Bug#1072847: marked as done (lacme: Post-issuance validation fails in the default configuration)
Your message dated Mon, 17 Jun 2024 16:47:34 + with message-id and subject line Bug#1072847: fixed in lacme 0.8.0-2+deb11u2 has caused the Debian Bug report #1072847, regarding lacme: Post-issuance validation fails in the default configuration to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1072847: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072847 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: lacme Version: 0.8.2-1 Severity: grave Justification: renders package unusable Let's Encrypt has recently rotated its intermediate certificates [0]. The previous intermediate certificates (lets-encrypt-r[34].pem and lets-encrypt-e[12].pem) are concatenated along side the roots (isrgrootx1.pem and isrg-root-x2.pem) and used as trust anchors for validation of the issued X.509 certificate before its deployment. The new intermediates means the validation step now fails. A quick fix is to add R1[0-4].pem and E[5-9].pem to the certificate bundle, however that will cease to work once Let's Encrypt rotates its intermediates again. A proper fix would be to use the intermediate(s) provided during the issuance step as -untrusted (for chain building). -- Guilhem. [0] https://letsencrypt.org/2024/03/19/new-intermediate-certificates signature.asc Description: PGP signature --- End Message --- --- Begin Message --- Source: lacme Source-Version: 0.8.0-2+deb11u2 Done: Guilhem Moulin We believe that the bug you reported is fixed in the latest version of lacme, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1072...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Guilhem Moulin (supplier of updated lacme package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Thu, 13 Jun 2024 19:19:07 +0200 Source: lacme Architecture: source Version: 0.8.0-2+deb11u2 Distribution: bullseye Urgency: medium Maintainer: Guilhem Moulin Changed-By: Guilhem Moulin Closes: 1072847 Changes: lacme (0.8.0-2+deb11u2) bullseye; urgency=medium . * Backport upstream patches to fix post-issuance validation logic. We avoid pinning the intermediate certificates in the bundle and instead validate the leaf certificate with intermediates supplied during issuance as untrusted (used for chain building only). Only the root certificates are used as trust anchor. Not pinning intermediate certificates is in line with Let's Encrypt's latest recommendations. Closes: #1072847 * Adjust test suite against current Let's Encrypt staging environment. Checksums-Sha1: 0d271783d6a808bc85ce44f7883087b348bad183 1924 lacme_0.8.0-2+deb11u2.dsc 850c8a5ab446ef6a0a26b1682d27d2041a4d5e49 20848 lacme_0.8.0-2+deb11u2.debian.tar.xz 55daa909dc6ea4698a6b5b027e95ff188ec2994e 6546 lacme_0.8.0-2+deb11u2_amd64.buildinfo Checksums-Sha256: 46db26d15c7717c96e26cf10e22df41d8dda6affbf2bcb4eb3bbd2b6ec0b5b44 1924 lacme_0.8.0-2+deb11u2.dsc bb2acb43e92e0cd48712644535cfceb3cbbbc86c412e30f614b9b719d42a1f2c 20848 lacme_0.8.0-2+deb11u2.debian.tar.xz fd63350f932bd59c155ba0590a1ee4b9b2c9d2586ef4710d4e23f8b61eecb150 6546 lacme_0.8.0-2+deb11u2_amd64.buildinfo Files: d5df633a3c5af23efe9d8448f7cc1ac2 1924 utils optional lacme_0.8.0-2+deb11u2.dsc ae2a34e62e9ef21a3e42f5ec7791968d 20848 utils optional lacme_0.8.0-2+deb11u2.debian.tar.xz 3805bc773a9fa600769b9fdacc6af2a7 6546 utils optional lacme_0.8.0-2+deb11u2_amd64.buildinfo -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmZt608ACgkQ05pJnDwh pVLh2RAAk7HR8pPXDKJ80pZSYAxT8LeMqmCk741C8re/xinZ5iqLpB9kDH/Wd/Pp 0TODeVlqxV98aaw2FnMs4WaTLy3wL5wKc3FXHsH+J+HFDia56M9ns12gNS66AlFj +VWm1m91OCMd9cSG/AAkIoGMPZQXx+SY4YAji0e58wERg5WGrbZfG3EZM3mixFyb 12dWL0HfqN2GNXGIGwu5WfW1KonN6o4qdmQKVOGMWP945vhtihmvuID6p9BnKNho 0DivbHSjbzXLOMLvf1sJAgm4WDfRknZfxtYQPQNU3KpIDKmXZE28WSN5/XUmDPZ6 WF6uqjotNGqa7kTQCD+8vqTOWqX+UNLzgBziz++8IBD9dolBQzrkwwkfjB6jaTdW HYqZH4Vxh9DCoG5xS4jytNwn+LVf1+/FI1XoRNuEh7WZRZcQ0wTx1LulTJW/oVPp 9wpPgxSJxrBpCOcyn4iif4bFzOvv9AnIOIZ0fT/dE+ihKbN/RzZtmKlbsXkVQpcS TzT50rBmeCqlHRwDW33IduaOaLpxRas1YBwbMxTqrRfj0qjzWO475iGw23yKJUU3
