Merge pull request #6274 from certbot/merge-master-into-test-everything

Merge master into test everything
2026-06-04 22:33:00 -04:00 · 2018-07-31 11:15:15 -07:00 · 2018-07-31 11:15:15 -07:00 · 5726d32d8a
commit 5726d32d8a
parent 24bb28186f b28380f7b2
15 changed files with 94 additions and 22 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -20,7 +20,7 @@ before_script:
 matrix:
  include:
    - python: "2.7"
-      env: TOXENV=cover NUMPROCESSES=2 FYI="this also tests py27"
+      env: TOXENV=cover FYI="this also tests py27"
    - python: "2.7"
      env: TOXENV=lint
    - python: "2.7"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,19 @@

 Certbot adheres to [Semantic Versioning](http://semver.org/).

+## 0.26.1 - 2018-07-17
+
+### Fixed
+
+* Fix a bug that was triggered when users who had previously manually set `--server` to get ACMEv2 certs tried to renew ACMEv1 certs.
+
+Despite us having broken lockstep, we are continuing to release new versions of all Certbot components during releases for the time being, however, the only package with changes other than its version number was:
+
+* certbot
+
+More details about these changes can be found on our GitHub repo:
+https://github.com/certbot/certbot/milestone/58?closed=1
+
 ## 0.26.0 - 2018-07-11

 ### Added
@ -783,7 +796,7 @@ https://github.com/certbot/certbot/pulls?q=is%3Apr%20milestone%3A0.11.1%20is%3Ac

 ### Added

-* When using the standalone plugin while running Certbot interactively 
+* When using the standalone plugin while running Certbot interactively
 and a required port is bound by another process, Certbot will give you
 the option to retry to grab the port rather than immediately exiting.
 * You are now able to deactivate your account with the Let's Encrypt
--- a/acme/acme/client.py
+++ b/acme/acme/client.py
@ -577,16 +577,33 @@ class ClientV2(ClientBase):

        :param .NewRegistration new_account:

+        :raises .ConflictError: in case the account already exists
+
        :returns: Registration Resource.
        :rtype: `.RegistrationResource`
        """
        response = self._post(self.directory['newAccount'], new_account)
+        # if account already exists
+        if response.status_code == 200 and 'Location' in response.headers:
+            raise errors.ConflictError(response.headers.get('Location'))
        # "Instance of 'Field' has no key/contact member" bug:
        # pylint: disable=no-member
        regr = self._regr_from_response(response)
        self.net.account = regr
        return regr

+    def query_registration(self, regr):
+        """Query server about registration.
+
+        :param messages.RegistrationResource: Existing Registration
+            Resource.
+
+        """
+        self.net.account = regr
+        updated_regr = super(ClientV2, self).query_registration(regr)
+        self.net.account = updated_regr
+        return updated_regr
+
    def update_registration(self, regr, update=None):
        """Update registration.

--- a/acme/acme/client_test.py
+++ b/acme/acme/client_test.py
@ -134,6 +134,12 @@ class BackwardsCompatibleClientV2Test(ClientTestBase):
        client = self._init()
        self.assertEqual(client.acme_version, 2)

+    def test_query_registration_client_v2(self):
+        self.response.json.return_value = DIRECTORY_V2.to_json()
+        client = self._init()
+        self.response.json.return_value = self.regr.body.to_json()
+        self.assertEqual(self.regr, client.query_registration(self.regr))
+
    def test_forwarding(self):
        self.response.json.return_value = DIRECTORY_V1.to_json()
        client = self._init()
@ -706,6 +712,11 @@ class ClientV2Test(ClientTestBase):

        self.assertEqual(self.regr, self.client.new_account(self.new_reg))

+    def test_new_account_conflict(self):
+        self.response.status_code = http_client.OK
+        self.response.headers['Location'] = self.regr.uri
+        self.assertRaises(errors.ConflictError, self.client.new_account, self.new_reg)
+
    def test_new_order(self):
        order_response = copy.deepcopy(self.response)
        order_response.status_code = http_client.CREATED
--- a/acme/acme/errors.py
+++ b/acme/acme/errors.py
@ -110,6 +110,8 @@ class ConflictError(ClientError):

