[SRU] Backport letsencrypt from bionic
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| python-acme (Ubuntu) | Fix Released | High | Unassigned | |
| Xenial | Fix Released | High | Michael Casadevall | |
| python-certbot (Ubuntu) | Fix Released | High | Unassigned | |
| Xenial | Fix Released | High | Michael Casadevall | |
| python-certbot-apache (Ubuntu) | Fix Released | High | Unassigned | |
| Xenial | Fix Released | High | Michael Casadevall | |
| python-certbot-nginx (Ubuntu) | Fix Released | High | Unassigned | |
| Xenial | Won't Fix | High | Unassigned | |
| python-josepy (Ubuntu) | Fix Released | High | Unassigned | |
| Xenial | Fix Released | High | Unassigned | |
| python-letsencrypt (Ubuntu) | | | | |
| Xenial | Fix Released | High | Michael Casadevall | |
| python-letsencrypt-apache (Ubuntu) | | | | |
| Xenial | Fix Released | High | Michael Casadevall | |
Bug Description
[Impact]
Certbot (formerly called Let's Encrypt, as released in Xenial) will stop working on 13 March 2019 when TLS-SNI-01 validation is turned off by the primary Let's Encrypt CA. This will make the package effectively useless for just about all users.
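Before upgrading, an operator can find out which renewals depend on the challenge being retired by reading the renewal files certbot keeps under /etc/letsencrypt/renewal/. The script below is an added example, not code from this bug or from the certbot project; it assumes those files are INI-style with a [renewalparams] section holding an `authenticator` key and a comma-terminated `pref_challs` key, and it runs over constructed sample contents instead of reading the disk.

```python
import configparser
from typing import Dict, List

# Challenge type the Let's Encrypt CA turns off on 13 March 2019 (per this bug).
RETIRED_CHALLENGES = {"tls-sni-01"}

# Constructed sample renewal files keyed by a made-up path; nothing is read from disk.
SAMPLE_CONFIGS = {
    "/etc/letsencrypt/renewal/www.example.com.conf": (
        "version = 0.4.1\n[renewalparams]\nauthenticator = apache\n"
        "pref_challs = tls-sni-01,\n"
    ),
    "/etc/letsencrypt/renewal/mail.example.com.conf": (
        "version = 0.23.0\n[renewalparams]\nauthenticator = webroot\n"
        "pref_challs = http-01,\n"
    ),
    "/etc/letsencrypt/renewal/old.example.com.conf": (
        "version = 0.4.1\n[renewalparams]\nauthenticator = apache\n"
    ),
}

def parse_renewal(text: str) -> Dict[str, str]:
    """Return the [renewalparams] keys of one renewal file as a plain dict."""
    parser = configparser.ConfigParser(interpolation=None)
    # Renewal files put keys before the first section header; configparser
    # requires a section, so a dummy one is prepended.
    parser.read_string("[_top]\n" + text)
    if not parser.has_section("renewalparams"):
        return {}
    return dict(parser["renewalparams"])

def preferred_challenges(params: Dict[str, str]) -> List[str]:
    """Split the comma-terminated pref_challs value into challenge names."""
    return [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]

def audit(configs: Dict[str, str]) -> Dict[str, str]:
    """Map each config path to why its renewal will break; safe ones are omitted."""
    findings = {}
    for path, text in configs.items():
        params = parse_renewal(text)
        challs = preferred_challenges(params)
        retired = sorted(RETIRED_CHALLENGES.intersection(challs))
        if retired:
            findings[path] = "explicitly prefers " + ", ".join(retired)
        elif not challs and params.get("authenticator") in ("apache", "nginx"):
            # Assumption: with no preference the plugin default decides, and this
            # bug states the Xenial 0.4.1 plugins depend on TLS-SNI-01.
            findings[path] = "no pref_challs; plugin default applies (TLS-SNI-01 in 0.4.1)"
    return findings
```

Running `audit` over the real directory contents (read each .conf into the dict) lists exactly the renewals that would fail after the cut-off, so the upgrade can be scheduled and verified per site.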
[Development Fix]
Newer validation options are present in the packages in Bionic onwards, including Disco.
[Stable Fix]
For Xenial, we are backporting the version of Certbot in Bionic.
Note that this update includes two important functional changes:
1) Automatic renewal is being enabled.
2) Log rotation is switching to being handled by logrotate.
See the discussion in this bug for details.
Since the upstream project has been renamed from "Let's Encrypt" to "Certbot" to better differentiate between the tooling and the CA, the /usr/bin/certbot command will become available. However, a compatibility symlink is provided under the old name /usr/bin/
[Test Case]
Upstream have an extensive test suite and are participating in this SRU to help us validate and land it.
[Test Plan]
See https:/
In addition, we will test the upgrade path from the Xenial release pocket to proposed explicitly.
[Regression Potential]
The Certbot team has viewed breakage of existing workflows (especially ones that may be automated) as a serious issue, has strived to avoid them, and has treated workflow changes as regressions where it has occurred.
We have the following test suites in place for Certbot:
* Nosetest unit tests with coverage for each module between 97% and 100%; *test.py in the relevant tree.
* Integration tests that run Certbot against the current copy of Let's Encrypt's serverside boulder codebase. These require docker and are a little more involved to run. See tests/boulder_
* "Compatibility tests" that run the Apache and Nginx plugins against corpora of configuration files for those webservers; these live in certbot-
* Test farm tests, which we use to check that our releases run correctly on a wide range of platforms. These spin up Amazon EC2 instances for numerous OSes and run various tests on them. They live in tests/letstest
We recommend that Ubuntu run the first of these test suites during build (but we believe the Debian packages already do that).
All of these tests mitigate the risk of regressions in our releases; nonetheless, some regressions do slip past. Because many of our users auto-update, these tend to be reported and fixed quickly in point releases. For instance, regressions in 0.9.0 were fixed in 0.9.1, 0.9.2 and 0.9.3. Certbot 0.9.3 has been used to issue hundreds of thousands of Certs in the field, so we are fairly confident that no further significant regressions exist in it, and that release is likely to be safe as a Xenial SRU.
At least two changes in functionality between 0.4.1 and 0.9.3 do bear specific consideration for Xenial though:
Debian has added a "certbot renew" twice-daily cron job to their packages between 0.4.1 and 0.9.3; we believe this is low regression risk (having secondary renewal mechanisms in place is a NOOP) but Xenial packages may want to increase the debconf verbosity to get consent for this from Xenial users who are upgrading?
We had a custom log rotation scheme (rotate logs after every run); we now act like a more typical daemon, so packages need to rotate our logs:
https:/
Changed in python-letsencrypt (Ubuntu):
  status: Confirmed → Fix Released
Changed in python-acme (Ubuntu):
  status: New → Fix Released
Changed in python-letsencrypt-apache (Ubuntu):
  status: New → Fix Released
Changed in python-certbot-nginx (Ubuntu):
  status: New → Fix Released
Changed in python-certbot-apache (Ubuntu Yakkety):
  status: In Progress → Incomplete
Changed in python-certbot (Ubuntu Yakkety):
  status: In Progress → Incomplete
Changed in python-acme (Ubuntu Yakkety):
  status: In Progress → Incomplete
summary: [SRU] Backport letsencrypt 0.9.3 → [SRU] Backport letsencrypt 0.14.1
Changed in python-acme (Ubuntu Zesty):
  status: New → Fix Committed
tags: added: verification-needed verification-needed-zesty
Changed in python-acme (Ubuntu Yakkety):
  status: Incomplete → Won't Fix
Changed in python-certbot (Ubuntu Yakkety):
  status: Incomplete → Won't Fix
Changed in python-certbot (Ubuntu Zesty):
  status: New → Fix Committed
Changed in python-certbot-nginx (Ubuntu Yakkety):
  status: In Progress → Won't Fix
Changed in python-certbot-nginx (Ubuntu Zesty):
  status: New → Fix Committed
Changed in python-certbot-apache (Ubuntu Zesty):
  status: New → Fix Committed
Changed in python-certbot-apache (Ubuntu Yakkety):
  status: Incomplete → Won't Fix
summary: [SRU] Backport letsencrypt 0.14.1 → [SRU] Backport letsencrypt 0.14.2
Changed in python-acme (Ubuntu Xenial):
  status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Changed in python-certbot-apache (Ubuntu Xenial):
  status: In Progress → Fix Committed
Changed in python-certbot (Ubuntu Xenial):
  status: In Progress → Fix Committed
Changed in python-certbot-nginx (Ubuntu Xenial):
  status: In Progress → Fix Committed
Changed in python-letsencrypt (Ubuntu Xenial):
  status: In Progress → Fix Committed
Changed in python-letsencrypt-apache (Ubuntu Xenial):
  status: Invalid → Fix Committed
no longer affects: python-letsencrypt (Ubuntu Yakkety)
no longer affects: python-letsencrypt (Ubuntu)
no longer affects: python-letsencrypt-apache (Ubuntu)
no longer affects: python-letsencrypt-apache (Ubuntu Yakkety)
tags: added: upgrade-software-version
no longer affects: python-acme (Ubuntu Yakkety)
no longer affects: python-acme (Ubuntu Zesty)
Changed in python-acme (Ubuntu Xenial):
  assignee: nobody → Michael Casadevall (mcasadevall)
  status: Fix Committed → In Progress
no longer affects: python-certbot (Ubuntu Yakkety)
no longer affects: python-certbot (Ubuntu Zesty)
Changed in python-certbot (Ubuntu Xenial):
  assignee: nobody → Michael Casadevall (mcasadevall)
  status: Fix Committed → In Progress
no longer affects: python-certbot-apache (Ubuntu Yakkety)
no longer affects: python-certbot-apache (Ubuntu Zesty)
Changed in python-certbot-apache (Ubuntu Xenial):
  assignee: nobody → Michael Casadevall (mcasadevall)
  status: Fix Committed → In Progress
no longer affects: python-certbot-nginx (Ubuntu Yakkety)
no longer affects: python-certbot-nginx (Ubuntu Zesty)
Changed in python-certbot-nginx (Ubuntu Xenial):
  assignee: nobody → Michael Casadevall (mcasadevall)
  importance: Undecided → High
  milestone: none → xenial-updates
  status: Fix Committed → In Progress
Changed in python-letsencrypt (Ubuntu Xenial):
  assignee: nobody → Michael Casadevall (mcasadevall)
  importance: Undecided → High
  milestone: none → xenial-updates
  status: Fix Committed → In Progress
Changed in python-letsencrypt-apache (Ubuntu Xenial):
  importance: Undecided → High
  milestone: none → xenial-updates
  status: Fix Committed → In Progress
Changed in python-certbot-apache (Ubuntu Xenial):
  importance: Undecided → High
Changed in python-certbot (Ubuntu Xenial):
  importance: Undecided → High
Changed in python-acme (Ubuntu Xenial):
  importance: Undecided → High
summary: [SRU] Backport letsencrypt 0.14.2 → [SRU] Backport letsencrypt from bionic
tags: removed: verification-needed-zesty
Changed in python-letsencrypt-apache (Ubuntu Xenial):
  assignee: nobody → Michael Casadevall (mcasadevall)
Changed in python-certbot-apache (Ubuntu Xenial):
  milestone: none → xenial-updates
Changed in python-certbot (Ubuntu Xenial):
  milestone: none → xenial-updates
Changed in python-acme (Ubuntu Xenial):
  milestone: none → xenial-updates
Changed in python-acme (Ubuntu):
  importance: Undecided → High
Changed in python-certbot (Ubuntu):
  importance: Undecided → High
Changed in python-certbot-apache (Ubuntu):
  importance: Undecided → High
Changed in python-certbot-nginx (Ubuntu):
  importance: Undecided → High
tags: added: patch
description: updated
description: updated
description: updated
Changed in python-josepy (Ubuntu):
  importance: Undecided → High
Changed in python-josepy (Ubuntu Xenial):
  importance: Undecided → High
tags: added: verification-done verification-done-xenial; removed: verification-needed verification-needed-xenial
Changed in python-certbot-nginx (Ubuntu Xenial):
  status: Invalid → Won't Fix
Also fixes: Launchpad bug #1608214