Change parameter scope in workflows

Signed-off-by: Alexis <lxshancock@gmail.com>

.azure-pipelines/INSTALL.md

@@ -1,8 +1,8 @@
 # Configuring Azure Pipelines with Certbot
 
 Let's begin. All pipelines are defined in `.azure-pipelines`. Currently there are two:
-* `.azure-pipelines/main.yml` is the main one, executed on PRs for master, and pushes to master,
-* `.azure-pipelines/advanced.yml` add installer testing on top of the main pipeline, and is executed for `test-*` branches, release branches, and nightly run for master.
+* `.azure-pipelines/main.yml` is the main one, executed on PRs for main, and pushes to main,
+* `.azure-pipelines/advanced.yml` add installer testing on top of the main pipeline, and is executed for `test-*` branches, release branches, and nightly run for main.
 
 Several templates are defined in `.azure-pipelines/templates`. These YAML files aggregate common jobs configuration that can be reused in several pipelines.
 
@@ -64,7 +64,7 @@ Azure Pipeline needs RW on code, RO on metadata, RW on checks, commit statuses,
 RW access here is required to allow update of the pipelines YAML files from Azure DevOps interface, and to
 update the status of builds and PRs on GitHub side when Azure Pipelines are triggered.
 Note however that no admin access is defined here: this means that Azure Pipelines cannot do anything with
-protected branches, like master, and cannot modify the security context around this on GitHub.
+protected branches, like main, and cannot modify the security context around this on GitHub.
 Access can be defined for all or only selected repositories, which is nice.
 ```
 
@@ -91,11 +91,11 @@ grant permissions from Azure Pipelines to GitHub in order to setup a GitHub OAut
 then are way too large (admin level on almost everything), while the classic approach does not add any more
 permissions, and works perfectly well.__
 
-- Select GitHub in "Select your repository section", choose certbot/certbot in Repository, master in default branch.
+- Select GitHub in "Select your repository section", choose certbot/certbot in Repository, main in default branch.
 - Click on YAML option for "Select a template"
 - Choose a name for the pipeline (eg. test-pipeline), and browse to the actual pipeline YAML definition in the
   "YAML file path" input (eg. `.azure-pipelines/test-pipeline.yml`)
-- Click "Save & queue", choose the master branch to build the first pipeline, and click "Save and run" button.
+- Click "Save & queue", choose the main branch to build the first pipeline, and click "Save and run" button.
 
 _Done. Pipeline is operational. Repeat to add more pipelines from existing YAML files in `.azure-pipelines`._
 

.azure-pipelines/main.yml

@@ -1,9 +1,9 @@
-# We run the test suite on commits to master so codecov gets coverage data
-# about the master branch and can use it to track coverage changes.
+# We run the test suite on commits to main so codecov gets coverage data
+# about the main branch and can use it to track coverage changes.
 trigger:
-  - master
+  - main
 pr:
-  - master
+  - main
   - '*.x'
 
 variables:

.azure-pipelines/nightly.yml

@@ -1,4 +1,4 @@
-# Nightly pipeline running each day for master.
+# Nightly pipeline running each day for main.
 trigger: none
 pr: none
 schedules:
@@ -6,7 +6,7 @@ schedules:
     displayName: Nightly build
     branches:
       include:
-      - master
+      - main
     always: true
 
 variables:
@@ -15,5 +15,5 @@ variables:
 
 stages:
   - template: templates/stages/test-and-package-stage.yml
+  - template: templates/stages/changelog-stage.yml
   - template: templates/stages/nightly-deploy-stage.yml
-  - template: templates/stages/notify-failure-stage.yml

.azure-pipelines/release.yml

@@ -14,4 +14,3 @@ stages:
   - template: templates/stages/test-and-package-stage.yml
   - template: templates/stages/changelog-stage.yml
   - template: templates/stages/release-deploy-stage.yml
-  - template: templates/stages/notify-failure-stage.yml

.azure-pipelines/templates/jobs/extended-tests-jobs.yml

@@ -4,32 +4,24 @@ jobs:
       - name: IMAGE_NAME
         value: ubuntu-22.04
       - name: PYTHON_VERSION
-        value: 3.12
+        value: 3.13
       - group: certbot-common
     strategy:
       matrix:
-        linux-py39:
-          PYTHON_VERSION: 3.9
-          TOXENV: py39
-        linux-py310:
-          PYTHON_VERSION: 3.10
-          TOXENV: py310
         linux-py311:
           PYTHON_VERSION: 3.11
           TOXENV: py311
+        linux-py312:
+          PYTHON_VERSION: 3.12
+          TOXENV: py312
         linux-isolated:
           TOXENV: 'isolated-acme,isolated-certbot,isolated-apache,isolated-cloudflare,isolated-digitalocean,isolated-dnsimple,isolated-dnsmadeeasy,isolated-gehirn,isolated-google,isolated-linode,isolated-luadns,isolated-nsone,isolated-ovh,isolated-rfc2136,isolated-route53,isolated-sakuracloud,isolated-nginx'
         linux-integration-certbot-oldest:
-          PYTHON_VERSION: 3.8
+          PYTHON_VERSION: 3.10
           TOXENV: integration-certbot-oldest
         linux-integration-nginx-oldest:
-          PYTHON_VERSION: 3.8
+          PYTHON_VERSION: 3.10
           TOXENV: integration-nginx-oldest
-        # python 3.8 integration tests are not run here because they're run as    
-        # part of the standard test suite 
-        linux-py39-integration:
-          PYTHON_VERSION: 3.9
-          TOXENV: integration
         linux-py310-integration:
           PYTHON_VERSION: 3.10
           TOXENV: integration
@@ -39,17 +31,19 @@ jobs:
         linux-py312-integration:
           PYTHON_VERSION: 3.12
           TOXENV: integration
+        # python 3.13 integration tests are not run here because they're run as
+        # part of the standard test suite
         nginx-compat:
           TOXENV: nginx_compat
         linux-integration-rfc2136:
           IMAGE_NAME: ubuntu-22.04
-          PYTHON_VERSION: 3.8
+          PYTHON_VERSION: 3.12
           TOXENV: integration-dns-rfc2136
         le-modification:
           IMAGE_NAME: ubuntu-22.04
           TOXENV: modification
         farmtest-apache2:
-          PYTHON_VERSION: 3.8
+          PYTHON_VERSION: 3.12
           TOXENV: test-farm-apache2
     pool:
       vmImage: $(IMAGE_NAME)

.azure-pipelines/templates/jobs/packaging-jobs.yml

@@ -1,7 +1,7 @@
 jobs:
   - job: docker_build
     pool:
-      vmImage: ubuntu-22.04
+      vmImage: ubuntu-24.04
     strategy:
       matrix:
         arm32v6:
@@ -155,5 +155,5 @@ jobs:
         displayName: Prepare Certbot-CI
       - script: |
           set -e
-          sudo -E venv/bin/pytest certbot-ci/snap_integration_tests/dns_tests --allow-persistent-changes --snap-folder $(Build.SourcesDirectory)/snap --snap-arch amd64
+          sudo -E venv/bin/pytest certbot-ci/src/snap_integration_tests/dns_tests --allow-persistent-changes --snap-folder $(Build.SourcesDirectory)/snap --snap-arch amd64
         displayName: Test DNS plugins snaps

.azure-pipelines/templates/jobs/standard-tests-jobs.yml

@@ -1,30 +1,26 @@
 jobs:
   - job: test
     variables:
-      PYTHON_VERSION: 3.12
+      PYTHON_VERSION: 3.13
     strategy:
       matrix:
-        macos-py38-cover:
-          IMAGE_NAME: macOS-12
-          PYTHON_VERSION: 3.8
+        macos-cover:
+          IMAGE_NAME: macOS-15
           TOXENV: cover
           # As of pip 23.1.0, builds started failing on macOS unless this flag was set.
           # See https://github.com/certbot/certbot/pull/9717#issuecomment-1610861794.
           PIP_USE_PEP517: "true"
-        macos-cover:
-          IMAGE_NAME: macOS-13
-          TOXENV: cover
-          # See explanation under macos-py38-cover.
-          PIP_USE_PEP517: "true"
         linux-oldest:
           IMAGE_NAME: ubuntu-22.04
-          PYTHON_VERSION: 3.8
+          PYTHON_VERSION: 3.10
           TOXENV: oldest
-        linux-py38:
+        linux-py310:
+          # linux unit tests with the oldest python we support
           IMAGE_NAME: ubuntu-22.04
-          PYTHON_VERSION: 3.8
-          TOXENV: py38
+          PYTHON_VERSION: 3.10
+          TOXENV: py310
         linux-cover:
+          # linux unit+cover tests with the newest python we support
           IMAGE_NAME: ubuntu-22.04
           TOXENV: cover
         linux-lint:
@@ -35,7 +31,6 @@ jobs:
           TOXENV: mypy
         linux-integration:
           IMAGE_NAME: ubuntu-22.04
-          PYTHON_VERSION: 3.8
           TOXENV: integration
         apache-compat:
           IMAGE_NAME: ubuntu-22.04
@@ -46,12 +41,15 @@ jobs:
         nginxroundtrip:
           IMAGE_NAME: ubuntu-22.04
           TOXENV: nginxroundtrip
+        validate-changelog:
+          IMAGE_NAME: ubuntu-22.04
+          TOXENV: validate-changelog
     pool:
       vmImage: $(IMAGE_NAME)
     steps:
       - template: ../steps/tox-steps.yml
   - job: test_sphinx_builds
     pool:
-      vmImage: ubuntu-20.04
+      vmImage: ubuntu-22.04
     steps:
       - template: ../steps/sphinx-steps.yml

.azure-pipelines/templates/stages/changelog-stage.yml

@@ -3,13 +3,13 @@ stages:
     jobs:
       - job: prepare
         pool:
-          vmImage: windows-2019
+          vmImage: ubuntu-latest
         steps:
           # If we change the output filename from `release_notes.md`, it should also be changed in tools/create_github_release.py
           - bash: |
               set -e
-              CERTBOT_VERSION="$(cd certbot && python -c "import certbot; print(certbot.__version__)" && cd ~-)"
-              "${BUILD_REPOSITORY_LOCALPATH}\tools\extract_changelog.py" "${CERTBOT_VERSION}" >> "${BUILD_ARTIFACTSTAGINGDIRECTORY}/release_notes.md"
+              CERTBOT_VERSION="$(cd certbot/src && python -c "import certbot; print(certbot.__version__)" && cd ~-)"
+              "${BUILD_REPOSITORY_LOCALPATH}/tools/extract_changelog.py" "${CERTBOT_VERSION}" >> "${BUILD_ARTIFACTSTAGINGDIRECTORY}/release_notes.md"
             displayName: Prepare changelog
           - task: PublishPipelineArtifact@1
             inputs:

.azure-pipelines/templates/stages/notify-failure-stage.yml

@@ -1,19 +0,0 @@
-stages:
-  - stage: On_Failure
-    jobs:
-      - job: notify_mattermost
-        variables:
-          - group: certbot-common
-        pool:
-          vmImage: ubuntu-20.04
-        steps:
-          - bash: |
-              set -e
-              MESSAGE="\
-              ---\n\
-              ##### Azure Pipeline
-              *Repo* $(Build.Repository.ID) - *Pipeline* $(Build.DefinitionName) #$(Build.BuildNumber) - *Branch/PR* $(Build.SourceBranchName)\n\
-              :warning: __Pipeline has failed__: [Link to the build](https://dev.azure.com/$(Build.Repository.ID)/_build/results?buildId=$(Build.BuildId)&view=results)\n\n\
-              ---"
-              curl -i -X POST --data-urlencode "payload={\"text\":\"${MESSAGE}\"}" "$(MATTERMOST_URL)"
-    condition: failed()

.azure-pipelines/templates/stages/release-deploy-stage.yml

@@ -15,22 +15,11 @@ stages:
         - task: GitHubRelease@1
           inputs:
             # this "github-releases" credential is what azure pipelines calls a
-            # "service connection". it was created using the instructions at
-            # https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#github-service-connection
-            # with a fine-grained personal access token from github to limit
-            # the permissions given to azure pipelines. the connection on azure
-            # needs permissions for the "release" pipeline (and maybe the
-            # "full-test-suite" pipeline to simplify testing it). information
-            # on how to set up these permissions can be found at
-            # https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#secure-a-service-connection.
-            # the github token that is used needs "contents:write" and
-            # "workflows:write" permissions for the certbot repo
+            # "service connection". it needs to be recreated annually. instructions
+            # to do so and further information about the token are available at
+            # https://github.com/EFForg/certbot-misc/wiki/Azure-Pipelines-setup#regenerating-github-release-credentials-for-use-on-azure
             #
-            # as of writing this, the current token will expire on 3/15/2025.
-            # when recreating it, you may also want to create it using the
-            # shared "certbotbot" github account so the credentials aren't tied
-            # to any one dev's github account and their access to the certbot
-            # repo
+            # as of writing this, the current token will expire on Wed, Feb 25 2026.
             gitHubConnection: github-releases
             title: ${{ format('Certbot {0}', replace(variables['Build.SourceBranchName'], 'v', '')) }}
             releaseNotesFilePath: '$(Pipeline.Workspace)/release_notes.md'

.azure-pipelines/templates/steps/sphinx-steps.yml

@@ -2,7 +2,7 @@ steps:
   - bash: |
       set -e
       sudo apt-get update
-      sudo apt-get install -y --no-install-recommends libaugeas0
+      sudo apt-get install -y --no-install-recommends libaugeas-dev
       FINAL_STATUS=0
       declare -a FAILED_BUILDS
       tools/venv.py

.azure-pipelines/templates/steps/tox-steps.yml

@@ -20,7 +20,7 @@ steps:
       set -e
       sudo apt-get update
       sudo apt-get install -y --no-install-recommends \
-        libaugeas0 \
+        libaugeas-dev \
         nginx-light
       sudo systemctl stop nginx
       sudo sysctl net.ipv4.ip_unprivileged_port_start=0

.github/ISSUE_TEMPLATE/bug.yaml

@@ -0,0 +1,69 @@
+name: Bug Report
+description: File a bug report.
+title: "[Bug]: "
+type: Bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report! If you're 
+        having trouble using Certbot and aren't sure you've found a bug,
+        please first try asking for help at https://community.letsencrypt.org/.
+        There is a much larger community there of people familiar with the
+        project who will be able to more quickly answer your questions.
+  - type: input
+    attributes:
+      label: OS
+      description: |
+        Describe your Operating System. Examples: Ubuntu 18.04, CentOS 8 Stream
+      placeholder: Ubuntu 24.04
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Installation method
+      description: |
+        How did you install Certbot? Examples: snap, pip, apt, yum
+      placeholder: snap
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Certbot Version
+      description: |
+        If you're not sure, you can find this by running `certbot --version`.
+      placeholder: 1.0.0
+    validations:
+      required: true
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: |
+        I ran this command and it produced this output. Example:
+        ```
+        $ sudo certbot certonly -d adfsfasdf.asdfasdf --staging
+        Saving debug log to /var/log/letsencrypt/letsencrypt.log
+        Plugins selected: Authenticator nginx, Installer nginx
+        Requesting a certificate for example.com
+        An unexpected error occurred:
+        Invalid identifiers requested :: Cannot issue for "adfsfasdf.asdfasdf": Domain name does not end with a valid public suffix (TLD)
+        Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
+        ```
+      placeholder: Tell us what you see!
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: Certbot's behavior differed from what I expected because.
+      placeholder: "What was expected?"
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: Here is a Certbot log showing the issue (if available). Logs are stored in `/var/log/letsencrypt` by default. Feel free to redact domains, e-mail and IP addresses as you see fit.
+      render: shell

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Let's Encrypt Community Support
+    url: https://community.letsencrypt.org/
+    about: If you're having trouble using Certbot and aren't sure you've found a bug or request for a new feature, please first try asking for help here. There is a much larger community there of people familiar with the project who will be able to more quickly answer your questions.
+  - name: Certbot Security Policy
+    url: https://github.com/certbot/certbot/security/advisories/new
+    about: Please report security vulnerabilities here.

.github/ISSUE_TEMPLATE/feature.yaml

@@ -0,0 +1,27 @@
+name: Feature Request
+description: Suggest a new feature or improvement to Certbot
+title: "[Feature Request]: "
+type: Feature
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: What problem does this feature solve or what does it enhance?
+      description: Explain what this feature addresses, or the benefit it provides.
+      placeholder: For example, "Currently, users have to manually do X, which is time-consuming."
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed Solution
+      description: Describe the solution you'd like to see implemented.
+      placeholder: For example, "Implement a new button that automatically does X."
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives Considered
+      description: Have you considered any alternative solutions?
+      placeholder: For example, "We considered Y, but Z is a better approach because..."

.github/ISSUE_TEMPLATE/task.yaml

@@ -0,0 +1,15 @@
+name: Task
+description: A codebase upkeep task such as managing deprecations and refactoring
+title: "[Task]: "
+type: Task
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Task description
+      description: Describe the work that needs to happen, and why.
+      placeholder: >
+        For example, "In issue [link here], we noted that we cannot update [dependency] until
+        [something happens]. That thing has happened, so now we should update [dependency]."
+    validations:
+      required: true

.github/issue_template.md

@@ -1,22 +0,0 @@
-If you're having trouble using Certbot and aren't sure you've found a bug or
-request for a new feature, please first try asking for help at
-https://community.letsencrypt.org/. There is a much larger community there of
-people familiar with the project who will be able to more quickly answer your
-questions.
-
-## My operating system is (include version):
-
-
-## I installed Certbot with (snap, OS package manager, pip, certbot-auto, etc):
-
-
-## I ran this command and it produced this output:
-
-
-## Certbot's behavior differed from what I expected because:
-
-
-## Here is a Certbot log showing the issue (if available):
-###### Logs are stored in `/var/log/letsencrypt` by default. Feel free to redact domains, e-mail and IP addresses as you see fit.
-
-## Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring:

.github/pull_request_template.md

@@ -1,6 +1,7 @@
 ## Pull Request Checklist
 
 - [ ] The Certbot team has recently expressed interest in reviewing a PR for this. If not, this PR may be closed due our limited resources and need to prioritize how we spend them.
-- [ ] If the change being made is to a [distributed component](https://certbot.eff.org/docs/contributing.html#code-components-and-layout), edit the `master` section of `certbot/CHANGELOG.md` to include a description of the change being made.
+- [ ] If the change being made is to a [distributed component](https://certbot.eff.org/docs/contributing.html#code-components-and-layout), add a description of your change to the `newsfragments` directory. This should be a file called `<title>.<type>`, where `<title>` is either a GitHub issue number or some other unique name starting with `+`, and `<type>` is either `changed`, `fixed`, or `added`.
+  * For example, if you fixed a bug for issue number 42, create a file called `42.fixed` and put a description of your change in that file.
 - [ ] Add or update any documentation as needed to support the changes in this PR.
 - [ ] Include your name in `AUTHORS.md` if you like.

.github/workflows/assigned.yaml

@@ -0,0 +1,14 @@
+name: Issue Assigned
+
+on:
+  issues:
+    types: [assigned]
+jobs:
+  send-mattermost-message:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: mattermost/action-mattermost-notify@master
+      with:
+        MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_ASSIGN_WEBHOOK }}
+        TEXT: >
+            ${{ github.event.assignee.login }} assigned to "${{ github.event.issue.title }}": ${{ github.event.issue.html_url }}

.github/workflows/merged.yaml

@@ -7,8 +7,7 @@ on:
 
 jobs:
   if_merged:
-    # Forked repos can not access Mattermost secret.
-    if: github.event.pull_request.merged == true && !github.event.pull_request.head.repo.fork 
+    if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
     steps:
     - uses: mattermost/action-mattermost-notify@master
@@ -18,4 +17,4 @@ jobs:
           [${{ github.repository }}] |
           [${{ github.event.pull_request.title }}
           #${{ github.event.number }}](https://github.com/${{ github.repository }}/pull/${{ github.event.number }})
-          was merged into master by ${{ github.actor }}
+          was merged into main by ${{ github.actor }}

.github/workflows/notify_weekly.yaml

@@ -2,8 +2,8 @@ name: Weekly Github Update
 
 on:
   schedule:
-    # Every week on Thursday @ 13:00
-    - cron: "0 13 * * 4"
+    # Every week on Thursday @ 10:00
+    - cron: "0 10 * * 4"
   workflow_dispatch:
 jobs:
   send-mattermost-message:
@@ -13,15 +13,13 @@ jobs:
     - name: Create Mattermost Message
       run: |
         DATE=$(date --date="7 days ago" +"%Y-%m-%d")
-        echo "MERGED_URL=https://github.com/pulls?q=merged%3A%3E${DATE}+org%3Acertbot" >> $GITHUB_ENV
-        echo "UPDATED_URL=https://github.com/pulls?q=updated%3A%3E${DATE}+org%3Acertbot" >> $GITHUB_ENV
+        echo "ASSIGNED_PRS=https://github.com/pulls?q=is%3Apr+is%3Aopen+updated%3A%3E%3D${DATE}+assignee%3A*+user%3Acertbot" >> $GITHUB_ENV
+        echo "UPDATED_URL=https://github.com/issues?q=is%3Aissue+is%3Aopen+sort%3Acomments-desc+updated%3A%3E%3D${DATE}+user%3Acertbot" >> $GITHUB_ENV
     - uses: mattermost/action-mattermost-notify@master
       with:
         MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK_URL }}
         MATTERMOST_CHANNEL: private-certbot
         TEXT: |
-          ## Updates Across Certbot Repos
-          - Certbot team members SHOULD look at: [link](${{ env.MERGED_URL }})
-          - Certbot team members MAY also want to look at: [link](${{ env.UPDATED_URL }})
-          - Want to Discuss something today? Place it [here](https://docs.google.com/document/d/17YMUbtC1yg6MfiTMwT8zVm9LmO-cuGVBom0qFn8XJBM/edit?usp=sharing) and we can meet today on Zoom.
-          - The key words SHOULD and MAY in this message are to be interpreted as described in [RFC 8147](https://www.rfc-editor.org/rfc/rfc8174).
+          ## Updates In the Past Week
+          - Most commented in the last week: [link](${{ env.UPDATED_URL }})
+          - Updated (assigned) PRs in the last week: [link](${{ env.ASSIGNED_PRS }})

.github/workflows/review_requested.yaml

@@ -0,0 +1,16 @@
+name: Review Requested
+
+on:
+  pull_request:
+    types: [review_requested]
+jobs:
+  send-mattermost-message:
+    # Don't notify for the interim step of certbot/eff-devs being assigned
+    if: ${{ github.event.requested_reviewer.login != ''}}
+    runs-on: ubuntu-latest
+    steps:
+    - uses: mattermost/action-mattermost-notify@master
+      with:
+        MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_ASSIGN_WEBHOOK }}
+        TEXT: >
+            Review requested from ${{ github.event.requested_reviewer.login }} for "${{ github.event.pull_request.title }}": ${{ github.event.pull_request.html_url }}

.github/workflows/stale.yml

@@ -28,7 +28,10 @@ jobs:
           exempt-all-issue-assignees: true
 
           # Label to use when marking as stale
-          stale-issue-label: needs-update
+          stale-issue-label: stale-needs-update
+
+          # Label to use when issue is automatically closed
+          close-issue-label: auto-closed
 
           stale-issue-message: >
             We've made a lot of changes to Certbot since this issue was opened. If you

.gitignore

@@ -27,6 +27,8 @@ tags
 .idea
 .ropeproject
 .vscode
+*.sublime-project
+*.sublime-workspace
 
 # auth --cert-path --chain-path
 /*.pem
@@ -60,3 +62,6 @@ certbot-dns*/certbot-dns*_arm*.txt
 /certbot_arm*.txt
 certbot-dns*/snap
 snapcraft.cfg
+
+# pyenv files
+.python-version

.isort.cfg

@@ -4,4 +4,4 @@ force_sort_within_sections=True
 force_single_line=True
 order_by_type=False
 line_length=400
-src_paths=acme/acme,acme/tests,certbot*/certbot*,certbot*/tests
+src_paths=acme/src,acme/tests,certbot*/tests,certbot/src,certbot*/src/certbot*

AUTHORS.md

@@ -139,6 +139,7 @@ Authors
 * [John Reed](https://github.com/leerspace)
 * [Jonas Berlin](https://github.com/xkr47)
 * [Jonathan Herlin](https://github.com/Jonher937)
+* [Jonathan Vanasco](https://github.com/jvanasco)
 * [Jon Walsh](https://github.com/code-tree)
 * [Joona Hoikkala](https://github.com/joohoi)
 * [Josh McCullough](https://github.com/JoshMcCullough)
@@ -245,6 +246,7 @@ Authors
 * [Sagi Kedmi](https://github.com/sagi)
 * [Sam Lanning](https://github.com/samlanning)
 * [sapics](https://github.com/sapics)
+* [SATOH Fumiyasu](https://github.com/fumiyas)
 * [Scott Barr](https://github.com/scottjbarr)
 * [Scott Merrill](https://github.com/skpy)
 * [Sebastian Bögl](https://github.com/TheBoegl)

CONTRIBUTING.md

@@ -1,5 +1,8 @@
 <!---
 
+zoracon: (This is an old comment below, not sure how accurate this is anymore. 
