quiet and fast

2019-08-09 11:16:28 -07:00
79 changed files with 363 additions and 1711 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -40,218 +40,6 @@ matrix:
      sudo: required
      services: docker
      <<: *not-on-master
-
-    # This job is always executed, including on master
-    - python: "2.7"
-      env: TOXENV=py27-cover FYI="py27 tests + code coverage"
-
-    - python: "2.7"
-      env: TOXENV=lint
-      <<: *not-on-master
-    - python: "3.4"
-      env: TOXENV=mypy
-      <<: *not-on-master
-    - python: "3.5"
-      env: TOXENV=mypy
-      <<: *not-on-master
-    - python: "2.7"
-      # Ubuntu Trusty or older must be used because the oldest version of
-      # cryptography we support cannot be compiled against the version of
-      # OpenSSL in Xenial or newer.
-      dist: trusty
-      env: TOXENV='py27-{acme,apache,certbot,dns,nginx}-oldest'
-      sudo: required
-      services: docker
-      <<: *not-on-master
-    - python: "3.4"
-      env: TOXENV=py34
-      sudo: required
-      services: docker
-      <<: *not-on-master
-    - python: "3.7"
-      dist: xenial
-      env: TOXENV=py37
-      sudo: required
-      services: docker
-      <<: *not-on-master
-    - sudo: required
-      env: TOXENV=apache_compat
-      services: docker
-      before_install:
-      addons:
-      <<: *not-on-master
-    - sudo: required
-      env: TOXENV=le_auto_xenial
-      services: docker
-      <<: *not-on-master
-    - python: "2.7"
-      env: TOXENV=apacheconftest-with-pebble
-      sudo: required
-      services: docker
-      <<: *not-on-master
-    - python: "2.7"
-      env: TOXENV=nginxroundtrip
-      <<: *not-on-master
-
-    # Extended test suite on cron jobs and pushes to tested branches other than master
-    - sudo: required
-      env: TOXENV=nginx_compat
-      services: docker
-      before_install:
-      addons:
-      <<: *extended-test-suite
-    - python: "2.7"
-      env:
-        - TOXENV=travis-test-farm-apache2
-        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
-      <<: *extended-test-suite
-    - python: "2.7"
-      env:
-        - TOXENV=travis-test-farm-leauto-upgrades
-        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
-      git:
-        depth: false  # This is needed to have the history to checkout old versions of certbot-auto.
-      <<: *extended-test-suite
-    - python: "2.7"
-      env:
-        - TOXENV=travis-test-farm-certonly-standalone
-        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
-      <<: *extended-test-suite
-    - python: "2.7"
-      env:
-        - TOXENV=travis-test-farm-sdists
-        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
-      <<: *extended-test-suite
-    - python: "3.7"
-      dist: xenial
-      env: TOXENV=py37 CERTBOT_NO_PIN=1
-      <<: *extended-test-suite
-    - python: "2.7"
-      env: ACME_SERVER=boulder-v1 TOXENV=integration
-      sudo: required
-      services: docker
-      <<: *extended-test-suite
-    - python: "2.7"
-      env: ACME_SERVER=boulder-v2 TOXENV=integration
-      sudo: required
-      services: docker
-      <<: *extended-test-suite
-    - python: "2.7"
-      env: ACME_SERVER=boulder-v1 TOXENV=integration-certbot-oldest
-      sudo: required
-      services: docker
-      <<: *extended-test-suite
-    - python: "2.7"
-      env: ACME_SERVER=boulder-v2 TOXENV=integration-certbot-oldest
-      sudo: required
-      services: docker
-      <<: *extended-test-suite
-    - python: "2.7"
-      env: ACME_SERVER=boulder-v1 TOXENV=integration-nginx-oldest
-      sudo: required
-      services: docker
-      <<: *extended-test-suite
-    - python: "2.7"
-      env: ACME_SERVER=boulder-v2 TOXENV=integration-nginx-oldest
-      sudo: required
-      services: docker
-      <<: *extended-test-suite
-    - python: "3.4"
-      env: TOXENV=py34
-      <<: *extended-test-suite
-    - python: "3.5"
-      env: TOXENV=py35
-      <<: *extended-test-suite
-    - python: "3.6"
-      env: TOXENV=py36
-      <<: *extended-test-suite
-    - python: "3.7"
-      dist: xenial
-      env: TOXENV=py37
-      <<: *extended-test-suite
-    - python: "3.4"
-      env: ACME_SERVER=boulder-v1 TOXENV=integration
-      sudo: required
-      services: docker
-      <<: *extended-test-suite
-    - python: "3.4"
-      env: ACME_SERVER=boulder-v2 TOXENV=integration
-      sudo: required
-      services: docker
-      <<: *extended-test-suite
-    - python: "3.5"
-      env: ACME_SERVER=boulder-v1 TOXENV=integration
-      sudo: required
-      services: docker
-      <<: *extended-test-suite
-    - python: "3.5"
-      env: ACME_SERVER=boulder-v2 TOXENV=integration
-      sudo: required
-      services: docker
-      <<: *extended-test-suite
-    - python: "3.6"
-      env: ACME_SERVER=boulder-v1 TOXENV=integration
-      sudo: required
-      services: docker
-      <<: *extended-test-suite
-    - python: "3.6"
-      env: ACME_SERVER=boulder-v2 TOXENV=integration
-      sudo: required
-      services: docker
-      <<: *extended-test-suite
-    - python: "3.7"
-      dist: xenial
-      env: ACME_SERVER=boulder-v1 TOXENV=integration
-      sudo: required
-      services: docker
-      <<: *extended-test-suite
-    - python: "3.7"
-      dist: xenial
-      env: ACME_SERVER=boulder-v2 TOXENV=integration
-      sudo: required
-      services: docker
-      <<: *extended-test-suite
-    - sudo: required
-      env: TOXENV=le_auto_jessie
-      services: docker
-      <<: *extended-test-suite
-    - sudo: required
-      env: TOXENV=le_auto_centos6
-      services: docker
-      <<: *extended-test-suite
-    - sudo: required
-      env: TOXENV=docker_dev
-      services: docker
-      addons:
-        apt:
-          packages:  # don't install nginx and apache
-            - libaugeas0
-      <<: *extended-test-suite
-    - language: generic
-      env: TOXENV=py27
-      os: osx
-      # Using this osx_image is a workaround for
-      # https://travis-ci.community/t/xcode-8-3-homebrew-outdated-error/3798.
-      osx_image: xcode10.2
-      addons:
-        homebrew:
-          packages:
-            - augeas
-            - python2
-      <<: *extended-test-suite
-    - language: generic
-      env: TOXENV=py3
-      os: osx
-      # Using this osx_image is a workaround for
-      # https://travis-ci.community/t/xcode-8-3-homebrew-outdated-error/3798.
-      osx_image: xcode10.2
-      addons:
-        homebrew:
-          packages:
-            - augeas
-            - python3
-      <<: *extended-test-suite
-
 # container-based infrastructure
 sudo: false

@@ -280,13 +68,3 @@ after_success: '[ "$TOXENV" == "py27-cover" ] && codecov -F linux'

 notifications:
  email: false
-  irc:
-    channels:
-      # This is set to a secure variable to prevent forks from sending
-      # notifications. This value was created by installing
-      # https://github.com/travis-ci/travis.rb and running
-      # `travis encrypt "chat.freenode.net#certbot-devel"`.
-      - secure: "EWW66E2+KVPZyIPR8ViENZwfcup4Gx3/dlimmAZE0WuLwxDCshBBOd3O8Rf6pBokEoZlXM5eDT6XdyJj8n0DLslgjO62pExdunXpbcMwdY7l1ELxX2/UbnDTE6UnPYa09qVBHNG7156Z6yE0x2lH4M9Ykvp0G0cubjPQHylAwo0="
-    on_cancel: never
-    on_success: never
-    on_failure: always
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -162,7 +162,6 @@ Authors
 * [Michael Schumacher](https://github.com/schumaml)
 * [Michael Strache](https://github.com/Jarodiv)
 * [Michael Sverdlin](https://github.com/sveder)
-* [Michael Watters](https://github.com/blackknight36)
 * [Michal Moravec](https://github.com/https://github.com/Majkl578)
 * [Michal Papis](https://github.com/mpapis)
 * [Minn Soe](https://github.com/MinnSoe)
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,34 +2,7 @@

 Certbot adheres to [Semantic Versioning](https://semver.org/).

-## 0.38.0 - master
-
-### Added
-
-*
-
-### Changed
-
-* If Certbot fails to rollback your server configuration, the error message
-  links to the Let's Encrypt forum. Change the link to the Help category now
-  that the Server category has been closed.
-
-### Fixed
-
-*
-
-More details about these changes can be found on our GitHub repo.
-
-## 0.37.1 - 2019-08-08
-
-### Fixed
-
-* Stop disabling TLS session tickets in Apache as it caused TLS failures on
-  some systems.
-
-More details about these changes can be found on our GitHub repo.
-
-## 0.37.0 - 2019-08-07
+## 0.37.0 - master

 ### Added

@@ -38,12 +11,11 @@ More details about these changes can be found on our GitHub repo.

 ### Changed

-* Follow updated Mozilla recommendations for Nginx ssl_protocols, ssl_ciphers,
-  and ssl_prefer_server_ciphers
+*

 ### Fixed

-* Fix certbot-auto failures on RHEL 8.
+*

 More details about these changes can be found on our GitHub repo.