Bug#1072847: marked as done (lacme: Post-issuance validation fails in the default configuration)
Your message dated Sun, 16 Jun 2024 20:33:49 + with message-id and subject line Bug#1072847: fixed in lacme 0.8.2-1+deb12u1 has caused the Debian Bug report #1072847, regarding lacme: Post-issuance validation fails in the default configuration to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1072847: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072847 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: lacme Version: 0.8.2-1 Severity: grave Justification: renders package unusable Let's Encrypt has recently rotated its intermediate certificates [0]. The previous intermediate certificates (lets-encrypt-r[34].pem and lets-encrypt-e[12].pem) are concatenated along side the roots (isrgrootx1.pem and isrg-root-x2.pem) and used as trust anchors for validation of the issued X.509 certificate before its deployment. The new intermediates means the validation step now fails. A quick fix is to add R1[0-4].pem and E[5-9].pem to the certificate bundle, however that will cease to work once Let's Encrypt rotates its intermediates again. A proper fix would be to use the intermediate(s) provided during the issuance step as -untrusted (for chain building). -- Guilhem. [0] https://letsencrypt.org/2024/03/19/new-intermediate-certificates signature.asc Description: PGP signature --- End Message --- --- Begin Message --- Source: lacme Source-Version: 0.8.2-1+deb12u1 Done: Guilhem Moulin We believe that the bug you reported is fixed in the latest version of lacme, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1072...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Guilhem Moulin (supplier of updated lacme package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Fri, 14 Jun 2024 01:20:13 +0200 Source: lacme Architecture: source Version: 0.8.2-1+deb12u1 Distribution: bookworm Urgency: medium Maintainer: Guilhem Moulin Changed-By: Guilhem Moulin Closes: 1072847 Changes: lacme (0.8.2-1+deb12u1) bookworm; urgency=medium . * Backport upstream patches to fix post-issuance validation logic. We avoid pinning the intermediate certificates in the bundle and instead validate the leaf certificate with intermediates supplied during issuance as untrusted (used for chain building only). Only the root certificates are used as trust anchor. Not pinning intermediate certificates is in line with Let's Encrypt's latest recommendations. Closes: #1072847 * Adjust test suite against current Let's Encrypt staging environment. * d/gbp.conf: Set 'debian-branch = debian/bookworm'. Checksums-Sha1: 051e827418d8770dd035dec70908a8c20f8442ec 1924 lacme_0.8.2-1+deb12u1.dsc 6dd086cc20310c19d03d6d5e7cdb6a6ec97b93bd 20416 lacme_0.8.2-1+deb12u1.debian.tar.xz fbc6baf0c58dc3d3b35f8b7d327f609d7a2b74c7 6629 lacme_0.8.2-1+deb12u1_amd64.buildinfo Checksums-Sha256: 7ea7374110fa43c0e2b3244cbe5367a24970b86dc776a0e2127a6de8c751b93c 1924 lacme_0.8.2-1+deb12u1.dsc 8deb6fd49826fb1f5a22064501625036f5b1ccf02d30ef49c15ad77e9109c59b 20416 lacme_0.8.2-1+deb12u1.debian.tar.xz f44f990308e9c4a02b1f697912802878ba067cbd78252f65113a09a4ad7dc7aa 6629 lacme_0.8.2-1+deb12u1_amd64.buildinfo Files: b0e13e4cd251c3cd42e7224866f2ac03 1924 utils optional lacme_0.8.2-1+deb12u1.dsc 843e36466c83ebae55d92dac6a74df3c 20416 utils optional lacme_0.8.2-1+deb12u1.debian.tar.xz 6baa3274b0144a91dd07e57de5b32821 6629 utils optional lacme_0.8.2-1+deb12u1_amd64.buildinfo -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmZuEZMACgkQ05pJnDwh pVJ40Q/+IIcWUd9+C3WWyVz2ED/DSJraTZhSHf20Z37wxki4LoERdw/2cfJiHcSc mLPGutrvmDQ6mh4hM0j7o7ObD8jX7JBM5LOhrc9/D3QvQo06uL94grxl2zzYrlPw 8aG6zf8Wp+QGCpBBvo7bq7P4ToEBsyJhQ6Dwqo6p7E8YHrRECUQ/bAiDE62ApTAI JYl406u6H4o1jJXhVnnAyuY0o+txr89pssmtx/k2scgQPBYM/Zyr5HmiV0Dtr4kS YfyM16x5U1bgJ6Pf0HMPr3x14jDfQl8rmE9x9yjrMQCOCyRHrVM6V3Adoup/IuCK 5He3ng+cpLsPAKdci3hAdryzmstbqlxdvaMGtvH0cbnekOJyHqNOO6zl8b5m6NrQ Vm6Wq9FhmPtqxSsnVZueyzG8bvBYPTap+Wf6R4sn2bt/gxIyWBaglyXr1FOBcOSW CVW0jZkQBFxM4eWcjARiqoTQSh7lkdT9LreDox14RuJzcLQ6LpJwZwfvwKCNXdyc