+Since Github seems to lean more towards Markdown these days, it's still probably accurate)
+ 
 This file serves as an entry point for GitHub's Contributing
 Guidelines [1] only.
 
@@ -19,19 +22,15 @@ to the Sphinx generated docs is provided below.
 
 Hi! Welcome to the Certbot project. We look forward to collaborating with you.
 
-If you're reporting a bug in Certbot, please make sure to include:
- - The version of Certbot you're running.
- - The operating system you're running it on.
- - The commands you ran.
- - What you expected to happen, and
- - What actually happened.
+If you're reporting a bug in Certbot. Please open an issue: https://github.com/certbot/certbot/issues/new/choose.
+
+If you're having trouble using Certbot and aren't sure you've found a bug, please first try asking for help at https://community.letsencrypt.org/. There is a much larger community there of people familiar with the project who will be able to more quickly answer your questions.
 
 If you're a developer, we have some helpful information in our
 [Developer's Guide](https://certbot.eff.org/docs/contributing.html) to get you
-started. In particular, we recommend you read these sections 
+started. In particular, we recommend you read these sections:
 
+ - [EFF's Public Projects Code of Conduct](https://www.eff.org/pages/eppcode)
  - [Finding issues to work on](https://certbot.eff.org/docs/contributing.html#find-issues-to-work-on)
  - [Coding style](https://certbot.eff.org/docs/contributing.html#coding-style)
  - [Submitting a pull request](https://certbot.eff.org/docs/contributing.html#submitting-a-pull-request)
- - [EFF's Public Projects Code of Conduct](https://www.eff.org/pages/eppcode)
-

SECURITY.md

@@ -1,5 +1,16 @@
 # Security Policy
 
+## Supported Versions
+
+Explanation on supported versions [here](https://github.com/certbot/certbot/wiki/Architectural-Decision-Records#-update-to-certbots-version-policy-and-end-of-life-support-on-previous-major-versions)
+
+| Major Version | Support Level |
+| ------- | ------------------ |
+| >= 4.0  | Full Support |
+| 3.x     | Discretionary Backports |
+| <=2.x   | None |
+
+
 ## Reporting a Vulnerability
 
 Security vulnerabilities can be reported using GitHub's [private vulnerability reporting tool](https://github.com/certbot/certbot/security/advisories/new).

acme/MANIFEST.in

@@ -1,9 +1,8 @@
 include LICENSE.txt
 include README.rst
-include pytest.ini
 recursive-include docs *
 recursive-include examples *
-recursive-include acme/_internal/tests/testdata *
-include acme/py.typed
+recursive-include src/acme/_internal/tests/testdata *
+include src/acme/py.typed
 global-exclude __pycache__
 global-exclude *.py[cod]

acme/acme/_internal/tests/crypto_util_test.py

@@ -1,356 +0,0 @@
-"""Tests for acme.crypto_util."""
-import ipaddress
-import itertools
-import socket
-import socketserver
-import sys
-import threading
-import time
-from typing import List
-import unittest
-
-import josepy as jose
-import OpenSSL
-import pytest
-
-from acme import errors
-from acme._internal.tests import test_util
-
-
-class SSLSocketAndProbeSNITest(unittest.TestCase):
-    """Tests for acme.crypto_util.SSLSocket/probe_sni."""
-
-    def setUp(self):
-        self.cert = test_util.load_comparable_cert('rsa2048_cert.pem')
-        key = test_util.load_pyopenssl_private_key('rsa2048_key.pem')
-        # pylint: disable=protected-access
-        certs = {b'foo': (key, self.cert.wrapped)}
-
-        from acme.crypto_util import SSLSocket
-
-        class _TestServer(socketserver.TCPServer):
-            def __init__(self, *args, **kwargs):
-                super().__init__(*args, **kwargs)
-                self.socket = SSLSocket(self.socket, certs)
-
-        self.server = _TestServer(('', 0), socketserver.BaseRequestHandler)
-        self.port = self.server.socket.getsockname()[1]
-        self.server_thread = threading.Thread(
-            target=self.server.handle_request)
-
-    def tearDown(self):
-        if self.server_thread.is_alive():
-            # The thread may have already terminated.
-            self.server_thread.join()  # pragma: no cover
-        self.server.server_close()
-
-    def _probe(self, name):
-        from acme.crypto_util import probe_sni
-        return jose.ComparableX509(probe_sni(
-            name, host='127.0.0.1', port=self.port))
-
-    def _start_server(self):
-        self.server_thread.start()
-        time.sleep(1)  # TODO: avoid race conditions in other way
-
-    def test_probe_ok(self):
-        self._start_server()
-        assert self.cert == self._probe(b'foo')
-
-    def test_probe_not_recognized_name(self):
-        self._start_server()
-        with pytest.raises(errors.Error):
-            self._probe(b'bar')
-
-    def test_probe_connection_error(self):
-        self.server.server_close()
-        original_timeout = socket.getdefaulttimeout()
-        try:
-            socket.setdefaulttimeout(1)
-            with pytest.raises(errors.Error):
-                self._probe(b'bar')
-        finally:
-            socket.setdefaulttimeout(original_timeout)
-
-
-class SSLSocketTest(unittest.TestCase):
-    """Tests for acme.crypto_util.SSLSocket."""
-
-    def test_ssl_socket_invalid_arguments(self):
-        from acme.crypto_util import SSLSocket
-        with pytest.raises(ValueError):
-            _ = SSLSocket(None, {'sni': ('key', 'cert')},
-                    cert_selection=lambda _: None)
-        with pytest.raises(ValueError):
-            _ = SSLSocket(None)
-
-
-class PyOpenSSLCertOrReqAllNamesTest(unittest.TestCase):
-    """Test for acme.crypto_util._pyopenssl_cert_or_req_all_names."""
-
-    @classmethod
-    def _call(cls, loader, name):
-        # pylint: disable=protected-access
-        from acme.crypto_util import _pyopenssl_cert_or_req_all_names
-        return _pyopenssl_cert_or_req_all_names(loader(name))
-
-    def _call_cert(self, name):
-        return self._call(test_util.load_cert, name)
-
-    def test_cert_one_san_no_common(self):
-        assert self._call_cert('cert-nocn.der') == \
-                         ['no-common-name.badssl.com']
-
-    def test_cert_no_sans_yes_common(self):
-        assert self._call_cert('cert.pem') == ['example.com']
-
-    def test_cert_two_sans_yes_common(self):
-        assert self._call_cert('cert-san.pem') == \
-                         ['example.com', 'www.example.com']
-
-
-class PyOpenSSLCertOrReqSANTest(unittest.TestCase):
-    """Test for acme.crypto_util._pyopenssl_cert_or_req_san."""
-
-    @classmethod
-    def _call(cls, loader, name):
-        # pylint: disable=protected-access
-        from acme.crypto_util import _pyopenssl_cert_or_req_san
-        return _pyopenssl_cert_or_req_san(loader(name))
-
-    @classmethod
-    def _get_idn_names(cls):
-        """Returns expected names from '{cert,csr}-idnsans.pem'."""
-        chars = [chr(i) for i in itertools.chain(range(0x3c3, 0x400),
-                                                 range(0x641, 0x6fc),
-                                                 range(0x1820, 0x1877))]
-        return [''.join(chars[i: i + 45]) + '.invalid'
-                for i in range(0, len(chars), 45)]
-
-    def _call_cert(self, name):
-        return self._call(test_util.load_cert, name)
-
-    def _call_csr(self, name):
-        return self._call(test_util.load_csr, name)
-
-    def test_cert_no_sans(self):
-        assert self._call_cert('cert.pem') == []
-
-    def test_cert_two_sans(self):
-        assert self._call_cert('cert-san.pem') == \
-                         ['example.com', 'www.example.com']
-
-    def test_cert_hundred_sans(self):
-        assert self._call_cert('cert-100sans.pem') == \
-                         ['example{0}.com'.format(i) for i in range(1, 101)]
-
-    def test_cert_idn_sans(self):
-        assert self._call_cert('cert-idnsans.pem') == \
-                         self._get_idn_names()
-
-    def test_csr_no_sans(self):
-        assert self._call_csr('csr-nosans.pem') == []
-
-    def test_csr_one_san(self):
-        assert self._call_csr('csr.pem') == ['example.com']
-
-    def test_csr_two_sans(self):
-        assert self._call_csr('csr-san.pem') == \
-                         ['example.com', 'www.example.com']
-
-    def test_csr_six_sans(self):
-        assert self._call_csr('csr-6sans.pem') == \
-                         ['example.com', 'example.org', 'example.net',
-                          'example.info', 'subdomain.example.com',
-                          'other.subdomain.example.com']
-
-    def test_csr_hundred_sans(self):
-        assert self._call_csr('csr-100sans.pem') == \
-                         ['example{0}.com'.format(i) for i in range(1, 101)]
-
-    def test_csr_idn_sans(self):
-        assert self._call_csr('csr-idnsans.pem') == \
-                         self._get_idn_names()
-
-    def test_critical_san(self):
-        assert self._call_cert('critical-san.pem') == \
-                         ['chicago-cubs.venafi.example', 'cubs.venafi.example']
-
-
-class PyOpenSSLCertOrReqSANIPTest(unittest.TestCase):
-    """Test for acme.crypto_util._pyopenssl_cert_or_req_san_ip."""
-
-    @classmethod
-    def _call(cls, loader, name):
-        # pylint: disable=protected-access
-        from acme.crypto_util import _pyopenssl_cert_or_req_san_ip
-        return _pyopenssl_cert_or_req_san_ip(loader(name))
-
-    def _call_cert(self, name):
-        return self._call(test_util.load_cert, name)
-
-    def _call_csr(self, name):
-        return self._call(test_util.load_csr, name)
-
-    def test_cert_no_sans(self):
-        assert self._call_cert('cert.pem') == []
-
-    def test_csr_no_sans(self):
-        assert self._call_csr('csr-nosans.pem') == []
-
-    def test_cert_domain_sans(self):
-        assert self._call_cert('cert-san.pem') == []
-
-    def test_csr_domain_sans(self):
-        assert self._call_csr('csr-san.pem') == []
-
-    def test_cert_ip_two_sans(self):
-        assert self._call_cert('cert-ipsans.pem') == ['192.0.2.145', '203.0.113.1']
-
-    def test_csr_ip_two_sans(self):
-        assert self._call_csr('csr-ipsans.pem') == ['192.0.2.145', '203.0.113.1']
-
-    def test_csr_ipv6_sans(self):
-        assert self._call_csr('csr-ipv6sans.pem') == \
-                         ['0:0:0:0:0:0:0:1', 'A3BE:32F3:206E:C75D:956:CEE:9858:5EC5']
-
-    def test_cert_ipv6_sans(self):
-        assert self._call_cert('cert-ipv6sans.pem') == \
-                         ['0:0:0:0:0:0:0:1', 'A3BE:32F3:206E:C75D:956:CEE:9858:5EC5']
-
-
-class GenSsCertTest(unittest.TestCase):
-    """Test for gen_ss_cert (generation of self-signed cert)."""
-
-
-    def setUp(self):
-        self.cert_count = 5
-        self.serial_num: List[int] = []
-        self.key = OpenSSL.crypto.PKey()
-        self.key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
-
-    def test_sn_collisions(self):
-        from acme.crypto_util import gen_ss_cert
-        for _ in range(self.cert_count):
-            cert = gen_ss_cert(self.key, ['dummy'], force_san=True,
-                               ips=[ipaddress.ip_address("10.10.10.10")])
-            self.serial_num.append(cert.get_serial_number())
-        assert len(set(self.serial_num)) >= self.cert_count
-
-
-    def test_no_name(self):
-        from acme.crypto_util import gen_ss_cert
-        with pytest.raises(AssertionError):
-            gen_ss_cert(self.key, ips=[ipaddress.ip_address("1.1.1.1")])
-            gen_ss_cert(self.key)
-
-
-class MakeCSRTest(unittest.TestCase):
-    """Test for standalone functions."""
-
-    @classmethod
-    def _call_with_key(cls, *args, **kwargs):
-        privkey = OpenSSL.crypto.PKey()
-        privkey.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
-        privkey_pem = OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, privkey)
-        from acme.crypto_util import make_csr
-        return make_csr(privkey_pem, *args, **kwargs)
-
-    def test_make_csr(self):
-        csr_pem = self._call_with_key(["a.example", "b.example"])
-        assert b'--BEGIN CERTIFICATE REQUEST--' in csr_pem
-        assert b'--END CERTIFICATE REQUEST--' in csr_pem
-        csr = OpenSSL.crypto.load_certificate_request(
-            OpenSSL.crypto.FILETYPE_PEM, csr_pem)
-        # In pyopenssl 0.13 (used with TOXENV=py27-oldest), csr objects don't
-        # have a get_extensions() method, so we skip this test if the method
-        # isn't available.
-        if hasattr(csr, 'get_extensions'):
-            assert len(csr.get_extensions()) == 1
-            assert csr.get_extensions()[0].get_data() == \
-                OpenSSL.crypto.X509Extension(
-                    b'subjectAltName',
-                    critical=False,
-                    value=b'DNS:a.example, DNS:b.example',
-                ).get_data()
-
-    def test_make_csr_ip(self):
-        csr_pem = self._call_with_key(["a.example"], False, [ipaddress.ip_address('127.0.0.1'), ipaddress.ip_address('::1')])
-        assert b'--BEGIN CERTIFICATE REQUEST--' in csr_pem
-        assert b'--END CERTIFICATE REQUEST--' in csr_pem
-        csr = OpenSSL.crypto.load_certificate_request(
-            OpenSSL.crypto.FILETYPE_PEM, csr_pem)
-        # In pyopenssl 0.13 (used with TOXENV=py27-oldest), csr objects don't
-        # have a get_extensions() method, so we skip this test if the method
-        # isn't available.
-        if hasattr(csr, 'get_extensions'):
-            assert len(csr.get_extensions()) == 1
-            assert csr.get_extensions()[0].get_data() == \
-                             OpenSSL.crypto.X509Extension(
-                                 b'subjectAltName',
-                                 critical=False,
-                                 value=b'DNS:a.example, IP:127.0.0.1, IP:::1',
-                             ).get_data()
-            # for IP san it's actually need to be octet-string,
-            # but somewhere downstream thankfully handle it for us
-
-    def test_make_csr_must_staple(self):
-        csr_pem = self._call_with_key(["a.example"], must_staple=True)
-        csr = OpenSSL.crypto.load_certificate_request(
-            OpenSSL.crypto.FILETYPE_PEM, csr_pem)
-
-        # In pyopenssl 0.13 (used with TOXENV=py27-oldest), csr objects don't
-        # have a get_extensions() method, so we skip this test if the method
-        # isn't available.
-        if hasattr(csr, 'get_extensions'):
-            assert len(csr.get_extensions()) == 2
-            # NOTE: Ideally we would filter by the TLS Feature OID, but
-            # OpenSSL.crypto.X509Extension doesn't give us the extension's raw OID,
-            # and the shortname field is just "UNDEF"
-            must_staple_exts = [e for e in csr.get_extensions()
-                if e.get_data() == b"0\x03\x02\x01\x05"]
-            assert len(must_staple_exts) == 1, \
-                "Expected exactly one Must Staple extension"
-
-    def test_make_csr_without_hostname(self):
-        with pytest.raises(ValueError):
-            self._call_with_key()
-
-    def test_make_csr_correct_version(self):
-        csr_pem = self._call_with_key(["a.example"])
-        csr = OpenSSL.crypto.load_certificate_request(
-            OpenSSL.crypto.FILETYPE_PEM, csr_pem)
-
-        assert csr.get_version() == 0, \
-            "Expected CSR version to be v1 (encoded as 0), per RFC 2986, section 4"
-
-
-class DumpPyopensslChainTest(unittest.TestCase):
-    """Test for dump_pyopenssl_chain."""
-
-    @classmethod
-    def _call(cls, loaded):
-        # pylint: disable=protected-access
-        from acme.crypto_util import dump_pyopenssl_chain
-        return dump_pyopenssl_chain(loaded)
-
-    def test_dump_pyopenssl_chain(self):
-        names = ['cert.pem', 'cert-san.pem', 'cert-idnsans.pem']
-        loaded = [test_util.load_cert(name) for name in names]
-        length = sum(
-            len(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert))
-            for cert in loaded)
-        assert len(self._call(loaded)) == length
-
-    def test_dump_pyopenssl_chain_wrapped(self):
-        names = ['cert.pem', 'cert-san.pem', 'cert-idnsans.pem']
-        loaded = [test_util.load_cert(name) for name in names]
-        wrap_func = jose.ComparableX509
-        wrapped = [wrap_func(cert) for cert in loaded]
-        dump_func = OpenSSL.crypto.dump_certificate
-        length = sum(len(dump_func(OpenSSL.crypto.FILETYPE_PEM, cert)) for cert in loaded)
-        assert len(self._call(wrapped)) == length
-
-
-if __name__ == '__main__':
-    sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover

acme/acme/_internal/tests/test_util.py

@@ -1,81 +0,0 @@
-"""Test utilities.
-
-.. warning:: This module is not part of the public API.
-
-"""
-import os
-import sys
-
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import serialization
-import josepy as jose
-from josepy.util import ComparableECKey
-from OpenSSL import crypto
-
-if sys.version_info >= (3, 9):  # pragma: no cover
-    import importlib.resources as importlib_resources
-else:  # pragma: no cover
-    import importlib_resources
-
-
-def load_vector(*names):
-    """Load contents of a test vector."""
-    # luckily, resource_string opens file in binary mode
-    vector_ref = importlib_resources.files(__package__).joinpath('testdata', *names)
-    return vector_ref.read_bytes()
-
-
-def _guess_loader(filename, loader_pem, loader_der):
-    _, ext = os.path.splitext(filename)
-    if ext.lower() == '.pem':
-        return loader_pem
-    elif ext.lower() == '.der':
-        return loader_der
-    raise ValueError("Loader could not be recognized based on extension")  # pragma: no cover
-
-
-def load_cert(*names):
-    """Load certificate."""
-    loader = _guess_loader(
-        names[-1], crypto.FILETYPE_PEM, crypto.FILETYPE_ASN1)
-    return crypto.load_certificate(loader, load_vector(*names))
-
-
-def load_comparable_cert(*names):
-    """Load ComparableX509 cert."""
-    return jose.ComparableX509(load_cert(*names))
-
-
-def load_csr(*names):
-    """Load certificate request."""
-    loader = _guess_loader(
-        names[-1], crypto.FILETYPE_PEM, crypto.FILETYPE_ASN1)
-    return crypto.load_certificate_request(loader, load_vector(*names))
-
-
-def load_comparable_csr(*names):
-    """Load ComparableX509 certificate request."""
-    return jose.ComparableX509(load_csr(*names))
-
-
-def load_rsa_private_key(*names):
-    """Load RSA private key."""
-    loader = _guess_loader(names[-1], serialization.load_pem_private_key,
-                           serialization.load_der_private_key)
-    return jose.ComparableRSAKey(loader(
-        load_vector(*names), password=None, backend=default_backend()))
-
-
-def load_ecdsa_private_key(*names):
-    """Load ECDSA private key."""
-    loader = _guess_loader(names[-1], serialization.load_pem_private_key,
-                           serialization.load_der_private_key)
-    return ComparableECKey(loader(
-        load_vector(*names), password=None, backend=default_backend()))
-
-
-def load_pyopenssl_private_key(*names):
-    """Load pyOpenSSL private key."""
-    loader = _guess_loader(
-        names[-1], crypto.FILETYPE_PEM, crypto.FILETYPE_ASN1)
-    return crypto.load_privatekey(loader, load_vector(*names))

acme/acme/_internal/tests/testdata/csr-mixed.pem

@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICdjCCAV4CAQIwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMXq
-v1y8EIcCbaUIzCtOcLkLS0MJ35oS+6DmV5WB1A0cIk6YrjsHIsY2lwMm13BWIvmw
-tY+Y6n0rr7eViNx5ZRGHpHEI/TL3Neb+VefTydL5CgvK3dd4ex2kSbTaed3fmpOx
-qMajEduwNcZPCcmoEXPkfrCP8w2vKQUkQ+JRPcdX1nTuzticeRP5B7YCmJsmxkEh
-Y0tzzZ+NIRDARoYNofefY86h3e5q66gtJxccNchmIM3YQahhg5n3Xoo8hGfM/TIc
-R7ncCBCLO6vtqo0QFva/NQODrgOmOsmgvqPkUWQFdZfWM8yIaU826dktx0CPB78t
-TudnJ1rBRvGsjHMsZikCAwEAAaAxMC8GCSqGSIb3DQEJDjEiMCAwHgYDVR0RBBcw
-FYINYS5leGVtcGxlLmNvbYcEwAACbzANBgkqhkiG9w0BAQsFAAOCAQEAdGMcRCxq
-1X09gn1TNdMt64XUv+wdJCKDaJ+AgyIJj7QvVw8H5k7dOnxS4I+a/yo4jE+LDl2/
-AuHcBLFEI4ddewdJSMrTNZjuRYuOdr3KP7fL7MffICSBi45vw5EOXg0tnjJCEiKu
-6gcJgbLSP5JMMd7Haf33Q/VWsmHofR3VwOMdrnakwAU3Ff5WTuXTNVhL1kT/uLFX
-yW1ru6BF4unwNqSR2UeulljpNfRBsiN4zJK11W6n9KT0NkBr9zY5WCM4sW7i8k9V
-TeypWGo3jBKzYAGeuxZsB97U77jZ2lrGdBLZKfbcjnTeRVqCvCRrui4El7UGYFmj
-7s6OJyWx5DSV8w==
------END CERTIFICATE REQUEST-----

acme/acme/crypto_util.py

@@ -1,458 +0,0 @@
-"""Crypto utilities."""
-import binascii
-import contextlib
-import ipaddress
-import logging
-import os
-import re
-import socket
-from typing import Any
-from typing import Callable
-from typing import List
-from typing import Mapping
-from typing import Optional
-from typing import Sequence
-from typing import Set
-from typing import Tuple
-from typing import Union
-
-import josepy as jose
-from OpenSSL import crypto
-from OpenSSL import SSL
-
-from acme import errors
-
-logger = logging.getLogger(__name__)
-
-# Default SSL method selected here is the most compatible, while secure
-# SSL method: TLSv1_METHOD is only compatible with
-# TLSv1_METHOD, while SSLv23_METHOD is compatible with all other
-# methods, including TLSv2_METHOD (read more at
-# https://www.openssl.org/docs/ssl/SSLv23_method.html). _serve_sni
-# should be changed to use "set_options" to disable SSLv2 and SSLv3,
-# in case it's used for things other than probing/serving!
-_DEFAULT_SSL_METHOD = SSL.SSLv23_METHOD
-
-
-class _DefaultCertSelection:
-    def __init__(self, certs: Mapping[bytes, Tuple[crypto.PKey, crypto.X509]]):
-        self.certs = certs
-
-    def __call__(self, connection: SSL.Connection) -> Optional[Tuple[crypto.PKey, crypto.X509]]:
-        server_name = connection.get_servername()
-        if server_name:
-            return self.certs.get(server_name, None)
-        return None # pragma: no cover
-
-
-class SSLSocket:  # pylint: disable=too-few-public-methods
-    """SSL wrapper for sockets.
-
-    :ivar socket sock: Original wrapped socket.