    In the version of ACME implemented by Boulder, this is used to find an
    account if you only have the private key, but don't know the account URL.
+
+    Also used in V2 of the ACME client for the same purpose.
    """
    def __init__(self, location):
        self.location = location
--- a/certbot-apache/certbot_apache/display_ops.py
+++ b/certbot-apache/certbot_apache/display_ops.py
@ -113,8 +113,7 @@ def _vhost_menu(domain, vhosts):
        code, tag = zope.component.getUtility(interfaces.IDisplay).menu(
            "We were unable to find a vhost with a ServerName "
            "or Address of {0}.{1}Which virtual host would you "
-            "like to choose?\n(note: conf files with multiple "
-            "vhosts are not yet supported)".format(domain, os.linesep),
+            "like to choose?".format(domain, os.linesep),
            choices, force_interactive=True)
    except errors.MissingCommandlineFlag:
        msg = (
--- a/certbot-dns-sakuracloud/certbot_dns_sakuracloud/dns_sakuracloud_test.py
+++ b/certbot-dns-sakuracloud/certbot_dns_sakuracloud/dns_sakuracloud_test.py
@ -38,7 +38,8 @@ class AuthenticatorTest(test_util.TempDirTestCase,
        self.auth._get_sakuracloud_client = mock.MagicMock(return_value=self.mock_client)


-class NS1LexiconClientTest(unittest.TestCase, dns_test_common_lexicon.BaseLexiconClientTest):
+class SakuraCloudLexiconClientTest(unittest.TestCase,
+                                   dns_test_common_lexicon.BaseLexiconClientTest):
    DOMAIN_NOT_FOUND = HTTPError('404 Client Error: Not Found for url: {0}.'.format(DOMAIN))
    LOGIN_ERROR = HTTPError('401 Client Error: Unauthorized for url: {0}.'.format(DOMAIN))

--- a/certbot-nginx/local-oldest-requirements.txt
+++ b/certbot-nginx/local-oldest-requirements.txt
@ -1,2 +1,2 @@
-acme[dev]==0.25.0
+acme[dev]==0.26.0
 -e .[dev]
--- a/certbot-nginx/setup.py
+++ b/certbot-nginx/setup.py
@ -7,7 +7,7 @@ version = '0.27.0.dev0'
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
-    'acme>=0.25.0',
+    'acme>=0.26.0',
    'certbot>=0.22.0',
    'mock',
    'PyOpenSSL',
--- a/docs/install.rst
+++ b/docs/install.rst
@ -40,11 +40,17 @@ supports
 <https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/constants.py>`_
 modern OSes based on Debian, Fedora, SUSE, Gentoo and Darwin.

+
+Additional integrity verification of certbot-auto script can be done by verifying its digital signature.
+This requires a local installation of gpg2, which comes packaged in many Linux distributions under name gnupg or gnupg2.
+
+
 Installing with ``certbot-auto`` requires 512MB of RAM in order to build some
 of the dependencies. Installing from pre-built OS packages avoids this
 requirement. You can also temporarily set a swap file. See "Problems with
 Python virtual environment" below for details.

+
 Alternate installation methods
 ================================

@ -64,12 +70,30 @@ download and run it as follows::
  user@webserver:~$ chmod a+x ./certbot-auto
  user@webserver:~$ ./certbot-auto --help

-.. hint:: The certbot-auto download is protected by HTTPS, which is pretty good, but if you'd like to
-          double check the integrity of the ``certbot-auto`` script, you can use these steps for verification before running it::
+To check the integrity of the ``certbot-auto`` script,
+you can use these steps::
+
+
+	    user@webserver:~$ wget -N https://dl.eff.org/certbot-auto.asc
+	    user@webserver:~$ gpg2 --keyserver pool.sks-keyservers.net --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
+	    user@webserver:~$ gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc certbot-auto
+
+
+
+The output of the last command should look something like::
+
+
+	    gpg: Signature made Wed 02 May 2018 05:29:12 AM IST
+	    gpg:                using RSA key A2CFB51FA275A7286234E7B24D17C995CD9775F2
+	    gpg: key 4D17C995CD9775F2 marked as ultimately trusted
+	    gpg: checking the trustdb
+	    gpg: marginals needed: 3  completes needed: 1  trust model: pgp
+	    gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
+	    gpg: depth: 1  valid:   2  signed:   0  trust: 2-, 0q, 0n, 0m, 0f, 0u
+	    gpg: next trustdb check due at 2027-11-22
+	    gpg: Good signature from "Let's Encrypt Client Team <letsencrypt-client@eff.org>" [ultimate]
+

