From aa779d1f1658a1244e2cba03b07ea9be3c4ee2a0 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 21 Aug 2019 18:55:48 +0200
Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)

For the authorizations, order and certificate URLs.
See RFC 8555 sec. 7.1.

Let's Encrypt will remove support of unauthenticated GETs from the V2 API on 01 Nov 2019:
https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
---
 debian/changelog | 11 ++
 debian/gbp.conf | 2 +-
 .../0002-Issue-GET-and-POST-as-GET-requests.patch | 121 +++++++++++++++++++++
 debian/patches/series | 1 +
 4 files changed, 134 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch

diff --git a/debian/changelog b/debian/changelog
index d18bc4c..3366d21 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+lacme (0.5-1+deb10u1) buster; urgency=medium
+
+ * Link to RFC 8555 instead of the
+ ACME I-D URL.
+ * Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
+ authorizations, order and certificate URLs. Let's Encrypt will remove
+ support of unauthenticated GETs from the V2 API on 01 Nov 2019.
+ Closes: #935799.
+
+ -- Guilhem Moulin Thu, 22 Aug 2019 00:14:42 +0200
+
 lacme (0.5-1) unstable; urgency=medium
 
 * New upstream release, adding support for v2 ACME endpoints.
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 4daf79f..b100207 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = master
-debian-branch = debian
+debian-branch = debian-buster
 upstream-tag = upstream/%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = False
diff --git a/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch b/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch
new file mode 100644
index 0000000..2f07327
--- /dev/null
+++ b/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch
@@ -0,0 +1,121 @@
+From f9d5e53cac1c002e5983efc18e42f5a21444b182 Mon Sep 17 00:00:00 2001
+From: Guilhem Moulin
+Date: Wed, 21 Aug 2019 17:29:19 +0200
+Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)
+
+For the authorizations, order and certificate URLs.
+See RFC 8555 sec. 7.1.
+---
+ client | 22 +++++++++++-----------
+ lacme-accountd.md | 2 +-
+ lacme.md | 2 +-
+ 3 files changed, 13 insertions(+), 13 deletions(-)
+
+--- a/client
++++ b/client
+@@ -165,16 +165,16 @@ sub request_json_decode($;$$) {
+ #############################################################################
+ # JSON-encode the hash reference $h and send it to the ACME server $uri
+ # encapsulated it in a JSON Web Signature (JWS).
+-# https://tools.ietf.org/html/draft-ietf-acme-acme-12
++# https://tools.ietf.org/html/rfc8555
+ #
+-sub acme($@) {
+- my $uri = shift;
++sub acme($;$) {
++ my ($uri, $h) = @_;
+ die "Missing nonce\n" unless defined $NONCE;
+
+ # Produce the JSON Web Signature: RFC 7515 section 5
+ my %header = ( alg => 'RS256', nonce => $NONCE, url => $uri );
+ defined $KID ? ($header{kid} = $KID) : ($header{jwk} = $JWK);
+- my $payload = encode_base64url(json()->encode({ @_ }));
++ my $payload = defined $h ? encode_base64url(json()->encode($h)) : "";
+ my $protected = encode_base64url(json()->encode(\%header));
+ my $data = $protected .'.'. $payload;
+ $S->printflush($data, "\r\n");
+@@ -204,7 +204,7 @@ sub acme_resource($%) {
+ request(HEAD => $RES{newNonce});
+ }
+ my $uri = $RES{$r} // die "Unknown resource '$r'\n";
+- acme($uri, @_);
++ acme($uri, {@_});
+ }
+
+ # Set the key ID (registration URI)
+@@ -237,7 +237,7 @@ if ($COMMAND eq 'account') {
+
+ if ($r->is_success()) {
+ $KID = $r->header('Location');
+- $r = acme($KID, %h);
++ $r = acme($KID, \%h);
+ request_json_decode($r, 1, \*STDOUT)
+ if $r->is_success() and $r->content_type() eq 'application/json';
+ }
+@@ -264,7 +264,7 @@ elsif ($COMMAND eq 'newOrder') {
+ my $order = request_json_decode($r);
+
+ foreach (@{$order->{authorizations}}) {
+- my $authz = request_json_decode(request(GET => $_));
++ my $authz = request_json_decode(acme($_));
+ next unless $authz->{status} eq 'pending';
+
+ my $identifier = $authz->{identifier}->{value};
+@@ -288,7 +288,7 @@ elsif ($COMMAND eq 'newOrder') {
+ die "Can't open $challenge->{token}: $!";
+ }
+
+- $r = acme($challenge->{url});
++ $r = acme($challenge->{url}, {});
+
+ # poll until the status become 'valid'
+ # XXX poll the order URL instead, to get the status of all
+@@ -298,7 +298,7 @@ elsif ($COMMAND eq 'newOrder') {
+ $resp = request_json_decode($r),
+ $status = $resp->{status} // 'pending',
+ $status ne 'valid';
+- $r = request('GET' => $challenge->{url})) {
++ $r = acme($challenge->{url}, {})) {
+ if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807)
+ my $msg = $problem->{status};
+ $msg .= " " .$problem->{title} if defined $problem->{title};
+@@ -321,7 +321,7 @@ elsif ($COMMAND eq 'newOrder') {
+ }
+ }
+
+- $r = acme($order->{finalize}, csr => encode_base64url($csr));
++ $r = acme($order->{finalize}, {csr => encode_base64url($csr)});
+ my $resp = request_json_decode($r);
+
+ my $uri = $resp->{certificate};
+@@ -329,7 +329,7 @@ elsif ($COMMAND eq 'newOrder') {
+
+ # pool until the cert is available
+ for (my $i = 0;;) {
+- $r = request('GET' => $uri);
++ $r = acme($uri);
+ die request_status_line($r), "\n" unless $r->is_success();
+ last unless $r->code == 202; # Accepted
+ my $retry_after = $r->header('Retry-After') // 1;
+--- a/lacme-accountd.md
++++ b/lacme-accountd.md
+@@ -141,7 +141,7 @@ See also
+
+ [`lacme`(1)], [`ssh`(1)]
+
+-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02
++[ACME]: https://tools.ietf.org/html/rfc8555
+ [`lacme`(1)]: lacme.1.html
+ [`signal`(7)]: http://linux.die.net/man/7/signal
+ [`gpg`(1)]: https://www.gnupg.org/documentation/manpage.en.html
+--- a/lacme.md
++++ b/lacme.md
+@@ -412,7 +412,7 @@ See also
+
+ [`lacme-accountd`(1)]
+
+-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-12
++[ACME]: https://tools.ietf.org/html/rfc8555
+ [`lacme-accountd`(1)]: lacme-accountd.1.html
+ [`iptables`(8)]: http://linux.die.net/man/8/iptables
+ [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
diff --git a/debian/patches/series b/debian/patches/series
index 98a1097..ddf7cce 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Mention-the-Debian-BTS-in-the-manpages.patch
+0002-Issue-GET-and-POST-as-GET-requests.patch
-- cgit v1.2.3
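Review bot: In the nested `@@ -298,7 +298,7 @@` hunk of the new patch, the poll loop re-sends `acme($challenge->{url}, {})`, i.e. the "ready for validation" body of RFC 8555 §7.5.1, on every iteration, while the same patch uses a bodiless `acme($_)` / `acme($uri)` POST-as-GET for the authorization and certificate URLs; reading the challenge status should likewise be `$r = acme($challenge->{url})) {`. Whether a server treats the repeated `{}` as an idempotent status read is implementation-dependent, so this is a behavioural difference, not just an inconsistency. The enclosing `for` loop and the body of `acme()` both continue outside the hunk, so I cannot confirm that the Replay-Nonce of each new POST response replaces `$NONCE` before the next iteration — with unauthenticated GETs that did not matter, whereas a stale nonce now fails the poll. The `sub acme($;$)` change would also benefit from a comment such as `# Without $h this is a POST-as-GET (RFC 8555 sec. 6.3): the JWS payload is the empty string, not the encoding of an empty object.`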