-    :ivar dict certs: Mapping from domain names (`bytes`) to
-        `OpenSSL.crypto.X509`.
-    :ivar method: See `OpenSSL.SSL.Context` for allowed values.
-    :ivar alpn_selection: Hook to select negotiated ALPN protocol for
-        connection.
-    :ivar cert_selection: Hook to select certificate for connection. If given,
-        `certs` parameter would be ignored, and therefore must be empty.
-
-    """
-    def __init__(self, sock: socket.socket,
-                 certs: Optional[Mapping[bytes, Tuple[crypto.PKey, crypto.X509]]] = None,
-                 method: int = _DEFAULT_SSL_METHOD,
-                 alpn_selection: Optional[Callable[[SSL.Connection, List[bytes]], bytes]] = None,
-                 cert_selection: Optional[Callable[[SSL.Connection],
-                                                   Optional[Tuple[crypto.PKey,
-                                                                  crypto.X509]]]] = None
-                 ) -> None:
-        self.sock = sock
-        self.alpn_selection = alpn_selection
-        self.method = method
-        if not cert_selection and not certs:
-            raise ValueError("Neither cert_selection or certs specified.")
-        if cert_selection and certs:
-            raise ValueError("Both cert_selection and certs specified.")
-        actual_cert_selection: Union[_DefaultCertSelection,
-                                     Optional[Callable[[SSL.Connection],
-                                                       Optional[Tuple[crypto.PKey,
-                                                                crypto.X509]]]]] = cert_selection
-        if actual_cert_selection is None:
-            actual_cert_selection = _DefaultCertSelection(certs if certs else {})
-        self.cert_selection = actual_cert_selection
-
-    def __getattr__(self, name: str) -> Any:
-        return getattr(self.sock, name)
-
-    def _pick_certificate_cb(self, connection: SSL.Connection) -> None:
-        """SNI certificate callback.
-
-        This method will set a new OpenSSL context object for this
-        connection when an incoming connection provides an SNI name
-        (in order to serve the appropriate certificate, if any).
-
-        :param connection: The TLS connection object on which the SNI
-            extension was received.
-        :type connection: :class:`OpenSSL.Connection`
-
-        """
-        pair = self.cert_selection(connection)
-        if pair is None:
-            logger.debug("Certificate selection for server name %s failed, dropping SSL",
-                         connection.get_servername())
-            return
-        key, cert = pair
-        new_context = SSL.Context(self.method)
-        new_context.set_options(SSL.OP_NO_SSLv2)
-        new_context.set_options(SSL.OP_NO_SSLv3)
-        new_context.use_privatekey(key)
-        new_context.use_certificate(cert)
-        if self.alpn_selection is not None:
-            new_context.set_alpn_select_callback(self.alpn_selection)
-        connection.set_context(new_context)
-
-    class FakeConnection:
-        """Fake OpenSSL.SSL.Connection."""
-
-        # pylint: disable=missing-function-docstring
-
-        def __init__(self, connection: SSL.Connection) -> None:
-            self._wrapped = connection
-
-        def __getattr__(self, name: str) -> Any:
-            return getattr(self._wrapped, name)
-
-        def shutdown(self, *unused_args: Any) -> bool:
-            # OpenSSL.SSL.Connection.shutdown doesn't accept any args
-            try:
-                return self._wrapped.shutdown()
-            except SSL.Error as error:
-                # We wrap the error so we raise the same error type as sockets
-                # in the standard library. This is useful when this object is
-                # used by code which expects a standard socket such as
-                # socketserver in the standard library.
-                raise socket.error(error)
-
-    def accept(self) -> Tuple[FakeConnection, Any]:  # pylint: disable=missing-function-docstring
-        sock, addr = self.sock.accept()
-
-        try:
-            context = SSL.Context(self.method)
-            context.set_options(SSL.OP_NO_SSLv2)
-            context.set_options(SSL.OP_NO_SSLv3)
-            context.set_tlsext_servername_callback(self._pick_certificate_cb)
-            if self.alpn_selection is not None:
-                context.set_alpn_select_callback(self.alpn_selection)
-
-            ssl_sock = self.FakeConnection(SSL.Connection(context, sock))
-            ssl_sock.set_accept_state()
-
-            # This log line is especially desirable because without it requests to
-            # our standalone TLSALPN server would not be logged.
-            logger.debug("Performing handshake with %s", addr)
-            try:
-                ssl_sock.do_handshake()
-            except SSL.Error as error:
-                # _pick_certificate_cb might have returned without
-                # creating SSL context (wrong server name)
-                raise socket.error(error)
-
-            return ssl_sock, addr
-        except:
-            # If we encounter any error, close the new socket before reraising
-            # the exception.
-            sock.close()
-            raise
-
-
-def probe_sni(name: bytes, host: bytes, port: int = 443, timeout: int = 300,  # pylint: disable=too-many-arguments
-              method: int = _DEFAULT_SSL_METHOD, source_address: Tuple[str, int] = ('', 0),
-              alpn_protocols: Optional[Sequence[bytes]] = None) -> crypto.X509:
-    """Probe SNI server for SSL certificate.
-
-    :param bytes name: Byte string to send as the server name in the
-        client hello message.
-    :param bytes host: Host to connect to.
-    :param int port: Port to connect to.
-    :param int timeout: Timeout in seconds.
-    :param method: See `OpenSSL.SSL.Context` for allowed values.
-    :param tuple source_address: Enables multi-path probing (selection
-        of source interface). See `socket.creation_connection` for more
-        info. Available only in Python 2.7+.
-    :param alpn_protocols: Protocols to request using ALPN.
-    :type alpn_protocols: `Sequence` of `bytes`
-
-    :raises acme.errors.Error: In case of any problems.
-
-    :returns: SSL certificate presented by the server.
-    :rtype: OpenSSL.crypto.X509
-
-    """
-    context = SSL.Context(method)
-    context.set_timeout(timeout)
-
-    socket_kwargs = {'source_address': source_address}
-
-    try:
-        logger.debug(
-            "Attempting to connect to %s:%d%s.", host, port,
-            " from {0}:{1}".format(
-                source_address[0],
-                source_address[1]
-            ) if any(source_address) else ""
-        )
-        socket_tuple: Tuple[bytes, int] = (host, port)
-        sock = socket.create_connection(socket_tuple, **socket_kwargs)  # type: ignore[arg-type]
-    except socket.error as error:
-        raise errors.Error(error)
-
-    with contextlib.closing(sock) as client:
-        client_ssl = SSL.Connection(context, client)
-        client_ssl.set_connect_state()
-        client_ssl.set_tlsext_host_name(name)  # pyOpenSSL>=0.13
-        if alpn_protocols is not None:
-            client_ssl.set_alpn_protos(alpn_protocols)
-        try:
-            client_ssl.do_handshake()
-            client_ssl.shutdown()
-        except SSL.Error as error:
-            raise errors.Error(error)
-    cert = client_ssl.get_peer_certificate()
-    assert cert # Appease mypy. We would have crashed out by now if there was no certificate.
-    return cert
-
-
-def make_csr(private_key_pem: bytes, domains: Optional[Union[Set[str], List[str]]] = None,
-             must_staple: bool = False,
-             ipaddrs: Optional[List[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]] = None
-             ) -> bytes:
-    """Generate a CSR containing domains or IPs as subjectAltNames.
-
-    :param buffer private_key_pem: Private key, in PEM PKCS#8 format.
-    :param list domains: List of DNS names to include in subjectAltNames of CSR.
-    :param bool must_staple: Whether to include the TLS Feature extension (aka
-        OCSP Must Staple: https://tools.ietf.org/html/rfc7633).
-    :param list ipaddrs: List of IPaddress(type ipaddress.IPv4Address or ipaddress.IPv6Address)
-    names to include in subbjectAltNames of CSR.
-    params ordered this way for backward competablity when called by positional argument.
-    :returns: buffer PEM-encoded Certificate Signing Request.
-    """
-    private_key = crypto.load_privatekey(
-        crypto.FILETYPE_PEM, private_key_pem)
-    csr = crypto.X509Req()
-    sanlist = []
-    # if domain or ip list not supplied make it empty list so it's easier to iterate
-    if domains is None:
-        domains = []
-    if ipaddrs is None:
-        ipaddrs = []
-    if len(domains)+len(ipaddrs) == 0:
-        raise ValueError("At least one of domains or ipaddrs parameter need to be not empty")
-    for address in domains:
-        sanlist.append('DNS:' + address)
-    for ips in ipaddrs:
-        sanlist.append('IP:' + ips.exploded)
-    # make sure its ascii encoded
-    san_string = ', '.join(sanlist).encode('ascii')
-    # for IP san it's actually need to be octet-string,
-    # but somewhere downsteam thankfully handle it for us
-    extensions = [
-        crypto.X509Extension(
-            b'subjectAltName',
-            critical=False,
-            value=san_string
-        ),
-    ]
-    if must_staple:
-        extensions.append(crypto.X509Extension(
-            b"1.3.6.1.5.5.7.1.24",
-            critical=False,
-            value=b"DER:30:03:02:01:05"))
-    csr.add_extensions(extensions)
-    csr.set_pubkey(private_key)
-    # RFC 2986 Section 4.1 only defines version 0
-    csr.set_version(0)
-    csr.sign(private_key, 'sha256')
-    return crypto.dump_certificate_request(
-        crypto.FILETYPE_PEM, csr)
-
-
-def _pyopenssl_cert_or_req_all_names(loaded_cert_or_req: Union[crypto.X509, crypto.X509Req]
-                                     ) -> List[str]:
-    # unlike its name this only outputs DNS names, other type of idents will ignored
-    common_name = loaded_cert_or_req.get_subject().CN
-    sans = _pyopenssl_cert_or_req_san(loaded_cert_or_req)
-
-    if common_name is None:
-        return sans
-    return [common_name] + [d for d in sans if d != common_name]
-
-
-def _pyopenssl_cert_or_req_san(cert_or_req: Union[crypto.X509, crypto.X509Req]) -> List[str]:
-    """Get Subject Alternative Names from certificate or CSR using pyOpenSSL.
-
-    .. todo:: Implement directly in PyOpenSSL!
-
-    .. note:: Although this is `acme` internal API, it is used by
-        `letsencrypt`.
-
-    :param cert_or_req: Certificate or CSR.
-    :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`.
-
-    :returns: A list of Subject Alternative Names that is DNS.
-    :rtype: `list` of `str`
-
-    """
-    # This function finds SANs with dns name
-
-    # constants based on PyOpenSSL certificate/CSR text dump
-    part_separator = ":"
-    prefix = "DNS" + part_separator
-
-    sans_parts = _pyopenssl_extract_san_list_raw(cert_or_req)
-
-    return [part.split(part_separator)[1]
-            for part in sans_parts if part.startswith(prefix)]
-
-
-def _pyopenssl_cert_or_req_san_ip(cert_or_req: Union[crypto.X509, crypto.X509Req]) -> List[str]:
-    """Get Subject Alternative Names IPs from certificate or CSR using pyOpenSSL.
-
-    :param cert_or_req: Certificate or CSR.
-    :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`.
-
-    :returns: A list of Subject Alternative Names that are IP Addresses.
-    :rtype: `list` of `str`. note that this returns as string, not IPaddress object
-
-    """
-
-    # constants based on PyOpenSSL certificate/CSR text dump
-    part_separator = ":"
-    prefix = "IP Address" + part_separator
-
-    sans_parts = _pyopenssl_extract_san_list_raw(cert_or_req)
-
-    return [part[len(prefix):] for part in sans_parts if part.startswith(prefix)]
-
-
-def _pyopenssl_extract_san_list_raw(cert_or_req: Union[crypto.X509, crypto.X509Req]) -> List[str]:
-    """Get raw SAN string from cert or csr, parse it as UTF-8 and return.
-
-    :param cert_or_req: Certificate or CSR.
-    :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`.
-
-    :returns: raw san strings, parsed byte as utf-8
-    :rtype: `list` of `str`
-
-    """
-    # This function finds SANs by dumping the certificate/CSR to text and
-    # searching for "X509v3 Subject Alternative Name" in the text. This method
-    # is used to because in PyOpenSSL version <0.17 `_subjectAltNameString` methods are
-    # not able to Parse IP Addresses in subjectAltName string.
-
-    if isinstance(cert_or_req, crypto.X509):
-        # pylint: disable=line-too-long
-        text = crypto.dump_certificate(crypto.FILETYPE_TEXT, cert_or_req).decode('utf-8')
-    else:
-        text = crypto.dump_certificate_request(crypto.FILETYPE_TEXT, cert_or_req).decode('utf-8')
-    # WARNING: this function does not support multiple SANs extensions.
-    # Multiple X509v3 extensions of the same type is disallowed by RFC 5280.
-    raw_san = re.search(r"X509v3 Subject Alternative Name:(?: critical)?\s*(.*)", text)
-
-    parts_separator = ", "
-    # WARNING: this function assumes that no SAN can include
-    # parts_separator, hence the split!
-    sans_parts = [] if raw_san is None else raw_san.group(1).split(parts_separator)
-    return sans_parts
-
-
-def gen_ss_cert(key: crypto.PKey, domains: Optional[List[str]] = None,
-                not_before: Optional[int] = None,
-                validity: int = (7 * 24 * 60 * 60), force_san: bool = True,
-                extensions: Optional[List[crypto.X509Extension]] = None,
-                ips: Optional[List[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]] = None
-                ) -> crypto.X509:
-    """Generate new self-signed certificate.
-
-    :type domains: `list` of `str`
-    :param OpenSSL.crypto.PKey key:
-    :param bool force_san:
-    :param extensions: List of additional extensions to include in the cert.
-    :type extensions: `list` of `OpenSSL.crypto.X509Extension`
-    :type ips: `list` of (`ipaddress.IPv4Address` or `ipaddress.IPv6Address`)
-
-    If more than one domain is provided, all of the domains are put into
-    ``subjectAltName`` X.509 extension and first domain is set as the
-    subject CN. If only one domain is provided no ``subjectAltName``
-    extension is used, unless `force_san` is ``True``.
-
-    """
-    assert domains or ips, "Must provide one or more hostnames or IPs for the cert."
-
-    cert = crypto.X509()
-    cert.set_serial_number(int(binascii.hexlify(os.urandom(16)), 16))
-    cert.set_version(2)
-
-    if extensions is None:
-        extensions = []
-    if domains is None:
-        domains = []
-    if ips is None:
-        ips = []
-    extensions.append(
-        crypto.X509Extension(
-            b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
-    )
-
-    if len(domains) > 0:
-        cert.get_subject().CN = domains[0]
-    # TODO: what to put into cert.get_subject()?
-    cert.set_issuer(cert.get_subject())
-
-    sanlist = []
-    for address in domains:
-        sanlist.append('DNS:' + address)
-    for ip in ips:
-        sanlist.append('IP:' + ip.exploded)
-    san_string = ', '.join(sanlist).encode('ascii')
-    if force_san or len(domains) > 1 or len(ips) > 0:
-        extensions.append(crypto.X509Extension(
-            b"subjectAltName",
-            critical=False,
-            value=san_string
-        ))
-
-    cert.add_extensions(extensions)
-
-    cert.gmtime_adj_notBefore(0 if not_before is None else not_before)
-    cert.gmtime_adj_notAfter(validity)
-
-    cert.set_pubkey(key)
-    cert.sign(key, "sha256")
-    return cert
-
-
-def dump_pyopenssl_chain(chain: Union[List[jose.ComparableX509], List[crypto.X509]],
-                         filetype: int = crypto.FILETYPE_PEM) -> bytes:
-    """Dump certificate chain into a bundle.
-
-    :param list chain: List of `OpenSSL.crypto.X509` (or wrapped in
-        :class:`josepy.util.ComparableX509`).
-
-    :returns: certificate chain bundle
-    :rtype: bytes
-
-    """
-    # XXX: returns empty string when no chain is available, which
-    # shuts up RenewableCert, but might not be the best solution...
-
-    def _dump_cert(cert: Union[jose.ComparableX509, crypto.X509]) -> bytes:
-        if isinstance(cert, jose.ComparableX509):
-            if isinstance(cert.wrapped, crypto.X509Req):
-                raise errors.Error("Unexpected CSR provided.")  # pragma: no cover
-            cert = cert.wrapped
-        return crypto.dump_certificate(filetype, cert)
-
-    # assumes that OpenSSL.crypto.dump_certificate includes ending
-    # newline character
-    return b"".join(_dump_cert(cert) for cert in chain)

acme/docs/api/crypto_util.rst

@@ -0,0 +1,5 @@
+Crypto_util
+-----------
+
+.. automodule:: acme.crypto_util
+   :members:

acme/docs/api/jws.rst

@@ -0,0 +1,5 @@
+JWS
+---
+
+.. automodule:: acme.jws
+   :members:

acme/docs/api/util.rst

@@ -0,0 +1,5 @@
+Util
+----
+
+.. automodule:: acme.util
+   :members:

acme/examples/http01_example.py

@@ -27,10 +27,11 @@ Workflow:
 """
 from contextlib import contextmanager
 
+from cryptography import x509
 from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 import josepy as jose
-import OpenSSL
 
 from acme import challenges
 from acme import client
@@ -68,10 +69,11 @@ def new_csr_comp(domain_name, pkey_pem=None):
     """Create certificate signing request."""
     if pkey_pem is None:
         # Create private key.
-        pkey = OpenSSL.crypto.PKey()
-        pkey.generate_key(OpenSSL.crypto.TYPE_RSA, CERT_PKEY_BITS)
-        pkey_pem = OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM,
-                                                  pkey)
+        pkey = rsa.generate_private_key(public_exponent=65537, key_size=CERT_PKEY_BITS)
+        pkey_pem = pkey.private_bytes(encoding=serialization.Encoding.PEM,
+                                      format=serialization.PrivateFormat.PKCS8,
+                                      encryption_algorithm=serialization.NoEncryption())
+
     csr_pem = crypto_util.make_csr(pkey_pem, [domain_name])
     return pkey_pem, csr_pem
 
@@ -168,11 +170,8 @@ def example_http():
 
     # Terms of Service URL is in client_acme.directory.meta.terms_of_service
     # Registration Resource: regr
-    # Creates account with contact information.
-    email = ('fake@example.com')
     regr = client_acme.new_account(
-        messages.NewRegistration.from_data(
-            email=email, terms_of_service_agreed=True))
+        messages.NewRegistration.from_data(terms_of_service_agreed=True))
 
     # Create domain private key and CSR
     pkey_pem, csr_pem = new_csr_comp(DOMAIN)
@@ -200,9 +199,7 @@ def example_http():
 
     # Revoke certificate
 
-    fullchain_com = jose.ComparableX509(
-        OpenSSL.crypto.load_certificate(
-            OpenSSL.crypto.FILETYPE_PEM, fullchain_pem))
+    fullchain_com = x509.load_pem_x509_certificate(fullchain_pem.encode())
 
     try:
         client_acme.revoke(fullchain_com, 0)  # revocation reason = 0

acme/pyproject.toml

@@ -0,0 +1,55 @@
+[build-system]
+requires = ["setuptools"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "acme"
+dynamic = ["version"]
+description = "ACME protocol implementation in Python"
+readme = "README.rst"
+license = "Apache-2.0"
+requires-python = ">=3.10"
+authors = [
+    { name = "Certbot Project", email = "certbot-dev@eff.org" },
+]
+classifiers = [
+    "Development Status :: 5 - Production/Stable",
+    "Intended Audience :: Developers",
+    "Programming Language :: Python",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Internet :: WWW/HTTP",
+    "Topic :: Security",
+]
+dependencies = [
+    "cryptography>=43.0.0",
+    "josepy>=2.0.0",
+    # PyOpenSSL>=25.0.0 is just needed to satisfy mypy right now so this dependency can probably be
+    # relaxed to >=24.0.0 if needed.
+    "PyOpenSSL>=25.0.0",
+    "pyrfc3339",
+    "requests>=2.25.1",
+]
+
+[project.optional-dependencies]
+docs = [
+    "Sphinx>=1.0", # autodoc_member_order = 'bysource', autodoc_default_flags
+    "sphinx_rtd_theme",
+]
+test = [
+    "pytest",
+    "pytest-xdist",
+    "typing-extensions",
+]
+
+[project.urls]
+Homepage = "https://github.com/certbot/certbot"
+
+[tool.setuptools]
+package-dir = {"" = "src"}
+
+[tool.setuptools.packages.find]
+where = ["src"]

acme/pytest.ini

@@ -1,2 +0,0 @@
-[pytest]
-norecursedirs = .* build dist CVS _darcs {arch} *.egg

acme/setup.py

@@ -1,72 +1,7 @@
-import sys
-
-from setuptools import find_packages
 from setuptools import setup
 
-version = '2.12.0.dev0'
-
-install_requires = [
-    'cryptography>=3.2.1',
-    # Josepy 2+ may introduce backward incompatible changes by droping usage of
-    # deprecated PyOpenSSL APIs.
-    'josepy>=1.13.0, <2',
-    # pyOpenSSL 23.1.0 is a bad release: https://github.com/pyca/pyopenssl/issues/1199
-    'PyOpenSSL>=17.5.0,!=23.1.0',
-    'pyrfc3339',
-    'pytz>=2019.3',
-    'requests>=2.20.0',
-    'setuptools>=41.6.0',
-]
-
-docs_extras = [
-    'Sphinx>=1.0',  # autodoc_member_order = 'bysource', autodoc_default_flags
-    'sphinx_rtd_theme',
-]
-
-test_extras = [
-    # In theory we could scope importlib_resources to env marker 'python_version<"3.9"'. But this
-    # makes the pinning mechanism emit warnings when running `poetry lock` because in the corner
-    # case of an extra dependency with env marker coming from a setup.py file, it generate the
-    # invalid requirement 'importlib_resource>=1.3.1;python<=3.9;extra=="test"'.
-    # To fix the issue, we do not pass the env marker. This is fine because:
-    # - importlib_resources can be applied to any Python version,
-    # - this is a "test" extra dependency for limited audience,
-    # - it does not change anything at the end for the generated requirement files.
