From 6362716a94ef687e2d1f5bf662a3329866346675 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 15 Jun 2024 21:24:54 +0200 Subject: Typofix Pointed by Jonathan Wiltshire at https://bugs.debian.org/1073174#12 . Thanks! --- debian/changelog | 13 +++++++------ debian/patches/Fix-post-issuance-validation-logic.patch | 2 +- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/debian/changelog b/debian/changelog index 382a8ed..8a26ff6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,11 +1,12 @@ lacme (0.8.0-2+deb11u2) bullseye; urgency=medium - * Backport upstream patches to fix fix post-issuance validation logic. - We avoid pining the intermediate certificates in the bundle and instead - validate the leaf certificate with intermediates supplied during issuance - as untrusted (used for chain building only). Only the root certificates - are used as trust anchor. Not pining intermediate certificates is in line - with Let's Encrypt's latest recommendations. + * Backport upstream patches to fix post-issuance validation logic. We avoid + pinning the intermediate certificates in the bundle and instead validate + the leaf certificate with intermediates supplied during issuance as + untrusted (used for chain building only). Only the root certificates are + used as trust anchor. + Not pinning intermediate certificates is in line with Let's Encrypt's + latest recommendations. Closes: #1072847 * Adjust test suite against current Let's Encrypt staging environment. diff --git a/debian/patches/Fix-post-issuance-validation-logic.patch b/debian/patches/Fix-post-issuance-validation-logic.patch index 61f8da3..bbd9f02 100644 --- a/debian/patches/Fix-post-issuance-validation-logic.patch +++ b/debian/patches/Fix-post-issuance-validation-logic.patch @@ -7,7 +7,7 @@ validate the leaf certificate with intermediates as untrusted (used for chain building only). Only the root certificates are used as trust anchor. -Not pining intermediate certificates anymore is in line with Let's +Not pinning intermediate certificates anymore is in line with Let's Encrypt's latest recommendations: Rotating the set of intermediates we issue from helps keep the -- cgit v1.2.3