Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: python-a...@packages.debian.org, hlieber...@debian.org
Control: affects -1 + src:python-acme
Hello SRMs!

A bug, #1025891, was recently reported about the certbot package failing to produce certificates when run against certain strictly-RFC-complying instances of the ACME API. A fix is present upstream in later versions; however, stable is still affected. This is a simple backport, changing only the version number (and its associated test), taken from upstream.

I have tested the updated version of certbot against the Let's Encrypt test instances directly, and through the apache and nginx plugins. All were successful. Note: the Let's Encrypt API is not strictly-RFC-complying in this regard, so this proves only that the package is not broken further. However, considering the simplicity of the patch, I'm not concerned about testing against a stricter endpoint.

A source debdiff is attached. I await your thumbs-up before uploading.

Sincerely,
--
Harlan Lieberman-Berg
~hlieberman
diff -Nru python-acme-1.12.0/debian/changelog python-acme-1.12.0/debian/changelog --- python-acme-1.12.0/debian/changelog 2021-02-02 16:37:28.000000000 -0500 +++ python-acme-1.12.0/debian/changelog 2022-12-11 16:44:00.000000000 -0500 @@ -1,3 +1,10 @@ +python-acme (1.12.0-2+deb11u1) bullseye; urgency=medium + + * Fix CSR version to prevent problems with strictly RFC-complying + implementations of the ACME API (Closes: #1025891) + + -- Harlan Lieberman-Berg <hlieber...@debian.org> Sun, 11 Dec 2022 16:44:00 -0500 + python-acme (1.12.0-2) unstable; urgency=medium * Commit missed changes to control file. diff -Nru python-acme-1.12.0/debian/control python-acme-1.12.0/debian/control --- python-acme-1.12.0/debian/control 2021-02-02 16:37:28.000000000 -0500 +++ python-acme-1.12.0/debian/control 2022-12-11 16:26:05.000000000 -0500 @@ -7,7 +7,6 @@ Build-Depends: debhelper-compat (= 13), dh-python, python3, - python3-chardet, python3-cryptography (>= 2.1.4), python3-docutils, python3-josepy, @@ -18,6 +17,7 @@ python3-requests-toolbelt, python3-rfc3339, python3-setuptools (>= 11.3), + python3-six (>= 1.9), python3-sphinx (>= 1.3.1-1~), python3-sphinx-rtd-theme, python3-tz diff -Nru python-acme-1.12.0/debian/patches/fix-csr-version.patch python-acme-1.12.0/debian/patches/fix-csr-version.patch --- python-acme-1.12.0/debian/patches/fix-csr-version.patch 1969-12-31 19:00:00.000000000 -0500 +++ python-acme-1.12.0/debian/patches/fix-csr-version.patch 2022-12-11 16:42:50.000000000 -0500 
@@ -0,0 +1,40 @@ +Description: Fix incorrect CSR version + Certain strict implementations of the ACME API deny all version numbers except + that defined in the RFC (version 0). To accommodate, unilaterally set it to 0. +Author: Amir Omidi +Origin: https://github.com/certbot/certbot/pull/9334/ +Bug-Debian: https://bugs.debian.org/1025891 +Acked-By: Harlan Lieberman-Berg <hlieber...@debian.org> +Index: python-acme/acme/crypto_util.py +=================================================================== +--- python-acme.orig/acme/crypto_util.py ++++ python-acme/acme/crypto_util.py +@@ -213,7 +213,8 @@ def make_csr(private_key_pem, domains, m + value=b"DER:30:03:02:01:05")) + csr.add_extensions(extensions) + csr.set_pubkey(private_key) +- csr.set_version(2) ++ # RFC 2986 Section 4.1 only defines version 0 ++ csr.set_version(0) + csr.sign(private_key, 'sha256') + return crypto.dump_certificate_request( + crypto.FILETYPE_PEM, csr) +Index: python-acme/tests/crypto_util_test.py +=================================================================== +--- python-acme.orig/tests/crypto_util_test.py ++++ python-acme/tests/crypto_util_test.py +@@ -244,6 +244,14 @@ class MakeCSRTest(unittest.TestCase): + self.assertEqual(len(must_staple_exts), 1, + "Expected exactly one Must Staple extension") + ++ def test_make_csr_correct_version(self): ++ csr_pem = self._call_with_key(["a.example"]) ++ csr = OpenSSL.crypto.load_certificate_request( ++ OpenSSL.crypto.FILETYPE_PEM, csr_pem) ++ ++ self.assertEqual(csr.get_version(), 0, ++ "Expected CSR version to be v1 (encoded as 0), per RFC 2986, section 4") ++ + + class DumpPyopensslChainTest(unittest.TestCase): + """Test for dump_pyopenssl_chain.""" diff -Nru python-acme-1.12.0/debian/patches/series python-acme-1.12.0/debian/patches/series --- python-acme-1.12.0/debian/patches/series 2021-01-10 14:56:16.000000000 -0500 +++ python-acme-1.12.0/debian/patches/series 2022-12-11 16:38:15.000000000 -0500 
@@ -1 +1,2 @@ disable-tls-alpn-test.patch +fix-csr-version.patch
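Review bot: the two debian/control hunks (dropping `python3-chardet` from Build-Depends and adding `python3-six (>= 1.9)`) are not covered by the new changelog entry, which only mentions the CSR version fix, and the cover letter describes the upload as changing "only the version number (and its associated test)". For a stable update, either add a changelog line explaining why the build dependency change is required on bullseye, or drop those two hunks so the debdiff contains nothing beyond the fix for #1025891.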
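Review bot: in fix-csr-version.patch the code comment (`# RFC 2986 Section 4.1 only defines version 0`) and the new test's assertion message ("Expected CSR version to be v1 (encoded as 0), per RFC 2986, section 4") describe the same requirement in two different ways and cite two different section numbers. The test message is the precise one, since the RFC names the version v1 and 0 is its integer encoding, so consider rewording the code comment to `# RFC 2986 section 4.1 only defines v1, encoded as integer 0` and making both references point at the same section.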