From 5b597e0e8b28b52774bd94fc55b9ff09a1994d55 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 20 Apr 2016 09:28:11 +1000 Subject: [PATCH 1/7] Rebuild letsencrypt-auto from current source --- letsencrypt-auto-source/letsencrypt-auto | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 111f2b272..1cd04e506 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -1,6 +1,6 @@ #!/bin/sh # -# Download and run the latest release version of the Let's Encrypt client. +# Download and run the latest release version of the Certbot client. # # NOTE: THIS SCRIPT IS AUTO-GENERATED AND SELF-UPDATING # @@ -46,7 +46,7 @@ for arg in "$@" ; do done # letsencrypt-auto needs root access to bootstrap OS dependencies, and -# letsencrypt itself needs root access for almost all modes of operation +# certbot itself needs root access for almost all modes of operation # The "normal" case is that sudo is used for the steps that need root, but # this script *can* be run as root (not recommended), or fall back to using # `su` @@ -186,7 +186,7 @@ BootstrapDebCommon() { AddBackportRepo precise-backports "deb http://archive.ubuntu.com/ubuntu precise-backports main restricted universe multiverse" else echo "No libaugeas0 version is available that's new enough to run the" - echo "Let's Encrypt apache plugin..." + echo "Certbot apache plugin..." fi # XXX add a case for ubuntu PPAs fi @@ -426,7 +426,7 @@ Bootstrap() { elif grep -iq "Amazon Linux" /etc/issue ; then ExperimentalBootstrap "Amazon Linux" BootstrapRpmCommon else - echo "Sorry, I don't know how to bootstrap Let's Encrypt on your operating system!" + echo "Sorry, I don't know how to bootstrap Certbot on your operating system!" echo echo "You will need to bootstrap, configure virtualenv, and run pip install manually." echo "Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites" @@ -466,7 +466,7 @@ if [ "$1" = "--le-auto-phase2" ]; then # ------------------------------------------------------------------------- cat << "UNLIKELY_EOF" > "$TEMP_DIR/letsencrypt-auto-requirements.txt" # This is the flattened list of packages letsencrypt-auto installs. To generate -# this, do `pip install --no-cache-dir -e acme -e . -e letsencrypt-apache`, and +# this, do `pip install --no-cache-dir -e acme -e . -e certbot-apache`, and # then use `hashin` or a more secure method to gather the hashes. argparse==1.4.0 \ @@ -823,7 +823,7 @@ UNLIKELY_EOF fi echo "Installation succeeded." fi - echo "Requesting root privileges to run letsencrypt..." + echo "Requesting root privileges to run certbot..." echo " " $SUDO "$VENV_BIN/letsencrypt" "$@" $SUDO "$VENV_BIN/letsencrypt" "$@" else @@ -831,8 +831,8 @@ else # # Each phase checks the version of only the thing it is responsible for # upgrading. Phase 1 checks the version of the latest release of - # letsencrypt-auto (which is always the same as that of the letsencrypt - # package). Phase 2 checks the version of the locally installed letsencrypt. + # letsencrypt-auto (which is always the same as that of the certbot + # package). Phase 2 checks the version of the locally installed certbot. if [ ! -f "$VENV_BIN/letsencrypt" ]; then # If it looks like we've never bootstrapped before, bootstrap: From b597f4a284ac17a20482808b266ece29b6fecb99 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 20 Apr 2016 09:28:41 +1000 Subject: [PATCH 2/7] [letsencrypt-auto] handle network/pypi failures more gracefully --- letsencrypt-auto-source/letsencrypt-auto | 5 +++-- letsencrypt-auto-source/letsencrypt-auto.template | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 1cd04e506..81b1801cf 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -978,8 +978,9 @@ if __name__ == '__main__': UNLIKELY_EOF # --------------------------------------------------------------------------- DeterminePythonVersion - REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` - if [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then + if ! REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` ; then + echo "WARNING: unable to check for updates." + elif [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then echo "Upgrading letsencrypt-auto $LE_AUTO_VERSION to $REMOTE_VERSION..." # Now we drop into Python so we don't have to install even more diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index 2c8e1ec4c..168dea2af 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -248,8 +248,9 @@ else UNLIKELY_EOF # --------------------------------------------------------------------------- DeterminePythonVersion - REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` - if [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then + if ! REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` ; then + echo "WARNING: unable to check for updates." + elif [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then echo "Upgrading letsencrypt-auto $LE_AUTO_VERSION to $REMOTE_VERSION..." # Now we drop into Python so we don't have to install even more From 3c455b7e64f44deb8a47f77f8c7e70b67db3aab9 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 20 Apr 2016 10:45:30 +1000 Subject: [PATCH 3/7] letsencrypt-auto: set CERTBOT_AUTO :) --- letsencrypt-auto-source/letsencrypt-auto | 7 +++++-- letsencrypt-auto-source/letsencrypt-auto.template | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 81b1801cf..1f2dfcf85 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -50,9 +50,12 @@ done # The "normal" case is that sudo is used for the steps that need root, but # this script *can* be run as root (not recommended), or fall back to using # `su` +SUDO_ENV="" +export CERTBOT_AUTO="$0" if test "`id -u`" -ne "0" ; then if command -v sudo 1>/dev/null 2>&1; then SUDO=sudo + SUDO_ENV="CERTBOT_AUTO=\"$0\"" else echo \"sudo\" is not available, will use \"su\" for installation steps... # Because the parameters in `su -c` has to be a string, @@ -824,8 +827,8 @@ UNLIKELY_EOF echo "Installation succeeded." fi echo "Requesting root privileges to run certbot..." - echo " " $SUDO "$VENV_BIN/letsencrypt" "$@" - $SUDO "$VENV_BIN/letsencrypt" "$@" + echo " " $SUDO $SUDO_ENV "$VENV_BIN/letsencrypt" "$@" + $SUDO $SUDO_ENV "$VENV_BIN/letsencrypt" "$@" else # Phase 1: Upgrade letsencrypt-auto if neceesary, then self-invoke. # diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index 168dea2af..580ee7c07 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -50,9 +50,12 @@ done # The "normal" case is that sudo is used for the steps that need root, but # this script *can* be run as root (not recommended), or fall back to using # `su` +SUDO_ENV="" +export CERTBOT_AUTO="$0" if test "`id -u`" -ne "0" ; then if command -v sudo 1>/dev/null 2>&1; then SUDO=sudo + SUDO_ENV="CERTBOT_AUTO=\"$0\"" else echo \"sudo\" is not available, will use \"su\" for installation steps... # Because the parameters in `su -c` has to be a string, @@ -220,8 +223,8 @@ UNLIKELY_EOF echo "Installation succeeded." fi echo "Requesting root privileges to run certbot..." - echo " " $SUDO "$VENV_BIN/letsencrypt" "$@" - $SUDO "$VENV_BIN/letsencrypt" "$@" + echo " " $SUDO $SUDO_ENV "$VENV_BIN/letsencrypt" "$@" + $SUDO $SUDO_ENV "$VENV_BIN/letsencrypt" "$@" else # Phase 1: Upgrade letsencrypt-auto if neceesary, then self-invoke. # From a73986576318d9fdbe95621b37caa72bbb470797 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 20 Apr 2016 10:49:02 +1000 Subject: [PATCH 4/7] Print a deprecation warning with the ancient letsencrypt-auto --- certbot/cli.py | 19 ++++++++++++++++++- certbot/main.py | 1 + 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/certbot/cli.py b/certbot/cli.py index e2c57595b..3e6f78bc1 100644 --- a/certbot/cli.py +++ b/certbot/cli.py @@ -37,8 +37,9 @@ helpful_parser = None # should only be used for purposes where inability to detect letsencrypt-auto # fails safely +LEAUTO = "letsencrypt-auto" fragment = os.path.join(".local", "share", "certbot") -cli_command = "letsencrypt-auto" if fragment in sys.argv[0] else "certbot" +cli_command = LEAUTO if fragment in sys.argv[0] else "certbot" # Argparse's help formatting has a lot of unhelpful peculiarities, so we want # to replace as much of it as we can... @@ -141,6 +142,22 @@ def usage_strings(plugins): return USAGE % (apache_doc, nginx_doc), SHORT_USAGE +def possible_deprecation_warning(config): + "A deprecation warning for users with the old, not-self-upgrading letsencrypt-auto." + if cli_command != LEAUTO: + return + if config.no_self_upgrade: + # users setting --no-self-upgrade might be hanging on a clent version like 0.3.0 + # or 0.5.0 which is the new script, but doesn't set CERTBOT_AUTO; they don't + # need warnings + return + if "CERTBOT_AUTO" not in os.environ: + logger.warn("You are running with an old copy of letsencrypt-auto that does " + "not receive updates, and is less reliable than more recent versions. " + "We recommend upgrading to the latest certbot-auto script, or using native " + "OS packages.") + + class _Default(object): """A class to use as a default to detect if a value is set by a user""" diff --git a/certbot/main.py b/certbot/main.py index 72f4fe66e..05347734e 100644 --- a/certbot/main.py +++ b/certbot/main.py @@ -649,6 +649,7 @@ def main(cli_args=sys.argv[1:]): args = cli.prepare_and_parse_args(plugins, cli_args) config = configuration.NamespaceConfig(args) zope.component.provideUtility(config) + cli.possible_deprecation_warning(config) # Setup logging ASAP, otherwise "No handlers could be found for # logger ..." TODO: this should be done before plugins discovery From 86cb5b68e3b2f3148a7d4134ffd786a70c34ee58 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 10 May 2016 10:14:03 -0700 Subject: [PATCH 5/7] cli_command should sometimes be certbot-auto --- certbot/cli.