Your message dated Thu, 25 Feb 2021 20:48:31 +0000 with message-id <[email protected]> and subject line Bug#981449: fixed in dehydrated 0.7.0-2 has caused the Debian Bug report #981449, regarding dehydrated: certificate specific settings may affect other certificates to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
981449: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981449
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---
Package: dehydrated
Version: 0.7.0-1~bpo10+1
Severity: normal

Dear Maintainer,

Dehydrated supports two locations for config settings:

- The main config file, /etc/dehydrated/config by default
- Per-certificate config files, i.e. certs/*/config

Settings defined in the per-certificate config files are expected to only affect that particular certificate. But, this doesn't seem to be the case - in particular, I noticed that PRIVATE_KEY_ROLLOVER was also affecting certificates that are processed later in the run.

Looking at the code, I think I found the root cause. The per-certificate config files are loaded in command_sign_domains(); there is a case statement filtering the settings that are allowed in a per-certificate config file and transferring those settings into global shell variables. In my dehydrated installation, the supported per-certificate config settings are:

KEY_ALGO|OCSP_MUST_STAPLE|OCSP_FETCH|OCSP_DAYS|PRIVATE_KEY_RENEW|PRIVATE_KEY_ROLLOVER|KEYSIZE|CHALLENGETYPE|HOOK|PREFERRED_CHAIN|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS)

The store_configvars() and reset_configvars() are expected to save the canonical (as per the global config file) settings and restore them before processing each certificate. But, the set of variables that are saved by these functions is only a subset of those that can be set in per-certificate config files; in particular the OCSP_FETCH, OCSP_DAYS, and PRIVATE_KEY_ROLLOVER settings are missing.

-- System Information:
Debian Release: 10.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dehydrated depends on:
ii  ca-certificates  20200601~deb10u2
ii  curl             7.64.0-4+deb10u1
ii  openssl          1.1.1d-0+deb10u4

dehydrated recommends no packages.

dehydrated suggests no packages.

-- no debconf information
--- End Message ---
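
The failure mode described in the report above, as an added sketch that is not part of the original messages and is not dehydrated's code: a save/restore list that is narrower than the per-certificate whitelist lets one certificate's override reach the next one. The function names, the `SUBSET_VARS` list (the whitelist minus the three variables the report names) and the config values are constructed for illustration.

```shell
#!/bin/sh
# Whitelist of per-certificate settings, as quoted in the report.
PER_CERT_VARS="KEY_ALGO OCSP_MUST_STAPLE OCSP_FETCH OCSP_DAYS PRIVATE_KEY_RENEW PRIVATE_KEY_ROLLOVER KEYSIZE CHALLENGETYPE HOOK PREFERRED_CHAIN WELLKNOWN HOOK_CHAIN OPENSSL_CNF RENEW_DAYS"
# Constructed save list: omits OCSP_FETCH, OCSP_DAYS and PRIVATE_KEY_ROLLOVER.
SUBSET_VARS="KEY_ALGO OCSP_MUST_STAPLE PRIVATE_KEY_RENEW KEYSIZE CHALLENGETYPE HOOK PREFERRED_CHAIN WELLKNOWN HOOK_CHAIN OPENSSL_CNF RENEW_DAYS"

# Hypothetical helpers: snapshot / restore every global named in list $1.
store_vars() { for v in $1; do eval "__saved_$v=\${$v-}"; done; }
reset_vars() { for v in $1; do eval "$v=\${__saved_$v-}"; done; }

# Apply NAME=value lines from $1 (a constructed per-certificate config),
# accepting only well-formed names that appear in the whitelist.
apply_cert_config() {
  while IFS='=' read -r name value; do
    case $name in ''|*[!A-Z_]*) continue ;; esac
    case " $PER_CERT_VARS " in
      *" $name "*) eval "$name=\$value" ;;
    esac
  done <<EOF
$1
EOF
}

# Process two certificates using save list $1. The first overrides two
# settings, the second overrides none. Prints the values the second sees.
second_cert_sees() {
  PRIVATE_KEY_ROLLOVER=no; KEYSIZE=4096      # constructed global config
  store_vars "$1"
  reset_vars "$1"; apply_cert_config "PRIVATE_KEY_ROLLOVER=yes
KEYSIZE=2048"
  reset_vars "$1"; apply_cert_config ""
  echo "$PRIVATE_KEY_ROLLOVER/$KEYSIZE"
}

echo "narrow save list:   $(second_cert_sees "$SUBSET_VARS")"
echo "whitelist as list:  $(second_cert_sees "$PER_CERT_VARS")"
```

Driving the filter and the save/restore from one list is what keeps a newly whitelisted setting from escaping the reset.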
--- Begin Message ---
Source: dehydrated
Source-Version: 0.7.0-2
Done: Mattia Rizzolo <[email protected]>

We believe that the bug you reported is fixed in the latest version of dehydrated, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <[email protected]> (supplier of updated dehydrated package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Thu, 25 Feb 2021 21:20:55 +0100
Source: dehydrated
Architecture: source
Version: 0.7.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Let's Encrypt Team <[email protected]>
Changed-By: Mattia Rizzolo <[email protected]>
Closes: 981449
Changes:
 dehydrated (0.7.0-2) unstable; urgency=medium
 .
   * Add some patches from upstream:
     + Fix CN extraction for older openssl versions.
     + New option to not revalidate authorizations on forced renewal.
     + Fixed small unassigned variable issue.
     + Update copyright year.
     + Per-certificate config fixes. Closes: #981449
     + Add -t tls-alpn-01 to command line help.
   * Update d/copyright.
--- End Message ---