--- a/acme/setup.py
+++ b/acme/setup.py
@@ -3,7 +3,7 @@ from setuptools import find_packages
 from setuptools.command.test import test as TestCommand
 import sys

-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -4,7 +4,6 @@ environment:
  matrix:
    - TOXENV: py35
    - TOXENV: py37-cover
-    - TOXENV: integration-certbot

 branches:
  only:
@@ -25,16 +24,14 @@ init:

 install:
  # Use Python 3.7 by default
-  - SET PATH=C:\\Python37;C:\\Python37\\Scripts;%PATH%
-  # Using 4 processes is proven to be the most efficient integration tests config for AppVeyor
-  - IF %TOXENV%==integration-certbot SET PYTEST_ADDOPTS=--numprocesses=4
+  - "SET PATH=C:\\Python37;C:\\Python37\\Scripts;%PATH%"
  # Check env
-  - python --version
+  - "python --version"
  # Upgrade pip to avoid warnings
-  - python -m pip install --upgrade pip
+  - "python -m pip install --upgrade pip"
  # Ready to install tox and coverage
  # tools/pip_install.py is used to pin packages to a known working version.
-  - python tools\\pip_install.py tox codecov
+  - "python tools\\pip_install.py tox codecov"

 build: off

--- a/certbot-apache/MANIFEST.in
+++ b/certbot-apache/MANIFEST.in
@@ -5,3 +5,4 @@ recursive-include certbot_apache/tests/testdata *
 include certbot_apache/centos-options-ssl-apache.conf
 include certbot_apache/options-ssl-apache.conf
 recursive-include certbot_apache/augeas_lens *.aug
+recursive-include certbot_apache/tls_configs *.conf
--- a/certbot-apache/certbot_apache/apache_util.py
+++ b/certbot-apache/certbot_apache/apache_util.py
@@ -1,6 +1,8 @@
 """ Utility functions for certbot-apache plugin """
 import binascii

+import pkg_resources
+
 from certbot import util
 from certbot.compat import os

@@ -105,3 +107,15 @@ def parse_define_file(filepath, varname):
 def unique_id():
    """ Returns an unique id to be used as a VirtualHost identifier"""
    return binascii.hexlify(os.urandom(16)).decode("utf-8")
+
+
+def find_ssl_apache_conf(prefix):
+    """
+    Find a TLS Apache config file in the dedicated storage.
+    :param str prefix: prefix of the TLS Apache config file to find
+    :return: the path the TLS Apache config file
+    :rtype: str
+    """
+    return pkg_resources.resource_filename(
+        "certbot_apache",
+        os.path.join("tls_configs", "{0}-options-ssl-apache.conf".format(prefix)))
--- a/certbot-apache/certbot_apache/configurator.py
+++ b/certbot-apache/certbot_apache/configurator.py
@@ -9,7 +9,6 @@ import time

 from collections import defaultdict

-import pkg_resources
 import six

 import zope.component
@@ -110,14 +109,24 @@ class ApacheConfigurator(common.Installer):
        handle_modules=False,
        handle_sites=False,
        challenge_location="/etc/apache2",
-        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
-            "certbot_apache", "options-ssl-apache.conf")
    )

    def option(self, key):
        """Get a value from options"""
        return self.options.get(key)

+    def pick_apache_config(self):
+        """
+        Pick the appropriate TLS Apache configuration file for current version of Apache and OS.
+        :return: the path to the TLS Apache configuration file to use
+        :rtype: str
+        """
+        # Disabling TLS session tickets is supported by Apache 2.4.11+.
+        # So for old versions of Apache we pick a configuration without this option.
+        if self.version < (2, 4, 11):
+            return apache_util.find_ssl_apache_conf("old")
+        return apache_util.find_ssl_apache_conf("current")
+
    def _prepare_options(self):
        """
        Set the values possibly changed by command line parameters to
@@ -2339,8 +2348,9 @@ class ApacheConfigurator(common.Installer):
        # XXX if we ever try to enforce a local privilege boundary (eg, running
        # certbot for unprivileged users via setuid), this function will need
        # to be modified.
-        return common.install_version_controlled_file(options_ssl, options_ssl_digest,
-            self.option("MOD_SSL_CONF_SRC"), constants.ALL_SSL_OPTIONS_HASHES)
+        apache_config_path = self.pick_apache_config()
+        return common.install_version_controlled_file(
+            options_ssl, options_ssl_digest, apache_config_path, constants.ALL_SSL_OPTIONS_HASHES)

