Description: Fix incorrect CSR version
  Certain strict implementations of the ACME API deny all version numbers except
  that defined in the RFC (version 0). To accommodate, unilaterally set it to 0.
Author: Amir Omidi
Origin: https://github.com/certbot/certbot/pull/9334/
Bug-Debian: https://bugs.debian.org/1025891
Acked-By: Harlan Lieberman-Berg <hlieberman@debian.org>
Index: python-acme/acme/crypto_util.py
===================================================================
--- python-acme.orig/acme/crypto_util.py
+++ python-acme/acme/crypto_util.py
@@ -213,7 +213,8 @@ def make_csr(private_key_pem, domains, m
             value=b"DER:30:03:02:01:05"))
     csr.add_extensions(extensions)
     csr.set_pubkey(private_key)
-    csr.set_version(2)
+    # RFC 2986 Section 4.1 only defines version 0
+    csr.set_version(0)
     csr.sign(private_key, 'sha256')
     return crypto.dump_certificate_request(
         crypto.FILETYPE_PEM, csr)
Index: python-acme/tests/crypto_util_test.py
===================================================================
--- python-acme.orig/tests/crypto_util_test.py
+++ python-acme/tests/crypto_util_test.py
@@ -244,6 +244,14 @@ class MakeCSRTest(unittest.TestCase):
             self.assertEqual(len(must_staple_exts), 1,
                 "Expected exactly one Must Staple extension")
 
+    def test_make_csr_correct_version(self):
+        csr_pem = self._call_with_key(["a.example"])
+        csr = OpenSSL.crypto.load_certificate_request(
+            OpenSSL.crypto.FILETYPE_PEM, csr_pem)
+
+        self.assertEqual(csr.get_version(), 0,
+                         "Expected CSR version to be v1 (encoded as 0), per RFC 2986, section 4")
+
 
 class DumpPyopensslChainTest(unittest.TestCase):
     """Test for dump_pyopenssl_chain."""