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-apache just because of the d/rules error in calling those tests, which is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug, in particular comment #12 and comment #15, the latter being what was implemented for this SRU.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc. |
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build.
To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project. You can try, though: https://github.com/certbot/certbot/compare/v0.39.0...v0.40.0 and search for "certbot-nginx"
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
a) See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process. Run https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript (script updated by Brad Warren for this update, thank you!). Sample trailer output in comment #18.
b) Request a registration with nginx (example shown in comment #19):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --nginx
c) Request a registration using apache (example shown in comment #21):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --apache
d) Search build logs for "dh_auto_test" and confirm it was called and that the build-time tests were run. In launchpad, you can find these by going to https://launchpad.net/ubuntu/+source/python-certbot-nginx and clicking through the version of this package in focal-proposed and the builds on the right hand side of the screen.
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-apache just because of the d/rules error in calling those tests, which is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug, in particular comment #12 and comment #15, the latter being what was implemented for this SRU.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc. |
|
| 2020-05-06 18:40:39 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/python-certbot-nginx/+git/python-certbot-nginx/+merge/383529 |
|
| 2020-05-07 00:25:15 |
Darian Anthony Patrick |
bug |
|
|
added subscriber Darian Anthony Patrick |
| 2020-05-09 17:16:10 |
Jean-Luc Peterschmitt |
bug |
|
|
added subscriber Jean-Luc Peterschmitt |
| 2020-05-11 06:29:40 |
Saumya Kanta Swain |
bug |
|
|
added subscriber Saumya Kanta Swain |
| 2020-05-12 00:20:39 |
YamiKaitou |
bug |
|
|
added subscriber YamiKaitou |
| 2020-05-12 15:33:47 |
Robie Basak |
tags |
|
focal regression-release |
|
| 2020-05-12 15:42:14 |
Robie Basak |
nominated for series |
|
Ubuntu Focal |
|
| 2020-05-12 15:42:14 |
Robie Basak |
bug task added |
|
python-certbot-nginx (Ubuntu Focal) |
|
| 2020-05-12 15:42:45 |
Robie Basak |
python-certbot-nginx (Ubuntu): status |
In Progress |
Fix Released |
|
| 2020-05-12 15:45:25 |
Robie Basak |
python-certbot-nginx (Ubuntu Focal): status |
New |
Fix Committed |
|
| 2020-05-12 15:45:27 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2020-05-12 15:45:30 |
Robie Basak |
bug |
|
|
added subscriber SRU Verification |
| 2020-05-12 15:45:37 |
Robie Basak |
tags |
focal regression-release |
focal regression-release verification-needed verification-needed-focal |
|
| 2020-05-13 11:35:44 |
savic |
bug |
|
|
added subscriber savic |
| 2020-05-14 16:25:20 |
Richard Hansen |
bug |
|
|
added subscriber Richard Hansen |
| 2020-05-14 21:23:48 |
Andreas Hasenack |
attachment added |
|
sru-1875471-test-a-log.txt https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1875471/+attachment/5371730/+files/sru-1875471-test-a-log.txt |
|
| 2020-05-14 21:24:39 |
Andreas Hasenack |
tags |
focal regression-release verification-needed verification-needed-focal |
focal regression-release verification-done-focal verification-needed |
|
| 2020-05-14 21:54:29 |
Steve Piercy |
bug |
|
|
added subscriber Steve Piercy |
| 2020-05-15 15:30:32 |
Ben |
bug |
|
|
added subscriber Ben |
| 2020-05-16 08:12:56 |
Gary Clark |
bug |
|
|
added subscriber Gary Clark |
| 2020-05-18 10:51:42 |
Johan Ehnberg |
bug |
|
|
added subscriber Johan Ehnberg |
| 2020-05-19 14:09:13 |
Launchpad Janitor |
python-certbot-nginx (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
| 2020-05-19 14:09:17 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
