Merge remote-tracking branch 'github/letsencrypt/master' into release

.pylintrc

@@ -38,7 +38,7 @@ load-plugins=linter_plugin
 # --enable=similarities". If you want to run only the classes checker, but have
 # no Warning level messages displayed, use"--disable=all --enable=classes
 # --disable=W"
-disable=fixme,locally-disabled,abstract-class-not-used,bad-continuation,too-few-public-methods,no-self-use
+disable=fixme,locally-disabled,abstract-class-not-used,bad-continuation,too-few-public-methods,no-self-use,invalid-name
 # abstract-class-not-used cannot be disabled locally (at least in pylint 1.4.1)
 
 

Dockerfile

@@ -62,5 +62,5 @@ RUN virtualenv --no-site-packages -p python2 /opt/letsencrypt/venv && \
 # bash" and investigate, apply patches, etc.
 
 ENV PATH /opt/letsencrypt/venv/bin:$PATH
-# TODO: is --text really necessary?
-ENTRYPOINT [ "letsencrypt", "--text" ]
+
+ENTRYPOINT [ "letsencrypt" ]

LICENSE.txt

@@ -1,5 +1,5 @@
-Let's Encrypt:
-Copyright (c) Internet Security Research Group
+Let's Encrypt Python Client
+Copyright (c) Electronic Frontier Foundation and others
 Licensed Apache Version 2.0
 
 Incorporating code from nginxparser

README.rst

@@ -79,7 +79,7 @@ Current Features
 * web servers supported:
 
   - apache/2.x (tested and working on Ubuntu Linux)
-  - nginx/0.8.48+ (tested and mostly working on Ubuntu Linux)
+  - nginx/0.8.48+ (under development)
   - standalone (runs its own webserver to prove you control the domain)
 
 * the private key is generated locally on your system

acme/acme/challenges.py

@@ -25,6 +25,14 @@ class Challenge(jose.TypedJSONObjectWithFields):
     """ACME challenge."""
     TYPES = {}
 
+    @classmethod
+    def from_json(cls, jobj):
+        try:
+            return super(Challenge, cls).from_json(jobj)
+        except jose.UnrecognizedTypeError as error:
+            logger.debug(error)
+            return UnrecognizedChallenge.from_json(jobj)
+
 
 class ContinuityChallenge(Challenge):  # pylint: disable=abstract-method
     """Client validation challenges."""
@@ -42,6 +50,32 @@ class ChallengeResponse(jose.TypedJSONObjectWithFields):
     resource = fields.Resource(resource_type)
 
 
+class UnrecognizedChallenge(Challenge):
+    """Unrecognized challenge.
+
+    ACME specification defines a generic framework for challenges and
+    defines some standard challenges that are implemented in this
+    module. However, other implementations (including peers) might
+    define additional challenge types, which should be ignored if
+    unrecognized.
+
+    :ivar jobj: Original JSON decoded object.
+
+    """
+
+    def __init__(self, jobj):
+        super(UnrecognizedChallenge, self).__init__()
+        object.__setattr__(self, "jobj", jobj)
+
+    def to_partial_json(self):
+        # pylint: disable=no-member
+        return self.jobj
+
+    @classmethod
+    def from_json(cls, jobj):
+        return cls(jobj)
+
+
 @Challenge.register
 class SimpleHTTP(DVChallenge):
     """ACME "simpleHttp" challenge.
@@ -542,7 +576,7 @@ class DNS(DVChallenge):
     def check_validation(self, validation, account_public_key):
         """Check validation.
 
-        :param validation
+        :param JWS validation:
         :type account_public_key:
             `~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`
             or

acme/acme/challenges_test.py

@@ -17,6 +17,32 @@ CERT = test_util.load_cert('cert.pem')
 KEY = test_util.load_rsa_private_key('rsa512_key.pem')
 
 
+class ChallengeTest(unittest.TestCase):
+
+    def test_from_json_unrecognized(self):
+        from acme.challenges import Challenge
+        from acme.challenges import UnrecognizedChallenge
+        chall = UnrecognizedChallenge({"type": "foo"})
+        # pylint: disable=no-member
+        self.assertEqual(chall, Challenge.from_json(chall.jobj))
+
+
+class UnrecognizedChallengeTest(unittest.TestCase):
+
+    def setUp(self):
+        from acme.challenges import UnrecognizedChallenge
+        self.jobj = {"type": "foo"}
+        self.chall = UnrecognizedChallenge(self.jobj)
+
+    def test_to_partial_json(self):
+        self.assertEqual(self.jobj, self.chall.to_partial_json())
+
+    def test_from_json(self):
+        from acme.challenges import UnrecognizedChallenge
+        self.assertEqual(
+            self.chall, UnrecognizedChallenge.from_json(self.jobj))
+
+
 class SimpleHTTPTest(unittest.TestCase):
 
     def setUp(self):

acme/acme/messages_test.py

@@ -274,6 +274,7 @@ class AuthorizationTest(unittest.TestCase):
     def setUp(self):
         from acme.messages import ChallengeBody
         from acme.messages import STATUS_VALID
+
         self.challbs = (
             ChallengeBody(
                 uri='http://challb1', status=STATUS_VALID,

docs/api/display.rst

@@ -21,9 +21,3 @@
 
 .. automodule:: letsencrypt.display.enhancements
    :members:
-
-:mod:`letsencrypt.display.revocation`
-=====================================
-
-.. automodule:: letsencrypt.display.revocation
-   :members:

docs/api/recovery_token.rst

@@ -1,5 +0,0 @@
-:mod:`letsencrypt.recovery_token`
---------------------------------------------------
-
-.. automodule:: letsencrypt.recovery_token
-   :members:

docs/api/revoker.rst

@@ -1,5 +0,0 @@
-:mod:`letsencrypt.revoker`
---------------------------
-
-.. automodule:: letsencrypt.revoker
-   :members:

letsencrypt-apache/letsencrypt_apache/configurator.py

@@ -137,6 +137,12 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
         :raises .errors.PluginError: If there is any other error
 
         """
+        # Verify Apache is installed
+        for exe in (self.conf("ctl"), self.conf("enmod"),
+                    self.conf("dismod"), self.conf("init-script")):
+            if not le_util.exe_exists(exe):
+                raise errors.NoInstallationError
+
         # Make sure configuration is valid
         self.config_test()
 
