Bug 2010217 - Update certbot in EPEL7 for --preferred-chain
Summary: Update certbot in EPEL7 for --preferred-chain
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: certbot
Version: epel7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Felix Schwarz
QA Contact: Fedora Extras Quality Assurance
Depends On: 1797129
TreeView+ depends on / blocked
Reported: 2021-10-04 08:39 UTC by Pim Rupert
Modified: 2021-10-16 21:07 UTC (History)
9 users (show)

Fixed In Version: certbot-1.11.0-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-10-16 21:07:01 UTC
Type: Bug

Attachments (Terms of Use)

Description Pim Rupert 2021-10-04 08:39:26 UTC
No updates were released after 1.11.0 (#1913017) for EPEL7. 

I want to use the --preferred-chain option in certbot, can you please update to 1.12 or higher?

Comment 1 Felix Schwarz 2021-10-04 20:53:36 UTC
The problem is that certbot 1.12 requires Python 3. EPEL ships all certbot plugins this creates a pretty impressive dependency tree. I had two fix/tweak/adapt roughly two dozen packages to get all the required plugins. Unfortunately the project stalled about 4 months ago as I did not have enough free time to finish the transition but most pieces are actually in place already.

If you only need certbot (or certbot-nginx/a few select plugins) and you could try my COPR repo: https://copr.fedorainfracloud.org/coprs/fschwarz/certbot-python3-epel7/ .
However that COPR was only meant for my packaging experiments so no actual deployment testing. The stuff that was built should work but this is really not tested like the usual certbot updates you get via EPEL. Also certbot-apache is not yet available in my copr (missing Python 3 version for augeas).

I have to admit that I missed the problem that certbot 1.11 does not support "--preferred-chain". If you need a fix within the next weeks the best way forward is likely to use a custom virtualenv and install certbot there until EPEL 7 packages are ready. If you only use packages which I already built successfully (https://copr.fedorainfracloud.org/coprs/fschwarz/certbot-python3-epel7/builds/) and the machine is not really critical you could try my COPR and check if everything is working.

I'll try to get the transition in the next weeks but there are a lot of packages involved so I can't promise a quick solution.

Comment 2 Brad Warren 2021-10-05 14:20:29 UTC
Sorry for the unexpected trouble here Felix. I also overlooked that EPEL 7 didn't get this feature, partially because I didn't think there'd be as much demand for it as there seems to be.

While I do think that fully upgrading Certbot is a better long term solution (although we still don't know how long we plan to keep Python 3.6 support as we started discussing at https://bugzilla.redhat.com/show_bug.cgi?id=1813670), backporting this feature shouldn't be too bad if you'd like to go that route in the short term. The diff would be the PR at https://github.com/certbot/certbot/pull/8596.

If you'd like to talk about this option more, please don't hesitate to contact me/us. See https://community.letsencrypt.org/t/patch-1-11-0-with-preferred-chain-from-1-12/162064 for more info.

Comment 3 Brad Warren 2021-10-05 14:31:33 UTC
Whoops. I just realized you're not going to be able to access that community.letsencrypt.org link as it's a private thread, however, I don't think there's anything relevant for you there other than the other information I put in my previous post.

Comment 4 Felix Schwarz 2021-10-07 20:53:40 UTC
I guess adding just that one patch is the best solution we can provide to EPEL 7 users right now. I applied to patch locally to v1.11.0 and the test suite passes. Is that just it or do you remember follow-up fixes for that feature?

Comment 5 Felix Schwarz 2021-10-07 21:13:55 UTC
As it is quite late here I created a COPR containing only a patched certbot: https://copr.fedorainfracloud.org/coprs/fschwarz/certbot-v1.11-epel7/

I'd be glad if someone could check if "--preferred-chain" works as expected with that package. Once that is confirmed I can push an update to EPEL 7.

Comment 6 Brad Warren 2021-10-07 22:10:33 UTC
Thanks a lot Felix. Things look good to me.

Certbot's code was patched in the way I expect and I confirmed that --preferred-chain works when using the package from your COPR repo. (That is, when you issue a certificate from Let's Encrypt's server with --preferred-chain 'ISRG Root X1' set on the command line, /etc/letsencrypt/live/<certname>/chain.pem contains 1 certificate instead of 2.)

Comment 7 Fedora Update System 2021-10-08 07:12:43 UTC
FEDORA-EPEL-2021-6906f3091d has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-6906f3091d

Comment 8 Felix Schwarz 2021-10-08 07:13:22 UTC
Hi Brad, thank you so much for your support + testing.

Comment 9 Fedora Update System 2021-10-09 00:57:37 UTC
FEDORA-EPEL-2021-6906f3091d has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-6906f3091d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2021-10-16 21:07:01 UTC
FEDORA-EPEL-2021-6906f3091d has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.