Merge branch 'master' into update-fedora-ami

2026-06-04 22:33:00 -04:00 · 2019-05-30 17:30:25 -07:00 · 2019-05-30 17:30:25 -07:00 · 0aa482d896
commit 0aa482d896
parent ba7a2ab9f0 641aba68b1
15 changed files with 82 additions and 31 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -276,8 +276,11 @@ notifications:
  email: false
  irc:
    channels:
-      - secure: "SGWZl3ownKx9xKVV2VnGt7DqkTmutJ89oJV9tjKhSs84kLijU6EYdPnllqISpfHMTxXflNZuxtGo0wTDYHXBuZL47w1O32W6nzuXdra5zC+i4sYQwYULUsyfOv9gJX8zWAULiK0Z3r0oho45U+FR5ZN6TPCidi8/eGU+EEPwaAw="
+      # This is set to a secure variable to prevent forks from sending
+      # notifications. This value was created by installing
+      # https://github.com/travis-ci/travis.rb and running
+      # `travis encrypt "chat.freenode.net#certbot-devel"`.
+      - secure: "EWW66E2+KVPZyIPR8ViENZwfcup4Gx3/dlimmAZE0WuLwxDCshBBOd3O8Rf6pBokEoZlXM5eDT6XdyJj8n0DLslgjO62pExdunXpbcMwdY7l1ELxX2/UbnDTE6UnPYa09qVBHNG7156Z6yE0x2lH4M9Ykvp0G0cubjPQHylAwo0="
    on_cancel: never
    on_success: never
    on_failure: always
-    use_notice: true
--- a/AUTHORS.md
+++ b/AUTHORS.md
@ -75,6 +75,7 @@ Authors
 * [Fabian](https://github.com/faerbit)
 * [Faidon Liambotis](https://github.com/paravoid)
 * [Fan Jiang](https://github.com/tcz001)
+* [Felix Lechner](https://github.com/lechner)
 * [Felix Schwarz](https://github.com/FelixSchwarz)
 * [Felix Yan](https://github.com/felixonmars)
 * [Filip Ochnik](https://github.com/filipochnik)
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -16,12 +16,16 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).

 ### Fixed

-*
+* Renewal parameter `webroot_path` is always saved, avoiding some regressions
+  when `webroot` authenticator plugin is invoked with no challenge to perform.
+* Scripts in Certbot hook directories are no longer executed when their
+  filenames end in a tilde.

 Despite us having broken lockstep, we are continuing to release new versions of
 all Certbot components during releases for the time being, however, the only
 package with changes other than its version number was:

+* certbot
 * certbot-dns-rfc2136

 More details about these changes can be found on our GitHub repo.
--- a/certbot-ci/certbot_integration_tests/utils/misc.py
+++ b/certbot-ci/certbot_integration_tests/utils/misc.py
@ -23,8 +23,6 @@ from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.serialization import Encoding, PrivateFormat, NoEncryption
 from six.moves import socketserver, SimpleHTTPServer

-from acme import crypto_util
-

 RSA_KEY_TYPE = 'rsa'
 ECDSA_KEY_TYPE = 'ecdsa'
@ -250,13 +248,20 @@ def generate_csr(domains, key_path, csr_path, key_type=RSA_KEY_TYPE):
    else:
        raise ValueError('Invalid key type: {0}'.format(key_type))

-    key_bytes = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
-    with open(key_path, 'wb') as file:
-        file.write(key_bytes)
+    with open(key_path, 'wb') as file_h:
+        file_h.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))

-    csr_bytes = crypto_util.make_csr(key_bytes, domains)
-    with open(csr_path, 'wb') as file:
-        file.write(csr_bytes)
+    req = crypto.X509Req()
+    san = ', '.join(['DNS:{0}'.format(item) for item in domains])
+    san_constraint = crypto.X509Extension(b'subjectAltName', False, san.encode('utf-8'))
+    req.add_extensions([san_constraint])
+
+    req.set_pubkey(key)
+    req.set_version(2)
+    req.sign(key, 'sha256')
+
+    with open(csr_path, 'wb') as file_h:
+        file_h.write(crypto.dump_certificate_request(crypto.FILETYPE_ASN1, req))