@@ -1162,7 +1168,7 @@ def _get_mod_deps(mod_name):
         changes.
     .. warning:: If all deps are not included, it may cause incorrect parsing
         behavior, due to enable_mod's shortcut for updating the parser's
-        currently defined modules (:method:`.ApacheConfigurator._add_parser_mod`)
+        currently defined modules (`.ApacheConfigurator._add_parser_mod`)
         This would only present a major problem in extremely atypical
         configs that use ifmod for the missing deps.
 

letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py

@@ -37,8 +37,16 @@ class TwoVhost80Test(util.ApacheTest):
         shutil.rmtree(self.config_dir)
         shutil.rmtree(self.work_dir)
 
+    @mock.patch("letsencrypt_apache.configurator.le_util.exe_exists")
+    def test_prepare_no_install(self, mock_exe_exists):
+        mock_exe_exists.return_value = False
+        self.assertRaises(
+            errors.NoInstallationError, self.config.prepare)
+
     @mock.patch("letsencrypt_apache.parser.ApacheParser")
-    def test_prepare_version(self, _):
+    @mock.patch("letsencrypt_apache.configurator.le_util.exe_exists")
+    def test_prepare_version(self, mock_exe_exists, _):
+        mock_exe_exists.return_value = True
         self.config.version = None
         self.config.config_test = mock.Mock()
         self.config.get_version = mock.Mock(return_value=(1, 1))

letsencrypt-apache/letsencrypt_apache/tests/util.py

@@ -66,31 +66,34 @@ def get_apache_configurator(
 
     """
     backups = os.path.join(work_dir, "backups")
+    mock_le_config = mock.MagicMock(
+        apache_server_root=config_path,
+        apache_le_vhost_ext=constants.CLI_DEFAULTS["le_vhost_ext"],
+        backup_dir=backups,
+        config_dir=config_dir,
+        temp_checkpoint_dir=os.path.join(work_dir, "temp_checkpoints"),
+        in_progress_dir=os.path.join(backups, "IN_PROGRESS"),
+        work_dir=work_dir)
 
     with mock.patch("letsencrypt_apache.configurator."
                     "subprocess.Popen") as mock_popen:
-        with mock.patch("letsencrypt_apache.parser.ApacheParser."
-                        "update_runtime_variables"):
-            # This indicates config_test passes
-            mock_popen().communicate.return_value = ("Fine output", "No problems")
-            mock_popen().returncode = 0
+        # This indicates config_test passes
+        mock_popen().communicate.return_value = ("Fine output", "No problems")
+        mock_popen().returncode = 0
+        with mock.patch("letsencrypt_apache.configurator.le_util."
+                        "exe_exists") as mock_exe_exists:
+            mock_exe_exists.return_value = True
+            with mock.patch("letsencrypt_apache.parser.ApacheParser."
+                            "update_runtime_variables"):
+                config = configurator.ApacheConfigurator(
+                    config=mock_le_config,
+                    name="apache",
+                    version=version)
+                # This allows testing scripts to set it a bit more quickly
+                if conf is not None:
+                    config.conf = conf  # pragma: no cover
 
-            config = configurator.ApacheConfigurator(
-                config=mock.MagicMock(
-                    apache_server_root=config_path,
-                    apache_le_vhost_ext=constants.CLI_DEFAULTS["le_vhost_ext"],
-                    backup_dir=backups,
-                    config_dir=config_dir,
-                    temp_checkpoint_dir=os.path.join(work_dir, "temp_checkpoints"),
-                    in_progress_dir=os.path.join(backups, "IN_PROGRESS"),
-                    work_dir=work_dir),
-                name="apache",
-                version=version)
-            # This allows testing scripts to set it a bit more quickly
-            if conf is not None:
-                config.conf = conf  # pragma: no cover
-
-            config.prepare()
+                config.prepare()
 
     return config
 

letsencrypt-nginx/letsencrypt_nginx/configurator.py

@@ -56,7 +56,7 @@ class NginxConfigurator(common.Plugin):
     zope.interface.implements(interfaces.IAuthenticator, interfaces.IInstaller)
     zope.interface.classProvides(interfaces.IPluginFactory)
 
-    description = "Nginx Web Server"
+    description = "Nginx Web Server - currently doesn't work"
 
     @classmethod
     def add_parser_arguments(cls, add):

letsencrypt/account.py

@@ -54,7 +54,7 @@ class Account(object):  # pylint: disable=too-few-public-methods
                 tz=pytz.UTC).replace(microsecond=0),
             creation_host=socket.getfqdn()) if meta is None else meta
 
-        self.id = hashlib.md5(  # pylint: disable=invalid-name
+        self.id = hashlib.md5(
             self.key.key.public_key().public_bytes(
                 encoding=serialization.Encoding.DER,
                 format=serialization.PublicFormat.SubjectPublicKeyInfo)
@@ -92,13 +92,13 @@ def report_new_account(acc, config):
         "contain certificates and private keys obtained by Let's Encrypt "
         "so making regular backups of this folder is ideal.".format(
             config.config_dir),
-        reporter.MEDIUM_PRIORITY, True)
+        reporter.MEDIUM_PRIORITY)
 
     if acc.regr.body.emails:
         recovery_msg = ("If you lose your account credentials, you can "
                         "recover through e-mails sent to {0}.".format(
                             ", ".join(acc.regr.body.emails)))
-        reporter.add_message(recovery_msg, reporter.HIGH_PRIORITY, True)
+        reporter.add_message(recovery_msg, reporter.HIGH_PRIORITY)
 
 
 class AccountMemoryStorage(interfaces.AccountStorage):

letsencrypt/auth_handler.py

@@ -531,7 +531,7 @@ def _report_failed_challs(failed_achalls):
     reporter = zope.component.getUtility(interfaces.IReporter)
     for achalls in problems.itervalues():
         reporter.add_message(
-            _generate_failed_chall_msg(achalls), reporter.MEDIUM_PRIORITY, True)
+            _generate_failed_chall_msg(achalls), reporter.MEDIUM_PRIORITY)
 
 
 def _generate_failed_chall_msg(failed_achalls):

letsencrypt/cli.py

@@ -80,8 +80,8 @@ More detailed help:
   -h, --help [topic]    print this message, or detailed help on a topic;
                         the available topics are:
 
-   all, apache, automation, nginx, paths, security, testing, or any of the
-   subcommands
+   all, apache, automation, manual, nginx, paths, security, testing, or any of
+   the subcommands
 """
 
