[Letsencrypt-devel] Bug#855962: acme-tiny: fail to parse openssl 1.1 CSR output
Aurelien Jarno
aurel32 at debian.org
Thu Feb 23 20:53:07 UTC 2017
Package: acme-tiny
Version: 20160801-1
Severity: serious
openssl 1.1 slightly changed the way the Subject of a certificate
request is formatted:
- Subject: CN=foobar.domain.net
+ Subject: CN = foobar.domain.net
This causes acme-tiny to fail to get the domain from certificate requests
without SAN. This in turn causes the certificate signing to be rejected
by letsencrypt with error urn:acme:error:unauthorized unless it has been
validated relatively recently.
Here is a possible patch to make it compatible with both openssl 1.0 and
1.1:
--- a/acme_tiny.py
+++ b/acme_tiny.py
@@ -69,7 +69,7 @@
if proc.returncode != 0:
raise IOError("Error loading {0}: {1}".format(csr, err))
domains = set([])
- common_name = re.search(r"Subject:.*? CN=([^\s,;/]+)", out.decode('utf8'))
+ common_name = re.search(r"Subject:.*? CN\s*=\s*([^\s,;/]+)", out.decode('utf8'))
if common_name is not None:
domains.add(common_name.group(1))
subject_alt_names = re.search(r"X509v3 Subject Alternative Name: \n +([^\n]+)\n", out.decode('utf8'), re.MULTILINE|re.DOTALL)
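Review bot: in the new pattern on the `+` line, `\s*` on either side of `=` also matches newlines, so a Subject line that ends right after `CN =` would let the capture group take the first token of the following line as a domain. Restricting the optional whitespace to spaces and tabs, for example `CN[ \t]*=[ \t]*([^\s,;/]+)`, keeps the match on the Subject line while still accepting both the openssl 1.0 and 1.1 formats. A short comment above the line naming the two formats being matched would also help the next reader.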
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages acme-tiny depends on:
ii openssl 1.1.0d-2
ii python3-pkg-resources 33.1.1-1
pn python3:any <none>
acme-tiny recommends no packages.
acme-tiny suggests no packages.
-- no debconf information