Version in base suite: 0.8.0-2 Base version: lacme_0.8.0-2 Target version: lacme_0.8.0-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lacme/lacme_0.8.0-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lacme/lacme_0.8.0-2+deb11u1.dsc changelog | 11 + gbp.conf | 2 patches/client-Handle-ready-processing-valid-status-change-during.patch | 76 ++++++++++ patches/series | 1 4 files changed, 89 insertions(+), 1 deletion(-)
diff -Nru lacme-0.8.0/debian/changelog lacme-0.8.0/debian/changelog
--- lacme-0.8.0/debian/changelog 2021-05-03 23:37:13.000000000 +0000
+++ lacme-0.8.0/debian/changelog 2023-04-28 08:25:54.000000000 +0000
@@ -1,3 +1,14 @@
+lacme (0.8.0-2+deb11u1) bullseye; urgency=medium
+
+ * client: Handle "ready" → "processing" → "valid" status change during
+ newOrder, instead of just "ready" → "valid". The latter may be what we
+ observe when the server is fast enough, but according to RFC 8555 sec.
+ 7.1.6 the state actually transitions via "processing" and we need to
+ account for that (closes: #1034834).
+ * d/gbp.conf: Set 'debian-branch = debian/bullseye'.
+
+ -- Guilhem Moulin Fri, 28 Apr 2023 10:25:54 +0200
+
 lacme (0.8.0-2) unstable; urgency=medium * d/lacme.postrm: Don't delete system users on purge. There might be files
diff -Nru lacme-0.8.0/debian/gbp.conf lacme-0.8.0/debian/gbp.conf
--- lacme-0.8.0/debian/gbp.conf 2021-05-03 23:37:13.000000000 +0000
+++ lacme-0.8.0/debian/gbp.conf 2023-04-28 08:25:54.000000000 +0000
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = upstream
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 upstream-tag = v%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = False
diff -Nru lacme-0.8.0/debian/patches/client-Handle-ready-processing-valid-status-change-during.patch lacme-0.8.0/debian/patches/client-Handle-ready-processing-valid-status-change-during.patch
--- lacme-0.8.0/debian/patches/client-Handle-ready-processing-valid-status-change-during.patch 1970-01-01 00:00:00.000000000 +0000
+++ lacme-0.8.0/debian/patches/client-Handle-ready-processing-valid-status-change-during.patch 2023-04-28 08:25:54.000000000 +0000
@@ -0,0 +1,76 @@
+From: Guilhem Moulin
+Date: Tue, 25 Apr 2023 10:51:36 +0200
+Subject: =?utf-8?q?client=3A_Handle_=22ready=22_=E2=86=92_=22processing=22_?=
+ =?utf-8?q?=E2=86=92_=22valid=22_status_change_during_newOrder=2E?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Instead of just "ready" → "valid", which may be what we observe when the
+server is fast enough, but according to RFC 8555 sec. 7.1.6 the state
+actually transitions via "processing" state and we need to account for
+that.
+
+It appears Let's Encrypt staging environment now has different timing
+conditions and lacme is unable to request certificates due to this
+issue.
+
+Thanks to Alexander Borkowski for the report!
+
+Bug-Debian: https://bugs.debian.org/1034834
+---
+ client | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/client b/client
+index fdef865..4d4d129 100755
+--- a/client
++++ b/client
+@@ -351,11 +351,12 @@ elsif ($COMMAND eq 'newOrder') {
+ }
+
+ # poll the order URL (to get the status of all challenges at once)
+- # until the status become 'valid'
++ # until the status become 'valid'; see RFC 8555 sec. 7.1.6 for the
++ # the status change flow
+ my $orderstr = join(', ', map {uc($_->{type}) .":". 
$_->{value}} @identifiers);
+ my $certuri;
+- for (my $i = 0;;) {
+- my $r = acme($orderurl);
++ for (my $i = 0, my $url = $orderurl, my $payload;;) {
++ my $r = acme($url => $payload);
+ my $resp = request_json_decode($r);
+ if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807)
+ my $msg = $problem->{status};
+@@ -366,19 +367,21 @@ elsif ($COMMAND eq 'newOrder') {
+ my $status = $resp->{status};
+ if (!defined $status or $status eq "invalid") {
+ die "Error: Invalid order $orderstr\n";
+- }
+- elsif ($status eq "ready") {
+- my $r = acme($order->{finalize}, {csr => encode_base64url($csr)});
+- my $resp = request_json_decode($r);
+- $certuri = $resp->{certificate};
+- last;
+- }
+- elsif ($status eq "valid") {
++ } elsif ($status eq "pending") {
++ # keep retrying
++ } elsif ($status eq "ready") {
++ $url = $order->{finalize};
++ $payload = {csr => encode_base64url($csr)};
++ # retry after moving to "processing" or "valid" state
++ next;
++ } elsif ($status eq "processing") {
++ $url = $orderurl;
++ undef $payload;
++ } elsif ($status eq "valid") {
+ $certuri = $resp->{certificate} //
+ die "Error: Missing \"certificate\" field in \"valid\" order\n";
+ last;
+- }
+- elsif ($status ne "pending" and $status ne "processing") {
++ } else {
+ warn "Unknown order status: $status\n";
+ }
+
diff -Nru lacme-0.8.0/debian/patches/series lacme-0.8.0/debian/patches/series
--- lacme-0.8.0/debian/patches/series 2021-05-03 23:37:13.000000000 +0000
+++ lacme-0.8.0/debian/patches/series 2023-04-28 08:25:54.000000000 +0000
@@ -1 +1,2 @@
 Mention-the-Debian-BTS-in-the-manpages.patch
+client-Handle-ready-processing-valid-status-change-during.patch
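Review bot: In the second `client` hunk of the added patch, the new "ready" branch ends in `next`, which returns straight to `acme($url => $payload)` with the finalize URL and skips whatever follows the `if`/`elsif` chain; that tail (presumably the retry delay and timeout accounting) lies outside the hunk, so this is inferred rather than shown. If the server answers the finalize POST with an order that still reports "ready", the client would re-submit the CSR in a tight loop with no pause and no bound. Making finalize a one-shot step closes that, e.g. as the first statement of the branch: `die "Error: Order $orderstr still \"ready\" after finalize\n" if defined $payload;`. The "pending" and unknown-status branches also leave `$url` and `$payload` untouched, so after a finalize attempt they would repeat the POST instead of polling `$orderurl`; resetting both there, as the "processing" branch does, would keep polling read-only.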