    def enable_autohsts(self, _unused_lineage, domains):
        """
--- a/certbot-apache/certbot_apache/interfaces.py
+++ b/certbot-apache/certbot_apache/interfaces.py
@@ -1,466 +0,0 @@
-"""ParserNode interface for interacting with configuration tree.
-
-General description
-------------------
-
-The ParserNode interfaces are designed to be able to contain all the parsing logic,
-while allowing their users to interact with the configuration tree in a Pythonic
-and well structured manner.
-
-The structure allows easy traversal of the tree of ParserNodes. Each ParserNode
-stores a reference to its ancestor and immediate children, allowing the user to
-traverse the tree using built in interface methods as well as accessing the interface
-properties directly.
-
-ParserNode interface implementation should stand between the actual underlying
-parser functionality and the business logic within Configurator code, interfacing
-with both. The ParserNode tree is a result of configuration parsing action.
-
-ParserNode tree will be in charge of maintaining the parser state and hence the
-abstract syntax tree (AST). Interactions between ParserNode tree and underlying
-parser should involve only parsing the configuration files to this structure, and
-writing it back to the filesystem - while preserving the format including whitespaces.
-
-For some implementations (Apache for example) it's important to keep track of and
-to use state information while parsing conditional blocks and directives. This
-allows the implementation to set a flag to parts of the parsed configuration
-structure as not being in effect in a case of unmatched conditional block. It's
-important to store these blocks in the tree as well in order to not to conduct
-destructive actions (failing to write back parts of the configuration) while writing
-the AST back to the filesystem.
-
-The ParserNode tree is in charge of maintaining the its own structure while every
-child node fetched with find - methods or by iterating its list of children can be
-changed in place. When making changes the affected nodes should be flagged as "dirty"
-in order for the parser implementation to figure out the parts of the configuration
-that need to be written back to disk during the save() operation.
-
-
-Metadata
--------
-
-The metadata holds all the implementation specific attributes of the ParserNodes -
-things like the positional information related to the AST, file paths, whitespacing,
-and any other information relevant to the underlying parser engine.
-
-Access to the metadata should be handled by implementation specific methods, allowing
-the Configurator functionality to access the underlying information where needed.
-A good example of this is file path of a node - something that is needed by the
-reverter functionality within the Configurator.
-
-
-Apache implementation
---------------------
-
-The Apache implementation of ParserNode interface requires some implementation
-specific functionalities that are not described by the interface itself.
-
-Conditional blocks
-
-Apache configuration can have conditional blocks, for example: <IfModule ...>,
-resulting the directives and subblocks within it being either enabled or disabled.
-While find_* interface methods allow including the disabled parts of the configuration
-tree in searches a special care needs to be taken while parsing the structure in
-order to reflect the active state of configuration.
-
-Whitespaces
-
-Each ParserNode object is responsible of storing its prepending whitespace characters
-in order to be able to write the AST back to filesystem like it was, preserving the
-format, this applies for parameters of BlockNode and DirectiveNode as well.
-When parameters of ParserNode are changed, the pre-existing whitespaces in the
-parameter sequence are discarded, as the general reason for storing them is to
-maintain the ability to write the configuration back to filesystem exactly like
-it was. This loses its meaning when we have to change the directives or blocks
-parameters for other reasons.
-
-Searches and matching
-
-Apache configuration is largely case insensitive, so the Apache implementation of
-ParserNode interface needs to provide the user means to match block and directive
-names and parameters in case insensitive manner. This does not apply to everything
-however, for example the parameters of a conditional statement may be case sensitive.
-For this reason the internal representation of data should not ignore the case.
-"""
-
-import abc
-import six
-
-from acme.magic_typing import Optional, Tuple  # pylint: disable=unused-import, no-name-in-module
-
-
-@six.add_metaclass(abc.ABCMeta)
-class ParserNode(object):
-    """
-    ParserNode is the basic building block of the tree of such nodes,
-    representing the structure of the configuration. It is largely meant to keep
-    the structure information intact and idiomatically accessible.
-
-    The root node as well as the child nodes of it should be instances of ParserNode.
-    Nodes keep track of their differences to on-disk representation of configuration
-    by marking modified ParserNodes as dirty to enable partial write-to-disk for
-    different files in the configuration structure.
-
-    While for the most parts the usage and the child types are obvious, "include"-
-    and similar directives are an exception to this rule. This is because of the
-    nature of include directives - which unroll the contents of another file or
-    configuration block to their place. While we could unroll the included nodes
-    to the parent tree, it remains important to keep the context of include nodes
-    separate in order to write back the original configuration as it was.
-
-    For parsers that require the implementation to keep track of the whitespacing,
-    it's responsibility of each ParserNode object itself to store its prepending
-    whitespaces in order to be able to reconstruct the complete configuration file
-    as it was when originally read from the disk.
-
-    ParserNode objects should have the following attributes:
-
-    # Reference to ancestor node, or None if the node is the root node of the
-    # configuration tree.
-    ancestor: Optional[ParserNode]
-
-    # True if this node has been modified since last save.
-    dirty: bool
-
-    # Filepath of the file where the configuration element for this ParserNode
-    # object resides. For root node, the value for filepath is the httpd root
-    # configuration file. Filepath can be None if a configuration directive is
-    # defined in for example the httpd command line.
-    filepath: Optional[str]
-    """
-
-    @abc.abstractmethod
-    def __init__(self, **kwargs):
-        """
-        Initializes the ParserNode instance, and sets the ParserNode specific
-        instance variables. This is not meant to be used directly, but through
-        specific classes implementing ParserNode interface.
-
-        :param ancestor: BlockNode ancestor for this CommentNode. Required.
-        :type ancestor: BlockNode or None
-
-        :param filepath: Filesystem path for the file where this CommentNode
-            does or should exist in the filesystem. Required.
-        :type filepath: str or None
-
-        :param dirty: Boolean flag for denoting if this CommentNode has been
-            created or changed after the last save. Default: False.
-        :type dirty: bool
-        """
-
-    @abc.abstractmethod
-    def save(self, msg):
-        """
-        Save traverses the children, and attempts to write the AST to disk for
-        all the objects that are marked dirty. The actual operation of course
-        depends on the underlying implementation. save() shouldn't be called
-        from the Configurator outside of its designated save() method in order
-        to ensure that the Reverter checkpoints are created properly.
-
-        Note: this approach of keeping internal structure of the configuration
-        within the ParserNode tree does not represent the file inclusion structure
-        of actual configuration files that reside in the filesystem. To handle
-        file writes properly, the file specific temporary trees should be extracted
-        from the full ParserNode tree where necessary when writing to disk.
-
-        :param str msg: Message describing the reason for the save.
-
-        """
-
-
-# Linter rule exclusion done because of https://github.com/PyCQA/pylint/issues/179
-@six.add_metaclass(abc.ABCMeta)  # pylint: disable=abstract-method
-class CommentNode(ParserNode):
-    """
-    CommentNode class is used for representation of comments within the parsed
-    configuration structure. Because of the nature of comments, it is not able
-    to have child nodes and hence it is always treated as a leaf node.
-
-    CommentNode stores its contents in class variable 'comment' and does not
-    have a specific name.
-
-    CommentNode objects should have the following attributes in addition to
-    the ones described in ParserNode:
-
-    # Contains the contents of the comment without the directive notation
-    # (typically # or /* ... */).
-    comment: str
-
-    """
-
-    @abc.abstractmethod
-    def __init__(self, **kwargs):
-        """
-        Initializes the CommentNode instance and sets its instance variables.
-
-        :param comment: Contents of the comment. Required.
-        :type comment: str
-
-        :param ancestor: BlockNode ancestor for this CommentNode. Required.
-        :type ancestor: BlockNode or None
-
-        :param filepath: Filesystem path for the file where this CommentNode
-            does or should exist in the filesystem. Required.
-        :type filepath: str or None
-
-        :param dirty: Boolean flag for denoting if this CommentNode has been
-            created or changed after the last save. Default: False.
-        :type dirty: bool
-        """
-        super(CommentNode, self).__init__(ancestor=kwargs['ancestor'],
-                                          dirty=kwargs.get('dirty', False),
-                                          filepath=kwargs['filepath'])  # pragma: no cover
-
-
-@six.add_metaclass(abc.ABCMeta)
-class DirectiveNode(ParserNode):
-    """
-    DirectiveNode class represents a configuration directive within the configuration.
-    It can have zero or more parameters attached to it. Because of the nature of
-    single directives, it is not able to have child nodes and hence it is always
-    treated as a leaf node.
-
-    If a this directive was defined on the httpd command line, the ancestor instance
-    variable for this DirectiveNode should be None, and it should be inserted to the
-    beginning of root BlockNode children sequence.
-
-    DirectiveNode objects should have the following attributes in addition to
-    the ones described in ParserNode:
-
-    # True if this DirectiveNode is enabled and False if it is inside of an
-    # inactive conditional block.
-    enabled: bool
-
-    # Name, or key of the configuration directive. If BlockNode subclass of
-    # DirectiveNode is the root configuration node, the name should be None.
-    name: Optional[str]
-
-    # Tuple of parameters of this ParserNode object, excluding whitespaces.
-    parameters: Tuple[str, ...]
-
-    """
-
-    @abc.abstractmethod
-    def __init__(self, **kwargs):
-        """
-        Initializes the DirectiveNode instance and sets its instance variables.
-
-        :param name: Name or key of the DirectiveNode object. Required.
-        :type name: str or None
-
-        :param tuple parameters: Tuple of str parameters for this DirectiveNode.
-            Default: ().
-        :type parameters: tuple
-
-        :param ancestor: BlockNode ancestor for this DirectiveNode, or None for
-            root configuration node. Required.
-        :type ancestor: BlockNode or None
-
-        :param filepath: Filesystem path for the file where this DirectiveNode
-            does or should exist in the filesystem, or None for directives introduced
-            in the httpd command line. Required.
-        :type filepath: str or None
-
-        :param dirty: Boolean flag for denoting if this DirectiveNode has been
-            created or changed after the last save. Default: False.
-        :type dirty: bool
-
-        :param enabled: True if this DirectiveNode object is parsed in the active
-            configuration of the httpd. False if the DirectiveNode exists within a
-            unmatched conditional configuration block. Default: True.
-        :type enabled: bool
-
-        """
-        super(DirectiveNode, self).__init__(ancestor=kwargs['ancestor'],
-                                            dirty=kwargs.get('dirty', False),
-                                            filepath=kwargs['filepath'])  # pragma: no cover
-
-    @abc.abstractmethod
-    def set_parameters(self, parameters):
-        """
-        Sets the sequence of parameters for this ParserNode object without
-        whitespaces. While the whitespaces for parameters are discarded when using
-        this method, the whitespacing preceeding the ParserNode itself should be
-        kept intact.
-
-        :param list parameters: sequence of parameters
-        """
-
-
-@six.add_metaclass(abc.ABCMeta)
-class BlockNode(DirectiveNode):
-    """
-    BlockNode class represents a block of nested configuration directives, comments
-    and other blocks as its children. A BlockNode can have zero or more parameters
-    attached to it.
-
-    Configuration blocks typically consist of one or more child nodes of all possible
-    types. Because of this, the BlockNode class has various discovery and structure
-    management methods.
-
-    Lists of parameters used as an optional argument for some of the methods should
-    be lists of strings that are applicable parameters for each specific BlockNode
-    or DirectiveNode type. As an example, for a following configuration example:
-
-        <VirtualHost *:80>
-           ...
-        </VirtualHost>
-
-    The node type would be BlockNode, name would be 'VirtualHost' and its parameters
-    would be: ['*:80'].
-
-    While for the following example:
-
-        LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
-
-    The node type would be DirectiveNode, name would be 'LoadModule' and its
-    parameters would be: ['alias_module', '/usr/lib/apache2/modules/mod_alias.so']
-
-    The applicable parameters are dependent on the underlying configuration language
-    and its grammar.
-
-    BlockNode objects should have the following attributes in addition to
-    the ones described in DirectiveNode:
-
-    # Tuple of direct children of this BlockNode object. The order of children
-    # in this tuple retain the order of elements in the parsed configuration
-    # block.
-    children: Tuple[ParserNode, ...]
-
-    """
-
-    @abc.abstractmethod
-    def add_child_block(self, name, parameters=None, position=None):
-        """
-        Adds a new BlockNode child node with provided values and marks the callee
-        BlockNode dirty. This is used to add new children to the AST. The preceeding
-        whitespaces should not be added based on the ancestor or siblings for the
-        newly created object. This is to match the current behavior of the legacy
-        parser implementation.
-
-        :param str name: The name of the child node to add
-        :param list parameters: list of parameters for the node
-        :param int position: Position in the list of children to add the new child
-            node to. Defaults to None, which appends the newly created node to the list.
-            If an integer is given, the child is inserted before that index in the
-            list similar to list().insert.
-
-        :returns: BlockNode instance of the created child block
-
-        """
-
-    @abc.abstractmethod
-    def add_child_directive(self, name, parameters=None, position=None):
-        """
-        Adds a new DirectiveNode child node with provided values and marks the
-        callee BlockNode dirty. This is used to add new children to the AST. The
-        preceeding whitespaces should not be added based on the ancestor or siblings
-        for the newly created object. This is to match the current behavior of the
-        legacy parser implementation.
-
-
-        :param str name: The name of the child node to add
-        :param list parameters: list of parameters for the node
-        :param int position: Position in the list of children to add the new child
-            node to. Defaults to None, which appends the newly created node to the list.
-            If an integer is given, the child is inserted before that index in the
-            list similar to list().insert.
-
-        :returns: DirectiveNode instance of the created child directive
-
-        """
-
-    @abc.abstractmethod
-    def add_child_comment(self, comment="", position=None):
-        """
-        Adds a new CommentNode child node with provided value and marks the
-        callee BlockNode dirty. This is used to add new children to the AST. The
-        preceeding whitespaces should not be added based on the ancestor or siblings
-        for the newly created object. This is to match the current behavior of the
-        legacy parser implementation.
-
-
-        :param str comment: Comment contents
-        :param int position: Position in the list of children to add the new child
-            node to. Defaults to None, which appends the newly created node to the list.
-            If an integer is given, the child is inserted before that index in the
-            list similar to list().insert.
-
-        :returns: CommentNode instance of the created child comment
-
-        """
-
-    @abc.abstractmethod
-    def find_blocks(self, name, exclude=True):
-        """
-        Find a configuration block by name. This method walks the child tree of
-        ParserNodes under the instance it was called from. This way it is possible
-        to search for the whole configuration tree, when starting from root node or
-        to do a partial search when starting from a specified branch. The lookup
-        should be case insensitive.
-
-        :param str name: The name of the directive to search for
-        :param bool exclude: If the search results should exclude the contents of
-            ParserNode objects that reside within conditional blocks and because
-            of current state are not enabled.
-
-        :returns: A list of found BlockNode objects.
-        """
-
-    @abc.abstractmethod
-    def find_directives(self, name, exclude=True):
-        """
-        Find a directive by name. This method walks the child tree of ParserNodes
-        under the instance it was called from. This way it is possible to search
-        for the whole configuration tree, when starting from root node, or to do
-        a partial search when starting from a specified branch. The lookup should
-        be case insensitive.
-
-        :param str name: The name of the directive to search for
-        :param bool exclude: If the search results should exclude the contents of
-            ParserNode objects that reside within conditional blocks and because
-            of current state are not enabled.
-
-        :returns: A list of found DirectiveNode objects.
-
-        """
-
-    @abc.abstractmethod
-    def find_comments(self, comment, exact=False):
-        """
-        Find comments with value containing or being exactly the same as search term.
-
-        This method walks the child tree of ParserNodes under the instance it was
-        called from. This way it is possible to search for the whole configuration
-        tree, when starting from root node, or to do a partial search when starting
-        from a specified branch. The lookup should be case sensitive.
-
-        :param str comment: The content of comment to search for
-        :param bool exact: If the comment needs to exactly match the search term
-
-        :returns: A list of found CommentNode objects.
-
-        """
-
-    @abc.abstractmethod
-    def delete_child(self, child):
-        """
-        Remove a specified child node from the list of children of the called
-        BlockNode object.
-
-        :param ParserNode child: Child ParserNode object to remove from the list
-            of children of the callee.
-        """
-
-    @abc.abstractmethod
-    def unsaved_files(self):
-        """
-        Returns a list of file paths that have been changed since the last save
-        (or the initial configuration parse). The intended use for this method
-        is to tell the Reverter which files need to be included in a checkpoint.
-
-        This is typically called for the root of the ParserNode tree.
-
-        :returns: list of file paths of files that have been changed but not yet
-            saved to disk.
-        """
--- a/certbot-apache/certbot_apache/override_arch.py
+++ b/certbot-apache/certbot_apache/override_arch.py
@@ -1,6 +1,4 @@
 """ Distribution specific override class for Arch Linux """
-import pkg_resources
-
 import zope.interface

