diff --git a/acme/docs/jws-help.txt b/acme/docs/jws-help.txt
index 34cf5ce23..bfd16dff4 100644
--- a/acme/docs/jws-help.txt
+++ b/acme/docs/jws-help.txt
@@ -3,6 +3,6 @@ usage: jws [-h] [--compact] {sign,verify} ...
 positional arguments:
 {sign,verify}
-optional arguments:
+options:
 -h, --help show this help message and exit
 --compact
diff --git a/acme/setup.py b/acme/setup.py
index f4e143421..c3117c612 100644
--- a/acme/setup.py
+++ b/acme/setup.py
@@ -1,7 +1,7 @@
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 'cryptography>=43.0.0',
diff --git a/certbot-apache/setup.py b/certbot-apache/setup.py
index 41a34e919..6ffce4f3f 100644
--- a/certbot-apache/setup.py
+++ b/certbot-apache/setup.py
@@ -1,7 +1,7 @@
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 # We specify the minimum acme and certbot version as the current plugin
diff --git a/certbot-compatibility-test/setup.py b/certbot-compatibility-test/setup.py
index a20fb114b..81f600353 100644
--- a/certbot-compatibility-test/setup.py
+++ b/certbot-compatibility-test/setup.py
@@ -1,7 +1,7 @@
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 'certbot',
diff --git a/certbot-dns-cloudflare/setup.py b/certbot-dns-cloudflare/setup.py
index 212c51b80..69b06554b 100644
--- a/certbot-dns-cloudflare/setup.py
+++ b/certbot-dns-cloudflare/setup.py
@@ -4,7 +4,7 @@ import sys
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 # for now, do not upgrade to cloudflare>=2.20 to avoid deprecation warnings and the breaking
diff --git a/certbot-dns-digitalocean/setup.py b/certbot-dns-digitalocean/setup.py
index 72f0d0ce1..a1ede89ff 100644
--- a/certbot-dns-digitalocean/setup.py
+++ b/certbot-dns-digitalocean/setup.py
@@ -4,7 +4,7 @@ import sys
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 'python-digitalocean>=1.11', # 1.15.0 or newer is recommended for TTL support
diff --git a/certbot-dns-dnsimple/setup.py b/certbot-dns-dnsimple/setup.py
index 3d3ffa6c2..2c12a6a65 100644
--- a/certbot-dns-dnsimple/setup.py
+++ b/certbot-dns-dnsimple/setup.py
@@ -4,7 +4,7 @@ import sys
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 # This version of lexicon is required to address the problem described in
diff --git a/certbot-dns-dnsmadeeasy/setup.py b/certbot-dns-dnsmadeeasy/setup.py
index 729363dab..ebc27a5ef 100644
--- a/certbot-dns-dnsmadeeasy/setup.py
+++ b/certbot-dns-dnsmadeeasy/setup.py
@@ -4,7 +4,7 @@ import sys
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 'dns-lexicon>=3.14.1',
diff --git a/certbot-dns-gehirn/setup.py b/certbot-dns-gehirn/setup.py
index 282930095..0a699f91e 100644
--- a/certbot-dns-gehirn/setup.py
+++ b/certbot-dns-gehirn/setup.py
@@ -4,7 +4,7 @@ import sys
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 'dns-lexicon>=3.14.1',
diff --git a/certbot-dns-google/setup.py b/certbot-dns-google/setup.py
index 5bd42285f..f98cc0328 100644
--- a/certbot-dns-google/setup.py
+++ b/certbot-dns-google/setup.py
@@ -4,7 +4,7 @@ import sys
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 'google-api-python-client>=1.6.5',
diff --git a/certbot-dns-linode/setup.py b/certbot-dns-linode/setup.py
index 44f839fdc..9ab0b5098 100644
--- a/certbot-dns-linode/setup.py
+++ b/certbot-dns-linode/setup.py
@@ -4,7 +4,7 @@ import sys
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 'dns-lexicon>=3.14.1',
diff --git a/certbot-dns-luadns/setup.py b/certbot-dns-luadns/setup.py
index a22cef376..b2acf6128 100644
--- a/certbot-dns-luadns/setup.py
+++ b/certbot-dns-luadns/setup.py
@@ -4,7 +4,7 @@ import sys
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 'dns-lexicon>=3.14.1',
diff --git a/certbot-dns-nsone/setup.py b/certbot-dns-nsone/setup.py
index 3d19c3d32..73d9f2f82 100644
--- a/certbot-dns-nsone/setup.py
+++ b/certbot-dns-nsone/setup.py
@@ -4,7 +4,7 @@ import sys
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 'dns-lexicon>=3.14.1',
diff --git a/certbot-dns-ovh/setup.py b/certbot-dns-ovh/setup.py
index 4218a4d53..fab380bb1 100644
--- a/certbot-dns-ovh/setup.py
+++ b/certbot-dns-ovh/setup.py
@@ -4,7 +4,7 @@ import sys
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 'dns-lexicon>=3.15.1',
