upstream/certbot
1
0
Fork 0
mirror of https://github.com/certbot/certbot.git synced 2026-06-04 22:33:00 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Implement a sunset mechanism in certbot-auto for systems not supported anymore (#7587)

Browse source 
* Sunset mechanism

* Simplify code

* Update letsencrypt-auto-source/letsencrypt-auto.template

Co-Authored-By: Brad Warren <bmw@users.noreply.github.com>

* Update template

* Deprecate for all RHEL/CentOS 6 32bits flavors

* Add a wrapper to uname to do tests on fake 32 bits versions

* Replace all occurences

* Add some tests about sunset mechanism

* Update letsencrypt-auto-source/tests/centos6_tests.sh

Co-Authored-By: Brad Warren <bmw@users.noreply.github.com>

* Update letsencrypt-auto-source/tests/centos6_tests.sh

Co-Authored-By: Brad Warren <bmw@users.noreply.github.com>

* Various corrections

* Recreate script

* Update comment position

* Test also install only

* Fix docker

* Update letsencrypt-auto-source/tests/centos6_tests.sh

Co-Authored-By: Brad Warren <bmw@users.noreply.github.com>

* What error command is doing here ?

* Fix permissions

* Rebuild script

* Add changelog

* Update letsencrypt-auto-source/letsencrypt-auto.template

Co-Authored-By: Brad Warren <bmw@users.noreply.github.com>

* Update changelog

* Trigger CI

* Handle old venv path

* Modify test

* Fix test error detection from subpaths

* Edit echo

* Use set -e

* Update letsencrypt-auto-source/letsencrypt-auto.template

Co-Authored-By: Brad Warren <bmw@users.noreply.github.com>

* Corrections

Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
This commit is contained in:
Adrien Ferrand 2020-01-08 16:36:34 +01:00 committed by GitHub
parent fda655370a
commit 84c1b912d9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 211 additions and 69 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
certbot/CHANGELOG.md
View file

@ -13,6 +13,10 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
* Removed the fallback introduced with 0.34.0 in `acme` to retry a POST-as-GET
request as a GET request when the targeted ACME CA server seems to not support
POST-as-GET requests.
* certbot-auto no longer supports architectures other than x86_64 on RHEL 6
based systems. Existing certbot-auto installations affected by this will
continue to work, but they will no longer receive updates. To install a
newer version of Certbot on these systems, you should update your OS.
### Fixed

6
letsencrypt-auto-source/Dockerfile.centos6
View file

@ -30,6 +30,12 @@ RUN update-ca-trust
# Copy code:
COPY . /home/lea/certbot/letsencrypt-auto-source
# Tweak uname binary for tests on fake 32bits
COPY tests/uname_wrapper.sh /bin
RUN mv /bin/uname /bin/uname_orig \
&& mv /bin/uname_wrapper.sh /bin/uname \
&& chmod +x /bin/uname
USER lea
WORKDIR /home/lea

