Bug 1515781
| Summary: | Let's encrypt have updated the agreement URL | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jonny Heggheim <hegjon> |
| Component: | acme-tiny | Assignee: | Stuart D Gathman <stuart> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 26 | CC: | diafygi, stuart |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | acme-tiny-0.2-3.20170516gitaf025f5.fc27 acme-tiny-0.2-3.20170516gitaf025f5.el7 acme-tiny-0.2-3.20170516gitaf025f5.fc26 acme-tiny-0.2-3.20170516gitaf025f5.fc25 acme-tiny-0.2-3.20170516gitaf025f5.el6 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-12-12 11:16:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Changing the URL fixed the issue: [root@demo40 nginx]# diff /usr/sbin/acme_tiny /usr/sbin/acme_tiny.old 85c85 < "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf" --- > "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf", [root@demo40 nginx]# sudo -u acme /usr/libexec/acme-tiny/sign 7 acme_tiny --account-key private/account.key --csr csr/letsencrypt.csr --acme-dir /var/www/challenges/ --chain --out certs/letsencrypt.crt Parsing account key... Parsing CSR... Registering account... Registered! Verifying demo40.zegeba.net... demo40.zegeba.net verified! Signing certificate... Certificate signed! Wow. That is going to be a maintenance headache! I agree, I am surprised that upstream have not fixed this before now. Would it be possible to update the package with adding a patch that changes the URL until upstream does a new release? Would also be great if we can reduce the time in Bodhi. The Ansible openssl_certificate module[1] will produce a empty file as the certificate, since it it also uses acme-tiny, lots of time wasted on debugging... [1] http://docs.ansible.com/ansible/latest/openssl_certificate_module.html Just changing the URL is the right fix at the moment. For the mini-wrapper I provide (soon to be split from acme-core), I think it should notify the admin when the agreement changes and require intervention. You never know what could be in the new agreement... One simple approach is a special notification for the agreement change problem, and the admin can edit acme-tiny or update the package (if changed there). acme-tiny-0.2-3.20170516gitaf025f5.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-532467503a acme-tiny-0.2-3.20170516gitaf025f5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0180e6bed2 acme-tiny-0.2-3.20170516gitaf025f5.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-3e288b6e4d acme-tiny-0.2-3.20170516gitaf025f5.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-35d7ea827a acme-tiny-0.2-3.20170516gitaf025f5.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-914865416c Ideally, when the url changes, it should download the agreement, notify the admin, and hold off on renewals until the admin signs off. Maybe by touching a file. @Stuart I fixed this upstream so that the terms are dynamically fetched[1]. [1]: https://github.com/diafygi/acme-tiny/compare/5a7b4e7...4ed1395 acme-tiny-0.2-3.20170516gitaf025f5.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-914865416c acme-tiny-0.2-3.20170516gitaf025f5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-35d7ea827a acme-tiny-0.2-3.20170516gitaf025f5.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-3e288b6e4d acme-tiny-0.2-3.20170516gitaf025f5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0180e6bed2 acme-tiny-0.2-3.20170516gitaf025f5.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-532467503a (In reply to Daniel Roesler from comment #13) > @Stuart I fixed this upstream so that the terms are dynamically fetched[1]. > > > [1]: https://github.com/diafygi/acme-tiny/compare/5a7b4e7...4ed1395 I plan to address that, but I also want to notify the admin when the agreement changes. And I need to make acme-core with just acme-tiny less the tiny cron scripts I supplied. And maybe even acme-httpd and acme-nginx. acme-tiny-0.2-3.20170516gitaf025f5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. acme-tiny-0.2-3.20170516gitaf025f5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report. acme-tiny-0.2-3.20170516gitaf025f5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report. acme-tiny-0.2-3.20170516gitaf025f5.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. acme-tiny-0.2-3.20170516gitaf025f5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: acme-tiny fails because Let's encrypt have changed the agreements URL Version-Release number of selected component (if applicable): acme-tiny-0.2-1.20170516gitaf025f5.fc26.noarch How reproducible: $ sudo -u acme /usr/libexec/acme-tiny/sign 7 Actual results: acme_tiny --account-key private/account.key --csr csr/letsencrypt.csr --acme-dir /var/www/challenges/ --chain --out certs/letsencrypt.crt Parsing account key... Parsing CSR... Registering account... Error registering: 400 b'{\n "type": "urn:acme:error:malformed",\n "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",\n "status": 400\n}' Additional info: Upstream done this change: https://github.com/diafygi/acme-tiny/commit/c4940d229a296b7643e86d2e9ab31a6e0099ba71