-            user@server:~$ wget -N https://dl.eff.org/certbot-auto.asc
-            user@server:~$ gpg2 --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
-            user@server:~$ gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc certbot-auto

 The ``certbot-auto`` command updates to the latest client release automatically.
 Since ``certbot-auto`` is a wrapper to ``certbot``, it accepts exactly
--- a/local-oldest-requirements.txt
+++ b/local-oldest-requirements.txt
@ -1 +1 @@
-acme[dev]==0.25.0
+acme[dev]==0.26.0
--- a/setup.py
+++ b/setup.py
@ -32,7 +32,7 @@ version = meta['version']
 # specified here to avoid masking the more specific request requirements in
 # acme. See https://github.com/pypa/pip/issues/988 for more info.
 install_requires = [
-    'acme>=0.25.0',
+    'acme>=0.26.0',
    # We technically need ConfigArgParse 0.10.0 for Python 2.6 support, but
    # saying so here causes a runtime error against our temporary fork of 0.9.3
    # in which we added 2.6 support (see #2243), so we relax the requirement.
--- a/tools/dev_constraints.txt
+++ b/tools/dev_constraints.txt
@ -48,7 +48,7 @@ pylint==1.4.2
 pytest==3.2.5
 pytest-cov==2.5.1
 pytest-forked==0.2
-pytest-xdist==1.20.1
+pytest-xdist==1.22.5
 python-dateutil==2.6.1
 python-digitalocean==1.11
 PyYAML==3.13
--- a/tox.cover.sh
+++ b/tox.cover.sh
@ -8,8 +8,6 @@
 #
 # -e makes sure we fail fast and don't submit coveralls submit

-NUMPROCESSES=${NUMPROCESSES:=auto}
-
 if [ "xxx$1" = "xxx" ]; then
  pkgs="certbot acme certbot_apache certbot_dns_cloudflare certbot_dns_cloudxns certbot_dns_digitalocean certbot_dns_dnsimple certbot_dns_dnsmadeeasy certbot_dns_gehirn certbot_dns_google certbot_dns_linode certbot_dns_luadns certbot_dns_nsone certbot_dns_ovh certbot_dns_rfc2136 certbot_dns_route53 certbot_dns_sakuracloud certbot_nginx certbot_postfix letshelp_certbot"
 else
@ -63,7 +61,7 @@ cover () {
  fi

  pkg_dir=$(echo "$1" | tr _ -)
-  pytest --cov "$pkg_dir" --cov-append --cov-report= --numprocesses "$NUMPROCESSES" --pyargs "$1"
+  pytest --cov "$pkg_dir" --cov-append --cov-report= --numprocesses "auto" --pyargs "$1"
  coverage report --fail-under="$min" --include="$pkg_dir/*" --show-missing
 }

--- a/tox.ini
+++ b/tox.ini
@ -64,6 +64,7 @@ source_paths =
    tests/lock_test.py

 [testenv]
+passenv = TRAVIS
 commands =
    {[base]install_and_test} {[base]all_packages}
    python tests/lock_test.py
@ -121,7 +122,6 @@ commands =

 [testenv:cover]
 basepython = python2.7
-passenv = NUMPROCESSES
 commands =
    {[base]install_packages}
    ./tox.cover.sh
@ -166,7 +166,9 @@ commands =
    docker run --rm -it apache-compat -c apache.tar.gz -vvvv
 whitelist_externals =
    docker
-passenv = DOCKER_*
+passenv =
+    DOCKER_*
+    TRAVIS

 [testenv:nginx_compat]
 commands =
@ -175,7 +177,9 @@ commands =
    docker run --rm -it nginx-compat -c nginx.tar.gz -vv -aie
 whitelist_externals =
    docker
-passenv = DOCKER_*
+passenv =
+    DOCKER_*
+    TRAVIS

 [testenv:le_auto_precise]
 # At the moment, this tests under Python 2.7 only, as only that version is
@ -185,7 +189,9 @@ commands =
    docker run --rm -t -i lea
 whitelist_externals =
    docker
-passenv = DOCKER_*
+passenv =
+    DOCKER_*
+    TRAVIS

 [testenv:le_auto_trusty]
 # At the moment, this tests under Python 2.7 only, as only that version is
@ -198,6 +204,7 @@ whitelist_externals =
    docker
 passenv =
    DOCKER_*
+    TRAVIS
    TRAVIS_BRANCH

 [testenv:le_auto_wheezy]