diff --git a/.travis.yml b/.travis.yml index 52595c111..1eee09898 100644 --- a/.travis.yml +++ b/.travis.yml @@ -276,8 +276,11 @@ notifications: email: false irc: channels: - - secure: "SGWZl3ownKx9xKVV2VnGt7DqkTmutJ89oJV9tjKhSs84kLijU6EYdPnllqISpfHMTxXflNZuxtGo0wTDYHXBuZL47w1O32W6nzuXdra5zC+i4sYQwYULUsyfOv9gJX8zWAULiK0Z3r0oho45U+FR5ZN6TPCidi8/eGU+EEPwaAw=" + # This is set to a secure variable to prevent forks from sending + # notifications. This value was created by installing + # https://github.com/travis-ci/travis.rb and running + # `travis encrypt "chat.freenode.net#certbot-devel"`. + - secure: "EWW66E2+KVPZyIPR8ViENZwfcup4Gx3/dlimmAZE0WuLwxDCshBBOd3O8Rf6pBokEoZlXM5eDT6XdyJj8n0DLslgjO62pExdunXpbcMwdY7l1ELxX2/UbnDTE6UnPYa09qVBHNG7156Z6yE0x2lH4M9Ykvp0G0cubjPQHylAwo0=" on_cancel: never on_success: never on_failure: always - use_notice: true diff --git a/AUTHORS.md b/AUTHORS.md index 6ee739bc0..0e8d88a4d 100644 --- a/AUTHORS.md +++ b/AUTHORS.md @@ -75,6 +75,7 @@ Authors * [Fabian](https://github.com/faerbit) * [Faidon Liambotis](https://github.com/paravoid) * [Fan Jiang](https://github.com/tcz001) +* [Felix Lechner](https://github.com/lechner) * [Felix Schwarz](https://github.com/FelixSchwarz) * [Felix Yan](https://github.com/felixonmars) * [Filip Ochnik](https://github.com/filipochnik) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3cc3ff41f..83e62c792 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,12 +16,16 @@ Certbot adheres to [Semantic Versioning](https://semver.org/). ### Fixed -* +* Renewal parameter `webroot_path` is always saved, avoiding some regressions + when `webroot` authenticator plugin is invoked with no challenge to perform. +* Scripts in Certbot hook directories are no longer executed when their + filenames end in a tilde. Despite us having broken lockstep, we are continuing to release new versions of all Certbot components during releases for the time being, however, the only package with changes other than its version number was: +* certbot * certbot-dns-rfc2136 More details about these changes can be found on our GitHub repo. diff --git a/certbot-ci/certbot_integration_tests/utils/misc.py b/certbot-ci/certbot_integration_tests/utils/misc.py index 4647a229e..2144b9cee 100644 --- a/certbot-ci/certbot_integration_tests/utils/misc.py +++ b/certbot-ci/certbot_integration_tests/utils/misc.py @@ -23,8 +23,6 @@ from cryptography.hazmat.primitives.asymmetric import ec from cryptography.hazmat.primitives.serialization import Encoding, PrivateFormat, NoEncryption from six.moves import socketserver, SimpleHTTPServer -from acme import crypto_util - RSA_KEY_TYPE = 'rsa' ECDSA_KEY_TYPE = 'ecdsa' @@ -250,13 +248,20 @@ def generate_csr(domains, key_path, csr_path, key_type=RSA_KEY_TYPE): else: raise ValueError('Invalid key type: {0}'.format(key_type)) - key_bytes = crypto.dump_privatekey(crypto.FILETYPE_PEM, key) - with open(key_path, 'wb') as file: - file.write(key_bytes) + with open(key_path, 'wb') as file_h: + file_h.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key)) - csr_bytes = crypto_util.make_csr(key_bytes, domains) - with open(csr_path, 'wb') as file: - file.write(csr_bytes) + req = crypto.X509Req() + san = ', '.join(['DNS:{0}'.format(item) for item in domains]) + san_constraint = crypto.X509Extension(b'subjectAltName', False, san.encode('utf-8')) + req.add_extensions([san_constraint]) + + req.set_pubkey(key) + req.set_version(2) + req.sign(key, 'sha256') + + with open(csr_path, 'wb') as file_h: + file_h.write(crypto.dump_certificate_request(crypto.FILETYPE_ASN1, req)) def read_certificate(cert_path): diff --git a/certbot-ci/setup.py b/certbot-ci/setup.py index 88372bffc..eecbe2887 100644 --- a/certbot-ci/setup.py +++ b/certbot-ci/setup.py @@ -5,7 +5,6 @@ from setuptools import find_packages version = '0.32.0.dev0' install_requires = [ - 'acme', 'coverage', 'cryptography', 'pyopenssl', diff --git a/certbot-dns-route53/setup.py b/certbot-dns-route53/setup.py index ab9bc4d06..09cd4acd2 100644 --- a/certbot-dns-route53/setup.py +++ b/certbot-dns-route53/setup.py @@ -6,11 +6,6 @@ version = '0.35.