 
@@ -267,6 +267,14 @@ def _treat_as_renewal(config, domains):
     return None
 
 
+def _report_new_cert(cert_path):
+    """Reports the creation of a new certificate to the user."""
+    reporter_util = zope.component.getUtility(interfaces.IReporter)
+    reporter_util.add_message("Congratulations! Your certificate has been "
+                              "saved at {0}.".format(cert_path),
+                              reporter_util.MEDIUM_PRIORITY)
+
+
 def _auth_from_domains(le_client, config, domains, plugins):
     """Authenticate and enroll certificate."""
     # Note: This can raise errors... caught above us though.
@@ -292,6 +300,8 @@ def _auth_from_domains(le_client, config, domains, plugins):
         if not lineage:
             raise errors.Error("Certificate could not be obtained")
 
+    _report_new_cert(lineage.cert)
+
     return lineage
 
 
@@ -365,6 +375,7 @@ def auth(args, config, plugins):
             file=args.csr[0], data=args.csr[1], form="der"))
         le_client.save_certificate(
             certr, chain, args.cert_path, args.chain_path)
+        _report_new_cert(args.cert_path)
     else:
         domains = _find_domains(args, installer)
         _auth_from_domains(le_client, config, domains, plugins)
@@ -420,7 +431,7 @@ def plugins_cmd(args, config, plugins):  # TODO: Use IDisplay rather than print
     logger.debug("Expected interfaces: %s", args.ifaces)
 
     ifaces = [] if args.ifaces is None else args.ifaces
-    filtered = plugins.ifaces(ifaces)
+    filtered = plugins.visible().ifaces(ifaces)
     logger.debug("Filtered plugins: %r", filtered)
 
     if not args.init and not args.prepare:
@@ -489,9 +500,6 @@ class SilentParser(object):  # pylint: disable=too-few-public-methods
         self.parser.add_argument(*args, **kwargs)
 
 
-HELP_TOPICS = ["all", "security", "paths", "automation", "testing", "plugins"]
-
-
 class HelpfulArgumentParser(object):
     """Argparse Wrapper.
 
@@ -513,12 +521,13 @@ class HelpfulArgumentParser(object):
         self.parser._add_config_file_help = False  # pylint: disable=protected-access
         self.silent_parser = SilentParser(self.parser)
 
+        self.verb = None
         self.args = self.preprocess_args(args)
         help1 = self.prescan_for_flag("-h", self.help_topics)
         help2 = self.prescan_for_flag("--help", self.help_topics)
         assert max(True, "a") == "a", "Gravity changed direction"
         help_arg = max(help1, help2)
-        if help_arg == True:
+        if help_arg is True:
             # just --help with no topic; avoid argparse altogether
             print USAGE
             sys.exit(0)
@@ -529,13 +538,22 @@ class HelpfulArgumentParser(object):
     def preprocess_args(self, args):
         """Work around some limitations in argparse.
 
-        Currently, add the default verb "run" as a default.
+        Currently: add the default verb "run" as a default, and ensure that the
+        subcommand / verb comes last.
         """
+        if "-h" in args or "--help" in args:
+            # all verbs double as help arguments; don't get them confused
+            self.verb = "help"
+            return args
 
-        for token in args:
+        for i, token in enumerate(args):
             if token in VERBS:
-                return args
-        return ["run"] + args
+                reordered = args[:i] + args[i+1:] + [args[i]]
+                self.verb = token
+                return reordered
+
+        self.verb = "run"
+        return args + ["run"]
 
     def prescan_for_flag(self, flag, possible_arguments):
         """Checks cli input for flags.
@@ -713,77 +731,79 @@ def create_parser(plugins, args):
 
 # For now unfortunately this constant just needs to match the code below;
 # there isn't an elegant way to autogenerate it in time.
-VERBS = ["run", "auth", "install", "revoke", "rollback", "config_changes",
-         "plugins", "--help"]
-
+VERBS = ["run", "auth", "install", "revoke", "rollback", "config_changes", "plugins"]
+HELP_TOPICS = ["all", "security", "paths", "automation", "testing"] + VERBS
 
 def _create_subparsers(helpful):
     subparsers = helpful.parser.add_subparsers(metavar="SUBCOMMAND")
 
-    def add_subparser(name, func):  # pylint: disable=missing-docstring
-        subparser = subparsers.add_parser(
-            name, help=func.__doc__.splitlines()[0], description=func.__doc__)
+    def add_subparser(name):  # pylint: disable=missing-docstring
+        if name == "plugins":
+            func = plugins_cmd
+        else:
+            func = eval(name) # pylint: disable=eval-used
+        h = func.__doc__.splitlines()[0]
+        subparser = subparsers.add_parser(name, help=h, description=func.__doc__)
         subparser.set_defaults(func=func)
         return subparser
 
     # the order of add_subparser() calls is important: it defines the
     # order in which subparser names will be displayed in --help
-    add_subparser("run", run)
-    parser_auth = add_subparser("auth", auth)
-    parser_install = add_subparser("install", install)
-    parser_revoke = add_subparser("revoke", revoke)
-    parser_rollback = add_subparser("rollback", rollback)
-    add_subparser("config_changes", config_changes)
-    parser_plugins = add_subparser("plugins", plugins_cmd)
+    # these add_subparser objects return objects to which arguments could be
+    # attached, but they have annoying arg ordering constrains so we use
+    # groups instead: https://github.com/letsencrypt/letsencrypt/issues/820
+    for v in VERBS:
+        add_subparser(v)
 
-    parser_auth.add_argument(
-        "--csr", type=read_file, help="Path to a Certificate Signing "
-        "Request (CSR) in DER format.")
-    parser_auth.add_argument(
-        "--cert-path", default=flag_default("auth_cert_path"),
-        help="When using --csr this is where certificate is saved.")
-    parser_auth.add_argument(
-        "--chain-path", default=flag_default("auth_chain_path"),
-        help="When using --csr this is where certificate chain is saved.")
+    helpful.add_group("auth", description="Options for modifying how a cert is obtained")
+    helpful.add_group("install", description="Options for modifying how a cert is deployed")
+    helpful.add_group("revoke", description="Options for revocation of certs")
+    helpful.add_group("rollback", description="Options for reverting config changes")
+    helpful.add_group("plugins", description="Plugin options")
 
-    parser_install.add_argument(
-        "--cert-path", required=True, help="Path to a certificate that "
-        "is going to be installed.")
-    parser_install.add_argument(
-        "--key-path", required=True, help="Accompanying private key")
-    parser_install.add_argument(
-        "--chain-path", help="Accompanying path to a certificate chain.")
-    parser_revoke.add_argument(
-        "--cert-path", type=read_file, help="Revoke a specific certificate.",
-        required=True)
-    parser_revoke.add_argument(
-        "--key-path", type=read_file,
-        help="Revoke certificate using its accompanying key. Useful if "
-        "Account Key is lost.")
-
-    parser_rollback.add_argument(
+    helpful.add("auth",
+        "--csr", type=read_file, help="Path to a Certificate Signing Request (CSR) in DER format.")
+    helpful.add("rollback",
         "--checkpoints", type=int, metavar="N",
         default=flag_default("rollback_checkpoints"),
         help="Revert configuration N number of checkpoints.")
 
