[Bug 1123345] New: Certbot does not seem ready for TLS-SNI-01 reaching end-of-life
http://bugzilla.opensuse.org/show_bug.cgi?id=1123345
Bug ID: 1123345
Summary: Certbot does not seem ready for TLS-SNI-01 reaching end-of-life
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.0
Hardware: x86-64
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: jwagner@computing.dcu.ie
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Leap 15.0 comes with certbot 0.24.0, which is not ready for TLS-SNI-01 validation reaching end-of-life in 2019Q1 according to https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbo... The package version suffix and the zypper log/history do not suggest that this functionality has been backported recently, and I received a warning e-mail yesterday that I used ACME TLS-SNI-01 domain validation on 2019-01-19 (subject line "Action required: Let's Encrypt certificate renewals"). I use `certbot --apache certonly` for a single virtual domain and call `/usr/bin/certbot renew --quiet` weekly via crontab. Briefly scanning the certbot log for "sni", tls-sni-01 seems to have been used for the renewal on 2019-01-19.

-- You are receiving this mail because: You are on the CC list for the bug.
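An added example of the check the report describes (which challenge type a certbot renewal actually used, read from the letsencrypt.log lines certbot's auth handler writes) together with pinning http-01 through the `pref_challs` renewal-config setting that the linked Let's Encrypt how-to relies on. This is example code, not certbot's or the reporter's; the log and config fragments are constructed samples.

```python
import re

# Constructed sample of /var/log/letsencrypt/letsencrypt.log lines in certbot's
# "timestamp:LEVEL:logger:message" layout; not real log data.
SAMPLE_LOG = """\
2019-01-19 03:15:02,123:INFO:certbot.auth_handler:Performing the following challenges:
2019-01-19 03:15:02,124:INFO:certbot.auth_handler:tls-sni-01 challenge for www.example.org
2019-01-19 03:15:02,125:INFO:certbot.auth_handler:tls-sni-01 challenge for example.org
2019-02-20 03:15:09,882:INFO:certbot.auth_handler:http-01 challenge for example.org
"""

# Constructed /etc/letsencrypt/renewal/<name>.conf fragment (no pref_challs yet).
SAMPLE_RENEWAL_CONF = """\
[renewalparams]
authenticator = apache
installer = apache
"""

CHALLENGE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) [\d:,]+:INFO:certbot\.auth_handler:"
    r"(?P<typ>[a-z0-9-]+) challenge for (?P<domain>\S+)$"
)


def latest_challenge_per_domain(log_text):
    """Return {domain: (date, challenge type)} for each domain's newest attempt."""
    latest = {}
    for line in log_text.splitlines():
        m = CHALLENGE_RE.match(line)
        if m:
            latest[m["domain"]] = (m["date"], m["typ"])
    return latest


def domains_still_on_tls_sni(log_text):
    """Domains whose most recent validation used the retired tls-sni-01 type."""
    return sorted(d for d, (_, typ) in latest_challenge_per_domain(log_text).items()
                  if typ == "tls-sni-01")


def pin_http01(conf_text):
    """Add 'pref_challs = http-01,' under [renewalparams] unless already present."""
    if re.search(r"(?m)^pref_challs\s*=", conf_text):
        return conf_text
    return conf_text.replace("[renewalparams]\n",
                             "[renewalparams]\npref_challs = http-01,\n", 1)


if __name__ == "__main__":
    print("still on tls-sni-01:", domains_still_on_tls_sni(SAMPLE_LOG))
    print(pin_http01(SAMPLE_RENEWAL_CONF))
```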
http://bugzilla.opensuse.org/show_bug.cgi?id=1123345#c1
--- Comment #1 from Jon Brightwell
TLS-SNI-01 validation is reaching end-of-life. It will stop working temporarily on February 13th, 2019, and permanently on March 13th, 2019. Any certificates issued before then will continue to work for 90 days after their issuance date.
http://bugzilla.opensuse.org/show_bug.cgi?id=1123345#c2
--- Comment #2 from Tomáš Chvátal
http://bugzilla.opensuse.org/show_bug.cgi?id=1123345#c3
--- Comment #3 from David Kronlid
Ansgar Esztermann
http://bugzilla.opensuse.org/show_bug.cgi?id=1123345#c5
--- Comment #5 from Alfred Scherff
http://bugzilla.opensuse.org/show_bug.cgi?id=1123345#c6
--- Comment #6 from Tomáš Chvátal
http://bugzilla.opensuse.org/show_bug.cgi?id=1123345#c7
--- Comment #7 from Tomáš Chvátal
repo-checker wrote about 1 month ago:

openSUSE_Leap_15.0_Update/x86_64 install check & file conflicts
found conflict of certbot-0.24.0-lp150.1.4.noarch with python2-certbot-0.30.2-lp150.2.1.noarch:
- /usr/bin/certbot

^ reason it is stopped. Sadly nobody told me about it until I dug into it myself.
Submission #684875 should fix it.

Actually I looked wrongly, it is released. See python2-certbot or python3-certbot; both are at version 0.30.2. If you have the certbot or certbot-python package and do an update, this is what happens:

The following 13 NEW packages are going to be installed:
  python2-certbot python3-acme python3-certbot python3-configargparse python3-future python3-josepy python3-parsedatetime python3-pyRFC3339 python3-pytz python3-requests-toolbelt python3-zope.component python3-zope.event python3-zope.interface
The following 2 packages are going to be REMOVED:
  certbot python-certbot
13 new packages to install, 2 to remove.
Overall download size: 2.4 MiB. Already cached: 0 B. After the operation, additional 11.7 MiB will be used.
Continue? [y/n/...? shows all options] (y):
http://bugzilla.opensuse.org/show_bug.cgi?id=1123345#c8
--- Comment #8 from Alfred Scherff
http://bugzilla.opensuse.org/show_bug.cgi?id=1123345#c9
--- Comment #9 from Jon Brightwell
http://bugzilla.opensuse.org/show_bug.cgi?id=1123345#c10
--- Comment #10 from Jon Brightwell
Also be aware that with the changeover your configs and cron will be renamed to *.rpmsave. Other than that, I had no problems on L15.

Correction, this fix suffers from this issue: /etc paths are broken. https://bugzilla.opensuse.org/show_bug.cgi?id=1119619
http://bugzilla.opensuse.org/show_bug.cgi?id=1123345#c11
--- Comment #11 from Joachim Wagner
Certbot 0.23.0 is new enough that it supports HTTP validation, but old enough that it will continue to use TLS-SNI validation by default until Let’s Encrypt disables it.
I guess that certbot 0.24.0 automatically switched from using TLS-SNI to some other method when TLS-SNI was no longer accepted by the cert server. This would mean that the previous information from https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbo... about 0.24.0 being too old was wrong and we are fine to keep certbot 0.24.0 (until some other problem emerges). Right?
Javier Llorente