Bug 1515781
Summary: | Let's Encrypt have updated the agreement URL | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jonny Heggheim <hegjon> |
Component: | acme-tiny | Assignee: | Stuart D Gathman <stuart> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 26 | CC: | diafygi, stuart |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | acme-tiny-0.2-3.20170516gitaf025f5.fc27 acme-tiny-0.2-3.20170516gitaf025f5.el7 acme-tiny-0.2-3.20170516gitaf025f5.fc26 acme-tiny-0.2-3.20170516gitaf025f5.fc25 acme-tiny-0.2-3.20170516gitaf025f5.el6 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-12-12 11:16:50 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Jonny Heggheim
2017-11-21 11:44:02 UTC
Changing the URL fixed the issue:

    [root@demo40 nginx]# diff /usr/sbin/acme_tiny /usr/sbin/acme_tiny.old
    85c85
    < "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
    ---
    > "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
    [root@demo40 nginx]# sudo -u acme /usr/libexec/acme-tiny/sign 7 acme_tiny --account-key private/account.key --csr csr/letsencrypt.csr --acme-dir /var/www/challenges/ --chain --out certs/letsencrypt.crt
    Parsing account key...
    Parsing CSR...
    Registering account...
    Registered!
    Verifying demo40.zegeba.net...
    demo40.zegeba.net verified!
    Signing certificate...
    Certificate signed!

Wow. That is going to be a maintenance headache!

I agree, I am surprised that upstream have not fixed this before now. Would it be possible to update the package by adding a patch that changes the URL until upstream does a new release? Would also be great if we can reduce the time in Bodhi. The Ansible openssl_certificate module[1] will produce an empty file as the certificate, since it also uses acme-tiny, lots of time wasted on debugging...

[1] http://docs.ansible.com/ansible/latest/openssl_certificate_module.html

Just changing the URL is the right fix at the moment. For the mini-wrapper I provide (soon to be split from acme-core), I think it should notify the admin when the agreement changes and require intervention. You never know what could be in the new agreement...

One simple approach is a special notification for the agreement change problem, and the admin can edit acme-tiny or update the package (if changed there).

acme-tiny-0.2-3.20170516gitaf025f5.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-532467503a

acme-tiny-0.2-3.20170516gitaf025f5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0180e6bed2

acme-tiny-0.2-3.20170516gitaf025f5.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-3e288b6e4d

acme-tiny-0.2-3.20170516gitaf025f5.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-35d7ea827a

acme-tiny-0.2-3.20170516gitaf025f5.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-914865416c

Ideally, when the url changes, it should download the agreement, notify the admin, and hold off on renewals until the admin signs off. Maybe by touching a file.

@Stuart I fixed this upstream so that the terms are dynamically fetched[1].

[1]: https://github.com/diafygi/acme-tiny/compare/5a7b4e7...4ed1395

acme-tiny-0.2-3.20170516gitaf025f5.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-914865416c

acme-tiny-0.2-3.20170516gitaf025f5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-35d7ea827a

acme-tiny-0.2-3.20170516gitaf025f5.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-3e288b6e4d

acme-tiny-0.2-3.20170516gitaf025f5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0180e6bed2

acme-tiny-0.2-3.20170516gitaf025f5.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-532467503a

(In reply to Daniel Roesler from comment #13)
> @Stuart I fixed this upstream so that the terms are dynamically fetched[1].
>
> [1]: https://github.com/diafygi/acme-tiny/compare/5a7b4e7...4ed1395

I plan to address that, but I also want to notify the admin when the agreement changes. And I need to make acme-core with just acme-tiny less the tiny cron scripts I supplied. And maybe even acme-httpd and acme-nginx.

acme-tiny-0.2-3.20170516gitaf025f5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

acme-tiny-0.2-3.20170516gitaf025f5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

acme-tiny-0.2-3.20170516gitaf025f5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

acme-tiny-0.2-3.20170516gitaf025f5.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

acme-tiny-0.2-3.20170516gitaf025f5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
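
The two ideas raised in the comments above (read the terms URL from the ACME directory instead of hard-coding it, and hold renewals until the admin signs off on a changed agreement) can be combined as follows. This is an added example, not code from acme-tiny or the Fedora package; the `approved.json` and `pending.json` file names, the state directory and the `ca.example` URLs are assumptions, and the directory and agreement bodies are passed in as arguments so it runs offline.

```python
import hashlib
import json
import os
import tempfile

def current_terms_url(directory_json):
    """Return the agreement URL advertised in an ACME directory document."""
    meta = json.loads(directory_json).get("meta", {})
    # ACME v1 directories use "terms-of-service"; RFC 8555 uses "termsOfService".
    url = meta.get("terms-of-service") or meta.get("termsOfService")
    if not isinstance(url, str) or not url.startswith("https://"):
        raise ValueError("directory has no https terms-of-service URL")
    return url

def check_agreement(directory_json, agreement_bytes, state_dir):
    """Return (ok_to_renew, url); hold renewals until the admin signs off.

    Assumed layout: this function writes pending.json when the terms differ
    from approved.json; the admin approves by moving pending.json over it.
    """
    url = current_terms_url(directory_json)
    seen = {"url": url, "sha256": hashlib.sha256(agreement_bytes).hexdigest()}
    try:
        with open(os.path.join(state_dir, "approved.json")) as f:
            approved = json.load(f)
    except (OSError, ValueError):
        approved = None  # nothing approved yet, or file unreadable
    if approved == seen:
        return True, url
    # New URL, or same URL with different content: record it and hold off.
    with open(os.path.join(state_dir, "pending.json"), "w") as f:
        json.dump(seen, f)
    return False, url

def demo():
    # Constructed directory documents and agreement bodies, not real CA data.
    old_dir = json.dumps({"meta": {"terms-of-service": "https://ca.example/terms-v1.pdf"}})
    new_dir = json.dumps({"meta": {"terms-of-service": "https://ca.example/terms-v2.pdf"}})
    with tempfile.TemporaryDirectory() as d:
        first = check_agreement(old_dir, b"terms v1", d)    # never approved
        os.replace(os.path.join(d, "pending.json"), os.path.join(d, "approved.json"))
        second = check_agreement(old_dir, b"terms v1", d)   # admin signed off
        third = check_agreement(new_dir, b"terms v2", d)    # URL changed
    return first[0], second[0], third[0]

if __name__ == "__main__":
    print(demo())
```

A cron wrapper would call `check_agreement` before invoking the signing step and send its notification whenever the first element of the result is false.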