-    parser_plugins.add_argument(
+    helpful.add("plugins",
         "--init", action="store_true", help="Initialize plugins.")
-    parser_plugins.add_argument(
-        "--prepare", action="store_true",
-        help="Initialize and prepare plugins.")
-    parser_plugins.add_argument(
+    helpful.add("plugins",
+        "--prepare", action="store_true", help="Initialize and prepare plugins.")
+    helpful.add("plugins",
         "--authenticators", action="append_const", dest="ifaces",
-        const=interfaces.IAuthenticator,
-        help="Limit to authenticator plugins only.")
-    parser_plugins.add_argument(
+        const=interfaces.IAuthenticator, help="Limit to authenticator plugins only.")
+    helpful.add("plugins",
         "--installers", action="append_const", dest="ifaces",
         const=interfaces.IInstaller, help="Limit to installer plugins only.")
 
 
 def _paths_parser(helpful):
     add = helpful.add
+    verb = helpful.verb
     helpful.add_group(
         "paths", description="Arguments changing execution paths & servers")
+
+    cph = "Path to where cert is saved (with auth), installed (with install --csr) or revoked."
+    if verb == "auth":
+        add("paths", "--cert-path", default=flag_default("auth_cert_path"), help=cph)
+    elif verb == "revoke":
+        add("paths", "--cert-path", type=read_file, required=True, help=cph)
+    else:
+        add("paths", "--cert-path", help=cph, required=(verb == "install"))
+
+    # revoke --key-path reads a file, install --key-path takes a string
+    add("paths", "--key-path", type=((verb == "revoke" and read_file) or str),
+        required=(verb == "install"),
+        help="Path to private key for cert creation or revocation (if account key is missing)")
+
+    default_cp = None
+    if verb == "auth":
+        default_cp = flag_default("auth_chain_path")
+    add("paths", "--chain-path", default=default_cp,
+        help="Accompanying path to a certificate chain.")
     add("paths", "--config-dir", default=flag_default("config_dir"),
         help=config_help("config_dir"))
     add("paths", "--work-dir", default=flag_default("work_dir"),

letsencrypt/client.py

@@ -286,7 +286,7 @@ class Client(object):
                 "configured in the directories under {0}.").format(
                     cert.cli_config.renewal_configs_dir)
         reporter = zope.component.getUtility(interfaces.IReporter)
-        reporter.add_message(msg, reporter.LOW_PRIORITY, True)
+        reporter.add_message(msg, reporter.LOW_PRIORITY)
 
     def save_certificate(self, certr, chain_cert, cert_path, chain_path):
         # pylint: disable=no-self-use

letsencrypt/display/enhancements.py

@@ -11,7 +11,7 @@ from letsencrypt.display import util as display_util
 logger = logging.getLogger(__name__)
 
 # Define a helper function to avoid verbose code
-util = zope.component.getUtility  # pylint: disable=invalid-name
+util = zope.component.getUtility
 
 
 def ask(enhancement):

letsencrypt/display/ops.py

@@ -12,7 +12,7 @@ from letsencrypt.display import util as display_util
 logger = logging.getLogger(__name__)
 
 # Define a helper function to avoid verbose code
-util = zope.component.getUtility  # pylint: disable=invalid-name
+util = zope.component.getUtility
 
 
 def choose_plugin(prepared, question):
@@ -65,7 +65,7 @@ def pick_plugin(config, default, plugins, question, ifaces):
         # throw more UX-friendly error if default not in plugins
         filtered = plugins.filter(lambda p_ep: p_ep.name == default)
     else:
-        filtered = plugins.ifaces(ifaces)
+        filtered = plugins.visible().ifaces(ifaces)
 
     filtered.init(config)
     verified = filtered.verify(ifaces)

letsencrypt/error_handler.py

@@ -15,15 +15,15 @@ logger = logging.getLogger(__name__)
 # immediately.
 _SIGNALS = ([signal.SIGTERM] if os.name == "nt" else
             [signal.SIGTERM, signal.SIGHUP, signal.SIGQUIT,
-             signal.SIGXCPU, signal.SIGXFSZ, signal.SIGPWR])
+             signal.SIGXCPU, signal.SIGXFSZ])
 
 
 class ErrorHandler(object):
     """Registers functions to be called if an exception or signal occurs.
 
     This class allows you to register functions that will be called when
-    an exception or signal is encountered. The class works best as a
-    context manager. For example:
+    an exception (excluding SystemExit) or signal is encountered. The
+    class works best as a context manager. For example:
 
     with ErrorHandler(cleanup_func):
         do_something()
@@ -50,7 +50,8 @@ class ErrorHandler(object):
         self.set_signal_handlers()
 
     def __exit__(self, exec_type, exec_value, trace):
-        if exec_value is not None:
+        # SystemExit is ignored to properly handle forks that don't exec
+        if exec_type not in (None, SystemExit):
             logger.debug("Encountered exception:\n%s", "".join(
                 traceback.format_exception(exec_type, exec_value, trace)))
             self.call_registered()

letsencrypt/interfaces.py

@@ -478,7 +478,7 @@ class IReporter(zope.interface.Interface):
     LOW_PRIORITY = zope.interface.Attribute(
         "Used to denote low priority messages")
 
-    def add_message(self, msg, priority, on_crash=False):
+    def add_message(self, msg, priority, on_crash=True):
         """Adds msg to the list of messages to be printed.
 
