From 8a15bd7927e2b8956bb1f4d062423e471e473ccf Mon Sep 17 00:00:00 2001
From: Alex Zorin
Date: Thu, 21 May 2020 22:58:40 +1000
Subject: [PATCH 1/2] renewal: disregard acme-v01 in renewal configs

Fixes #7979
---
 certbot/certbot/_internal/constants.py | 2 ++
 certbot/certbot/_internal/renewal.py | 17 +++++++++++++++--
 certbot/tests/renewal_test.py | 8 ++++++++
 3 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/certbot/certbot/_internal/constants.py b/certbot/certbot/_internal/constants.py
index 9a2220e0b..af6531fe8 100644
--- a/certbot/certbot/_internal/constants.py
+++ b/certbot/certbot/_internal/constants.py
@@ -120,6 +120,8 @@ CLI_DEFAULTS = dict(
 )
 STAGING_URI = "https://acme-staging-v02.api.letsencrypt.org/directory"
+V1_URI = "https://acme-v01.api.letsencrypt.org/directory"
+
 
 # The set of reasons for revoking a certificate is defined in RFC 5280 in
 # section 5.3.1. The reasons that users are allowed to submit are restricted to
 # those accepted by the ACME server implementation. They are listed in
diff --git a/certbot/certbot/_internal/renewal.py b/certbot/certbot/_internal/renewal.py
index fd23b0d18..47244052a 100644
--- a/certbot/certbot/_internal/renewal.py
+++ b/certbot/certbot/_internal/renewal.py
@@ -19,6 +19,7 @@ from certbot import errors
 from certbot import interfaces
 from certbot import util
 from certbot._internal import cli
+from certbot._internal import constants
 from certbot._internal import hooks
 from certbot._internal import storage
 from certbot._internal import updater
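Review bot: `V1_URI` is added next to `STAGING_URI` with no comment saying why a deprecated endpoint is being introduced as a named constant, so a later reader may take it for a supported server choice. Within this patch its only use is the legacy-config rewrite in `renewal._restore_str`; a one-line comment above it such as `# Legacy ACMEv1 endpoint; kept only so old renewal configs that still name it can be recognised and rewritten (see renewal._restore_str).` would make that intent explicit.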
@@ -243,16 +244,28 @@ def _restore_int(name, value):
     raise errors.Error("Expected a numeric value for {0}".format(name))
 
 
-def _restore_str(unused_name, value):
+def _restore_str(name, value):
     """Restores a string key-value pair from a renewal config file.
 
-    :param str unused_name: option name
+    :param str name: option name
     :param str value: option value
 
     :returns: converted option value to be stored in the runtime config
     :rtype: str or None
 
     """
+    # Previous to v0.5.0, Certbot always stored the `server` URL in the renewal config,
+    # resulting in configs which explicitly use the deprecated ACMEv1 URL, today
+    # preventing an automatic transition to the default modern ACME URL.
+    # (https://github.com/certbot/certbot/issues/7978#issuecomment-625442870)
+    # As a mitigation, this function reinterprets the value of the `server` parameter if
+    # necessary, replacing the ACMEv1 URL with the default ACME URL. It is still possible
+    # to override this choice with the explicit `--server` CLI flag.
+    if name == "server" and value == constants.V1_URI:
+        logger.info("Using server %s instead of legacy %s",
+                    constants.CLI_DEFAULTS["server"], value)
+        return constants.CLI_DEFAULTS["server"]
+
     return None if value == "None" else value
 
 
diff --git a/certbot/tests/renewal_test.py b/certbot/tests/renewal_test.py
index 1fc54b42e..83796cd4f 100644
--- a/certbot/tests/renewal_test.py
+++ b/certbot/tests/renewal_test.py
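Review bot: The docstring of `_restore_str` still describes a plain string restore while the body now special-cases the `server` key, so callers reading only the docstring will not expect a different URL back; add a line after `:param str value: option value` such as `A ``server`` value equal to the legacy ACMEv1 URL (constants.V1_URI) is restored as the default server instead; an explicit ``--server`` flag still takes precedence.` The rewrite is an exact string comparison, so a stored URL that differs only by a trailing slash would be passed through untouched by the final `return` and still point at the ACMEv1 endpoint; if such spellings can occur in old renewal configs (nothing in the hunk says either way), `value.rstrip("/") == constants.V1_URI` would cover them. The info log will fire on every renewal of such a config unless the rewritten value is persisted elsewhere, which is outside this hunk.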
@@ -110,6 +110,14 @@ class RestoreRequiredConfigElementsTest(test_util.ConfigTestCase):
         self.assertRaises(
             errors.Error, self._call, self.config, renewalparams)
 
+    @mock.patch('certbot._internal.renewal.cli.set_by_cli')
+    def test_ancient_server_renewal_conf(self, mock_set_by_cli):
+        from certbot._internal import constants
+        self.config.server = None
+        mock_set_by_cli.return_value = False
+        self._call(self.config, {'server': constants.V1_URI})
+        self.assertEqual(self.config.server, constants.CLI_DEFAULTS['server'])
+
 
 if __name__ == "__main__":
     unittest.main()  # pragma: no cover

From bebcad0588c50e671bd2f53074c38b28ac8a4917 Mon Sep 17 00:00:00 2001
From: Erica Portnoy
Date: Thu, 4 Jun 2020 15:57:34 -0700
Subject: [PATCH 2/2] update changelog

---
 certbot/CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/certbot/CHANGELOG.md b/certbot/CHANGELOG.md
index b7a71ff9f..e119b66b1 100644
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@@ -11,6 +11,8 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
 ### Changed
 
 * Allow session tickets to be disabled in Apache when mod_ssl is statically linked.
+* Read acmev1 Let's Encrypt server URL from renewal config as acmev2 URL to prepare
+  for impending acmev1 deprecation.
 
 ### Fixed
 
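Review bot: `test_ancient_server_renewal_conf` only exercises the rewrite path; nothing checks that a non-legacy `server` value is restored unchanged, so a regression that rewrites every server URL to the default would still pass. Add a sibling case in the same test, `self._call(self.config, {'server': constants.STAGING_URI})` followed by `self.assertEqual(self.config.server, constants.STAGING_URI)`. The `set_by_cli` mock returning False appears to be what lets the renewal value reach `config.server`; a second run with it returning True and `config.server` preset would confirm that the explicit `--server` override described in the renewal.py comment still takes precedence over the rewrite.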