Bug 229016 - LibreSSL breaks certbot renewal of certificates issued since April
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Bernard Spil
Reported: 2018-06-14 19:39 UTC by K J Petrie
Modified: 2018-06-15 00:13 UTC (History)
bugzilla: maintainer-feedback? (brnrd)

Description K J Petrie 2018-06-14 19:39:46 UTC
If security/certbot and its dependencies are compiled against security/libressl, renewal of certificates issued since late March by Let's Encrypt fails with the message:
"The <ObjectIdentifier(oid=1.3.6.1.4.1.11129.2.4.2, name=Unknown OID)> extension is invalid and can’t be parsed. Skipping.
All renewal attempts failed. The following certs could not be renewed:"

This is caused by Let's Encrypt adding an extension to the certificate which is not recognised by LibreSSL.

To reproduce:

Ensure LibreSSL is in use for certbot's dependencies and enter:

"certbot renew --dry-run".
Comment 1 K J Petrie 2018-06-15 00:13:59 UTC
Has this bug just bitten the forum? Its cert has expired.