86
letsencrypt-auto-source/letsencrypt-auto
View file

@ -758,6 +758,11 @@ elif [ -f /etc/redhat-release ]; then
RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
if [ "$PYVER" -eq 26 -a $(uname -m) != 'x86_64' ]; then
# 32 bits CentOS 6 and affiliates are not supported anymore by certbot-auto.
DEPRECATED_OS=1
fi
# Set RPM_DIST_VERSION to VERSION_ID from /etc/os-release after splitting on
# '.' characters (e.g. "8.0" becomes "8"). If the command exits with an
# error, RPM_DIST_VERSION is set to "unknown".
@ -870,6 +875,13 @@ if [ "$NO_BOOTSTRAP" = 1 ]; then
unset BOOTSTRAP_VERSION
fi
if [ "$DEPRECATED_OS" = 1 ]; then
Bootstrap() {
error "Skipping bootstrap because certbot-auto is deprecated on this system."
}
unset BOOTSTRAP_VERSION
fi
# Sets PREV_BOOTSTRAP_VERSION to the identifier for the bootstrap script used
# to install OS dependencies on this system. PREV_BOOTSTRAP_VERSION isn't set
# if it is unknown how OS dependencies were installed on this system.
@ -1067,6 +1079,28 @@ if [ "$1" = "--le-auto-phase2" ]; then
# Phase 2: Create venv, install LE, and run.
shift 1 # the --le-auto-phase2 arg
if [ "$DEPRECATED_OS" = 1 ]; then
# Phase 2 damage control mode for deprecated OSes.
# In this situation, we bypass any bootstrap or certbot venv setup.
error "Your system is not supported by certbot-auto anymore."
if [ ! -d "$VENV_PATH" ] && OldVenvExists; then
VENV_BIN="$OLD_VENV_PATH/bin"
fi
if [ -f "$VENV_BIN/letsencrypt" -a "$INSTALL_ONLY" != 1 ]; then
error "Certbot will no longer receive updates."
error "Please visit https://certbot.eff.org/ to check for other alternatives."
"$VENV_BIN/letsencrypt" "$@"
exit 0
else
error "Certbot cannot be installed."
error "Please visit https://certbot.eff.org/ to check for other alternatives."
exit 1
fi
fi
SetPrevBootstrapVersion
if [ -z "$PHASE_1_VERSION" -a "$USE_PYTHON_3" = 1 ]; then
@ -1617,6 +1651,9 @@ UNLIKELY_EOF
say "Installation succeeded."
fi
# If you're modifying any of the code after this point in this current `if` block, you
# may need to update the "$DEPRECATED_OS" = 1 case at the beginning of phase 2 as well.
if [ "$INSTALL_ONLY" = 1 ]; then
say "Certbot is installed."
exit 0
@ -1828,30 +1865,35 @@ UNLIKELY_EOF
error "WARNING: unable to check for updates."
fi
LE_VERSION_STATE=`CompareVersions "$LE_PYTHON" "$LE_AUTO_VERSION" "$REMOTE_VERSION"`
if [ "$LE_VERSION_STATE" = "UNOFFICIAL" ]; then
say "Unofficial certbot-auto version detected, self-upgrade is disabled: $LE_AUTO_VERSION"
elif [ "$LE_VERSION_STATE" = "OUTDATED" ]; then
say "Upgrading certbot-auto $LE_AUTO_VERSION to $REMOTE_VERSION..."