 def read_certificate(cert_path):
--- a/certbot-ci/setup.py
+++ b/certbot-ci/setup.py
@ -5,7 +5,6 @@ from setuptools import find_packages
 version = '0.32.0.dev0'

 install_requires = [
-    'acme',
    'coverage',
    'cryptography',
    'pyopenssl',
--- a/certbot-dns-route53/setup.py
+++ b/certbot-dns-route53/setup.py
@ -6,11 +6,6 @@ version = '0.35.0.dev0'
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
-    # boto3 requires urllib<1.25 while requests 2.22+ requires urllib<1.26
-    # Since pip lacks a real dependency graph resolver, it will peak the constraint only from
-    # requests, and install urllib==1.25.2. Setting an explicit dependency here solves the issue.
-    # Check https://github.com/boto/botocore/issues/1733 for resolution in botocore.
-    'urllib3<1.25',
    'acme>=0.29.0',
    'certbot>=0.34.0',
    'boto3',
--- a/certbot/cli.py
+++ b/certbot/cli.py
@ -1453,7 +1453,7 @@ def _plugins_parsing(helpful, plugins):
                      "using DNSimple for DNS)."))
    helpful.add(["plugins", "certonly"], "--dns-dnsmadeeasy", action="store_true",
                default=flag_default("dns_dnsmadeeasy"),
-                help=("Obtain certificates using a DNS TXT record (if you are"
+                help=("Obtain certificates using a DNS TXT record (if you are "
                      "using DNS Made Easy for DNS)."))
    helpful.add(["plugins", "certonly"], "--dns-gehirn", action="store_true",
                default=flag_default("dns_gehirn"),
--- a/certbot/hooks.py
+++ b/certbot/hooks.py
@ -266,5 +266,6 @@ def list_hooks(dir_path):
    :rtype: sorted list of absolute paths to executables in dir_path

    """
-    paths = (os.path.join(dir_path, f) for f in os.listdir(dir_path))
-    return sorted(path for path in paths if util.is_exe(path))
+    allpaths = (os.path.join(dir_path, f) for f in os.listdir(dir_path))
+    hooks = [path for path in allpaths if util.is_exe(path) and not path.endswith('~')]
+    return sorted(hooks)
--- a/certbot/plugins/webroot_test.py
+++ b/certbot/plugins/webroot_test.py
@ -295,6 +295,19 @@ class WebrootActionTest(unittest.TestCase):
        self.assertEqual(
            config.webroot_map[self.achall.domain], self.path)

+    def test_webroot_map_partial_without_perform(self):
+        # This test acknowledges the fact that webroot_map content will be partial if webroot
+        # plugin perform method is not invoked (corner case when all auths are already valid).
+        # To not be a problem, the webroot_path must always been conserved during renew.
+        # This condition is challenged by:
+        # certbot.tests.renewal_tests::RenewalTest::test_webroot_params_conservation
+        # See https://github.com/certbot/certbot/pull/7095 for details.
+        other_webroot_path = tempfile.mkdtemp()
+        args = self.parser.parse_args("-w {0} -d {1} -w {2} -d bar".format(
+            self.path, self.achall.domain, other_webroot_path).split())
+        self.assertEqual(args.webroot_map, {self.achall.domain: self.path})
+        self.assertEqual(args.webroot_path, [self.path, other_webroot_path])
+
    def _get_config_after_perform(self, config):
        from certbot.plugins.webroot import Authenticator
        auth = Authenticator(config, "webroot")
--- a/certbot/renewal.py
+++ b/certbot/renewal.py
@ -106,11 +106,11 @@ def _restore_webroot_config(config, renewalparams):
    restoring logic is not able to correctly parse it from the serialized
    form.
    """
-    if "webroot_map" in renewalparams:
-        if not cli.set_by_cli("webroot_map"):
-            config.webroot_map = renewalparams["webroot_map"]
-    elif "webroot_path" in renewalparams:
-        logger.debug("Ancient renewal conf file without webroot-map, restoring webroot-path")
+    if "webroot_map" in renewalparams and not cli.set_by_cli("webroot_map"):
+        config.webroot_map = renewalparams["webroot_map"]
+    # To understand why webroot_path and webroot_map processing are not mutually exclusive,
+    # see https://github.com/certbot/certbot/pull/7095
+    if "webroot_path" in renewalparams and not cli.set_by_cli("webroot_path"):
        wp = renewalparams["webroot_path"]
        if isinstance(wp, six.string_types):  # prior to 0.1.0, webroot_path was a string
            wp = [wp]
--- a/certbot/tests/hook_test.py
+++ b/certbot/tests/hook_test.py
@ -480,6 +480,12 @@ class ListHooksTest(util.TempDirTestCase):

        self.assertEqual(self._call(self.tempdir), [name])

