Finish work on #4718.

* Update in response to changes in #4720.

* Update ALL_SSL_OPTIONS_HASHES.

* Add warning to Apache's SSL options files.

certbot-apache/certbot_apache/centos-options-ssl-apache.conf

@@ -1,4 +1,8 @@
-# Baseline setting to Include for SSL sites
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
 
 SSLEngine on
 

certbot-apache/certbot_apache/configurator.py

@@ -1992,4 +1992,4 @@ def install_ssl_options_conf(options_ssl, options_ssl_digest):
     # certbot for unprivileged users via setuid), this function will need
     # to be modified.
     return common.install_ssl_options_conf(options_ssl, options_ssl_digest,
-        constants.os_constant("MOD_SSL_CONF_SRC"), constants.ALL_SSL_OPTIONS_HASHES, logger)
+        constants.os_constant("MOD_SSL_CONF_SRC"), constants.ALL_SSL_OPTIONS_HASHES)

certbot-apache/certbot_apache/constants.py

@@ -138,6 +138,10 @@ UPDATED_MOD_SSL_CONF_DIGEST = ".updated-options-ssl-apache-conf-digest.txt"
 ALL_SSL_OPTIONS_HASHES = [
     '2086bca02db48daf93468332543c60ac6acdb6f0b58c7bfdf578a5d47092f82a',
     '4844d36c9a0f587172d9fa10f4f1c9518e3bcfa1947379f155e16a70a728c21a',
+    '5a922826719981c0a234b1fbcd495f3213e49d2519e845ea0748ba513044b65b',
+    '4066b90268c03c9ba0201068eaa39abbc02acf9558bb45a788b630eb85dadf27',
+    'f175e2e7c673bd88d0aff8220735f385f916142c44aa83b09f1df88dd4767a88',
+    'cfdd7c18d2025836ea3307399f509cfb1ebf2612c87dd600a65da2a8e2f2797b',
 ]
 """SHA256 hashes of the contents of previous versions of all versions of MOD_SSL_CONF_SRC"""
 

certbot-apache/certbot_apache/options-ssl-apache.conf

@@ -1,4 +1,8 @@
-# Baseline setting to Include for SSL sites
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
 
 SSLEngine on
 

certbot-apache/certbot_apache/tests/configurator_test.py

@@ -1480,7 +1480,7 @@ class InstallSslOptionsConfTest(util.ApacheTest):
     def test_manually_modified_current_file_does_not_update(self):
         with open(self.config.mod_ssl_conf, "a") as mod_ssl_conf:
             mod_ssl_conf.write("a new line for the wrong hash\n")
-        with mock.patch("certbot_apache.configurator.logger") as mock_logger:
+        with mock.patch("certbot.plugins.common.logger") as mock_logger:
             self._call()
             self.assertFalse(mock_logger.warning.called)
         self.assertTrue(os.path.isfile(self.config.mod_ssl_conf))
@@ -1494,7 +1494,7 @@ class InstallSslOptionsConfTest(util.ApacheTest):
             mod_ssl_conf.write("a new line for the wrong hash\n")
         with open(self.config.updated_mod_ssl_conf_digest, "w") as f:
             f.write("hashofanoldversion")
-        with mock.patch("certbot_apache.configurator.logger") as mock_logger:
+        with mock.patch("certbot.plugins.common.logger") as mock_logger:
             self._call()
             self.assertEqual(mock_logger.warning.call_args[0][0],
                 "%s has been manually modified; updated ssl configuration options "
@@ -1502,7 +1502,7 @@ class InstallSslOptionsConfTest(util.ApacheTest):
         self.assertEqual(crypto_util.sha256sum(constants.os_constant("MOD_SSL_CONF_SRC")),
             self._current_ssl_options_hash())
         # only print warning once
-        with mock.patch("certbot_apache.configurator.logger") as mock_logger:
+        with mock.patch("certbot.plugins.common.logger") as mock_logger:
             self._call()
             self.assertFalse(mock_logger.warning.called)