aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2019-08-21 18:55:48 +0200
committerGuilhem Moulin <guilhem@fripost.org>2019-08-26 12:35:58 +0200
commitaa779d1f1658a1244e2cba03b07ea9be3c4ee2a0 (patch)
treeea19988bb6ea58e5296dc204c6d78a968ee69a9c
parent7f4db501dfc80b4571833f95c090bdd0e1da240d (diff)
Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)debian/0.5-1+deb10u1debian-buster
For the authorizations, order and certificate URLs. See RFC 8555 sec. 7.1. Let's Encrypt will remove support of unauthenticated GETs from the V2 API on 01 Nov 2019: https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
-rw-r--r--debian/changelog11
-rw-r--r--debian/gbp.conf2
-rw-r--r--debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch121
-rw-r--r--debian/patches/series1
4 files changed, 134 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog
index d18bc4c..3366d21 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+lacme (0.5-1+deb10u1) buster; urgency=medium
+
+ * Link to RFC 8555 <https://tools.ietf.org/html/rfc8555> instead of the
+ ACME I-D URL.
+ * Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
+ authorizations, order and certificate URLs. Let's Encrypt will remove
+ support of unauthenticated GETs from the V2 API on 01 Nov 2019.
+ Closes: #935799.
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 22 Aug 2019 00:14:42 +0200
+
lacme (0.5-1) unstable; urgency=medium
* New upstream release, adding support for v2 ACME endpoints.
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 4daf79f..b100207 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,6 +1,6 @@
[DEFAULT]
upstream-branch = master
-debian-branch = debian
+debian-branch = debian-buster
upstream-tag = upstream/%(version)s
debian-tag = debian/%(version)s
pristine-tar = False
diff --git a/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch b/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch
new file mode 100644
index 0000000..2f07327
--- /dev/null
+++ b/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch
@@ -0,0 +1,121 @@
+From f9d5e53cac1c002e5983efc18e42f5a21444b182 Mon Sep 17 00:00:00 2001
+From: Guilhem Moulin <guilhem@fripost.org>
+Date: Wed, 21 Aug 2019 17:29:19 +0200
+Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)
+
+For the authorizations, order and certificate URLs.
+See RFC 8555 sec. 7.1.
+---
+ client | 22 +++++++++++-----------
+ lacme-accountd.md | 2 +-
+ lacme.md | 2 +-
+ 3 files changed, 13 insertions(+), 13 deletions(-)
+
+--- a/client
++++ b/client
+@@ -165,16 +165,16 @@ sub request_json_decode($;$$) {
+ #############################################################################
+ # JSON-encode the hash reference $h and send it to the ACME server $uri
+ # encapsulated it in a JSON Web Signature (JWS).
+-# https://tools.ietf.org/html/draft-ietf-acme-acme-12
++# https://tools.ietf.org/html/rfc8555
+ #
+-sub acme($@) {
+- my $uri = shift;
++sub acme($;$) {
++ my ($uri, $h) = @_;
+ die "Missing nonce\n" unless defined $NONCE;
+
+ # Produce the JSON Web Signature: RFC 7515 section 5
+ my %header = ( alg => 'RS256', nonce => $NONCE, url => $uri );
+ defined $KID ? ($header{kid} = $KID) : ($header{jwk} = $JWK);
+- my $payload = encode_base64url(json()->encode({ @_ }));
++ my $payload = defined $h ? encode_base64url(json()->encode($h)) : "";
+ my $protected = encode_base64url(json()->encode(\%header));
+ my $data = $protected .'.'. $payload;
+ $S->printflush($data, "\r\n");
+@@ -204,7 +204,7 @@ sub acme_resource($%) {
+ request(HEAD => $RES{newNonce});
+ }
+ my $uri = $RES{$r} // die "Unknown resource '$r'\n";
+- acme($uri, @_);
++ acme($uri, {@_});
+ }
+
+ # Set the key ID (registration URI)
+@@ -237,7 +237,7 @@ if ($COMMAND eq 'account') {
+
+ if ($r->is_success()) {
+ $KID = $r->header('Location');
+- $r = acme($KID, %h);
++ $r = acme($KID, \%h);
+ request_json_decode($r, 1, \*STDOUT)
+ if $r->is_success() and $r->content_type() eq 'application/json';
+ }
+@@ -264,7 +264,7 @@ elsif ($COMMAND eq 'newOrder') {
+ my $order = request_json_decode($r);
+
+ foreach (@{$order->{authorizations}}) {
+- my $authz = request_json_decode(request(GET => $_));
++ my $authz = request_json_decode(acme($_));
+ next unless $authz->{status} eq 'pending';
+
+ my $identifier = $authz->{identifier}->{value};
+@@ -288,7 +288,7 @@ elsif ($COMMAND eq 'newOrder') {
+ die "Can't open $challenge->{token}: $!";
+ }
+
+- $r = acme($challenge->{url});
++ $r = acme($challenge->{url}, {});
+
+ # poll until the status become 'valid'
+ # XXX poll the order URL instead, to get the status of all
+@@ -298,7 +298,7 @@ elsif ($COMMAND eq 'newOrder') {
+ $resp = request_json_decode($r),
+ $status = $resp->{status} // 'pending',
+ $status ne 'valid';
+- $r = request('GET' => $challenge->{url})) {
++ $r = acme($challenge->{url}, {})) {
+ if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807)
+ my $msg = $problem->{status};
+ $msg .= " " .$problem->{title} if defined $problem->{title};
+@@ -321,7 +321,7 @@ elsif ($COMMAND eq 'newOrder') {
+ }
+ }
+
+- $r = acme($order->{finalize}, csr => encode_base64url($csr));
++ $r = acme($order->{finalize}, {csr => encode_base64url($csr)});
+ my $resp = request_json_decode($r);
+
+ my $uri = $resp->{certificate};
+@@ -329,7 +329,7 @@ elsif ($COMMAND eq 'newOrder') {
+
+ # pool until the cert is available
+ for (my $i = 0;;) {
+- $r = request('GET' => $uri);
++ $r = acme($uri);
+ die request_status_line($r), "\n" unless $r->is_success();
+ last unless $r->code == 202; # Accepted
+ my $retry_after = $r->header('Retry-After') // 1;
+--- a/lacme-accountd.md
++++ b/lacme-accountd.md
+@@ -141,7 +141,7 @@ See also
+
+ [`lacme`(1)], [`ssh`(1)]
+
+-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02
++[ACME]: https://tools.ietf.org/html/rfc8555
+ [`lacme`(1)]: lacme.1.html
+ [`signal`(7)]: http://linux.die.net/man/7/signal
+ [`gpg`(1)]: https://www.gnupg.org/documentation/manpage.en.html
+--- a/lacme.md
++++ b/lacme.md
+@@ -412,7 +412,7 @@ See also
+
+ [`lacme-accountd`(1)]
+
+-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-12
++[ACME]: https://tools.ietf.org/html/rfc8555
+ [`lacme-accountd`(1)]: lacme-accountd.1.html
+ [`iptables`(8)]: http://linux.die.net/man/8/iptables
+ [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
diff --git a/debian/patches/series b/debian/patches/series
index 98a1097..ddf7cce 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
0001-Mention-the-Debian-BTS-in-the-manpages.patch
+0002-Issue-GET-and-POST-as-GET-requests.patch