diff --git a/CHANGELOG.md b/CHANGELOG.md index de2fdfb03..70cb3f8ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,15 @@ Certbot adheres to [Semantic Versioning](https://semver.org/). More details about these changes can be found on our GitHub repo. +## 0.37.1 - 2019-08-08 + +### Fixed + +* Stop disabling TLS session tickets in Apache as it caused TLS failures on + some systems. + +More details about these changes can be found on our GitHub repo. + ## 0.37.0 - 2019-08-07 ### Added diff --git a/certbot-apache/MANIFEST.in b/certbot-apache/MANIFEST.in index c1f79fcc7..3e594a953 100644 --- a/certbot-apache/MANIFEST.in +++ b/certbot-apache/MANIFEST.in @@ -2,5 +2,6 @@ include LICENSE.txt include README.rst recursive-include docs * recursive-include certbot_apache/tests/testdata * +include certbot_apache/centos-options-ssl-apache.conf +include certbot_apache/options-ssl-apache.conf recursive-include certbot_apache/augeas_lens *.aug -recursive-include certbot_apache/tls_configs *.conf diff --git a/certbot-apache/certbot_apache/apache_util.py b/certbot-apache/certbot_apache/apache_util.py index f338c0407..7a2ecf49b 100644 --- a/certbot-apache/certbot_apache/apache_util.py +++ b/certbot-apache/certbot_apache/apache_util.py @@ -1,8 +1,6 @@ """ Utility functions for certbot-apache plugin """ import binascii -import pkg_resources - from certbot import util from certbot.compat import os @@ -107,15 +105,3 @@ def parse_define_file(filepath, varname): def unique_id(): """ Returns an unique id to be used as a VirtualHost identifier""" return binascii.hexlify(os.urandom(16)).decode("utf-8") - - -def find_ssl_apache_conf(prefix): - """ - Find a TLS Apache config file in the dedicated storage. - :param str prefix: prefix of the TLS Apache config file to find - :return: the path the TLS Apache config file - :rtype: str - """ - return pkg_resources.resource_filename( - "certbot_apache", - os.path.join("tls_configs", "{0}-options-ssl-apache.conf".format(prefix))) 
diff --git a/certbot-apache/certbot_apache/tls_configs/centos-current-options-ssl-apache.conf b/certbot-apache/certbot_apache/centos-options-ssl-apache.conf similarity index 84% rename from certbot-apache/certbot_apache/tls_configs/centos-current-options-ssl-apache.conf rename to certbot-apache/certbot_apache/centos-options-ssl-apache.conf index 2d99f6219..56c946a4e 100644 --- a/certbot-apache/certbot_apache/tls_configs/centos-current-options-ssl-apache.conf +++ b/certbot-apache/certbot_apache/centos-options-ssl-apache.conf @@ -10,10 +10,16 @@ SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLHonorCipherOrder on -SSLSessionTickets off SSLOptions +StrictRequire # Add vhost name to log entries: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common + +#CustomLog /var/log/apache2/access.log vhost_combined +#LogLevel warn +#ErrorLog /var/log/apache2/error.log + +# Always ensure Cookies have "Secure" set (JAH 2012/1) +#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4" diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index ecc7c83ab..f7c27bf76 100644 --- a/certbot-apache/certbot_apache/configurator.py 
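Review bot: With `SSLSessionTickets off` removed in this hunk, and in the matching hunk for `options-ssl-apache.conf`, session tickets fall back to mod_ssl's default, which is enabled, and nothing in the file tells an operator so. When no `SSLSessionTicketKeyFile` is configured, the ticket key is generated when the server starts, so forward secrecy for resumed sessions depends on how often Apache is restarted. I would add a comment next to `SSLHonorCipherOrder on`, for example `# Session tickets are left at the Apache default (enabled); restart Apache regularly so ticket keys rotate.` Any edit to this file changes its SHA-256, so the new digest would have to be added to `constants.ALL_SSL_OPTIONS_HASHES` in the same change.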
+++ b/certbot-apache/certbot_apache/configurator.py @@ -9,6 +9,7 @@ import time from collections import defaultdict +import pkg_resources import six import zope.component @@ -109,24 +110,14 @@ class ApacheConfigurator(common.Installer): handle_modules=False, handle_sites=False, challenge_location="/etc/apache2", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + "certbot_apache", "options-ssl-apache.conf") ) def option(self, key): """Get a value from options""" return self.options.get(key) - def pick_apache_config(self): - """ - Pick the appropriate TLS Apache configuration file for current version of Apache and OS. - :return: the path to the TLS Apache configuration file to use - :rtype: str - """ - # Disabling TLS session tickets is supported by Apache 2.4.11+. - # So for old versions of Apache we pick a configuration without this option. - if self.version < (2, 4, 11): - return apache_util.find_ssl_apache_conf("old") - return apache_util.find_ssl_apache_conf("current") - def _prepare_options(self): """ Set the values possibly changed by command line parameters to @@ -2348,9 +2339,8 @@ class ApacheConfigurator(common.Installer): # XXX if we ever try to enforce a local privilege boundary (eg, running # certbot for unprivileged users via setuid), this function will need # to be modified. - apache_config_path = self.pick_apache_config() - return common.install_version_controlled_file( - options_ssl, options_ssl_digest, apache_config_path, constants.ALL_SSL_OPTIONS_HASHES) + return common.install_version_controlled_file(options_ssl, options_ssl_digest, + self.option("MOD_SSL_CONF_SRC"), constants.ALL_SSL_OPTIONS_HASHES) def enable_autohsts(self, _unused_lineage, domains): """ 
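Review bot: `self.option("MOD_SSL_CONF_SRC")` in the last hunk goes through `option()`, which is `self.options.get(key)`, so a configurator whose `OS_DEFAULTS` lacks the new key passes `None` to `common.install_version_controlled_file` as the source path. Every override in this commit adds the key, but each one restates the whole dict, so a subclass maintained outside this tree would presumably fail later with an error that does not name the missing option. A direct lookup such as `self.options["MOD_SSL_CONF_SRC"]` would report the key name immediately. A one-line comment on the `OS_DEFAULTS` entry, saying it is the packaged source of the mod_ssl options file that gets installed into the Apache configuration, would also help. The enclosing method starts outside the hunk.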
diff --git a/certbot-apache/certbot_apache/tls_configs/current-options-ssl-apache.conf b/certbot-apache/certbot_apache/options-ssl-apache.conf similarity index 85% rename from certbot-apache/certbot_apache/tls_configs/current-options-ssl-apache.conf rename to certbot-apache/certbot_apache/options-ssl-apache.conf index c32e83148..8113ee81e 100644 --- a/certbot-apache/certbot_apache/tls_configs/current-options-ssl-apache.conf +++ b/certbot-apache/certbot_apache/options-ssl-apache.conf @@ -11,10 +11,16 @@ SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLHonorCipherOrder on SSLCompression off -SSLSessionTickets off SSLOptions +StrictRequire # Add vhost name to log entries: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common + +#CustomLog /var/log/apache2/access.log vhost_combined +#LogLevel warn +#ErrorLog /var/log/apache2/error.log + +# Always ensure Cookies have "Secure" set (JAH 2012/1) +#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4" diff --git a/certbot-apache/certbot_apache/override_arch.py b/certbot-apache/certbot_apache/override_arch.py index 02891548d..c5620e9f9 100644 --- a/certbot-apache/certbot_apache/override_arch.py +++ b/certbot-apache/certbot_apache/override_arch.py 
@@ -1,4 +1,6 @@ """ Distribution specific override class for Arch Linux """ +import pkg_resources + import zope.interface from certbot import interfaces @@ -24,4 +26,6 @@ class ArchConfigurator(configurator.ApacheConfigurator): handle_modules=False, handle_sites=False, challenge_location="/etc/httpd/conf", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + "certbot_apache", "options-ssl-apache.conf") ) diff --git a/certbot-apache/certbot_apache/override_centos.py b/certbot-apache/certbot_apache/override_centos.py index d4a7d7137..7c7492dbf 100644 --- a/certbot-apache/certbot_apache/override_centos.py +++ b/certbot-apache/certbot_apache/override_centos.py @@ -1,6 +1,7 @@ """ Distribution specific override class for CentOS family (RHEL, Fedora) """ import logging +import pkg_resources import zope.interface from certbot import errors @@ -38,6 +39,8 @@ class CentOSConfigurator(configurator.ApacheConfigurator): handle_modules=False, handle_sites=False, challenge_location="/etc/httpd/conf.d", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + "certbot_apache", "centos-options-ssl-apache.conf") ) def config_test(self): @@ -72,18 +75,6 @@ class CentOSConfigurator(configurator.ApacheConfigurator): # Finish with actual config check to see if systemctl restart helped super(CentOSConfigurator, self).config_test() - def pick_apache_config(self): - """ - Pick the appropriate TLS Apache configuration file for current version of Apache and OS. - :return: the path to the TLS Apache configuration file to use - :rtype: str - """ - # Disabling TLS session tickets is supported by Apache 2.4.11+. - # So for old versions of Apache we pick a configuration without this option. - if self.version < (2, 4, 11): - return apache_util.find_ssl_apache_conf("centos-old") - return apache_util.find_ssl_apache_conf("centos-current") - def _prepare_options(self): """ Override the options dictionary initialization in order to support 
diff --git a/certbot-apache/certbot_apache/override_darwin.py b/certbot-apache/certbot_apache/override_darwin.py index e825b66b8..4e2a6acac 100644 --- a/certbot-apache/certbot_apache/override_darwin.py +++ b/certbot-apache/certbot_apache/override_darwin.py @@ -1,4 +1,6 @@ """ Distribution specific override class for macOS """ +import pkg_resources + import zope.interface from certbot import interfaces @@ -24,4 +26,6 @@ class DarwinConfigurator(configurator.ApacheConfigurator): handle_modules=False, handle_sites=False, challenge_location="/etc/apache2/other", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + "certbot_apache", "options-ssl-apache.conf") ) diff --git a/certbot-apache/certbot_apache/override_debian.py b/certbot-apache/certbot_apache/override_debian.py index 1fc32670b..58492bd01 100644 --- a/certbot-apache/certbot_apache/override_debian.py +++ b/certbot-apache/certbot_apache/override_debian.py @@ -1,6 +1,7 @@ """ Distribution specific override class for Debian family (Ubuntu/Debian) """ import logging +import pkg_resources import zope.interface from certbot import errors @@ -34,6 +35,8 @@ class DebianConfigurator(configurator.ApacheConfigurator): handle_modules=True, handle_sites=True, challenge_location="/etc/apache2", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + "certbot_apache", "options-ssl-apache.conf") ) def enable_site(self, vhost): diff --git a/certbot-apache/certbot_apache/override_fedora.py b/certbot-apache/certbot_apache/override_fedora.py index 77f31efe8..786ada0fc 100644 --- a/certbot-apache/certbot_apache/override_fedora.py +++ b/certbot-apache/certbot_apache/override_fedora.py @@ -1,4 +1,5 @@ """ Distribution specific override class for Fedora 29+ """ +import pkg_resources import zope.interface from certbot import errors 
@@ -30,6 +31,9 @@ class FedoraConfigurator(configurator.ApacheConfigurator): handle_modules=False, handle_sites=False, challenge_location="/etc/httpd/conf.d", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + # TODO: eventually newest version of Fedora will need their own config + "certbot_apache", "centos-options-ssl-apache.conf") ) def config_test(self): diff --git a/certbot-apache/certbot_apache/override_gentoo.py b/certbot-apache/certbot_apache/override_gentoo.py index 6fa033857..c358a10fa 100644 --- a/certbot-apache/certbot_apache/override_gentoo.py +++ b/certbot-apache/certbot_apache/override_gentoo.py @@ -1,4 +1,6 @@ """ Distribution specific override class for Gentoo Linux """ +import pkg_resources + import zope.interface from certbot import interfaces @@ -27,6 +29,8 @@ class GentooConfigurator(configurator.ApacheConfigurator): handle_modules=False, handle_sites=False, challenge_location="/etc/apache2/vhosts.d", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + "certbot_apache", "options-ssl-apache.conf") ) def _prepare_options(self): diff --git a/certbot-apache/certbot_apache/override_suse.py b/certbot-apache/certbot_apache/override_suse.py index 4baa57497..3d0043afe 100644 --- a/certbot-apache/certbot_apache/override_suse.py +++ b/certbot-apache/certbot_apache/override_suse.py @@ -1,4 +1,6 @@ """ Distribution specific override class for OpenSUSE """ +import pkg_resources + import zope.interface from certbot import interfaces @@ -24,4 +26,6 @@ class OpenSUSEConfigurator(configurator.ApacheConfigurator): handle_modules=False, handle_sites=False, challenge_location="/etc/apache2/vhosts.d", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + "certbot_apache", "options-ssl-apache.conf") ) diff --git a/certbot-apache/certbot_apache/tests/centos_test.py b/certbot-apache/certbot_apache/tests/centos_test.py index 5c8cff3b3..dddbf489e 100644 --- a/certbot-apache/certbot_apache/tests/centos_test.py +++ b/certbot-apache/certbot_apache/tests/centos_test.py 
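Review bot: The TODO inside the `resource_filename(...)` arguments for Fedora does not say what the shared CentOS file is missing, so the follow-up is easy to lose. As far as the hunks for the two packaged files show, `centos-options-ssl-apache.conf` has no `SSLCompression off` line while `options-ssl-apache.conf` does, so Fedora 29+ presumably inherits settings chosen for older CentOS Apache builds. I would move the comment above the `MOD_SSL_CONF_SRC=` line and make it specific, e.g. `# TODO: Fedora shares the CentOS options file, which omits directives newer Apache supports (e.g. SSLCompression); give Fedora its own file.`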
@@ -190,13 +190,6 @@ class MultipleVhostsTestCentOS(util.ApacheTest): errors.SubprocessError] self.assertRaises(errors.MisconfigurationError, self.config.restart) - def test_pick_correct_tls_config(self): - self.config.version = (2, 4, 10) - self.assertTrue('centos-old' in self.config.pick_apache_config()) - - self.config.version = (2, 4, 11) - self.assertTrue('centos-current' in self.config.pick_apache_config()) - if __name__ == "__main__": unittest.main() # pragma: no cover diff --git a/certbot-apache/certbot_apache/tests/configurator_test.py b/certbot-apache/certbot_apache/tests/configurator_test.py index 2bc2271a1..1eafae982 100644 --- a/certbot-apache/certbot_apache/tests/configurator_test.py +++ b/certbot-apache/certbot_apache/tests/configurator_test.py @@ -1706,7 +1706,7 @@ class InstallSslOptionsConfTest(util.ApacheTest): self.config.updated_mod_ssl_conf_digest) def _current_ssl_options_hash(self): - return crypto_util.sha256sum(self.config.pick_apache_config()) + return crypto_util.sha256sum(self.config.option("MOD_SSL_CONF_SRC")) def _assert_current_file(self): self.assertTrue(os.path.isfile(self.config.mod_ssl_conf)) @@ -1742,7 +1742,7 @@ class InstallSslOptionsConfTest(util.ApacheTest): self.assertFalse(mock_logger.warning.called) self.assertTrue(os.path.isfile(self.config.mod_ssl_conf)) self.assertEqual(crypto_util.sha256sum( - self.config.pick_apache_config()), + self.config.option("MOD_SSL_CONF_SRC")), self._current_ssl_options_hash()) self.assertNotEqual(crypto_util.sha256sum(self.config.mod_ssl_conf), self._current_ssl_options_hash()) 
@@ -1758,31 +1758,18 @@ class InstallSslOptionsConfTest(util.ApacheTest): "%s has been manually modified; updated file " "saved to %s. We recommend updating %s for security purposes.") self.assertEqual(crypto_util.sha256sum( - self.config.pick_apache_config()), + self.config.option("MOD_SSL_CONF_SRC")), self._current_ssl_options_hash()) # only print warning once with mock.patch("certbot.plugins.common.logger") as mock_logger: self._call() self.assertFalse(mock_logger.warning.called) - def test_ssl_config_files_hash_in_all_hashes(self): - """ - It is really critical that all TLS Apache config files have their SHA256 hash registered in - constants.ALL_SSL_OPTIONS_HASHES. Otherwise Certbot will mistakenly assume that the config - file has been manually edited by the user, and will refuse to update it. - This test ensures that all necessary hashes are present. - """ + def test_current_file_hash_in_all_hashes(self): from certbot_apache.constants import ALL_SSL_OPTIONS_HASHES - import pkg_resources - tls_configs_dir = pkg_resources.resource_filename("certbot_apache", "tls_configs") - all_files = [os.path.join(tls_configs_dir, name) for name in os.listdir(tls_configs_dir) - if name.endswith('options-ssl-apache.conf')] - self.assertTrue(all_files) - for one_file in all_files: - file_hash = crypto_util.sha256sum(one_file) - self.assertTrue(file_hash in ALL_SSL_OPTIONS_HASHES, - "Constants.ALL_SSL_OPTIONS_HASHES must be appended with the sha256 " - "hash of {0} when it is updated.".format(one_file)) + self.assertTrue(self._current_ssl_options_hash() in ALL_SSL_OPTIONS_HASHES, + "Constants.ALL_SSL_OPTIONS_HASHES must be appended" + " with the sha256 hash of self.config.mod_ssl_conf when it is updated.") if __name__ == "__main__": diff --git a/certbot-apache/certbot_apache/tls_configs/centos-old-options-ssl-apache.conf b/certbot-apache/certbot_apache/tls_configs/centos-old-options-ssl-apache.conf deleted file mode 100644 index 277c8954a..000000000 
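Review bot: `test_current_file_hash_in_all_hashes` hashes only `self.config.option("MOD_SSL_CONF_SRC")` for the configurator under test, whereas the removed test walked every `*options-ssl-apache.conf`. Unless a CentOS test elsewhere covers it, `centos-options-ssl-apache.conf` is therefore no longer checked against `ALL_SSL_OPTIONS_HASHES`. A missing digest matters because, as the removed docstring explained, Certbot then treats the installed file as manually edited and refuses to update it. The failure message also names `self.config.mod_ssl_conf`, although the file being hashed is the packaged source. The fence below checks both packaged files by name and reports the one that failed.
```python
    def test_current_file_hash_in_all_hashes(self):
        from certbot_apache.constants import ALL_SSL_OPTIONS_HASHES
        import pkg_resources
        # Both packaged option files must have a registered digest.
        for name in ("options-ssl-apache.conf", "centos-options-ssl-apache.conf"):
            src = pkg_resources.resource_filename("certbot_apache", name)
            self.assertTrue(crypto_util.sha256sum(src) in ALL_SSL_OPTIONS_HASHES,
                "Constants.ALL_SSL_OPTIONS_HASHES must be appended"
                " with the sha256 hash of {0} when it is updated.".format(name))
```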
--- a/certbot-apache/certbot_apache/tls_configs/centos-old-options-ssl-apache.conf +++ /dev/null @@ -1,18 +0,0 @@ -# This file contains important security parameters. If you modify this file -# manually, Certbot will be unable to automatically provide future security -# updates. Instead, Certbot will print and log an error message with a path to -# the up-to-date file that you will need to refer to when manually updating -# this file. - -SSLEngine on - -# Intermediate configuration, tweak to your needs -SSLProtocol all -SSLv2 -SSLv3 -SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS -SSLHonorCipherOrder on - -SSLOptions +StrictRequire - -# Add vhost name to log entries: -LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined -LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common diff --git a/certbot-apache/certbot_apache/tls_configs/old-options-ssl-apache.conf b/certbot-apache/certbot_apache/tls_configs/old-options-ssl-apache.conf deleted file mode 100644 index cd7c9bc4b..000000000 --- a/certbot-apache/certbot_apache/tls_configs/old-options-ssl-apache.conf +++ /dev/null 
@@ -1,19 +0,0 @@ -# This file contains important security parameters. If you modify this file -# manually, Certbot will be unable to automatically provide future security -# updates. Instead, Certbot will print and log an error message with a path to -# the up-to-date file that you will need to refer to when manually updating -# this file. - -SSLEngine on - -# Intermediate configuration, tweak to your needs -SSLProtocol all -SSLv2 -SSLv3 -SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS -SSLHonorCipherOrder on -SSLCompression off - -SSLOptions +StrictRequire - -# Add vhost name to log entries: -LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined -LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common diff --git a/certbot-auto b/certbot-auto index 90b7c951e..15623463b 100755 --- a/certbot-auto +++ b/certbot-auto @@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then fi VENV_BIN="$VENV_PATH/bin" BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt" -LE_AUTO_VERSION="0.37.0" +LE_AUTO_VERSION="0.37.1" BASENAME=$(basename $0) USAGE="Usage: $BASENAME [OPTIONS] A self-updating wrapper script for the Certbot ACME client. When run, updates 
@@ -1333,18 +1333,18 @@ letsencrypt==0.7.0 \ --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \ --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9 -certbot==0.37.0 \ - --hash=sha256:940a7c5902d45c222bf977477d6898d2d1112181252bf998a4b41f6078093b65 \ - --hash=sha256:34c5a832b43f41438bd84eb247a64607228a865e3cdc5272d7a27c3943a94d8a -acme==0.37.0 \ - --hash=sha256:c68f37ac2cbc230af1efd39f258a8fab73a6211d87dd7af56ca6b4651e5c99a6 \ - --hash=sha256:9178b725ad1f282d3ccab89fbdf36a403447eab7c0c52669279fb33df6fbe161 -certbot-apache==0.37.0 \ - --hash=sha256:6737355b54fee44552a9c9374cb0ec532cbd0215506994c8f0d73ee0eeb1c36f \ - --hash=sha256:6d1c413937c0a9419fbd2c67f110cad860e87afdd358650707f32cde71d4fc21 -certbot-nginx==0.37.0 \ - --hash=sha256:e173f523ab21ce6bd290bc0e842ca435e5ff6b325b5ad6ea257d517aeac697bb \ - --hash=sha256:93c9f8d934b886e5632e1658ea411fbbded9fa55dc07a5bc35d493e2a6cc4ffe +certbot==0.37.1 \ + --hash=sha256:84dbdad204327b8d8ef9ab5b040f2be1e427a9f7e087affcc9a6051ea1b03fe7 \ + --hash=sha256:aace73e63b0c11cdb4b0bd33e1780c1fbe0ce5669dc72e80c3aa9500145daf16 +acme==0.37.1 \ + --hash=sha256:83a4f6f3c5eb6a85233d5ba87714b426f2d096df58d711f8a2fc4071eb3fd3fc \ + --hash=sha256:c069a761990751f7c4bf51d2e87ae10319bf460de6629d2908c9fa6f69e97111 +certbot-apache==0.37.1 \ + --hash=sha256:3ea832408877b12b3a60d17e8b2ee3387364f8c3023ac267161c25b99087cd42 \ + --hash=sha256:e46c2644451101c0e216aa1f525a577cc903efaf871e0e4da277224a4439040c +certbot-nginx==0.37.1 \ + --hash=sha256:1f9af389d26f06634e2eefaace3354e7679dabb4295e1d55d05a4ee7e23a64bd \ + --hash=sha256:02a7ec15bd388d0f0e94a34c86a8f8d618ec7d5ffde0c206039bb4c46b294ce4 UNLIKELY_EOF # ------------------------------------------------------------------------- diff --git a/docs/cli-help.txt b/docs/cli-help.txt index 09075e61a..e7aa03d11 100644 --- a/docs/cli-help.txt +++ b/docs/cli-help.txt 
@@ -113,7 +113,7 @@ optional arguments: case, and to know when to deprecate support for past Python versions and flags. If you wish to hide this information from the Let's Encrypt server, set this to - "". (default: CertbotACMEClient/0.37.0 + "". (default: CertbotACMEClient/0.37.1 (certbot(-auto); OS_NAME OS_VERSION) Authenticator/XXX Installer/YYY (SUBCOMMAND; flags: FLAGS) Py/major.minor.patchlevel). The flags encoded in the diff --git a/letsencrypt-auto b/letsencrypt-auto index 90b7c951e..15623463b 100755 --- a/letsencrypt-auto +++ b/letsencrypt-auto @@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then fi VENV_BIN="$VENV_PATH/bin" BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt" -LE_AUTO_VERSION="0.37.0" +LE_AUTO_VERSION="0.37.1" BASENAME=$(basename $0) USAGE="Usage: $BASENAME [OPTIONS] A self-updating wrapper script for the Certbot ACME client. When run, updates 
@@ -1333,18 +1333,18 @@ letsencrypt==0.7.0 \ --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \ --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9 -certbot==0.37.0 \ - --hash=sha256:940a7c5902d45c222bf977477d6898d2d1112181252bf998a4b41f6078093b65 \ - --hash=sha256:34c5a832b43f41438bd84eb247a64607228a865e3cdc5272d7a27c3943a94d8a -acme==0.37.0 \ - --hash=sha256:c68f37ac2cbc230af1efd39f258a8fab73a6211d87dd7af56ca6b4651e5c99a6 \ - --hash=sha256:9178b725ad1f282d3ccab89fbdf36a403447eab7c0c52669279fb33df6fbe161 -certbot-apache==0.37.0 \ - --hash=sha256:6737355b54fee44552a9c9374cb0ec532cbd0215506994c8f0d73ee0eeb1c36f \ - --hash=sha256:6d1c413937c0a9419fbd2c67f110cad860e87afdd358650707f32cde71d4fc21 -certbot-nginx==0.37.0 \ - --hash=sha256:e173f523ab21ce6bd290bc0e842ca435e5ff6b325b5ad6ea257d517aeac697bb \ - --hash=sha256:93c9f8d934b886e5632e1658ea411fbbded9fa55dc07a5bc35d493e2a6cc4ffe +certbot==0.37.1 \ + --hash=sha256:84dbdad204327b8d8ef9ab5b040f2be1e427a9f7e087affcc9a6051ea1b03fe7 \ + --hash=sha256:aace73e63b0c11cdb4b0bd33e1780c1fbe0ce5669dc72e80c3aa9500145daf16 +acme==0.37.1 \ + --hash=sha256:83a4f6f3c5eb6a85233d5ba87714b426f2d096df58d711f8a2fc4071eb3fd3fc \ + --hash=sha256:c069a761990751f7c4bf51d2e87ae10319bf460de6629d2908c9fa6f69e97111 +certbot-apache==0.37.1 \ + --hash=sha256:3ea832408877b12b3a60d17e8b2ee3387364f8c3023ac267161c25b99087cd42 \ + --hash=sha256:e46c2644451101c0e216aa1f525a577cc903efaf871e0e4da277224a4439040c +certbot-nginx==0.37.1 \ + --hash=sha256:1f9af389d26f06634e2eefaace3354e7679dabb4295e1d55d05a4ee7e23a64bd \ + --hash=sha256:02a7ec15bd388d0f0e94a34c86a8f8d618ec7d5ffde0c206039bb4c46b294ce4 UNLIKELY_EOF # ------------------------------------------------------------------------- diff --git a/letsencrypt-auto-source/certbot-auto.asc b/letsencrypt-auto-source/certbot-auto.asc index d015c7cc8..a9f7e1e9f 100644 --- a/letsencrypt-auto-source/certbot-auto.asc 
+++ b/letsencrypt-auto-source/certbot-auto.asc @@ -1,11 +1,11 @@ -----BEGIN PGP SIGNATURE----- -iQEzBAABCAAdFiEEos+1H6J1pyhiNOeyTRfJlc2XdfIFAl1LC8MACgkQTRfJlc2X -dfLT8gf/aBYJDQQcRyS9p72t2e7hHgbDuLDIS8GeBSwMxNp9caDr7m5O1eLDOHIq -VtbCRR2c1CIWq2WlJ/WJLIf9I5MHjkr7/+xFkYuybU0waEceC1RgkI6d49gPhg2V -iTbDErAOW9Ito2TNbJJX+VZfTHI1JH0BXNL+TIl7nLWoXTvI+65gzSiv/ng8WD+6 -Dd2ibZGV7AlcHS1+i3iNEFPNc9qALkImfAvZssU3CfRgO/WQphlgvXDkSYRP8cDx -esjyUniHjd4N6tr2WSaD9do2ZVbMuJtPWt7JrIMJHs+UgB8BaAQCSzmv2ItWXD9t -o1zHyEUEgMuV49GZRdnNM+6aEZt7xA== -=vP3K +iQEzBAABCAAdFiEEos+1H6J1pyhiNOeyTRfJlc2XdfIFAl1Mt7UACgkQTRfJlc2X +dfIALggAhyS29bqwp7L2u31uJalZbZQzK2jb86+YyxYzJ/TNAOVHghZNrF7krXAV +GCYEV6SXNHlScAtv7eIVbMcbiaSh/+6/1K3HsPBNP/7nR2sTZ/AOSQNPKdgUia5E +jypTdGYcOiQBCqyP0yDKFXIKxJFOP63tIvidfuT0rBcyusrJ/QPJs6uhKLggOiFv +9kNgZQsOhE3LpA9Yaqf0lsbKhA154c2Q662JiGCzQ2AST36bdzNEwsUeVoTbJda3 +o3qN5kg+mWZNrc9qgYjDA3gXxepNGxjXmFasJc1k1uVx9gxYhEO+/WC1UKMQJR1O +Y/7Qrv3sR3KJ/Q/guhEB4jTKOnvXvw== +=+61j -----END PGP SIGNATURE----- diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 1a1f01b04..d87f338a5 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto 
@@ -1382,18 +1382,18 @@ letsencrypt==0.7.0 \ --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \ --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9 -certbot==0.37.0 \ - --hash=sha256:940a7c5902d45c222bf977477d6898d2d1112181252bf998a4b41f6078093b65 \ - --hash=sha256:34c5a832b43f41438bd84eb247a64607228a865e3cdc5272d7a27c3943a94d8a -acme==0.37.0 \ - --hash=sha256:c68f37ac2cbc230af1efd39f258a8fab73a6211d87dd7af56ca6b4651e5c99a6 \ - --hash=sha256:9178b725ad1f282d3ccab89fbdf36a403447eab7c0c52669279fb33df6fbe161 -certbot-apache==0.37.0 \ - --hash=sha256:6737355b54fee44552a9c9374cb0ec532cbd0215506994c8f0d73ee0eeb1c36f \ - --hash=sha256:6d1c413937c0a9419fbd2c67f110cad860e87afdd358650707f32cde71d4fc21 -certbot-nginx==0.37.0 \ - --hash=sha256:e173f523ab21ce6bd290bc0e842ca435e5ff6b325b5ad6ea257d517aeac697bb \ - --hash=sha256:93c9f8d934b886e5632e1658ea411fbbded9fa55dc07a5bc35d493e2a6cc4ffe +certbot==0.37.1 \ + --hash=sha256:84dbdad204327b8d8ef9ab5b040f2be1e427a9f7e087affcc9a6051ea1b03fe7 \ + --hash=sha256:aace73e63b0c11cdb4b0bd33e1780c1fbe0ce5669dc72e80c3aa9500145daf16 +acme==0.37.1 \ + --hash=sha256:83a4f6f3c5eb6a85233d5ba87714b426f2d096df58d711f8a2fc4071eb3fd3fc \ + --hash=sha256:c069a761990751f7c4bf51d2e87ae10319bf460de6629d2908c9fa6f69e97111 +certbot-apache==0.37.1 \ + --hash=sha256:3ea832408877b12b3a60d17e8b2ee3387364f8c3023ac267161c25b99087cd42 \ + --hash=sha256:e46c2644451101c0e216aa1f525a577cc903efaf871e0e4da277224a4439040c +certbot-nginx==0.37.1 \ + --hash=sha256:1f9af389d26f06634e2eefaace3354e7679dabb4295e1d55d05a4ee7e23a64bd \ + --hash=sha256:02a7ec15bd388d0f0e94a34c86a8f8d618ec7d5ffde0c206039bb4c46b294ce4 UNLIKELY_EOF # ------------------------------------------------------------------------- 
diff --git a/letsencrypt-auto-source/letsencrypt-auto.sig b/letsencrypt-auto-source/letsencrypt-auto.sig
index 015f6741e..20d7b4570 100644
Binary files a/letsencrypt-auto-source/letsencrypt-auto.sig and b/letsencrypt-auto-source/letsencrypt-auto.sig differ
diff --git a/letsencrypt-auto-source/pieces/certbot-requirements.txt b/letsencrypt-auto-source/pieces/certbot-requirements.txt
index 59892c207..c7a8a50f5 100644
--- a/letsencrypt-auto-source/pieces/certbot-requirements.txt
+++ b/letsencrypt-auto-source/pieces/certbot-requirements.txt
@@ -1,12 +1,12 @@ -certbot==0.37.0 \ - --hash=sha256:940a7c5902d45c222bf977477d6898d2d1112181252bf998a4b41f6078093b65 \ - --hash=sha256:34c5a832b43f41438bd84eb247a64607228a865e3cdc5272d7a27c3943a94d8a -acme==0.37.0 \ - --hash=sha256:c68f37ac2cbc230af1efd39f258a8fab73a6211d87dd7af56ca6b4651e5c99a6 \ - --hash=sha256:9178b725ad1f282d3ccab89fbdf36a403447eab7c0c52669279fb33df6fbe161 -certbot-apache==0.37.0 \ - --hash=sha256:6737355b54fee44552a9c9374cb0ec532cbd0215506994c8f0d73ee0eeb1c36f \ - --hash=sha256:6d1c413937c0a9419fbd2c67f110cad860e87afdd358650707f32cde71d4fc21 -certbot-nginx==0.37.0 \ - --hash=sha256:e173f523ab21ce6bd290bc0e842ca435e5ff6b325b5ad6ea257d517aeac697bb \ - --hash=sha256:93c9f8d934b886e5632e1658ea411fbbded9fa55dc07a5bc35d493e2a6cc4ffe +certbot==0.37.1 \ + --hash=sha256:84dbdad204327b8d8ef9ab5b040f2be1e427a9f7e087affcc9a6051ea1b03fe7 \ + --hash=sha256:aace73e63b0c11cdb4b0bd33e1780c1fbe0ce5669dc72e80c3aa9500145daf16 +acme==0.37.1 \ + --hash=sha256:83a4f6f3c5eb6a85233d5ba87714b426f2d096df58d711f8a2fc4071eb3fd3fc \ + --hash=sha256:c069a761990751f7c4bf51d2e87ae10319bf460de6629d2908c9fa6f69e97111 +certbot-apache==0.37.1 \ + --hash=sha256:3ea832408877b12b3a60d17e8b2ee3387364f8c3023ac267161c25b99087cd42 \ + --hash=sha256:e46c2644451101c0e216aa1f525a577cc903efaf871e0e4da277224a4439040c +certbot-nginx==0.37.1 \ + --hash=sha256:1f9af389d26f06634e2eefaace3354e7679dabb4295e1d55d05a4ee7e23a64bd \ + --hash=sha256:02a7ec15bd388d0f0e94a34c86a8f8d618ec7d5ffde0c206039bb4c46b294ce4