diff --git a/certbot-dns-rfc2136/setup.py b/certbot-dns-rfc2136/setup.py
index 33266ff0f..465a06725 100644
--- a/certbot-dns-rfc2136/setup.py
+++ b/certbot-dns-rfc2136/setup.py
@@ -4,7 +4,7 @@ import sys
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 # This version was chosen because it is the version packaged in RHEL 9 and Debian unstable. It
diff --git a/certbot-dns-route53/setup.py b/certbot-dns-route53/setup.py
index ca2990659..2f0d8b46d 100644
--- a/certbot-dns-route53/setup.py
+++ b/certbot-dns-route53/setup.py
@@ -4,7 +4,7 @@ import sys
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 'boto3>=1.15.15',
diff --git a/certbot-dns-sakuracloud/setup.py b/certbot-dns-sakuracloud/setup.py
index 9eeccf5bc..042b80c44 100644
--- a/certbot-dns-sakuracloud/setup.py
+++ b/certbot-dns-sakuracloud/setup.py
@@ -4,7 +4,7 @@ import sys
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 'dns-lexicon>=3.14.1',
diff --git a/certbot-nginx/setup.py b/certbot-nginx/setup.py
index 91de73b9a..baaaf7164 100644
--- a/certbot-nginx/setup.py
+++ b/certbot-nginx/setup.py
@@ -1,7 +1,7 @@
 from setuptools import find_packages
 from setuptools import setup
-version = '4.2.0.dev0'
+version = '5.0.0.dev0'
 install_requires = [
 # We specify the minimum acme and certbot version as the current plugin
diff --git a/certbot/CHANGELOG.md b/certbot/CHANGELOG.md
index 3b54baa9a..e9ebf224a 100644
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@@ -3,6 +3,45 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
+
+## 4.2.0 - 2025-08-05
+
+### Added
+
+- Added `--eab-hmac-alg` parameter to support custom HMAC algorithm for
+ External Account Binding.
+ ([#10281](https://github.com/certbot/certbot/issues/10281))
+
+### Changed
+
+- Catches and ignores errors during the directory fetch for ARI checking so
+ that these errors do not hinder the actual certificate issuance.
+ ([#10342](https://github.com/certbot/certbot/issues/10342))
+- Removed the dependency on `pytz`.
+ ([#10350](https://github.com/certbot/certbot/issues/10350))
+- Deprecated `acme.crypto_util.probe_sni`
+ ([#10386](https://github.com/certbot/certbot/issues/10386))
+- Support for Python 3.9 was deprecated and will be removed in our next planned
+ release. ([#10390](https://github.com/certbot/certbot/issues/10390))
+
+### Fixed
+
+- The Certbot snap no longer sets the environment variable PYTHONPATH stopping
+ it from picking up Python files in the current directory and polluting the
+ environment for Certbot hooks written in Python.
+ ([#10176](https://github.com/certbot/certbot/issues/10176),
+ [#10257](https://github.com/certbot/certbot/issues/10257))
+- Previously, we claimed to set FAILED_DOMAINS and RENEWED_DOMAINS env
+ variables for use by post-hooks when certificate renewals fail, but we were
+ not actually setting them. Now, we are.
+ ([#10259](https://github.com/certbot/certbot/issues/10259))
+- Certbot now always uses the server value from the renewal configuration file
+ for ARI checks instead of the server value from the current invocation of
+ Certbot. This helps prevent ARI requests from going to the wrong server if
+ the user changes CAs.
+ ([#10339](https://github.com/certbot/certbot/issues/10339))
+
+
 ## 4.1.1 - 2025-06-12
 ### Fixed
diff --git a/certbot/docs/cli-help.txt b/certbot/docs/cli-help.txt
index cf955eec5..51291fb11 100644
--- a/certbot/docs/cli-help.txt
+++ b/certbot/docs/cli-help.txt
@@ -36,7 +36,7 @@ manage your account:
 --agree-tos Agree to the ACME server's Subscriber Agreement
 -m EMAIL Email address for important account notifications
-optional arguments:
+options:
 -h, --help show this help message and exit
 -c CONFIG_FILE, --config CONFIG_FILE
 path to config file (default: /etc/letsencrypt/cli.ini
@@ -72,6 +72,9 @@ optional arguments:
 None)
 --eab-hmac-key EAB_HMAC_KEY
 HMAC key for External Account Binding (default: None)
+--eab-hmac-alg EAB_HMAC_ALG
+HMAC algorithm for External Account Binding (default:
+HS256)
 --cert-name CERTNAME Certificate name to apply. This name is used by Certbot for housekeeping and in file paths; it doesn't affect the content of the certificate itself.