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/certbot/cli.py b/certbot/cli.py index 7ed8a0d3a..90e86a751 100644 --- a/certbot/cli.py +++ b/certbot/cli.py @@ -38,6 +38,11 @@ helpful_parser = None # fails safely LEAUTO = "letsencrypt-auto" +if "CERTBOT_AUTO" in os.environ: + # if we're here, this is probably going to be certbot-auto, unless the + # user saved the script under a different name + LEAUTO = os.path.basename(os.environ["CERTBOT_AUTO"]) + fragment = os.path.join(".local", "share", "letsencrypt") cli_command = LEAUTO if fragment in sys.argv[0] else "certbot" From ed23f2e27fb42aac0b37cc9df74e6853a912e75a Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 10 May 2016 10:21:15 -0700 Subject: [PATCH 6/7] CERTBOT_AUTO env was broken (especially if containing spaces) --- letsencrypt-auto-source/letsencrypt-auto | 14 +++++++++++--- letsencrypt-auto-source/letsencrypt-auto.template | 14 +++++++++++--- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 1f2dfcf85..72adfccb1 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -55,7 +55,7 @@ export CERTBOT_AUTO="$0" if test "`id -u`" -ne "0" ; then if command -v sudo 1>/dev/null 2>&1; then SUDO=sudo - SUDO_ENV="CERTBOT_AUTO=\"$0\"" + SUDO_ENV="CERTBOT_AUTO=$0" else echo \"sudo\" is not available, will use \"su\" for installation steps... # Because the parameters in `su -c` has to be a string, @@ -827,8 +827,16 @@ UNLIKELY_EOF echo "Installation succeeded." fi echo "Requesting root privileges to run certbot..." - echo " " $SUDO $SUDO_ENV "$VENV_BIN/letsencrypt" "$@" - $SUDO $SUDO_ENV "$VENV_BIN/letsencrypt" "$@" + if [ -z "$SUDO_ENV" ] ; then + # SUDO is su wrapper / noop + echo " " $SUDO "$VENV_BIN/letsencrypt" "$@" + $SUDO "$VENV_BIN/letsencrypt" "$@" + else + # sudo + echo " " $SUDO "$SUDO_ENV" "$VENV_BIN/letsencrypt" "$@" + $SUDO "$SUDO_ENV" "$VENV_BIN/letsencrypt" "$@" + fi + else # Phase 1: Upgrade letsencrypt-auto if neceesary, then self-invoke. # diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index 580ee7c07..4e32d8b4f 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -55,7 +55,7 @@ export CERTBOT_AUTO="$0" if test "`id -u`" -ne "0" ; then if command -v sudo 1>/dev/null 2>&1; then SUDO=sudo - SUDO_ENV="CERTBOT_AUTO=\"$0\"" + SUDO_ENV="CERTBOT_AUTO=$0" else echo \"sudo\" is not available, will use \"su\" for installation steps... # Because the parameters in `su -c` has to be a string, @@ -223,8 +223,16 @@ UNLIKELY_EOF echo "Installation succeeded." fi echo "Requesting root privileges to run certbot..." - echo " " $SUDO $SUDO_ENV "$VENV_BIN/letsencrypt" "$@" - $SUDO $SUDO_ENV "$VENV_BIN/letsencrypt" "$@" + if [ -z "$SUDO_ENV" ] ; then + # SUDO is su wrapper / noop + echo " " $SUDO "$VENV_BIN/letsencrypt" "$@" + $SUDO "$VENV_BIN/letsencrypt" "$@" + else + # sudo + echo " " $SUDO "$SUDO_ENV" "$VENV_BIN/letsencrypt" "$@" + $SUDO "$SUDO_ENV" "$VENV_BIN/letsencrypt" "$@" + fi + else # Phase 1: Upgrade letsencrypt-auto if neceesary, then self-invoke. # From 22f6b77e680af0144b260a85ff51c53a34689179 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 10 May 2016 18:51:16 -0700 Subject: [PATCH 7/7] Move deprecation warning after logging setup --- certbot/main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certbot/main.py b/certbot/main.py index 939a5e0e4..0405d6eb5 100644 --- a/certbot/main.py +++ b/certbot/main.py @@ -649,7 +649,6 @@ def main(cli_args=sys.argv[1:]): args = cli.prepare_and_parse_args(plugins, cli_args) config = configuration.NamespaceConfig(args) zope.component.provideUtility(config) - cli.possible_deprecation_warning(config) # Setup logging ASAP, otherwise "No handlers could be found for # logger ..." TODO: this should be done before plugins discovery @@ -662,6 +661,7 @@ def main(cli_args=sys.argv[1:]): le_util.make_or_verify_dir( config.logs_dir, 0o700, os.geteuid(), "--strict-permissions" in cli_args) setup_logging(config, _cli_log_handler, logfile='letsencrypt.log') + cli.possible_deprecation_warning(config) logger.debug("certbot version: %s", certbot.__version__) # do not log `config`, as it contains sensitive data (e.g. revoke --key)!