 from certbot import interfaces
@@ -26,6 +24,4 @@ class ArchConfigurator(configurator.ApacheConfigurator):
        handle_modules=False,
        handle_sites=False,
        challenge_location="/etc/httpd/conf",
-        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
-            "certbot_apache", "options-ssl-apache.conf")
    )
--- a/certbot-apache/certbot_apache/override_centos.py
+++ b/certbot-apache/certbot_apache/override_centos.py
@@ -1,7 +1,6 @@
 """ Distribution specific override class for CentOS family (RHEL, Fedora) """
 import logging

-import pkg_resources
 import zope.interface

 from certbot import errors
@@ -39,8 +38,6 @@ class CentOSConfigurator(configurator.ApacheConfigurator):
        handle_modules=False,
        handle_sites=False,
        challenge_location="/etc/httpd/conf.d",
-        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
-            "certbot_apache", "centos-options-ssl-apache.conf")
    )

    def config_test(self):
@@ -75,6 +72,18 @@ class CentOSConfigurator(configurator.ApacheConfigurator):
        # Finish with actual config check to see if systemctl restart helped
        super(CentOSConfigurator, self).config_test()

+    def pick_apache_config(self):
+        """
+        Pick the appropriate TLS Apache configuration file for current version of Apache and OS.
+        :return: the path to the TLS Apache configuration file to use
+        :rtype: str
+        """
+        # Disabling TLS session tickets is supported by Apache 2.4.11+.
+        # So for old versions of Apache we pick a configuration without this option.
+        if self.version < (2, 4, 11):
+            return apache_util.find_ssl_apache_conf("centos-old")
+        return apache_util.find_ssl_apache_conf("centos-current")
+
    def _prepare_options(self):
        """
        Override the options dictionary initialization in order to support
--- a/certbot-apache/certbot_apache/override_darwin.py
+++ b/certbot-apache/certbot_apache/override_darwin.py
@@ -1,6 +1,4 @@
 """ Distribution specific override class for macOS """
-import pkg_resources
-
 import zope.interface

 from certbot import interfaces
@@ -26,6 +24,4 @@ class DarwinConfigurator(configurator.ApacheConfigurator):
        handle_modules=False,
        handle_sites=False,
        challenge_location="/etc/apache2/other",
-        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
-            "certbot_apache", "options-ssl-apache.conf")
    )
--- a/certbot-apache/certbot_apache/override_debian.py
+++ b/certbot-apache/certbot_apache/override_debian.py
@@ -1,7 +1,6 @@
 """ Distribution specific override class for Debian family (Ubuntu/Debian) """
 import logging

-import pkg_resources
 import zope.interface

 from certbot import errors
@@ -35,8 +34,6 @@ class DebianConfigurator(configurator.ApacheConfigurator):
        handle_modules=True,
        handle_sites=True,
        challenge_location="/etc/apache2",
-        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
-            "certbot_apache", "options-ssl-apache.conf")
    )

    def enable_site(self, vhost):
--- a/certbot-apache/certbot_apache/override_fedora.py
+++ b/certbot-apache/certbot_apache/override_fedora.py
@@ -1,5 +1,4 @@
 """ Distribution specific override class for Fedora 29+ """
-import pkg_resources
 import zope.interface

 from certbot import errors
@@ -31,9 +30,6 @@ class FedoraConfigurator(configurator.ApacheConfigurator):
        handle_modules=False,
        handle_sites=False,
        challenge_location="/etc/httpd/conf.d",
-        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
-            # TODO: eventually newest version of Fedora will need their own config
-            "certbot_apache", "centos-options-ssl-apache.conf")
    )

    def config_test(self):
--- a/certbot-apache/certbot_apache/override_gentoo.py
+++ b/certbot-apache/certbot_apache/override_gentoo.py
@@ -1,6 +1,4 @@
 """ Distribution specific override class for Gentoo Linux """
-import pkg_resources
-
 import zope.interface

 from certbot import interfaces
@@ -29,8 +27,6 @@ class GentooConfigurator(configurator.ApacheConfigurator):
        handle_modules=False,
        handle_sites=False,
        challenge_location="/etc/apache2/vhosts.d",
-        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
-            "certbot_apache", "options-ssl-apache.conf")
    )

    def _prepare_options(self):
--- a/certbot-apache/certbot_apache/override_suse.py
+++ b/certbot-apache/certbot_apache/override_suse.py
@@ -1,6 +1,4 @@
 """ Distribution specific override class for OpenSUSE """
-import pkg_resources
-
 import zope.interface

 from certbot import interfaces
@@ -26,6 +24,4 @@ class OpenSUSEConfigurator(configurator.ApacheConfigurator):
        handle_modules=False,
        handle_sites=False,
        challenge_location="/etc/apache2/vhosts.d",
-        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
-            "certbot_apache", "options-ssl-apache.conf")
    )
--- a/certbot-apache/certbot_apache/parsernode_util.py
+++ b/certbot-apache/certbot_apache/parsernode_util.py
@@ -1,85 +0,0 @@
-"""ParserNode utils"""
-
-
-def validate_kwargs(kwargs, required_names):
-    """
-    Ensures that the kwargs dict has all the expected values. This function modifies
-    the kwargs dictionary, and hence the returned dictionary should be used instead
-    in the caller function instead of the original kwargs.
-
-    :param dict kwargs: Dictionary of keyword arguments to validate.
-    :param list required_names: List of required parameter names.
-    """
-
-    validated_kwargs = dict()
-    for name in required_names:
-        try:
-            validated_kwargs[name] = kwargs.pop(name)
-        except KeyError:
-            raise TypeError("Required keyword argument: {} undefined.".format(name))
-
-    # Raise exception if unknown key word arguments are found.
-    if kwargs:
-        unknown = ", ".join(kwargs.keys())
-        raise TypeError("Unknown keyword argument(s): {}".format(unknown))
-    return validated_kwargs
-
-
-def parsernode_kwargs(kwargs):
-    """
-    Validates keyword arguments for ParserNode. This function modifies the kwargs
-    dictionary, and hence the returned dictionary should be used instead in the
-    caller function instead of the original kwargs.
-
-
-    :param dict kwargs: Keyword argument dictionary to validate.
-
-    :returns: Tuple of validated and prepared arguments.
-    """
-    kwargs.setdefault("dirty", False)
-    kwargs = validate_kwargs(kwargs, ["ancestor", "dirty", "filepath"])
-    return kwargs["ancestor"], kwargs["dirty"], kwargs["filepath"]
-
-
-def commentnode_kwargs(kwargs):
-    """
-    Validates keyword arguments for CommentNode and sets the default values for
-    optional kwargs. This function modifies the kwargs dictionary, and hence the
-    returned dictionary should be used instead in the caller function instead of
-    the original kwargs.
-
-
-    :param dict kwargs: Keyword argument dictionary to validate.
-
-    :returns: Tuple of validated and prepared arguments and ParserNode kwargs.
-    """
-    kwargs.setdefault("dirty", False)
-    kwargs = validate_kwargs(kwargs, ["ancestor", "dirty", "filepath", "comment"])
-
-    comment = kwargs.pop("comment")
-    return comment, kwargs
-
-
-def directivenode_kwargs(kwargs):
-    """
-    Validates keyword arguments for DirectiveNode and BlockNode and sets the
-    default values for optional kwargs. This function modifies the kwargs
-    dictionary, and hence the returned dictionary should be used instead in the
-    caller function instead of the original kwargs.
-
-    :param dict kwargs: Keyword argument dictionary to validate.
-
-    :returns: Tuple of validated and prepared arguments and ParserNode kwargs.
-    """
-
-    kwargs.setdefault("dirty", False)
-    kwargs.setdefault("enabled", True)
-    kwargs.setdefault("parameters", ())
-
-    kwargs = validate_kwargs(kwargs, ["ancestor", "dirty", "filepath", "name",
-                                      "parameters", "enabled"])
-
-    name = kwargs.pop("name")
-    parameters = kwargs.pop("parameters")
-    enabled = kwargs.pop("enabled")
-    return name, parameters, enabled, kwargs
--- a/certbot-apache/certbot_apache/tests/centos_test.py
+++ b/certbot-apache/certbot_apache/tests/centos_test.py
@@ -190,6 +190,13 @@ class MultipleVhostsTestCentOS(util.ApacheTest):
                                       errors.SubprocessError]
        self.assertRaises(errors.MisconfigurationError, self.config.restart)

