[Bug 2018252] Re: [SRU] Fix invalid CSR version in python-acme

Mathias Ertl 2018252 at bugs.launchpad.net
Sat May 27 12:10:08 UTC 2023


Hello Steve,

I was able to verify the fix in both Focal and Jammy:

* For both distributions, I verified the test-plan as above.
* For Focal, I tested 1.1.0-1 vs. 1.1.0-1ubuntu0.1.
* For Jammy, I tested 1.21.0-1 vs. 1.21.0-1ubuntu0.1.

Additionally, for both distributions, I tested certbot in a Docker image
to validate that the old version indeed triggers the bug, and updating
to the new version in proposed indeed fixes the issue. I used the
procedure described in my own cryptography-based ACMEv2
implementation[1] (with a minor modification to use the appropriate
distribution) to run the full certificate validation and issuance
processes using certbot. In both cases, this looked like this (note that
certbot is configured to use the local ACMEv2 server via configuration
file, output trimmed for brevity):

  root@certbot:~# dpkg-query --showformat='${Version}\n' --show  python3-acme
  1.1.0-1
  root@certbot:~# certbot register
  ...
  root@certbot:~# django-ca-test-validation.sh http http-01.example.com
  + certbot certonly --standalone --preferred-challenges http -d http-01.example.com
  ...
  An unexpected error occurred:
  The CSR is unacceptable (e.g., due to a short key) :: Invalid CSR version.
  
  # add -proposed as described in the docs

  root@certbot:~# dpkg-query --showformat='${Version}\n' --show  python3-acme
  1.1.0-1ubuntu0.1

  root@certbot:~# django-ca-test-validation.sh http http-01.example.com
  + certbot certonly --standalone --preferred-challenges http -d http-01.example.com
  ...
  Waiting for verification...
  Cleaning up challenges

  IMPORTANT NOTES:
   - Congratulations! Your certificate and chain have been saved at:
  ...

I hope this properly confirms the fix and this is speedily released.

kr, Mat

[1] https://django-ca.readthedocs.io/en/latest/dev/acme.html

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to a duplicate bug report (2018260).
https://bugs.launchpad.net/bugs/2018252

Title:
  [SRU] Fix invalid CSR version in python-acme

Status in python-acme package in Ubuntu:
  Fix Released
Status in python-acme source package in Focal:
  Fix Committed
Status in python-acme source package in Jammy:
  Fix Committed

Bug description:
  [ Impact ]

  This bug causes certbot to generate CSRs which are invalid. These CSRs
  are then sent to ACME servers or otherwise parsed. Some software
  validates CSR validity more aggressively, which means it will reject
  these CSRs.

  The principal motivation for backporting this fix is to stop certbot
  from generating CSRs. This will both alleviate bugs experienced by
  users, as well as reduce pressure on CSR parsers to accept _invalid_
  CSRs.

  [ Test plan ]

  See https://bugs.launchpad.net/ubuntu/+source/python-
  acme/+bug/2018252/comments/11 for complete test plan including links
  to assets.

  [ Where problems could occur ]

  For a problem to occur, it would require software that not only
  accepted, but in fact _required_, an invalid CSR, and which also did
  not process CSRs from recent versions of certbot or versions from
  Debian or RHEL containing the backport.

  The worst-case scenario for such software would be something that
  copied the version value from a CSR into a certificate it was issuing
  (CSRs have only a single valid version, v1. X.509 certificates can be
  either v1 or v3; however, in practice v3 is the only version in use).
  Such software would end up producing different (and less
  correct/compatible) certificates. I am not aware of any software with
  this behavior.

  A more likely (though still improbable) bug would be software which
  merely asserts that the CSR's version is something incorrect.
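As an added example, not code from the bug report or from python-acme, here is a check of the one field this bug concerns: the version INTEGER at the start of a PKCS#10 CSR, which RFC 2986 fixes at 0 (v1). It parses just enough DER to reach that field and accepts either DER or PEM input. The sample CSRs are constructed stand-ins, and the non-zero value used for the bad sample is an assumption; the report does not say which value the affected releases wrote.

```python
import base64
import re

# RFC 2986: CertificationRequestInfo.version is INTEGER { v1(0) }; 0 is the only valid value.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END CERTIFICATE REQUEST-----", re.S)

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value starting at pos; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def csr_version(data: bytes) -> int:
    """Return the version INTEGER of a PKCS#10 CSR given as DER or PEM bytes (0 is the only valid value)."""
    m = PEM_RE.search(data)
    if m:
        data = base64.b64decode(b"".join(m.group(1).split()))
    tag, outer, _ = _read_tlv(data, 0)          # CertificationRequest ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("CSR must start with a SEQUENCE")
    tag, info, _ = _read_tlv(outer, 0)          # certificationRequestInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("certificationRequestInfo must be a SEQUENCE")
    tag, version, _ = _read_tlv(info, 0)        # version is its first element
    if tag != 0x02:
        raise ValueError("version must be an INTEGER")
    return int.from_bytes(version, "big", signed=True)

def _tlv(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder, used only to build the constructed samples below."""
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def _fake_csr(version: int) -> bytes:
    """Constructed stand-in for a CSR: only the version field is realistic; the filler forces long-form lengths."""
    info = _tlv(0x02, bytes([version])) + _tlv(0x04, b"\x00" * 200)
    return _tlv(0x30, _tlv(0x30, info))

GOOD_CSR = _fake_csr(0)  # v1, what a conforming CSR carries
BAD_CSR = _fake_csr(2)   # a non-zero version of the kind the bug describes (the exact value is an assumption)
GOOD_CSR_PEM = b"-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(GOOD_CSR) + b"-----END CERTIFICATE REQUEST-----\n"
```

To check a real request written by certbot, pass the bytes of its `.csr` file to `csr_version` and treat anything other than 0 as the defect this SRU fixes.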