-    'importlib_resources>=1.3.1',
-    'pytest',
-    'pytest-xdist',
-    'typing-extensions',
-]
+version = '5.2.0.dev0'
 
 setup(
-    name='acme',
     version=version,
-    description='ACME protocol implementation in Python',
-    url='https://github.com/certbot/certbot',
-    author="Certbot Project",
-    author_email='certbot-dev@eff.org',
-    license='Apache License 2.0',
-    python_requires='>=3.8',
-    classifiers=[
-        'Development Status :: 5 - Production/Stable',
-        'Intended Audience :: Developers',
-        'License :: OSI Approved :: Apache Software License',
-        'Programming Language :: Python',
-        'Programming Language :: Python :: 3',
-        'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
-        'Programming Language :: Python :: 3.10',
-        'Programming Language :: Python :: 3.11',
-        'Programming Language :: Python :: 3.12',
-        'Topic :: Internet :: WWW/HTTP',
-        'Topic :: Security',
-    ],
-
-    packages=find_packages(),
-    include_package_data=True,
-    install_requires=install_requires,
-    extras_require={
-        'docs': docs_extras,
-        'test': test_extras,
-    },
 )

acme/src/acme/__init__.py

@@ -12,7 +12,7 @@ import sys
 #
 # It is based on
 # https://github.com/requests/requests/blob/1278ecdf71a312dc2268f3bfc0aabfab3c006dcf/requests/packages.py
-import josepy as jose
+import josepy as jose # noqa: F401
 
 for mod in list(sys.modules):
     # This traversal is apparently necessary such that the identities are

acme/src/acme/_internal/tests/challenges_test.py

@@ -6,14 +6,12 @@ import urllib.parse as urllib_parse
 
 import josepy as jose
 from josepy.jwk import JWKEC
-import OpenSSL
 import pytest
 import requests
 
-from acme import errors
 from acme._internal.tests import test_util
 
-CERT = test_util.load_comparable_cert('cert.pem')
+CERT = test_util.load_cert('cert.pem')
 KEY = jose.JWKRSA(key=test_util.load_rsa_private_key('rsa512_key.pem'))
 
 
@@ -263,126 +261,6 @@ class HTTP01Test(unittest.TestCase):
         assert not self.msg.update(token=b'..').good_token
 
 
-class TLSALPN01ResponseTest(unittest.TestCase):
-
-    def setUp(self):
-        from acme.challenges import TLSALPN01
-        self.chall = TLSALPN01(
-            token=jose.b64decode(b'a82d5ff8ef740d12881f6d3c2277ab2e'))
-        self.domain = u'example.com'
-        self.domain2 = u'example2.com'
-
-        self.response = self.chall.response(KEY)
-        self.jmsg = {
-            'resource': 'challenge',
-            'type': 'tls-alpn-01',
-            'keyAuthorization': self.response.key_authorization,
-        }
-
-    def test_to_partial_json(self):
-        assert {} == self.response.to_partial_json()
-
-    def test_from_json(self):
-        from acme.challenges import TLSALPN01Response
-        assert self.response == TLSALPN01Response.from_json(self.jmsg)
-
-    def test_from_json_hashable(self):
-        from acme.challenges import TLSALPN01Response
-        hash(TLSALPN01Response.from_json(self.jmsg))
-
-    def test_gen_verify_cert(self):
-        key1 = test_util.load_pyopenssl_private_key('rsa512_key.pem')
-        cert, key2 = self.response.gen_cert(self.domain, key1)
-        assert key1 == key2
-        assert self.response.verify_cert(self.domain, cert)
-
-    def test_gen_verify_cert_gen_key(self):
-        cert, key = self.response.gen_cert(self.domain)
-        assert isinstance(key, OpenSSL.crypto.PKey)
-        assert self.response.verify_cert(self.domain, cert)
-
-    def test_verify_bad_cert(self):
-        assert not self.response.verify_cert(self.domain,
-            test_util.load_cert('cert.pem'))
-
-    def test_verify_bad_domain(self):
-        key1 = test_util.load_pyopenssl_private_key('rsa512_key.pem')
-        cert, key2 = self.response.gen_cert(self.domain, key1)
-        assert key1 == key2
-        assert not self.response.verify_cert(self.domain2, cert)
-
-    def test_simple_verify_bad_key_authorization(self):
-        key2 = jose.JWKRSA.load(test_util.load_vector('rsa256_key.pem'))
-        self.response.simple_verify(self.chall, "local", key2.public_key())
-
-    @mock.patch('acme.challenges.TLSALPN01Response.verify_cert', autospec=True)
-    def test_simple_verify(self, mock_verify_cert):
-        mock_verify_cert.return_value = mock.sentinel.verification
-        assert mock.sentinel.verification == self.response.simple_verify(
-                self.chall, self.domain, KEY.public_key(),
-                cert=mock.sentinel.cert)
-        mock_verify_cert.assert_called_once_with(
-            self.response, self.domain, mock.sentinel.cert)
-
-    @mock.patch('acme.challenges.socket.gethostbyname')
-    @mock.patch('acme.challenges.crypto_util.probe_sni')
-    def test_probe_cert(self, mock_probe_sni, mock_gethostbyname):
-        mock_gethostbyname.return_value = '127.0.0.1'
-        self.response.probe_cert('foo.com')
-        mock_gethostbyname.assert_called_once_with('foo.com')
-        mock_probe_sni.assert_called_once_with(
-            host=b'127.0.0.1', port=self.response.PORT, name=b'foo.com',
-            alpn_protocols=[b'acme-tls/1'])
-
-        self.response.probe_cert('foo.com', host='8.8.8.8')
-        mock_probe_sni.assert_called_with(
-            host=b'8.8.8.8', port=mock.ANY, name=b'foo.com',
-            alpn_protocols=[b'acme-tls/1'])
-
-    @mock.patch('acme.challenges.TLSALPN01Response.probe_cert')
-    def test_simple_verify_false_on_probe_error(self, mock_probe_cert):
-        mock_probe_cert.side_effect = errors.Error
-        assert not self.response.simple_verify(
-            self.chall, self.domain, KEY.public_key())
-
-
-class TLSALPN01Test(unittest.TestCase):
-
-    def setUp(self):
-        from acme.challenges import TLSALPN01
-        self.msg = TLSALPN01(
-            token=jose.b64decode('a82d5ff8ef740d12881f6d3c2277ab2e'))
-        self.jmsg = {
-            'type': 'tls-alpn-01',
-            'token': 'a82d5ff8ef740d12881f6d3c2277ab2e',
-        }
-
-    def test_to_partial_json(self):
-        assert self.jmsg == self.msg.to_partial_json()
-
-    def test_from_json(self):
-        from acme.challenges import TLSALPN01
-        assert self.msg == TLSALPN01.from_json(self.jmsg)
-
-    def test_from_json_hashable(self):
-        from acme.challenges import TLSALPN01
-        hash(TLSALPN01.from_json(self.jmsg))
-
-    def test_from_json_invalid_token_length(self):
-        from acme.challenges import TLSALPN01
-        self.jmsg['token'] = jose.encode_b64jose(b'abcd')
-        with pytest.raises(jose.DeserializationError):
-            TLSALPN01.from_json(self.jmsg)
-
-    @mock.patch('acme.challenges.TLSALPN01Response.gen_cert')
-    def test_validation(self, mock_gen_cert):
-        mock_gen_cert.return_value = ('cert', 'key')
-        assert ('cert', 'key') == self.msg.validation(
-            KEY, cert_key=mock.sentinel.cert_key, domain=mock.sentinel.domain)
-        mock_gen_cert.assert_called_once_with(key=mock.sentinel.cert_key,
-                                              domain=mock.sentinel.domain)
-
-
 class DNSTest(unittest.TestCase):
 
     def setUp(self):

acme/src/acme/_internal/tests/client_test.py

@@ -5,10 +5,11 @@ import datetime
 import http.client as http_client
 import json
 import sys
-from typing import Dict
 import unittest
 from unittest import mock
 
+from cryptography import x509
+
 import josepy as jose
 import pytest
 import requests
@@ -24,6 +25,7 @@ from acme.client import ClientV2
 
 CERT_SAN_PEM = test_util.load_vector('cert-san.pem')
 CSR_MIXED_PEM = test_util.load_vector('csr-mixed.pem')
+CSR_NO_SANS_PEM = test_util.load_vector('csr-nosans.pem')
 KEY = jose.JWKRSA.load(test_util.load_vector('rsa512_key.pem'))
 
 DIRECTORY_V2 = messages.Directory({
@@ -52,7 +54,7 @@ class ClientV2Test(unittest.TestCase):
         self.contact = ('mailto:cert-admin@example.com', 'tel:+12025551212')
         reg = messages.Registration(
             contact=self.contact, key=KEY.public_key())
-        the_arg: Dict = dict(reg)
+        the_arg: dict = dict(reg)
         self.new_reg = messages.NewRegistration(**the_arg)
         self.regr = messages.RegistrationResource(
             body=reg, uri='https://www.letsencrypt-demo.org/acme/reg/1')
@@ -97,6 +99,10 @@ class ClientV2Test(unittest.TestCase):
             body=self.order,
             uri='https://www.letsencrypt-demo.org/acme/acct/1/order/1',
             authorizations=[self.authzr, self.authzr2], csr_pem=CSR_MIXED_PEM)
+        self.orderr2 = messages.OrderResource(
+            body=self.order,
+            uri='https://www.letsencrypt-demo.org/acme/acct/1/order/1',
+            authorizations=[self.authzr, self.authzr2], csr_pem=CSR_NO_SANS_PEM)
 
     def test_new_account(self):
         self.response.status_code = http_client.CREATED
@@ -158,6 +164,10 @@ class ClientV2Test(unittest.TestCase):
             mock_post_as_get.side_effect = (authz_response, authz_response2)
             assert self.client.new_order(CSR_MIXED_PEM) == self.orderr
 
+        with mock.patch('acme.client.ClientV2._post_as_get') as mock_post_as_get:
+            mock_post_as_get.side_effect = (authz_response, authz_response2)
+            assert self.client.new_order(CSR_NO_SANS_PEM) == self.orderr2
+
     def test_answer_challege(self):
         self.response.links['up'] = {'url': self.challr.authzr_uri}
         self.response.json.return_value = self.challr.body.to_json()
@@ -245,6 +255,26 @@ class ClientV2Test(unittest.TestCase):
         with pytest.raises(errors.IssuanceError):
             self.client.finalize_order(self.orderr, deadline)
 
+    @mock.patch('acme.client.ClientV2.begin_finalization')
+    def test_finalize_order_ready(self, mock_begin):
+        # https://github.com/certbot/certbot/issues/9766
+        updated_order_ready = self.order.update(status=messages.STATUS_READY)
+
+        updated_order_valid = self.order.update(
+            certificate='https://www.letsencrypt-demo.org/acme/cert/',
+            status=messages.STATUS_VALID)
+        updated_orderr = self.orderr.update(body=updated_order_valid, fullchain_pem=CERT_SAN_PEM)
+
+        self.response.text = CERT_SAN_PEM
+
+        self.response.json.side_effect = [updated_order_ready.to_json(),
+                                           updated_order_valid.to_json()]
+
+        deadline = datetime.datetime(9999, 9, 9)
+        assert self.client.finalize_order(self.orderr, deadline) == updated_orderr
+        assert self.response.json.call_count == 2
+        assert mock_begin.call_count == 2
+
     def test_finalize_order_invalid_status(self):
         # https://github.com/certbot/certbot/issues/9296
         order = self.order.update(error=None, status=messages.STATUS_INVALID)
@@ -252,6 +282,53 @@ class ClientV2Test(unittest.TestCase):
         with pytest.raises(errors.Error, match="The certificate order failed"):
             self.client.finalize_order(self.orderr, datetime.datetime(9999, 9, 9))
 
+    @mock.patch('acme.client.time.sleep')
+    @mock.patch('acme.client.datetime')
+    def test_finalize_order_orderNotReady(self, dt_mock, mock_sleep):
+        # https://github.com/certbot/certbot/issues/9766
+        updated_order_processing = self.order.update(status=messages.STATUS_PROCESSING)
+        updated_order_ready = self.order.update(status=messages.STATUS_READY)
+
+        updated_order_valid = self.order.update(
+            certificate='https://www.letsencrypt-demo.org/acme/cert/',
+            status=messages.STATUS_VALID)
+        self.orderr.update(body=updated_order_valid, fullchain_pem=CERT_SAN_PEM)
+
+        self.response.text = CERT_SAN_PEM
+
+        self.response.json.side_effect = [updated_order_processing.to_json(),
+                                          updated_order_ready.to_json(),
+                                          updated_order_valid.to_json()]
+
+        dt_mock.datetime.now.return_value = datetime.datetime(2015, 3, 27)
+        dt_mock.timedelta = datetime.timedelta
+        self.response.headers['Retry-After'] = '50'
+
+        post = mock.MagicMock()
+        post.side_effect = [messages.Error.with_code('orderNotReady'), # first begin_finalization
+                            # sleep 1
+                            self.response, # first poll_finalization poll --> returns processing
+                            # retry-after sleep here
+                            self.response, # second poll_finalization poll --> returns ready
+                            mock.MagicMock(), # second begin_finalization
+                            # sleep 1
+                            self.response, # third poll_finalization poll --> returns valid
+                            self.response # fetch cert
+                            ]
+        self.net.post = post
+
+        self.client.finalize_order(self.orderr, datetime.datetime(9999, 9, 9))
+        assert self.net.post.call_count == 6
+        assert mock_sleep.call_args_list == [((1,),), ((50,),), ((1,),)]
+
+    def test_finalize_order_otherErrorCode(self):
+        post = mock.MagicMock()
+        post.side_effect = [messages.Error.with_code('serverInternal')]
+        self.net.post = post
+
+        with pytest.raises(messages.Error):
+            self.client.finalize_order(self.orderr, datetime.datetime(9999, 9, 9))
+
     def test_finalize_order_timeout(self):
         deadline = datetime.datetime.now() - datetime.timedelta(seconds=60)
         with pytest.raises(errors.TimeoutError):
@@ -333,7 +410,7 @@ class ClientV2Test(unittest.TestCase):
         with mock.patch('acme.client.ClientV2._authzr_from_response') as mock_client:
             mock_client.return_value = self.authzr2
 
-            self.client.poll(self.authzr2)  # pylint: disable=protected-access
+            self.client.poll(self.authzr2)
 
             self.client.net.post.assert_called_once_with(
                 self.authzr2.uri, None,
@@ -386,6 +463,211 @@ class ClientV2Test(unittest.TestCase):
         assert DIRECTORY_V2.to_partial_json() == \
             ClientV2.get_directory('https://example.com/dir', self.net).to_partial_json()
 
+    @mock.patch('acme.client.datetime')
+    def test_renewal_time_expired_cert(self, dt_mock):
+        utc_now = datetime.datetime(2026, 1, 1, tzinfo=datetime.timezone.utc)
+        dt_mock.datetime.now.return_value = utc_now
+
+        cert_pem = make_cert_for_renewal(
+            not_before=datetime.datetime(2025, 3, 12, 00, 00, 00),
+            not_after=datetime.datetime(2025, 3, 20, 00, 00, 00),
+        )
+        cert = x509.load_pem_x509_certificate(cert_pem)
+
+        t, _ = self.client.renewal_time(cert_pem)
+        assert t == cert.not_valid_after_utc
+
+    @mock.patch('acme.client.datetime')
+    def test_renewal_time_no_renewal_info(self, dt_mock):
+        utc_now = datetime.datetime(2025, 3, 15, tzinfo=datetime.timezone.utc)
+        dt_mock.datetime.now.return_value = utc_now
+        # A directory with no 'renewalInfo' should result in None.
+        self.client.directory = messages.Directory({})
+        cert_pem = make_cert_for_renewal(
+            not_before=datetime.datetime(2025, 3, 12, 00, 00, 00),
+            not_after=datetime.datetime(2025, 3, 20, 00, 00, 00),
+        )
+        t, _ = self.client.renewal_time(cert_pem)
+        assert t is None
+
+        cert_pem = make_cert_for_renewal(
+            not_before=datetime.datetime(2025, 3, 12, 00, 00, 00),
+            not_after=datetime.datetime(2025, 3, 30, 00, 00, 00),
+        )
+        t, _ = self.client.renewal_time(cert_pem)
+        assert t is None
+
+    @mock.patch('acme.client.datetime')
+    def test_renewal_time_with_renewal_info(self, dt_mock):
+        from cryptography import x509
+        from acme.client import _renewal_info_path_component
+        utc_now = datetime.datetime(2025, 3, 15, tzinfo=datetime.timezone.utc)
+        dt_mock.datetime.now.return_value = utc_now
+        dt_mock.timedelta = datetime.timedelta
+
+        cert_pem = make_cert_for_renewal(
+            not_before=datetime.datetime(2025, 3, 12, 00, 00, 00),
+            not_after=datetime.datetime(2025, 3, 20, 00, 00, 00),
+        )
+
+        self.client.directory = messages.Directory({
+            'renewalInfo': 'https://www.letsencrypt-demo.org/acme/renewal-info',
+        })
+
+        self.response.json.return_value = {
+            "suggestedWindow": {
+                "start": "2025-03-14T01:01:01Z",
+                "end": "2025-03-14T01:01:01Z",
+            },
+            "message": "Keep those certs fresh"
+        }
+        t, _ = self.client.renewal_time(cert_pem)
+        cert_parsed = x509.load_pem_x509_certificate(cert_pem)
+        ari_path_component = _renewal_info_path_component(cert_parsed)
+        self.net.get.assert_called_once_with("https://www.letsencrypt-demo.org/acme/renewal-info/" +
+                                             ari_path_component,
+                                             content_type='application/json')
+        assert t == datetime.datetime(2025, 3, 14, 1, 1, 1, tzinfo=datetime.timezone.utc)
+
+        self.net.reset_mock()
+
+        self.response.json.return_value = {
+            "suggestedWindow": {
+                "start": "2025-03-16T01:01:01Z",
+                "end": "2025-03-17T01:01:01Z",
+            },
+            "message": "Keep those certs fresh"
+        }
+        t, _ = self.client.renewal_time(cert_pem)
+        self.net.get.assert_called_once_with("https://www.letsencrypt-demo.org/acme/renewal-info/" +
+                                             ari_path_component,
+                                             content_type='application/json')
+        assert t >= datetime.datetime(2025, 3, 16, 1, 1, 1, tzinfo=datetime.timezone.utc)
+        assert t <= datetime.datetime(2025, 3, 17, 1, 1, 1, tzinfo=datetime.timezone.utc)
+
+    @mock.patch('acme.client.datetime')
+    def test_renewal_time_renewal_info_errors(self, dt_mock):
+        def now(tzinfo=None):
+            return datetime.datetime(2025, 3, 15, tzinfo=tzinfo)
+        dt_mock.datetime.now.side_effect = now
+        dt_mock.timedelta = datetime.timedelta
+        dt_mock.timezone = datetime.timezone
+
+        self.client.directory = messages.Directory({
+            'renewalInfo': 'https://www.letsencrypt-demo.org/acme/renewal-info',
+        })
+        # Failure to fetch the 'renewalInfo' URL should raise an ARIError with the exception raised
+        # by self.net.get as the __cause__ and a Retry-After 6 hours in the future
+        expected_cause = requests.exceptions.RequestException
+        expected_retry_after = now() + datetime.timedelta(seconds=6 * 60 * 60)
+        self.net.get.side_effect = expected_cause
+
+        cert_pem = make_cert_for_renewal(
+            not_before=datetime.datetime(2025, 3, 12, 00, 00, 00),
+            not_after=datetime.datetime(2025, 3, 20, 00, 00, 00),
+        )
+        with pytest.raises(errors.ARIError) as exception_info:
+            self.client.renewal_time(cert_pem)
+        assert isinstance(exception_info.value.__cause__, expected_cause)
+        assert exception_info.value.retry_after == expected_retry_after
+
+        cert_pem = make_cert_for_renewal(
+            not_before=datetime.datetime(2025, 3, 12, 00, 00, 00),
+            not_after=datetime.datetime(2025, 3, 30, 00, 00, 00),
+        )
+        with pytest.raises(errors.ARIError) as exception_info:
+            self.client.renewal_time(cert_pem)
+        assert isinstance(exception_info.value.__cause__, expected_cause)
+        assert exception_info.value.retry_after == expected_retry_after
+
+    @mock.patch('acme.client.datetime')
+    def test_renewal_time_returns_retry_after(self, dt_mock):
+        def now(tzinfo=None):
+            return datetime.datetime(2025, 3, 15, tzinfo=tzinfo)
+        dt_mock.datetime.now.side_effect = now
+        dt_mock.timedelta = datetime.timedelta
+        dt_mock.timezone = datetime.timezone
+
+        self.client.directory = messages.Directory({
+            'renewalInfo': 'https://www.letsencrypt-demo.org/acme/renewal-info',
+        })
+        cert_pem = make_cert_for_renewal(
+            not_before=datetime.datetime(2025, 3, 12, 00, 00, 00),
+            not_after=datetime.datetime(2025, 3, 20, 00, 00, 00),
+        )
+        self.response.json.return_value = {
+            "suggestedWindow": {
+                "start": "2025-03-14T01:01:01Z",
+                "end": "2025-03-14T01:01:01Z",
+            },
+            "message": "Keep those certs fresh"
+        }
+
+        # With no explicit Retry-After in header, default to six hours
+        _, retry_after = self.client.renewal_time(cert_pem)
+        assert retry_after == datetime.datetime(2025, 3, 15, 6, 0, 0)
+
+        # With an explicit Retry-After in header, use that
+        self.response.headers['Retry-After'] = '100'
+        _, retry_after = self.client.renewal_time(cert_pem)
+        assert retry_after == datetime.datetime(2025, 3, 15, 00, 1, 40)
+
+def test_renewal_info_path_component():
+    from cryptography import x509
+    from acme.client import _renewal_info_path_component
+
+    cert = x509.load_pem_x509_certificate(test_util.load_vector('rsa2048_cert.pem'))
+
+    assert _renewal_info_path_component(cert) == "fL5sRirC8VS5AtOQh9DfoAzYNCI.ALVG_VbBb5U7"
+
+    # From https://www.ietf.org/archive/id/draft-ietf-acme-ari-08.html appendix A.
+    ARI_TEST_CERT = b"""
+-----BEGIN CERTIFICATE-----
+MIIBQzCB66ADAgECAgUAh2VDITAKBggqhkjOPQQDAjAVMRMwEQYDVQQDEwpFeGFt
+cGxlIENBMCIYDzAwMDEwMTAxMDAwMDAwWhgPMDAwMTAxMDEwMDAwMDBaMBYxFDAS
+BgNVBAMTC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeBZu
+7cbpAYNXZLbbh8rNIzuOoqOOtmxA1v7cRm//AwyMwWxyHz4zfwmBhcSrf47NUAFf
+qzLQ2PPQxdTXREYEnKMjMCEwHwYDVR0jBBgwFoAUaYhba4dGQEHhs3uEe6CuLN4B
+yNQwCgYIKoZIzj0EAwIDRwAwRAIge09+S5TZAlw5tgtiVvuERV6cT4mfutXIlwTb
++FYN/8oCIClDsqBklhB9KAelFiYt9+6FDj3z4KGVelYM5MdsO3pK
+-----END CERTIFICATE-----
+"""
+
+    cert = x509.load_pem_x509_certificate(ARI_TEST_CERT)
+    assert _renewal_info_path_component(cert) == "aYhba4dGQEHhs3uEe6CuLN4ByNQ.AIdlQyE"
+
+if __name__ == '__main__':
+    sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover
+
+def make_cert_for_renewal(not_before, not_after) -> bytes:
+    """
+    Return a PEM-encoded, self-signed certificate with the given dates.
+    """
+    from cryptography import x509
+    from cryptography.hazmat.primitives.asymmetric import ec
+    from cryptography.hazmat.primitives import serialization, hashes
+    # AKID and serial are the inputs to constructing the renewalInfo URL
+    akid = x509.AuthorityKeyIdentifier(b"1234", None, None)
+    serial = 56789
+    key = ec.generate_private_key(ec.SECP256R1())
+    cert = x509.CertificateBuilder(
+        issuer_name=x509.Name([x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, "Some Issuer")]),
+        subject_name=x509.Name([]),
+        public_key=key.public_key(),
+        serial_number=serial,
+        not_valid_before=not_before,
+        not_valid_after=not_after,
+    ).add_extension(
+        x509.SubjectAlternativeName([x509.DNSName('example.com')]),
+        critical=False,
+    ).add_extension(
+        akid,
+        critical=False,
+    ).sign(
+        private_key=key,
+        algorithm=hashes.SHA256(),
+    )
+    return cert.public_bytes(serialization.Encoding.PEM)
 
 class MockJSONDeSerializable(jose.JSONDeSerializable):
     # pylint: disable=missing-docstring
@@ -612,27 +894,12 @@ class ClientNetworkTest(unittest.TestCase):
         with pytest.raises(requests.exceptions.RequestException):
             self.net._send_request('GET', 'uri')
 
-    def test_urllib_error(self):
-        # Using a connection error to test a properly formatted error message
-        try:
-            # pylint: disable=protected-access
-            self.net._send_request('GET', "http://localhost:19123/nonexistent.txt")
-
-        # Value Error Generated Exceptions
-        except ValueError as y:
-            assert "Requesting localhost/nonexistent: " \
-                             "Connection refused" == str(y)
-
-        # Requests Library Exceptions
-        except requests.exceptions.ConnectionError as z: #pragma: no cover
-            assert "'Connection aborted.'" in str(z) or "[WinError 10061]" in str(z)
-
 
 class ClientNetworkWithMockedResponseTest(unittest.TestCase):
     """Tests for acme.client.ClientNetwork which mock out response."""
