Hello community,
here is the log from the commit of package python-certbot for openSUSE:Factory checked in at 2019-02-02 21:48:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-certbot (Old)
and /work/SRC/openSUSE:Factory/.python-certbot.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-certbot"
Sat Feb 2 21:48:50 2019 rev:7 rq:669788 version:0.30.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-certbot/python-certbot.changes 2018-12-18 14:58:15.242263860 +0100
+++ /work/SRC/openSUSE:Factory/.python-certbot.new.28833/python-certbot.changes 2019-02-02 21:48:52.208000525 +0100
@@ -1,0 +2,13 @@
+Tue Jan 29 11:39:30 UTC 2019 - Tomáš Chvátal
+
+- Update to 0.30.2:
+ * Update the version of setuptools pinned in certbot-auto to 40.6.3 to
+ solve installation problems on newer OSes.
+ * Always download the pinned version of pip in pipstrap to address breakages
+ * Rename old,default.conf to old-and-default.conf to address commas in filenames
+ breaking recent versions of pip.
+ * Add VIRTUALENV_NO_DOWNLOAD=1 to all calls to virtualenv to address breakages
+ from venv downloading the latest pip
+ * Added the `update_account` subcommand for account management commands.
+
+-------------------------------------------------------------------
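Review bot: the .changes entry lists the new `update_account` subcommand but omits the matching deprecation of `register --update-registration` (0.30.0 `### Changed` in the upstream CHANGELOG below), which is the part of this update that affects existing scripts; add a bullet for it so packagers and users grepping the changelog see the flag is on its way out.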
Old:
----
certbot-0.29.1.tar.gz
New:
----
certbot-0.30.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-certbot.spec ++++++
--- /var/tmp/diff_new_pack.6p6tut/_old 2019-02-02 21:48:52.975999860 +0100
+++ /var/tmp/diff_new_pack.6p6tut/_new 2019-02-02 21:48:52.975999860 +0100
@@ -1,7 +1,7 @@
#
# spec file for package python-certbot
#
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,14 +18,14 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
Name: python-certbot
-Version: 0.29.1
+Version: 0.30.2
Release: 0
Summary: ACME client
License: Apache-2.0
Group: Development/Languages/Python
URL: https://github.com/certbot/certbot
Source: https://files.pythonhosted.org/packages/source/c/certbot/certbot-%{version}.tar.gz
-BuildRequires: %{python_module acme >= 0.26.0}
+BuildRequires: %{python_module acme >= 0.29.0}
BuildRequires: %{python_module configargparse >= 0.9.3}
BuildRequires: %{python_module configobj}
BuildRequires: %{python_module cryptography >= 1.2}
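Review bot: confirm the acme floor on the `BuildRequires: %{python_module acme >= 0.29.0}` line: the bundled CHANGELOG describes an acme 0.30.0 release (the acme.jose compatibility fix) shipped alongside certbot 0.30.x, so if the floor is copied from upstream's setup.py it is fine, otherwise 0.30.0 matches the release better; the runtime Requires (outside this hunk) should carry the same value.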
++++++ certbot-0.29.1.tar.gz -> certbot-0.30.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certbot-0.29.1/CHANGELOG.md new/certbot-0.30.2/CHANGELOG.md
--- old/certbot-0.29.1/CHANGELOG.md 2018-12-06 00:47:58.000000000 +0100
+++ new/certbot-0.30.2/CHANGELOG.md 2019-01-25 21:15:41.000000000 +0100
@@ -1,6 +1,66 @@
# Certbot change log
-Certbot adheres to [Semantic Versioning](http://semver.org/).
+Certbot adheres to [Semantic Versioning](https://semver.org/).
+
+## 0.30.2 - 2019-01-25
+
+### Fixed
+
+* Update the version of setuptools pinned in certbot-auto to 40.6.3 to
+ solve installation problems on newer OSes.
+
+Despite us having broken lockstep, we are continuing to release new versions of
+all Certbot components during releases for the time being, however, this
+release only affects certbot-auto.
+
+More details about these changes can be found on our GitHub repo.
+
+## 0.30.1 - 2019-01-24
+
+### Fixed
+
+* Always download the pinned version of pip in pipstrap to address breakages
+* Rename old,default.conf to old-and-default.conf to address commas in filenames
+ breaking recent versions of pip.
+* Add VIRTUALENV_NO_DOWNLOAD=1 to all calls to virtualenv to address breakages
+ from venv downloading the latest pip
+
+Despite us having broken lockstep, we are continuing to release new versions of
+all Certbot components during releases for the time being, however, the only
+package with changes other than its version number was:
+
+* certbot-apache
+
+More details about these changes can be found on our GitHub repo.
+
+## 0.30.0 - 2019-01-02
+
+### Added
+
+* Added the `update_account` subcommand for account management commands.
+
+### Changed
+
+* Copied account management functionality from the `register` subcommand
+ to the `update_account` subcommand.
+* Marked usage `register --update-registration` for deprecation and
+ removal in a future release.
+
+### Fixed
+
+* Older modules in the josepy library can now be accessed through acme.jose
+ like it could in previous versions of acme. This is only done to preserve
+ backwards compatibility and support for doing this with new modules in josepy
+ will not be added. Users of the acme library should switch to using josepy
+ directly if they haven't done so already.
+
+Despite us having broken lockstep, we are continuing to release new versions of
+all Certbot components during releases for the time being, however, the only
+package with changes other than its version number was:
+
+* acme
+
+More details about these changes can be found on our GitHub repo.
## 0.29.1 - 2018-12-05
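Review bot: the 0.30.0 and 0.30.1 entries omit the renewal-delay change carried elsewhere in this diff (the random sleep moves from `certbot/main.py` into `renewal.handle_renewal_request`, now runs only once a lineage is actually due, and gains a `random_sleep_on_renew` switch); add a line under 0.30.0 `### Changed` so operators scheduling `certbot renew` from cron can see why timing differs from 0.29.1.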
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certbot-0.29.1/PKG-INFO new/certbot-0.30.2/PKG-INFO
--- old/certbot-0.29.1/PKG-INFO 2018-12-06 00:47:59.000000000 +0100
+++ new/certbot-0.30.2/PKG-INFO 2019-01-25 21:15:42.000000000 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: certbot
-Version: 0.29.1
+Version: 0.30.2
Summary: ACME client
Home-page: https://github.com/letsencrypt/letsencrypt
Author: Certbot Project
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certbot-0.29.1/certbot/__init__.py new/certbot-0.30.2/certbot/__init__.py
--- old/certbot-0.29.1/certbot/__init__.py 2018-12-06 00:47:59.000000000 +0100
+++ new/certbot-0.30.2/certbot/__init__.py 2019-01-25 21:15:42.000000000 +0100
@@ -1,4 +1,4 @@
"""Certbot client."""
# version number like 1.2.3a0, must have at least 2 parts, like 1.2
-__version__ = '0.29.1'
+__version__ = '0.30.2'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certbot-0.29.1/certbot/cli.py new/certbot-0.30.2/certbot/cli.py
--- old/certbot-0.29.1/certbot/cli.py 2018-12-06 00:47:58.000000000 +0100
+++ new/certbot-0.30.2/certbot/cli.py 2019-01-25 21:15:41.000000000 +0100
@@ -101,6 +101,7 @@
manage your account with Let's Encrypt:
register Create a Let's Encrypt ACME account
+ update_account Update a Let's Encrypt ACME account
--agree-tos Agree to the ACME server's Subscriber Agreement
-m EMAIL Email address for important account notifications
"""
@@ -397,9 +398,14 @@
}),
("register", {
"short": "Register for account with Let's Encrypt / other ACME server",
- "opts": "Options for account registration & modification",
+ "opts": "Options for account registration",
"usage": "\n\n certbot register --email user@example.com [options]\n\n"
}),
+ ("update_account", {
+ "short": "Update existing account with Let's Encrypt / other ACME server",
+ "opts": "Options for account modification",
+ "usage": "\n\n certbot update_account --email updated_email@example.com [options]\n\n"
+ }),
("unregister", {
"short": "Irrevocably deactivate your account",
"opts": "Options for account deactivation.",
@@ -465,6 +471,7 @@
"install": main.install,
"plugins": main.plugins_cmd,
"register": main.register,
+ "update_account": main.update_account,
"unregister": main.unregister,
"renew": main.renew,
"revoke": main.revoke,
@@ -993,21 +1000,21 @@
"certificates. Updates to the Subscriber Agreement will still "
"affect you, and will be effective 14 days after posting an "
"update to the web site.")
+ # TODO: When `certbot register --update-registration` is fully deprecated,
+ # delete following helpful.add
helpful.add(
"register", "--update-registration", action="store_true",
- default=flag_default("update_registration"),
- help="With the register verb, indicates that details associated "
- "with an existing registration, such as the e-mail address, "
- "should be updated, rather than registering a new account.")
+ default=flag_default("update_registration"), dest="update_registration",
+ help=argparse.SUPPRESS)
helpful.add(
- ["register", "unregister", "automation"], "-m", "--email",
+ ["register", "update_account", "unregister", "automation"], "-m", "--email",
default=flag_default("email"),
help=config_help("email"))
- helpful.add(["register", "automation"], "--eff-email", action="store_true",
+ helpful.add(["register", "update_account", "automation"], "--eff-email", action="store_true",
default=flag_default("eff_email"), dest="eff_email",
help="Share your e-mail address with EFF")
- helpful.add(["register", "automation"], "--no-eff-email", action="store_false",
- default=flag_default("eff_email"), dest="eff_email",
+ helpful.add(["register", "update_account", "automation"], "--no-eff-email",
+ action="store_false", default=flag_default("eff_email"), dest="eff_email",
help="Don't share your e-mail address with EFF")
helpful.add(
["automation", "certonly", "run"],
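Review bot: the TODO above the suppressed `--update-registration` option should name the release in which the flag is removed, otherwise a hidden option that still works tends to be forgotten; also, `--register-unsafely-without-email` is not added to the `update_account` topic in this hunk, so confirm that removing an e-mail address via `update_account` is intentionally unsupported (the main_test.py comment further down says that path is still pending).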
@@ -1209,6 +1216,10 @@
helpful.add("renew", "--renew-hook",
action=_RenewHookAction, help=argparse.SUPPRESS)
helpful.add(
+ "renew", "--no-random-sleep-on-renew", action="store_false",
+ default=flag_default("random_sleep_on_renew"), dest="random_sleep_on_renew",
+ help=argparse.SUPPRESS)
+ helpful.add(
"renew", "--deploy-hook", action=_DeployHookAction,
help='Command to be run in a shell once for each successfully'
' issued certificate. For this command, the shell variable'
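Review bot: `--no-random-sleep-on-renew` is added with `help=argparse.SUPPRESS`, so the only way to discover it is to read cli.py; since the flag changes the timing of unattended renewals (the kind of switch an operator sets in a cron wrapper or a test harness), give it visible help text, or at least document it in the CHANGELOG together with the `random_sleep_on_renew=True` default added in constants.py.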
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certbot-0.29.1/certbot/constants.py new/certbot-0.30.2/certbot/constants.py
--- old/certbot-0.29.1/certbot/constants.py 2018-12-06 00:47:58.000000000 +0100
+++ new/certbot-0.30.2/certbot/constants.py 2019-01-25 21:15:41.000000000 +0100
@@ -68,6 +68,7 @@
directory_hooks=True,
reuse_key=False,
disable_renew_updates=False,
+ random_sleep_on_renew=True,
eab_hmac_key=None,
eab_kid=None,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certbot-0.29.1/certbot/main.py new/certbot-0.30.2/certbot/main.py
--- old/certbot-0.29.1/certbot/main.py 2018-12-06 00:47:58.000000000 +0100
+++ new/certbot-0.30.2/certbot/main.py 2019-01-25 21:15:41.000000000 +0100
@@ -4,9 +4,7 @@
import functools
import logging.handlers
import os
-import random
import sys
-import time
import configobj
import josepy as jose
@@ -654,7 +652,45 @@
def register(config, unused_plugins):
- """Create or modify accounts on the server.
+ """Create accounts on the server.
+
+ :param config: Configuration object
+ :type config: interfaces.IConfig
+
+ :param unused_plugins: List of plugins (deprecated)
+ :type unused_plugins: `list` of `str`
+
+ :returns: `None` or a string indicating and error
+ :rtype: None or str
+
+ """
+ # TODO: When `certbot register --update-registration` is fully deprecated,
+ # delete the true case of if block
+ if config.update_registration:
+ msg = ("Usage 'certbot register --update-registration' is deprecated.\n"
+ "Please use 'cerbot update_account [options]' instead.\n")
+ logger.warning(msg)
+ return update_account(config, unused_plugins)
+
+ # Portion of _determine_account logic to see whether accounts already
+ # exist or not.
+ account_storage = account.AccountFileStorage(config)
+ accounts = account_storage.find_all()
+
+ if len(accounts) > 0:
+ # TODO: add a flag to register a duplicate account (this will
+ # also require extending _determine_account's behavior
+ # or else extracting the registration code from there)
+ return ("There is an existing account; registration of a "
+ "duplicate account with this command is currently "
+ "unsupported.")
+ # _determine_account will register an account
+ _determine_account(config)
+ return
+
+
+def update_account(config, unused_plugins):
+ """Modify accounts on the server.
:param config: Configuration object
:type config: interfaces.IConfig
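Review bot: the deprecation message on the `"Please use 'cerbot update_account [options]' instead.\n"` line misspells `certbot`, and the docstring's `:returns: `None` or a string indicating and error` should read "an error". The split itself is sound: `register` now refuses when any account already exists and forwards the deprecated `--update-registration` path to `update_account`, so old invocations keep working while the flag is phased out.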
@@ -673,20 +709,6 @@
reporter_util = zope.component.getUtility(interfaces.IReporter)
add_msg = lambda m: reporter_util.add_message(m, reporter_util.MEDIUM_PRIORITY)
- # registering a new account
- if not config.update_registration:
- if len(accounts) > 0:
- # TODO: add a flag to register a duplicate account (this will
- # also require extending _determine_account's behavior
- # or else extracting the registration code from there)
- return ("There is an existing account; registration of a "
- "duplicate account with this command is currently "
- "unsupported.")
- # _determine_account will register an account
- _determine_account(config)
- return
-
- # --update-registration
if len(accounts) == 0:
return "Could not find an existing account to update."
if config.email is None:
@@ -1245,16 +1267,6 @@
:rtype: None
"""
- if not sys.stdin.isatty():
- # Noninteractive renewals include a random delay in order to spread
- # out the load on the certificate authority servers, even if many
- # users all pick the same time for renewals. This delay precedes
- # running any hooks, so that side effects of the hooks (such as
- # shutting down a web service) aren't prolonged unnecessarily.
- sleep_time = random.randint(1, 60*8)
- logger.info("Non-interactive renewal: random delay of %s seconds", sleep_time)
- time.sleep(sleep_time)
-
try:
renewal.handle_renewal_request(config)
finally:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certbot-0.29.1/certbot/renewal.py new/certbot-0.30.2/certbot/renewal.py
--- old/certbot-0.29.1/certbot/renewal.py 2018-12-06 00:47:58.000000000 +0100
+++ new/certbot-0.30.2/certbot/renewal.py 2019-01-25 21:15:41.000000000 +0100
@@ -5,6 +5,9 @@
import logging
import os
import traceback
+import sys
+import time
+import random
import six
import zope.component
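Review bot: the new `sys`, `time` and `random` imports are appended after `traceback`, breaking the alphabetical order the block already follows (`logging`, `os`, `traceback`); order them `os`, `random`, `sys`, `time`, `traceback` to match.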
@@ -372,7 +375,7 @@
disp.notification("\n".join(out), wrap=False)
-def handle_renewal_request(config):
+def handle_renewal_request(config): # pylint: disable=too-many-locals,too-many-branches,too-many-statements
"""Examine each lineage; renew if due and report results"""
# This is trivially False if config.domains is empty
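Review bot: rather than suppressing `too-many-locals,too-many-branches,too-many-statements` on `handle_renewal_request`, move the one-shot sleep logic added further down into a small helper that takes the `apply_random_sleep` state and returns the updated value; that keeps the function within the lint limits and lets the delay be unit-tested without patching `time.sleep` inside this large function.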
@@ -396,6 +399,14 @@
renew_failures = []
renew_skipped = []
parse_failures = []
+
+ # Noninteractive renewals include a random delay in order to spread
+ # out the load on the certificate authority servers, even if many
+ # users all pick the same time for renewals. This delay precedes
+ # running any hooks, so that side effects of the hooks (such as
+ # shutting down a web service) aren't prolonged unnecessarily.
+ apply_random_sleep = not sys.stdin.isatty() and config.random_sleep_on_renew
+
for renewal_file in conf_files:
disp = zope.component.getUtility(interfaces.IDisplay)
disp.notification("Processing " + renewal_file, pause=False)
@@ -424,6 +435,15 @@
from certbot import main
plugins = plugins_disco.PluginsRegistry.find_all()
if should_renew(lineage_config, renewal_candidate):
+ # Apply random sleep upon first renewal if needed
+ if apply_random_sleep:
+ sleep_time = random.randint(1, 60 * 8)
+ logger.info("Non-interactive renewal: random delay of %s seconds",
+ sleep_time)
+ time.sleep(sleep_time)
+ # We will sleep only once this day, folks.
+ apply_random_sleep = False
+
# domains have been restored into lineage_config by reconstitute
# but they're unnecessary anyway because renew_cert here
# will just grab them from the certificate
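Review bot: the comment added in the previous hunk says the delay precedes running any hooks, but the sleep now sits inside the per-lineage loop after `Processing <file>` is printed and the lineage is reconstituted; confirm that no pre-hook runs before `should_renew` is evaluated, or update that comment. The behaviour change itself is an improvement for unattended runs: a `certbot renew` with nothing due no longer blocks for up to eight minutes, and the `Non-interactive renewal: random delay of %s seconds` log line still marks the wait for anyone auditing renewal timing. Consider rewording `We will sleep only once this day, folks.` to something neutral such as `# Delay at most once per run`.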
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certbot-0.29.1/certbot/tests/main_test.py new/certbot-0.30.2/certbot/tests/main_test.py
--- old/certbot-0.29.1/certbot/tests/main_test.py 2018-12-06 00:47:58.000000000 +0100
+++ new/certbot-0.30.2/certbot/tests/main_test.py 2019-01-25 21:15:41.000000000 +0100
@@ -1398,7 +1398,20 @@
x = self._call_no_clientmock(["register", "--email", "user@example.org"])
self.assertTrue("There is an existing account" in x[0])
- def test_update_registration_no_existing_accounts(self):
+ def test_update_account_no_existing_accounts(self):
+ # with mock.patch('certbot.main.client') as mocked_client:
+ with mock.patch('certbot.main.account') as mocked_account:
+ mocked_storage = mock.MagicMock()
+ mocked_account.AccountFileStorage.return_value = mocked_storage
+ mocked_storage.find_all.return_value = []
+ x = self._call_no_clientmock(
+ ["update_account", "--email",
+ "user@example.org"])
+ self.assertTrue("Could not find an existing account" in x[0])
+
+ # TODO: When `certbot register --update-registration` is fully deprecated,
+ # delete the following test
+ def test_update_registration_no_existing_accounts_deprecated(self):
# with mock.patch('certbot.main.client') as mocked_client:
with mock.patch('certbot.main.account') as mocked_account:
mocked_storage = mock.MagicMock()
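Review bot: the commented-out `# with mock.patch('certbot.main.client') as mocked_client:` line is copied verbatim into the new `test_update_account_no_existing_accounts`; drop the dead line instead of duplicating it.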
@@ -1409,7 +1422,9 @@
"user@example.org"])
self.assertTrue("Could not find an existing account" in x[0])
- def test_update_registration_unsafely(self):
+ # TODO: When `certbot register --update-registration` is fully deprecated,
+ # delete the following test
+ def test_update_registration_unsafely_deprecated(self):
# This test will become obsolete when register --update-registration
# supports removing an e-mail address from the account
with mock.patch('certbot.main.account') as mocked_account:
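Review bot: the comment `This test will become obsolete when register --update-registration supports removing an e-mail address` is stale now that `register --update-registration` is itself deprecated; it should refer to `update_account`. In this hunk the renamed test gets no `update_account` counterpart, so the new subcommand's refusal to drop an e-mail address is not covered; add a `test_update_account_unsafely` mirroring it.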
@@ -1423,7 +1438,39 @@
@mock.patch('certbot.main.display_ops.get_email')
@test_util.patch_get_utility()
- def test_update_registration_with_email(self, mock_utility, mock_email):
+ def test_update_account_with_email(self, mock_utility, mock_email):
+ email = "user@example.com"
+ mock_email.return_value = email
+ with mock.patch('certbot.eff.handle_subscription') as mock_handle:
+ with mock.patch('certbot.main._determine_account') as mocked_det:
+ with mock.patch('certbot.main.account') as mocked_account:
+ with mock.patch('certbot.main.client') as mocked_client:
+ mocked_storage = mock.MagicMock()
+ mocked_account.AccountFileStorage.return_value = mocked_storage
+ mocked_storage.find_all.return_value = ["an account"]
+ mocked_det.return_value = (mock.MagicMock(), "foo")
+ cb_client = mock.MagicMock()
+ mocked_client.Client.return_value = cb_client
+ x = self._call_no_clientmock(
+ ["update_account"])
+ # When registration change succeeds, the return value
+ # of register() is None
+ self.assertTrue(x[0] is None)
+ # and we got supposedly did update the registration from
+ # the server
+ self.assertTrue(
+ cb_client.acme.update_registration.called)
+ # and we saved the updated registration on disk
+ self.assertTrue(mocked_storage.save_regr.called)
+ self.assertTrue(
+ email in mock_utility().add_message.call_args[0][0])
+ self.assertTrue(mock_handle.called)
+
+ # TODO: When `certbot register --update-registration` is fully deprecated,
+ # delete the following test
+ @mock.patch('certbot.main.display_ops.get_email')
+ @test_util.patch_get_utility()
+ def test_update_registration_with_email_deprecated(self, mock_utility, mock_email):
email = "user@example.com"
mock_email.return_value = email
with mock.patch('certbot.eff.handle_subscription') as mock_handle:
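Review bot: the comments inside `test_update_account_with_email` still describe `register()` (`the return value of register() is None`) and the line `and we got supposedly did update the registration from` is garbled; update them to name `update_account()` and read, for example, `and the registration was updated on the server`. The assertions themselves are right: they check `cb_client.acme.update_registration.called`, `mocked_storage.save_regr.called` and that the EFF subscription hook ran.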
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certbot-0.29.1/certbot.egg-info/PKG-INFO new/certbot-0.30.2/certbot.egg-info/PKG-INFO
--- old/certbot-0.29.1/certbot.egg-info/PKG-INFO 2018-12-06 00:47:59.000000000 +0100
+++ new/certbot-0.30.2/certbot.egg-info/PKG-INFO 2019-01-25 21:15:42.000000000 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: certbot
-Version: 0.29.1
+Version: 0.30.2
Summary: ACME client
Home-page: https://github.com/letsencrypt/letsencrypt
Author: Certbot Project
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certbot-0.29.1/docs/challenges.rst new/certbot-0.30.2/docs/challenges.rst
--- old/certbot-0.29.1/docs/challenges.rst 2018-12-06 00:47:58.000000000 +0100
+++ new/certbot-0.30.2/docs/challenges.rst 2019-01-25 21:15:41.000000000 +0100
@@ -3,10 +3,9 @@
To receive a certificate from Let's Encrypt certificate authority (CA), you must pass a *challenge* to
prove you control each of the domain names that will be listed in the certificate. A challenge is one of
-three tasks that only someone who controls the domain should be able to accomplish:
+a list of specified tasks that only someone who controls the domain should be able to accomplish, such as:
* Posting a specified file in a specified location on a web site (the HTTP-01 challenge)
-* Offering a specified temporary certificate on a web site (the TLS-SNI-01 challenge)
* Posting a specified DNS record in the domain name system (the DNS-01 challenge)
It’s possible to complete each type of challenge *automatically* (Certbot directly makes the necessary
@@ -16,21 +15,21 @@
Some plugins offer an *authenticator*, meaning that they can satisfy challenges:
-* Apache plugin: (TLS-SNI-01) Tries to edit your Apache configuration files to temporarily serve
- a Certbot-generated certificate for a specified name. Use the Apache plugin when you're running
- Certbot on a web server with Apache listening on port 443.
-* NGINX plugin: (TLS-SNI-01) Tries to edit your NGINX configuration files to temporarily serve a
- Certbot-generated certificate for a specified name. Use the NGINX plugin when you're running
- Certbot on a web server with NGINX listening on port 443.
+* Apache plugin: (HTTP-01) Tries to edit your Apache configuration files to temporarily serve files to
+ satisfy challenges from the certificate authority. Use the Apache plugin when you're running Certbot on a
+ web server with Apache listening on port 80.
+* Nginx plugin: (HTTP-01) Tries to edit your nginx configuration files to temporarily serve files to
+ satisfy challenges from the certificate authority. Use the nginx plugin when you're running Certbot on a
+ web server with nginx listening on port 80.
* Webroot plugin: (HTTP-01) Tries to place a file where it can be served over HTTP on port 80 by a
web server running on your system. Use the Webroot plugin when you're running Certbot on
a web server with any server application listening on port 80 serving files from a folder on disk in response.
-* Standalone plugin: (TLS-SNI-01 or HTTP-01) Tries to run a temporary web server listening on either HTTP on
- port 80 (for HTTP-01) or HTTPS on port 443 (for TLS-SNI-01). Use the Standalone plugin if no existing program
- is listening to these ports. Choose TLS-SNI-01 or HTTP-01 using the `--preferred-challenges` option.
+* Standalone plugin: (HTTP-01) Tries to run a temporary web server listening on HTTP on port 80. Use the
+ Standalone plugin if no existing program is listening to this port.
* Manual plugin: (DNS-01 or HTTP-01) Either tells you what changes to make to your configuration or updates
your DNS records using an external script (for DNS-01) or your webroot (for HTTP-01). Use the Manual
- plugin if you have the technical knowledge to make configuration changes yourself when asked to do so.
+ plugin if you have the technical knowledge to make configuration changes yourself when asked to do so,
+ and are prepared to repeat these steps every time the certificate needs to be renewed.
Tips for Challenges
-------------------
@@ -63,20 +62,6 @@
* When using the Standalone plugin, make sure another program is not already listening to port 80 on the server.
* When using the Webroot plugin, make sure there is a web server listening on port 80.
-TLS-SNI-01 Challenge
-~~~~~~~~~~~~~~~~~~~~
-
-* The TLS-SNI-01 challenge doesn’t work with content delivery networks (CDNs)
- like CloudFlare and Akamai because the domain name is pointed at the CDN, not directly at your server.
-* Make sure port 443 is open, publicly reachable from the Internet, and not blocked by a router or firewall.
-* When using the Apache plugin, make sure you are running Apache and no other web server on port 443.
-* When using the NGINX plugin, make sure you are running NGINX and no other web server on port 443.
-* With either the Apache or NGINX plugin, certbot modifies your web server configuration. If you get
- an error after successfully completing the challenge, then you have received a certificate but the
- plugin was unable to modify your web server configuration, meaning that you'll have to install the certificate manually.
- In that case, please file a bug to help us improve certbot!
-* When using the Standalone plugin, make sure another program is not already listening to port 443 on the server.
-
DNS-01 Challenge
~~~~~~~~~~~~~~~~
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certbot-0.29.1/docs/cli-help.txt new/certbot-0.30.2/docs/cli-help.txt
--- old/certbot-0.29.1/docs/cli-help.txt 2018-12-06 00:47:58.000000000 +0100
+++ new/certbot-0.30.2/docs/cli-help.txt 2019-01-25 21:15:41.000000000 +0100
@@ -29,6 +29,7 @@
manage your account with Let's Encrypt:
register Create a Let's Encrypt ACME account
+ update_account Update a Let's Encrypt ACME account
--agree-tos Agree to the ACME server's Subscriber Agreement
-m EMAIL Email address for important account notifications
@@ -112,7 +113,7 @@
case, and to know when to deprecate support for past
Python versions and flags. If you wish to hide this
information from the Let's Encrypt server, set this to
- "". (default: CertbotACMEClient/0.29.0
+ "". (default: CertbotACMEClient/0.30.1
(certbot(-auto); OS_NAME OS_VERSION) Authenticator/XXX
Installer/YYY (SUBCOMMAND; flags: FLAGS)
Py/major.minor.patchlevel). The flags encoded in the
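Review bot: the regenerated default user agent reads `CertbotACMEClient/0.30.1` while this tarball is 0.30.2, so cli-help.txt was generated one release behind; regenerate it (cosmetic for the package, but the string is what the ACME server records in its logs).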
@@ -252,8 +253,8 @@
None)
--config-dir CONFIG_DIR
Configuration directory. (default: /etc/letsencrypt)
- --work-dir WORK_DIR Working directory. (default: /var/letsencrypt/lib)
- --logs-dir LOGS_DIR Logs directory. (default: /var/letsencrypt/log)
+ --work-dir WORK_DIR Working directory. (default: /var/lib/letsencrypt)
+ --logs-dir LOGS_DIR Logs directory. (default: /var/log/letsencrypt)
--server SERVER ACME Directory Resource URI. (default:
https://acme-v02.api.letsencrypt.org/directory)
@@ -359,7 +360,7 @@
certificates. (default: None)
register:
- Options for account registration & modification
+ Options for account registration
--register-unsafely-without-email
Specifying this flag enables registering an account
@@ -371,11 +372,6 @@
to the Subscriber Agreement will still affect you, and
will be effective 14 days after posting an update to
the web site. (default: False)
- --update-registration
- With the register verb, indicates that details
- associated with an existing registration, such as the
- e-mail address, should be updated, rather than
- registering a new account. (default: False)
-m EMAIL, --email EMAIL
Email used for registration and recovery contact. Use
comma to register multiple emails, ex:
@@ -384,6 +380,9 @@
--no-eff-email Don't share your e-mail address with EFF (default:
None)
+update_account:
+ Options for account modification
+
unregister:
Options for account deactivation.
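Review bot: the new `update_account:` section lists no options although cli.py adds `-m/--email`, `--eff-email` and `--no-eff-email` to the `update_account` topic; check whether the help generator only prints an option under its first topic (so they appear under `register:` only) and, if so, add a pointer line, because a user running `certbot update_account --help` would otherwise see an empty section.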
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certbot-0.29.1/docs/contributing.rst new/certbot-0.30.2/docs/contributing.rst
--- old/certbot-0.29.1/docs/contributing.rst 2018-12-06 00:47:58.000000000 +0100
+++ new/certbot-0.30.2/docs/contributing.rst 2019-01-25 21:15:41.000000000 +0100
@@ -186,8 +186,8 @@
--------------
Authenticators are plugins that prove control of a domain name by solving a
-challenge provided by the ACME server. ACME currently defines three types of
-challenges: HTTP, TLS-SNI, and DNS, represented by classes in `acme.challenges`.
+challenge provided by the ACME server. ACME currently defines several types of
+challenges: HTTP, TLS-SNI (deprecated), TLS-ALPR, and DNS, represented by classes in `acme.challenges`.
An authenticator plugin should implement support for at least one challenge type.
An Authenticator indicates which challenges it supports by implementing
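Review bot: `TLS-ALPR` on the challenge-list line is a typo for TLS-ALPN (the TLS-ALPN-01 challenge); fix it so the list reads `HTTP, TLS-SNI (deprecated), TLS-ALPN, and DNS`.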
@@ -215,7 +215,7 @@
Installers and Authenticators will oftentimes be the same class/object
(because for instance both tasks can be performed by a webserver like nginx)
though this is not always the case (the standalone plugin is an authenticator
-that listens on port 443, but it cannot install certs; a postfix plugin would
+that listens on port 80, but it cannot install certs; a postfix plugin would
be an installer but not an authenticator).
Installers and Authenticators are kept separate because
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certbot-0.29.1/docs/install.rst new/certbot-0.30.2/docs/install.rst
--- old/certbot-0.29.1/docs/install.rst 2018-12-06 00:47:58.000000000 +0100
+++ new/certbot-0.30.2/docs/install.rst 2019-01-25 21:15:41.000000000 +0100
@@ -29,7 +29,7 @@
Certbot currently requires Python 2.7 or 3.4+ running on a UNIX-like operating
system. By default, it requires root access in order to write to
``/etc/letsencrypt``, ``/var/log/letsencrypt``, ``/var/lib/letsencrypt``; to
-bind to ports 80 and 443 (if you use the ``standalone`` plugin) and to read and
+bind to port 80 (if you use the ``standalone`` plugin) and to read and
modify webserver configurations (if you use the ``apache`` or ``nginx``
plugins). If none of these apply to you, it is theoretically possible to run
without root privileges, but for most users who want to avoid running an ACME
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certbot-0.29.1/docs/using.rst new/certbot-0.30.2/docs/using.rst
--- old/certbot-0.29.1/docs/using.rst 2018-12-06 00:47:58.000000000 +0100
+++ new/certbot-0.30.2/docs/using.rst 2019-01-25 21:15:41.000000000 +0100
@@ -44,14 +44,13 @@
=========== ==== ==== =============================================================== =============================
Plugin Auth Inst Notes Challenge types (and port)
=========== ==== ==== =============================================================== =============================
-apache_ Y Y | Automates obtaining and installing a certificate with Apache tls-sni-01_ (443)
+apache_ Y Y | Automates obtaining and installing a certificate with Apache http-01_ (80)
| 2.4 on OSes with ``libaugeas0`` 1.0+.
+nginx_ Y Y | Automates obtaining and installing a certificate with Nginx. http-01_ (80)
webroot_ Y N | Obtains a certificate by writing to the webroot directory of http-01_ (80)
| an already running webserver.
-nginx_ Y Y | Automates obtaining and installing a certificate with Nginx. tls-sni-01_ (443)
- | Shipped with Certbot 0.9.0.
-standalone_ Y N | Uses a "standalone" webserver to obtain a certificate. http-01_ (80) or
- | Requires port 80 or 443 to be available. This is useful on tls-sni-01_ (443)
+standalone_ Y N | Uses a "standalone" webserver to obtain a certificate. http-01_ (80)
+ | Requires port 80 to be available. This is useful on
| systems with no webserver, or when direct integration with
| the local webserver is not supported or not desired.
|dns_plugs| Y N | This category of plugins automates obtaining a certificate by dns-01_ (53)
@@ -59,17 +58,17 @@
| domain. Doing domain validation in this way is
| the only way to obtain wildcard certificates from Let's
| Encrypt.
-manual_ Y N | Helps you obtain a certificate by giving you instructions to http-01_ (80),
- | perform domain validation yourself. Additionally allows you dns-01_ (53) or
- | to specify scripts to automate the validation task in a tls-sni-01_ (443)
+manual_ Y N | Helps you obtain a certificate by giving you instructions to http-01_ (80) or
+ | perform domain validation yourself. Additionally allows you dns-01_ (53)
+ | to specify scripts to automate the validation task in a
| customized way.
=========== ==== ==== =============================================================== =============================
.. |dns_plugs| replace:: :ref:`DNS plugins `
Under the hood, plugins use one of several ACME protocol challenges_ to
-prove you control a domain. The options are http-01_ (which uses port 80),
-tls-sni-01_ (port 443) and dns-01_ (requiring configuration of a DNS server on
+prove you control a domain. The options are http-01_ (which uses port 80)
+and dns-01_ (requiring configuration of a DNS server on
port 53, though that's often not the same machine as your webserver). A few
plugins support more than one challenge type, in which case you can choose one
with ``--preferred-challenges``.
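Review bot: after this hunk, "A few plugins support more than one challenge type, in which case you can choose one with ``--preferred-challenges``" describes only the manual_ row of the table above (http-01_ or dns-01_), because standalone_ was reduced to http-01 alone in the same patch; name the manual plugin here (e.g. "Only the manual plugin supports more than one challenge type") so readers know where ``--preferred-challenges`` still applies.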
@@ -78,7 +77,6 @@
the circumstances in which each plugin can be used, and how to use it.
.. _challenges: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7
-.. _tls-sni-01: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.3
.. _http-01: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.2
.. _dns-01: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.4
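Review bot: deleting the ``.. _tls-sni-01:`` target will make any ``tls-sni-01_`` reference left elsewhere in the file fail the Sphinx build with an unknown-target error; the visible hunks remove the references in the plugin table, the challenge paragraph and the manual section, but grep the rest of using.rst and the other docs before merging. The surviving http-01_ and dns-01_ targets still point at section numbers of draft-ietf-acme-acme-03, which this patch does not touch but which is worth revisiting in a follow-up.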
@@ -159,13 +157,9 @@
To obtain a certificate using a "standalone" webserver, you can use the
standalone plugin by including ``certonly`` and ``--standalone``
-on the command line. This plugin needs to bind to port 80 or 443 in
+on the command line. This plugin needs to bind to port 80 in
order to perform domain validation, so you may need to stop your
-existing webserver. To control which port the plugin uses, include
-one of the options shown below on the command line.
-
- * ``--preferred-challenges http`` to use port 80
- * ``--preferred-challenges tls-sni`` to use port 443
+existing webserver.
It must still be possible for your machine to accept inbound connections from
the Internet on the specified port using each requested domain name.
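Review bot: "accept inbound connections from the Internet on the specified port" no longer has anything to refer to once the two ``--preferred-challenges`` port bullets are removed, since the plugin is now documented as always binding to port 80; change it to "on port 80 using each requested domain name" so the sentence matches the rewritten paragraph above it.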
@@ -222,8 +216,7 @@
to copy and paste commands into another terminal session, which may
be on a different computer.
-The manual plugin can use either the ``http``, ``dns`` or the
-``tls-sni`` challenge. You can use the ``--preferred-challenges`` option
+The manual plugin can use either the ``http`` or the ``dns`` challenge. You can use the ``--preferred-challenges`` option
to choose the challenge of your preference.
The ``http`` challenge will ask you to place a file with a specific name and
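Review bot: the rewritten line "The manual plugin can use either the ``http`` or the ``dns`` challenge. You can use the ``--preferred-challenges`` option" is well beyond the roughly 72-column wrapping used by the rest of the file; rewrap it so the sentence break falls at a line end, e.g. "The manual plugin can use either the ``http`` or the ``dns`` challenge." on one line and "You can use the ``--preferred-challenges`` option" on the next, which also keeps the following "to choose the challenge of your preference." line sensible.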
@@ -241,11 +234,6 @@
_acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM"
-When using the ``tls-sni`` challenge, ``certbot`` will prepare a self-signed
-SSL certificate for you with the challenge validation appropriately
-encoded into a subjectAlternatNames entry. You will need to configure
-your SSL server to present this challenge SSL certificate to the ACME
-server using SNI.
Additionally you can specify scripts to prepare for validation and
perform the authentication procedure and/or clean up after it by using
@@ -262,16 +250,20 @@
``--authenticator`` or ``-a`` and the installer plugin with ``--installer`` or
``-i``.
-For instance, you may want to create a certificate using the webroot_ plugin
-for authentication and the apache_ plugin for installation, perhaps because you
-use a proxy or CDN for SSL and only want to secure the connection between them
-and your origin server, which cannot use the tls-sni-01_ challenge due to the
-intermediate proxy.
+For instance, you could create a certificate using the webroot_ plugin
+for authentication and the apache_ plugin for installation.
::
certbot run -a webroot -i apache -w /var/www/html -d example.com
+Or you could create a certificate using the manual_ plugin for authentication
+and the nginx_ plugin for installation. (Note that this certificate cannot
+be renewed automatically.)
+
+::
+ certbot run -a manual -i nginx -d example.com
+
.. _third-party-plugins:
Third-party plugins
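Review bot: "(Note that this certificate cannot be renewed automatically.)" is stated too absolutely: the manual section earlier in this file says you can supply scripts that perform the authentication and clean-up steps, and with those scripts renewal can proceed unattended; qualify it as "cannot be renewed automatically unless you also provide the validation scripts described in the manual plugin section". Separately, dropping the whole "perhaps because you use a proxy or CDN for SSL and only want to secure the connection between them and your origin server" rationale leaves the webroot_ plus apache_ example without a motivation; only the trailing tls-sni-01_ clause needed to go, so consider keeping the proxy/CDN sentence without it.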
@@ -781,9 +773,6 @@
- ``CERTBOT_DOMAIN``: The domain being authenticated
- ``CERTBOT_VALIDATION``: The validation string (HTTP-01 and DNS-01 only)
- ``CERTBOT_TOKEN``: Resource name part of the HTTP-01 challenge (HTTP-01 only)
-- ``CERTBOT_CERT_PATH``: The challenge SSL certificate (TLS-SNI-01 only)
-- ``CERTBOT_KEY_PATH``: The private key associated with the aforementioned SSL certificate (TLS-SNI-01 only)
-- ``CERTBOT_SNI_DOMAIN``: The SNI name for which the ACME server expects to be presented the self-signed certificate located at ``$CERTBOT_CERT_PATH`` (TLS-SNI-01 only)
Additionally for cleanup:
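Review bot: with the three TLS-SNI-01 variables removed, the "(HTTP-01 and DNS-01 only)" qualifier on ``CERTBOT_VALIDATION`` now covers every remaining challenge type and can be dropped, while "(HTTP-01 only)" on ``CERTBOT_TOKEN`` is still meaningful and should stay. Also check the "Additionally for cleanup:" list that follows this hunk for any ``CERTBOT_CERT_PATH``, ``CERTBOT_KEY_PATH`` or ``CERTBOT_SNI_DOMAIN`` entries, which would need the same removal in this patch.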