Debian Bug report logs - #969126
Certbot will stop working for 2,220 users with upcoming Let's Encrypt deprecation


Package: python3-certbot; Maintainer for python3-certbot is Debian Let's Encrypt <team+letsencrypt@tracker.debian.org>; Source for python3-certbot is src:python-certbot (PTS, buildd, popcon).

Reported by: Erica Portnoy <erica@eff.org>

Date: Thu, 27 Aug 2020 21:27:02 UTC

Severity: normal

Found in version python-certbot/0.28.0-1~deb9u2

Fixed in version 0.28.0-1~deb9u3

Done: Harlan Lieberman-Berg <hlieberman@setec.io>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Let's Encrypt <team+letsencrypt@tracker.debian.org>:
Bug#969126; Package python3-certbot. (Thu, 27 Aug 2020 21:27:04 GMT)


Acknowledgement sent to Erica Portnoy <erica@eff.org>:
New Bug report received and forwarded. Copy sent to Debian Let's Encrypt <team+letsencrypt@tracker.debian.org>. (Thu, 27 Aug 2020 21:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Erica Portnoy <erica@eff.org>
To: submit@bugs.debian.org
Subject: Certbot will stop working for 2,220 users with upcoming Let's Encrypt deprecation
Date: Thu, 27 Aug 2020 14:25:00 -0700
Package: python3-certbot
Version: 0.28.0-1~deb9u2


Let’s Encrypt is in the process of shutting down ACMEv1. The full shutdown process will be completed
in June 2021 with temporary brown-outs starting at the beginning of the year; more specific details
are available at https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430.

When ACMEv1 is shut down, many older versions of Certbot will be unable to get new certificates.
ACMEv2 support was first made default in 0.26.0 for new certificates, but it wasn’t until 1.6.0
that certificates which had originally been issued using ACMEv1 were transitioned to ACMEv2.
The original update was supposed to move people off of ACMEv1, but due to some old configuration
management code, we missed a small group of early Certbot users.

Based on recent counts, there are a total of 2,220 distinct non-EOL Debian users still using ACMEv1
who use the version of Certbot packaged in their system’s package manager (1,665 users of 0.28.0 on
Debian 9 stretch and 555 users of 0.31.0 on Debian 10 buster) that will encounter this issue. These
users will no longer receive certs in June, but would be automatically upgraded to ACMEv2 if the
package for their system were updated.

The commit that switches ACMEv1 users to ACMEv2 is here:
https://github.com/certbot/certbot/commit/340a4280eacc3eac8915996d89ff0c0a0cd023f9
One option to address the upcoming shutdown is to backport the commit into older versions of Certbot.

Another option to address the shutdown, which is preferable from our perspective, would be to update
Certbot to 1.6.0+. First, there’s the inherent risk in backporting an individual change, especially
onto much older code. Released versions are tested extensively both on our systems and by our users,
so we’re much more sure of their stability than a backported patch. Additionally, Certbot continues
to improve over time, closing up bugs, supporting more edge cases, improving usability, and offering
more robust and modern security practices.

Since we made backwards incompatible changes in 0.40.0 and 1.0.0, to update Certbot to a newer version,
our other components will have to be updated as well. Certbot relies on our other libraries `acme` and
`josepy`, and we have a series of plugins which will need to be updated as well, including the
`certbot-nginx` and `certbot-apache` plugins, as well as our `certbot-dns-*` plugins. Certbot 1.0.0
in particular contained significant API changes, and if any of our packages are updated to 1.0.0 or newer,
it will probably be easiest to update all of them. josepy may be fine depending on the version of certbot,
as certbot 1.0.0 relies on `josepy>=1.1.0`, which is already available packaged on all relevant systems.
But Certbot 1.0.0 also requires `acme>=0.40.0`, which is only one release behind 1.0.0, so it would
probably be easier to update it to a matching version. Basically, I would recommend choosing a certbot
version, then updating `acme`, `certbot-nginx`, `certbot-apache`, and `certbot-dns-*` to that version.
None of our 3rd party dependencies should need to be updated.

One thing to note when choosing a version is that Certbot 1.7.0 deprecated Python 3.5 support, which may
be necessary on older systems, so 1.6.0 may be a better choice than later versions on older systems.

Certbot 0.40.0 and 1.0.0 introduced backwards incompatible changes; these include:

* CLI flags `--tls-sni-01-port` and `--tls-sni-01-address` have been removed.
* The values `tls-sni` and `tls-sni-01` for the `--preferred-challenges` flag are no
  longer accepted.
* Removed the flags: `--agree-dev-preview`, `--dialog`, and `--apache-init-script`.
* Certbot's `config_changes` subcommand has been removed.
* `certbot.plugins.common.TLSSNI01` has been removed.
* Deprecated attributes related to the TLS-SNI-01 challenge in `acme.challenges` and `acme.standalone` have been removed.
* The functions `certbot.client.view_config_changes`, `certbot.main.config_changes`, `certbot.plugins.common.Installer.view_config_changes`, `certbot.reverter.Reverter.view_config_changes`, and `certbot.util.get_systemd_os_info` have been removed.
* Certbot's `register --update-registration` subcommand has been removed.
* When possible, default to automatically configuring the webserver so all requests
  redirect to secure HTTPS access. This is mostly relevant when running Certbot
  in non-interactive mode. Previously, the default was to not redirect all requests.

Bug 969126 cloned as bug 971045. Request was from Harlan Lieberman-Berg <hlieberman@setec.io> to control@bugs.debian.org. (Sat, 26 Sep 2020 18:27:02 GMT)


Reply sent to Harlan Lieberman-Berg <hlieberman@setec.io>:
You have taken responsibility. (Tue, 08 Dec 2020 20:33:16 GMT)


Notification sent to Erica Portnoy <erica@eff.org>:
Bug acknowledged by developer. (Tue, 08 Dec 2020 20:33:16 GMT)


Message #12 received at 969126-done@bugs.debian.org:

From: Harlan Lieberman-Berg <hlieberman@setec.io>
To: 969126-done@bugs.debian.org
Subject: Closing manually as dak didn't pick it up correctly
Date: Tue, 8 Dec 2020 15:29:07 -0500
Version: 0.28.0-1~deb9u3

-- 
Harlan Lieberman-Berg
~hlieberman



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 06 Jan 2021 07:26:50 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Oct 8 03:08:37 2023; Machine Name: bembo
