Your message dated Mon, 17 Jun 2024 16:47:34 +0000
with message-id <[email protected]>
and subject line Bug#1072847: fixed in lacme 0.8.0-2+deb11u2
has caused the Debian Bug report #1072847,
regarding lacme: Post-issuance validation fails in the default configuration
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1072847: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072847
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lacme
Version: 0.8.2-1
Severity: grave
Justification: renders package unusable
Let's Encrypt has recently rotated its intermediate certificates [0].
The previous intermediate certificates (lets-encrypt-r[34].pem and
lets-encrypt-e[12].pem) are concatenated along side the roots
(isrgrootx1.pem and isrg-root-x2.pem) and used as trust anchors for
validation of the issued X.509 certificate before its deployment.
The new intermediates means the validation step now fails. A quick fix
is to add R1[0-4].pem and E[5-9].pem to the certificate bundle, however
that will cease to work once Let's Encrypt rotates its intermediates
again.
A proper fix would be to use the intermediate(s) provided during the
issuance step as -untrusted (for chain building).
--
Guilhem.
[0] https://letsencrypt.org/2024/03/19/new-intermediate-certificates
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: lacme
Source-Version: 0.8.0-2+deb11u2
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
lacme, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated lacme package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 13 Jun 2024 19:19:07 +0200
Source: lacme
Architecture: source
Version: 0.8.0-2+deb11u2
Distribution: bullseye
Urgency: medium
Maintainer: Guilhem Moulin <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1072847
Changes:
lacme (0.8.0-2+deb11u2) bullseye; urgency=medium
.
* Backport upstream patches to fix post-issuance validation logic. We avoid
pinning the intermediate certificates in the bundle and instead validate
the leaf certificate with intermediates supplied during issuance as
untrusted (used for chain building only). Only the root certificates are
used as trust anchor.
Not pinning intermediate certificates is in line with Let's Encrypt's
latest recommendations.
Closes: #1072847
* Adjust test suite against current Let's Encrypt staging environment.
Checksums-Sha1:
0d271783d6a808bc85ce44f7883087b348bad183 1924 lacme_0.8.0-2+deb11u2.dsc
850c8a5ab446ef6a0a26b1682d27d2041a4d5e49 20848
lacme_0.8.0-2+deb11u2.debian.tar.xz
55daa909dc6ea4698a6b5b027e95ff188ec2994e 6546
lacme_0.8.0-2+deb11u2_amd64.buildinfo
Checksums-Sha256:
46db26d15c7717c96e26cf10e22df41d8dda6affbf2bcb4eb3bbd2b6ec0b5b44 1924
lacme_0.8.0-2+deb11u2.dsc
bb2acb43e92e0cd48712644535cfceb3cbbbc86c412e30f614b9b719d42a1f2c 20848
lacme_0.8.0-2+deb11u2.debian.tar.xz
fd63350f932bd59c155ba0590a1ee4b9b2c9d2586ef4710d4e23f8b61eecb150 6546
lacme_0.8.0-2+deb11u2_amd64.buildinfo
Files:
d5df633a3c5af23efe9d8448f7cc1ac2 1924 utils optional lacme_0.8.0-2+deb11u2.dsc
ae2a34e62e9ef21a3e42f5ec7791968d 20848 utils optional
lacme_0.8.0-2+deb11u2.debian.tar.xz
3805bc773a9fa600769b9fdacc6af2a7 6546 utils optional
lacme_0.8.0-2+deb11u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmZt608ACgkQ05pJnDwh
pVLh2RAAk7HR8pPXDKJ80pZSYAxT8LeMqmCk741C8re/xinZ5iqLpB9kDH/Wd/Pp
0TODeVlqxV98aaw2FnMs4WaTLy3wL5wKc3FXHsH+J+HFDia56M9ns12gNS66AlFj
+VWm1m91OCMd9cSG/AAkIoGMPZQXx+SY4YAji0e58wERg5WGrbZfG3EZM3mixFyb
12dWL0HfqN2GNXGIGwu5WfW1KonN6o4qdmQKVOGMWP945vhtihmvuID6p9BnKNho
0DivbHSjbzXLOMLvf1sJAgm4WDfRknZfxtYQPQNU3KpIDKmXZE28WSN5/XUmDPZ6
WF6uqjotNGqa7kTQCD+8vqTOWqX+UNLzgBziz++8IBD9dolBQzrkwwkfjB6jaTdW
HYqZH4Vxh9DCoG5xS4jytNwn+LVf1+/FI1XoRNuEh7WZRZcQ0wTx1LulTJW/oVPp
9wpPgxSJxrBpCOcyn4iif4bFzOvv9AnIOIZ0fT/dE+ihKbN/RzZtmKlbsXkVQpcS
TzT50rBmeCqlHRwDW33IduaOaLpxRas1YBwbMxTqrRfj0qjzWO475iGw23yKJUU3
/Fb/5X5UAMkZKrZaVp4QYSw1sn3FEO/22aYxBtS0K131aUmI3OU5sME2kPKz5QL+
a7zxpoiTga/NbALUFi0CCY/R6JoHAyK6ADmwWhFQOCVe3nFd/Hw=
=f9JI
-----END PGP SIGNATURE-----
pgplInHpAVJ2d.pgp
Description: PGP signature
--- End Message ---
