This PR is the second part of #6497 to ease the integration, following the new plan proposed by @bmw here: #6497 (comment)
This PR creates the module certbot.compat.os, that delegates everything to os, and that will be the safeguard against problematic methods of the standard module. On top of that, a quality check wrapper is called in the lint tox environment. This wrapper calls pylint and ensures that the standard os module is not used directly in the certbot codebase.
Finally local oldest requirements are updated to ensure that tests will take the new logic when running.
* Add executable permissions
* Add the delegate certbot.compat.os module, add check coding style to enforce usage of certbot.compat.os instead of standard os
* Load certbot.compat.os instead of os
* Move existing compat test
* Update local oldest requirements
* Import sys
* Update account_test.py
* Update os.py
* Update os.py
* Update local oldest requirements
* Implement the new linter_plugin
* Fix local oldest for nginx
* Remove check coding style
* Update linter_plugin.py
* Add several comments
* Update the setup.py
* Add documentation
* Update acme dependencies
* Update certbot/compat/os.py
* Update docs/contributing.rst
* Update linter_plugin.py
* Handle os.path. Simplify checker.
* Add a comment to a reference implementation
* Update changelog
* Fix module registering
* Update docs/contributing.rst
* Update config and changelog
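The kind of check this PR describes, forbidding direct use of the standard `os` module (including `os.path`) in favour of `certbot.compat.os`, can be sketched with the standard `ast` module. This is an added example, not certbot's pylint plugin; the function name and the sample source are constructed for illustration.

```python
import ast


def find_direct_os_usage(source, filename="<constructed>"):
    """Return sorted (line, statement) pairs for direct imports of the standard os module.

    Imports that go through a package (e.g. `from certbot.compat import os`)
    or that are relative are not reported.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                # `import os` and `import os.path` both bind the standard module.
                if alias.name == "os" or alias.name.startswith("os."):
                    findings.append((node.lineno, "import " + alias.name))
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            module = node.module or ""
            # `from os import ...` and `from os.path import ...`
            if module == "os" or module.startswith("os."):
                names = ", ".join(a.name for a in node.names)
                findings.append(
                    (node.lineno, "from %s import %s" % (module, names)))
    return sorted(findings)


# Constructed sample: four direct uses, then four lines that must not be flagged.
SAMPLE = """\
import os
import os.path
from os import chmod, path
from os.path import join
from certbot.compat import os
import certbot.compat.os
from . import os
import osquery
"""

if __name__ == "__main__":
    for lineno, statement in find_direct_os_usage(SAMPLE):
        print("line %d: use certbot.compat.os instead of `%s`" % (lineno, statement))
```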
This PR is the first part of #6497 to ease the integration, following the new plan proposed by @bmw here: #6497 (comment)
This step 1 refactors the existing certbot.compat module into certbot.compat.misc, without any logic changed. Package certbot.compat will host the new modules that constitute the security model for Windows.
* Create the certbot.compat package. Move logic in certbot.compat.misc
* Add doc
* Fix lint
* Correct mypy
* Update client.py
This PR is a part of the tls-sni-01 removal plan described in #6849.
This PR removes --tls-sni-01-port, --tls-sni-01-address and tls-sni-01/tls-sni options from --preferred-challenges. They are replaced by a deprecation warning, indicating that these options will be removed soon.
This deprecation, instead of complete removal, is done to avoid certbot instances hard failing if some automated scripts still use these flags for some users.
Once this PR lands, we can completely remove these flags in one or two releases.
* Remove tls-sni related flags in cli. Add a deprecation warning instead.
* Adapt tests to cli and renewal towards tls-sni flags deprecation
* Add https_port option. Make tls_sni_01_port show a deprecation warning, but silently modify https_port if set
* Migrate last items
* Fix lint
* Update certbot/cli.py
Co-Authored-By: adferrand <adferrand@users.noreply.github.com>
* Ensure to remove all occurrences of tls-sni-01
* Remove unused parameter
* Revert modifications on cli-help.txt
* Use logger.warning instead of sys.stderr
* Update the logger warning message
* Remove standalone_supported_challenges option.
* Fix order of preferred-challenges
* Remove supported_challenges property
* Fix some tests
* Fix lint
* Fix tests
* Add a changelog
* Clean code, fix test
* Update CI
* Reload
* No hard date for tls-sni removal
* Remove useless cast to list
* Update certbot/tests/renewal_test.py
Co-Authored-By: adferrand <adferrand@users.noreply.github.com>
* Add entry to the changelog
* Add entry to the changelog
* Remove tls-sni from nginx config
* Add a dedicated configuration to define what is the HTTPS port for this certbot instance.
* Correct some tests
* Reestablish default vhost creation
* Clean tls references for nginx integration tests
* Associate https_port only to tests and nginx
This PR is a part of the tls-sni-01 removal plan described in #6849.
This PR removes the tls-sni-01 challenge tests during the integration tests. The approach I used here is not to remove completely the existing test code, but simply to edit it to use a http-01 challenge. Indeed:
* the current integration tests are strongly coupled, and would require more modifications than it is worth, because ...
* the certbot-ci project, that has already no tls-sni tests, will soon replace completely the current integration tests code.
If you execute `tests/lock_test.py` or `tox -e integration` on a fairly recent machine, you will get the following error during tests executing against a live Nginx instance:
```
no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: x.x.x.x, server: y:y:y:y:z
```
Indeed, having no defined ssl certificate for a ssl port would inevitably lead to an error during the handshake SSL process between a client and this mis-configured nginx instance.
However it was not a problem one year before, because the handshake was not occurring in practice: the test just needs to have a nginx started, and then immediately proceeds to modify the configuration with a correct SSL setup. And nginx was able to start with a mis-configuration on SSL.
But then this fix has been done: https://trac.nginx.org/nginx/ticket/178
Basically with this, validation of the configuration is done during nginx startup, that will refuse to start with invalid configuration on SSL. Consequently, all related tests are failing with a sufficiently up-to-date nginx. For now, it is not seen on Travis because Ubuntu Trusty is used, with an old Nginx.
The PR fixes that, by generating on the fly self-signed certificates in the two impacted tests, and pushing the right parameters in the Nginx configuration.
* Fix nginx configuration with self-signed certificates generated on the fly
* Fix lint/mypy
* Fix old cryptography
* Unattended openssl
* Update lock_test.py
So merging the study from @bmw and me, here is what happened.
Each invocation of `certbot.logger.post_arg_parse_setup` creates a file handler on `letsencrypt.log`. This function also sets an atexit handler invoking `logger.shutdown()`, which has the effect of closing all logger file handlers not already closed at this point. This method is supposed to be called when a Python process is close to exit, because it makes all loggers unable to write new logs on any handler.
Before #6667 and this PR, for tests, the atexit handler would be triggered only at the end of the pytest process. It means that each test that launches `certbot.logger.post_arg_parse_setup` adds a new file handler. These tests were typically connecting the file handler to a `letsencrypt.log` located in a temporary directory, and this directory and its content were wiped out at each test tearDown. As a consequence, the file handlers, not cleared from the logger, were accumulating in the logger, with all of them connected to a deleted log file, except the last one that was just created by the current test. Considering the number of tests concerned, there were ~300 file handlers at the end of pytest execution.
One can see that, prior to #6667, by calling `print(logger.getLogger().handlers)` in the `tearDown` of these tests, and seeing the array grow at each test execution.
Even if this represents a memory leak, this situation was not really a problem on Linux: because a file can be deleted before it is closed, it only meant that a given invocation of `logger.debug` for instance, during the tests, was written to 300 log files. The overhead is negligible. On Windows however, the file handlers were failing because you cannot delete a file before it is closed.
It was one of the reasons for #6667, which added a call to `logging.shutdown()` at each test tearDown, with the consequence of closing all file handlers. At this point, Linux is not happy anymore. Any call to `logger.warn` will generate an error for each closed file handler. As a file handler is added for each test, the number of errors grows on each test, following an arithmetical suite divergence.
On `test_sdists.py`, that is using the bare setuptools test suite without output capturing, we can see the damage. The total output takes 216000 lines, and 23000 errors are generated. A decent machine can support this load, but not a small AWS instance, which crashes during the execution. Even with pytest, the captured output and the memory leak become so large that segfaults are generated.
On the current PR, the problem is solved by resetting the file handlers array on the logging system on each test tearDown. So each fileHandler is properly closed, and removed from the stack. They do not participate anymore in the logging system, and can be garbage collected. Then we always stay at one file handler opened at any time, and tests can succeed on AWS instances.
For the record, here are all the places where the logging system is called and fails if there are still file handlers closed but not cleaned (extracted from the original huge output before correction):
```
Logged from file account.py, line 116
Logged from file account.py, line 178
Logged from file client.py, line 166
Logged from file client.py, line 295
Logged from file client.py, line 415
Logged from file client.py, line 422
Logged from file client.py, line 480
Logged from file client.py, line 503
Logged from file client.py, line 540
Logged from file client.py, line 601
Logged from file client.py, line 622
Logged from file client.py, line 750
Logged from file cli.py, line 220
Logged from file cli.py, line 226
Logged from file crypto_util.py, line 101
Logged from file crypto_util.py, line 127
Logged from file crypto_util.py, line 147
Logged from file crypto_util.py, line 261
Logged from file crypto_util.py, line 283
Logged from file crypto_util.py, line 307
Logged from file crypto_util.py, line 336
Logged from file disco.py, line 116
Logged from file disco.py, line 124
Logged from file disco.py, line 134
Logged from file disco.py, line 138
Logged from file disco.py, line 141
Logged from file dns_common_lexicon.py, line 45
Logged from file dns_common_lexicon.py, line 61
Logged from file dns_common_lexicon.py, line 67
Logged from file dns_common.py, line 316
Logged from file dns_common.py, line 64
Logged from file eff.py, line 60
Logged from file eff.py, line 73
Logged from file error_handler.py, line 105
Logged from file error_handler.py, line 110
Logged from file error_handler.py, line 87
Logged from file hooks.py, line 248
Logged from file main.py, line 1071
Logged from file main.py, line 1075
Logged from file main.py, line 1189
Logged from file ops.py, line 122
Logged from file ops.py, line 325
Logged from file ops.py, line 338
Logged from file reporter.py, line 55
Logged from file selection.py, line 110
Logged from file selection.py, line 118
Logged from file selection.py, line 123
Logged from file selection.py, line 176
Logged from file selection.py, line 231
Logged from file selection.py, line 310
Logged from file selection.py, line 66
Logged from file standalone.py, line 101
Logged from file standalone.py, line 88
Logged from file standalone.py, line 97
Logged from file standalone.py, line 98
Logged from file storage.py, line 52
Logged from file storage.py, line 59
Logged from file storage.py, line 75
Logged from file util.py, line 56
Logged from file webroot.py, line 165
Logged from file webroot.py, line 186
Logged from file webroot.py, line 187
Logged from file webroot.py, line 204
Logged from file webroot.py, line 223
Logged from file webroot.py, line 234
Logged from file webroot.py, line 235
Logged from file webroot.py, line 237
Logged from file webroot.py, line 91
```
* Reapply #6667
* Make setuptools delegates tests execution to pytest, like in acme module.
* Clean handlers at each tearDown to avoid memory leaks.
* Update changelog
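The handler accumulation and the tearDown fix described in the message above can be reproduced with the standard `logging` module alone. This is an added example, not certbot code: `attach_log_file` is a hypothetical stand-in for the file handler that `certbot.logger.post_arg_parse_setup` is said to create, and the logger names are constructed.

```python
import logging
import os
import shutil
import tempfile


def attach_log_file(logger, directory):
    """Hypothetical stand-in for the setup step: add one file handler
    writing to letsencrypt.log inside `directory`."""
    handler = logging.FileHandler(os.path.join(directory, "letsencrypt.log"))
    logger.addHandler(handler)
    return handler


def reset_file_handlers(logger):
    """The tearDown fix: close every handler AND detach it from the logger,
    so it no longer receives records and can be garbage collected."""
    for handler in list(logger.handlers):
        handler.close()
        logger.removeHandler(handler)


def run_fake_tests(count, cleanup):
    """Simulate `count` tests that each log into their own temporary directory.

    Returns the number of handlers still attached after each tearDown.
    """
    logger = logging.getLogger("constructed.example.cleanup_%s" % cleanup)
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    counts = []
    for _ in range(count):
        workdir = tempfile.mkdtemp()              # setUp
        attach_log_file(logger, workdir)
        logger.debug("message from one test")     # fans out to every attached handler
        if cleanup:                               # tearDown with the fix
            reset_file_handlers(logger)
        # tearDown wipes the directory; on Windows this fails while a handler
        # still holds the log file open, hence ignore_errors.
        shutil.rmtree(workdir, ignore_errors=True)
        counts.append(len(logger.handlers))
    reset_file_handlers(logger)                   # leave no open files behind
    return counts


if __name__ == "__main__":
    print("without cleanup:", run_fake_tests(5, cleanup=False))
    print("with cleanup:   ", run_fake_tests(5, cleanup=True))
```

Without the cleanup the count grows by one per test, which is the growth the message reports seeing when printing the handlers list in `tearDown`.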
This PR fixes certbot-nginx and relevant tests to make them succeed on Windows.
Next step will be to enable integration tests through certbot-ci in a future PR.
* Fix tests and incompatibilities in certbot-nginx for Windows
* Fix lint, fix oldest local dependencies
This PR reactivates tls-sni-01 challenges on recent Boulder versions checkout for integration tests. This allows to continue testing this challenge until it is officially dropped from server (Boulder) and client (Certbot).
Reverts #6679.
* Remove tls-sni-01 challenges in integration tests
* Remove the tls-sni test in the less invasive way
* Correct code coverage from tls-sni logic not being tested anymore.
* Update certbot-boulder-integration.sh
In response to #5342.
Currently, certbot will execute the operations necessary to validate a challenge even if the challenge has already been validated before against the acme ca server. This can occur for instance if a certificate is asked and issued correctly, then deleted locally, then asked again.
It is a corner case, but it will lead to some heavy operations (like updating a DNS zone, or creating an HTTP server) that are not needed.
This PR corrects this behavior by not executing challenges already validated, and use them directly instead to issue the certificate.
Fixes #5342
* Avoid executing a given challenge that has already been validated by acme ca server.
* Execute tls challenge on a separate dns name, to avoid reusing the existing valid http challenge.
* Align with master
* Improve log
* Simplify the implementation
* Update changelog
* Add a unit test to ensure that validated challenges are not rerun
* flip challenge preference in Nginx
* Fix Nginx tests
* Flip challenge preference in Apache
* Flip challenge preference in standalone
* update changelog
* continue to run with tls-sni in integration tests for coverage
* feat(nginx): add and test new parsing abstractions
* chore(nginx parser): fix mypy and address small comments
* chore(nginx parser): clean up by removing context object
* fix integration test and lint
Stop caching the results of ipv6_info in http01.py. A call to choose_vhosts might change the ipv6 results of later calls. Add tests for this and default_listen_addresses more broadly.
Previously, Nginx did not allow `${` to start a variable name. Now it's allowed to. This means we'll be more permissible than Nginx when people are on older versions of Nginx, but it's unlikely anyone was relying on this to fail in the first place, so that's probably ok.
This makes errors more useful when Nginx can't be found or when Nginx's
configuration can't be found. Previously, a generic
`NoInstallationError` isn't descriptive enough to explain _what_ wasn't
installed or what failed without going digging into the source code.
* Exclude one-time use parameters. Fixes #6118
* Fix error.
* Delete items inplace, rather than creating new list.
* Fix stupid mistake.
* Use .index() for stability.
* Try previous idea while resetting the index.
* Shorter comment for pylint.
* More readable approach
* Fix whitespace
* Use greater than or equal to in requirements.
This changes the existing requirements using strictly greater than to greater
than or equal to so that they're more conventional.
* Use >= for certbot-postfix.
Despite it previously saying 'certbot>0.23.0', certbot-postfix/local-oldest-requirements.txt was pinned to 0.23.0 so let's just use certbot>=0.23.0.
See https://github.com/certbot/website/pull/348#issuecomment-399257703.
```
$ certbot --help all | grep -C 3 nginx-server-root
nginx:
Nginx Web Server plugin - Alpha
--nginx-server-root NGINX_SERVER_ROOT
Nginx server root directory. (default: /etc/nginx)
--nginx-ctl NGINX_CTL
Path to the 'nginx' binary, used for 'configtest' and
```
```
$ CERTBOT_DOCS=1 certbot --help all | grep -C 3 nginx-server-root
nginx:
Nginx Web Server plugin - Alpha
--nginx-server-root NGINX_SERVER_ROOT
Nginx server root directory. (default: /etc/nginx or
/usr/local/etc/nginx)
--nginx-ctl NGINX_CTL
```
* Show both possible Nginx default server root values in docs
* add test
* check that exactly one server root is in the default
* use default magic
* automatically select among default vhosts if we have a port preference
* ports should be strings in the nginx plugin
* clarify port vs preferred_port behavior by adding allow_port_mismatch flag
* update all instances of default_vhosts to all_default_vhosts
* require port
* port should never be None in _get_default_vhost
* Remove unneeded sys import.
Once upon a time we needed this in some of these setup.py files because we were
using sys in the file, but we aren't anymore so let's remove the import.
* use setuptools instead of distutils
* Remove unsupported pylint disable options
* star-args removed in Pylint 1.4.3
* abstract-class-little-used removed in Pylint 1.4.3
* Fixes new lint errors
* Copy dummy-variable-rgx expression to new ignored-argument-names expression to ignore unused function arguments
* Notable changes
* Refactor to satisfy Pylint no-else-return warning
* Fix Pylint inconsistent-return-statements warning
* Refactor to satisfy consider-iterating-dictionary
* Remove methods with only super call to satisfy useless-super-delegation
* Refactor too-many-nested-statements where possible
* Suppress type checked errors where member is dynamically added (notably derived from josepy.JSONObjectWithFields)
* Remove None default of func parameter for ExitHandler and ErrorHandler
Resolves #5973
* Adds type checking for certbot-nginx
* First pass at type annotation in certbot-nginx
* Ensure linting is disabled for timing imports
* Makes container types specific per PR comments
* Removes unnecessary lint option
* Add a rewrite directive for the .well-known location so we don't hit existing rewrites
* add comment
* Add (nonexistent) document root so we don't use the default value
* Add integration tests for nginx plugin
* add a sleep 5 to test on travis
* put sleep 5 in the right spot
* test return status of grep respecting -e and note that we're actually not posix compliant
* redelete newline
* rename delete_default to remove_singleton_listen_params
* update docstring
* add documentation to obj.py
* add test for remove duplicate ipv6only
* Remove ipv6only=on from duplicated vhosts
* add test to make sure ipv6only=on is not erroneously removed
* test default detection
* Allow 'default' along with 'default_server' in Nginx
* Test that default gets written out as default_server in canonical string
* remove superfluous parens
* Refactor _add_directive to separate functions
* UnspacedList isn't idempotent
* refactor parser in add_server_directives and update_or_add_server_directives
* update parser tests
* remove replace=False and add to update_or_add for replace=True in configurator
* remove replace=False and add to update_or_add for replace=True in http01
* update documentation
* fixes #4919 openresty_support
* making the regex more general
* reformatting warning to pass lint
* Fix string formatting in logging function
* Fix LE_AUTO_VERSION
* feat(nginx plugin): add HSTS enhancement
* chore(nginx): factor out block-splitting code from redirect & hsts enhancements!
* chore(nginx): merge fixes
* address comments
* fix linter: remove a space
* fix(config): remove SSL directives in HTTP block after block split, and remove_directive removes 'Managed by certbot' comment
* chore(nginx-hsts): Move added SSL directives to a constant on Configurator class
* fix(nginx-hsts): rebase on wildcard cert changes
Fixes #5490.
There's a lot of possibilities discussed in #5490, but I'll try and explain what I actually did here as succinctly as I can. Unfortunately, there's a fair bit to explain. My goal was to break lockstep and give us tests to ensure the minimum specified versions are correct without taking the time now to refactor our whole test setup.
To handle specifying each package's minimum acme/certbot version, I added a requirements file to each package. This won't actually be included in the shipped package (because it's not in the MANIFEST).
After creating these files and modifying tools/pip_install.sh to use them, I created a separate tox env for most packages (I kept the DNS plugins together for convenience). The reason this is necessary is because we currently use a single environment for each plugin, but if we used this approach for these tests we'd hit issues due to different installed plugins requiring different versions of acme/certbot. There's a lot more discussion about this in #5490 if you're interested in this piece. I unfortunately wasted a lot of time trying to remove the boilerplate this approach causes in tox.ini, but to do this I think we need negations described at complex factor conditions which hasn't made it into a tox release yet.
The biggest missing piece here is how to make sure the oldest versions that are currently pinned to master get updated. Currently, they'll stay pinned that way without manual intervention and won't be properly testing the oldest version. I think we should solve this during the larger test/repo refactoring after the release because the tests are using the correct values now and I don't see a simple way around the problem.
Once this lands, I'm planning on updating the test-everything tests to do integration tests with the "oldest" versions here.
* break lockstep between packages
* Use per package requirements files
* add local oldest requirements files
* update tox.ini
* work with dev0 versions
* Install requirements in separate step.
* don't error when we don't have requirements
* install latest packages in editable mode
* Update .travis.yml
* Add reminder comments
* move dev to requirements
* request acme[dev]
* Update pip_install documentation
* support wildcards for deploy_cert
* support wildcards for enhance
* redirect enhance and some tests
* update tests
* add display_ops and display_repr
* update display_ops_test and errors found
* say server block
* match redirects properly
* functional code
* start adding tests and lint errors
* add configurator tests
* lint
* change message to be generic to installation and enhancement
* remove _wildcard_domain
* take selecting vhosts out of loop
* remove extra newline
* filter wildcard vhosts by port
* lint
* don't filter by domain
* [^.]+
* lint
* make vhost hashable
* one more tuple
* Drop support for EOL Python 2.6
* Use more helpful assertIn/NotIn instead of assertTrue/False
* Drop support for EOL Python 3.3
* Remove redundant Python 3.3 code
* Restore code for RHEL 6 and virtualenv for Py2.7
* Revert pipstrap.py to upstream
* Merge py26_packages and non_py26_packages into all_packages
* Revert changes to *-auto in root
* Update by calling letsencrypt-auto-source/build.py
* Revert permissions for pipstrap.py
* wrap redirect in if host matches
* return 404 if we've created a new block
* change domain matching to exact match
* insert new redirect directive at the top
* add a redirect block to the top if it doesn't already exist, even if there's an existing redirect
* fix obj tests
* remove active parameter
* update tests
* add back spaces
* move imports
* remove unused code
* only when using http01, only match default_server by port
* import errors
* put back in the code that creates a dummy block, but only when we can't find anything else
* get http01 challenge working
* support multiple challenge types in configurator.py
* update existing nginx tests
* lint
* refactor NginxHttp01 and NginxTlsSni01 to both now inherit from NginxChallengePerformer
* remove TODO
* challenges_test tests with both tlssni01 and http01
* Make challenges.py more abstract to make lint happier
* add pylint disables to the tests to make pylint happier about the inheritance and abstraction situation
* no need to cover raise NotImplementedError() lines
* python3 compatibility
* test that http01 perform is called
* only remove ssl from addresses during http01
* Initialize addrs_to_add
* Change Nginx http01 to modify server block so the site doesn't stop serving while getting a cert
* pass existing unit tests
* rename sni --> http01 in unit tests
* lint
* fix configurator test
* select an http block instead of https
* properly test for port number
* use domains that have matching addresses
* remove debugger
* remove access_log and error_log cruft that wasn't being executed
* continue to return None from choose_redirect_vhost when create_if_no_match is False
* add nginx integration test
* create_new_vhost_from_default --> duplicate_vhost
* add source_path property
* set source path for duplicated vhost
* change around logic of where making ssl happens
* don't add listen 80 to newly created ssl block
* cache vhosts list
* remove source path
* add redirect block if we created a new server block
* Remove listen directives when making server block ssl
* Reset vhost cache on parser load
* flip connected pointer direction for finding newly made server block to match previous redirect search constraints
* also test for new redirect block styles
* fix contains_list and test redirect blocks
* update lint, parser, and obj tests
* reset new vhost (fixing previous bug) and move removing default from addrs under if statement
* reuse and update newly created ssl server block when appropriate, and update unit tests
* append newly created server blocks to file instead of inserting directly after, so we don't have to update other vhosts' paths
* add coverage for NO_IF_REDIRECT_COMMENT_BLOCK
* add coverage for parser load calls
* replace some double quotes with single quotes
* replace backslash continuations with parentheses
* update docstrings
* switch to only creating a new block on redirect enhancement, including removing the get_vhosts cache
* update configurator tests
* update obj test
* switch delete_default default for duplicate_vhost
The reason for this PR is many bug fixes in the nginx plugin for changes we haven't released yet are included in #5220 which may not make our next release. If it doesn't, we will (mostly) revert the nginx plugin back to its previous state to avoid releasing these bugs and will revert this PR after the release.
* Revert "Nginx IPv6 support (#5178)"
This reverts commit 68e37b03c8.
* Revert "Fix bug that stopped nginx from finding new server block for redirect (#5198)"
This reverts commit e2ab940ac0.
* Revert "Nginx creates a vhost block if no matching block is found (#5153)"
This reverts commit 95a7d45856.
* Use pipstrap to install a good version of pip
* Use pytest in cb-auto tests
* Remove nose usage in auto_test.py
* remove nose dev dep
* use pytest in test_tests
* Use pytest in tox
* Update dev dependency pinnings
* remove nose multiprocess lines
* Use pytest for coverage
* Use older py and pytest for old python versions
* Add test for Error.__str__
* pin pytest in oldest test
* Fix tests for DNS-DO plugin on py26
* Work around bug for Python 3.3
* Clarify dockerfile comments
* Nginx IPv6 support
* Test and lint fixes
* IPv6 tests to Nginx plugin
* Make ipv6_info() port aware
* Named tuple values for readability
* Lint fix
* Requested changes
* Allow authentication if there's no appropriate vhost
* Update test
* add flag to suppress raising error if no match is found
* Allow installation if there's no appropriate vhost
* remove traceback
* make new vhost ssl
* Fix existing bugs in nginxparser.py and obj.py
* Switch isinstance(x, str) to isinstance(x, six.string_types) in the Nginx plugin
* remove unused import
* remove unneeded custom copy from Addr
* Add docstring for create_new_vhost_from_default
* add test for create_new_vhost_from_default
* add configurator tests and leave finding the first server block for another PR
* don't assume order from a set
* address multiple default_server problem
* don't add vhosts twice
* update unit tests
* update docstring
* Add logger.info message for using default address in tlssni01 auth
* Rename plugins.common.install_ssl_options_conf to plugins.common.install_version_controlled_file
* Install ssl_dhparams file
* Add installation test
* Add ssl_dhparam option when making a server block ssl
* add install_ssl_dhparams to Installer common plugin class
* Remove redundant code and tests
* update MANIFEST.in
* Add installer class
* Add wrapped reverter methods to common.Installer.
* Use Installer class in Apache plugin
* Use Installer class in Nginx plugin
* Don't create reverter in Apache and Nginx plugins
* Be careful with new interaction from enabling nginx
* Fix py3 compatibility & better docs
* Make minor changes to @pde's PR to unhide nginx
* unhide nginx plugin
* Only protect against nginx interaction in cb-auto
* Change add_server_directives replace=True behavior to attempt to replace, but append on failure to find.
* Remove try/except around add_server_directives
* Revert "Don't save keys/csr on dry run (#4380)"
This reverts commit e034b50363.
* Don't save CSRs and keys during dry run
* Factor out _test_obtain_certificate_common
* Add test_obtain_certificate_dry_run
* Wrap key from make_key in util.Key
* Wrap result from make_csr in util.CSR
* move install_ssl_options_conf functionality to common
* add no cover
* compute current hash instead of saving
* make current hash be computed; switch to list of all canonical hashes
* put message directly into assertion
* don't pass logger
* add docstring
* Add unit tests for certbot.plugins.common.install_ssl_options_conf
Fixes #4559.
* Update options-ssl-nginx.conf in prepare, if it hasn't been modified.
* add previous options-ssl-nginx.conf hashes
* InstallSslOptionsConfTest
* remove .new file and only print warning once
* save digest to /etc/letsencrypt
* add comment reminding devs to update hashes
* add comment and test for sha256sum
* treat hash file as text file because python3
* move constants and rename hidden digest file
* Switch to using include directive for Nginx constants
* remove deprecated comment
* give better error message when attempting to insert an existing directive
* make code more readable
* add docstrings
* allow a duplicated directive if it's identical
* comment out precisely repeated directives
* add comments
* Mention python 3 support in setup.py
* Build universal (py2 and py3 compatible) wheels
* Mention Python 3.3+ support in docs
* we work on python 3.6 too
* increases server_names_hash_bucket_size if it's too low in your nginx conf
* switching from k,v pairwise indices -> inner_line
* simply using bucket_directive