Bug 229016

Summary: LibreSSL breaks certbot renewal of certificates issued since April
Product: Ports & Packages
Reporter: K J Petrie <freebsd-bugzilla.bugs>
Component: Individual Port(s)
Assignee: Bernard Spil <brnrd>
Status: Closed FIXED
Severity: Affects Some People
Flags: bugzilla: maintainer-feedback? (brnrd)
Priority: ---
Version: Latest
Hardware: Any
OS: Any

Description K J Petrie 2018-06-14 19:39:46 UTC
If security/certbot and its dependencies are compiled against security/libressl, renewal of certificates issued since late March by Let's Encrypt fails with the message:
"The <ObjectIdentifier(oid=1.3.6.1.4.1.11129.2.4.2, name=Unknown OID)> extension is invalid and can’t be parsed. Skipping.
All renewal attempts failed. The following certs could not be renewed:"

This is caused by Let's Encrypt adding an extension to the certificate which is not recognised by LibreSSL.

To reproduce:

ensure LibreSSL is in use for certbot's dependencies and enter:

"certbot renew --dry-run".
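An added example, not part of the bug report: the "Unknown OID" in the message above is just the dotted form of a DER-encoded OBJECT IDENTIFIER that the TLS library has no name for. The script below encodes and decodes that OID in DER (the SCT extension bytes are constructed here from the OID quoted in the report) and looks it up in a small, hypothetical table; the mapping of 1.3.6.1.4.1.11129.2.4.2 to the Certificate Transparency SCT list extension is the RFC 6962 registration, not something stated on this page.

```python
from typing import Dict, List, Tuple

# Hypothetical lookup table for this example; the first entry is the
# RFC 6962 Signed Certificate Timestamp list extension OID.
KNOWN_EXTENSIONS: Dict[str, str] = {
    "1.3.6.1.4.1.11129.2.4.2": "Signed Certificate Timestamp list (RFC 6962)",
    "2.5.29.17": "subjectAltName",
    "2.5.29.19": "basicConstraints",
}

# Constructed for this example: DER encoding of the OID quoted in the report.
SCT_OID_DER = bytes.fromhex("060a2b06010401d679020402")


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (tag 0x06, short-form length only)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share a byte
    for arc in arcs[2:]:
        groups: List[int] = []  # 7-bit groups, least significant first
        while True:
            groups.append(arc & 0x7F)
            arc >>= 7
            if arc == 0:
                break
        for g in reversed(groups[1:]):  # continuation bit on all but the last
            body.append(0x80 | g)
        body.append(groups[0])
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der: bytes) -> Tuple[str, int]:
    """Decode one DER OBJECT IDENTIFIER; return (dotted string, bytes consumed)."""
    if len(der) < 2 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = der[1]
    if length & 0x80 or length == 0:
        raise ValueError("unsupported or empty OID length")
    body = der[2:2 + length]
    if len(body) != length or body[-1] & 0x80:
        raise ValueError("truncated OID")
    first_arc = min(body[0] // 40, 2)  # arcs >= 80 belong to the 2.x tree
    arcs = [first_arc, body[0] - 40 * first_arc]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs)), 2 + length


def identify_extension(der: bytes) -> str:
    """Map a DER OID to a human-readable extension name, mirroring the TLS library's fallback."""
    dotted, _ = decode_oid(der)
    return KNOWN_EXTENSIONS.get(dotted, f"Unknown OID {dotted}")


if __name__ == "__main__":
    print(identify_extension(SCT_OID_DER))
```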
Comment 1 K J Petrie 2018-06-15 00:13:59 UTC
Has this bug just bitten the forum? Its cert has expired.
Comment 2 Bernard Spil freebsd_committer 2020-07-11 20:27:03 UTC
Is this still an issue with later versions of LibreSSL?

PR will be closed "Not Enough Information" by the end of July.

(FWIW: I advise acme.sh over py-certbot. Too many dependencies in certbot)
Comment 3 K J Petrie 2020-07-11 20:44:48 UTC
I don't know. I changed certbot's configuration to use openssl rather than libressl the day I reported the bug and have not investigated any further.