+    def test_ignore_tilde(self):
+        name = os.path.join(self.tempdir, "foo~")
+        create_hook(name)
+
+        self.assertEqual(self._call(self.tempdir), [])
+

 def create_hook(file_path):
    """Creates an executable file at the specified path.
--- a/certbot/tests/renewal_test.py
+++ b/certbot/tests/renewal_test.py
@ -28,6 +28,29 @@ class RenewalTest(test_util.ConfigTestCase):
        renewal._restore_webroot_config(config, renewalparams)
        self.assertEqual(config.webroot_path, ['/var/www/'])

+    @mock.patch('certbot.renewal.cli.set_by_cli')
+    def test_webroot_params_conservation(self, mock_set_by_cli):
+        # For more details about why this test is important, see:
+        # certbot.plugins.webroot_test::WebrootActionTest::test_webroot_map_partial_without_perform
+        from certbot import renewal
+        mock_set_by_cli.return_value = False
+
+        renewalparams = {
+            'webroot_map': {'test.example.com': '/var/www/test'},
+            'webroot_path': ['/var/www/test', '/var/www/other'],
+        }
+        renewal._restore_webroot_config(self.config, renewalparams)  # pylint: disable=protected-access
+        self.assertEqual(self.config.webroot_map, {'test.example.com': '/var/www/test'})
+        self.assertEqual(self.config.webroot_path, ['/var/www/test', '/var/www/other'])
+
+        renewalparams = {
+            'webroot_map': {},
+            'webroot_path': '/var/www/test',
+        }
+        renewal._restore_webroot_config(self.config, renewalparams)  # pylint: disable=protected-access
+        self.assertEqual(self.config.webroot_map, {})
+        self.assertEqual(self.config.webroot_path, ['/var/www/test'])
+

 class RestoreRequiredConfigElementsTest(test_util.ConfigTestCase):
    """Tests for certbot.renewal.restore_required_config_elements."""
@ -89,5 +112,6 @@ class RestoreRequiredConfigElementsTest(test_util.ConfigTestCase):
        self.assertRaises(
            errors.Error, self._call, self.config, renewalparams)

+
 if __name__ == "__main__":
    unittest.main()  # pragma: no cover
--- a/docs/cli-help.txt
+++ b/docs/cli-help.txt
@ -454,8 +454,8 @@ plugins:
                        using DigitalOcean for DNS). (default: False)
  --dns-dnsimple        Obtain certificates using a DNS TXT record (if you are
                        using DNSimple for DNS). (default: False)
-  --dns-dnsmadeeasy     Obtain certificates using a DNS TXT record (if you
-                        areusing DNS Made Easy for DNS). (default: False)
+  --dns-dnsmadeeasy     Obtain certificates using a DNS TXT record (if you are
+                        using DNS Made Easy for DNS). (default: False)
  --dns-gehirn          Obtain certificates using a DNS TXT record (if you are
                        using Gehirn Infrastracture Service for DNS).
                        (default: False)
--- a/tests/letstest/apache2_targets.yaml
+++ b/tests/letstest/apache2_targets.yaml
@ -1,8 +1,8 @@
 targets:
  #-----------------------------------------------------------------------------
  #Ubuntu
-  - ami: ami-064bd2d44a1d6c097
-    name: ubuntu18.10
+  - ami: ami-08ab45c4343f5f5c6
+    name: ubuntu19.04
    type: ubuntu
    virt: hvm
    user: ubuntu
--- a/tests/letstest/targets.yaml
+++ b/tests/letstest/targets.yaml
@ -1,8 +1,8 @@
 targets:
  #-----------------------------------------------------------------------------
  #Ubuntu
-  - ami: ami-064bd2d44a1d6c097
-    name: ubuntu18.10
+  - ami: ami-08ab45c4343f5f5c6
+    name: ubuntu19.04
    type: ubuntu
    virt: hvm
    user: ubuntu