Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock

Dear RT,

Please consider unblocking this revision of dehydrated.
I cherry-picked a few patches from upstream that fix bugs in a few corner
cases, plus documentation updates.

Full debdiff attached.

unblock dehydrated/0.6.2-2

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
diffstat for dehydrated-0.6.2 dehydrated-0.6.2

 changelog                                                               |   14 +++
 control                                                                 |    2 
 patches/Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch |   34 +++++++
 patches/Only-match-Replace-Nonce-header-at-beginning-of-line.patch      |   24 +++++
 patches/document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch |   25 +++++
 patches/fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch |   22 +++++
 patches/implement-POST-as-GET-closes-626.patch                          |   43 ++++++++++
 patches/series                                                          |    6 +
 patches/tiny-documentation-fix-per-certificate-config-can-overrid.patch |   21 ++++
 9 files changed, 190 insertions(+), 1 deletion(-)

diff -Nru dehydrated-0.6.2/debian/changelog dehydrated-0.6.2/debian/changelog
--- dehydrated-0.6.2/debian/changelog	2018-05-08 12:14:45.000000000 +0200
+++ dehydrated-0.6.2/debian/changelog	2019-03-11 16:25:53.000000000 +0100
@@ -1,3 +1,17 @@
+dehydrated (0.6.2-2) unstable; urgency=medium
+
+  * Add a number of patches from upstream.
+    Fixing the following bugs:
+     + HTTP/2 support, where header names are lowercase
+     + Avoid over matching, checking for the Replay-Nonce header only at BOL
+     + A bug causing deletion of domains.txt when incorrect parameters are used
+     + Document the DOMAINS_D config option
+     + Impoent POST-as-GET, for the upcoming change in LE's API
+     + Document PRIVATE_KEY_ROLLOVER per-cert config option
+  * d/control: bump Standards-Version to 4.3.0, no changes needed.
+
+ -- Mattia Rizzolo <mat...@debian.org>  Mon, 11 Mar 2019 16:25:53 +0100
+
 dehydrated (0.6.2-1) unstable; urgency=medium
 
   * New upstream release 0.6.2.
diff -Nru dehydrated-0.6.2/debian/control dehydrated-0.6.2/debian/control
--- dehydrated-0.6.2/debian/control	2018-05-08 12:10:08.000000000 +0200
+++ dehydrated-0.6.2/debian/control	2019-03-11 16:25:53.000000000 +0100
@@ -10,7 +10,7 @@
  debhelper (>= 11),
  dh-apache2,
  dh-exec,
-Standards-Version: 4.1.4
+Standards-Version: 4.3.0
 Rules-Requires-Root: no
 Vcs-Git: https://salsa.debian.org/letsencrypt-team/dehydrated.git
 Vcs-Browser: https://salsa.debian.org/letsencrypt-team/dehydrated
diff -Nru dehydrated-0.6.2/debian/patches/document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch dehydrated-0.6.2/debian/patches/document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch
--- dehydrated-0.6.2/debian/patches/document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch	1970-01-01 01:00:00.000000000 +0100
+++ dehydrated-0.6.2/debian/patches/document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch	2019-03-11 16:21:33.000000000 +0100
@@ -0,0 +1,25 @@
+From: Lukas Schauer <lu...@schauer.so>
+Date: Sat, 20 Oct 2018 13:05:20 +0200
+Subject: document DOMAINS_D parameter in example config (fixes #575,
+ closes #582)
+
+---
+ docs/examples/config | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/docs/examples/config b/docs/examples/config
+index 665704d..c1f9276 100644
+--- a/docs/examples/config
++++ b/docs/examples/config
+@@ -40,6 +40,11 @@
+ # default: <unset>
+ #CONFIG_D=
+ 
++# Directory for per-domain configuration files.
++# If not set, per-domain configurations are sourced from each certificates output directory.
++# default: <unset>
++#DOMAINS_D=
++
+ # Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
+ #BASEDIR=$SCRIPTDIR
+ 
diff -Nru dehydrated-0.6.2/debian/patches/fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch dehydrated-0.6.2/debian/patches/fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch
--- dehydrated-0.6.2/debian/patches/fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch	1970-01-01 01:00:00.000000000 +0100
+++ dehydrated-0.6.2/debian/patches/fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch	2019-03-11 16:21:33.000000000 +0100
@@ -0,0 +1,22 @@
+From: Lukas Schauer <lu...@schauer.so>
+Date: Sat, 20 Oct 2018 12:27:23 +0200
+Subject: fixed a bug that resulted in a deleted domains.txt when using
+ incorrect parameters in combination with signcsr (fixes #597)
+
+---
+ dehydrated | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dehydrated b/dehydrated
+index c27706a..2cefc6d 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -557,7 +557,7 @@ http_request() {
+       rm -f "${tempheaders}"
+ 
+       # remove temporary domains.txt file if used
+-      [[ -n "${PARAM_DOMAIN:-}" && -n "${DOMAINS_TXT:-}" ]] && rm "${DOMAINS_TXT}"
++      [[ "${COMMAND:-}" = "sign_domains" && -n "${PARAM_DOMAIN:-}" && -n "${DOMAINS_TXT:-}" ]] && rm "${DOMAINS_TXT}"
+       exit 1
+     fi
+   fi
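Review bot: The guard on the `rm "${DOMAINS_TXT}"` line still infers that DOMAINS_TXT is a temporary file, now from `COMMAND` being `sign_domains` plus `PARAM_DOMAIN` being set, rather than from a record that the file was created as a temp file. Any command that later accepts a domain parameter would have to repeat this condition or risk deleting the user's real domains.txt again. Setting a new flag where the temporary file is created (that code is outside the hunk) and testing it here, for example `[[ -n "${DOMAINS_TXT_IS_TEMP:-}" ]] && rm -f -- "${DOMAINS_TXT}"` with a flag name of your choosing, would tie the deletion to the file's origin. http_request's body starts and ends outside the hunk.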
diff -Nru dehydrated-0.6.2/debian/patches/Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch dehydrated-0.6.2/debian/patches/Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch
--- dehydrated-0.6.2/debian/patches/Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch	1970-01-01 01:00:00.000000000 +0100
+++ dehydrated-0.6.2/debian/patches/Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch	2019-03-11 16:21:33.000000000 +0100
@@ -0,0 +1,34 @@
+From: Florent <>
+Date: Wed, 9 May 2018 19:29:21 +0200
+Subject: Fixes #559 : when HTTP/2 is used,
+ header names are lower case. So adding ignore case option (-i) to grep's.
+
+---
+ dehydrated | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dehydrated b/dehydrated
+index adc3dca..ba0f5a0 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -407,7 +407,7 @@ init_system() {
+     if [[ ${API} -eq 1 ]]; then
+       _exiterr "This is not implemented for ACMEv1! Consider switching to ACMEv2 :)"
+     else
+-      ACCOUNT_URL="$(signed_request "${CA_NEW_ACCOUNT}" '{"onlyReturnExisting": true}' 4>&1 | grep ^Location: | awk '{print $2}' | tr -d '\r\n')"
++      ACCOUNT_URL="$(signed_request "${CA_NEW_ACCOUNT}" '{"onlyReturnExisting": true}' 4>&1 | grep -i ^Location: | awk '{print $2}' | tr -d '\r\n')"
+       ACCOUNT_INFO="$(signed_request "${ACCOUNT_URL}" '{}')"
+     fi
+     ACCOUNT_ID="${ACCOUNT_URL##*/}"
+@@ -577,9 +577,9 @@ signed_request() {
+ 
+   # Retrieve nonce from acme-server
+   if [[ ${API} -eq 1 ]]; then
+-    nonce="$(http_request head "${CA}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
++    nonce="$(http_request head "${CA}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+   else
+-    nonce="$(http_request head "${CA_NEW_NONCE}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
++    nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+   fi
+ 
+   # Build header with just our public key and algorithm information
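Review bot: `ACCOUNT_URL` in init_system is consumed on the very next line without checking that the `grep -i ^Location:` pipeline matched anything, so a response without a Location header leads to `signed_request` being called with an empty URL and `ACCOUNT_ID` being derived from an empty string. A guard between the two assignments, such as `[[ -n "${ACCOUNT_URL}" ]] || _exiterr "Account lookup returned no Location header"`, would stop with a clear message instead. Both init_system and signed_request extend beyond the hunks shown, so an existing check further down cannot be ruled out from here.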
diff -Nru dehydrated-0.6.2/debian/patches/implement-POST-as-GET-closes-626.patch dehydrated-0.6.2/debian/patches/implement-POST-as-GET-closes-626.patch
--- dehydrated-0.6.2/debian/patches/implement-POST-as-GET-closes-626.patch	1970-01-01 01:00:00.000000000 +0100
+++ dehydrated-0.6.2/debian/patches/implement-POST-as-GET-closes-626.patch	2019-03-11 16:21:33.000000000 +0100
@@ -0,0 +1,43 @@
+From: Lukas Schauer <lu...@schauer.so>
+Date: Sun, 3 Mar 2019 19:58:04 +0100
+Subject: implement POST-as-GET (closes #626)
+
+---
+ dehydrated | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/dehydrated b/dehydrated
+index 2cefc6d..69057e7 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -705,7 +705,7 @@ sign_csr() {
+   for authorization in ${authorizations[*]}; do
+     if [[ "${API}" -eq 2 ]]; then
+       # Receive authorization ($authorization is authz uri)
+-      response="$(http_request get "$(echo "${authorization}" | _sed -e 's/\"(.*)".*/\1/')" | clean_json)"
++      response="$(signed_request "$(echo "${authorization}" | _sed -e 's/\"(.*)".*/\1/')" "" | clean_json)"
+       identifier="$(echo "${response}" | get_json_dict_value identifier | get_json_string_value value)"
+       echo " + Handling authorization for ${identifier}"
+     else
+@@ -793,7 +793,11 @@ sign_csr() {
+ 
+     while [[ "${reqstatus}" = "pending" ]]; do
+       sleep 1
+-      result="$(http_request get "${challenge_uris[${idx}]}")"
++      if [[ "${API}" -eq 2 ]]; then
++        result="$(signed_request "${challenge_uris[${idx}]}" "")"
++      else
++        result="$(http_request get "${challenge_uris[${idx}]}")"
++      fi
+       reqstatus="$(printf '%s\n' "${result}" | get_json_string_value status)"
+     done
+ 
+@@ -838,7 +842,7 @@ sign_csr() {
+     crt="$( printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" )"
+   else
+     result="$(signed_request "${finalize}" '{"csr": "'"${csr64}"'"}' | clean_json | get_json_string_value certificate)"
+-    crt="$(http_request get "${result}")"
++    crt="$(signed_request "${result}" "")"
+   fi
+ 
+   # Try to load the certificate to detect corruption
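Review bot: The three new `signed_request "<url>" ""` calls in sign_csr rely on an empty second argument meaning POST-as-GET, but nothing at the call sites says so and signed_request itself is not touched by this patch. ACME POST-as-GET requires the JWS `payload` field to be the empty string, so it is worth confirming that signed_request passes an empty payload through unchanged; that code is not visible here. A short comment at the first call, e.g. `# empty payload = POST-as-GET (RFC 8555, section 6.3)`, would document the convention for the next reader. sign_csr's body starts and ends outside all three hunks.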
diff -Nru dehydrated-0.6.2/debian/patches/Only-match-Replace-Nonce-header-at-beginning-of-line.patch dehydrated-0.6.2/debian/patches/Only-match-Replace-Nonce-header-at-beginning-of-line.patch
--- dehydrated-0.6.2/debian/patches/Only-match-Replace-Nonce-header-at-beginning-of-line.patch	1970-01-01 01:00:00.000000000 +0100
+++ dehydrated-0.6.2/debian/patches/Only-match-Replace-Nonce-header-at-beginning-of-line.patch	2019-03-11 16:21:33.000000000 +0100
@@ -0,0 +1,24 @@
+From: Lukas Schauer <lu...@schauer.so>
+Date: Wed, 9 May 2018 21:01:57 +0200
+Subject: Only match Replace-Nonce header at beginning of line
+
+---
+ dehydrated | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/dehydrated b/dehydrated
+index ba0f5a0..c27706a 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -577,9 +577,9 @@ signed_request() {
+ 
+   # Retrieve nonce from acme-server
+   if [[ ${API} -eq 1 ]]; then
+-    nonce="$(http_request head "${CA}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
++    nonce="$(http_request head "${CA}" | grep -i ^Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+   else
+-    nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
++    nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i ^Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+   fi
+ 
+   # Build header with just our public key and algorithm information
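Review bot: Both rewritten `nonce=` lines still split the header with `awk -F ': '`, which assumes exactly one space after the colon; a server that sends the value without that space would yield an empty nonce with no error at this point. Splitting on `awk -F ':[ \t]*' '{print $2}'` and failing early on an empty result, e.g. `[[ -n "${nonce}" ]] || _exiterr "Could not retrieve nonce"`, would make that failure explicit, unless it is already checked further down. signed_request's body continues outside the hunk.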
diff -Nru dehydrated-0.6.2/debian/patches/series dehydrated-0.6.2/debian/patches/series
--- dehydrated-0.6.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ dehydrated-0.6.2/debian/patches/series	2019-03-11 16:21:33.000000000 +0100
@@ -0,0 +1,6 @@
+Fixes-559-when-HTTP-2-is-used-header-names-are-lower-case.patch
+Only-match-Replace-Nonce-header-at-beginning-of-line.patch
+fixed-a-bug-that-resulted-in-a-deleted-domains.txt-when-u.patch
+document-DOMAINS_D-parameter-in-example-config-fixes-575-.patch
+implement-POST-as-GET-closes-626.patch
+tiny-documentation-fix-per-certificate-config-can-overrid.patch
diff -Nru dehydrated-0.6.2/debian/patches/tiny-documentation-fix-per-certificate-config-can-overrid.patch dehydrated-0.6.2/debian/patches/tiny-documentation-fix-per-certificate-config-can-overrid.patch
--- dehydrated-0.6.2/debian/patches/tiny-documentation-fix-per-certificate-config-can-overrid.patch	1970-01-01 01:00:00.000000000 +0100
+++ dehydrated-0.6.2/debian/patches/tiny-documentation-fix-per-certificate-config-can-overrid.patch	2019-03-11 16:21:33.000000000 +0100
@@ -0,0 +1,21 @@
+From: Lukas Schauer <lu...@schauer.so>
+Date: Sun, 3 Mar 2019 20:38:38 +0100
+Subject: tiny documentation fix: per-certificate-config can override
+ PRIVATE_KEY_ROLLOVER (closes #614)
+
+---
+ docs/per-certificate-config.md | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/docs/per-certificate-config.md b/docs/per-certificate-config.md
+index da88838..457a41a 100644
+--- a/docs/per-certificate-config.md
++++ b/docs/per-certificate-config.md
+@@ -7,6 +7,7 @@ To use this feature create a `config` file in the certificates output directory
+ Currently supported options:
+ 
+ - PRIVATE_KEY_RENEW
++- PRIVATE_KEY_ROLLOVER
+ - KEY_ALGO
+ - KEYSIZE
+ - OCSP_MUST_STAPLE
