Bug 1515781 - Let's encrypt have updated the agreement URL
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: acme-tiny
Version: 26
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Stuart D Gathman
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-21 11:44 UTC by Jonny Heggheim
Modified: 2017-12-12 17:32 UTC

Fixed In Version: acme-tiny-0.2-3.20170516gitaf025f5.fc27 acme-tiny-0.2-3.20170516gitaf025f5.el7 acme-tiny-0.2-3.20170516gitaf025f5.fc26 acme-tiny-0.2-3.20170516gitaf025f5.fc25 acme-tiny-0.2-3.20170516gitaf025f5.el6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-12 11:16:50 UTC



Description Jonny Heggheim 2017-11-21 11:44:02 UTC
Description of problem:
acme-tiny fails because Let's encrypt have changed the agreements URL

Version-Release number of selected component (if applicable):
acme-tiny-0.2-1.20170516gitaf025f5.fc26.noarch

How reproducible:

$ sudo -u acme /usr/libexec/acme-tiny/sign 7

Actual results:
acme_tiny --account-key private/account.key --csr csr/letsencrypt.csr --acme-dir /var/www/challenges/ --chain --out certs/letsencrypt.crt
Parsing account key...
Parsing CSR...
Registering account...
Error registering: 400 b'{\n  "type": "urn:acme:error:malformed",\n  "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",\n  "status": 400\n}'



Additional info:
Upstream has made this change: https://github.com/diafygi/acme-tiny/commit/c4940d229a296b7643e86d2e9ab31a6e0099ba71

Comment 1 Jonny Heggheim 2017-11-21 12:07:49 UTC
Changing the URL fixed the issue:

[root@demo40 nginx]# diff /usr/sbin/acme_tiny /usr/sbin/acme_tiny.old
85c85
<         "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
---
>         "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
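Review bot: The replacement for line 85 (the "<" side, since the edited file is the first argument to diff) drops the trailing comma that the original "agreement" line carried. The run that follows shows the script still parses, but keeping the comma would limit the change to the URL string itself. The new value is also still a hard-coded literal, so registration will be rejected the same way at the next revision of the agreement.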
[root@demo40 nginx]# sudo -u acme /usr/libexec/acme-tiny/sign 7
acme_tiny --account-key private/account.key --csr csr/letsencrypt.csr --acme-dir /var/www/challenges/ --chain --out certs/letsencrypt.crt
Parsing account key...
Parsing CSR...
Registering account...
Registered!
Verifying demo40.zegeba.net...
demo40.zegeba.net verified!
Signing certificate...
Certificate signed!

Comment 2 Stuart D Gathman 2017-11-21 15:12:20 UTC
Wow.  That is going to be a maintenance headache!

Comment 3 Jonny Heggheim 2017-11-21 15:16:19 UTC
I agree, I am surprised that upstream have not fixed this before now.

Comment 4 Jonny Heggheim 2017-11-21 15:19:41 UTC
Would it be possible to update the package by adding a patch that changes the URL until upstream does a new release? Would also be great if we can reduce the time in Bodhi.

Comment 5 Jonny Heggheim 2017-11-21 15:22:57 UTC
The Ansible openssl_certificate module[1] will produce an empty file as the certificate, since it also uses acme-tiny, lots of time wasted on debugging...


[1] http://docs.ansible.com/ansible/latest/openssl_certificate_module.html

Comment 6 Stuart D Gathman 2017-11-21 15:34:54 UTC
Just changing the URL is the right fix at the moment.  For the mini-wrapper I provide (soon to be split from acme-core), I think it should notify the admin when the agreement changes and require intervention.  You never know what could be in the new agreement...

One simple approach is a special notification for the agreement change problem, and the admin can edit acme-tiny or update the package (if changed there).

Comment 7 Fedora Update System 2017-11-23 05:09:27 UTC
acme-tiny-0.2-3.20170516gitaf025f5.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-532467503a

Comment 8 Fedora Update System 2017-11-23 05:09:39 UTC
acme-tiny-0.2-3.20170516gitaf025f5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0180e6bed2

Comment 9 Fedora Update System 2017-11-23 05:09:49 UTC
acme-tiny-0.2-3.20170516gitaf025f5.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-3e288b6e4d

Comment 10 Fedora Update System 2017-11-23 05:09:59 UTC
acme-tiny-0.2-3.20170516gitaf025f5.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-35d7ea827a

Comment 11 Fedora Update System 2017-11-23 05:10:10 UTC
acme-tiny-0.2-3.20170516gitaf025f5.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-914865416c

Comment 12 Stuart D Gathman 2017-11-23 06:27:46 UTC
Ideally, when the url changes, it should download the agreement, notify the admin, and hold off on renewals until the admin signs off.  Maybe by touching a file.
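
The hold-until-sign-off behaviour proposed in comments 6 and 12, as an added example (not code from acme-tiny or the Fedora package). It parses the error body quoted in the bug description; the function names, the marker-file naming and the letsencrypt.org prefix check are assumptions made for illustration.

```python
import hashlib
import json
import re
from pathlib import Path

# Constructed sample: the 400 body quoted in the bug description.
SAMPLE_ERROR = json.dumps({
    "type": "urn:acme:error:malformed",
    "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] "
              "does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
    "status": 400,
})

_MISMATCH = re.compile(
    r"Provided agreement URL \[(?P<provided>[^\]]+)\] "
    r"does not match current agreement URL \[(?P<current>[^\]]+)\]")

def agreement_change(body):
    """Return (provided, current) if body is an agreement-mismatch error, else None."""
    try:
        err = json.loads(body)
    except ValueError:
        return None
    if not isinstance(err, dict) or err.get("type") != "urn:acme:error:malformed":
        return None
    m = _MISMATCH.search(str(err.get("detail", "")))
    return (m.group("provided"), m.group("current")) if m else None

def approval_marker(state_dir, url):
    """Hypothetical marker file the admin touches to accept one specific agreement URL."""
    return Path(state_dir) / ("agreed-" + hashlib.sha256(url.encode()).hexdigest()[:16])

def renewal_decision(body, state_dir):
    """Decide what a cron wrapper should do after a failed registration."""
    change = agreement_change(body)
    if change is None:
        return ("fail", None)      # unrelated error: report it as usual
    current = change[1]
    # Assumed policy: only offer URLs under the CA's documents path for approval.
    if not current.startswith("https://letsencrypt.org/documents/"):
        return ("fail", None)
    if approval_marker(state_dir, current).exists():
        return ("retry", current)  # admin signed off: retry with the new URL
    return ("hold", current)       # notify the admin and skip renewals for now
```

Because the marker name is derived from the URL, an approval given for one agreement version does not carry over to the next one.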

Comment 13 Daniel Roesler 2017-11-24 08:30:35 UTC
@Stuart I fixed this upstream so that the terms are dynamically fetched[1].


[1]: https://github.com/diafygi/acme-tiny/compare/5a7b4e7...4ed1395

Comment 14 Fedora Update System 2017-11-24 23:23:07 UTC
acme-tiny-0.2-3.20170516gitaf025f5.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-914865416c

Comment 15 Fedora Update System 2017-11-25 00:35:33 UTC
acme-tiny-0.2-3.20170516gitaf025f5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-35d7ea827a

Comment 16 Fedora Update System 2017-11-25 00:53:37 UTC
acme-tiny-0.2-3.20170516gitaf025f5.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-3e288b6e4d

Comment 17 Fedora Update System 2017-11-25 01:34:30 UTC
acme-tiny-0.2-3.20170516gitaf025f5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0180e6bed2

Comment 18 Fedora Update System 2017-11-25 05:23:02 UTC
acme-tiny-0.2-3.20170516gitaf025f5.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-532467503a

Comment 19 Stuart D Gathman 2017-11-29 23:27:08 UTC
(In reply to Daniel Roesler from comment #13)
> @Stuart I fixed this upstream so that the terms are dynamically fetched[1].
> 
> 
> [1]: https://github.com/diafygi/acme-tiny/compare/5a7b4e7...4ed1395

I plan to address that, but I also want to notify the admin when the agreement changes.  And I need to make acme-core with just acme-tiny less the tiny cron scripts I supplied.  And maybe even acme-httpd and acme-nginx.

Comment 20 Fedora Update System 2017-12-12 11:16:50 UTC
acme-tiny-0.2-3.20170516gitaf025f5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2017-12-12 12:23:20 UTC
acme-tiny-0.2-3.20170516gitaf025f5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2017-12-12 13:40:23 UTC
acme-tiny-0.2-3.20170516gitaf025f5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2017-12-12 14:38:25 UTC
acme-tiny-0.2-3.20170516gitaf025f5.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2017-12-12 17:32:59 UTC
acme-tiny-0.2-3.20170516gitaf025f5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