 
     def setUp(self):
-        self.net = ClientNetwork(key=None, alg=None)
+        self.net = ClientNetwork(key='fake', alg=None)
 
         self.response = mock.MagicMock(ok=True, status_code=http_client.OK)
         self.response.headers = {}
@@ -707,7 +974,6 @@ class ClientNetworkWithMockedResponseTest(unittest.TestCase):
         assert self.response.checked
 
     def test_post(self):
-        # pylint: disable=protected-access
         assert self.response == self.net.post(
             'uri', self.obj, content_type=self.content_type)
         assert self.response.checked
@@ -736,7 +1002,6 @@ class ClientNetworkWithMockedResponseTest(unittest.TestCase):
         check_response = mock.MagicMock()
         check_response.side_effect = messages.Error.with_code('badNonce')
 
-        # pylint: disable=protected-access
         self.net._check_response = check_response
         with pytest.raises(messages.Error):
             self.net.post('uri',
@@ -747,7 +1012,6 @@ class ClientNetworkWithMockedResponseTest(unittest.TestCase):
         check_response.side_effect = [messages.Error.with_code('malformed'),
                                       self.response]
 
-        # pylint: disable=protected-access
         self.net._check_response = check_response
         with pytest.raises(messages.Error):
             self.net.post('uri',
@@ -758,7 +1022,6 @@ class ClientNetworkWithMockedResponseTest(unittest.TestCase):
         post_once.side_effect = [messages.Error.with_code('badNonce'),
                                       self.response]
 
-        # pylint: disable=protected-access
         assert self.response == self.net.post(
             'uri', self.obj, content_type=self.content_type)
 
@@ -789,6 +1052,16 @@ class ClientNetworkWithMockedResponseTest(unittest.TestCase):
         self.content_type = None
         self.net.post('uri', self.obj, content_type=None, new_nonce_url='new_nonce_uri')
 
+    def test_no_key_error(self):
+        "A ClientNetwork with no key should error on POST but succeed on GET"
+        self.net = ClientNetwork()
+        self.net._send_request = mock.MagicMock()
+        self.net._send_request.return_value = self.response
+        with pytest.raises(errors.Error):
+            self.net.post('uri', "body")
+        assert self.response == self.net.get(
+            'uri', content_type=self.content_type, bar='baz')
+
 
 if __name__ == '__main__':
     sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover

acme/src/acme/_internal/tests/conftest.py

@@ -0,0 +1,16 @@
+from unittest import mock
+
+import pytest
+
+# This avoids a bug on mac where getfqdn errors after a long timeout.
+# See https://bugs.python.org/issue35164
+# and discussion at https://github.com/certbot/certbot/pull/10408
+@pytest.fixture(autouse=True)
+def mock_getfqdn():
+    with mock.patch("socket.getfqdn", return_value="server_name") as mocked:
+        yield mocked
+
+@pytest.fixture(autouse=True)
+def mock_sleep():
+    with mock.patch("time.sleep") as mocked:
+        yield mocked

acme/src/acme/_internal/tests/crypto_util_test.py

@@ -0,0 +1,270 @@
+"""Tests for acme.crypto_util."""
+import ipaddress
+import itertools
+import sys
+import unittest
+from unittest import mock
+import warnings
+
+import pytest
+from cryptography import x509
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa, x25519
+
+from acme._internal.tests import test_util
+
+
+class FormatTest(unittest.TestCase):
+    def test_to_cryptography_encoding(self):
+        from acme.crypto_util import Format
+        assert Format.DER.to_cryptography_encoding() == serialization.Encoding.DER
+        assert Format.PEM.to_cryptography_encoding() == serialization.Encoding.PEM
+
+
+class MiscTests(unittest.TestCase):
+
+    def test_dump_cryptography_chain(self):
+        from acme.crypto_util import dump_cryptography_chain
+
+        cert1 = test_util.load_cert('rsa2048_cert.pem')
+        cert2 = test_util.load_cert('rsa4096_cert.pem')
+
+        chain = [cert1, cert2]
+        dumped = dump_cryptography_chain(chain)
+
+        # default is PEM encoding Encoding.PEM
+        assert isinstance(dumped, bytes)
+
+
+class CryptographyCertOrReqSANTest(unittest.TestCase):
+    """Test for acme.crypto_util._cryptography_cert_or_req_san."""
+
+    @classmethod
+    def _call(cls, loader, name):
+        # pylint: disable=protected-access
+        from acme.crypto_util import _cryptography_cert_or_req_san
+        return _cryptography_cert_or_req_san(loader(name))
+
+    @classmethod
+    def _get_idn_names(cls):
+        """Returns expected names from '{cert,csr}-idnsans.pem'."""
+        chars = [chr(i) for i in itertools.chain(range(0x3c3, 0x400),
+                                                 range(0x641, 0x6fc),
+                                                 range(0x1820, 0x1877))]
+        return [''.join(chars[i: i + 45]) + '.invalid'
+                for i in range(0, len(chars), 45)]
+
+    def _call_cert(self, name):
+        return self._call(test_util.load_cert, name)
+
+    def _call_csr(self, name):
+        return self._call(test_util.load_csr, name)
+
+    def test_cert_no_sans(self):
+        assert self._call_cert('cert.pem') == []
+
+    def test_cert_two_sans(self):
+        assert self._call_cert('cert-san.pem') == \
+                         ['example.com', 'www.example.com']
+
+    def test_cert_hundred_sans(self):
+        assert self._call_cert('cert-100sans.pem') == \
+                         ['example{0}.com'.format(i) for i in range(1, 101)]
+
+    def test_cert_idn_sans(self):
+        assert self._call_cert('cert-idnsans.pem') == \
+                         self._get_idn_names()
+
+    def test_csr_no_sans(self):
+        assert self._call_csr('csr-nosans.pem') == []
+
+    def test_csr_one_san(self):
+        assert self._call_csr('csr.pem') == ['example.com']
+
+    def test_csr_two_sans(self):
+        assert self._call_csr('csr-san.pem') == \
+                         ['example.com', 'www.example.com']
+
+    def test_csr_six_sans(self):
+        assert self._call_csr('csr-6sans.pem') == \
+                         ['example.com', 'example.org', 'example.net',
+                          'example.info', 'subdomain.example.com',
+                          'other.subdomain.example.com']
+
+    def test_csr_hundred_sans(self):
+        assert self._call_csr('csr-100sans.pem') == \
+                         ['example{0}.com'.format(i) for i in range(1, 101)]
+
+    def test_csr_idn_sans(self):
+        assert self._call_csr('csr-idnsans.pem') == \
+                         self._get_idn_names()
+
+    def test_critical_san(self):
+        assert self._call_cert('critical-san.pem') == \
+                         ['chicago-cubs.venafi.example', 'cubs.venafi.example']
+
+
+class GenMakeSelfSignedCertTest(unittest.TestCase):
+    """Test for make_self_signed_cert."""
+
+    def setUp(self):
+        self.cert_count = 5
+        self.serial_num: list[int] = []
+        self.privkey = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+
+    @classmethod
+    def _call(cls, *args, **kwargs):
+        from acme.crypto_util import make_self_signed_cert
+        with pytest.warns(DeprecationWarning, match='make_self_signed_cert is deprecated'):
+            return make_self_signed_cert(*args, **kwargs)
+
+    def test_sn_collisions(self):
+        for _ in range(self.cert_count):
+            cert = self._call(self.privkey, ['dummy'], force_san=True,
+                              ips=[ipaddress.ip_address("10.10.10.10")])
+            self.serial_num.append(cert.serial_number)
+        assert len(set(self.serial_num)) >= self.cert_count
+
+    def test_no_ips(self):
+        self._call(self.privkey, ['dummy'])
+
+    @mock.patch("acme.crypto_util._now")
+    def test_expiry_times(self, mock_now):
+        from datetime import datetime, timedelta, timezone
+        not_before = 1736200830
+        validity = 100
+
+        not_before_dt = datetime.fromtimestamp(not_before)
+        validity_td = timedelta(validity)
+        not_after_dt = not_before_dt + validity_td
+        cert = self._call(
+            self.privkey,
+            ['dummy'],
+            not_before=not_before_dt,
+            validity=validity_td,
+        )
+        # TODO: This should be `not_valid_before_utc` once we raise the minimum
+        # cryptography version.
+        # https://github.com/certbot/certbot/issues/10105
+        with warnings.catch_warnings():
+            warnings.filterwarnings(
+                'ignore',
+                message='Properties that return.*datetime object'
+            )
+            self.assertEqual(cert.not_valid_before, not_before_dt)
+            self.assertEqual(cert.not_valid_after, not_after_dt)
+
+        now = not_before + 1
+        now_dt = datetime.fromtimestamp(now)
+        mock_now.return_value = now_dt.replace(tzinfo=timezone.utc)
+        valid_after_now_dt = now_dt + validity_td
+        cert = self._call(
+            self.privkey,
+            ['dummy'],
+            validity=validity_td,
+        )
+        with warnings.catch_warnings():
+            warnings.filterwarnings(
+                'ignore',
+                message='Properties that return.*datetime object'
+            )
+            self.assertEqual(cert.not_valid_before, now_dt)
+            self.assertEqual(cert.not_valid_after, valid_after_now_dt)
+
+    def test_no_name(self):
+        with pytest.raises(AssertionError):
+            self._call(self.privkey, ips=[ipaddress.ip_address("1.1.1.1")])
+            self._call(self.privkey)
+
+    def test_extensions(self):
+        extension_type = x509.TLSFeature([x509.TLSFeatureType.status_request])
+        extension = x509.Extension(
+            x509.TLSFeature.oid,
+            False,
+            extension_type
+        )
+        cert = self._call(
+            self.privkey,
+            ips=[ipaddress.ip_address("1.1.1.1")],
+            extensions=[extension]
+        )
+        self.assertIn(extension, cert.extensions)
+
+
+class MakeCSRTest(unittest.TestCase):
+    """Test for standalone functions."""
+
+    @classmethod
+    def _call_with_key(cls, *args, **kwargs):
+        privkey = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+        privkey_pem = privkey.private_bytes(
+            serialization.Encoding.PEM,
+            serialization.PrivateFormat.PKCS8,
+            serialization.NoEncryption(),
+        )
+        from acme.crypto_util import make_csr
+
+        return make_csr(privkey_pem, *args, **kwargs)
+
+    def test_make_csr(self):
+        csr_pem = self._call_with_key(["a.example", "b.example"])
+        assert b"--BEGIN CERTIFICATE REQUEST--" in csr_pem
+        assert b"--END CERTIFICATE REQUEST--" in csr_pem
+        csr = x509.load_pem_x509_csr(csr_pem)
+
+        assert len(csr.extensions) == 1
+        assert list(
+            csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
+        ) == [
+            x509.DNSName("a.example"),
+            x509.DNSName("b.example"),
+        ]
+
+    def test_make_csr_ip(self):
+        csr_pem = self._call_with_key(
+            ["a.example"],
+            False,
+            [ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")],
+        )
+        assert b"--BEGIN CERTIFICATE REQUEST--" in csr_pem
+        assert b"--END CERTIFICATE REQUEST--" in csr_pem
+
+        csr = x509.load_pem_x509_csr(csr_pem)
+
+        assert len(csr.extensions) == 1
+        assert list(
+            csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
+        ) == [
+            x509.DNSName("a.example"),
+            x509.IPAddress(ipaddress.ip_address("127.0.0.1")),
+            x509.IPAddress(ipaddress.ip_address("::1")),
+        ]
+
+    def test_make_csr_must_staple(self):
+        csr_pem = self._call_with_key(["a.example"], must_staple=True)
+        csr = x509.load_pem_x509_csr(csr_pem)
+
+        assert len(csr.extensions) == 2
+        assert list(csr.extensions.get_extension_for_class(x509.TLSFeature).value) == [
+            x509.TLSFeatureType.status_request
+        ]
+
+    def test_make_csr_without_hostname(self):
+        with pytest.raises(ValueError):
+            self._call_with_key()
+
+    def test_make_csr_invalid_key_type(self):
+        privkey = x25519.X25519PrivateKey.generate()
+        privkey_pem = privkey.private_bytes(
+            serialization.Encoding.PEM,
+            serialization.PrivateFormat.PKCS8,
+            serialization.NoEncryption(),
+        )
+        from acme.crypto_util import make_csr
+
+        with pytest.raises(ValueError):
+            make_csr(privkey_pem, ["a.example"])
+
+
+if __name__ == '__main__':
+    sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover

acme/src/acme/_internal/tests/errors_test.py

@@ -51,5 +51,36 @@ class PollErrorTest(unittest.TestCase):
                          'sentinel.AR2})' % repr(set()) == repr(self.invalid)
 
 
+class ValidationErrorTest(unittest.TestCase):
+    """Tests for acme.errors.ValidationError"""
+
+    def setUp(self):
+        from acme.errors import ValidationError
+        from acme.challenges import DNS01
+        from acme.messages import Error
+        from acme.messages import Authorization
+        from acme.messages import AuthorizationResource
+        from acme.messages import IDENTIFIER_FQDN
+        from acme.messages import ChallengeBody
+        from acme.messages import Identifier
+        self.challenge_error = Error(typ='custom', detail='bar')
+        failed_authzr = AuthorizationResource(
+            body=Authorization(
+                identifier=Identifier(typ=IDENTIFIER_FQDN, value="example.com"),
+                challenges=[ChallengeBody(
+                    chall=DNS01(),
+                    error=self.challenge_error,
+                )]
+            )
+        )
+        self.error = ValidationError([failed_authzr])
+
+    def test_repr(self):
+        err_message = str(self.error)
+        assert 'Authorization for example.com failed' in err_message
+        assert 'Challenge dns-01 failed' in err_message
+        assert str(self.challenge_error) in err_message
+
+
 if __name__ == "__main__":
     sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover

acme/src/acme/_internal/tests/fields_test.py

@@ -2,11 +2,9 @@
 import datetime
 import sys
 import unittest
-import warnings
 
 import josepy as jose
 import pytest
-import pytz
 
 
 class FixedTest(unittest.TestCase):
@@ -34,7 +32,7 @@ class RFC3339FieldTest(unittest.TestCase):
     """Tests for acme.fields.RFC3339Field."""
 
     def setUp(self):
-        self.decoded = datetime.datetime(2015, 3, 27, tzinfo=pytz.UTC)
+        self.decoded = datetime.datetime(2015, 3, 27, tzinfo=datetime.timezone.utc)
         self.encoded = '2015-03-27T00:00:00Z'
 
     def test_default_encoder(self):

acme/src/acme/_internal/tests/jose_test.py

@@ -1,7 +1,6 @@
 """Tests for acme.jose shim."""
 import importlib
 import sys
-import unittest
 
 import pytest
 
@@ -21,9 +20,9 @@ def _test_it(submodule, attribute):
 
     # We use the imports below with eval, but pylint doesn't
     # understand that.
-    import josepy  # pylint: disable=unused-import
+    import josepy  # pylint: disable=unused-import # noqa: F401
 
-    import acme  # pylint: disable=unused-import
+    import acme  # pylint: disable=unused-import # noqa: F401
     acme_jose_mod = eval(acme_jose_path)  # pylint: disable=eval-used
     josepy_mod = eval(josepy_path)  # pylint: disable=eval-used
     assert acme_jose_mod is josepy_mod

acme/src/acme/_internal/tests/jws_test.py

@@ -21,7 +21,7 @@ class HeaderTest(unittest.TestCase):
     except (ValueError, TypeError):
         assert True
     else:
-        assert False  # pragma: no cover
+        pytest.fail("Exception from jose.b64decode wasn't raised")  # pragma: no cover
 
     def test_nonce_decoder(self):
         from acme.jws import Header

acme/src/acme/_internal/tests/messages_test.py

@@ -1,10 +1,8 @@
 """Tests for acme.messages."""
-import contextlib
 import sys
-from typing import Dict
+import json
 import unittest
 from unittest import mock
-import warnings
 
 import josepy as jose
 import pytest
@@ -12,8 +10,8 @@ import pytest
 from acme import challenges
 from acme._internal.tests import test_util
 
-CERT = test_util.load_comparable_cert('cert.der')
-CSR = test_util.load_comparable_csr('csr.der')
+CERT = test_util.load_cert('cert.der')
+CSR = test_util.load_csr('csr.der')
 KEY = test_util.load_rsa_private_key('rsa512_key.pem')
 
 
@@ -119,7 +117,7 @@ class ConstantTest(unittest.TestCase):
         from acme.messages import _Constant
 
         class MockConstant(_Constant):  # pylint: disable=missing-docstring
-            POSSIBLE_NAMES: Dict = {}
+            POSSIBLE_NAMES: dict = {}
 
         self.MockConstant = MockConstant  # pylint: disable=invalid-name
         self.const_a = MockConstant('a')
@@ -162,6 +160,10 @@ class DirectoryTest(unittest.TestCase):
                 terms_of_service='https://example.com/acme/terms',
                 website='https://www.example.com/',
                 caa_identities=['example.com'],
+                profiles={
+                    "example": "some profile",
+                    "other example": "a different profile"
+                }
             ),
         })
 
@@ -191,6 +193,10 @@ class DirectoryTest(unittest.TestCase):
                 'termsOfService': 'https://example.com/acme/terms',
                 'website': 'https://www.example.com/',
                 'caaIdentities': ['example.com'],
+                'profiles': {
+                    'example': 'some profile',
+                    'other example': 'a different profile'
+                }
             },
         }
 
@@ -212,17 +218,43 @@ class ExternalAccountBindingTest(unittest.TestCase):
         self.key = jose.jwk.JWKRSA(key=KEY.public_key())
         self.kid = "kid-for-testing"
         self.hmac_key = "hmac-key-for-testing"
+        self.hmac_alg = "HS256"
         self.dir = Directory({
             'newAccount': 'http://url/acme/new-account',
         })
 
     def test_from_data(self):
         from acme.messages import ExternalAccountBinding
-        eab = ExternalAccountBinding.from_data(self.key, self.kid, self.hmac_key, self.dir)
+        eab = ExternalAccountBinding.from_data(self.key, self.kid, self.hmac_key, self.dir, self.hmac_alg)
 
         assert len(eab) == 3
         assert sorted(eab.keys()) == sorted(['protected', 'payload', 'signature'])
 
+    def test_from_data_invalid_hmac_alg(self):
+        from acme.messages import ExternalAccountBinding
+        invalid_alg = "HS9999"
+        with pytest.raises(ValueError) as info:
+            ExternalAccountBinding.from_data(self.key, self.kid, self.hmac_key, self.dir, invalid_alg)
+
+        assert "Invalid value for hmac_alg" in str(info.value)
+
+    def test_from_data_default_hmac_alg(self):
+        from acme.messages import ExternalAccountBinding
+        eab_default = ExternalAccountBinding.from_data(self.key, self.kid, self.hmac_key, self.dir)
+
+        assert len(eab_default) == 3
+        assert sorted(eab_default.keys()) == sorted(['protected', 'payload', 'signature'])
+
+        eab_explicit = ExternalAccountBinding.from_data(
+            self.key, self.kid, self.hmac_key, self.dir, "HS256"
+        )
+
+        assert eab_default == eab_explicit
+
+        protected_default = json.loads(
+            jose.b64.b64decode(eab_default['protected']).decode()
+        )
+        assert protected_default['alg'] == 'HS256'
 
 class RegistrationTest(unittest.TestCase):
     """Tests for acme.messages.Registration."""
@@ -262,10 +294,11 @@ class RegistrationTest(unittest.TestCase):
         key = jose.jwk.JWKRSA(key=KEY.public_key())
         kid = "kid-for-testing"
         hmac_key = "hmac-key-for-testing"
+        hmac_alg = "HS256"
         directory = Directory({
             'newAccount': 'http://url/acme/new-account',
         })
-        eab = ExternalAccountBinding.from_data(key, kid, hmac_key, directory)
+        eab = ExternalAccountBinding.from_data(key, kid, hmac_key, directory, hmac_alg)
         reg = NewRegistration.from_data(email='admin@foo.com', external_account_binding=eab)
         assert reg.contact == (
             'mailto:admin@foo.com',
@@ -528,14 +561,25 @@ class NewOrderTest(unittest.TestCase):
 
     def setUp(self):
         from acme.messages import NewOrder
-        self.reg = NewOrder(
+        self.order = NewOrder(
             identifiers=mock.sentinel.identifiers)
 
     def test_to_partial_json(self):
-        assert self.reg.to_json() == {
+        assert self.order.to_json() == {
             'identifiers': mock.sentinel.identifiers,
         }
 
+    def test_default_profile_empty(self):
+        assert self.order.profile is None
+
+    def test_non_empty_profile(self):
+        from acme.messages import NewOrder
+        order = NewOrder(identifiers=mock.sentinel.identifiers, profile='example')
+        assert order.to_json() == {
+            'identifiers': mock.sentinel.identifiers,
+            'profile': 'example',
+        }
+
 
 class JWSPayloadRFC8555Compliant(unittest.TestCase):
     """Test for RFC8555 compliance of JWS generated from resources/challenges"""

acme/src/acme/_internal/tests/standalone_test.py

@@ -4,7 +4,6 @@ import socket
 import socketserver
 import sys
 import threading
-from typing import Set
 import unittest
 from unittest import mock
 
@@ -13,29 +12,9 @@ import pytest
 import requests
 
 from acme import challenges
-from acme import crypto_util
-from acme import errors
 from acme._internal.tests import test_util
 
 
-class TLSServerTest(unittest.TestCase):
-    """Tests for acme.standalone.TLSServer."""
-
-
-    def test_bind(self):  # pylint: disable=no-self-use
-        from acme.standalone import TLSServer
-        server = TLSServer(
-            ('', 0), socketserver.BaseRequestHandler, bind_and_activate=True)
-        server.server_close()
-
-    def test_ipv6(self):
-        if socket.has_ipv6:
-            from acme.standalone import TLSServer
-            server = TLSServer(
-                ('', 0), socketserver.BaseRequestHandler, bind_and_activate=True, ipv6=True)
-            server.server_close()
-
-
 class HTTP01ServerTest(unittest.TestCase):
     """Tests for acme.standalone.HTTP01Server."""
 
@@ -43,7 +22,7 @@ class HTTP01ServerTest(unittest.TestCase):
     def setUp(self):
         self.account_key = jose.JWK.load(
             test_util.load_vector('rsa1024_key.pem'))
-        self.resources: Set = set()
+        self.resources: set = set()
 
         from acme.standalone import HTTP01Server
         self.server = HTTP01Server(('', 0), resources=self.resources)
@@ -110,58 +89,6 @@ class HTTP01ServerTest(unittest.TestCase):
                 assert not is_hung, 'Server shutdown should not be hung'
 
 
-@unittest.skipIf(not challenges.TLSALPN01.is_supported(), "pyOpenSSL too old")
-class TLSALPN01ServerTest(unittest.TestCase):
-    """Test for acme.standalone.TLSALPN01Server."""
-
-    def setUp(self):
-        self.certs = {b'localhost': (
-            test_util.load_pyopenssl_private_key('rsa2048_key.pem'),
-            test_util.load_cert('rsa2048_cert.pem'),
-        )}
-        # Use different certificate for challenge.
-        self.challenge_certs = {b'localhost': (
-            test_util.load_pyopenssl_private_key('rsa4096_key.pem'),
-            test_util.load_cert('rsa4096_cert.pem'),
-        )}
-        from acme.standalone import TLSALPN01Server
-        self.server = TLSALPN01Server(("localhost", 0), certs=self.certs,
-                challenge_certs=self.challenge_certs)
-        # pylint: disable=no-member
-        self.thread = threading.Thread(target=self.server.serve_forever)
-        self.thread.start()
-
-    def tearDown(self):
-        self.server.shutdown()  # pylint: disable=no-member
-        self.thread.join()
-        self.server.server_close()
-
-    # TODO: This is not implemented yet, see comments in standalone.py
-    # def test_certs(self):
-    #    host, port = self.server.socket.getsockname()[:2]
-    #    cert = crypto_util.probe_sni(
-    #        b'localhost', host=host, port=port, timeout=1)
-    #    # Expect normal cert when connecting without ALPN.
-    #    self.assertEqual(jose.ComparableX509(cert),
-    #                     jose.ComparableX509(self.certs[b'localhost'][1]))
-
-    def test_challenge_certs(self):
-        host, port = self.server.socket.getsockname()[:2]
-        cert = crypto_util.probe_sni(
-            b'localhost', host=host, port=port, timeout=1,
-            alpn_protocols=[b"acme-tls/1"])
-        #  Expect challenge cert when connecting with ALPN.
-        assert jose.ComparableX509(cert) == \
-                jose.ComparableX509(self.challenge_certs[b'localhost'][1])
-
-    def test_bad_alpn(self):
-        host, port = self.server.socket.getsockname()[:2]
-        with pytest.raises(errors.Error):
-            crypto_util.probe_sni(
-                b'localhost', host=host, port=port, timeout=1,
-                alpn_protocols=[b"bad-alpn"])
-
-
 class BaseDualNetworkedServersTest(unittest.TestCase):
     """Test for acme.standalone.BaseDualNetworkedServers."""