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. install_requires = [ - # boto3 requires urllib<1.25 while requests 2.22+ requires urllib<1.26 - # Since pip lacks a real dependency graph resolver, it will peak the constraint only from - # requests, and install urllib==1.25.2. Setting an explicit dependency here solves the issue. - # Check https://github.com/boto/botocore/issues/1733 for resolution in botocore. - 'urllib3<1.25', 'acme>=0.29.0', 'certbot>=0.34.0', 'boto3', diff --git a/certbot/cli.py b/certbot/cli.py index 866b64aa6..b7c021ed4 100644 --- a/certbot/cli.py +++ b/certbot/cli.py @@ -1453,7 +1453,7 @@ def _plugins_parsing(helpful, plugins): "using DNSimple for DNS).")) helpful.add(["plugins", "certonly"], "--dns-dnsmadeeasy", action="store_true", default=flag_default("dns_dnsmadeeasy"), - help=("Obtain certificates using a DNS TXT record (if you are" + help=("Obtain certificates using a DNS TXT record (if you are " "using DNS Made Easy for DNS).")) helpful.add(["plugins", "certonly"], "--dns-gehirn", action="store_true", default=flag_default("dns_gehirn"), diff --git a/certbot/hooks.py b/certbot/hooks.py index 7de846ae4..34e06e0a3 100644 --- a/certbot/hooks.py +++ b/certbot/hooks.py @@ -266,5 +266,6 @@ def list_hooks(dir_path): :rtype: sorted list of absolute paths to executables in dir_path """ - paths = (os.path.join(dir_path, f) for f in os.listdir(dir_path)) - return sorted(path for path in paths if util.is_exe(path)) + allpaths = (os.path.join(dir_path, f) for f in os.listdir(dir_path)) + hooks = [path for path in allpaths if util.is_exe(path) and not path.endswith('~')] + return sorted(hooks) diff --git a/certbot/plugins/webroot_test.py b/certbot/plugins/webroot_test.py index 3a902b91f..bca1045d8 100644 --- a/certbot/plugins/webroot_test.py +++ b/certbot/plugins/webroot_test.py @@ -295,6 +295,19 @@ class WebrootActionTest(unittest.TestCase): self.assertEqual( config.webroot_map[self.achall.domain], self.path) + def test_webroot_map_partial_without_perform(self): + # This test acknowledges the fact that webroot_map content will be partial if webroot + # plugin perform method is not invoked (corner case when all auths are already valid). + # To not be a problem, the webroot_path must always been conserved during renew. + # This condition is challenged by: + # certbot.tests.renewal_tests::RenewalTest::test_webroot_params_conservation + # See https://github.com/certbot/certbot/pull/7095 for details. + other_webroot_path = tempfile.mkdtemp() + args = self.parser.parse_args("-w {0} -d {1} -w {2} -d bar".format( + self.path, self.achall.domain, other_webroot_path).split()) + self.assertEqual(args.webroot_map, {self.achall.domain: self.path}) + self.assertEqual(args.webroot_path, [self.path, other_webroot_path]) + def _get_config_after_perform(self, config): from certbot.plugins.webroot import Authenticator auth = Authenticator(config, "webroot") diff --git a/certbot/renewal.py b/certbot/renewal.py index f932269b6..4b4a5a082 100644 --- a/certbot/renewal.py +++ b/certbot/renewal.py @@ -106,11 +106,11 @@ def _restore_webroot_config(config, renewalparams): restoring logic is not able to correctly parse it from the serialized form. """ - if "webroot_map" in renewalparams: - if not cli.set_by_cli("webroot_map"): - config.webroot_map = renewalparams["webroot_map"] - elif "webroot_path" in renewalparams: - logger.debug("Ancient renewal conf file without webroot-map, restoring webroot-path") + if "webroot_map" in renewalparams and not cli.set_by_cli("webroot_map"): + config.webroot_map = renewalparams["webroot_map"] + # To understand why webroot_path and webroot_map processing are not mutually exclusive, + # see https://github.com/certbot/certbot/pull/7095 + if "webroot_path" in renewalparams and not cli.set_by_cli("webroot_path"): wp = renewalparams["webroot_path"] if isinstance(wp, six.string_types): # prior to 0.1.0, webroot_path was a string wp = [wp] diff --git a/certbot/tests/hook_test.py b/certbot/tests/hook_test.py index 2a3742aa2..2ed7d4229 100644 --- a/certbot/tests/hook_test.py +++ b/certbot/tests/hook_test.py @@ -480,6 +480,12 @@ class ListHooksTest(util.TempDirTestCase): self.assertEqual(self._call(self.tempdir), [name]) + def test_ignore_tilde(self): + name = os.path.join(self.tempdir, "foo~") + create_hook(name) + + self.assertEqual(self._call(self.tempdir), []) + def create_hook(file_path): """Creates an executable file at the specified path. diff --git a/certbot/tests/renewal_test.py b/certbot/tests/renewal_test.py index dac585239..e33869e13 100644 --- a/certbot/tests/renewal_test.py +++ b/certbot/tests/renewal_test.py @@ -28,6 +28,29 @@ class RenewalTest(test_util.ConfigTestCase): renewal._restore_webroot_config(config, renewalparams) self.assertEqual(config.webroot_path, ['/var/www/']) + @mock.patch('certbot.renewal.cli.set_by_cli') + def test_webroot_params_conservation(self, mock_set_by_cli): + # For more details about why this test is important, see: + # certbot.plugins.webroot_test::WebrootActionTest::test_webroot_map_partial_without_perform + from certbot import renewal + mock_set_by_cli.return_value = False + + renewalparams = { + 'webroot_map': {'test.example.com': '/var/www/test'}, + 'webroot_path': ['/var/www/test', '/var/www/other'], + } + renewal._restore_webroot_config(self.config, renewalparams) # pylint: disable=protected-access + self.assertEqual(self.config.webroot_map, {'test.example.com': '/var/www/test'}) + self.assertEqual(self.config.webroot_path, ['/var/www/test', '/var/www/other']) + + renewalparams = { + 'webroot_map': {}, + 'webroot_path': '/var/www/test', + } + renewal._restore_webroot_config(self.config, renewalparams) # pylint: disable=protected-access + self.assertEqual(self.config.webroot_map, {}) + self.assertEqual(self.config.webroot_path, ['/var/www/test']) + class RestoreRequiredConfigElementsTest(test_util.ConfigTestCase): """Tests for certbot.renewal.restore_required_config_elements.""" @@ -89,5 +112,6 @@ class RestoreRequiredConfigElementsTest(test_util.ConfigTestCase): self.assertRaises( errors.Error, self._call, self.config, renewalparams) + if __name__ == "__main__": unittest.main() # pragma: no cover diff --git a/docs/cli-help.txt b/docs/cli-help.txt index 3e5fdc53b..f65384bbc 100644 --- a/docs/cli-help.txt +++ b/docs/cli-help.txt @@ -454,8 +454,8 @@ plugins: using DigitalOcean for DNS). (default: False) --dns-dnsimple Obtain certificates using a DNS TXT record (if you are using DNSimple for DNS). (default: False) - --dns-dnsmadeeasy Obtain certificates using a DNS TXT record (if you - areusing DNS Made Easy for DNS). (default: False) + --dns-dnsmadeeasy Obtain certificates using a DNS TXT record (if you are + using DNS Made Easy for DNS). (default: False) --dns-gehirn Obtain certificates using a DNS TXT record (if you are using Gehirn Infrastracture Service for DNS). (default: False) diff --git a/tests/letstest/apache2_targets.yaml b/tests/letstest/apache2_targets.yaml index 60a40366a..44faf8027 100644 --- a/tests/letstest/apache2_targets.yaml +++ b/tests/letstest/apache2_targets.yaml @@ -1,8 +1,8 @@ targets: #----------------------------------------------------------------------------- #Ubuntu - - ami: ami-064bd2d44a1d6c097 - name: ubuntu18.10 + - ami: ami-08ab45c4343f5f5c6 + name: ubuntu19.04 type: ubuntu virt: hvm user: ubuntu diff --git a/tests/letstest/targets.yaml b/tests/letstest/targets.yaml index ab861b39e..1ca605b5d 100644 --- a/tests/letstest/targets.yaml +++ b/tests/letstest/targets.yaml @@ -1,8 +1,8 @@ targets: #----------------------------------------------------------------------------- #Ubuntu - - ami: ami-064bd2d44a1d6c097 - name: ubuntu18.10 + - ami: ami-08ab45c4343f5f5c6 + name: ubuntu19.04 type: ubuntu virt: hvm user: ubuntu