229016 – LibreSSL breaks certbot renewal of certificates issued since April

Bug 229016 - LibreSSL breaks certbot renewal of certificates issued since April

Summary: LibreSSL breaks certbot renewal of certificates issued since April

Status:	New

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Bernard Spil

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-06-14 19:39 UTC by K J Petrie
Modified:	2018-06-15 00:13 UTC (History)
CC List:	0 users

See Also:

Flags:	bugzilla: maintainer-feedback? (brnrd)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description K J Petrie 2018-06-14 19:39:46 UTC

If security/certbot and its dependencies are compiled against security/libressl, renewal of certificates issued since late March by Let's Encrypt fails with the message:
"The <ObjectIdentifier(oid=1.3.6.1.4.1.11129.2.4.2, name=Unknown OID)> extension is invalid and can’t be parsed. Skipping.
All renewal attempts failed. The following certs could not be renewed:"

This is caused by Let's Encrypt adding an extension to the certificate which is not recognised by LibreSSL.

To reproduce:

ensure LibreSSL is in use for certbot's dependencies and enter:

"certbot renew --dry-run".

Comment 1 K J Petrie 2018-06-15 00:13:59 UTC

Has this bug just bitten the forum? Its cert has expired.