 
@@ -193,7 +120,7 @@ class BaseDualNetworkedServersTest(unittest.TestCase):
 
         from acme.standalone import BaseDualNetworkedServers
 
-        mock_bind.side_effect = socket.error(EADDRINUSE, "Fake addr in use error")
+        mock_bind.side_effect = OSError(EADDRINUSE, "Fake addr in use error")
 
         with pytest.raises(socket.error) as exc_info:
             BaseDualNetworkedServers(
@@ -226,7 +153,7 @@ class HTTP01DualNetworkedServersTest(unittest.TestCase):
     def setUp(self):
         self.account_key = jose.JWK.load(
             test_util.load_vector('rsa1024_key.pem'))
-        self.resources: Set = set()
+        self.resources: set = set()
 
         from acme.standalone import HTTP01DualNetworkedServers
         self.servers = HTTP01DualNetworkedServers(('', 0), resources=self.resources)

acme/src/acme/_internal/tests/test_util.py

@@ -0,0 +1,61 @@
+"""Test utilities.
+
+.. warning:: This module is not part of the public API.
+
+"""
+import importlib.resources
+import os
+from typing import Callable
+
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+import josepy as jose
+from josepy.util import ComparableECKey
+
+
+def load_vector(*names):
+    """Load contents of a test vector."""
+    # luckily, resource_string opens file in binary mode
+    vector_ref = importlib.resources.files(__package__).joinpath('testdata', *names)
+    return vector_ref.read_bytes()
+
+
+def _guess_loader(filename: str, loader_pem: Callable, loader_der: Callable) -> Callable:
+    _, ext = os.path.splitext(filename)
+    if ext.lower() == ".pem":
+        return loader_pem
+    elif ext.lower() == ".der":
+        return loader_der
+    else:  # pragma: no cover
+        raise ValueError("Loader could not be recognized based on extension")
+
+
+def load_cert(*names: str) -> x509.Certificate:
+    """Load certificate."""
+    loader = _guess_loader(
+        names[-1], x509.load_pem_x509_certificate, x509.load_der_x509_certificate
+    )
+    return loader(load_vector(*names))
+
+
+def load_csr(*names: str) -> x509.CertificateSigningRequest:
+    """Load certificate request."""
+    loader = _guess_loader(names[-1], x509.load_pem_x509_csr, x509.load_der_x509_csr)
+    return loader(load_vector(*names))
+
+
+def load_rsa_private_key(*names):
+    """Load RSA private key."""
+    loader = _guess_loader(names[-1], serialization.load_pem_private_key,
+                           serialization.load_der_private_key)
+    return jose.ComparableRSAKey(loader(
+        load_vector(*names), password=None, backend=default_backend()))
+
+
+def load_ecdsa_private_key(*names):
+    """Load ECDSA private key."""
+    loader = _guess_loader(names[-1], serialization.load_pem_private_key,
+                           serialization.load_der_private_key)
+    return ComparableECKey(loader(
+        load_vector(*names), password=None, backend=default_backend()))

acme/src/acme/_internal/tests/testdata/csr-mixed.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICdjCCAV4CAQAwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANoV
+T1pdvRUUBOqvm7M2ebLEHV7higUH7qAGUZEkfP6W4YriYVY+IHrH1svNPSa+oPTK
+7weDNmT11ehWnGyECIM9z2r2Hi9yVV0ycxh4hWQ4Nt8BAKZwCwaXpyWm7Gj6m2Ez
+pSN5Dd67g5YAQBrUUh1+RRbFi9c0Ls/6ZOExMvfg8kqt4c2sXCgH1IFnxvvOjBYo
+p7xh0x3L1Akyax0tw8qgQp/z5mkupmVDNJYPFmbzFPMNyDR61ed6QUTDg7P4UAuF
+kejLLzFvz5YaO7vC+huaTuPhInAhpzqpr4yU97KIjos2/83Itu/Cv8U1RAeEeRTk
+h0WjUfltoem/5f8bIdsCAwEAAaAxMC8GCSqGSIb3DQEJDjEiMCAwHgYDVR0RBBcw
+FYINYS5leGVtcGxlLmNvbYcEwAACbzANBgkqhkiG9w0BAQsFAAOCAQEAQ7n/hYen
+5INHlcslHPYCQ/BAbX6Ou+Y8hUu8puWNVpE2OM95L2C87jbWwTmCRnkFBwtyoNqo
+j3DXVW2RYv8y/exq7V6Y5LtpHTgwfugINJ3XlcVzA4Vnf1xqOxv3kwejkq74RuXn
+xd5N28srgiFqb0e4tOAWVI8Tw27bgBqjoXl0QDFPZpctqUia5bcDJ9WzNSM7VaO1
+CBNGHBRz+zL8sqoqJA4HV58tjcgzl+1RtGM+iUHxXpnH+aCNKWIUINrAzIm4Sm00
+93RJjhb1kdNR0BC7ikWVbAWaVviHdvATK/RfpmhWDqfEaNgBpvT91GnkhpzctSFD
+ro0yCUUXXrIr0w==
+-----END CERTIFICATE REQUEST-----

acme/src/acme/_internal/tests/util_test.py

@@ -1,6 +1,5 @@
 """Tests for acme.util."""
 import sys
-import unittest
 
 import pytest
 

acme/src/acme/challenges.py

@@ -1,29 +1,19 @@
 """ACME Identifier Validation Challenges."""
 import abc
-import codecs
 import functools
 import hashlib
 import logging
-import socket
 from typing import Any
 from typing import cast
-from typing import Dict
 from typing import Mapping
 from typing import Optional
-from typing import Tuple
-from typing import Type
 from typing import TypeVar
 from typing import Union
 
 from cryptography.hazmat.primitives import hashes
 import josepy as jose
-from OpenSSL import crypto
-from OpenSSL import SSL
 import requests
 
-from acme import crypto_util
-from acme import errors
-
 logger = logging.getLogger(__name__)
 
 GenericChallenge = TypeVar('GenericChallenge', bound='Challenge')
@@ -32,10 +22,10 @@ GenericChallenge = TypeVar('GenericChallenge', bound='Challenge')
 class Challenge(jose.TypedJSONObjectWithFields):
     # _fields_to_partial_json
     """ACME challenge."""
-    TYPES: Dict[str, Type['Challenge']] = {}
+    TYPES: dict[str, type['Challenge']] = {}
 
     @classmethod
-    def from_json(cls: Type[GenericChallenge],
+    def from_json(cls: type[GenericChallenge],
                   jobj: Mapping[str, Any]) -> Union[GenericChallenge, 'UnrecognizedChallenge']:
         try:
             return cast(GenericChallenge, super().from_json(jobj))
@@ -47,9 +37,9 @@ class Challenge(jose.TypedJSONObjectWithFields):
 class ChallengeResponse(jose.TypedJSONObjectWithFields):
     # _fields_to_partial_json
     """ACME challenge response."""
-    TYPES: Dict[str, Type['ChallengeResponse']] = {}
+    TYPES: dict[str, type['ChallengeResponse']] = {}
 
-    def to_partial_json(self) -> Dict[str, Any]:
+    def to_partial_json(self) -> dict[str, Any]:
         # Removes the `type` field which is inserted by TypedJSONObjectWithFields.to_partial_json.
         # This field breaks RFC8555 compliance.
         jobj = super().to_partial_json()
@@ -69,13 +59,13 @@ class UnrecognizedChallenge(Challenge):
     :ivar jobj: Original JSON decoded object.
 
     """
-    jobj: Dict[str, Any]
+    jobj: dict[str, Any]
 
     def __init__(self, jobj: Mapping[str, Any]) -> None:
         super().__init__()
         object.__setattr__(self, "jobj", jobj)
 
-    def to_partial_json(self) -> Dict[str, Any]:
+    def to_partial_json(self) -> dict[str, Any]:
         return self.jobj  # pylint: disable=no-member
 
     @classmethod
@@ -89,7 +79,7 @@ class _TokenChallenge(Challenge):
     :ivar bytes token:
 
     """
-    TOKEN_SIZE = 128 / 8  # Based on the entropy value from the spec
+    TOKEN_SIZE = 128 // 8  # Based on the entropy value from the spec
     """Minimum size of the :attr:`token` in bytes."""
 
     # TODO: acme-spec doesn't specify token as base64-encoded value
@@ -154,7 +144,7 @@ class KeyAuthorizationChallengeResponse(ChallengeResponse):
 
         return True
 
-    def to_partial_json(self) -> Dict[str, Any]:
+    def to_partial_json(self) -> dict[str, Any]:
         jobj = super().to_partial_json()
         jobj.pop('keyAuthorization', None)
         return jobj
@@ -171,7 +161,7 @@ class KeyAuthorizationChallenge(_TokenChallenge, metaclass=abc.ABCMeta):
     :param str typ: type of the challenge
     """
     typ: str = NotImplemented
-    response_cls: Type[KeyAuthorizationChallengeResponse] = NotImplemented
+    response_cls: type[KeyAuthorizationChallengeResponse] = NotImplemented
     thumbprint_hash_function = (
         KeyAuthorizationChallengeResponse.thumbprint_hash_function)
 
@@ -214,7 +204,7 @@ class KeyAuthorizationChallenge(_TokenChallenge, metaclass=abc.ABCMeta):
         raise NotImplementedError()  # pragma: no cover
 
     def response_and_validation(self, account_key: jose.JWK, *args: Any, **kwargs: Any
-                                ) -> Tuple[KeyAuthorizationChallengeResponse, Any]:
+                                ) -> tuple[KeyAuthorizationChallengeResponse, Any]:
         """Generate response and validation.
 
         Convenience function that return results of `response` and
@@ -397,173 +387,6 @@ class HTTP01(KeyAuthorizationChallenge):
         return self.key_authorization(account_key)
 
 
-@ChallengeResponse.register
-class TLSALPN01Response(KeyAuthorizationChallengeResponse):
-    """ACME tls-alpn-01 challenge response."""
-    typ = "tls-alpn-01"
-
-    PORT = 443
-    """Verification port as defined by the protocol.
-
-    You can override it (e.g. for testing) by passing ``port`` to
-    `simple_verify`.
-
-    """
-
-    ID_PE_ACME_IDENTIFIER_V1 = b"1.3.6.1.5.5.7.1.30.1"
-    ACME_TLS_1_PROTOCOL = b"acme-tls/1"
-
-    @property
-    def h(self) -> bytes:
-        """Hash value stored in challenge certificate"""
-        return hashlib.sha256(self.key_authorization.encode('utf-8')).digest()
-
-    def gen_cert(self, domain: str, key: Optional[crypto.PKey] = None, bits: int = 2048
-                 ) -> Tuple[crypto.X509, crypto.PKey]:
-        """Generate tls-alpn-01 certificate.
-
-        :param str domain: Domain verified by the challenge.
-        :param OpenSSL.crypto.PKey key: Optional private key used in
-            certificate generation. If not provided (``None``), then
-            fresh key will be generated.
-        :param int bits: Number of bits for newly generated key.
-
-        :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey`
-
-        """
-        if key is None:
-            key = crypto.PKey()
-            key.generate_key(crypto.TYPE_RSA, bits)
-
-        der_value = b"DER:" + codecs.encode(self.h, 'hex')
-        acme_extension = crypto.X509Extension(self.ID_PE_ACME_IDENTIFIER_V1,
-                                              critical=True, value=der_value)
-
-        return crypto_util.gen_ss_cert(key, [domain], force_san=True,
-                                       extensions=[acme_extension]), key
-
-    def probe_cert(self, domain: str, host: Optional[str] = None,
-                   port: Optional[int] = None) -> crypto.X509:
-        """Probe tls-alpn-01 challenge certificate.
-
-        :param str domain: domain being validated, required.
-        :param str host: IP address used to probe the certificate.
-        :param int port: Port used to probe the certificate.
-
-        """
-        if host is None:
-            host = socket.gethostbyname(domain)
-            logger.debug('%s resolved to %s', domain, host)
-        if port is None:
-            port = self.PORT
-
-        return crypto_util.probe_sni(host=host.encode(), port=port, name=domain.encode(),
-                                     alpn_protocols=[self.ACME_TLS_1_PROTOCOL])
-
-    def verify_cert(self, domain: str, cert: crypto.X509) -> bool:
-        """Verify tls-alpn-01 challenge certificate.
-
-        :param str domain: Domain name being validated.
-        :param OpensSSL.crypto.X509 cert: Challenge certificate.
-
-        :returns: Whether the certificate was successfully verified.
-        :rtype: bool
-
-        """
-        # pylint: disable=protected-access
-        names = crypto_util._pyopenssl_cert_or_req_all_names(cert)
-        # Type ignore needed due to
-        # https://github.com/pyca/pyopenssl/issues/730.
-        logger.debug('Certificate %s. SANs: %s',
-                     cert.digest('sha256'), names)
-        if len(names) != 1 or names[0].lower() != domain.lower():
-            return False
-
-        for i in range(cert.get_extension_count()):
-            ext = cert.get_extension(i)
-            # FIXME: assume this is the ACME extension. Currently there is no
-            # way to get full OID of an unknown extension from pyopenssl.
-            if ext.get_short_name() == b'UNDEF':
-                data = ext.get_data()
-                return data == self.h
-
-        return False
-
-    # pylint: disable=too-many-arguments
-    def simple_verify(self, chall: 'TLSALPN01', domain: str, account_public_key: jose.JWK,
-                      cert: Optional[crypto.X509] = None, host: Optional[str] = None,
-                      port: Optional[int] = None) -> bool:
-        """Simple verify.
-
-        Verify ``validation`` using ``account_public_key``, optionally
-        probe tls-alpn-01 certificate and check using `verify_cert`.
-
-        :param .challenges.TLSALPN01 chall: Corresponding challenge.
-        :param str domain: Domain name being validated.
-        :param JWK account_public_key:
-        :param OpenSSL.crypto.X509 cert: Optional certificate. If not
-            provided (``None``) certificate will be retrieved using
-            `probe_cert`.
-        :param string host: IP address used to probe the certificate.
-        :param int port: Port used to probe the certificate.
-
-
-        :returns: ``True`` if and only if client's control of the domain has been verified.
-        :rtype: bool
-
-        """
-        if not self.verify(chall, account_public_key):
-            logger.debug("Verification of key authorization in response failed")
-            return False
-
-        if cert is None:
-            try:
-                cert = self.probe_cert(domain=domain, host=host, port=port)
-            except errors.Error as error:
-                logger.debug(str(error), exc_info=True)
-                return False
-
-        return self.verify_cert(domain, cert)
-
-
-@Challenge.register  # pylint: disable=too-many-ancestors
-class TLSALPN01(KeyAuthorizationChallenge):
-    """ACME tls-alpn-01 challenge."""
-    response_cls = TLSALPN01Response
-    typ = response_cls.typ
-
-    def validation(self, account_key: jose.JWK, **kwargs: Any) -> Tuple[crypto.X509, crypto.PKey]:
-        """Generate validation.
-
-        :param JWK account_key:
-        :param str domain: Domain verified by the challenge.
-        :param OpenSSL.crypto.PKey cert_key: Optional private key used
-            in certificate generation. If not provided (``None``), then
-            fresh key will be generated.
-
-        :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey`
-
-        """
-        # TODO: Remove cast when response() is generic.
-        return cast(TLSALPN01Response, self.response(account_key)).gen_cert(
-            key=kwargs.get('cert_key'),
-            domain=cast(str, kwargs.get('domain')))
-
-    @staticmethod
-    def is_supported() -> bool:
-        """
-        Check if TLS-ALPN-01 challenge is supported on this machine.
-        This implies that a recent version of OpenSSL is installed (>= 1.0.2),
-        or a recent cryptography version shipped with the OpenSSL library is installed.
-
-        :returns: ``True`` if TLS-ALPN-01 is supported on this machine, ``False`` otherwise.
-        :rtype: bool
-
-        """
-        return (hasattr(SSL.Connection, "set_alpn_protos")
-                and hasattr(SSL.Context, "set_alpn_select_callback"))
-
-
 @Challenge.register
 class DNS(_TokenChallenge):
     """ACME "dns" challenge."""

acme/src/acme/client.py

@@ -4,19 +4,18 @@ import datetime
 from email.utils import parsedate_tz
 import http.client as http_client
 import logging
-import re
+import math
+import random
 import time
 from typing import Any
 from typing import cast
-from typing import List
 from typing import Mapping
 from typing import Optional
-from typing import Set
-from typing import Tuple
 from typing import Union
 
+from cryptography import x509
+
 import josepy as jose
-import OpenSSL
 import requests
 from requests.adapters import HTTPAdapter
 from requests.utils import parse_header_links
@@ -113,7 +112,7 @@ class ClientV2:
         self.net.account = new_regr
         return new_regr
 
-    def new_order(self, csr_pem: bytes) -> messages.OrderResource:
+    def new_order(self, csr_pem: bytes, profile: Optional[str] = None) -> messages.OrderResource:
         """Request a new Order object from the server.
 
         :param bytes csr_pem: A CSR in PEM format.
@@ -121,19 +120,24 @@ class ClientV2:
         :returns: The newly created order.
         :rtype: OrderResource
         """
-        csr = OpenSSL.crypto.load_certificate_request(OpenSSL.crypto.FILETYPE_PEM, csr_pem)
-        # pylint: disable=protected-access
-        dnsNames = crypto_util._pyopenssl_cert_or_req_all_names(csr)
-        ipNames = crypto_util._pyopenssl_cert_or_req_san_ip(csr)
-        # ipNames is now []string
+        csr = x509.load_pem_x509_csr(csr_pem)
+        dnsNames = crypto_util.get_names_from_subject_and_extensions(csr.subject, csr.extensions)
+        try:
+            san_ext = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
+        except x509.ExtensionNotFound:
+            ipNames = []
+        else:
+            ipNames = san_ext.value.get_values_for_type(x509.IPAddress)
         identifiers = []
         for name in dnsNames:
             identifiers.append(messages.Identifier(typ=messages.IDENTIFIER_FQDN,
                 value=name))
-        for ips in ipNames:
+        for ip in ipNames:
             identifiers.append(messages.Identifier(typ=messages.IDENTIFIER_IP,
-                value=ips))
-        order = messages.NewOrder(identifiers=identifiers)
+                value=str(ip)))
+        if profile is None:
+            profile = ""
+        order = messages.NewOrder(identifiers=identifiers, profile=profile)
         response = self._post(self.directory['newOrder'], order)
         body = messages.Order.from_json(response.json())
         authorizations = []
@@ -149,7 +153,7 @@ class ClientV2:
             csr_pem=csr_pem)
 
     def poll(self, authzr: messages.AuthorizationResource
-             ) -> Tuple[messages.AuthorizationResource, requests.Response]:
+             ) -> tuple[messages.AuthorizationResource, requests.Response]:
         """Poll Authorization Resource for status.
 
         :param authzr: Authorization Resource
@@ -218,10 +222,14 @@ class ClientV2:
 
         :returns: updated order
         :rtype: messages.OrderResource
+
+        :raises .messages.Error: If server indicates order is not yet in ready state,
+            it will return a 403 (Forbidden) error with a problem document/error code of type
+            "orderNotReady"
+
         """
-        csr = OpenSSL.crypto.load_certificate_request(
-            OpenSSL.crypto.FILETYPE_PEM, orderr.csr_pem)
-        wrapped_csr = messages.CertificateRequest(csr=jose.ComparableX509(csr))
+        csr = x509.load_pem_x509_csr(orderr.csr_pem)
+        wrapped_csr = messages.CertificateRequest(csr=csr)
         res = self._post(orderr.body.finalize, wrapped_csr)
         orderr = orderr.update(body=messages.Order.from_json(res.json()))
         return orderr
@@ -234,21 +242,37 @@ class ClientV2:
         Poll an order that has been finalized for its status.
         If it becomes valid, obtain the certificate.
 
+        If a finalization request previously returned `orderNotReady`,
+        poll until ready, send a new finalization request, and continue
+        polling until valid as above.
+
         :returns: finalized order (with certificate)
         :rtype: messages.OrderResource
         """
-
+        sleep_seconds: float = 1
         while datetime.datetime.now() < deadline:
-            time.sleep(1)
+            if sleep_seconds > 0:
+                time.sleep(sleep_seconds)
             response = self._post_as_get(orderr.uri)
             body = messages.Order.from_json(response.json())
             if body.status == messages.STATUS_INVALID:
+                # "invalid": The certificate will not be issued.  Consider this
+                # order process abandoned.
                 if body.error is not None:
                     raise errors.IssuanceError(body.error)
                 raise errors.Error(
                     "The certificate order failed. No further information was provided "
                     "by the server.")
+            elif body.status == messages.STATUS_READY:
+                # "ready": The server agrees that the requirements have been
+                # fulfilled, and is awaiting finalization.  Submit a finalization
+                # request.
+                self.begin_finalization(orderr)
+                sleep_seconds = 1
             elif body.status == messages.STATUS_VALID and body.certificate is not None:
+                # "valid": The server has issued the certificate and provisioned its
+                # URL to the "certificate" field of the order.  Download the
+                # certificate.
                 certificate_response = self._post_as_get(body.certificate)
                 orderr = orderr.update(body=body, fullchain_pem=certificate_response.text)
                 if fetch_alternative_chains:
@@ -256,6 +280,14 @@ class ClientV2:
                     alt_chains = [self._post_as_get(url).text for url in alt_chains_urls]
                     orderr = orderr.update(alternative_fullchains_pem=alt_chains)
                 return orderr
+            elif body.status == messages.STATUS_PROCESSING:
+                # "processing": The certificate is being issued.  Send a POST-as-GET request after
+                # the time given in the Retry-After header field of the response, if any.
+                retry_after = self.retry_after(response, 1)
+                # Whatever Retry-After the ACME server requests, the polling must not take
+                # longer than the overall deadline
+                retry_after = min(retry_after, deadline)
+                sleep_seconds = (retry_after - datetime.datetime.now()).total_seconds()
         raise errors.TimeoutError()
 
     def finalize_order(self, orderr: messages.OrderResource, deadline: datetime.datetime,
@@ -271,14 +303,84 @@ class ClientV2:
         :rtype: messages.OrderResource
 
         """
-        self.begin_finalization(orderr)
+        try:
+            self.begin_finalization(orderr)
+        except messages.Error as e:
+            if e.code != 'orderNotReady':
+                raise e
         return self.poll_finalization(orderr, deadline, fetch_alternative_chains)
 
-    def revoke(self, cert: jose.ComparableX509, rsn: int) -> None:
+    def renewal_time(self, cert_pem: bytes
+        ) -> tuple[Optional[datetime.datetime], datetime.datetime]:
+        """Return an appropriate time to attempt renewal of the certificate,
+        and the next time to ask the ACME server for renewal info.
+
+        If the certificate has already expired, renewal info isn't checked.
+        Instead, the certificate's notAfter time is returned and the certificate
+        should be immediately renewed.
+
+        If the ACME directory has a "renewalInfo" field, the response will be
+        based on a fetch of the renewal info resource for the certificate
+        (https://www.ietf.org/archive/id/draft-ietf-acme-ari-08.html).
+
+        If there is no "renewalInfo" field, this function will return a tuple of
+        None, and the next time to ask the ACME server for renewal info.
+
+        This function may make other network calls in the future (e.g., OCSP
+        or CRL).
+
+        :param bytes cert_pem: cert as pem file
+
+        :returns: Tuple of time to attempt renewal, next time to ask for renewal info
+
+        :raises errors.ARIError: If an error occurs fetching ARI from the
+            server. Explicit exception chaining is used so the original error
+            can be accessed through the __cause__ attribute on the ARIError if
+            desired.
+
+        """
+        now = datetime.datetime.now()
+        # https://www.ietf.org/archive/id/draft-ietf-acme-ari-08.html#section-4.3.3
+        default_retry_after = datetime.timedelta(seconds=6 * 60 * 60)
+
+        cert = x509.load_pem_x509_certificate(cert_pem)
+
+        # from https://www.ietf.org/archive/id/draft-ietf-acme-ari-08.html#section-4.3, "Clients
+        # MUST NOT check a certificate's RenewalInfo after the certificate has expired."