+    def test_pick_correct_tls_config(self):
+        self.config.version = (2, 4, 10)
+        self.assertTrue('centos-old' in self.config.pick_apache_config())
+
+        self.config.version = (2, 4, 11)
+        self.assertTrue('centos-current' in self.config.pick_apache_config())
+

 if __name__ == "__main__":
    unittest.main()  # pragma: no cover
--- a/certbot-apache/certbot_apache/tests/configurator_test.py
+++ b/certbot-apache/certbot_apache/tests/configurator_test.py
@@ -1706,7 +1706,7 @@ class InstallSslOptionsConfTest(util.ApacheTest):
                                             self.config.updated_mod_ssl_conf_digest)

    def _current_ssl_options_hash(self):
-        return crypto_util.sha256sum(self.config.option("MOD_SSL_CONF_SRC"))
+        return crypto_util.sha256sum(self.config.pick_apache_config())

    def _assert_current_file(self):
        self.assertTrue(os.path.isfile(self.config.mod_ssl_conf))
@@ -1742,7 +1742,7 @@ class InstallSslOptionsConfTest(util.ApacheTest):
            self.assertFalse(mock_logger.warning.called)
        self.assertTrue(os.path.isfile(self.config.mod_ssl_conf))
        self.assertEqual(crypto_util.sha256sum(
-            self.config.option("MOD_SSL_CONF_SRC")),
+            self.config.pick_apache_config()),
            self._current_ssl_options_hash())
        self.assertNotEqual(crypto_util.sha256sum(self.config.mod_ssl_conf),
            self._current_ssl_options_hash())
@@ -1758,18 +1758,31 @@ class InstallSslOptionsConfTest(util.ApacheTest):
                "%s has been manually modified; updated file "
                "saved to %s. We recommend updating %s for security purposes.")
        self.assertEqual(crypto_util.sha256sum(
-            self.config.option("MOD_SSL_CONF_SRC")),
+            self.config.pick_apache_config()),
            self._current_ssl_options_hash())
        # only print warning once
        with mock.patch("certbot.plugins.common.logger") as mock_logger:
            self._call()
            self.assertFalse(mock_logger.warning.called)

-    def test_current_file_hash_in_all_hashes(self):
+    def test_ssl_config_files_hash_in_all_hashes(self):
+        """
+        It is really critical that all TLS Apache config files have their SHA256 hash registered in
+        constants.ALL_SSL_OPTIONS_HASHES. Otherwise Certbot will mistakenly assume that the config
+        file has been manually edited by the user, and will refuse to update it.
+        This test ensures that all necessary hashes are present.
+        """
        from certbot_apache.constants import ALL_SSL_OPTIONS_HASHES
-        self.assertTrue(self._current_ssl_options_hash() in ALL_SSL_OPTIONS_HASHES,
-            "Constants.ALL_SSL_OPTIONS_HASHES must be appended"
-            " with the sha256 hash of self.config.mod_ssl_conf when it is updated.")
+        import pkg_resources
+        tls_configs_dir = pkg_resources.resource_filename("certbot_apache", "tls_configs")
+        all_files = [os.path.join(tls_configs_dir, name) for name in os.listdir(tls_configs_dir)
+                     if name.endswith('options-ssl-apache.conf')]
+        self.assertTrue(all_files)
+        for one_file in all_files:
+            file_hash = crypto_util.sha256sum(one_file)
+            self.assertTrue(file_hash in ALL_SSL_OPTIONS_HASHES,
+                            "Constants.ALL_SSL_OPTIONS_HASHES must be appended with the sha256 "
+                            "hash of {0} when it is updated.".format(one_file))


 if __name__ == "__main__":
--- a/certbot-apache/certbot_apache/tests/parsernode_test.py
+++ b/certbot-apache/certbot_apache/tests/parsernode_test.py
@@ -1,123 +0,0 @@
-""" Tests for ParserNode interface """
-
-import unittest
-
-from certbot_apache import interfaces
-from certbot_apache import parsernode_util as util
-
-
-class DummyParserNode(interfaces.ParserNode):
-    """ A dummy class implementing ParserNode interface """
-
-    def __init__(self, **kwargs):
-        """
-        Initializes the ParserNode instance.
-        """
-        ancestor, dirty, filepath = util.parsernode_kwargs(kwargs)
-        self.ancestor = ancestor
-        self.dirty = dirty
-        self.filepath = filepath
-        super(DummyParserNode, self).__init__(**kwargs)
-
-    def save(self, msg):  # pragma: no cover
-        """Save"""
-        pass
-
-
-class DummyCommentNode(DummyParserNode):
-    """ A dummy class implementing CommentNode interface """
-
-    def __init__(self, **kwargs):
-        """
-        Initializes the CommentNode instance and sets its instance variables.
-        """
-        comment, kwargs = util.commentnode_kwargs(kwargs)
-        self.comment = comment
-        super(DummyCommentNode, self).__init__(**kwargs)
-
-
-class DummyDirectiveNode(DummyParserNode):
-    """ A dummy class implementing DirectiveNode interface """
-
-    # pylint: disable=too-many-arguments
-    def __init__(self, **kwargs):
-        """
-        Initializes the DirectiveNode instance and sets its instance variables.
-        """
-        name, parameters, enabled, kwargs = util.directivenode_kwargs(kwargs)
-        self.name = name
-        self.parameters = parameters
-        self.enabled = enabled
-
-        super(DummyDirectiveNode, self).__init__(**kwargs)
-
-    def set_parameters(self, parameters):  # pragma: no cover
-        """Set parameters"""
-        pass
-
-
-class DummyBlockNode(DummyDirectiveNode):
-    """ A dummy class implementing BlockNode interface """
-
-    def add_child_block(self, name, parameters=None, position=None):  # pragma: no cover
-        """Add child block"""
-        pass
-
-    def add_child_directive(self, name, parameters=None, position=None):  # pragma: no cover
-        """Add child directive"""
-        pass
-
-    def add_child_comment(self, comment="", position=None):  # pragma: no cover
-        """Add child comment"""
-        pass
-
-    def find_blocks(self, name, exclude=True):  # pragma: no cover
-        """Find blocks"""
-        pass
-
-    def find_directives(self, name, exclude=True):  # pragma: no cover
-        """Find directives"""
-        pass
-
-    def find_comments(self, comment, exact=False):  # pragma: no cover
-        """Find comments"""
-        pass
-
-    def delete_child(self, child):  # pragma: no cover
-        """Delete child"""
-        pass
-
-    def unsaved_files(self):  # pragma: no cover
-        """Unsaved files"""
-        pass
-
-
-interfaces.CommentNode.register(DummyCommentNode)
-interfaces.DirectiveNode.register(DummyDirectiveNode)
-interfaces.BlockNode.register(DummyBlockNode)
-
-class ParserNodeTest(unittest.TestCase):
-    """Dummy placeholder test case for ParserNode interfaces"""
-
-    def test_dummy(self):
-        dummyblock = DummyBlockNode(
-            name="None",
-            parameters=(),
-            ancestor=None,
-            dirty=False,
-            filepath="/some/random/path"
-        )
-        dummydirective = DummyDirectiveNode(
-            name="Name",
-            ancestor=None,
-            filepath="/another/path"
-        )
-        dummycomment = DummyCommentNode(
-            comment="Comment",
-            ancestor=dummyblock,
-            filepath="/some/file"
-        )
-
-
-if __name__ == "__main__":
-    unittest.main()  # pragma: no cover
--- a/certbot-apache/certbot_apache/tests/parsernode_util_test.py
+++ b/certbot-apache/certbot_apache/tests/parsernode_util_test.py
@@ -1,87 +0,0 @@
-""" Tests for ParserNode utils """
-import unittest
-
-from certbot_apache import parsernode_util as util
-
-
-class ParserNodeUtilTest(unittest.TestCase):
-    """Tests for ParserNode utils"""
-
-    def _setup_parsernode(self):
-        """ Sets up kwargs dict for ParserNode """
-        return {
-            "ancestor": None,
-            "dirty": False,
-            "filepath": "/tmp",
-        }
-
-    def _setup_commentnode(self):
-        """ Sets up kwargs dict for CommentNode """
-
-        pn = self._setup_parsernode()
-        pn["comment"] = "x"
-        return pn
-
-    def _setup_directivenode(self):
-        """ Sets up kwargs dict for DirectiveNode """
-
-        pn = self._setup_parsernode()
-        pn["name"] = "Name"
-        pn["parameters"] = ("first",)
-        pn["enabled"] = True
-        return pn
-
-    def test_unknown_parameter(self):
-        params = self._setup_parsernode()
-        params["unknown"] = "unknown"
-        self.assertRaises(TypeError, util.parsernode_kwargs, params)
-
-        params = self._setup_commentnode()
-        params["unknown"] = "unknown"
-        self.assertRaises(TypeError, util.commentnode_kwargs, params)
-
-        params = self._setup_directivenode()
-        params["unknown"] = "unknown"
-        self.assertRaises(TypeError, util.directivenode_kwargs, params)
-
-    def test_parsernode(self):
-        params = self._setup_parsernode()
-        ctrl = self._setup_parsernode()
-
-        ancestor, dirty, filepath = util.parsernode_kwargs(params)
-        self.assertEqual(ancestor, ctrl["ancestor"])
-        self.assertEqual(dirty, ctrl["dirty"])
-        self.assertEqual(filepath, ctrl["filepath"])
-
-    def test_commentnode(self):
-        params = self._setup_commentnode()
-        ctrl = self._setup_commentnode()
-
-        comment, _ = util.commentnode_kwargs(params)
-        self.assertEqual(comment, ctrl["comment"])
-
-    def test_directivenode(self):
-        params = self._setup_directivenode()
-        ctrl = self._setup_directivenode()
-
-        name, parameters, enabled, _ = util.directivenode_kwargs(params)
-        self.assertEqual(name, ctrl["name"])
-        self.assertEqual(parameters, ctrl["parameters"])
-        self.assertEqual(enabled, ctrl["enabled"])
-
-    def test_missing_required(self):
-        c_params = self._setup_commentnode()
-        c_params.pop("comment")
-        self.assertRaises(TypeError, util.commentnode_kwargs, c_params)
-
-        d_params = self._setup_directivenode()
-        d_params.pop("ancestor")
-        self.assertRaises(TypeError, util.directivenode_kwargs, d_params)
-
-        p_params = self._setup_parsernode()
-        p_params.pop("filepath")
-        self.assertRaises(TypeError, util.parsernode_kwargs, p_params)
-
-
-if __name__ == "__main__":
-    unittest.main()  # pragma: no cover
--- a/certbot-apache/certbot_apache/tls_configs/centos-current-options-ssl-apache.conf
+++ b/certbot-apache/certbot_apache/tls_configs/centos-current-options-ssl-apache.conf
@@ -10,16 +10,10 @@ SSLEngine on
 SSLProtocol             all -SSLv2 -SSLv3
 SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 SSLHonorCipherOrder     on
+SSLSessionTickets       off