         :param str msg: Message to be displayed to the user.

letsencrypt/log.py

@@ -25,7 +25,7 @@ class DialogHandler(logging.Handler):  # pylint: disable=too-few-public-methods
         logging.Handler.__init__(self, level)
         self.height = height
         self.width = width
-        # "dialog" collides with module name... pylint: disable=invalid-name
+        # "dialog" collides with module name...
         self.d = dialog.Dialog() if d is None else d
         self.lines = []
 

letsencrypt/plugins/common.py

@@ -23,10 +23,10 @@ def dest_namespace(name):
     """ArgumentParser dest namespace (prefix of all destinations)."""
     return name.replace("-", "_") + "_"
 
-private_ips_regex = re.compile(  # pylint: disable=invalid-name
+private_ips_regex = re.compile(
     r"(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|"
     r"(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)")
-hostname_regex = re.compile(  # pylint: disable=invalid-name
+hostname_regex = re.compile(
     r"^(([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*[a-z]+$", re.IGNORECASE)
 
 
@@ -173,7 +173,7 @@ class Dvsni(object):
                             achall.chall.encode("token") + '.pem')
 
     def _setup_challenge_cert(self, achall, s=None):
-        # pylint: disable=invalid-name
+
         """Generate and write out challenge certificate."""
         cert_path = self.get_cert_path(achall)
         key_path = self.get_key_path(achall)

letsencrypt/plugins/disco.py

@@ -50,6 +50,11 @@ class PluginEntryPoint(object):
         """Description with name. Handy for UI."""
         return "{0} ({1})".format(self.description, self.name)
 
+    @property
+    def hidden(self):
+        """Should this plugin be hidden from UI?"""
+        return getattr(self.plugin_cls, "hidden", False)
+
     def ifaces(self, *ifaces_groups):
         """Does plugin implements specified interface groups?"""
         return not ifaces_groups or any(
@@ -183,6 +188,10 @@ class PluginsRegistry(collections.Mapping):
         return type(self)(dict((name, plugin_ep) for name, plugin_ep
                                in self._plugins.iteritems() if pred(plugin_ep)))
 
+    def visible(self):
+        """Filter plugins based on visibility."""
+        return self.filter(lambda plugin_ep: not plugin_ep.hidden)
+
     def ifaces(self, *ifaces_groups):
         """Filter plugins based on interfaces."""
         # pylint: disable=star-args

letsencrypt/plugins/manual.py

@@ -182,6 +182,8 @@ binary for temporary key/certificate generation.""".replace("\n", "")
                 achall.account_key.public_key(), self.config.simple_http_port):
             return response
         else:
+            logger.error(
+                "Self-verify of challenge failed, authorization abandoned.")
             if self.conf("test-mode") and self._httpd.poll() is not None:
                 # simply verify cause command failure...
                 return False

letsencrypt/plugins/null.py

@@ -17,6 +17,7 @@ class Installer(common.Plugin):
     zope.interface.classProvides(interfaces.IPluginFactory)
 
     description = "Null Installer"
+    hidden = True
 
     # pylint: disable=missing-docstring,no-self-use
 

letsencrypt/reporter.py

@@ -36,7 +36,7 @@ class Reporter(object):
     def __init__(self):
         self.messages = Queue.PriorityQueue()
 
-    def add_message(self, msg, priority, on_crash=False):
+    def add_message(self, msg, priority, on_crash=True):
         """Adds msg to the list of messages to be printed.
 
         :param str msg: Message to be displayed to the user.

letsencrypt/storage.py

@@ -520,7 +520,7 @@ class RenewableCert(object):  # pylint: disable=too-many-instance-attributes
             remaining = expiry - now
             if remaining < autorenew_interval:
                 return True
-            return False
+        return False
 
     @classmethod
     def new_lineage(cls, lineagename, cert, privkey, chain,

letsencrypt/tests/auth_handler_test.py

@@ -355,7 +355,7 @@ class GenChallengePathTest(unittest.TestCase):
 class MutuallyExclusiveTest(unittest.TestCase):
     """Tests for letsencrypt.auth_handler.mutually_exclusive."""
 
-    # pylint: disable=invalid-name,missing-docstring,too-few-public-methods
+    # pylint: disable=missing-docstring,too-few-public-methods
     class A(object):
         pass
 

letsencrypt/tests/cli_test.py

@@ -2,6 +2,7 @@
 import itertools
 import os
 import shutil
+import StringIO
 import traceback
 import tempfile
 import unittest
@@ -16,6 +17,9 @@ from letsencrypt.tests import renewer_test
 from letsencrypt.tests import test_util
 
 
+CSR = test_util.vector_path('csr.der')
+
+
 class CLITest(unittest.TestCase):
     """Tests for different commands."""
 
@@ -39,12 +43,54 @@ class CLITest(unittest.TestCase):
                     ret = cli.main(args)
         return ret, stdout, stderr, client
 
+    def _call_stdout(self, args):
+        """
+        Variant of _call that preserves stdout so that it can be mocked by the
+        caller.
+        """
+        from letsencrypt import cli
+        args = ['--text', '--config-dir', self.config_dir,
+                '--work-dir', self.work_dir, '--logs-dir', self.logs_dir,
+                '--agree-eula'] + args
+        with mock.patch('letsencrypt.cli.sys.stderr') as stderr:
+            with mock.patch('letsencrypt.cli.client') as client:
+                ret = cli.main(args)
+        return ret, None, stderr, client
+
+
     def test_no_flags(self):
-        self.assertRaises(SystemExit, self._call, [])
+        with mock.patch('letsencrypt.cli.run') as mock_run:
+            self._call([])
+            self.assertEqual(1, mock_run.call_count)
 
     def test_help(self):
         self.assertRaises(SystemExit, self._call, ['--help'])
-        self.assertRaises(SystemExit, self._call, ['--help all'])
+        self.assertRaises(SystemExit, self._call, ['--help', 'all'])
+        output = StringIO.StringIO()
+        with mock.patch('letsencrypt.cli.sys.stdout', new=output):
+            self.assertRaises(SystemExit, self._call_stdout, ['--help', 'all'])
+            out = output.getvalue()
+            self.assertTrue("--configurator" in out)
+            self.assertTrue("how a cert is deployed" in out)
+            self.assertTrue("--manual-test-mode" in out)
+            output.truncate(0)
+            self.assertRaises(SystemExit, self._call_stdout, ['-h', 'nginx'])
+            out = output.getvalue()
+            self.assertTrue("--nginx-ctl" in out)
+            self.assertTrue("--manual-test-mode" not in out)
+            self.assertTrue("--checkpoints" not in out)
+            output.truncate(0)
+            self.assertRaises(SystemExit, self._call_stdout, ['--help', 'plugins'])
+            out = output.getvalue()
+            self.assertTrue("--manual-test-mode" not in out)
+            self.assertTrue("--prepare" in out)
+            self.assertTrue("Plugin options" in out)
+            output.truncate(0)
+            self.assertRaises(SystemExit, self._call_stdout, ['-h'])
+            out = output.getvalue()
+            from letsencrypt import cli
+            self.assertTrue(cli.USAGE in out)
+
 
     def test_rollback(self):
         _, _, _, client = self._call(['rollback'])
@@ -65,40 +111,114 @@ class CLITest(unittest.TestCase):
                   for r in xrange(len(flags)))):
             self._call(['plugins'] + list(args))
 