# If for any reason REMOTE_VERSION is not set, let's assume certbot-auto is up-to-date,
# and do not go into the self-upgrading process.
if [ -n "$REMOTE_VERSION" ]; then
LE_VERSION_STATE=`CompareVersions "$LE_PYTHON" "$LE_AUTO_VERSION" "$REMOTE_VERSION"`
# Now we drop into Python so we don't have to install even more
# dependencies (curl, etc.), for better flow control, and for the option of
# future Windows compatibility.
"$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION"
if [ "$LE_VERSION_STATE" = "UNOFFICIAL" ]; then
say "Unofficial certbot-auto version detected, self-upgrade is disabled: $LE_AUTO_VERSION"
elif [ "$LE_VERSION_STATE" = "OUTDATED" ]; then
say "Upgrading certbot-auto $LE_AUTO_VERSION to $REMOTE_VERSION..."
# Install new copy of certbot-auto.
# TODO: Deal with quotes in pathnames.
say "Replacing certbot-auto..."
# Clone permissions with cp. chmod and chown don't have a --reference
# option on macOS or BSD, and stat -c on Linux is stat -f on macOS and BSD:
cp -p "$0" "$TEMP_DIR/letsencrypt-auto.permission-clone"
cp "$TEMP_DIR/letsencrypt-auto" "$TEMP_DIR/letsencrypt-auto.permission-clone"
# Using mv rather than cp leaves the old file descriptor pointing to the
# original copy so the shell can continue to read it unmolested. mv across
# filesystems is non-atomic, doing `rm dest, cp src dest, rm src`, but the
# cp is unlikely to fail if the rm doesn't.
mv -f "$TEMP_DIR/letsencrypt-auto.permission-clone" "$0"
fi # A newer version is available.
# Now we drop into Python so we don't have to install even more
# dependencies (curl, etc.), for better flow control, and for the option of
# future Windows compatibility.
"$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION"
# Install new copy of certbot-auto.
# TODO: Deal with quotes in pathnames.
say "Replacing certbot-auto..."
# Clone permissions with cp. chmod and chown don't have a --reference
# option on macOS or BSD, and stat -c on Linux is stat -f on macOS and BSD:
cp -p "$0" "$TEMP_DIR/letsencrypt-auto.permission-clone"
cp "$TEMP_DIR/letsencrypt-auto" "$TEMP_DIR/letsencrypt-auto.permission-clone"
# Using mv rather than cp leaves the old file descriptor pointing to the
# original copy so the shell can continue to read it unmolested. mv across
# filesystems is non-atomic, doing `rm dest, cp src dest, rm src`, but the
# cp is unlikely to fail if the rm doesn't.
mv -f "$TEMP_DIR/letsencrypt-auto.permission-clone" "$0"
fi # A newer version is available.
fi
fi # Self-upgrading is allowed.
RerunWithArgs --le-auto-phase2 "$@"