 SSLOptions +StrictRequire

 # Add vhost name to log entries:
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
 LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
-
-#CustomLog /var/log/apache2/access.log vhost_combined
-#LogLevel warn
-#ErrorLog /var/log/apache2/error.log
-
-# Always ensure Cookies have "Secure" set (JAH 2012/1)
-#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
--- a/certbot-apache/certbot_apache/tls_configs/centos-old-options-ssl-apache.conf
+++ b/certbot-apache/certbot_apache/tls_configs/centos-old-options-ssl-apache.conf
@@ -0,0 +1,18 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+SSLEngine on
+
+# Intermediate configuration, tweak to your needs
+SSLProtocol             all -SSLv2 -SSLv3
+SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+SSLHonorCipherOrder     on
+
+SSLOptions +StrictRequire
+
+# Add vhost name to log entries:
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
+LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
--- a/certbot-apache/certbot_apache/tls_configs/current-options-ssl-apache.conf
+++ b/certbot-apache/certbot_apache/tls_configs/current-options-ssl-apache.conf
@@ -11,16 +11,10 @@ SSLProtocol             all -SSLv2 -SSLv3
 SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 SSLHonorCipherOrder     on
 SSLCompression          off
+SSLSessionTickets       off

 SSLOptions +StrictRequire

 # Add vhost name to log entries:
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
 LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
-
-#CustomLog /var/log/apache2/access.log vhost_combined
-#LogLevel warn
-#ErrorLog /var/log/apache2/error.log
-
-# Always ensure Cookies have "Secure" set (JAH 2012/1)
-#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
--- a/certbot-apache/certbot_apache/tls_configs/old-options-ssl-apache.conf
+++ b/certbot-apache/certbot_apache/tls_configs/old-options-ssl-apache.conf
@@ -0,0 +1,19 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+SSLEngine on
+
+# Intermediate configuration, tweak to your needs
+SSLProtocol             all -SSLv2 -SSLv3
+SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+SSLHonorCipherOrder     on
+SSLCompression          off
+
+SSLOptions +StrictRequire
+
+# Add vhost name to log entries:
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
+LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
--- a/certbot-apache/local-oldest-requirements.txt
+++ b/certbot-apache/local-oldest-requirements.txt
@@ -1,3 +1,3 @@
 # Remember to update setup.py to match the package versions below.
 acme[dev]==0.29.0
-certbot[dev]==0.37.0
+-e .[dev]
--- a/certbot-apache/setup.py
+++ b/certbot-apache/setup.py
@@ -4,13 +4,13 @@ from setuptools.command.test import test as TestCommand
 import sys


-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
    'acme>=0.29.0',
-    'certbot>=0.37.0',
+    'certbot>=0.37.0.dev0',
    'mock',
    'python-augeas',
    'setuptools',
--- a/55
+++ b/55
@@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then
 fi
 VENV_BIN="$VENV_PATH/bin"
 BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt"
-LE_AUTO_VERSION="0.37.1"
+LE_AUTO_VERSION="0.36.0"
 BASENAME=$(basename $0)
 USAGE="Usage: $BASENAME [OPTIONS]
 A self-updating wrapper script for the Certbot ACME client. When run, updates
@@ -755,31 +755,13 @@ elif [ -f /etc/redhat-release ]; then
  prev_le_python="$LE_PYTHON"
  unset LE_PYTHON
  DeterminePythonVersion "NOCRASH"
-
-  RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
-
-  # Set RPM_DIST_VERSION to VERSION_ID from /etc/os-release after splitting on
-  # '.' characters (e.g. "8.0" becomes "8"). If the command exits with an
-  # error, RPM_DIST_VERSION is set to "unknown".
-  RPM_DIST_VERSION=$( (. /etc/os-release 2> /dev/null && echo "$VERSION_ID") | cut -d '.' -f1 || echo "unknown")
-
-  # If RPM_DIST_VERSION is an empty string or it contains any nonnumeric
-  # characters, the value is unexpected so we set RPM_DIST_VERSION to 0.
-  if [ -z "$RPM_DIST_VERSION" ] || [ -n "$(echo "$RPM_DIST_VERSION" | tr -d '[0-9]')" ]; then
-     RPM_DIST_VERSION=0
-  fi
-
  # Starting to Fedora 29, python2 is on a deprecation path. Let's move to python3 then.
-  # RHEL 8 also uses python3 by default.
-  if [ "$RPM_DIST_NAME" = "fedora" -a "$RPM_DIST_VERSION" -ge 29 -o "$PYVER" -eq 26 ]; then
-    RPM_USE_PYTHON_3=1
-  elif [ "$RPM_DIST_NAME" = "rhel" -a "$RPM_DIST_VERSION" -ge 8 ]; then
-    RPM_USE_PYTHON_3=1
-  else
-    RPM_USE_PYTHON_3=0
+  RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
+  RPM_DIST_VERSION=0
+  if [ "$RPM_DIST_NAME" = "fedora" ]; then
+    RPM_DIST_VERSION=`(. /etc/os-release 2> /dev/null && echo $VERSION_ID) || echo "0"`
  fi
-
-  if [ "$RPM_USE_PYTHON_3" = 1 ]; then
+  if [ "$RPM_DIST_NAME" = "fedora" -a "$RPM_DIST_VERSION" -ge 29 -o "$PYVER" -eq 26 ]; then
    Bootstrap() {
      BootstrapMessage "RedHat-based OSes that will use Python3"
      BootstrapRpmPython3
@@ -793,7 +775,6 @@ elif [ -f /etc/redhat-release ]; then
    }
    BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION"
  fi
-
  LE_PYTHON="$prev_le_python"
 elif [ -f /etc/os-release ] && `grep -q openSUSE /etc/os-release` ; then
  Bootstrap() {
@@ -1333,18 +1314,18 @@ letsencrypt==0.7.0 \
    --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \
    --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9