-    @mock.patch("letsencrypt.cli.sys")
+    def test_auth_bad_args(self):
+        ret, _, _, _ = self._call(['-d', 'foo.bar', 'auth', '--csr', CSR])
+        self.assertEqual(ret, '--domains and --csr are mutually exclusive')
+
+        ret, _, _, _ = self._call(['-a', 'bad_auth', 'auth'])
+        self.assertEqual(ret, 'Authenticator could not be determined')
+
+    @mock.patch('letsencrypt.cli.zope.component.getUtility')
+    def test_auth_new_request_success(self, mock_get_utility):
+        cert_path = '/etc/letsencrypt/live/foo.bar'
+        mock_lineage = mock.MagicMock(cert=cert_path)
+        mock_client = mock.MagicMock()
+        mock_client.obtain_and_enroll_certificate.return_value = mock_lineage
+        self._auth_new_request_common(mock_client)
+        self.assertEqual(
+            mock_client.obtain_and_enroll_certificate.call_count, 1)
+        self.assertTrue(
+            cert_path in mock_get_utility().add_message.call_args[0][0])
+
+    def test_auth_new_request_failure(self):
+        mock_client = mock.MagicMock()
+        mock_client.obtain_and_enroll_certificate.return_value = False
+        self.assertRaises(errors.Error,
+                          self._auth_new_request_common, mock_client)
+
+    def _auth_new_request_common(self, mock_client):
+        with mock.patch('letsencrypt.cli._treat_as_renewal') as mock_renewal:
+            mock_renewal.return_value = None
+            with mock.patch('letsencrypt.cli._init_le_client') as mock_init:
+                mock_init.return_value = mock_client
+                self._call(['-d', 'foo.bar', '-a', 'standalone', 'auth'])
+
+    @mock.patch('letsencrypt.cli.zope.component.getUtility')
+    @mock.patch('letsencrypt.cli._treat_as_renewal')
+    @mock.patch('letsencrypt.cli._init_le_client')
+    def test_auth_renewal(self, mock_init, mock_renewal, mock_get_utility):
+        cert_path = '/etc/letsencrypt/live/foo.bar'
+        mock_lineage = mock.MagicMock(cert=cert_path)
+        mock_cert = mock.MagicMock(body='body')
+        mock_key = mock.MagicMock(pem='pem_key')
+        mock_renewal.return_value = mock_lineage
+        mock_client = mock.MagicMock()
+        mock_client.obtain_certificate.return_value = (mock_cert, 'chain',
+                                                       mock_key, 'csr')
+        mock_init.return_value = mock_client
+        with mock.patch('letsencrypt.cli.OpenSSL'):
+            with mock.patch('letsencrypt.cli.crypto_util'):
+                self._call(['-d', 'foo.bar', '-a', 'standalone', 'auth'])
+        mock_client.obtain_certificate.assert_called_once_with(['foo.bar'])
+        self.assertEqual(mock_lineage.save_successor.call_count, 1)
+        mock_lineage.update_all_links_to.assert_called_once_with(
+            mock_lineage.latest_common_version())
+        self.assertTrue(
+            cert_path in mock_get_utility().add_message.call_args[0][0])
+
+    @mock.patch('letsencrypt.cli.display_ops.pick_installer')
+    @mock.patch('letsencrypt.cli.zope.component.getUtility')
+    @mock.patch('letsencrypt.cli._init_le_client')
+    def test_auth_csr(self, mock_init, mock_get_utility, mock_pick_installer):
+        cert_path = '/etc/letsencrypt/live/foo.bar'
+        mock_client = mock.MagicMock()
+        mock_client.obtain_certificate_from_csr.return_value = ('certr',
+                                                                'chain')
+        mock_init.return_value = mock_client
+        installer = 'installer'
+        self._call(
+            ['-a', 'standalone', '-i', installer, 'auth', '--csr', CSR,
+             '--cert-path', cert_path, '--chain-path', '/'])
+        self.assertEqual(mock_pick_installer.call_args[0][1], installer)
+        mock_client.save_certificate.assert_called_once_with(
+            'certr', 'chain', cert_path, '/')
+        self.assertTrue(
+            cert_path in mock_get_utility().add_message.call_args[0][0])
+
+    @mock.patch('letsencrypt.cli.sys')
     def test_handle_exception(self, mock_sys):
         # pylint: disable=protected-access
         from letsencrypt import cli
 
         mock_open = mock.mock_open()
-        with mock.patch("letsencrypt.cli.open", mock_open, create=True):
-            exception = Exception("detail")
+        with mock.patch('letsencrypt.cli.open', mock_open, create=True):
+            exception = Exception('detail')
             cli._handle_exception(
                 Exception, exc_value=exception, trace=None, args=None)
-            mock_open().write.assert_called_once_with("".join(
+            mock_open().write.assert_called_once_with(''.join(
                 traceback.format_exception_only(Exception, exception)))
             error_msg = mock_sys.exit.call_args_list[0][0][0]
-            self.assertTrue("unexpected error" in error_msg)
+            self.assertTrue('unexpected error' in error_msg)
 
-        with mock.patch("letsencrypt.cli.open", mock_open, create=True):
+        with mock.patch('letsencrypt.cli.open', mock_open, create=True):
             mock_open.side_effect = [KeyboardInterrupt]
-            error = errors.Error("detail")
+            error = errors.Error('detail')
             cli._handle_exception(
                 errors.Error, exc_value=error, trace=None, args=None)
             # assert_any_call used because sys.exit doesn't exit in cli.py
-            mock_sys.exit.assert_any_call("".join(
+            mock_sys.exit.assert_any_call(''.join(
                 traceback.format_exception_only(errors.Error, error)))
 
         args = mock.MagicMock(debug=False)
         cli._handle_exception(
-            Exception, exc_value=Exception("detail"), trace=None, args=args)
+            Exception, exc_value=Exception('detail'), trace=None, args=args)
         error_msg = mock_sys.exit.call_args_list[-1][0][0]
-        self.assertTrue("unexpected error" in error_msg)
+        self.assertTrue('unexpected error' in error_msg)
 