@@ -139,7 +142,7 @@ optional arguments:
 case, and to know when to deprecate support for past Python versions and flags. If you wish to hide this information from the Let's Encrypt server, set this to
-"". (default: CertbotACMEClient/4.1.1 (certbot;
+"". (default: CertbotACMEClient/4.2.0 (certbot;
 OS_NAME OS_VERSION) Authenticator/XXX Installer/YYY (SUBCOMMAND; flags: FLAGS) Py/major.minor.patchlevel). The flags encoded in the user agent are: --duplicate,
diff --git a/certbot/src/certbot/__init__.py b/certbot/src/certbot/__init__.py
index b8ac7c9d6..07bf1f61d 100644
--- a/certbot/src/certbot/__init__.py
+++ b/certbot/src/certbot/__init__.py
@@ -3,7 +3,7 @@ import sys
 import warnings
 # version number like 1.2.3a0, must have at least 2 parts, like 1.2
-__version__ = '4.2.0.dev0'
+__version__ = '5.0.0.dev0'
 if sys.version_info[:2] == (3, 9):
diff --git a/newsfragments/10176.fixed b/newsfragments/10176.fixed
deleted file mode 100644
index 9edda49d6..000000000
--- a/newsfragments/10176.fixed
+++ /dev/null
@@ -1 +0,0 @@
-The Certbot snap no longer sets the environment variable PYTHONPATH stopping it from picking up Python files in the current directory and polluting the environment for Certbot hooks written in Python.
diff --git a/newsfragments/10257.fixed b/newsfragments/10257.fixed
deleted file mode 100644
index 9edda49d6..000000000
--- a/newsfragments/10257.fixed
+++ /dev/null
@@ -1 +0,0 @@
-The Certbot snap no longer sets the environment variable PYTHONPATH stopping it from picking up Python files in the current directory and polluting the environment for Certbot hooks written in Python.
diff --git a/newsfragments/10259.fixed b/newsfragments/10259.fixed
deleted file mode 100644
index 277b7a0a0..000000000
--- a/newsfragments/10259.fixed
+++ /dev/null
@@ -1 +0,0 @@
-Previously, we claimed to set FAILED_DOMAINS and RENEWED_DOMAINS env variables for use by post-hooks when certificate renewals fail, but we were not actually setting them. Now, we are.
diff --git a/newsfragments/10281.added b/newsfragments/10281.added
deleted file mode 100644
index c8fea9cdb..000000000
--- a/newsfragments/10281.added
+++ /dev/null
@@ -1 +0,0 @@
-Added `--eab-hmac-alg` parameter to support custom HMAC algorithm for External Account Binding.
diff --git a/newsfragments/10339.fixed b/newsfragments/10339.fixed
deleted file mode 100644
index d0924db88..000000000
--- a/newsfragments/10339.fixed
+++ /dev/null
@@ -1 +0,0 @@
-Certbot now always uses the server value from the renewal configuration file for ARI checks instead of the server value from the current invocation of Certbot. This helps prevent ARI requests from going to the wrong server if the user changes CAs.
diff --git a/newsfragments/10342.changed b/newsfragments/10342.changed
deleted file mode 100644
index 4c2fe6f96..000000000
--- a/newsfragments/10342.changed
+++ /dev/null
@@ -1 +0,0 @@
-Catches and ignores errors during the directory fetch for ARI checking so that these errors do not hinder the actual certificate issuance.
diff --git a/newsfragments/10350.changed b/newsfragments/10350.changed
deleted file mode 100644
index 410eef3ff..000000000
--- a/newsfragments/10350.changed
+++ /dev/null
@@ -1 +0,0 @@
-Removed the dependency on `pytz`.
diff --git a/newsfragments/10386.changed b/newsfragments/10386.changed
deleted file mode 100644
index 5918609be..000000000
--- a/newsfragments/10386.changed
+++ /dev/null
@@ -1 +0,0 @@
-Deprecated `acme.crypto_util.probe_sni`
diff --git a/newsfragments/10390.changed b/newsfragments/10390.changed
deleted file mode 100644
index 37a988e3b..000000000
--- a/newsfragments/10390.changed
+++ /dev/null
@@ -1 +0,0 @@
-Support for Python 3.9 was deprecated and will be removed in our next planned release.