diff options
| -rw-r--r-- | debian/changelog | 11 | ||||
| -rw-r--r-- | debian/gbp.conf | 2 | ||||
| -rw-r--r-- | debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch | 121 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
4 files changed, 134 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog index d18bc4c..3366d21 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +lacme (0.5-1+deb10u1) buster; urgency=medium + + * Link to RFC 8555 <https://tools.ietf.org/html/rfc8555> instead of the + ACME I-D URL. + * Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the + authorizations, order and certificate URLs. Let's Encrypt will remove + support of unauthenticated GETs from the V2 API on 01 Nov 2019. + Closes: #935799. + + -- Guilhem Moulin <guilhem@debian.org> Thu, 22 Aug 2019 00:14:42 +0200 + lacme (0.5-1) unstable; urgency=medium * New upstream release, adding support for v2 ACME endpoints. diff --git a/debian/gbp.conf b/debian/gbp.conf index 4daf79f..b100207 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,6 +1,6 @@ [DEFAULT] upstream-branch = master -debian-branch = debian +debian-branch = debian-buster upstream-tag = upstream/%(version)s debian-tag = debian/%(version)s pristine-tar = False diff --git a/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch b/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch new file mode 100644 index 0000000..2f07327 --- /dev/null +++ b/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch @@ -0,0 +1,121 @@ +From f9d5e53cac1c002e5983efc18e42f5a21444b182 Mon Sep 17 00:00:00 2001 +From: Guilhem Moulin <guilhem@fripost.org> +Date: Wed, 21 Aug 2019 17:29:19 +0200 +Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) + +For the authorizations, order and certificate URLs. +See RFC 8555 sec. 7.1. +--- + client | 22 +++++++++++----------- + lacme-accountd.md | 2 +- + lacme.md | 2 +- + 3 files changed, 13 insertions(+), 13 deletions(-) + +--- a/client ++++ b/client +@@ -165,16 +165,16 @@ sub request_json_decode($;$$) { + ############################################################################# + # JSON-encode the hash reference $h and send it to the ACME server $uri + # encapsulated it in a JSON Web Signature (JWS). +-# https://tools.ietf.org/html/draft-ietf-acme-acme-12 ++# https://tools.ietf.org/html/rfc8555 + # +-sub acme($@) { +- my $uri = shift; ++sub acme($;$) { ++ my ($uri, $h) = @_; + die "Missing nonce\n" unless defined $NONCE; + + # Produce the JSON Web Signature: RFC 7515 section 5 + my %header = ( alg => 'RS256', nonce => $NONCE, url => $uri ); + defined $KID ? ($header{kid} = $KID) : ($header{jwk} = $JWK); +- my $payload = encode_base64url(json()->encode({ @_ })); ++ my $payload = defined $h ? encode_base64url(json()->encode($h)) : ""; + my $protected = encode_base64url(json()->encode(\%header)); + my $data = $protected .'.'. $payload; + $S->printflush($data, "\r\n"); +@@ -204,7 +204,7 @@ sub acme_resource($%) { + request(HEAD => $RES{newNonce}); + } + my $uri = $RES{$r} // die "Unknown resource '$r'\n"; +- acme($uri, @_); ++ acme($uri, {@_}); + } + + # Set the key ID (registration URI) +@@ -237,7 +237,7 @@ if ($COMMAND eq 'account') { + + if ($r->is_success()) { + $KID = $r->header('Location'); +- $r = acme($KID, %h); ++ $r = acme($KID, \%h); + request_json_decode($r, 1, \*STDOUT) + if $r->is_success() and $r->content_type() eq 'application/json'; + } +@@ -264,7 +264,7 @@ elsif ($COMMAND eq 'newOrder') { + my $order = request_json_decode($r); + + foreach (@{$order->{authorizations}}) { +- my $authz = request_json_decode(request(GET => $_)); ++ my $authz = request_json_decode(acme($_)); + next unless $authz->{status} eq 'pending'; + + my $identifier = $authz->{identifier}->{value}; +@@ -288,7 +288,7 @@ elsif ($COMMAND eq 'newOrder') { + die "Can't open $challenge->{token}: $!"; + } + +- $r = acme($challenge->{url}); ++ $r = acme($challenge->{url}, {}); + + # poll until the status become 'valid' + # XXX poll the order URL instead, to get the status of all +@@ -298,7 +298,7 @@ elsif ($COMMAND eq 'newOrder') { + $resp = request_json_decode($r), + $status = $resp->{status} // 'pending', + $status ne 'valid'; +- $r = request('GET' => $challenge->{url})) { ++ $r = acme($challenge->{url}, {})) { + if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807) + my $msg = $problem->{status}; + $msg .= " " .$problem->{title} if defined $problem->{title}; +@@ -321,7 +321,7 @@ elsif ($COMMAND eq 'newOrder') { + } + } + +- $r = acme($order->{finalize}, csr => encode_base64url($csr)); ++ $r = acme($order->{finalize}, {csr => encode_base64url($csr)}); + my $resp = request_json_decode($r); + + my $uri = $resp->{certificate}; +@@ -329,7 +329,7 @@ elsif ($COMMAND eq 'newOrder') { + + # pool until the cert is available + for (my $i = 0;;) { +- $r = request('GET' => $uri); ++ $r = acme($uri); + die request_status_line($r), "\n" unless $r->is_success(); + last unless $r->code == 202; # Accepted + my $retry_after = $r->header('Retry-After') // 1; +--- a/lacme-accountd.md ++++ b/lacme-accountd.md +@@ -141,7 +141,7 @@ See also + + [`lacme`(1)], [`ssh`(1)] + +-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02 ++[ACME]: https://tools.ietf.org/html/rfc8555 + [`lacme`(1)]: lacme.1.html + [`signal`(7)]: http://linux.die.net/man/7/signal + [`gpg`(1)]: https://www.gnupg.org/documentation/manpage.en.html +--- a/lacme.md ++++ b/lacme.md +@@ -412,7 +412,7 @@ See also + + [`lacme-accountd`(1)] + +-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-12 ++[ACME]: https://tools.ietf.org/html/rfc8555 + [`lacme-accountd`(1)]: lacme-accountd.1.html + [`iptables`(8)]: http://linux.die.net/man/8/iptables + [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html diff --git a/debian/patches/series b/debian/patches/series index 98a1097..ddf7cce 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 0001-Mention-the-Debian-BTS-in-the-manpages.patch +0002-Issue-GET-and-POST-as-GET-requests.patch |