Bug#1072847: marked as done (lacme: Post-issuance validation fails in the default configuration)
Your message dated Thu, 13 Jun 2024 17:50:40 + with message-id and subject line Bug#1072847: fixed in lacme 0.8.3-1 has caused the Debian Bug report #1072847, regarding lacme: Post-issuance validation fails in the default configuration to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1072847: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072847 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: lacme Version: 0.8.2-1 Severity: grave Justification: renders package unusable Let's Encrypt has recently rotated its intermediate certificates [0]. The previous intermediate certificates (lets-encrypt-r[34].pem and lets-encrypt-e[12].pem) are concatenated along side the roots (isrgrootx1.pem and isrg-root-x2.pem) and used as trust anchors for validation of the issued X.509 certificate before its deployment. The new intermediates means the validation step now fails. A quick fix is to add R1[0-4].pem and E[5-9].pem to the certificate bundle, however that will cease to work once Let's Encrypt rotates its intermediates again. A proper fix would be to use the intermediate(s) provided during the issuance step as -untrusted (for chain building). -- Guilhem. [0] https://letsencrypt.org/2024/03/19/new-intermediate-certificates signature.asc Description: PGP signature --- End Message --- --- Begin Message --- Source: lacme Source-Version: 0.8.3-1 Done: Guilhem Moulin We believe that the bug you reported is fixed in the latest version of lacme, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1072...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Guilhem Moulin (supplier of updated lacme package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Thu, 13 Jun 2024 17:56:33 +0200 Source: lacme Architecture: source Version: 0.8.3-1 Distribution: unstable Urgency: high Maintainer: Guilhem Moulin Changed-By: Guilhem Moulin Closes: 1072847 Changes: lacme (0.8.3-1) unstable; urgency=high . * New upstream bugfix release. + Fix post-issuance validation logic. We avoid pining the intermediate certificates in the bundle and instead validate the leaf certificate with intermediates supplied during issuance as untrusted (used for chain building only). Only the root certificates are used as trust anchor. Not pining intermediate certificates is in line with Let's Encrypt's latest recommendations. Closes: #1072847 + Pass `-in /dev/stdin` option to openssl(1) to avoid warning with OpenSSL 3.2 or later. + Fix test suite to account for Let's Encrypt's (staging) ACME server changes. * d/control: Update Standards-Version to 4.7.0 (no changes necessary). Checksums-Sha1: c9ff63c41a0c3def597952bc896f3f6af44053b8 1892 lacme_0.8.3-1.dsc 2db8df4d1e2df5f2a5c86eea41d47692c58fe0d6 69628 lacme_0.8.3.orig.tar.gz 70337fb516eec94905ea090da8445da1be8fc2ec 16212 lacme_0.8.3-1.debian.tar.xz 1dc15b22cc4d3250c18993acf22e9a77649cdc09 6198 lacme_0.8.3-1_amd64.buildinfo Checksums-Sha256: 0d241578e3024fe7755fa243c812ed17d1550d0cbd29a10dba2329611a29596d 1892 lacme_0.8.3-1.dsc 28b98f89b57c045e36d9d5534143d92d2a4f760bc503f5f37b4bfafc26d176c5 69628 lacme_0.8.3.orig.tar.gz 5012eae0198af3989e9cb4fcf9060a0fba0164f0fa57be17679ade49f28100fd 16212 lacme_0.8.3-1.debian.tar.xz fc357e9f96f65115612fcad8821fc9aeddef267058fb5eb545254430e8042798 6198 lacme_0.8.3-1_amd64.buildinfo Files: d896b9fa05598525bf7daf3555aa84a6 1892 utils optional lacme_0.8.3-1.dsc 23a05ee2eaf89565274611c6dcae275f 69628 utils optional lacme_0.8.3.orig.tar.gz ba6fc4fde9b7b4e1683abe0ae0b0c0b4 16212 utils optional lacme_0.8.3-1.debian.tar.xz 97abbcc94c97257cbada5fc3459f2d8c 6198 utils optional lacme_0.8.3-1_amd64.buildinfo -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmZrGDIACgkQ05pJnDwh pVKsnBAAuQ8Ck39HrWEMMoqkx3JxvKlGGDhocbo3HSYCIAdTG2EIaJardlRAW2S4 GeDeZ+6v1vwZBOz73OJkQA2F9/xBr2E8Hjl1C5tXsTmaai7Soq8gD5/qg6firjq1 P1uKMxERllxln2TT8dh1vUD67qIIHimEE3riZn5TxpFd1BZDhwV0fMmEUIdCikg5 KDBkYWhMBHjToo+j2PnO9N2tyshDurxyp/Pr8QIKXC9NwWStIwa0cBxCqyF8wjwX