-        interrupt = KeyboardInterrupt("detail")
+        interrupt = KeyboardInterrupt('detail')
         cli._handle_exception(
             KeyboardInterrupt, exc_value=interrupt, trace=None, args=None)
-        mock_sys.exit.assert_called_with("".join(
+        mock_sys.exit.assert_called_with(''.join(
             traceback.format_exception_only(KeyboardInterrupt, interrupt)))
 
 
@@ -108,13 +228,13 @@ class DetermineAccountTest(unittest.TestCase):
     def setUp(self):
         self.args = mock.MagicMock(account=None, email=None)
         self.config = configuration.NamespaceConfig(self.args)
-        self.accs = [mock.MagicMock(id="x"), mock.MagicMock(id="y")]
+        self.accs = [mock.MagicMock(id='x'), mock.MagicMock(id='y')]
         self.account_storage = account.AccountMemoryStorage()
 
     def _call(self):
         # pylint: disable=protected-access
         from letsencrypt.cli import _determine_account
-        with mock.patch("letsencrypt.cli.account.AccountFileStorage") as mock_storage:
+        with mock.patch('letsencrypt.cli.account.AccountFileStorage') as mock_storage:
             mock_storage.return_value = self.account_storage
             return _determine_account(self.args, self.config)
 
@@ -131,7 +251,7 @@ class DetermineAccountTest(unittest.TestCase):
         self.assertEqual(self.accs[0].id, self.args.account)
         self.assertTrue(self.args.email is None)
 
-    @mock.patch("letsencrypt.client.display_ops.choose_account")
+    @mock.patch('letsencrypt.client.display_ops.choose_account')
     def test_multiple_accounts(self, mock_choose_accounts):
         for acc in self.accs:
             self.account_storage.save(acc)
@@ -142,11 +262,11 @@ class DetermineAccountTest(unittest.TestCase):
         self.assertEqual(self.accs[1].id, self.args.account)
         self.assertTrue(self.args.email is None)
 
-    @mock.patch("letsencrypt.client.display_ops.get_email")
+    @mock.patch('letsencrypt.client.display_ops.get_email')
     def test_no_accounts_no_email(self, mock_get_email):
-        mock_get_email.return_value = "foo@bar.baz"
+        mock_get_email.return_value = 'foo@bar.baz'
 
-        with mock.patch("letsencrypt.cli.client") as client:
+        with mock.patch('letsencrypt.cli.client') as client:
             client.register.return_value = (
                 self.accs[0], mock.sentinel.acme)
             self.assertEqual((self.accs[0], mock.sentinel.acme), self._call())
@@ -154,15 +274,15 @@ class DetermineAccountTest(unittest.TestCase):
             self.config, self.account_storage, tos_cb=mock.ANY)
 
         self.assertEqual(self.accs[0].id, self.args.account)
-        self.assertEqual("foo@bar.baz", self.args.email)
+        self.assertEqual('foo@bar.baz', self.args.email)
 
     def test_no_accounts_email(self):
-        self.args.email = "other email"
-        with mock.patch("letsencrypt.cli.client") as client:
+        self.args.email = 'other email'
+        with mock.patch('letsencrypt.cli.client') as client:
             client.register.return_value = (self.accs[1], mock.sentinel.acme)
             self._call()
         self.assertEqual(self.accs[1].id, self.args.account)
-        self.assertEqual("other email", self.args.email)
+        self.assertEqual('other email', self.args.email)
 
 
 class DuplicativeCertsTest(renewer_test.BaseRenewableCertTest):
@@ -176,36 +296,36 @@ class DuplicativeCertsTest(renewer_test.BaseRenewableCertTest):
     def tearDown(self):
         shutil.rmtree(self.tempdir)
 
-    @mock.patch("letsencrypt.le_util.make_or_verify_dir")
+    @mock.patch('letsencrypt.le_util.make_or_verify_dir')
     def test_find_duplicative_names(self, unused_makedir):
         from letsencrypt.cli import _find_duplicative_certs
-        test_cert = test_util.load_vector("cert-san.pem")
-        with open(self.test_rc.cert, "w") as f:
+        test_cert = test_util.load_vector('cert-san.pem')
+        with open(self.test_rc.cert, 'w') as f:
             f.write(test_cert)
 
         # No overlap at all
-        result = _find_duplicative_certs(["wow.net", "hooray.org"],
+        result = _find_duplicative_certs(['wow.net', 'hooray.org'],
                                          self.config, self.cli_config)
         self.assertEqual(result, (None, None))
 
         # Totally identical
-        result = _find_duplicative_certs(["example.com", "www.example.com"],
+        result = _find_duplicative_certs(['example.com', 'www.example.com'],
                                          self.config, self.cli_config)
-        self.assertTrue(result[0].configfile.filename.endswith("example.org.conf"))
+        self.assertTrue(result[0].configfile.filename.endswith('example.org.conf'))
         self.assertEqual(result[1], None)
 
         # Superset
-        result = _find_duplicative_certs(["example.com", "www.example.com",
-                                          "something.new"], self.config,
+        result = _find_duplicative_certs(['example.com', 'www.example.com',
+                                          'something.new'], self.config,
                                          self.cli_config)
         self.assertEqual(result[0], None)
-        self.assertTrue(result[1].configfile.filename.endswith("example.org.conf"))
+        self.assertTrue(result[1].configfile.filename.endswith('example.org.conf'))
 
         # Partial overlap doesn't count
-        result = _find_duplicative_certs(["example.com", "something.new"],
+        result = _find_duplicative_certs(['example.com', 'something.new'],
                                          self.config, self.cli_config)
         self.assertEqual(result, (None, None))
 
 
-if __name__ == "__main__":
+if __name__ == '__main__':
     unittest.main()  # pragma: no cover

letsencrypt/tests/display/ops_test.py

@@ -84,7 +84,7 @@ class PickPluginTest(unittest.TestCase):
 
     def test_no_default(self):
         self._call()
-        self.assertEqual(1, self.reg.ifaces.call_count)
+        self.assertEqual(1, self.reg.visible().ifaces.call_count)
 
     def test_no_candidate(self):
         self.assertTrue(self._call() is None)
@@ -94,7 +94,8 @@ class PickPluginTest(unittest.TestCase):
         plugin_ep.init.return_value = "foo"
         plugin_ep.misconfigured = False
 
