diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py
index b32eda921..e0982a5d6 100644
--- a/certbot-apache/certbot_apache/configurator.py
+++ b/certbot-apache/certbot_apache/configurator.py
@@ -1990,4 +1990,3 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
 return common.install_version_controlled_file(options_ssl, options_ssl_digest, self.constant("MOD_SSL_CONF_SRC"), constants.ALL_SSL_OPTIONS_HASHES)
-
diff --git a/certbot/cli.py b/certbot/cli.py
index 75e1e4c9b..1005f96eb 100644
--- a/certbot/cli.py
+++ b/certbot/cli.py
@@ -1073,12 +1073,6 @@ def prepare_and_parse_args(plugins, args, detect_defaults=False): # pylint: dis
 helpful.add( "security", "--rsa-key-size", type=int, metavar="N", default=flag_default("rsa_key_size"), help=config_help("rsa_key_size"))
- helpful.add(
- "security", "--disable-installer-updates", action="store_false",
- default=flag_default("installer_updates"), dest="installer_updates",
- help="Disable any automatic updates to your server configuration that"
- " would otherwise be done by the selected installer plugin, and"
- " triggered by the \"renew\" verb.")
 helpful.add( "security", "--must-staple", action="store_true", dest="must_staple", default=flag_default("must_staple"),
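Review bot: `--disable-installer-updates` is deleted outright rather than retired with `helpful.add_deprecated_argument`, so any cron entry, renewal hook or documentation that still passes it will now fail argument parsing instead of being ignored with a warning. If the flag was ever in a released version, add `helpful.add_deprecated_argument("--disable-installer-updates", 0)` next to the existing deprecated entries (the `--agree-dev-preview` line later in this commit shows the pattern); if it never shipped, a changelog line saying so is enough. `prepare_and_parse_args` starts and continues outside the hunk.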
@@ -1123,8 +1117,9 @@ def prepare_and_parse_args(plugins, args, detect_defaults=False): # pylint: dis
 help="Require that all configuration files are owned by the current " "user; only needed if your config is somewhere unsafe like /tmp/")
 helpful.add(
- "security", "--dangerously-disable-server-tls-updates", action="store_false",
- default=flag_default("server_tls_updates"), dest="server_tls_updates",
+ "security", "--dangerously-disable-server-tls-updates", action="store_true",
+ default=flag_default("disable_server_tls_updates"),
+ dest="disable_server_tls_updates",
 help="Disable any updates to your server's TLS configuration" " other than setting the certificate and key to be used when" " Certbot installs a new certificate. Using this flag is"
@@ -1188,6 +1183,13 @@ def prepare_and_parse_args(plugins, args, detect_defaults=False): # pylint: dis
 default=flag_default("directory_hooks"), dest="directory_hooks", help="Disable running executables found in Certbot's hook directories" " during renewal. (default: False)")
+ helpful.add(
+ "renew", "--disable-renew-updates", action="store_true",
+ default=flag_default("disable_renew_updates"), dest="disable_renew_updates",
+ help="Disable automatic updates to your server configuration that"
+ " would otherwise be done by the selected installer plugin, and"
+ " triggered by the \"renew\" verb. This setting does not apply to"
+ " important TLS configuration updates.")
 helpful.add_deprecated_argument("--agree-dev-preview", 0)
 helpful.add_deprecated_argument("--dialog", 0)
diff --git a/certbot/constants.py b/certbot/constants.py
index d69d2177d..fd3fd5c18 100644
--- a/certbot/constants.py
+++ b/certbot/constants.py
@@ -64,8 +64,8 @@ CLI_DEFAULTS = dict(
 pref_challs=[],
 validate_hooks=True,
 directory_hooks=True,
- server_tls_updates=True,
- installer_updates=False,
+ disable_server_tls_updates=False,
+ disable_renew_updates=False,
 # Subparsers
 num=None,
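Review bot: Renaming `dest` from `server_tls_updates` to `disable_server_tls_updates` and flipping the action to `store_true` changes both the attribute name and its polarity, and any value stored under the old name — presumably in renewal configuration files, which this diff does not show — would be silently ignored rather than migrated, so a previously recorded choice about TLS-hardening updates is forgotten on the next renewal. If the flag has reached users, read the old key as a fallback or call the change out in the release notes. The `help` string continues outside the hunk and is worth re-reading to confirm it still matches the new default of False.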
diff --git a/certbot/interfaces.py b/certbot/interfaces.py
index f9a5d7270..7dfaf276d 100644
--- a/certbot/interfaces.py
+++ b/certbot/interfaces.py
@@ -256,13 +256,13 @@ class IConfig(zope.interface.Interface):
 "user; only needed if your config is somewhere unsafe like /tmp/." "This is a boolean")
- server_tls_updates = zope.interface.Attribute(
- "If updates to the server's TLS configuration should be"
- " performed by the installer.")
+ disable_server_tls_updates = zope.interface.Attribute(
+ "If updates to the server's TLS configuration performed by the installer"
+ " should be disabled.")
- installer_updates = zope.interface.Attribute(
- "If updates provided by installer enhancements should be performed"
- " when Certbot is being run with \"renew\" verb.")
+ disable_renew_updates = zope.interface.Attribute(
+ "If updates provided by installer enhancements when Certbot is being run"
+ " with \"renew\" verb should be disabled.")
 class IInstaller(IPlugin):
 """Generic Certbot Installer Interface.
@@ -679,14 +679,14 @@ class ServerTLSUpdater(object):
 and keys used by the server. An installer can determine if TLS server updates are enabled by checking
- :attr:`IConfig.server_tls_updates`.
+ :attr:`IConfig.disable_server_tls_updates`.
 """
 __metaclass__ = abc.ABCMeta
 @abc.abstractmethod
- def server_tls_updates(self, domain, lineage=None, *args, **kwargs):
+ def server_tls_updates(self, domain, *args, **kwargs):
 """Set the server's TLS config to latest recommended version. This function will only be called if the user hasn't disabled TLS
diff --git a/certbot/plugins/selection.py b/certbot/plugins/selection.py
index f870b3199..aacaba7b5 100644
--- a/certbot/plugins/selection.py
+++ b/certbot/plugins/selection.py
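Review bot: Dropping `lineage=None` from the abstract `server_tls_updates` signature leaves the docstring, which continues outside the hunk, possibly still describing a `lineage` parameter; check for a `:param lineage:` entry and remove it so implementers are not told to expect a value that `updater.py` never passes. Existing implementations that kept `lineage=None` stay call-compatible because only `domain` is supplied positionally, but the docstring should state that only `domain` is guaranteed and the extra arguments are reserved. The rewritten `IConfig` attribute docstrings in the first hunk now read as questions; `"Whether updates to the server's TLS configuration by the installer are disabled."` and `"Whether installer enhancement updates are disabled when Certbot runs with the \"renew\" verb."` say the same thing more plainly.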
@@ -192,7 +192,7 @@ def choose_configurator_plugins(config, plugins, verb): # pylint: disable=too-m
 installer = pick_installer(config, req_inst, plugins)
 if need_auth:
 authenticator = pick_authenticator(config, req_auth, plugins)
- if installer is not None:
+ if installer is not None and verb != "renew":
 verify_enhancements_supported(config, installer)
 logger.debug("Selected authenticator %s and installer %s", authenticator, installer)
@@ -226,7 +226,7 @@ def verify_enhancements_supported(config, installer):
 :raises errors.MisconfigurationError: configuration conflict
 """
- if not config.server_tls_updates:
+ if config.disable_server_tls_updates:
 flag = "--dangerously-disable-server-tls-updates"
 if isinstance(installer, interfaces.ServerTLSUpdater):
 verified = z_util(interfaces.IDisplay).yesno(
diff --git a/certbot/tests/renewupdater_test.py b/certbot/tests/renewupdater_test.py
index e1c46e2b6..3b83fda59 100644
--- a/certbot/tests/renewupdater_test.py
+++ b/certbot/tests/renewupdater_test.py
@@ -75,8 +75,8 @@ class RenewUpdaterTest(unittest.TestCase):
 @mock.patch('certbot.plugins.selection.choose_configurator_plugins')
 @test_util.patch_get_utility()
 def test_server_updates(self, _, mock_select, mock_getsave):
- config = self.get_config({"server_tls_updates": True,
- "installer_updates": True})
+ config = self.get_config({"disable_server_tls_updates": False,
+ "disable_renew_updates": False})
 lineage = mock.MagicMock()
 lineage.names.return_value = ['firstdomain', 'seconddomain']
@@ -104,7 +104,6 @@ class RenewUpdaterTest(unittest.TestCase):
 mock_generic_updater.restart.reset_mock()
 mock_generic_updater.callcounter.reset_mock()
- updater.run_renewal_updaters(config, None, lineage)
 self.assertEqual(mock_generic_updater.callcounter.call_count, 2)
 self.assertFalse(mock_generic_updater.restart.called)
diff --git a/certbot/updater.py b/certbot/updater.py
index 4a864ca6a..449e1547d 100644
--- a/certbot/updater.py
+++ b/certbot/updater.py
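Review bot: The added `verb != "renew"` exempts renewals from `verify_enhancements_supported`, which is the step that confirms with the user through `IDisplay.yesno` before proceeding with `--dangerously-disable-server-tls-updates`, and nothing in the hunk records why; presumably renew is expected to run unattended, where a prompt would hang or fail, while `updater.py` already honours the disable flags on its own. Please say so at the condition, e.g. `# renew is normally unattended: skip the interactive confirmation here; updater.py applies the disable flags itself`, so a later reader does not take the exemption for a missed check. `choose_configurator_plugins` starts and continues outside the hunk.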
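Review bot: With `updater.run_renewal_updaters(config, None, lineage)` removed, `mock_generic_updater.callcounter.reset_mock()` is immediately followed by `self.assertEqual(mock_generic_updater.callcounter.call_count, 2)` in the second `renewupdater_test.py` hunk; unless something between them outside the hunk invokes the updater, the count after a reset should be 0 and the assertion either fails or no longer exercises a second code path. Either restore a call whose argument order matches the `(lineage, installer, config)` signatures shown in the `updater.py` hunks, or drop the two `reset_mock()` lines together with the assertions that depended on them. `test_server_updates` continues outside the hunk.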
@@ -44,7 +44,8 @@ def run_renewal_deployer(lineage, installer, config):
 :returns: `None`
 :rtype: None
 """
- if config.installer_updates and isinstance(installer, interfaces.RenewDeployer):
+ if not config.disable_renew_updates and isinstance(installer,
+ interfaces.RenewDeployer):
 installer.renew_deploy(lineage)
 def _run_updaters(lineage, installer, config):
@@ -61,9 +62,9 @@ def _run_updaters(lineage, installer, config):
 :rtype: None
 """
 for domain in lineage.names():
- if config.server_tls_updates:
+ if not config.disable_server_tls_updates:
 if isinstance(installer, interfaces.ServerTLSUpdater):
 installer.server_tls_updates(domain)
- if config.installer_updates:
+ if not config.disable_renew_updates:
 if isinstance(installer, interfaces.GenericUpdater):
 installer.generic_updates(domain)
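Review bot: In `_run_updaters` the two rewritten conditions each wrap a second `isinstance` check in a nested `if`, which reads as two decisions where there is one; `if not config.disable_server_tls_updates and isinstance(installer, interfaces.ServerTLSUpdater):` and the matching `if not config.disable_renew_updates and isinstance(installer, interfaces.GenericUpdater):` keep behaviour and match the form already used in `run_renewal_deployer` in the first hunk. The docstrings of both functions sit outside the hunks and may still name `installer_updates` or `server_tls_updates`; they should refer to the new `disable_*` attributes. A brief comment that the TLS branch is deliberately evaluated independently of `disable_renew_updates` would also document the "does not apply to important TLS configuration updates" promise made in the CLI help.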