86
letsencrypt-auto-source/letsencrypt-auto.template
View file

@ -333,6 +333,11 @@ elif [ -f /etc/redhat-release ]; then
RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
if [ "$PYVER" -eq 26 -a $(uname -m) != 'x86_64' ]; then
# 32 bits CentOS 6 and affiliates are not supported anymore by certbot-auto.
DEPRECATED_OS=1
fi
# Set RPM_DIST_VERSION to VERSION_ID from /etc/os-release after splitting on
# '.' characters (e.g. "8.0" becomes "8"). If the command exits with an
# error, RPM_DIST_VERSION is set to "unknown".
@ -445,6 +450,13 @@ if [ "$NO_BOOTSTRAP" = 1 ]; then
unset BOOTSTRAP_VERSION
fi
if [ "$DEPRECATED_OS" = 1 ]; then
Bootstrap() {
error "Skipping bootstrap because certbot-auto is deprecated on this system."
}
unset BOOTSTRAP_VERSION
fi
# Sets PREV_BOOTSTRAP_VERSION to the identifier for the bootstrap script used
# to install OS dependencies on this system. PREV_BOOTSTRAP_VERSION isn't set
# if it is unknown how OS dependencies were installed on this system.
@ -534,6 +546,28 @@ if [ "$1" = "--le-auto-phase2" ]; then
# Phase 2: Create venv, install LE, and run.
shift 1 # the --le-auto-phase2 arg
if [ "$DEPRECATED_OS" = 1 ]; then
# Phase 2 damage control mode for deprecated OSes.
# In this situation, we bypass any bootstrap or certbot venv setup.
error "Your system is not supported by certbot-auto anymore."
if [ ! -d "$VENV_PATH" ] && OldVenvExists; then
VENV_BIN="$OLD_VENV_PATH/bin"
fi
if [ -f "$VENV_BIN/letsencrypt" -a "$INSTALL_ONLY" != 1 ]; then
error "Certbot will no longer receive updates."
error "Please visit https://certbot.eff.org/ to check for other alternatives."
"$VENV_BIN/letsencrypt" "$@"
exit 0
else
error "Certbot cannot be installed."
error "Please visit https://certbot.eff.org/ to check for other alternatives."
exit 1
fi
fi
SetPrevBootstrapVersion
if [ -z "$PHASE_1_VERSION" -a "$USE_PYTHON_3" = 1 ]; then
@ -657,6 +691,9 @@ UNLIKELY_EOF
say "Installation succeeded."
fi
# If you're modifying any of the code after this point in this current `if` block, you
# may need to update the "$DEPRECATED_OS" = 1 case at the beginning of phase 2 as well.
if [ "$INSTALL_ONLY" = 1 ]; then
say "Certbot is installed."
exit 0
@ -720,30 +757,35 @@ UNLIKELY_EOF
error "WARNING: unable to check for updates."
fi
LE_VERSION_STATE=`CompareVersions "$LE_PYTHON" "$LE_AUTO_VERSION" "$REMOTE_VERSION"`
if [ "$LE_VERSION_STATE" = "UNOFFICIAL" ]; then
say "Unofficial certbot-auto version detected, self-upgrade is disabled: $LE_AUTO_VERSION"
elif [ "$LE_VERSION_STATE" = "OUTDATED" ]; then
say "Upgrading certbot-auto $LE_AUTO_VERSION to $REMOTE_VERSION..."
# If for any reason REMOTE_VERSION is not set, let's assume certbot-auto is up-to-date,
# and do not go into the self-upgrading process.
if [ -n "$REMOTE_VERSION" ]; then
LE_VERSION_STATE=`CompareVersions "$LE_PYTHON" "$LE_AUTO_VERSION" "$REMOTE_VERSION"`
# Now we drop into Python so we don't have to install even more
# dependencies (curl, etc.), for better flow control, and for the option of
# future Windows compatibility.
"$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION"
if [ "$LE_VERSION_STATE" = "UNOFFICIAL" ]; then
say "Unofficial certbot-auto version detected, self-upgrade is disabled: $LE_AUTO_VERSION"
elif [ "$LE_VERSION_STATE" = "OUTDATED" ]; then
say "Upgrading certbot-auto $LE_AUTO_VERSION to $REMOTE_VERSION..."
# Install new copy of certbot-auto.
# TODO: Deal with quotes in pathnames.
say "Replacing certbot-auto..."
# Clone permissions with cp. chmod and chown don't have a --reference
# option on macOS or BSD, and stat -c on Linux is stat -f on macOS and BSD:
cp -p "$0" "$TEMP_DIR/letsencrypt-auto.permission-clone"
cp "$TEMP_DIR/letsencrypt-auto" "$TEMP_DIR/letsencrypt-auto.permission-clone"
# Using mv rather than cp leaves the old file descriptor pointing to the
# original copy so the shell can continue to read it unmolested. mv across
# filesystems is non-atomic, doing `rm dest, cp src dest, rm src`, but the
# cp is unlikely to fail if the rm doesn't.
mv -f "$TEMP_DIR/letsencrypt-auto.permission-clone" "$0"
fi # A newer version is available.
# Now we drop into Python so we don't have to install even more
# dependencies (curl, etc.), for better flow control, and for the option of
# future Windows compatibility.
"$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION"
# Install new copy of certbot-auto.
# TODO: Deal with quotes in pathnames.
say "Replacing certbot-auto..."
# Clone permissions with cp. chmod and chown don't have a --reference
# option on macOS or BSD, and stat -c on Linux is stat -f on macOS and BSD:
cp -p "$0" "$TEMP_DIR/letsencrypt-auto.permission-clone"
cp "$TEMP_DIR/letsencrypt-auto" "$TEMP_DIR/letsencrypt-auto.permission-clone"
# Using mv rather than cp leaves the old file descriptor pointing to the
# original copy so the shell can continue to read it unmolested. mv across
# filesystems is non-atomic, doing `rm dest, cp src dest, rm src`, but the
# cp is unlikely to fail if the rm doesn't.
mv -f "$TEMP_DIR/letsencrypt-auto.permission-clone" "$0"
fi # A newer version is available.
fi
fi # Self-upgrading is allowed.
RerunWithArgs --le-auto-phase2 "$@"