-certbot==0.37.1 \
-    --hash=sha256:84dbdad204327b8d8ef9ab5b040f2be1e427a9f7e087affcc9a6051ea1b03fe7 \
-    --hash=sha256:aace73e63b0c11cdb4b0bd33e1780c1fbe0ce5669dc72e80c3aa9500145daf16
-acme==0.37.1 \
-    --hash=sha256:83a4f6f3c5eb6a85233d5ba87714b426f2d096df58d711f8a2fc4071eb3fd3fc \
-    --hash=sha256:c069a761990751f7c4bf51d2e87ae10319bf460de6629d2908c9fa6f69e97111
-certbot-apache==0.37.1 \
-    --hash=sha256:3ea832408877b12b3a60d17e8b2ee3387364f8c3023ac267161c25b99087cd42 \
-    --hash=sha256:e46c2644451101c0e216aa1f525a577cc903efaf871e0e4da277224a4439040c
-certbot-nginx==0.37.1 \
-    --hash=sha256:1f9af389d26f06634e2eefaace3354e7679dabb4295e1d55d05a4ee7e23a64bd \
-    --hash=sha256:02a7ec15bd388d0f0e94a34c86a8f8d618ec7d5ffde0c206039bb4c46b294ce4
+certbot==0.36.0 \
+    --hash=sha256:486cee6c4861762fe4a94b4f44f7d227034d026d1a8d7ba2911ef4e86a737613 \
+    --hash=sha256:bf6745b823644cdca8461150455aeb67d417f87f80b9ec774c716e9587ef20a2
+acme==0.36.0 \
+    --hash=sha256:5570c8e87383fbc733224fd0f7d164313b67dd9c21deafe9ddc8e769441f0c86 \
+    --hash=sha256:0461ee3c882d865e98e624561843dc135fa1a1412b15603d7ebfbb392de6a668
+certbot-apache==0.36.0 \
+    --hash=sha256:2537f7fb67a38b6d1ed5ee79f6a799090ca609695ac3799bb840b2fb677ac98d \
+    --hash=sha256:458d20a3e9e8a88563d3deb0bbe38752bd2b80100f0e5854e4069390c1b4e5cd
+certbot-nginx==0.36.0 \
+    --hash=sha256:4303b54adf2030671c54bb3964c1f43aec0f677045e0cdb6d4fb931268d08310 \
+    --hash=sha256:4c34e6114dd8204b6667f101579dd9ab2b38fef0dd5a15702585edcb2aefb322

 UNLIKELY_EOF
    # -------------------------------------------------------------------------
--- a/certbot-ci/certbot_integration_tests/assets/hook.py
+++ b/certbot-ci/certbot_integration_tests/assets/hook.py
@@ -1,11 +0,0 @@
-#!/usr/bin/env python
-import sys
-import os
-
-hook_script_type = os.path.basename(os.path.dirname(sys.argv[1]))
-if hook_script_type == 'deploy' and ('RENEWED_DOMAINS' not in os.environ or 'RENEWED_LINEAGE' not in os.environ):
-    sys.stderr.write('Environment variables not properly set!\n')
-    sys.exit(1)
-
-with open(sys.argv[2], 'a') as file_h:
-    file_h.write(hook_script_type + '\n')
--- a/certbot-ci/certbot_integration_tests/certbot_tests/assertions.py
+++ b/certbot-ci/certbot_integration_tests/certbot_tests/assertions.py
@@ -1,17 +1,6 @@
 """This module contains advanced assertions for the certbot integration tests."""
 import os
-try:
-    import grp
-    POSIX_MODE = True
-except ImportError:
-    import win32api
-    import win32security
-    import ntsecuritycon
-    POSIX_MODE = False
-
-EVERYBODY_SID = 'S-1-1-0'
-SYSTEM_SID = 'S-1-5-18'
-ADMINS_SID = 'S-1-5-32-544'
+import grp


 def assert_hook_execution(probe_path, probe_content):
@@ -21,10 +10,9 @@ def assert_hook_execution(probe_path, probe_content):
    :param probe_content: content expected when the hook is executed
    """
    with open(probe_path, 'r') as file:
-        data = file.read()
+        lines = file.readlines()

-    lines = [line.strip() for line in data.splitlines()]
-    assert probe_content in lines
+    assert '{0}{1}'.format(probe_content, os.linesep) in lines


 def assert_saved_renew_hook(config_dir, lineage):
@@ -50,51 +38,16 @@ def assert_cert_count_for_lineage(config_dir, lineage, count):
    assert len(certs) == count


-def assert_equals_group_permissions(file1, file2):
+def assert_equals_permissions(file1, file2, mask):
    """
-    Assert that two files have the same permissions for group owner.
+    Assert that permissions on two files are identical in respect to a given umask.
    :param file1: first file path to compare
    :param file2: second file path to compare
+    :param mask: 3-octal representation of a POSIX umask under which the two files mode
+                 should match (eg. 0o074 will test RWX on group and R on world)
    """
-    # On Windows there is no group, so this assertion does nothing on this platform
-    if POSIX_MODE:
-        mode_file1 = os.stat(file1).st_mode & 0o070
-        mode_file2 = os.stat(file2).st_mode & 0o070
-
-        assert mode_file1 == mode_file2
-
-
-def assert_equals_world_read_permissions(file1, file2):
-    """
-    Assert that two files have the same read permissions for everyone.
-    :param file1: first file path to compare
-    :param file2: second file path to compare
-    """
-    if POSIX_MODE:
-        mode_file1 = os.stat(file1).st_mode & 0o004
-        mode_file2 = os.stat(file2).st_mode & 0o004
-    else:
-        everybody = win32security.ConvertStringSidToSid(EVERYBODY_SID)
-
-        security1 = win32security.GetFileSecurity(file1, win32security.DACL_SECURITY_INFORMATION)
-        dacl1 = security1.GetSecurityDescriptorDacl()
-
-        mode_file1 = dacl1.GetEffectiveRightsFromAcl({
-            'TrusteeForm': win32security.TRUSTEE_IS_SID,
-            'TrusteeType': win32security.TRUSTEE_IS_USER,
-            'Identifier': everybody,
-        })
-        mode_file1 = mode_file1 & ntsecuritycon.FILE_GENERIC_READ
-
-        security2 = win32security.GetFileSecurity(file2, win32security.DACL_SECURITY_INFORMATION)
-        dacl2 = security2.GetSecurityDescriptorDacl()
-
-        mode_file2 = dacl2.GetEffectiveRightsFromAcl({
-            'TrusteeForm': win32security.TRUSTEE_IS_SID,
-            'TrusteeType': win32security.TRUSTEE_IS_USER,
-            'Identifier': everybody,
-        })
-        mode_file2 = mode_file2 & ntsecuritycon.FILE_GENERIC_READ
+    mode_file1 = os.stat(file1).st_mode & mask
+    mode_file2 = os.stat(file2).st_mode & mask

    assert mode_file1 == mode_file2

@@ -104,57 +57,20 @@ def assert_equals_group_owner(file1, file2):
    Assert that two files have the same group owner.
    :param file1: first file path to compare
    :param file2: second file path to compare
+    :return:
    """
-    # On Windows there is no group, so this assertion does nothing on this platform
-    if POSIX_MODE:
-        group_owner_file1 = grp.getgrgid(os.stat(file1).st_gid)[0]
-        group_owner_file2 = grp.getgrgid(os.stat(file2).st_gid)[0]
+    group_owner_file1 = grp.getgrgid(os.stat(file1).st_gid)[0]
+    group_owner_file2 = grp.getgrgid(os.stat(file2).st_gid)[0]

-        assert group_owner_file1 == group_owner_file2
+    assert group_owner_file1 == group_owner_file2


-def assert_world_no_permissions(file):
+def assert_world_permissions(file, mode):
    """
-    Assert that the given file is not world-readable.
-    :param file: path of the file to check
+    Assert that a file has the expected world permission.
+    :param file: file path to check
+    :param mode: world permissions mode expected
    """
-    if POSIX_MODE:
-        mode_file_all = os.stat(file).st_mode & 0o007
-        assert mode_file_all == 0
-    else:
-        security = win32security.GetFileSecurity(file, win32security.DACL_SECURITY_INFORMATION)
-        dacl = security.GetSecurityDescriptorDacl()
-        mode = dacl.GetEffectiveRightsFromAcl({
-            'TrusteeForm': win32security.TRUSTEE_IS_SID,
-            'TrusteeType': win32security.TRUSTEE_IS_USER,
-            'Identifier': win32security.ConvertStringSidToSid(EVERYBODY_SID),
-        })
+    mode_file_all = os.stat(file).st_mode & 0o007

-        assert not mode
-
-
-def assert_world_read_permissions(file):
-    """
-    Assert that the given file is world-readable, but not world-writable or world-executable.
-    :param file: path of the file to check
-    """
-    if POSIX_MODE:
-        mode_file_all = os.stat(file).st_mode & 0o007
-        assert mode_file_all == 4
-    else:
-        security = win32security.GetFileSecurity(file, win32security.DACL_SECURITY_INFORMATION)
-        dacl = security.GetSecurityDescriptorDacl()
-        mode = dacl.GetEffectiveRightsFromAcl({
-            'TrusteeForm': win32security.TRUSTEE_IS_SID,
-            'TrusteeType': win32security.TRUSTEE_IS_USER,
-            'Identifier': win32security.ConvertStringSidToSid(EVERYBODY_SID),
-        })
-
-        assert not mode & ntsecuritycon.FILE_GENERIC_WRITE
-        assert not mode & ntsecuritycon.FILE_GENERIC_EXECUTE
-        assert mode & ntsecuritycon.FILE_GENERIC_READ == ntsecuritycon.FILE_GENERIC_READ
-
-
-def _get_current_user():
-    account_name = win32api.GetUserNameEx(win32api.NameSamCompatible)
-    return win32security.LookupAccountName(None, account_name)[0]
+    assert mode_file_all == mode
--- a/certbot-ci/certbot_integration_tests/certbot_tests/context.py
+++ b/certbot-ci/certbot_integration_tests/certbot_tests/context.py
@@ -1,11 +1,10 @@
 """Module to handle the context of integration tests."""
-import logging
 import os
 import shutil
 import sys
 import tempfile

