This PR reactivates tls-sni-01 challenges on recent Boulder versions checkout for integration tests. This allows to continue testing this challenge until it is officially dropped from server (Boulder) and client (Certbot).
Reverts #6679.
* Remove tls-sni-01 challenges in integration tests
* Remove the tls-sni test in the less invasive way
* Correct code coverage from tls-sni logic not been tested anymore.
* Update certbot-boulder-integration.sh
#6636 broke [test-everything tests](https://travis-ci.org/certbot/certbot/builds/475173804) because `_common.sh` is a common file shared between Certbot and Nginx integration tests and `--no-random-sleep-on-renew` isn't defined for the version of Certbot used in the "oldest" integration tests.
This PR adds code to `_common.sh` to check the Certbot version and if it's new enough, add `--no-random-sleep-on-renew` to the command line. I repurposed `$store_flags` and stopped exporting it because it's not used anywhere outside of this file.
Other approaches I considered and decided against were:
1. Adding this flag in `certbot-boulder-integration.sh`. I decided against it because it's setting us up for the same problem in the future if the oldest version of Certbot is upgraded in the Nginx tests and we call `certbot renew`.
2. Just upgrading the oldest version of Certbot required by Nginx to avoid these issues. While this would work (with perhaps some unnecessary burden for our packagers), I think it's avoiding the real problem here which should now be able to addressed easily with the addition of `$other_flags` and `version_at_least`.
* Add version_at_least().
* Conditionally disable sleep.
* Consolidate store_flags and other_flags.
* update comments
* feat(nginx): add and test new parsing abstractions
* chore(nginx parser): fix mypy and address small comments
* chore(nginx parser): clean up by removing context object
* fix integration test and lint
* Use newer boulder config
* Use ACMEv2 endpoint if requested
* Add v2 integration tests
* Work with unset variables
* Add wildcard issuance test
* quote domains
Might help debug #4363.
Also:
make "bash" vs "sh" explicit
move the paranoia flags (-ex) from the shebang into the body
add -u (fail on unset variables)
change _common to work with -u
remove some env vars that were no longer used
remove shebang from _common.sh because it's meant to be sourced, not run
* Start of combined manual/script plugin
* Return str from hooks.execute, not bytes
* finish manual/script rewrite
* delete old manual and script plugins
* manually specify we want chall.token
* use consistent quotes
* specify chall for uri
* s/script/hook
* fix spacing on instructions
* remove unneeded response argument
* make achall more helpful
* simplify perform
* remove old test files
* add start of manual_tests
* fix ParseTest.test_help
* stop using manual_test_mode in cli tests
* Revert "make achall more helpful"
This reverts commit 54b01cea30.
* use bad response/validation methods on achalls
* simplify perform and cleanup environment
* finish manual tests
* Add HTTP manual hook integration test
* add manual http scripts
* Add manual DNS script integration test
* remove references to the script plugin
* they're hooks, not scripts
* add --manual-public-ip-logging-ok to integration tests
* use --pref-chall for dns integration
* does dns work?
* validate hooks
* test hook validation
* Revert "does dns work?"
This reverts commit 1224cc2961.
* busy wait in manual-http-auth
* remove DNS script test for now
* Fix challenge prefix and add trailing .
* Add comment about universal_newlines
* Fix typo from 0464ba2c4
* fix nits and typos
* Generalize HookCOmmandNotFound error
* Add verify_exe_exists
* Don't duplicate code in hooks.py
* Revert changes to hooks.py
* Use consistent hook error messages
Print request and response bodies with newlines, rather than all on one line.
Remove "Omitted empty field" log, which gets logged meaninglessly for every JSON
serialization.
Remove duplicated logging of responses.
Log the base64 version of the nonce, rather than turning it into bytes and
logging the backslash-escaped version of those bytes.
Only pass -vv in tests.
* only verify port is available when you actually need it
* refactor code to create achalls
* Test port checks are based on achall
* test that only the port for the requested challenge is checked in standalone
Save accounts to:
/etc/letsencrypt/accounts/www.letsencrypt-dmeo.org/acme/new-reg/ \
kuba.le.wtf@2015-07-04T14:04:10Z/ \
{regr.json,meta.json,private_key.json}
Account now represents a combination of private key, Registration
Resource and client account metadata. `Account.id` based on the
account metadata (creation host and datetime). UI interface
(`cli._determine_account`) based on the `id`, and not on email as
previously.
Add `AccountStorage` interface and `AccountFileStorage`,
`AccountMemoryStorage` implementations (latter, in-memory, useful for
testing).
Create Account only after Registration Resource is received
(`register()` returns `Account`).
Allow `client.Client(..., acme=acme, ...)`: API client might reuse
acme.client.Client as returned by `register()`.
Move report_new_account to letsencrypt.account, client.Client.register
into client.register.
Use Registration.from_data acme API.
achallenges.AChallenge.key is now the `acme.jose.JWK`, not
`le_util.Key`. Plugins have to export PEM/DER as necessary
(c.f. `letsencrypt.plugins.common.Dvsni.get_key_path`)
Add --agree-tos, save --agree-eula to "args.eula". Prompt for EULA as
soon as client is launched, add prompt for TOS.
Remove unnecessary letsencrypt.network. Remove, now irrelevant,
`IConfig.account_keys_dir`.
Based on the draft from
https://github.com/letsencrypt/letsencrypt/pull/362#issuecomment-97946817.