88
letsencrypt-auto-source/tests/centos6_tests.sh
View file

@ -1,4 +1,5 @@
#!/bin/bash
set -e
# Start by making sure your system is up-to-date:
yum update -y > /dev/null
yum install -y centos-release-scl > /dev/null
@ -6,46 +7,51 @@ yum install -y python27 > /dev/null 2> /dev/null
LE_AUTO="certbot/letsencrypt-auto-source/letsencrypt-auto"
echo ""
# we're going to modify env variables, so do this in a subshell
(
# ensure CentOS6 32bits is not supported anymore, and so certbot is not installed
export UNAME_FAKE_32BITS=true
if ! "$LE_AUTO" 2>&1 | grep -q "Certbot cannot be installed."; then
echo "On CentOS 32 bits, certbot-auto installed certbot."
exit 1
fi
)
echo "PASSED: On CentOS 6 32 bits, certbot-auto refused to install certbot."
# we're going to modify env variables, so do this in a subshell
(
source /opt/rh/python27/enable
# ensure python 3 isn't installed
python3 --version 2> /dev/null
RESULT=$?
if [ $RESULT -eq 0 ]; then
error "Python3 is already installed."
if python3 --version 2> /dev/null; then
echo "Python3 is already installed."
exit 1
fi
# ensure python2.7 is available
python2.7 --version 2> /dev/null
RESULT=$?
if [ $RESULT -ne 0 ]; then
error "Python3 is not available."
if ! python2.7 --version 2> /dev/null; then
echo "Python2.7 is not available."
exit 1
fi
# bootstrap, but don't install python 3.
"$LE_AUTO" --no-self-upgrade -n > /dev/null 2> /dev/null
"$LE_AUTO" --no-self-upgrade -n --version > /dev/null 2> /dev/null
# ensure python 3 isn't installed
python3 --version 2> /dev/null
RESULT=$?
if [ $RESULT -eq 0 ]; then
error "letsencrypt-auto installed Python3 even though Python2.7 is present."
if python3 --version 2> /dev/null; then
echo "letsencrypt-auto installed Python3 even though Python2.7 is present."
exit 1
fi
echo ""
echo "PASSED: Did not upgrade to Python3 when Python2.7 is present."
)
echo "PASSED: Did not upgrade to Python3 when Python2.7 is present."
# ensure python2.7 isn't available
python2.7 --version 2> /dev/null
RESULT=$?
if [ $RESULT -eq 0 ]; then
error "Python2.7 is still available."
if python2.7 --version 2> /dev/null; then
echo "Python2.7 is still available."
exit 1
fi
@ -56,13 +62,11 @@ if ! "$LE_AUTO" 2>&1 | grep -q "WARNING: couldn't find Python"; then
fi
# bootstrap, this time installing python3
"$LE_AUTO" --no-self-upgrade -n > /dev/null 2> /dev/null
"$LE_AUTO" --no-self-upgrade -n --version > /dev/null 2> /dev/null
# ensure python 3 is installed
python3 --version > /dev/null
RESULT=$?
if [ $RESULT -ne 0 ]; then
error "letsencrypt-auto failed to install Python3 when only Python2.6 is present."
if ! python3 --version > /dev/null; then
echo "letsencrypt-auto failed to install Python3 when only Python2.6 is present."
exit 1
fi
@ -77,5 +81,39 @@ if [ "$($VENV_PATH/bin/python -V 2>&1 | cut -d" " -f2 | cut -d. -f1)" != 3 ]; th
fi
unset VENV_PATH
# we're going to modify env variables, so do this in a subshell
(
# ensure CentOS6 32bits is not supported anymore, and so certbot
# is not upgraded nor reinstalled.
export UNAME_FAKE_32BITS=true
set -o pipefail
if ! "$LE_AUTO" --version 2>&1 | grep -q "Certbot will no longer receive updates."; then
echo "On CentOS 6 32 bits, certbot-auto failed or upgraded installed certbot instance."
exit 1
fi
set +o pipefail
if ! "$LE_AUTO" --install-only 2>&1 | grep -q "Certbot cannot be installed."; then
echo "On CentOS 6 32 bits, certbot-auto installed certbot again."
exit 1
fi
)
# we're going to modify env variables, so do this in a subshell
(
# Prepare a certbot installation in the old venv path
rm -rf /opt/eff.org
VENV_PATH=~/.local/share/letsencrypt "$LE_AUTO" --install-only > /dev/null 2> /dev/null
# fake 32 bits mode
export UNAME_FAKE_32BITS=true
set -o pipefail
if ! "$LE_AUTO" --version 2>&1 | grep -q "Certbot will no longer receive updates."; then
echo "On CentOS 6 32 bits, certbot-auto failed or upgraded installed certbot in the old venv path."
exit 1
fi
set +o pipefail
)
echo "PASSED: On CentOS 6 32 bits, certbot-auto refused to install/upgrade certbot."
# test using python3
pytest -v -s certbot/letsencrypt-auto-source/tests

10
letsencrypt-auto-source/tests/uname_wrapper.sh Normal file
View file

@ -0,0 +1,10 @@
#!/bin/bash
set -e
uname_output=$(/bin/uname_orig "$@")
if [ "$UNAME_FAKE_32BITS" = true ]; then
uname_output="${uname_output//x86_64/i686}"
fi
echo "$uname_output"