[Bug 229016] LibreSSL breaks certbot renewal of certificates issued since April

Thu Jun 14 19:39:49 UTC 2018

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229016

            Bug ID: 229016
           Summary: LibreSSL breaks certbot renewal of certificates issued
                    since April
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: brnrd at freebsd.org
          Reporter: freebsd-bugzilla.bugs at kjpetrie.co.uk
             Flags: maintainer-feedback?(brnrd at freebsd.org)
          Assignee: brnrd at freebsd.org

If security/certbot and its dependencies are compiled against
security/libressl, renewal of certificates issued since late March by Let's
Encrypt fails with the message:
"The <ObjectIdentifier(oid=1.3.6.1.4.1.11129.2.4.2, name=Unknown OID)>
extension is invalid and can’t be parsed. Skipping.
All renewal attempts failed. The following certs could not be renewed:"

This is caused by Let's Encrypt adding an extension to the certificate which is
not recognised by LibreSSL.

To reproduce:

ensure LibreSSL is in use for certbot's dependencies and enter:

"certbot renew --dry-run".

-- 
You are receiving this mail because:
You are the assignee for the bug.