Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock

Dear RT,

please consider unblocking this revision of dehydrated.
I cherry-picked a few patches from upstream, fixing bugs in a few corner cases, plus doc updates.

Full debdiff attached.

unblock dehydrated/0.6.2-2

-- 
regards,
    Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540        .''`.
more about me: https://mapreri.org                                : :'  :
Launchpad user: https://launchpad.net/~mapreri                    `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia   `-

diffstat for dehydrated-0.6.2 dehydrated-0.6.2 changelog | 14 +++ control | 2 patches/Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch | 34 +++++++ patches/Only-match-Replace-Nonce-header-at-beginning-of-line.patch | 24 +++++ patches/document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch | 25 +++++ patches/fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch | 22 +++++ patches/implement-POST-as-GET-closes-626.patch | 43 ++++++++++ patches/series | 6 + patches/tiny-documentation-fix-per-certificate-config-can-overrid.patch | 21 ++++ 9 files changed, 190 insertions(+), 1 deletion(-) diff -Nru dehydrated-0.6.2/debian/changelog dehydrated-0.6.2/debian/changelog --- dehydrated-0.6.2/debian/changelog 2018-05-08 12:14:45.000000000 +0200 +++ dehydrated-0.6.2/debian/changelog 2019-03-11 16:25:53.000000000 +0100 @@ -1,3 +1,17 @@ +dehydrated (0.6.2-2) unstable; urgency=medium + + * Add a number of patches from upstream. + Fixing the following bugs: + + HTTP/2 support, where header names are lowercase + + Avoid over matching, checking for the Replay-Nonce header only at BOL + + A bug causing deletion of domains.txt when incorrect parameters are used + + Document the DOMAINS_D config option + + Impoent POST-as-GET, for the upcoming change in LE's API + + Document PRIVATE_KEY_ROLLOVER per-cert config option + * d/control: bump Standards-Version to 4.3.0, no changes needed. + + -- Mattia Rizzolo <mat...@debian.org> Mon, 11 Mar 2019 16:25:53 +0100 + dehydrated (0.6.2-1) unstable; urgency=medium * New upstream release 0.6.2. diff -Nru dehydrated-0.6.2/debian/control dehydrated-0.6.2/debian/control --- dehydrated-0.6.2/debian/control 2018-05-08 12:10:08.000000000 +0200 +++ dehydrated-0.6.2/debian/control 2019-03-11 16:25:53.000000000 +0100 
@@ -10,7 +10,7 @@ debhelper (>= 11), dh-apache2, dh-exec, -Standards-Version: 4.1.4 +Standards-Version: 4.3.0 Rules-Requires-Root: no Vcs-Git: https://salsa.debian.org/letsencrypt-team/dehydrated.git Vcs-Browser: https://salsa.debian.org/letsencrypt-team/dehydrated diff -Nru dehydrated-0.6.2/debian/patches/document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch dehydrated-0.6.2/debian/patches/document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch --- dehydrated-0.6.2/debian/patches/document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch 1970-01-01 01:00:00.000000000 +0100 +++ dehydrated-0.6.2/debian/patches/document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch 2019-03-11 16:21:33.000000000 +0100 
@@ -0,0 +1,25 @@ +From: Lukas Schauer <lu...@schauer.so> +Date: Sat, 20 Oct 2018 13:05:20 +0200 +Subject: document DOMAINS_D parameter in example config (fixes #575, + closes #582) + +--- + docs/examples/config | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/docs/examples/config b/docs/examples/config +index 665704d..c1f9276 100644 +--- a/docs/examples/config ++++ b/docs/examples/config +@@ -40,6 +40,11 @@ + # default: <unset> + #CONFIG_D= + ++# Directory for per-domain configuration files. ++# If not set, per-domain configurations are sourced from each certificates output directory. ++# default: <unset> ++#DOMAINS_D= ++ + # Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined) + #BASEDIR=$SCRIPTDIR + diff -Nru dehydrated-0.6.2/debian/patches/fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch dehydrated-0.6.2/debian/patches/fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch --- dehydrated-0.6.2/debian/patches/fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch 1970-01-01 01:00:00.000000000 +0100 +++ dehydrated-0.6.2/debian/patches/fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch 2019-03-11 16:21:33.000000000 +0100 
@@ -0,0 +1,22 @@ +From: Lukas Schauer <lu...@schauer.so> +Date: Sat, 20 Oct 2018 12:27:23 +0200 +Subject: fixed a bug that resulted in a deleted domains.txt when using + incorrect parameters in combination with signcsr (fixes #597) + +--- + dehydrated | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/dehydrated b/dehydrated +index c27706a..2cefc6d 100755 +--- a/dehydrated ++++ b/dehydrated +@@ -557,7 +557,7 @@ http_request() { + rm -f "${tempheaders}" + + # remove temporary domains.txt file if used +- [[ -n "${PARAM_DOMAIN:-}" && -n "${DOMAINS_TXT:-}" ]] && rm "${DOMAINS_TXT}" ++ [[ "${COMMAND:-}" = "sign_domains" && -n "${PARAM_DOMAIN:-}" && -n "${DOMAINS_TXT:-}" ]] && rm "${DOMAINS_TXT}" + exit 1 + fi + fi diff -Nru dehydrated-0.6.2/debian/patches/Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch dehydrated-0.6.2/debian/patches/Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch --- dehydrated-0.6.2/debian/patches/Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch 1970-01-01 01:00:00.000000000 +0100 +++ dehydrated-0.6.2/debian/patches/Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch 2019-03-11 16:21:33.000000000 +0100 
@@ -0,0 +1,34 @@ +From: Florent <> +Date: Wed, 9 May 2018 19:29:21 +0200 +Subject: Fixes #559 : when HTTP/2 is used, + header names are lower case. So adding ignore case option (-i) to grep's. + +--- + dehydrated | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/dehydrated b/dehydrated +index adc3dca..ba0f5a0 100755 +--- a/dehydrated ++++ b/dehydrated +@@ -407,7 +407,7 @@ init_system() { + if [[ ${API} -eq 1 ]]; then + _exiterr "This is not implemented for ACMEv1! Consider switching to ACMEv2 :)" + else +- ACCOUNT_URL="$(signed_request "${CA_NEW_ACCOUNT}" '{"onlyReturnExisting": true}' 4>&1 | grep ^Location: | awk '{print $2}' | tr -d '\r\n')" ++ ACCOUNT_URL="$(signed_request "${CA_NEW_ACCOUNT}" '{"onlyReturnExisting": true}' 4>&1 | grep -i ^Location: | awk '{print $2}' | tr -d '\r\n')" + ACCOUNT_INFO="$(signed_request "${ACCOUNT_URL}" '{}')" + fi + ACCOUNT_ID="${ACCOUNT_URL##*/}" +@@ -577,9 +577,9 @@ signed_request() { + + # Retrieve nonce from acme-server + if [[ ${API} -eq 1 ]]; then +- nonce="$(http_request head "${CA}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')" ++ nonce="$(http_request head "${CA}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')" + else +- nonce="$(http_request head "${CA_NEW_NONCE}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')" ++ nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')" + fi + + # Build header with just our public key and algorithm information diff -Nru dehydrated-0.6.2/debian/patches/implement-POST-as-GET-closes-626.patch dehydrated-0.6.2/debian/patches/implement-POST-as-GET-closes-626.patch --- dehydrated-0.6.2/debian/patches/implement-POST-as-GET-closes-626.patch 1970-01-01 01:00:00.000000000 +0100 +++ dehydrated-0.6.2/debian/patches/implement-POST-as-GET-closes-626.patch 2019-03-11 16:21:33.000000000 +0100 
@@ -0,0 +1,43 @@ +From: Lukas Schauer <lu...@schauer.so> +Date: Sun, 3 Mar 2019 19:58:04 +0100 +Subject: implement POST-as-GET (closes #626) + +--- + dehydrated | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/dehydrated b/dehydrated +index 2cefc6d..69057e7 100755 +--- a/dehydrated ++++ b/dehydrated +@@ -705,7 +705,7 @@ sign_csr() { + for authorization in ${authorizations[*]}; do + if [[ "${API}" -eq 2 ]]; then + # Receive authorization ($authorization is authz uri) +- response="$(http_request get "$(echo "${authorization}" | _sed -e 's/\"(.*)".*/\1/')" | clean_json)" ++ response="$(signed_request "$(echo "${authorization}" | _sed -e 's/\"(.*)".*/\1/')" "" | clean_json)" + identifier="$(echo "${response}" | get_json_dict_value identifier | get_json_string_value value)" + echo " + Handling authorization for ${identifier}" + else +@@ -793,7 +793,11 @@ sign_csr() { + + while [[ "${reqstatus}" = "pending" ]]; do + sleep 1 +- result="$(http_request get "${challenge_uris[${idx}]}")" ++ if [[ "${API}" -eq 2 ]]; then ++ result="$(signed_request "${challenge_uris[${idx}]}" "")" ++ else ++ result="$(http_request get "${challenge_uris[${idx}]}")" ++ fi + reqstatus="$(printf '%s\n' "${result}" | get_json_string_value status)" + done + +@@ -838,7 +842,7 @@ sign_csr() { + crt="$( printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" )" + else + result="$(signed_request "${finalize}" '{"csr": "'"${csr64}"'"}' | clean_json | get_json_string_value certificate)" +- crt="$(http_request get "${result}")" ++ crt="$(signed_request "${result}" "")" + fi + + # Try to load the certificate to detect corruption diff -Nru dehydrated-0.6.2/debian/patches/Only-match-Replace-Nonce-header-at-beginning-of-line.patch dehydrated-0.6.2/debian/patches/Only-match-Replace-Nonce-header-at-beginning-of-line.patch --- dehydrated-0.6.2/debian/patches/Only-match-Replace-Nonce-header-at-beginning-of-line.patch 1970-01-01 01:00:00.000000000 +0100 
+++ dehydrated-0.6.2/debian/patches/Only-match-Replace-Nonce-header-at-beginning-of-line.patch 2019-03-11 16:21:33.000000000 +0100 @@ -0,0 +1,24 @@ +From: Lukas Schauer <lu...@schauer.so> +Date: Wed, 9 May 2018 21:01:57 +0200 +Subject: Only match Replace-Nonce header at beginning of line + +--- + dehydrated | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/dehydrated b/dehydrated +index ba0f5a0..c27706a 100755 +--- a/dehydrated ++++ b/dehydrated +@@ -577,9 +577,9 @@ signed_request() { + + # Retrieve nonce from acme-server + if [[ ${API} -eq 1 ]]; then +- nonce="$(http_request head "${CA}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')" ++ nonce="$(http_request head "${CA}" | grep -i ^Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')" + else +- nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')" ++ nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i ^Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')" + fi + + # Build header with just our public key and algorithm information diff -Nru dehydrated-0.6.2/debian/patches/series dehydrated-0.6.2/debian/patches/series --- dehydrated-0.6.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ dehydrated-0.6.2/debian/patches/series 2019-03-11 16:21:33.000000000 +0100 
@@ -0,0 +1,6 @@ +Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch +Only-match-Replace-Nonce-header-at-beginning-of-line.patch +fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch +document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch +implement-POST-as-GET-closes-626.patch +tiny-documentation-fix-per-certificate-config-can-overrid.patch diff -Nru dehydrated-0.6.2/debian/patches/tiny-documentation-fix-per-certificate-config-can-overrid.patch dehydrated-0.6.2/debian/patches/tiny-documentation-fix-per-certificate-config-can-overrid.patch --- dehydrated-0.6.2/debian/patches/tiny-documentation-fix-per-certificate-config-can-overrid.patch 1970-01-01 01:00:00.000000000 +0100 +++ dehydrated-0.6.2/debian/patches/tiny-documentation-fix-per-certificate-config-can-overrid.patch 2019-03-11 16:21:33.000000000 +0100 @@ -0,0 +1,21 @@ +From: Lukas Schauer <lu...@schauer.so> +Date: Sun, 3 Mar 2019 20:38:38 +0100 +Subject: tiny documentation fix: per-certificate-config can override + PRIVATE_KEY_ROLLOVER (closes #614) + +--- + docs/per-certificate-config.md | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/docs/per-certificate-config.md b/docs/per-certificate-config.md +index da88838..457a41a 100644 +--- a/docs/per-certificate-config.md ++++ b/docs/per-certificate-config.md +@@ -7,6 +7,7 @@ To use this feature create a `config` file in the certificates output directory + Currently supported options: + + - PRIVATE_KEY_RENEW ++- PRIVATE_KEY_ROLLOVER + - KEY_ALGO + - KEYSIZE + - OCSP_MUST_STAPLE
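Review bot: In the debian/changelog hunk, the entry "+ Impoent POST-as-GET, for the upcoming change in LE's API" has a typo and should read "Implement POST-as-GET". The list is also introduced with "Fixing the following bugs:" although three of its items are documentation updates or a new feature, so splitting it into fixes and other changes would describe the upload more accurately.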
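Review bot: In the http_request() hunk of fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch, the rm is still decided by inference. The new test "${COMMAND:-}" = "sign_domains" combined with PARAM_DOMAIN being set is taken to mean that DOMAINS_TXT is the temporary file, but nothing in the condition records that the script itself created it. Setting a dedicated flag at the point where the temporary file is created, and testing only that flag here, would keep a user's own domains.txt safe if another code path later combines these variables.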
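Review bot: In the signed_request() hunk of Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch, the nonce value is still extracted with awk -F ': ', which needs a colon followed by a space. A header sent as replay-nonce:value would leave nonce empty, and the visible context goes straight on to "# Build header ..." without checking it. Consider splitting on the first colon and trimming whitespace, and failing early when nonce is empty. The Location: match in the init_system() hunk depends on whitespace in the same way through awk '{print $2}'.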
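Review bot: In Only-match-Replace-Nonce-header-at-beginning-of-line.patch, the subject and file name say "Replace-Nonce" while the code matches Replay-Nonce, which is worth a remark in the Debian patch header so that searches for the header name find it. In the hunk itself the pattern ^Replay-Nonce: is unquoted, and if more than one line of the response matches, tr -d '\n\r' joins the values into a single string. Quoting the pattern and keeping only one match (for example with grep -m1) would make the extraction stricter.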
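Review bot: In the second sign_csr() hunk of implement-POST-as-GET-closes-626.patch, the while [[ "${reqstatus}" = "pending" ]] loop has no upper bound, and for API 2 each pass is now a signed_request, which according to the signed_request() hunks fetches a nonce with a HEAD request first, so every one-second poll costs two requests. A maximum number of attempts or a growing sleep would be worth adding. Across all three hunks the empty string passed as the second argument is what marks POST-as-GET; a short comment at signed_request or a small named wrapper would make that intent visible to the next reader.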