[Bug 2018252] Re: [SRU] Fix invalid CSR version in python-acme

Mathias Ertl 2018252 at bugs.launchpad.net
Wed May 24 20:15:19 UTC 2023


Hi,

I attached a docker-compose.yml file and a Dockerfile packed as a
tarball that allow you to reproduce this issue.

The docker-compose.yml file starts pebble (the ACMEv2 demo server
provided by Let's Encrypt) and is copied from [1] and extended to also
add a Dockerfile that can start certbot. It requires that you have
Docker Compose installed [2].

To reproduce, first extract the tarball and cd to ubuntu-2018252/:

  $ tar xf ubuntu-2018252.tar.gz
  $ cd ubuntu-2018252/

Then, start the setup with Ubuntu Jammy. A certificate will be retrieved
automatically after five seconds in csr/:

  $ DIST=jammy docker compose build
  $ docker compose up

Quit the container and try the same with lunar:

  $ DIST=lunar docker compose build
  $ docker compose up

Now see the (ordered) CSRs retrieved:

  $ ls csr/
  0000_csr-certbot.pem  0001_csr-certbot.pem

... and see that the CSR version differs between the first (Jammy)
and second (Lunar):

  $ openssl req -in csr/0000_csr-certbot.pem -noout -text | head -n 3
  Certificate Request:
      Data:
          Version: Unknown (2)

  $ openssl req -in csr/0001_csr-certbot.pem -noout -text | head -n 3
  Certificate Request:
      Data:
          Version: 1 (0x0)

You can then also start the container manually and run certbot (e.g.
after applying a patch):

  $ docker compose run certbot /bin/bash
  # certbot certonly --standalone -n -d example.com -m user@example.com --agree-tos --server https://pebble:14000/dir
  ... 

I hope this helps and we can finally get this trivial patch into
affected distributions.

Thanks, Mat

[1] https://github.com/letsencrypt/pebble
[2] https://docs.docker.com/compose/install/

** Attachment added: "ubuntu-2018252.tar.gz"
   https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/2018252/+attachment/5675469/+files/ubuntu-2018252.tar.gz


Title:
  [SRU] Fix invalid CSR version in python-acme

Status in python-acme package in Ubuntu:
  Fix Released
Status in python-acme source package in Focal:
  Confirmed
Status in python-acme source package in Jammy:
  Incomplete

Bug description:
  [ Impact ]

  This bug causes certbot to generate CSRs which are invalid. These CSRs
  are then sent to ACME servers or otherwise parsed. Some software
  validates CSR validity more aggressively, which means it will reject
  these CSRs.

  The principal motivation for backporting this fix is to stop certbot
  from generating CSRs. This will both alleviate bugs experienced by
  users, as well as reduce pressure on CSR parsers to accept _invalid_
  CSRs.

  [ Test plan ]

  The patch contains a unit test that verifies the patch itself works
  correctly. It has been present in certbot upstream since the 1.29.0
  release. Further, the fix was backported to both Debian and RHEL.
  Therefore, it has received substantial burn-in and is extremely
  unlikely to regress anything.

  [ Where problems could occur ]

  For a problem to occur, it would require software that not only
  accepted, but in fact _required_, an invalid CSR, and which also did
  not process CSRs from recent versions of certbot or versions from
  Debian or RHEL containing the backport.

  The worst-case scenario for such software would be something that
  copied the version value from a CSR into a certificate it was issuing
  (CSRs have only a single valid version, v1. X.509 certificates can be
  either v1 or v3, however in practice v3 is the only version in use).
  Such software would end up producing different (and less
  correct/compatible) certificates. I am not aware of any software with
  this behavior.

  A more likely (though still improbable) bug would be software which
  merely asserts that the CSR's version is something incorrect.