+        #
+        # we call datetime.datetime.now here with the UTC argument to create a timezone aware
+        # datetime object that can be compared with the UTC notAfter from cryptography
+        if cert.not_valid_after_utc < datetime.datetime.now(datetime.timezone.utc):
+            return cert.not_valid_after_utc, now + default_retry_after
+
+        try:
+            renewal_info_base_url = self.directory['renewalInfo']
+        except KeyError:
+            return None, now + default_retry_after
+
+        ari_url = renewal_info_base_url + '/' + _renewal_info_path_component(cert)
+        try:
+            resp = self.net.get(ari_url, content_type='application/json')
+        except Exception as e:  # pylint: disable=broad-except
+            error_msg = f'failed to fetch renewal_info URL {ari_url}'
+            raise errors.ARIError(error_msg, now + default_retry_after) from e
+        renewal_info: messages.RenewalInfo = messages.RenewalInfo.from_json(resp.json())
+
+        start = renewal_info.suggested_window.start # pylint: disable=no-member
+        end = renewal_info.suggested_window.end # pylint: disable=no-member
+
+        delta_seconds = (end - start).total_seconds()
+        random_seconds = random.uniform(0, delta_seconds)
+        random_time = start + datetime.timedelta(seconds=random_seconds)
+
+        retry_after = self.retry_after(resp, default_retry_after.seconds)
+        return random_time, retry_after
+
+
+    def revoke(self, cert: x509.Certificate, rsn: int) -> None:
         """Revoke certificate.
 
-        :param .ComparableX509 cert: `OpenSSL.crypto.X509` wrapped in
-            `.ComparableX509`
+        :param x509.Certificate cert: `x509.Certificate`
 
         :param int rsn: Reason code for certificate revocation.
 
@@ -303,7 +405,7 @@ class ClientV2:
         new_args = args[:1] + (None,) + args[1:]
         return self._post(*new_args, **kwargs)
 
-    def _get_links(self, response: requests.Response, relation_type: str) -> List[str]:
+    def _get_links(self, response: requests.Response, relation_type: str) -> list[str]:
         """
         Retrieves all Link URIs of relation_type from the response.
         :param requests.Response response: The requests HTTP response.
@@ -314,8 +416,8 @@ class ClientV2:
         if 'Link' not in response.headers:
             return []
         links = parse_header_links(response.headers['Link'])
-        return [l['url'] for l in links
-                if 'rel' in l and 'url' in l and l['rel'] == relation_type]
+        return [link['url'] for link in links
+                if 'rel' in link and 'url' in link and link['rel'] == relation_type]
 
     @classmethod
     def get_directory(cls, url: str, net: 'ClientNetwork') -> messages.Directory:
@@ -466,11 +568,10 @@ class ClientV2:
 
         return datetime.datetime.now() + datetime.timedelta(seconds=seconds)
 
-    def _revoke(self, cert: jose.ComparableX509, rsn: int, url: str) -> None:
+    def _revoke(self, cert: x509.Certificate, rsn: int, url: str) -> None:
         """Revoke certificate.
 
-        :param .ComparableX509 cert: `OpenSSL.crypto.X509` wrapped in
-            `.ComparableX509`
+        :param .x509.Certificate cert: `x509.Certificate`
 
         :param int rsn: Reason code for certificate revocation.
 
@@ -500,7 +601,7 @@ class ClientNetwork:
 
     """Initialize.
 
-    :param josepy.JWK key: Account private key
+    :param josepy.JWK key: Account private key. Required to use .post().
     :param messages.RegistrationResource account: Account object. Required if you are
             planning to use .post() for anything other than creating a new account;
             may be set later after registering.
@@ -509,14 +610,15 @@ class ClientNetwork:
     :param str user_agent: String to send as User-Agent header.
     :param int timeout: Timeout for requests.
     """
-    def __init__(self, key: jose.JWK, account: Optional[messages.RegistrationResource] = None,
+    def __init__(self, key: Optional[jose.JWK] = None,
+                 account: Optional[messages.RegistrationResource] = None,
                  alg: jose.JWASignature = jose.RS256, verify_ssl: bool = True,
                  user_agent: str = 'acme-python', timeout: int = DEFAULT_NETWORK_TIMEOUT) -> None:
         self.key = key
         self.account = account
         self.alg = alg
         self.verify_ssl = verify_ssl
-        self._nonces: Set[str] = set()
+        self._nonces: set[str] = set()
         self.user_agent = user_agent
         self.session = requests.Session()
         self._default_timeout = timeout
@@ -546,16 +648,17 @@ class ClientNetwork:
         """
         jobj = obj.json_dumps(indent=2).encode() if obj else b''
         logger.debug('JWS payload:\n%s', jobj)
+        assert self.key
         kwargs = {
             "alg": self.alg,
             "nonce": nonce,
-            "url": url
+            "url": url,
+            "key": self.key
         }
         # newAccount and revokeCert work without the kid
         # newAccount must not have kid
         if self.account is not None:
             kwargs["kid"] = self.account["uri"]
-        kwargs["key"] = self.key
         return jws.JWS.sign(jobj, **cast(Mapping[str, Any], kwargs)).json_dumps(indent=2)
 
     @classmethod
@@ -643,30 +746,7 @@ class ClientNetwork:
         kwargs.setdefault('headers', {})
         kwargs['headers'].setdefault('User-Agent', self.user_agent)
         kwargs.setdefault('timeout', self._default_timeout)
-        try:
-            response = self.session.request(method, url, *args, **kwargs)
-        except requests.exceptions.RequestException as e:
-            # pylint: disable=pointless-string-statement
-            """Requests response parsing
-
-            The requests library emits exceptions with a lot of extra text.
-            We parse them with a regexp to raise a more readable exceptions.
-
-            Example:
-            HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org',
-            port=443): Max retries exceeded with url: /directory
-            (Caused by NewConnectionError('
-            <requests.packages.urllib3.connection.VerifiedHTTPSConnection
-            object at 0x108356c50>: Failed to establish a new connection:
-            [Errno 65] No route to host',))"""
-
-            # pylint: disable=line-too-long
-            err_regex = r".*host='(\S*)'.*Max retries exceeded with url\: (\/\w*).*(\[Errno \d+\])([A-Za-z ]*)"
-            m = re.match(err_regex, str(e))
-            if m is None:
-                raise  # pragma: no cover
-            host, path, _err_no, err_msg = m.groups()
-            raise ValueError(f"Requesting {host}{path}:{err_msg}")
+        response = self.session.request(method, url, *args, **kwargs)
 
         # If an Accept header was sent in the request, the response may not be
         # UTF-8 encoded. In this case, we don't set response.encoding and log
@@ -745,9 +825,30 @@ class ClientNetwork:
     def _post_once(self, url: str, obj: jose.JSONDeSerializable,
                    content_type: str = JOSE_CONTENT_TYPE, **kwargs: Any) -> requests.Response:
         new_nonce_url = kwargs.pop('new_nonce_url', None)
+        if not self.key:
+            raise errors.Error("acme.ClientNetwork with no private key can't POST.")
         data = self._wrap_in_jws(obj, self._get_nonce(url, new_nonce_url), url)
         kwargs.setdefault('headers', {'Content-Type': content_type})
         response = self._send_request('POST', url, data=data, **kwargs)
         response = self._check_response(response, content_type=content_type)
         self._add_nonce(response)
         return response
+
+def _renewal_info_path_component(cert: x509.Certificate) -> str:
+    akid_ext = cert.extensions.get_extension_for_oid(x509.ExtensionOID.AUTHORITY_KEY_IDENTIFIER)
+    key_identifier = akid_ext.value.key_identifier # type: ignore[attr-defined]
+
+    akid_encoded = base64.urlsafe_b64encode(key_identifier).decode('ascii').replace("=", "")
+
+    # We add one to the reported bit_length so there is room for the sign bit.
+    # https://docs.python.org/3/library/stdtypes.html#int.bit_length
+    # "Return the number of bits necessary to represent an integer in binary, excluding
+    # the sign and leading zeros"
+    serial = cert.serial_number
+    encoded_serial_len = math.ceil((serial.bit_length()+1)/8)
+    # Serials are encoded as ASN.1 INTEGERS, which means big endian and signed (two's complement).
+    # https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/#integer-encoding
+    serial_bytes = serial.to_bytes(encoded_serial_len, byteorder='big', signed=True)
+    serial_encoded = base64.urlsafe_b64encode(serial_bytes).decode('ascii').replace("=", "")
+
+    return f"{akid_encoded}.{serial_encoded}"

acme/src/acme/crypto_util.py

@@ -0,0 +1,277 @@
+"""Crypto utilities."""
+import enum
+from datetime import datetime, timedelta, timezone
+import ipaddress
+import logging
+import typing
+from typing import Literal
+from typing import Optional
+from typing import Union
+import warnings
+
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import dsa, rsa, ec, ed25519, ed448, types
+from cryptography.hazmat.primitives.serialization import Encoding
+from OpenSSL import crypto
+
+logger = logging.getLogger(__name__)
+
+
+class Format(enum.IntEnum):
+    """File format to be used when parsing or serializing X.509 structures.
+
+    Backwards compatible with the `FILETYPE_ASN1` and `FILETYPE_PEM` constants
+    from pyOpenSSL.
+    """
+    DER = crypto.FILETYPE_ASN1
+    PEM = crypto.FILETYPE_PEM
+
+    def to_cryptography_encoding(self) -> Encoding:
+        """Converts the Format to the corresponding cryptography `Encoding`.
+        """
+        if self == Format.DER:
+            return Encoding.DER
+        else:
+            return Encoding.PEM
+
+
+# Even *more* annoyingly, due to a mypy bug, we can't use Union[] types in
+# isinstance expressions without causing false mypy errors. So we have to
+# recreate the type collection as a tuple here. And no, typing.get_args doesn't
+# work due to another mypy bug.
+#
+# mypy issues:
+#  * https://github.com/python/mypy/issues/17680
+#  * https://github.com/python/mypy/issues/15106
+CertificateIssuerPrivateKeyTypesTpl = (
+    dsa.DSAPrivateKey,
+    rsa.RSAPrivateKey,
+    ec.EllipticCurvePrivateKey,
+    ed25519.Ed25519PrivateKey,
+    ed448.Ed448PrivateKey,
+)
+
+
+def make_csr(
+    private_key_pem: bytes,
+    domains: Optional[Union[set[str], list[str]]] = None,
+    must_staple: bool = False,
+    ipaddrs: Optional[list[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]] = None,
+) -> bytes:
+    """Generate a CSR containing domains or IPs as subjectAltNames.
+
+    Parameters are ordered this way for backwards compatibility when called using positional
+    arguments.
+
+    :param buffer private_key_pem: Private key, in PEM PKCS#8 format.
+    :param list domains: List of DNS names to include in subjectAltNames of CSR.
+    :param bool must_staple: Whether to include the TLS Feature extension (aka
+        OCSP Must Staple: https://tools.ietf.org/html/rfc7633).
+    :param list ipaddrs: List of IPaddress(type ipaddress.IPv4Address or ipaddress.IPv6Address)
+        names to include in subbjectAltNames of CSR.
+
+    :returns: buffer PEM-encoded Certificate Signing Request.
+
+    """
+    private_key = serialization.load_pem_private_key(private_key_pem, password=None)
+    if not isinstance(private_key, CertificateIssuerPrivateKeyTypesTpl):
+        raise ValueError(f"Invalid private key type: {type(private_key)}")
+    if domains is None:
+        domains = []
+    if ipaddrs is None:
+        ipaddrs = []
+    if len(domains) + len(ipaddrs) == 0:
+        raise ValueError(
+            "At least one of domains or ipaddrs parameter need to be not empty"
+        )
+
+    builder = (
+        x509.CertificateSigningRequestBuilder()
+        .subject_name(x509.Name([]))
+        .add_extension(
+            x509.SubjectAlternativeName(
+                [x509.DNSName(d) for d in domains]
+                + [x509.IPAddress(i) for i in ipaddrs]
+            ),
+            critical=False,
+        )
+    )
+    if must_staple:
+        builder = builder.add_extension(
+            # "status_request" is the feature commonly known as OCSP
+            # Must-Staple
+            x509.TLSFeature([x509.TLSFeatureType.status_request]),
+            critical=False,
+        )
+
+    csr = builder.sign(private_key, hashes.SHA256())
+    return csr.public_bytes(Encoding.PEM)
+
+
+def get_names_from_subject_and_extensions(
+    subject: x509.Name, exts: x509.Extensions
+) -> list[str]:
+    """Gets all DNS SAN names as well as the first Common Name from subject.
+
+    :param subject: Name of the x509 object, which may include Common Name
+    :type subject: `cryptography.x509.Name`
+    :param exts: Extensions of the x509 object, which may include SANs
+    :type exts: `cryptography.x509.Extensions`
+
+    :returns: List of DNS Subject Alternative Names and first Common Name
+    :rtype: `list` of `str`
+    """
+    # We know these are always `str` because `bytes` is only possible for
+    # other OIDs.
+    cns = [
+        typing.cast(str, c.value)
+        for c in subject.get_attributes_for_oid(x509.NameOID.COMMON_NAME)
+    ]
+    try:
+        san_ext = exts.get_extension_for_class(x509.SubjectAlternativeName)
+    except x509.ExtensionNotFound:
+        dns_names = []
+    else:
+        dns_names = san_ext.value.get_values_for_type(x509.DNSName)
+
+    if not cns:
+        return dns_names
+    else:
+        # We only include the first CN, if there are multiple. This matches
+        # the behavior of the previous implementation using pyOpenSSL.
+        return [cns[0]] + [d for d in dns_names if d != cns[0]]
+
+
+def _cryptography_cert_or_req_san(
+    cert_or_req: Union[x509.Certificate, x509.CertificateSigningRequest],
+) -> list[str]:
+    """Get Subject Alternative Names from certificate or CSR using cryptography.
+
+    .. note:: Although this is `acme` internal API, it is used by
+        `letsencrypt`.
+
+    :param cert_or_req: Certificate or CSR.
+    :type cert_or_req: `x509.Certificate` or `x509.CertificateSigningRequest`.
+
+    :returns: A list of Subject Alternative Names that is DNS.
+    :rtype: `list` of `str`
+
+    Deprecated
+    .. deprecated: 3.2.1
+    """
+    # ???: is this translation needed?
+    exts = cert_or_req.extensions
+    try:
+        san_ext = exts.get_extension_for_class(x509.SubjectAlternativeName)
+    except x509.ExtensionNotFound:
+        return []
+
+    return san_ext.value.get_values_for_type(x509.DNSName)
+
+
+# Helper function that can be mocked in unit tests
+def _now() -> datetime:
+    return datetime.now(tz=timezone.utc)
+
+
+def make_self_signed_cert(private_key: types.CertificateIssuerPrivateKeyTypes,
+                          domains: Optional[list[str]] = None,
+                          not_before: Optional[datetime] = None,
+                          validity: Optional[timedelta] = None, force_san: bool = True,
+                          extensions: Optional[list[x509.Extension]] = None,
+                          ips: Optional[list[Union[ipaddress.IPv4Address,
+                                                   ipaddress.IPv6Address]]] = None
+                          ) -> x509.Certificate:
+    """Generate new self-signed certificate.
+    :param buffer private_key_pem: Private key, in PEM PKCS#8 format.
+    :type domains: `list` of `str`
+    :param int not_before: A datetime after which the cert is valid. If no
+    timezone is specified, UTC is assumed
+    :type not_before: `datetime.datetime`
+    :param validity: Duration for which the cert will be valid. Defaults to 1
+    week
+    :type validity: `datetime.timedelta`
+    :param buffer private_key_pem: One of
+    `cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPrivateKeyTypes`
+    :param bool force_san:
+    :param extensions: List of additional extensions to include in the cert.
+    :type extensions: `list` of `x509.Extension[x509.ExtensionType]`
+    :type ips: `list` of (`ipaddress.IPv4Address` or `ipaddress.IPv6Address`)
+    If more than one domain is provided, all of the domains are put into
+    ``subjectAltName`` X.509 extension and first domain is set as the
+    subject CN. If only one domain is provided no ``subjectAltName``
+    extension is used, unless `force_san` is ``True``.
+    """
+    warnings.warn("make_self_signed_cert is deprecated and will be removed in "
+                  "an upcoming release", DeprecationWarning)
+    assert domains or ips, "Must provide one or more hostnames or IPs for the cert."
+
+    builder = x509.CertificateBuilder()
+    builder = builder.serial_number(x509.random_serial_number())
+
+    if extensions is not None:
+        for ext in extensions:
+            builder = builder.add_extension(ext.value, ext.critical)
+    if domains is None:
+        domains = []
+    if ips is None:
+        ips = []
+    builder = builder.add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
+
+    name_attrs = []
+    if len(domains) > 0:
+        name_attrs.append(x509.NameAttribute(
+            x509.OID_COMMON_NAME,
+            domains[0]
+        ))
+
+    builder = builder.subject_name(x509.Name(name_attrs))
+    builder = builder.issuer_name(x509.Name(name_attrs))
+
+    sanlist: list[x509.GeneralName] = []
+    for address in domains:
+        sanlist.append(x509.DNSName(address))
+    for ip in ips:
+        sanlist.append(x509.IPAddress(ip))
+    if force_san or len(domains) > 1 or len(ips) > 0:
+        builder = builder.add_extension(
+            x509.SubjectAlternativeName(sanlist),
+            critical=False
+        )
+
+    if not_before is None:
+        not_before = _now()
+    if validity is None:
+        validity = timedelta(seconds=7 * 24 * 60 * 60)
+    builder = builder.not_valid_before(not_before)
+    builder = builder.not_valid_after(not_before + validity)
+
+    public_key = private_key.public_key()
+    builder = builder.public_key(public_key)
+    return builder.sign(private_key, hashes.SHA256())
+
+
+def dump_cryptography_chain(
+    chain: list[x509.Certificate],
+    encoding: Literal[Encoding.PEM, Encoding.DER] = Encoding.PEM,
+) -> bytes:
+    """Dump certificate chain into a bundle.
+
+    :param list chain: List of `cryptography.x509.Certificate`.
+
+    :returns: certificate chain bundle
+    :rtype: bytes
+
+    Deprecated
+    .. deprecated: 3.2.1
+    """
+    # XXX: returns empty string when no chain is available, which
+    # shuts up RenewableCert, but might not be the best solution...
+
+    def _dump_cert(cert: x509.Certificate) -> bytes:
+        return cert.public_bytes(encoding)
+
+    # assumes that x509.Certificate.public_bytes includes ending
+    # newline character
+    return b"".join(_dump_cert(cert) for cert in chain)

acme/src/acme/errors.py

@@ -1,9 +1,8 @@
 """ACME errors."""
+import datetime
 import typing
 from typing import Any
-from typing import List
 from typing import Mapping
-from typing import Set
 
 from josepy import errors as jose_errors
 import requests
@@ -81,7 +80,7 @@ class PollError(ClientError):
         to the most recently updated one
 
     """
-    def __init__(self, exhausted: Set['messages.AuthorizationResource'],
+    def __init__(self, exhausted: set['messages.AuthorizationResource'],
                  updated: Mapping['messages.AuthorizationResource',
                                   'messages.AuthorizationResource']
                  ) -> None:
@@ -103,10 +102,20 @@ class ValidationError(Error):
     """Error for authorization failures. Contains a list of authorization
     resources, each of which is invalid and should have an error field.
     """
-    def __init__(self, failed_authzrs: List['messages.AuthorizationResource']) -> None:
+    def __init__(self, failed_authzrs: list['messages.AuthorizationResource']) -> None:
         self.failed_authzrs = failed_authzrs
         super().__init__()
 
+    def __str__(self) -> str:
+        msg = []
+        for authzr in self.failed_authzrs:
+            msg.append(f'Authorization for {authzr.body.identifier.value} ' \
+                'failed due to one or more failed challenges:')
+            for challenge in authzr.body.challenges:
+                msg.append(f'  Challenge {challenge.chall.typ} failed ' \
+                    f'with error {str(challenge.error)}')
+        return '\n'.join(msg)
+
 
 class TimeoutError(Error):  # pylint: disable=redefined-builtin
     """Error for when polling an authorization or an order times out."""
@@ -139,3 +148,10 @@ class ConflictError(ClientError):
 
 class WildcardUnsupportedError(Error):
     """Error for when a wildcard is requested but is unsupported by ACME CA."""
+
+
+class ARIError(ClientError):
+    """An error occurred during an ARI request and we want to suggest a Retry-After time."""
+    def __init__(self, message: str, retry_after: datetime.datetime) -> None:
+        super().__init__(message, retry_after)
+        self.retry_after = retry_after

acme/src/acme/fields.py

@@ -34,7 +34,7 @@ class RFC3339Field(jose.Field):
 
     Handles decoding/encoding between RFC3339 strings and aware (not
     naive) `datetime.datetime` objects
-    (e.g. ``datetime.datetime.now(pytz.UTC)``).
+    (e.g. ``datetime.datetime.now(datetime.timezone.utc)``).
 
     """
 

acme/src/acme/messages.py

@@ -3,16 +3,14 @@ from collections.abc import Hashable
 import datetime
 import json
 from typing import Any
-from typing import Dict
 from typing import Iterator
-from typing import List
 from typing import Mapping
 from typing import MutableMapping
 from typing import Optional
-from typing import Tuple
-from typing import Type
 from typing import TypeVar
 
+from cryptography import x509
+
 import josepy as jose
 
 from acme import challenges
@@ -71,7 +69,7 @@ def is_acme_error(err: BaseException) -> bool:
 class _Constant(jose.JSONDeSerializable, Hashable):
     """ACME constant."""
     __slots__ = ('name',)
-    POSSIBLE_NAMES: Dict[str, '_Constant'] = NotImplemented
+    POSSIBLE_NAMES: dict[str, '_Constant'] = NotImplemented
 
     def __init__(self, name: str) -> None:
         super().__init__()
@@ -99,7 +97,7 @@ class _Constant(jose.JSONDeSerializable, Hashable):
 
 class IdentifierType(_Constant):
     """ACME identifier type."""
-    POSSIBLE_NAMES: Dict[str, _Constant] = {}
+    POSSIBLE_NAMES: dict[str, _Constant] = {}
 
 
 IDENTIFIER_FQDN = IdentifierType('dns')  # IdentifierDNS in Boulder
@@ -138,12 +136,12 @@ class Error(jose.JSONObjectWithFields, errors.Error):
     detail: str = jose.field('detail', omitempty=True)
     identifier: Optional['Identifier'] = jose.field(
         'identifier', decoder=Identifier.from_json, omitempty=True)
-    subproblems: Optional[Tuple['Error', ...]] = jose.field('subproblems', omitempty=True)
+    subproblems: Optional[tuple['Error', ...]] = jose.field('subproblems', omitempty=True)
 
     # Mypy does not understand the josepy magic happening here, and falsely claims
     # that subproblems is redefined. Let's ignore the type check here.
     @subproblems.decoder  # type: ignore
-    def subproblems(value: List[Dict[str, Any]]) -> Tuple['Error', ...]:  # pylint: disable=no-self-argument,missing-function-docstring
+    def subproblems(value: list[dict[str, Any]]) -> tuple['Error', ...]:  # pylint: disable=no-self-argument,missing-function-docstring
         return tuple(Error.from_json(subproblem) for subproblem in value)
 
     @classmethod
@@ -206,7 +204,7 @@ class Error(jose.JSONObjectWithFields, errors.Error):
 
 class Status(_Constant):
     """ACME "status" field."""
-    POSSIBLE_NAMES: Dict[str, _Constant] = {}
+    POSSIBLE_NAMES: dict[str, _Constant] = {}
 
 
 STATUS_UNKNOWN = Status('unknown')
@@ -229,8 +227,9 @@ class Directory(jose.JSONDeSerializable):
         """Directory Meta."""
         _terms_of_service: str = jose.field('termsOfService', omitempty=True)
         website: str = jose.field('website', omitempty=True)
-        caa_identities: List[str] = jose.field('caaIdentities', omitempty=True)
+        caa_identities: list[str] = jose.field('caaIdentities', omitempty=True)
         external_account_required: bool = jose.field('externalAccountRequired', omitempty=True)
+        profiles: dict[str, str] = jose.field('profiles', omitempty=True)
 
         def __init__(self, **kwargs: Any) -> None:
             kwargs = {self._internal_name(k): v for k, v in kwargs.items()}
@@ -265,7 +264,7 @@ class Directory(jose.JSONDeSerializable):
         except KeyError:
             raise KeyError(f'Directory field "{name}" not found')
 
-    def to_partial_json(self) -> Dict[str, Any]:
+    def to_partial_json(self) -> dict[str, Any]:
         return util.map_keys(self._jobj, lambda k: k)
 
     @classmethod
@@ -301,15 +300,26 @@ class ExternalAccountBinding:
 
     @classmethod
     def from_data(cls, account_public_key: jose.JWK, kid: str, hmac_key: str,
-                  directory: Directory) -> Dict[str, Any]:
+                  directory: Directory, hmac_alg: str = "HS256") -> dict[str, Any]:
         """Create External Account Binding Resource from contact details, kid and hmac."""
