[Bug 1640978] Re: [SRU] Backport letsencrypt 0.14.2
What are next steps here? Is the Zesty SRU ready to go? Does Robie (or someone else) need to make a python-certbot package for Xenial? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1640978 Title: [SRU] Backport letsencrypt 0.14.2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/1640978/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1640978] Re: [SRU] Backport letsencrypt 0.14.1
@racb the exception document looks good to me.
[Bug 1640978] Re: [SRU] Backport letsencrypt 0.14.1
Also, a more generic template for any future SRUs: https://docs.google.com/document/d/1oQOV_kw-gs0ZeNFLyd-nIzpsaoMW5zMLlooaQkoKnF0/edit
[Bug 1640978] Re: [SRU] Backport letsencrypt 0.14.1
The updated SRU request documentation is here: https://docs.google.com/document/d/1mhmBt6umfdWEqvvnc17ILl5xbW4xSLlFhEG85ZAUYhg/edit
[Bug 1640978] Re: [SRU] Backport letsencrypt 0.14.1
The Certbot team has had a couple of calls with rbasak to sort out progress on this.

Last week we met and concluded that we should SRU 0.14.1 because it's well-tested and has additional bugfixes, as well as creating a streamlined process for the Certbot team to get well-tested releases SRU'd quickly in the future. Rbasak took the task of preparing packages; he would work with Nish to get them reviewed and uploaded; Peter will write a draft/template SRU document for Certbot updates; and Brad will see if he can recruit a member of the upstream Certbot team to be more involved in Ubuntu packaging in the future.

This week, we met again. Rbasak had packages for us to test: https://launchpad.net/~racb/+archive/ubuntu/experimental/+packages ; he's going to ping Harlan and offer those to Debian experimental, as well as updating them to include a notice about the renewal cron job. We'll meet again in a week to coordinate the actual SRU.
[Bug 1640978] Re: [SRU] Backport letsencrypt 0.14.1
** Summary changed:

- [SRU] Backport letsencrypt 0.9.3
+ [SRU] Backport letsencrypt 0.14.1
[Bug 1640978] Re: [SRU] Backport letsencrypt 0.9.3
Apologies for the delay here :(

The Certbot locking patch turned out to be more subtle to implement correctly than we had expected, but we finalised a version and shipped it in Certbot 0.14.0 last week. The patch is here: https://github.com/certbot/certbot/pull/4449#issuecomment-299802507

Since that release, there have been around 200,000 certificates issued with Certbot 0.14.0. We have had one user report that the locking patch caused a problem for them; that user was intentionally running multiple Certbot instances in parallel for performance reasons. There are probably no great solutions for such users, since their current practices are subject to race conditions that might eventually cause corruption of cert files or even webserver configs.

My instinct is that we should apply the locking patch (perhaps augmenting the error message to explain that users who want to run multiple Certbots safely in parallel should supply --config-dir, --work-dir and --log-dir arguments to each instance), and ship Certbot 0.10.2 to Xenial users ASAP.
[Bug 1640978] Re: [SRU] Backport letsencrypt 0.9.3
Here's a slightly better link: https://github.com/certbot/certbot/pull/4369
[Bug 1640978] Re: [SRU] Backport letsencrypt 0.9.3
We have the mitigation in our git master tree (https://github.com/certbot/certbot/pull/4394/files) and are shipping it in an 0.12.1 release today to get field testing. Once that patch has been used to issue ~100K certs I'd be okay with it going into an SRU.
[Bug 1640978] Re: [SRU] Backport letsencrypt 0.9.3
Hi Chris! I think your todo list looks accurate. On the question of cron jobs, here are the answers as we understand them upstream:

What happens if the user runs two multiple cron jobs?

Answer 0: probably nothing. "certbot renew" is designed to be run as often as you like, and is normally a no-op.

Answer 1: with some small probability, the user might have two "certbot renew" commands that are executed at the same time. In that case, it would be fairly common for one or both of those to fail with an error, that would produce cron email. The baseline probability of this collision is about once per 5,000 cert renewals if the hour in the user's cron job is uniform-random, and one in 200 cert renewals if they picked the same two hours (noon and midnight) that are baked into Debian's cron job.

Answer 2: with some much smaller probability, two overlapping "certbot renew" commands could experience a race condition in writing cert lineage files in /etc/letsencrypt/archive, or symlinks in /etc/letsencrypt/live. These would cause a configuration problem (certs and privkeys don't match) about 75 - 80% of the time. I just measured this race condition window on an AWS tiny instance, and estimate that a cert writing race might happen about once every 36,000 cert renewals if the cron job hours line up, or once every 864,000 renewals if users have cron jobs at uniform-random hours. It is however possible that there are other race conditions in some of our plugins (apache, nginx) that are more likely to occur.

We have a few mitigation options:

Mitigation 0: write a patch to add locking to Certbot 0.10.2 / 0.10.3. This would add a new dependency on python-filelock, and we'd have to make a choice about how much field testing we want for this patch before SRUing it.

Mitigation 1: change the cron job, which picks random times in the hours after noon and midnight, to a systemd timer that runs at two uniform-random hours, or a cron job that has two hours that are less likely to be chosen by sys admins. We can probably use LE serverside data to pick the two least common hours.

Mitigation 2: study the plugin code to ensure that problematic race conditions are really as rare as we think. We could probably tolerate a temporary risk of failure that's one in a million cert renewals on the subset of systems which have two cron processes and where the admin ignored the notice about it -- hard disks fail faster than that.

I think the upstream team favours mitigation 0 :)
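The cert/privkey mismatch from Answer 2 and the locking approach of Mitigation 0, as an added illustration that is not part of the message above and is not Certbot's code. It uses the standard library's fcntl.flock in place of python-filelock (so it is POSIX-only); the lock file name, the two-step `renew_steps` generator and the file contents are constructed for the demonstration, and `separate_dirs` shows why instances given their own directories, as the later comment about --config-dir suggests, do not contend.

```python
"""Added illustration (not Certbot's code): overlapping renewals with and
without a per-directory lock. fcntl.flock stands in for python-filelock;
all names and file contents below are constructed for the example."""
import fcntl
import os
import tempfile


class RenewalLocked(Exception):
    """Another run already holds the lock for this directory."""


class DirLock:
    """Exclusive, non-blocking advisory lock on <directory>/.renew.lock
    (hypothetical file name). A second holder fails fast instead of waiting."""

    def __init__(self, directory):
        self.path = os.path.join(directory, ".renew.lock")
        self.fd = None

    def __enter__(self):
        fd = os.open(self.path, os.O_CREAT | os.O_RDWR, 0o600)
        try:
            # Each os.open() gives a separate open file description, so a
            # second attempt conflicts even from within the same process.
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            os.close(fd)
            raise RenewalLocked(self.path) from None
        self.fd = fd
        return self

    def __exit__(self, *exc):
        fcntl.flock(self.fd, fcntl.LOCK_UN)
        os.close(self.fd)
        self.fd = None
        return False


def renew_steps(lineage_dir, run_id):
    """One simulated renewal, split at the point between writing the
    certificate and writing the key so that two runs can be interleaved."""
    with open(os.path.join(lineage_dir, "cert.pem"), "w") as f:
        f.write("cert-from-run-" + run_id)
    yield
    with open(os.path.join(lineage_dir, "privkey.pem"), "w") as f:
        f.write("key-from-run-" + run_id)
    yield


def pair_matches(lineage_dir):
    """True if cert.pem and privkey.pem were written by the same run."""
    with open(os.path.join(lineage_dir, "cert.pem")) as f:
        cert_run = f.read().rsplit("-", 1)[1]
    with open(os.path.join(lineage_dir, "privkey.pem")) as f:
        key_run = f.read().rsplit("-", 1)[1]
    return cert_run == key_run


def unlocked_overlap(lineage_dir):
    """Two unlocked runs interleave: A cert, B cert, B key, A key."""
    a = renew_steps(lineage_dir, "A")
    b = renew_steps(lineage_dir, "B")
    next(a)
    next(b)
    next(b)
    next(a)
    return pair_matches(lineage_dir)


def locked_overlap(lineage_dir):
    """Run B starts while run A holds the lock and is refused outright."""
    refused = False
    with DirLock(lineage_dir):
        a = renew_steps(lineage_dir, "A")
        next(a)
        try:
            with DirLock(lineage_dir):
                for _ in renew_steps(lineage_dir, "B"):
                    pass
        except RenewalLocked:
            refused = True
        next(a)
    return refused, pair_matches(lineage_dir)


def separate_dirs(dir_a, dir_b):
    """Runs with their own directories hold their locks at the same time."""
    with DirLock(dir_a), DirLock(dir_b):
        return True


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d1:
        print("unlocked, pair matches:", unlocked_overlap(d1))
    with tempfile.TemporaryDirectory() as d2:
        print("locked (refused, pair matches):", locked_overlap(d2))
```

The refused run corresponds to the cron-mail error case of Answer 1: the second process exits with an error, but the files on disk stay a matching pair.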
[Bug 1640978] Re: [SRU] Backport letsencrypt 0.9.3
This has been stuck for a while, I suspect because it hasn't been clearly on anyone's plate :(. Let's fix that:

* Brad Warren on the Certbot team is going to construct a retrospective changelog.txt, and post a link here.
* RAOF should probably revise the packages to include that and the news file.
* Anything else?

Separately, this has taken so long that it might be advisable to switch to an 0.10.2 SRU, since that version is now well-tested, and is also the one that's frozen into Debian Stretch. Thoughts for and against? What extra steps would we need for an 0.10.2 SRU?
[Bug 1640978] Re: letsencrypt 0.4.1 contains numerous bugs fixed upstream
Harlan and the other Debian developers have git trees here: https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi?a=project_list;pf=letsencrypt

Maybe Chris should also get access to those repos?
[Bug 1640978] Re: letsencrypt 0.4.1 contains numerous bugs fixed upstream
That's great Chris!

We had some discussions yesterday about whether this has taken long enough that 0.10.x should be considered for the SRU instead. 0.10.1 has been in the field for 13 days; people found a couple of bugs in it, but they only affected new 0.10.x functionality rather than being regressions. 0.10.2 was released yesterday to fix those things and Harlan is working to get it into Debian in time to make the stretch freeze 11 days from now.

Our conclusion was the best thing to do is probably make the 0.9.3 SRU now, and start work on a 0.10.2+ SRU in around 3 weeks, once the 0.10.2 Debian packages have received some testing and we've had time to sweep for any final bugs.
[Bug 1640978] Re: letsencrypt 0.4.1 contains numerous bugs fixed upstream
I think it's my job to gently nudge whoever it is that's making the slightly tweaked packages here, but I'm not sure whether it should be Chris or Harlan... if all else is equal perhaps it should be Chris, since we also have a new 0.10.1 release that needs to be packaged for sid and that would be in Harlan's wheelhouse.
[Bug 1640978] Re: letsencrypt 0.4.1 contains numerous bugs fixed upstream
* nod. We haven't changed any of the preexisting API calls or semantics, so even unpackaged clients should be fine.
[Bug 1640978] Re: letsencrypt 0.4.1 contains numerous bugs fixed upstream
The changes in python-acme were comparatively minor. A few bugs were fixed; one new feature was added to the API (support for DNS-01 challenges); some protocol messages were removed (because they were believed to have security problems, were never used by Let's Encrypt, and were removed from the IETF ACME draft).

None of those changes should negatively impact non-Certbot ACME clients that use python-acme. It also does not appear that any of those ACME clients are packaged in Debian unstable:

apt-cache rdepends python-acme
python-acme
Reverse Depends:
  python-certbot
  python-certbot-nginx
  python-certbot-apache
[Bug 1640978] Re: letsencrypt 0.4.1 contains numerous bugs fixed upstream
I don't think so. We would want 0.10.0 to have at least several weeks of field testing before stable distributions include it as an update, and any regressions in that release would mean we do 0.10.x bugfix releases that would stretch the timeline further.
[Bug 1640978] Re: letsencrypt 0.4.1 contains numerous bugs fixed upstream
.format(*x), sorry :)
[Bug 1640978] Re: letsencrypt 0.4.1 contains numerous bugs fixed upstream
>>> import random
>>> x = ["RAOF", "rbasak"]
>>> random.shuffle(x)
>>> print "{0} should upload and {1} should review".format(x)
RAOF should upload and rbasak should review
[Bug 1640978] Re: letsencrypt 0.4.1 contains numerous bugs fixed upstream
> Does this mean that users who currently won't get auto-renewed will
> start getting auto-renewed after this proposed update? If so, will that
> also include users who currently have expired (languishing) old
> certificates?

Yes. Each certificate (or more precisely, each lineage of certificates, where a lineage is a series of certificates that replace each other with new validity dates and possibly new domains added) gets a renewal configuration file in /etc/letsencrypt/renewal/ ; the "certbot renew" command walks through those and tries to renew any that are within 30 days of expiry. The Debian packages run that task twice a day out of the box.

I think we've concluded that we'll add a note-upon-installation telling the sys admin that that's going to start happening, and point to where it can be turned off or tweaked.
[Bug 1640978] Re: letsencrypt 0.4.1 contains numerous bugs fixed upstream
@hlieberman My understanding is that the package name change shouldn't affect any workflows, because "sudo apt-get install letsencrypt" will still work and the "letsencrypt" command will still work. Anything I might have missed?
[Bug 1640978] Re: letsencrypt 0.4.1 contains numerous bugs fixed upstream
* "a compatible but less buggy"

I should also note that most of our users have been running the certbot-auto script which automatically upgrades them to the latest release of Certbot as soon as it's public, so the odds of us getting bug reports about workflow changes is fairly high.
[Bug 1640978] Re: letsencrypt 0.4.1 contains numerous bugs fixed upstream
On IRC, rbasak asked:

From an SRU review perspective, what I most want spelled out is the exact list of any behaviour changes you expect Xenial users to receive, and your confirmation that you don't believe that there are any other changes. Your word as upstream carries a great deal of weight on this. What you've written is great and sounds like it covers most of this already - it's just a clear summary of what the final upload to Xenial will do is what I feel is missing - though of course I know you haven't finalised that yet.

Debian's certbot 0.9.3 packages are a close approximation to what we expect users to get. They Provide: and Replace: letsencrypt, and include aliases for all previous "letsencrypt" commands. With the exception of the two (an auto-renewal cron job and slightly different log rotation) points noted above, we believe that the functionality and workflows supported by certbot 0.9.3 should be an but less buggy, super-set of the functionality and workflows supported by letsencrypt 0.4.1.
[Bug 1610030] Re: certbot improperly encodes CSRs
Sorry Launchpad #1640978 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1610030 Title: certbot improperly encodes CSRs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1610030/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1610030] Re: certbot improperly encodes CSRs
(Third time lucky)

This CSR bug was actually fixed in letsencrypt 0.4.1, so it isn't live in Xenial. However there are numerous other bugs that would warrant an SRU, as documented here: https://bugs.launchpad.net/ubuntu/+source/python-letsencrypt/+bug/1640978
[Bug 1610030] Re: certbot improperly encodes CSRs
This CSR bug was actually fixed in letsencrypt 0.4.1, so it isn't live in Xenial. However there are numerous other bugs that would warrant an SRU, as documented here: #1640978
[Bug 1634001] Re: Unable to launch letsencrypt process due to missing SSLv3
You have a buggy version of urllib3 installed in /usr/local/lib. See https://github.com/certbot/certbot/issues/3346 ** Bug watch added: github.com/certbot/certbot/issues #3346 https://github.com/certbot/certbot/issues/3346 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634001 Title: Unable to launch letsencrypt process due to missing SSLv3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-letsencrypt/+bug/1634001/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1640978] Re: letsencrypt 0.4.1 contains numerous bugs fixed upstream
Also fixes: Launchpad bug #1608214
[Bug 1640978] [NEW] letsencrypt 0.4.1 contains numerous bugs fixed upstream
Public bug reported:

This bug contains a list of known major and other issues fixed between upstream letsencrypt 0.4.1 and the latest version, certbot 0.9.3 (the project has also been renamed to avoid confusion between the python client software and the Let's Encrypt CA service).

[Impact]

MAJOR BUGS FIXED

https://github.com/certbot/certbot/issues/2750
letsencrypt < 0.5.0 was not compatible with future configuration files, so users who run certbot-auto then downgrade to the Xenial packages will encounter errors.

https://github.com/certbot/certbot/issues/2709
Failure to remember choices of authenticator plugins for renewal operation. This would essentially make "letsencrypt renew" useless on Xenial.

Numerous less severe automated renewal-related bugs fixed in subsequent releases:
https://github.com/certbot/certbot/issues?utf8=%E2%9C%93=is%3Aissue%20milestone%3A0.5.0%20is%3Aclosed%20label%3Arenewal%20
https://github.com/certbot/certbot/issues?q=is%3Aissue+milestone%3A0.7.0+is%3Aclosed+label%3Arenewal
https://github.com/certbot/certbot/issues?utf8=%E2%9C%93=is%3Aissue%20milestone%3A0.6.0%20is%3Aclosed%20label%3Arenewal%20
https://github.com/certbot/certbot/issues?utf8=%E2%9C%93=is%3Aissue%20milestone%3A0.8.1%20is%3Aclosed%20label%3Arenewal%20
https://github.com/certbot/certbot/issues?utf8=%E2%9C%93=is%3Aissue%20milestone%3A0.9.0%20is%3Aclosed%20label%3Arenewal%20

https://github.com/certbot/certbot/issues/2613
Failure to handle IPv6 Virtual hosts in Apache configurations

https://github.com/certbot/certbot/issues/2320
Erroneous behaviour with Apache configs that have multiple vhosts in a single file (these are still not supported for cert installation in 0.9.3, but at least produce clear error messages)

https://github.com/certbot/certbot/issues/2768
Incompatibility with the specified version of the ACME protocol, preventing the Let's Encrypt serverside code from following it correctly

https://github.com/certbot/certbot/issues/2731
Failure to parse Plesk's apache config files

https://github.com/certbot/certbot/issues/1243
Apache plugin errors out when transformations to a configuration turn out to be a no-op.

https://github.com/certbot/certbot/issues/3210
Incorrect handling of RewriteCond directives when trying to avoid Apache infinite redirect loops

https://github.com/certbot/certbot/issues/1833
Problems running Apache renewal in cron due to cron's default PATH

UX: fail to re-ask for email address if the first one seems invalid:
https://github.com/certbot/certbot/issues/2675

UX: when re-running is a NOOP (due to renewal not being needed yet), print an explanation:
https://github.com/certbot/certbot/issues/1918

OTHER BUGS FIXED

Reduce the risk of incorrect or corrupt state in case of control-C interrupts:
https://github.com/certbot/certbot/issues/3219

Failure to correctly parse certain rewrite directives in Apache configs:
https://github.com/certbot/certbot/issues/2735

Failure to correctly enable HTTP -> HTTPS redirects in some Apache configs:
https://github.com/certbot/certbot/issues/3003

Failure to provide a sensible error if the user requests a Unicode domain: (support for those is being added in 0.10.0)
https://github.com/certbot/certbot/issues/2661

Directory deletion permission errors are fatal when using the webroot plugin for non-root users (but shouldn't be):
https://github.com/certbot/certbot/issues/2678

UX: provide helpful guidance for people who want to run Certbot as a non-root user:
https://github.com/certbot/certbot/issues/2306

SIGNIFICANT NEW FEATURES WARRANTING AN SRU:

Support --quiet / -q
https://github.com/certbot/certbot/issues/2512

User interface for requesting certificates for multiple domain names with the webroot plugin:
https://github.com/certbot/certbot/issues/1393

Support for DNS based authentication:
https://github.com/certbot/certbot/issues/1826

[Test Case]

All or almost all of the pull requests for the bugs above include unit test coverage. Some also include integration or compatibility test coverage.

[Regression Potential]

The Certbot team has viewed breakage of existing workflows (especially ones that may be automated) as a serious issue, has strived to avoid them, and has treated workflow changes as regressions where it has occurred.

We have the following test suites in place for Certbot:

* Nosetest unit tests with coverage for each module between 97% and 100%; *test.py in the relevant tree.
* Integration tests that run Certbot against the current copy of Let's Encrypt's serverside boulder codebase. These require docker and are a little more involved to run. See tests/boulder_integration.sh for instructions.
* "Compatibility tests" that run the Apache and Nginx plugins against corpora of configuration files for those webservers; these live in certbot-compatibility-test/
* Test farm tests, which we use to check that our releases run correctly on a wide range of platforms. These spin up Amazon EC2 instances for numerous OSes
[Bug 1638268] Re: certbot-auto claims parse error in apache config, but doesn't tell me which line
Hi! Could you please file a bug with us upstream (https://github.com/certbot/certbot/issues) and include a copy of the configuration file within which you're getting the error? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1638268 Title: certbot-auto claims parse error in apache config, but doesn't tell me which line To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1638268/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1610030] Re: certbot improperly encodes CSRs
The underlying upstream issue was: https://github.com/certbot/certbot/pull/2529

However we would strongly, strongly recommend updating Certbot users to 0.8.1-2 rather than leaving them with a letsencrypt 0.4.1. There are plenty of serious issues that have been fixed in between. The full list of issues resolved between 0.4.1 and 0.8.1-2 is the combination of all of these lists:

https://github.com/certbot/certbot/issues?q=is%3Aissue+milestone%3A0.4.2+is%3Aclosed
https://github.com/certbot/certbot/issues?q=is%3Aissue%20is%3Aclosed%20milestone%3A0.5.0
https://github.com/certbot/certbot/issues?q=is%3Aissue%20is%3Aclosed%20milestone%3A0.6.0
https://github.com/certbot/certbot/issues?q=is%3Aissue%20is%3Aclosed%20milestone%3A0.7.0
https://github.com/certbot/certbot/issues?q=is%3Aissue%20is%3Aclosed%20milestone%3A0.8.0
https://github.com/certbot/certbot/issues?q=is%3Aissue%20is%3Aclosed%20milestone%3A0.8.1

0.8.1-2 has been in the field for over a month, and we believe it is stable and working well for users.
[Bug 1535101] Re: Please remove python-letsencrypt and python-letsencrypt-apache from the archive.
Hi Thomas,

I'm the upstream lead dev on the python client. We have been working closely with the Debian developers who are packaging our releases. Our current view is that it would be appropriate to package version 0.4.0 or higher of the let's encrypt python client for an LTS release, and a mistake to remove it from xenial.

Although it's true that rapid development is continuing, the client has reached a point of solid beta stability and has in fact already issued around 150,000 certs to Ubuntu 14.04 users in particular (!) We believe that the experience those users would get from native OS packages is much, much better than the one available from the "letsencrypt-auto" script which we have deployed as a crude stand-in for native packages.

There will certainly be many updates to the client through the course of the xenial support window, and our preference would therefore be for Ubuntu to occasionally ship our releases as xenial updates (after an appropriate amount of field testing, of course). But if we had to live with providing security fixes to 0.4.0 or a similar release for the long term, we could even do that too.

-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1535101 Title: Please remove python-letsencrypt and python-letsencrypt-apache from the archive. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-letsencrypt/+bug/1535101/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1275982] [NEW] unity integration breaks some addons
Public bug reported:

Install an addon that has its own windows with their own XUL menus. I encountered this problem with the Javascript Debugger extension (AKA venkman).

Once you install the Javascript debugger, its window can be opened with Tools-JavaScript Debugger. But that window itself has a menu bar that contains essential functionality. In Unity, the menu bar fails to render correctly in the Unity-wide menubar.

For me this makes extension development work impossible under Unity (!!!). Disabling the Firefox unity integration addon and/or manually running another window manager (eg icewm) doesn't seem to help, either :(.

** Affects: firefox (Ubuntu)
   Importance: Undecided
   Status: New

-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1275982 Title: unity integration breaks some addons To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1275982/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs