fast-forward to upstream #1
Commits on Nov 4, 2020
Implements support for ECDSA keys. Fixes #2163.
Thanks to @pahrohfit and @Tomoyuki-GH for previous efforts to implement support for this.
Co-Authored-By: Robert Dailey <rob@wargam.es>
Co-Authored-By: Tomoyuki-GH <55397638+Tomoyuki-GH@users.noreply.github.com>
Commit 47c1045
Merge pull request #8431 from atombrella/ec_dsa_2163
Implements support for ECDSA keys. Fixes #2163.
Commit 198f5a9
Commits on Nov 11, 2020
Handle unexpected key type migration. (#8435)
Fixes #8365
This PR adds a control when `certbot certonly` or `certbot run` are called for a certificate that already exists and would eventually be replaced. As described in #8365, this control is here to ensure that the user will not modify the key type of their certificate (e.g. ECDSA to RSA) without an explicit approval (set explicitly `--cert-name` and `--key-type`), since RSA is the default if not specified.
* Handle unexpected key type migration.
* Update certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
Commit 8f57870
Add certbot renew --key-type test (#8447)
* Test certbot renew --key-type
* Fix typo
Commit f15f4f9
Commits on Nov 12, 2020
Commit b742b60
Add --dns-server option in run_acme_server (#7722)
Fixes #7717
This PR adds a `--dns-server` option to the `run_acme_server` test tool, in order to provide an arbitrary DNS server to Pebble or Boulder for the integration tests. I also take this occasion to make `run_acme_server` a real CLI tool using argparse, and set the `--server-type` (default `pebble`) option as well.
* Set --dns-server flag in run_acme_server
* Default to pebble
* Add documentation
* Configure also Boulder
Commit 553d327
Commits on Nov 13, 2020
cli: improve Obtaining/Renewing wording (#8395)
* cli: improve Obtaining/Renewing wording
* don't use logger, and use new phrasing
* .display_util.notify: don't wrap
  As this function is supposed to be an analogue for print, we do not want it to wrap by default.
Commit 78edb28
Commits on Nov 17, 2020
Add certbot-dns-rfc2136 integration testing (#8448)
* tests: add certbot-dns-rfc2136 integration tests
* don't use 'with' form of socket.socket
  fixes py2 crash
* address some feedback:
  - conftest: make DNS server a global resource
  - conftest: add dns_xdist parameter into node config
  - conftest: add --dns-server=bind flag
  - conftest: if configured, point the ACME server to the DNS server
  - dnsserver: make it sort-of compatible with xdist (future-proofing)
  - context: parameterize dns-rfc2136 credentials file (future proofing)
  - context: reduce dns-rfc2136 propagation time to speed up tests
  - tox: add an integration-dns-rfc2136 target
  - rfc2136: add a test/zone for subdelegation
  - rfc2136: skip tests if no DNS server is configured
* try add integration-dns-rfc2136 to CI
* mock recursive dns via RPZ
* update --dns-server args and tox.ini args
* address more feedback:
  - dns_server: rename rfc2136 creds file to .tpl
  - dns_server: don't vary dns server port, instead we will vary zone names (#8455)
  - dns_server: log error if bind9 fails to stop cleanly
  - dns_server: replace assert with raise
  - context: remove redundant _worker_id
  - context: remove redundant cleanup override
  - context: fix seek/flush in credentials context manager
  - context: rename skip_if_no_server -> ...bind_server
  - context: add newline EOF
* conftest: document _setup_primary_node side effects
* ci: rfc2136-integration from standard->nightly
* fix _stop_bind (function was renamed to stop)
* ignore errors from shutil.rmtree during cleanup
* dns_server: check for crash while polling
* remove --dry-run from rfc2136 test
Commit 9055792
Commit 7ba35b4
Commit e8139e8
Merge pull request #8458 from certbot/fix-py2-integration
Fix Python 2 integration tests
Commit 5a85825
Commits on Nov 18, 2020
Commit be3d0d8
Commits on Nov 19, 2020
Flesh out ECDSA documentation (#8464)
* Changelog tweaks.
* Add ECDSA documentation
* Fix typo
Commit a8cede6
Merge pull request #8444 from certbot/ecdsa
Integrate the ECDSA certificates feature on master
Commit 9ca7f76
Add Python 3.9 support and tests (#8460)
Fixes #8134.
* Test on Python 3.9.
* Mention Python 3.9 support in changelog.
* s/\( *'Pro.*3\.\)8\(',\)/\18\2\n\19\2/
* undo changes to tox.ini
* Move more tests to Python 3.9
* Update PyYAML and packages which pinned it back
* Upgrade typed-ast
* Use <= to "pin" dnspython
* Fix lint by telling pylint it cannot be trusted
* Disable mypy on RFC plugin
* add comment about <= support
Commit 9a4e95e
Commits on Nov 25, 2020
Commit aea416f
Commits on Nov 27, 2020
nginx: fix Unicode crash on Python 2 (#8480)
* nginx: fix py2 unicode sandwich
  The nginx parser would crash when saving configurations containing Unicode, because py2's `str` type does not support Unicode. This change fixes that crash by ensuring that a string type supporting Unicode is used in both Python 2 and Python 3.
* nginx: add unicode to the integration test config
* update CHANGELOG
Commit f5a88ad
Commits on Dec 1, 2020
Commit 43ee299
Commit adacc4a
Commit 7b68761
Commit baab69e
Merge pull request #8487 from certbot/candidate-1.10.0
Update files from 1.10.0 release
Commit faa8d23
Commit 31b5f13
Commits on Dec 2, 2020
Deprecate certbot-auto and remove tests
* Completely deprecate certbot-auto
* Deactivate centos6/oraclelinux6 tests
* Remove tests assets
* Remove another test
* Revert "Remove tests assets"
  This reverts commit e603afe.
Commit ff3a07d
Undo certbot-auto changes and remove centos6 tests
* Don't deprecate certbot-auto quite yet
* Remove centos6 test farm tests
* undo changes to test farm test scripts
Commit e5113d5
Merge pull request #8498 from certbot/remove-centos6-tests
Remove CentOS 6 tests
Commit d1e7404
Commit 1a3c96a
Undo certbot-auto changes and remove centos6 tests
* Don't deprecate certbot-auto quite yet
* Remove centos6 test farm tests
* undo changes to test farm test scripts
(cherry picked from commit e5113d5)
Commit 7497c51
Merge pull request #8499 from certbot/remove-centos6-tests-1.10.x
Remove centos6 tests 1.10.x
Commit 8738676
Fix add deprecated argument (#8500)
Fixes #8495.
To further explain the problem here, `modify_kwargs_for_default_detection` as called in `add` is simplistic and doesn't always work. See #6164 for one other example. In this case, we're bitten by the code https://github.com/certbot/certbot/blob/d1e7404358c05734aaf436ef3c9d709029d62b09/certbot/certbot/_internal/cli/helpful.py#L393-L395
The action used for deprecated arguments isn't in `ZERO_ARG_ACTIONS` so it assumes that all deprecated flags take one parameter.
Rather than trying to fix this function (which I think can only realistically be fixed by #4493), I took the approach that was previously used in `HelpfulArgumentParser.add_deprecated_argument` of bypassing this extra logic entirely. I adapted that function to now call `HelpfulArgumentParser.add` as well for consistency and to make testing easier.
* Rename deprecated arg action class
* Skip extra parsing for deprecated arguments
* Add back test of --manual-public-ip-logging-ok
* Add changelog entry
Commit 5f73274
Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
Commit 45e48b5
Commits on Dec 3, 2020
Fix add deprecated argument (#8500) (#8501)
Fixes #8495.
To further explain the problem here, `modify_kwargs_for_default_detection` as called in `add` is simplistic and doesn't always work. See #6164 for one other example. In this case, we're bitten by the code https://github.com/certbot/certbot/blob/d1e7404358c05734aaf436ef3c9d709029d62b09/certbot/certbot/_internal/cli/helpful.py#L393-L395
The action used for deprecated arguments isn't in `ZERO_ARG_ACTIONS` so it assumes that all deprecated flags take one parameter.
Rather than trying to fix this function (which I think can only realistically be fixed by #4493), I took the approach that was previously used in `HelpfulArgumentParser.add_deprecated_argument` of bypassing this extra logic entirely. I adapted that function to now call `HelpfulArgumentParser.add` as well for consistency and to make testing easier.
* Rename deprecated arg action class
* Skip extra parsing for deprecated arguments
* Add back test of --manual-public-ip-logging-ok
* Add changelog entry
(cherry picked from commit 5f73274)
Commit a71e226
Commit 4c896fd
Commit 64543d4
Commit 38f3d3d
Commit 1dfac95
Commit 67fecbe
Merge pull request #8505 from certbot/candidate-1.10.1
Candidate 1.10.1
Commit d3166d7
Commits on Dec 4, 2020
cli: clean up `certbot renew` summary (#8503)
* cli: clean up `certbot renew` summary
  - Unduplicate output which was being sent to both stdout and stderr
  - Don't use IDisplay.notification to buffer output
  - Remove big "DRY RUN" guards above and below, instead change language to "renewal" or "simulated renewal"
  - Reword "Attempting to renew cert ... produced an unexpected error" to be more concise.
* add newline to docstring
Co-authored-by: ohemorange <ebportnoy@gmail.com>
Co-authored-by: ohemorange <ebportnoy@gmail.com>
Commit 22cf94f
Commit d476aa4
dns-google: improve credentials error message (#8482)
This adds an 'Error parsing credentials file ...' wrapper to any errors raised inside certbot-dns-google's usage of oauth2client, to make it obvious to the user where the problem lies.
Commit 356e8d8
Removed some unused imports. (#8424)
These were not annotated as something that should be ignored, and the test-suite passes with these changes.
Commit 5871de0
Commits on Dec 6, 2020
snap: disable the "user site-packages directory" (#8509)
Although Certbot is a classic snap, it shouldn't load Python code from the host system. This change prevents packages being loaded from the "user site-packages directory" (PEP-370). i.e. Certbot will no longer load DNS plugins installed via `pip install --user certbot-dns-*`.
Commit dc3ac13
add coverage testing to dns-rfc2136 integration (#8469)
* add coverage testing to dns-rfc2136 integration
* add coverage rule for certbot/* as well
Commit 3801747
Commits on Dec 7, 2020
Completely deprecate certbot-auto (#8489)
Fixes #8296
* Completely deprecate certbot-auto
* Add changelog
Commit 447b6ff
Commits on Dec 8, 2020
Deprecate support for Python 2 (#8491)
Fixes #8388
* Deprecate support for Python 2
* Ignore deprecation warning
* Update certbot/CHANGELOG.md
Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
Commit 9045c03
Commits on Dec 9, 2020
Add reminders to update documentation (#8518)
* Add documentation PR checklist item.
* Update contributing doc
Commit 148246b
Commits on Dec 10, 2020
Avoid --system-site-packages during the snap build by preparing a venv with pipstrap that already includes wheel (#8445)
This PR proposes an alternative configuration for the snap build that avoids the need to use `--system-site-package` when constructing the virtual environment in the snap.
The rationale of `--system-site-package` was that by default, snapcraft creates a virtual environment without `wheel` installed in it. However we need it to build the wheels like `cryptography` on ARM architectures. Sadly there is no way to instruct snapcraft to install some build dependencies in the virtual environment before it kicks in the build phase itself, without overriding that entire phase (which is possible with `parts.override-build`).
The alternative proposed here is to not override the entire build part, but just add some preparatory steps that will be done before the main actions handled by the `python` snap plugin. To do so, I take advantage of the `--upgrade` flag available for the `venv` module in Python 3. This allows to reuse a preexisting virtual environment, and upgrade its component. Adding a flag to the `venv` call is possible in snapcraft, thanks to the `SNAPCRAFT_PYTHON_VENV_ARGS` environment variable (and it is already used to set the `--system-site-package`).
Given `SNAPCRAFT_PYTHON_VENV_ARGS` set to `--upgrade`, we configure the build phase as follows:
* create the virtual environment ourselves in the expected place (`SNAPCRAFT_PART_INSTALL`)
* leverage `tools/pipstrap.py` to install `setuptools`, `pip`, and of course, `wheel`
* let the standard build operations kick in with a call to `snapcraftctl build`: at that point the `--upgrade` flag will be appended to the standard virtual environment creation, reusing our crafted venv instead of creating a new one.
This approach has also the advantage to invoke `pipstrap.py` as it is done for the other deployable artifacts, and for the PR validations, reducing risks of shifts between the various deployment methods.
Commit 878c3e3
Deprecate support of Apache 2.2 in certbot-apache (#8516)
Fixes #8462
* Deprecate support of Apache 2.2 in certbot-apache
* Add a changelog
Commit e9a96f5
Commit 6d71378
Commits on Dec 11, 2020
Setup a timeout to the remote snap build process (#8484)
This PR adds a `--timeout` flag to `tools/snap/build_remote.py` in order to fail the process if the time execution reaches the provided timeout. It is set to 5h30 on the relevant Azure job, while the job itself has a timeout of 6h managed on Azure side. This allows a slightly better output for these jobs when the snapcraft build stalls for any reason.
Commit 3889311
Commits on Dec 14, 2020
Commit 5151e2a
Commits on Dec 15, 2020
Make our test farm tests instances self-destruct (#8536)
* remove unused user data
* have instance self-destruct in case cleanup fails
* correct kwargs
* fix param order
Commit 7febc18
Commit fcc8b38
Commits on Dec 16, 2020
Commit c5a0b1a
Enable again build isolation with proper pinning of build dependencies (#8443)
Fixes #8256
First let's sum up the problem to solve. We disabled the build isolation available in pip>=19 because it could potentially break certbot build without a control on our side. Basically builds are not reproducible. Indeed the build isolation triggers build of PEP-517 enabled transitive dependencies (like `cryptography`) with the build dependencies defined in their `pyproject.toml`. For `cryptography` in particular these requirements include `setuptools>=40.6.0`, and quite logically pip will install the latest version of `setuptools` for the build. And when `setuptools` broke with the version 50, our build did the same.
But disabling the build isolation is not a long term solution, as more and more projects will migrate on this approach and it basically provides a lot of benefit in how dependencies are built.
The ideal solution would be to be able to apply version constraints on our side on the build dependencies, in order to pin `setuptools` for instance, and decide precisely when we upgrade to a newer version. However for now pip does not provide a mechanism for that (like a `--build-constraint` flag or propagation of existing `--constraint` flag).
Until I saw pypa/pip#9081 and pypa/pip#8439. Apart from the fact that pypa/pip#9081 shows that pip maintainers are working on this issue, it explains how pip works regarding PEP-517 and infers which workaround can be used to still pin the build dependencies. It turns out that pip invokes itself in each build isolation to install the build dependencies. It means that even if some flags (like `--constraint`) are not explicitly passed to the pip sub call, the global environment remains, in particular the environment variables.
Thus it is known that every pip flag can alternatively be set by environment variable using the following pattern for the variable name: `PIP_[FLAG_NAME_UPPERCASE]`. So for `--constraint`, it is `PIP_CONSTRAINT`. And so you can pass a constraint file to the pip sub call through that mechanism.
I made some tests with a constraint file containing pinning for `setuptools`: indeed under isolation zone, the constraint file has been honored and the provided pinned version has been used to build the dependencies (I tested it with `cryptography`).
Finally this PR takes advantage of this mechanism, by setting `PIP_CONSTRAINT` to `pip_install`, the snap building process, the Dockerfiles and the windows installer building process.
I also extracted out the requirements of the new `pipstrap.py` to be reusable in these various build processes.
* Use workaround to fix build requirements in build isolation, and re-enable build isolation
* Clean imports in pipstrap
* Externalize pipstrap reqs to be reusable
* Inject pipstrap constraints during pip_install
* Update docker build
* Update snapcraft build
* Prepare installer build
* Fix pipstrap constraints in snap build
* Add back --no-build-cache option in Docker images build
* Update snap/snapcraft.yaml
* Use proper flags with pip
Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
Commit d38766e
Commit 96a05d9
Commit fcdfed9
Clean up certbot-auto docs (#8532)
Fixes #8519.
I left the `certbot-auto` docs in `install.rst` to avoid breaking links and to help propagate information about our changes there. I moved it closer to the bottom of the doc though since I think our documentation about OS packages and Docker is more helpful to most people.
* clean up certbot-auto docs
* add more info to changelog
* remove more certbot-auto references
Commit cbf42ff