[pkg-go] Bug#1003872: lego: RFC2136 unusable on Debian Bullseye

Laura Smith n5d9xq3ti233xiyif2vp at protonmail.ch
Mon Jan 17 11:42:55 GMT 2022


Package: lego
Version: 3.2.0-3.1+b5
Severity: important
X-Debbugs-Cc: n5d9xq3ti233xiyif2vp at pm.me

Dear Maintainer,

The version of lego installed by default on Debian Bullseye (i.e. via apt-get install lego) is totally unusable with RFC2136.

Please see the outputs below. The first block is from the "apt-get install lego" version of lego. The second block is from the latest version downloaded from the Releases section of the official Lego GitHub account. No other changes were made except for the different Lego versions. As you can see, the "built-in" version failed; the newer version worked.

Please urgently update the distro bundled version of Lego !!!!!


#########
######### apt-get install lego
#########


RFC2136_NAMESERVER=REMOVED_FOR_SECURITY RFC2136_TSIG_ALGORITHM=hmac-sha512 RFC2136_TSIG_KEY=REMOVED_FOR_SECURITY RFC2136_TSIG_SECRET=REMOVED_FOR_SECURITY lego -k rsa2048 --dns rfc2136 --email REMOVED_FOR_SECURITY --dns rfc2136 --domains REMOVED_FOR_SECURITY run
2022/01/17 11:18:31 [INFO] [REMOVED_FOR_SECURITY] acme: Obtaining bundled SAN certificate
2022/01/17 11:18:32 [INFO] [REMOVED_FOR_SECURITY] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/69168346090
2022/01/17 11:18:32 [INFO] [REMOVED_FOR_SECURITY] acme: Could not find solver for: tls-alpn-01
2022/01/17 11:18:32 [INFO] [REMOVED_FOR_SECURITY] acme: Could not find solver for: http-01
2022/01/17 11:18:32 [INFO] [REMOVED_FOR_SECURITY] acme: use dns-01 solver
2022/01/17 11:18:32 [INFO] [REMOVED_FOR_SECURITY] acme: Preparing to solve DNS-01
2022/01/17 11:18:42 [INFO] [REMOVED_FOR_SECURITY] acme: Cleaning DNS-01 challenge
2022/01/17 11:18:42 [WARN] [REMOVED_FOR_SECURITY] acme: error cleaning up: rfc2136: failed to remove: DNS update failed: dns: domain must be fully qualified
2022/01/17 11:18:42 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/69168346090
2022/01/17 11:18:42 Could not obtain certificates:
	acme: Error -> One or more domains had a problem:
[REMOVED_FOR_SECURITY] [REMOVED_FOR_SECURITY] acme: error presenting token: rfc2136: failed to insert: unexpected response code 'REFUSED' for REMOVED_FOR_SECURITY.


#########
######### FROM LEGO Github Release
#########

$ rm -rf /home/REMOVED_FOR_SECURITY/.lego
$ tar zxvf lego_v4.5.3_linux_amd64.tar.gz
$ RFC2136_NAMESERVER= REMOVED_FOR_SECURITY RFC2136_TSIG_ALGORITHM=hmac-sha512 RFC2136_TSIG_KEY=REMOVED_FOR_SECURITY RFC2136_TSIG_SECRET=REMOVED_FOR_SECURITY ./lego -k rsa2048 --dns rfc2136 --email REMOVED_FOR_SECURITY --dns rfc2136 --domains REMOVED_FOR_SECURITY run
2022/01/17 11:21:26 No key found for account REMOVED_FOR_SECURITY. Generating a 2048 key.
2022/01/17 11:21:26 Saved key to /home/REMOVED_FOR_SECURITY/tmp/.lego/accounts/acme-v02.api.letsencrypt.org/REMOVED_FOR_SECURITY
2022/01/17 11:21:38 Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you accept the TOS? Y/n
y
2022/01/17 11:21:39 [INFO] acme: Registering account for REMOVED_FOR_SECURITY
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/home/REMOVED_FOR_SECURITY/tmp/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2022/01/17 11:21:40 [INFO] [REMOVED_FOR_SECURITY] acme: Obtaining bundled SAN certificate
2022/01/17 11:21:40 [INFO] [REMOVED_FOR_SECURITY] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/69169060960
2022/01/17 11:21:40 [INFO] [REMOVED_FOR_SECURITY] acme: Could not find solver for: tls-alpn-01
2022/01/17 11:21:40 [INFO] [REMOVED_FOR_SECURITY] acme: Could not find solver for: http-01
2022/01/17 11:21:40 [INFO] [REMOVED_FOR_SECURITY] acme: use dns-01 solver
2022/01/17 11:21:40 [INFO] [REMOVED_FOR_SECURITY] acme: Preparing to solve DNS-01
2022/01/17 11:21:45 [INFO] [REMOVED_FOR_SECURITY] acme: Trying to solve DNS-01
2022/01/17 11:21:45 [INFO] [REMOVED_FOR_SECURITY] acme: Checking DNS record propagation using [REMOVED_FOR_SECURITY]
2022/01/17 11:21:47 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2022/01/17 11:21:52 [INFO] [REMOVED_FOR_SECURITY] The server validated our request
2022/01/17 11:21:52 [INFO] [REMOVED_FOR_SECURITY] acme: Cleaning DNS-01 challenge
2022/01/17 11:21:52 [INFO] [REMOVED_FOR_SECURITY] acme: Validations succeeded; requesting certificates
2022/01/17 11:21:53 [INFO] [REMOVED_FOR_SECURITY] Server responded with a certificate.


-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-10-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lego depends on:
ii  ca-certificates  20210119
ii  libc6            2.31-13+deb11u2

lego recommends no packages.

lego suggests no packages.

-- no debconf information