-        self.reg.ifaces().verify().available.return_value = {"bar": plugin_ep}
+        self.reg.visible().ifaces().verify().available.return_value = {
+            "bar": plugin_ep}
         self.assertEqual("foo", self._call())
 
     def test_single_misconfigured(self):
@@ -102,13 +103,14 @@ class PickPluginTest(unittest.TestCase):
         plugin_ep.init.return_value = "foo"
         plugin_ep.misconfigured = True
 
-        self.reg.ifaces().verify().available.return_value = {"bar": plugin_ep}
+        self.reg.visible().ifaces().verify().available.return_value = {
+            "bar": plugin_ep}
         self.assertTrue(self._call() is None)
 
     def test_multiple(self):
         plugin_ep = mock.MagicMock()
         plugin_ep.init.return_value = "foo"
-        self.reg.ifaces().verify().available.return_value = {
+        self.reg.visible().ifaces().verify().available.return_value = {
             "bar": plugin_ep,
             "baz": plugin_ep,
         }
@@ -119,7 +121,7 @@ class PickPluginTest(unittest.TestCase):
             [plugin_ep, plugin_ep], self.question)
 
     def test_choose_plugin_none(self):
-        self.reg.ifaces().verify().available.return_value = {
+        self.reg.visible().ifaces().verify().available.return_value = {
             "bar": None,
             "baz": None,
         }

letsencrypt/tests/error_handler_test.py

@@ -1,5 +1,6 @@
 """Tests for letsencrypt.error_handler."""
 import signal
+import sys
 import unittest
 
 import mock
@@ -50,6 +51,14 @@ class ErrorHandlerTest(unittest.TestCase):
         self.init_func.assert_called_once_with()
         bad_func.assert_called_once_with()
 
+    def test_sysexit_ignored(self):
+        try:
+            with self.handler:
+                sys.exit(0)
+        except SystemExit:
+            pass
+        self.assertFalse(self.init_func.called)
+
 
 if __name__ == "__main__":
     unittest.main()  # pragma: no cover

letsencrypt/tests/log_test.py

@@ -8,7 +8,7 @@ import mock
 class DialogHandlerTest(unittest.TestCase):
 
     def setUp(self):
-        self.d = mock.MagicMock()  # pylint: disable=invalid-name
+        self.d = mock.MagicMock()
 
         from letsencrypt.log import DialogHandler
         self.handler = DialogHandler(height=2, width=6, d=self.d)

letsencrypt/tests/reporter_test.py

@@ -82,9 +82,11 @@ class ReporterTest(unittest.TestCase):
         self.assertTrue("Low" not in output)
 
     def _add_messages(self):
-        self.reporter.add_message("High", self.reporter.HIGH_PRIORITY, True)
-        self.reporter.add_message("Med", self.reporter.MEDIUM_PRIORITY)
-        self.reporter.add_message("Low", self.reporter.LOW_PRIORITY)
+        self.reporter.add_message("High", self.reporter.HIGH_PRIORITY)
+        self.reporter.add_message(
+            "Med", self.reporter.MEDIUM_PRIORITY, on_crash=False)
+        self.reporter.add_message(
+            "Low", self.reporter.LOW_PRIORITY, on_crash=False)
 
 
 if __name__ == "__main__":

letsencrypt/tests/reverter_test.py

@@ -85,7 +85,7 @@ class ReverterCheckpointLocalTest(unittest.TestCase):
         self.assertEqual(read_in(self.config1), "directive-dir1")
 
     def test_multiple_registration_fail_and_revert(self):
-        # pylint: disable=invalid-name
+
         config3 = os.path.join(self.dir1, "config3.txt")
         update_file(config3, "Config3")
         config4 = os.path.join(self.dir2, "config4.txt")
@@ -173,7 +173,7 @@ class ReverterCheckpointLocalTest(unittest.TestCase):
         self.assertRaises(errors.ReverterError, self.reverter.recovery_routine)
 
     def test_recover_checkpoint_revert_temp_failures(self):
-        # pylint: disable=invalid-name
+
         mock_recover = mock.MagicMock(
             side_effect=errors.ReverterError("e"))
 
@@ -291,7 +291,7 @@ class TestFullCheckpointsReverter(unittest.TestCase):
             errors.ReverterError, self.reverter.rollback_checkpoints, "one")
 
     def test_rollback_finalize_checkpoint_valid_inputs(self):
-        # pylint: disable=invalid-name
+
         config3 = self._setup_three_checkpoints()
 
         # Check resulting backup directory
@@ -334,7 +334,7 @@ class TestFullCheckpointsReverter(unittest.TestCase):
 
     @mock.patch("letsencrypt.reverter.os.rename")
     def test_finalize_checkpoint_no_rename_directory(self, mock_rename):
-        # pylint: disable=invalid-name
+
         self.reverter.add_to_checkpoint(self.sets[0], "perm save")
         mock_rename.side_effect = OSError
 

setup.py

@@ -125,7 +125,6 @@ setup(
         ],
         'letsencrypt.plugins': [
             'manual = letsencrypt.plugins.manual:Authenticator',
-            # TODO: null should probably not be presented to the user
             'null = letsencrypt.plugins.null:Installer',
             'standalone = letsencrypt.plugins.standalone.authenticator'
             ':StandaloneAuthenticator',

tests/boulder-start.sh

@@ -4,11 +4,17 @@
 
 # ugh, go version output is like:
 # go version go1.4.2 linux/amd64
-GOVER=`go version | cut -d" " -f3 | cut -do -f2`  
+GOVER=`go version | cut -d" " -f3 | cut -do -f2`
 
 # version comparison
 function verlte {
+  #OS X doesn't support version sorting; emulate with sed
+  if [ `uname` == 'Darwin' ]; then
+    [ "$1" = "`echo -e \"$1\n$2\" |  sed 's/\b\([0-9]\)\b/0\1/g' \
+      | sort | sed 's/\b0\([0-9]\)/\1/g' | head -n1`" ]
+  else
     [  "$1" = "`echo -e "$1\n$2" | sort -V | head -n1`" ]
+  fi
 }
 
 if ! verlte 1.5 "$GOVER" ; then

tox.cover.sh

@@ -16,7 +16,7 @@ fi
 
 cover () {
   if [ "$1" = "letsencrypt" ]; then
-    min=96
+    min=97
   elif [ "$1" = "acme" ]; then
     min=100
   elif [ "$1" = "letsencrypt_apache" ]; then