 
         key_json = json.dumps(account_public_key.to_partial_json()).encode()
         decoded_hmac_key = jose.b64.b64decode(hmac_key)
         url = directory["newAccount"]
 
+        hmac_alg_map = {
+            "HS256": jose.jwa.HS256,
+            "HS384": jose.jwa.HS384,
+            "HS512": jose.jwa.HS512,
+        }
+        alg = hmac_alg_map.get(hmac_alg)
+        if alg is None:
+            supported = ", ".join(hmac_alg_map.keys())
+            raise ValueError(f"Invalid value for hmac_alg: {hmac_alg}. "
+                             f"Expected one of: {supported}.")
+
         eab = jws.JWS.sign(key_json, jose.jwk.JWKOct(key=decoded_hmac_key),
-                           jose.jwa.HS256, None,
+                           alg, None,
                            url, kid)
 
         return eab.to_partial_json()
@@ -333,21 +343,21 @@ class Registration(ResourceBody):
     # Contact field implements special behavior to allow messages that clear existing
     # contacts while not expecting the `contact` field when loading from json.
     # This is implemented in the constructor and *_json methods.
-    contact: Tuple[str, ...] = jose.field('contact', omitempty=True, default=())
+    contact: tuple[str, ...] = jose.field('contact', omitempty=True, default=())
     agreement: str = jose.field('agreement', omitempty=True)
     status: Status = jose.field('status', omitempty=True)
     terms_of_service_agreed: bool = jose.field('termsOfServiceAgreed', omitempty=True)
     only_return_existing: bool = jose.field('onlyReturnExisting', omitempty=True)
-    external_account_binding: Dict[str, Any] = jose.field('externalAccountBinding',
+    external_account_binding: dict[str, Any] = jose.field('externalAccountBinding',
                                                           omitempty=True)
 
     phone_prefix = 'tel:'
     email_prefix = 'mailto:'
 
     @classmethod
-    def from_data(cls: Type[GenericRegistration], phone: Optional[str] = None,
+    def from_data(cls: type[GenericRegistration], phone: Optional[str] = None,
                   email: Optional[str] = None,
-                  external_account_binding: Optional[Dict[str, Any]] = None,
+                  external_account_binding: Optional[dict[str, Any]] = None,
                   **kwargs: Any) -> GenericRegistration:
         """
         Create registration resource from contact details.
@@ -384,12 +394,12 @@ class Registration(ResourceBody):
             object.__setattr__(self, '_add_contact', True)
         super().__init__(**kwargs)
 
-    def _filter_contact(self, prefix: str) -> Tuple[str, ...]:
+    def _filter_contact(self, prefix: str) -> tuple[str, ...]:
         return tuple(
             detail[len(prefix):] for detail in self.contact  # pylint: disable=not-an-iterable
             if detail.startswith(prefix))
 
-    def _add_contact_if_appropriate(self, jobj: Dict[str, Any]) -> Dict[str, Any]:
+    def _add_contact_if_appropriate(self, jobj: dict[str, Any]) -> dict[str, Any]:
         """
         The `contact` member of Registration objects should not be required when
         de-serializing (as it would be if the Fields' `omitempty` flag were `False`), but
@@ -406,23 +416,23 @@ class Registration(ResourceBody):
 
         return jobj
 
-    def to_partial_json(self) -> Dict[str, Any]:
+    def to_partial_json(self) -> dict[str, Any]:
         """Modify josepy.JSONDeserializable.to_partial_json()"""
         jobj = super().to_partial_json()
         return self._add_contact_if_appropriate(jobj)
 
-    def fields_to_partial_json(self) -> Dict[str, Any]:
+    def fields_to_partial_json(self) -> dict[str, Any]:
         """Modify josepy.JSONObjectWithFields.fields_to_partial_json()"""
         jobj = super().fields_to_partial_json()
         return self._add_contact_if_appropriate(jobj)
 
     @property
-    def phones(self) -> Tuple[str, ...]:
+    def phones(self) -> tuple[str, ...]:
         """All phones found in the ``contact`` field."""
         return self._filter_contact(self.phone_prefix)
 
     @property
-    def emails(self) -> Tuple[str, ...]:
+    def emails(self) -> tuple[str, ...]:
         """All emails found in the ``contact`` field."""
         return self._filter_contact(self.email_prefix)
 
@@ -484,13 +494,13 @@ class ChallengeBody(ResourceBody):
     def encode(self, name: str) -> Any:
         return super().encode(self._internal_name(name))
 
-    def to_partial_json(self) -> Dict[str, Any]:
+    def to_partial_json(self) -> dict[str, Any]:
         jobj = super().to_partial_json()
         jobj.update(self.chall.to_partial_json())
         return jobj
 
     @classmethod
-    def fields_from_json(cls, jobj: Mapping[str, Any]) -> Dict[str, Any]:
+    def fields_from_json(cls, jobj: Mapping[str, Any]) -> dict[str, Any]:
         jobj_fields = super().fields_from_json(jobj)
         jobj_fields['chall'] = challenges.Challenge.from_json(jobj)
         return jobj_fields
@@ -539,7 +549,7 @@ class Authorization(ResourceBody):
 
     """
     identifier: Identifier = jose.field('identifier', decoder=Identifier.from_json, omitempty=True)
-    challenges: List[ChallengeBody] = jose.field('challenges', omitempty=True)
+    challenges: list[ChallengeBody] = jose.field('challenges', omitempty=True)
 
     status: Status = jose.field('status', omitempty=True, decoder=Status.from_json)
     # TODO: 'expires' is allowed for Authorization Resources in
@@ -552,7 +562,7 @@ class Authorization(ResourceBody):
     # Mypy does not understand the josepy magic happening here, and falsely claims
     # that challenge is redefined. Let's ignore the type check here.
     @challenges.decoder  # type: ignore
-    def challenges(value: List[Dict[str, Any]]) -> Tuple[ChallengeBody, ...]:  # pylint: disable=no-self-argument,missing-function-docstring
+    def challenges(value: list[dict[str, Any]]) -> tuple[ChallengeBody, ...]:  # pylint: disable=no-self-argument,missing-function-docstring
         return tuple(ChallengeBody.from_json(chall) for chall in value)
 
 
@@ -578,34 +588,32 @@ class AuthorizationResource(ResourceWithURI):
 class CertificateRequest(jose.JSONObjectWithFields):
     """ACME newOrder request.
 
-    :ivar jose.ComparableX509 csr:
-        `OpenSSL.crypto.X509Req` wrapped in `.ComparableX509`
+    :ivar x509.CertificateSigningRequest csr: `x509.CertificateSigningRequest`
 
     """
-    csr: jose.ComparableX509 = jose.field('csr', decoder=jose.decode_csr, encoder=jose.encode_csr)
+    csr: x509.CertificateSigningRequest = jose.field(
+        'csr', decoder=jose.decode_csr, encoder=jose.encode_csr)
 
 
 class CertificateResource(ResourceWithURI):
     """Certificate Resource.
 
-    :ivar josepy.util.ComparableX509 body:
-        `OpenSSL.crypto.X509` wrapped in `.ComparableX509`
+    :ivar x509.Certificate body: `x509.Certificate`
     :ivar str cert_chain_uri: URI found in the 'up' ``Link`` header
     :ivar tuple authzrs: `tuple` of `AuthorizationResource`.
 
     """
     cert_chain_uri: str = jose.field('cert_chain_uri')
-    authzrs: Tuple[AuthorizationResource, ...] = jose.field('authzrs')
+    authzrs: tuple[AuthorizationResource, ...] = jose.field('authzrs')
 
 
 class Revocation(jose.JSONObjectWithFields):
     """Revocation message.
 
-    :ivar jose.ComparableX509 certificate: `OpenSSL.crypto.X509` wrapped in
-        `jose.ComparableX509`
+    :ivar x509.Certificate certificate: `x509.Certificate`
 
     """
-    certificate: jose.ComparableX509 = jose.field(
+    certificate: x509.Certificate = jose.field(
         'certificate', decoder=jose.decode_cert, encoder=jose.encode_cert)
     reason: int = jose.field('reason')
 
@@ -613,6 +621,8 @@ class Revocation(jose.JSONObjectWithFields):
 class Order(ResourceBody):
     """Order Resource Body.
 
+    :ivar profile: The profile to request.
+    :vartype profile: str
     :ivar identifiers: List of identifiers for the certificate.
     :vartype identifiers: `list` of `.Identifier`
     :ivar acme.messages.Status status:
@@ -624,9 +634,11 @@ class Order(ResourceBody):
     :ivar datetime.datetime expires: When the order expires.
     :ivar ~.Error error: Any error that occurred during finalization, if applicable.
     """
-    identifiers: List[Identifier] = jose.field('identifiers', omitempty=True)
+    # https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/
+    profile: str = jose.field('profile', omitempty=True)
+    identifiers: list[Identifier] = jose.field('identifiers', omitempty=True)
     status: Status = jose.field('status', decoder=Status.from_json, omitempty=True)
-    authorizations: List[str] = jose.field('authorizations', omitempty=True)
+    authorizations: list[str] = jose.field('authorizations', omitempty=True)
     certificate: str = jose.field('certificate', omitempty=True)
     finalize: str = jose.field('finalize', omitempty=True)
     expires: datetime.datetime = fields.rfc3339('expires', omitempty=True)
@@ -635,7 +647,7 @@ class Order(ResourceBody):
     # Mypy does not understand the josepy magic happening here, and falsely claims
     # that identifiers is redefined. Let's ignore the type check here.
     @identifiers.decoder  # type: ignore
-    def identifiers(value: List[Dict[str, Any]]) -> Tuple[Identifier, ...]:  # pylint: disable=no-self-argument,missing-function-docstring
+    def identifiers(value: list[dict[str, Any]]) -> tuple[Identifier, ...]:  # pylint: disable=no-self-argument,missing-function-docstring
         return tuple(Identifier.from_json(identifier) for identifier in value)
 
 
@@ -665,17 +677,33 @@ class OrderResource(ResourceWithURI):
                                 decoder=lambda s: s.encode("utf-8"),
                                 encoder=lambda b: b.decode("utf-8"))
 
-    authorizations: List[AuthorizationResource] = jose.field('authorizations')
+    authorizations: list[AuthorizationResource] = jose.field('authorizations')
     fullchain_pem: str = jose.field('fullchain_pem', omitempty=True)
-    alternative_fullchains_pem: List[str] = jose.field('alternative_fullchains_pem',
+    alternative_fullchains_pem: list[str] = jose.field('alternative_fullchains_pem',
                                                        omitempty=True)
 
     # Mypy does not understand the josepy magic happening here, and falsely claims
     # that authorizations is redefined. Let's ignore the type check here.
     @authorizations.decoder  # type: ignore
-    def authorizations(value: List[Dict[str, Any]]) -> Tuple[AuthorizationResource, ...]: # pylint: disable=no-self-argument,missing-function-docstring
+    def authorizations(value: list[dict[str, Any]]) -> tuple[AuthorizationResource, ...]: # pylint: disable=no-self-argument,missing-function-docstring
         return tuple(AuthorizationResource.from_json(authz) for authz in value)
 
 
 class NewOrder(Order):
     """New order."""
+
+
+class RenewalInfo(ResourceBody):
+    """Renewal Info Resource Body.
+    :ivar acme.messages.SuggestedWindow window: The suggested renewal window.
+    """
+    class SuggestedWindow(jose.JSONObjectWithFields):
+        """Suggested Renewal Window, sub-resource of Renewal Info Resource.
+        :ivar datetime.datetime start: Beginning of suggested renewal window
+        :ivar datetime.datetime end: End of suggested renewal window (inclusive)
+        """
+        start: datetime.datetime = fields.rfc3339('start', omitempty=True)
+        end: datetime.datetime = fields.rfc3339('end', omitempty=True)
+
+    suggested_window: SuggestedWindow = jose.field('suggestedWindow',
+                                                   decoder=SuggestedWindow.from_json)

acme/src/acme/standalone.py

@@ -1,4 +1,6 @@
 """Support for standalone client challenge solvers. """
+from __future__ import annotations
+
 import collections
 import functools
 import http.client as http_client
@@ -8,56 +10,13 @@ import socket
 import socketserver
 import threading
 from typing import Any
-from typing import cast
-from typing import List
-from typing import Mapping
 from typing import Optional
-from typing import Set
-from typing import Tuple
-from typing import Type
-
-from OpenSSL import crypto
-from OpenSSL import SSL
 
 from acme import challenges
-from acme import crypto_util
 
 logger = logging.getLogger(__name__)
 
 
-class TLSServer(socketserver.TCPServer):
-    """Generic TLS Server."""
-
-    def __init__(self, *args: Any, **kwargs: Any) -> None:
-        self.ipv6 = kwargs.pop("ipv6", False)
-        if self.ipv6:
-            self.address_family = socket.AF_INET6
-        else:
-            self.address_family = socket.AF_INET
-        self.certs = kwargs.pop("certs", {})
-        self.method = kwargs.pop("method", crypto_util._DEFAULT_SSL_METHOD)
-        self.allow_reuse_address = kwargs.pop("allow_reuse_address", True)
-        super().__init__(*args, **kwargs)
-
-    def _wrap_sock(self) -> None:
-        self.socket = cast(socket.socket, crypto_util.SSLSocket(
-            self.socket, cert_selection=self._cert_selection,
-            alpn_selection=getattr(self, '_alpn_selection', None),
-            method=self.method))
-
-    def _cert_selection(self, connection: SSL.Connection
-                        ) -> Optional[Tuple[crypto.PKey, crypto.X509]]:  # pragma: no cover
-        """Callback selecting certificate for connection."""
-        server_name = connection.get_servername()
-        if server_name:
-            return self.certs.get(server_name, None)
-        return None
-
-    def server_bind(self) -> None:
-        self._wrap_sock()
-        return socketserver.TCPServer.server_bind(self)
-
-
 class ACMEServerMixin:
     """ACME server common settings mixin."""
     # TODO: c.f. #858
@@ -73,11 +32,11 @@ class BaseDualNetworkedServers:
        If two servers are instantiated, they will serve on the same port.
        """
 
-    def __init__(self, ServerClass: Type[socketserver.TCPServer], server_address: Tuple[str, int],
+    def __init__(self, ServerClass: type[socketserver.TCPServer], server_address: tuple[str, int],
                  *remaining_args: Any, **kwargs: Any) -> None:
         port = server_address[1]
-        self.threads: List[threading.Thread] = []
-        self.servers: List[socketserver.BaseServer] = []
+        self.threads: list[threading.Thread] = []
+        self.servers: list[socketserver.BaseServer] = []
 
         # Preserve socket error for re-raising, if no servers can be started
         last_socket_err: Optional[socket.error] = None
@@ -98,7 +57,7 @@ class BaseDualNetworkedServers:
                 logger.debug(
                     "Successfully bound to %s:%s using %s", new_address[0],
                     new_address[1], "IPv6" if ip_version else "IPv4")
-            except socket.error as e:
+            except OSError as e:
                 last_socket_err = e
                 if self.servers:
                     # Already bound using IPv6.
@@ -121,7 +80,7 @@ class BaseDualNetworkedServers:
             if last_socket_err:
                 raise last_socket_err
             else: # pragma: no cover
-                raise socket.error("Could not bind to IPv4 or IPv6.")
+                raise OSError("Could not bind to IPv4 or IPv6.")
 
     def serve_forever(self) -> None:
         """Wraps socketserver.TCPServer.serve_forever"""
@@ -131,7 +90,7 @@ class BaseDualNetworkedServers:
             thread.start()
             self.threads.append(thread)
 
-    def getsocknames(self) -> List[Tuple[str, int]]:
+    def getsocknames(self) -> list[tuple[str, int]]:
         """Wraps socketserver.TCPServer.socket.getsockname"""
         return [server.socket.getsockname() for server in self.servers]
 
@@ -146,49 +105,6 @@ class BaseDualNetworkedServers:
         self.threads = []
 
 
-class TLSALPN01Server(TLSServer, ACMEServerMixin):
-    """TLSALPN01 Server."""
-
-    ACME_TLS_1_PROTOCOL = b"acme-tls/1"
-
-    def __init__(self, server_address: Tuple[str, int],
-                 certs: List[Tuple[crypto.PKey, crypto.X509]],
-                 challenge_certs: Mapping[bytes, Tuple[crypto.PKey, crypto.X509]],
-                 ipv6: bool = False) -> None:
-        # We don't need to implement a request handler here because the work
-        # (including logging) is being done by wrapped socket set up in the
-        # parent TLSServer class.
-        TLSServer.__init__(
-            self, server_address, socketserver.BaseRequestHandler, certs=certs,
-            ipv6=ipv6)
-        self.challenge_certs = challenge_certs
-
-    def _cert_selection(self, connection: SSL.Connection) -> Optional[Tuple[crypto.PKey,
-                                                                            crypto.X509]]:
-        # TODO: We would like to serve challenge cert only if asked for it via
-        # ALPN. To do this, we need to retrieve the list of protos from client
-        # hello, but this is currently impossible with openssl [0], and ALPN
-        # negotiation is done after cert selection.
-        # Therefore, currently we always return challenge cert, and terminate
-        # handshake in alpn_selection() if ALPN protos are not what we expect.
-        # [0] https://github.com/openssl/openssl/issues/4952
-        server_name = connection.get_servername()
-        if server_name:
-            logger.debug("Serving challenge cert for server name %s", server_name)
-            return self.challenge_certs[server_name]
-        return None # pragma: no cover
-
-    def _alpn_selection(self, _connection: SSL.Connection, alpn_protos: List[bytes]) -> bytes:
-        """Callback to select alpn protocol."""
-        if len(alpn_protos) == 1 and alpn_protos[0] == self.ACME_TLS_1_PROTOCOL:
-            logger.debug("Agreed on %s ALPN", self.ACME_TLS_1_PROTOCOL)
-            return self.ACME_TLS_1_PROTOCOL
-        logger.debug("Cannot agree on ALPN proto. Got: %s", str(alpn_protos))
-        # Explicitly close the connection now, by returning an empty string.
-        # See https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_alpn_select_callback  # pylint: disable=line-too-long
-        return b""
-
-
 class HTTPServer(BaseHTTPServer.HTTPServer):
     """Generic HTTP Server."""
 
@@ -204,7 +120,8 @@ class HTTPServer(BaseHTTPServer.HTTPServer):
 class HTTP01Server(HTTPServer, ACMEServerMixin):
     """HTTP01 Server."""
 
-    def __init__(self, server_address: Tuple[str, int], resources: Set[challenges.HTTP01],
+    def __init__(self, server_address: tuple[str, int],
+                 resources: set[HTTP01RequestHandler.HTTP01Resource],
                  ipv6: bool = False, timeout: int = 30) -> None:
         super().__init__(
             server_address, HTTP01RequestHandler.partial_init(
@@ -299,8 +216,8 @@ class HTTP01RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
                          self.path)
 
     @classmethod
-    def partial_init(cls, simple_http_resources: Set[challenges.HTTP01],
-                     timeout: int) -> 'functools.partial[HTTP01RequestHandler]':
+    def partial_init(cls, simple_http_resources: set[HTTP01RequestHandler.HTTP01Resource],
+                     timeout: int) -> functools.partial[HTTP01RequestHandler]:
         """Partially initialize this handler.
 
         This is useful because `socketserver.BaseServer` takes

acme/src/acme/util.py

@@ -1,10 +1,9 @@
 """ACME utilities."""
 from typing import Any
 from typing import Callable
-from typing import Dict
 from typing import Mapping
 
 
-def map_keys(dikt: Mapping[Any, Any], func: Callable[[Any], Any]) -> Dict[Any, Any]:
+def map_keys(dikt: Mapping[Any, Any], func: Callable[[Any], Any]) -> dict[Any, Any]:
     """Map dictionary keys."""
     return {func(key): value for key, value in dikt.items()}

certbot-apache/MANIFEST.in

@@ -1,8 +1,8 @@
 include LICENSE.txt
 include README.rst
-recursive-include certbot_apache/_internal/augeas_lens *.aug
-recursive-include certbot_apache/_internal/tls_configs *.conf
-recursive-include certbot_apache/_internal/tests/testdata *
-include certbot_apache/py.typed
+recursive-include src/certbot_apache/_internal/augeas_lens *.aug
+recursive-include src/certbot_apache/_internal/tls_configs *.conf
+recursive-include src/certbot_apache/_internal/tests/testdata *
+include src/certbot_apache/py.typed
 global-exclude __pycache__
 global-exclude *.py[cod]

certbot-apache/pyproject.toml

@@ -0,0 +1,52 @@
+[build-system]
+requires = ["setuptools"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "certbot-apache"
+dynamic = ["version", "dependencies"]
+description = "Apache plugin for Certbot"
+readme = "README.rst"
+license = "Apache-2.0"
+requires-python = ">=3.10"
+authors = [
+    { name = "Certbot Project", email = "certbot-dev@eff.org" },
+]
+classifiers = [
+    "Development Status :: 5 - Production/Stable",
+    "Environment :: Plugins",
+    "Intended Audience :: System Administrators",
+    "Operating System :: POSIX :: Linux",
+    "Programming Language :: Python",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Internet :: WWW/HTTP",
+    "Topic :: Security",
+    "Topic :: System :: Installation/Setup",
+    "Topic :: System :: Networking",
+    "Topic :: System :: Systems Administration",
+    "Topic :: Utilities",
+]
+
+[project.optional-dependencies]
+dev = [
+    "apacheconfig>=0.3.2",
+]
+test = [
+    "pytest",
+]
+
+[project.entry-points."certbot.plugins"]
+apache = "certbot_apache._internal.entrypoint:ENTRYPOINT"
+
+[project.urls]
+Homepage = "https://github.com/certbot/certbot"
+
+[tool.setuptools]
+package-dir = {"" = "src"}
+
+[tool.setuptools.packages.find]
+where = ["src"]

certbot-apache/setup.py

@@ -1,7 +1,6 @@
-from setuptools import find_packages
 from setuptools import setup
 
-version = '2.12.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     # We specify the minimum acme and certbot version as the current plugin
@@ -9,59 +8,10 @@ install_requires = [
     # https://github.com/certbot/certbot/issues/8761 for more info.
     f'acme>={version}',
     f'certbot>={version}',
-    'importlib_resources>=1.3.1; python_version < "3.9"',
     'python-augeas',
-    'setuptools>=41.6.0',
-]
-
-dev_extras = [
-    'apacheconfig>=0.3.2',
-]
-
-test_extras = [
-    'pytest',
 ]
 
 setup(
-    name='certbot-apache',
     version=version,
-    description="Apache plugin for Certbot",
-    url='https://github.com/certbot/certbot',
-    author="Certbot Project",
-    author_email='certbot-dev@eff.org',
-    license='Apache License 2.0',
-    python_requires='>=3.8',
-    classifiers=[
-        'Development Status :: 5 - Production/Stable',
-        'Environment :: Plugins',
-        'Intended Audience :: System Administrators',
-        'License :: OSI Approved :: Apache Software License',
-        'Operating System :: POSIX :: Linux',
-        'Programming Language :: Python',
-        'Programming Language :: Python :: 3',
-        'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
-        'Programming Language :: Python :: 3.10',
-        'Programming Language :: Python :: 3.11',
-        'Programming Language :: Python :: 3.12',
-        'Topic :: Internet :: WWW/HTTP',
-        'Topic :: Security',
-        'Topic :: System :: Installation/Setup',
-        'Topic :: System :: Networking',
-        'Topic :: System :: Systems Administration',
-        'Topic :: Utilities',
-    ],
-
-    packages=find_packages(),
-    include_package_data=True,
     install_requires=install_requires,
-    extras_require={
-        'dev': dev_extras,
-        'test': test_extras,
-    },
-    entry_points={
-        'certbot.plugins': [
-            'apache = certbot_apache._internal.entrypoint:ENTRYPOINT',
-        ],
-    },
 )