diff --git a/.travis.yml b/.travis.yml index 5d70ca799..16b5700e5 100644 --- a/.travis.yml +++ b/.travis.yml @@ -23,6 +23,7 @@ env: global: - GOPATH=/tmp/go - PATH=$GOPATH/bin:$PATH + - GO15VENDOREXPERIMENT=1 # Fixes problems with vendor directories matrix: include: diff --git a/README.rst b/README.rst index a0bd4059b..385a031ff 100644 --- a/README.rst +++ b/README.rst @@ -3,9 +3,9 @@ Disclaimer ========== -Certbot is **BETA SOFTWARE**. It contains plenty of bugs and -rough edges, and should be tested thoroughly in staging environments before use -on production systems. +Certbot (previously, the Let's Encrypt client) is **BETA SOFTWARE**. It +contains plenty of bugs and rough edges, and should be tested thoroughly in +staging environments before use on production systems. For more information regarding the status of the project, please see https://letsencrypt.org. Be sure to checkout the 
@@ -138,16 +138,15 @@ System Requirements =================== The Let's Encrypt Client presently only runs on Unix-ish OSes that include -Python 2.6 or 2.7; Python 3.x support will be added after the Public Beta -launch. The client requires root access in order to write to -``/etc/letsencrypt``, ``/var/log/letsencrypt``, ``/var/lib/letsencrypt``; to -bind to ports 80 and 443 (if you use the ``standalone`` plugin) and to read and -modify webserver configurations (if you use the ``apache`` or ``nginx`` -plugins). If none of these apply to you, it is theoretically possible to run -without root privileges, but for most users who want to avoid running an ACME -client as root, either `letsencrypt-nosudo -`_ or `simp_le -`_ are more appropriate choices. +Python 2.6 or 2.7; Python 3.x support will hopefully be added in the future. The +client requires root access in order to write to ``/etc/letsencrypt``, +``/var/log/letsencrypt``, ``/var/lib/letsencrypt``; to bind to ports 80 and 443 +(if you use the ``standalone`` plugin) and to read and modify webserver +configurations (if you use the ``apache`` or ``nginx`` plugins). If none of +these apply to you, it is theoretically possible to run without root privileges, +but for most users who want to avoid running an ACME client as root, either +`letsencrypt-nosudo `_ or +`simp_le `_ are more appropriate choices. The Apache plugin currently requires a Debian-based OS with augeas version 1.0; this includes Ubuntu 12.04+ and Debian 7+. diff --git a/certbot/cli.py b/certbot/cli.py index e2c57595b..97b1a5399 100644 --- a/certbot/cli.py +++ b/certbot/cli.py 
@@ -37,7 +37,7 @@ helpful_parser = None # should only be used for purposes where inability to detect letsencrypt-auto # fails safely -fragment = os.path.join(".local", "share", "certbot") +fragment = os.path.join(".local", "share", "letsencrypt") cli_command = "letsencrypt-auto" if fragment in sys.argv[0] else "certbot" # Argparse's help formatting has a lot of unhelpful peculiarities, so we want diff --git a/certbot/client.py b/certbot/client.py index 60e37a787..6f41a3a0b 100644 --- a/certbot/client.py +++ b/certbot/client.py @@ -245,8 +245,9 @@ class Client(object): domains, self.config.allow_subset_of_names) - domains = [a.body.identifier.value.encode('ascii') - for a in authzr] + auth_domains = set(a.body.identifier.value.encode('ascii') + for a in authzr) + domains = [d for d in domains if d in auth_domains] # Create CSR from names key = crypto_util.init_save_key( diff --git a/certbot/main.py b/certbot/main.py index 72f4fe66e..309889e8e 100644 --- a/certbot/main.py +++ b/certbot/main.py @@ -528,7 +528,7 @@ def obtain_cert(config, plugins, lineage=None): notify("new certificate deployed with reload of {0} server; fullchain is {1}".format( config.installer, lineage.fullchain), pause=False) elif action == "reinstall" and config.verb == "certonly": - notify("Certificate not yet due for renewal; no action taken.") + notify("Certificate not yet due for renewal; no action taken.", pause=False) _suggest_donation_if_appropriate(config, action) diff --git a/certbot/renewal.py b/certbot/renewal.py index 180499387..3682c50d5 100644 --- a/certbot/renewal.py +++ b/certbot/renewal.py @@ -287,7 +287,7 @@ def _renew_describe_results(config, renew_successes, renew_failures, if parse_failures: notify("\nAdditionally, the following renewal configuration files " "were invalid: ") - notify(parse_failures, "parsefail") + notify(report(parse_failures, "parsefail")) if config.dry_run: notify("** DRY RUN: simulating 'certbot renew' close to cert expiry") 
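Review bot: In certbot/client.py, the new filter `domains = [d for d in domains if d in auth_domains]` matches the caller's names by exact equality against the ASCII-encoded identifier values, so a requested name that differs only in case or a trailing dot would be dropped from the CSR with no message. How `domains` is normalised is not visible in this hunk; if such a mismatch is possible, normalise both sides before comparing or log the names that were filtered out. The match also depends on Python 2 treating `str` and the result of `.encode('ascii')` as the same type, and under Python 3 it would yield an empty list. A comment above the filter would record both points, for example `# Keep the caller's ordering; only names with an authorization reach the CSR (exact byte-string match, Python 2 semantics)`. The enclosing method starts and ends outside the hunk.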
diff --git a/certbot/storage.py b/certbot/storage.py index 4ef614a8e..c4bfb3e28 100644 --- a/certbot/storage.py +++ b/certbot/storage.py @@ -78,6 +78,10 @@ def write_renewal_config(o_filename, n_filename, target, relevant_data): if k not in relevant_data: del config["renewalparams"][k] + if "renew_before_expiry" not in config: + default_interval = constants.RENEWER_DEFAULTS["renew_before_expiry"] + config.initial_comment = ["renew_before_expiry = " + default_interval] + # TODO: add human-readable comments explaining other available # parameters logger.debug("Writing new config %s.", n_filename) diff --git a/certbot/tests/client_test.py b/certbot/tests/client_test.py index a41301148..8ceefe8ae 100644 --- a/certbot/tests/client_test.py +++ b/certbot/tests/client_test.py @@ -201,7 +201,8 @@ class ClientTest(unittest.TestCase): authzr = [] - for domain in domains: + # domain ordering should not be affected by authorization order + for domain in reversed(domains): authzr.append( mock.MagicMock( body=mock.MagicMock( diff --git a/certbot/tests/main_test.py b/certbot/tests/main_test.py new file mode 100644 index 000000000..66cba64a3 --- /dev/null +++ b/certbot/tests/main_test.py 
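Review bot: In certbot/storage.py, `config.initial_comment = [...]` assigns rather than extends, so any header comment the config object already carries is replaced when the file is rewritten. Where `config` is loaded from is outside this hunk, so this may be intended, but a comment should say so, for example `# Show the default as a header comment; this replaces any existing initial comment`. The concatenation also assumes `constants.RENEWER_DEFAULTS["renew_before_expiry"]` is a string. Writing `"renew_before_expiry = " + str(default_interval)` avoids a TypeError if that default is ever changed to a number. write_renewal_config continues outside the hunk.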
@@ -0,0 +1,48 @@ +"""Tests for certbot.main.""" +import unittest + + +import mock + + +from certbot import cli +from certbot import configuration +from certbot.plugins import disco as plugins_disco + + +class ObtainCertTest(unittest.TestCase): + """Tests for certbot.main.obtain_cert.""" + + def setUp(self): + self.get_utility_patch = mock.patch( + 'certbot.main.zope.component.getUtility') + self.mock_get_utility = self.get_utility_patch.start() + + def tearDown(self): + self.get_utility_patch.stop() + + def _call(self, args): + plugins = plugins_disco.PluginsRegistry.find_all() + config = configuration.NamespaceConfig( + cli.prepare_and_parse_args(plugins, args)) + + from certbot import main + with mock.patch('certbot.main._init_le_client') as mock_init: + main.obtain_cert(config, plugins) + + return mock_init() # returns the client + + @mock.patch('certbot.main._auth_from_domains') + def test_no_reinstall_text_pause(self, mock_auth): + mock_notification = self.mock_get_utility().notification + mock_notification.side_effect = self._assert_no_pause + mock_auth.return_value = (mock.ANY, 'reinstall') + self._call('certonly --webroot -d example.com -t'.split()) + + def _assert_no_pause(self, message, height=42, pause=True): + # pylint: disable=unused-argument + self.assertFalse(pause) + + +if __name__ == '__main__': + unittest.main() # pragma: no cover diff --git a/docs/using.rst b/docs/using.rst index 83377ecee..10d4aa544 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -124,7 +124,7 @@ or ``--webroot-path /usr/share/nginx/html`` are two common webroot paths. If you're getting a certificate for many domains at once, the plugin needs to know where each domain's files are served from, which could -potentially be a separate directory for each domain. When requested a +potentially be a separate directory for each domain. When requesting a certificate for multiple domains, each domain will use the most recently specified ``--webroot-path``. So, for instance, 
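Review bot: In certbot/tests/main_test.py, test_no_reinstall_text_pause can pass without checking anything, because `_assert_no_pause` only runs when `notification` is actually called. If obtain_cert stopped notifying on the reinstall path, the test would still succeed. Adding `self.assertTrue(mock_notification.called)` after the `self._call(...)` line makes the test fail in that case. `_call` also returns `mock_init()`, which no test here uses; either drop the return or give `_call` a one-line docstring saying what the returned mock client is for.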
@@ -184,11 +184,11 @@ be on a different computer. Nginx ----- -In the future, if you're running Nginx you can use this plugin to -automatically obtain and install your certificate. The Nginx plugin -is still experimental, however, and is not installed with -certbot-auto_. If installed, you can select this plugin on the -command line by including ``--nginx``. +In the future, if you're running Nginx you will hopefully be able to use this +plugin to automatically obtain and install your certificate. The Nginx plugin is +still experimental, however, and is not installed with certbot-auto_. If +installed, you can select this plugin on the command line by including +``--nginx``. Third-party plugins ------------------- @@ -447,7 +447,13 @@ If you run Debian Stretch or Debian Sid, you can install letsencrypt packages. If you don't want to use the Apache plugin, you can omit the ``python-certbot-apache`` package. -Packages for Debian Jessie are coming in the next few weeks. +Packages exist for Debian Jessie via backports. First you'll have to follow the +instructions at http://backports.debian.org/Instructions/ to enable the Jessie backports +repo, if you have not already done so. Then run: + +.. code-block:: shell + + sudo apt-get install certbot python-certbot-apache -t jessie-backports **Fedora** diff --git a/setup.py b/setup.py index 67cefdc48..4ee56576b 100644 --- a/setup.py +++ b/setup.py @@ -39,7 +39,7 @@ install_requires = [ 'ConfigArgParse>=0.9.3', 'configobj', 'cryptography>=0.7', # load_pem_x509_certificate - 'parsedatetime', + 'parsedatetime>=1.3', # Calendar.parseDT 'psutil>=2.1.0', # net_connections introduced in 2.1.0 'PyOpenSSL', 'pyrfc3339', diff --git a/tests/letstest/multitester.py b/tests/letstest/multitester.py index 02dfc4410..d9491939c 100644 --- a/tests/letstest/multitester.py +++ b/tests/letstest/multitester.py 
@@ -349,7 +349,7 @@ def test_client_process(inqueue, outqueue): print(env.host_string) try: - install_and_launch_letsencrypt(instances[ii], boulder_url, target) + install_and_launch_certbot(instances[ii], boulder_url, target) outqueue.put((ii, target, 'pass')) print("%s - %s SUCCESS"%(target['ami'], target['name'])) except: diff --git a/tools/_venv_common.sh b/tools/_venv_common.sh index a121af82d..dc6ca3dd2 100755 --- a/tools/_venv_common.sh +++ b/tools/_venv_common.sh @@ -18,7 +18,8 @@ virtualenv --no-site-packages $VENV_NAME $VENV_ARGS # Separately install setuptools and pip to make sure following # invocations use latest pip install -U setuptools -pip install -U pip +# --force-reinstall used to fix broken pip installation on some systems +pip install --force-reinstall -U pip pip install "$@" set +x
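Review bot: In tools/_venv_common.sh, `pip install --force-reinstall -U pip` fetches whatever pip version is newest on the index at run time, with no version pin or hash check, and the `setuptools` line above it does the same. Every environment built by this script therefore trusts the index's current upload, and builds are not reproducible. If always taking the latest is intentional for development venvs, say so in the comment and have release or CI builds use a pinned bootstrap such as `pip install --force-reinstall "pip==<PINNED_VERSION>"`. The new comment should also name the affected systems or the issue it works around, so the flag can be removed once they are fixed.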