-from certbot_integration_tests.utils import certbot_call
+from certbot_integration_tests.utils import misc, certbot_call


 class IntegrationTestsContext(object):
@@ -20,7 +19,7 @@ class IntegrationTestsContext(object):
            self.worker_id = 'primary'
            acme_xdist = request.config.acme_xdist

-        self.acme_server = acme_xdist['acme_server']
+        self.acme_server =acme_xdist['acme_server']
        self.directory_url = acme_xdist['directory_url']
        self.tls_alpn_01_port = acme_xdist['https_port'][self.worker_id]
        self.http_01_port = acme_xdist['http_port'][self.worker_id]
@@ -31,10 +30,7 @@ class IntegrationTestsContext(object):

        self.workspace = tempfile.mkdtemp()
        self.config_dir = os.path.join(self.workspace, 'conf')
-
-        probe = tempfile.mkstemp(dir=self.workspace)
-        os.close(probe[0])
-        self.hook_probe = probe[1]
+        self.hook_probe = tempfile.mkstemp(dir=self.workspace)[1]

        self.manual_dns_auth_hook = (
            '{0} -c "import os; import requests; import json; '
--- a/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
+++ b/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
@@ -11,11 +11,8 @@ from os.path import join, exists
 import pytest
 from certbot_integration_tests.certbot_tests import context as certbot_context
 from certbot_integration_tests.certbot_tests.assertions import (
-    assert_hook_execution, assert_saved_renew_hook,
-    assert_cert_count_for_lineage,
-    assert_world_no_permissions, assert_world_read_permissions,
-    assert_equals_group_owner, assert_equals_group_permissions, assert_equals_world_read_permissions,
-    EVERYBODY_SID
+    assert_hook_execution, assert_saved_renew_hook, assert_cert_count_for_lineage,
+    assert_world_permissions, assert_equals_group_owner, assert_equals_permissions,
 )
 from certbot_integration_tests.utils import misc

@@ -87,9 +84,9 @@ def test_http_01(context):
        context.certbot([
            '--domains', certname, '--preferred-challenges', 'http-01', 'run',
            '--cert-name', certname,
-            '--pre-hook', misc.echo('wtf_pre', context.hook_probe),
-            '--post-hook', misc.echo('wtf_post', context.hook_probe),
-            '--deploy-hook', misc.echo('deploy', context.hook_probe),
+            '--pre-hook', 'echo wtf.pre >> "{0}"'.format(context.hook_probe),
+            '--post-hook', 'echo wtf.post >> "{0}"'.format(context.hook_probe),
+            '--deploy-hook', 'echo deploy >> "{0}"'.format(context.hook_probe)
        ])

    assert_hook_execution(context.hook_probe, 'deploy')
@@ -107,9 +104,9 @@ def test_manual_http_auth(context):
            '--cert-name', certname,
            '--manual-auth-hook', scripts[0],
            '--manual-cleanup-hook', scripts[1],
-            '--pre-hook', misc.echo('wtf_pre', context.hook_probe),
-            '--post-hook', misc.echo('wtf_post', context.hook_probe),
-            '--renew-hook', misc.echo('renew', context.hook_probe),
+            '--pre-hook', 'echo wtf.pre >> "{0}"'.format(context.hook_probe),
+            '--post-hook', 'echo wtf.post >> "{0}"'.format(context.hook_probe),
+            '--renew-hook', 'echo renew >> "{0}"'.format(context.hook_probe)
        ])

    with pytest.raises(AssertionError):
@@ -125,9 +122,9 @@ def test_manual_dns_auth(context):
        'run', '--cert-name', certname,
        '--manual-auth-hook', context.manual_dns_auth_hook,
        '--manual-cleanup-hook', context.manual_dns_cleanup_hook,
-        '--pre-hook', misc.echo('wtf_pre', context.hook_probe),
-        '--post-hook', misc.echo('wtf_post', context.hook_probe),
-        '--renew-hook', misc.echo('renew', context.hook_probe),
+        '--pre-hook', 'echo wtf.pre >> "{0}"'.format(context.hook_probe),
+        '--post-hook', 'echo wtf.post >> "{0}"'.format(context.hook_probe),
+        '--renew-hook', 'echo renew >> "{0}"'.format(context.hook_probe)
    ])

    with pytest.raises(AssertionError):
@@ -176,19 +173,21 @@ def test_renew_files_permissions(context):
    certname = context.get_domain('renew')
    context.certbot(['-d', certname])

-    privkey1 = join(context.config_dir, 'archive', certname, 'privkey1.pem')
-    privkey2 = join(context.config_dir, 'archive', certname, 'privkey2.pem')
-
    assert_cert_count_for_lineage(context.config_dir, certname, 1)
-    assert_world_no_permissions(privkey1)
+    assert_world_permissions(
+        join(context.config_dir, 'archive', certname, 'privkey1.pem'), 0)

    context.certbot(['renew'])

    assert_cert_count_for_lineage(context.config_dir, certname, 2)
-    assert_world_no_permissions(privkey2)
-    assert_equals_group_owner(privkey1, privkey2)
-    assert_equals_world_read_permissions(privkey1, privkey2)
-    assert_equals_group_permissions(privkey1, privkey2)
+    assert_world_permissions(
+        join(context.config_dir, 'archive', certname, 'privkey2.pem'), 0)
+    assert_equals_group_owner(
+        join(context.config_dir, 'archive', certname, 'privkey1.pem'),
+        join(context.config_dir, 'archive', certname, 'privkey2.pem'))
+    assert_equals_permissions(
+        join(context.config_dir, 'archive', certname, 'privkey1.pem'),
+        join(context.config_dir, 'archive', certname, 'privkey2.pem'), 0o074)


 def test_renew_with_hook_scripts(context):
@@ -212,35 +211,15 @@ def test_renew_files_propagate_permissions(context):

    assert_cert_count_for_lineage(context.config_dir, certname, 1)

-    privkey1 = join(context.config_dir, 'archive', certname, 'privkey1.pem')
-    privkey2 = join(context.config_dir, 'archive', certname, 'privkey2.pem')
-
-    if os.name != 'nt':
-        os.chmod(privkey1, 0o444)
-    else:
-        import win32security
-        import ntsecuritycon
-        # Get the current DACL of the private key
-        security = win32security.GetFileSecurity(privkey1, win32security.DACL_SECURITY_INFORMATION)
-        dacl = security.GetSecurityDescriptorDacl()
-        # Create a read permission for Everybody group
-        everybody = win32security.ConvertStringSidToSid(EVERYBODY_SID)
-        dacl.AddAccessAllowedAce(win32security.ACL_REVISION, ntsecuritycon.FILE_GENERIC_READ, everybody)
-        # Apply the updated DACL to the private key
-        security.SetSecurityDescriptorDacl(1, dacl, 0)
-        win32security.SetFileSecurity(privkey1, win32security.DACL_SECURITY_INFORMATION, security)
-
+    os.chmod(join(context.config_dir, 'archive', certname, 'privkey1.pem'), 0o444)
    context.certbot(['renew'])

    assert_cert_count_for_lineage(context.config_dir, certname, 2)
-    if os.name != 'nt':
-        # On Linux, read world permissions + all group permissions will be copied from the previous private key
-        assert_world_read_permissions(privkey2)
-        assert_equals_world_read_permissions(privkey1, privkey2)
-        assert_equals_group_permissions(privkey1, privkey2)
-    else:
-        # On Windows, world will never have any permissions, and group permission is irrelevant for this platform
-        assert_world_no_permissions(privkey2)
+    assert_world_permissions(
+        join(context.config_dir, 'archive', certname, 'privkey2.pem'), 4)
+    assert_equals_permissions(
+        join(context.config_dir, 'archive', certname, 'privkey1.pem'),
+        join(context.config_dir, 'archive', certname, 'privkey2.pem'), 0o074)


 def test_graceful_renew_it_is_not_time(context):
@@ -250,7 +229,7 @@ def test_graceful_renew_it_is_not_time(context):

    assert_cert_count_for_lineage(context.config_dir, certname, 1)

-    context.certbot(['renew', '--deploy-hook', misc.echo('deploy', context.hook_probe)],
+    context.certbot(['renew', '--deploy-hook', 'echo deploy >> "{0}"'.format(context.hook_probe)],
                    force_renew=False)

    assert_cert_count_for_lineage(context.config_dir, certname, 1)
@@ -271,7 +250,7 @@ def test_graceful_renew_it_is_time(context):
    with open(join(context.config_dir, 'renewal', '{0}.conf'.format(certname)), 'w') as file:
        file.writelines(lines)

-    context.certbot(['renew', '--deploy-hook', misc.echo('deploy', context.hook_probe)],
+    context.certbot(['renew', '--deploy-hook', 'echo deploy >> "{0}"'.format(context.hook_probe)],
                    force_renew=False)

    assert_cert_count_for_lineage(context.config_dir, certname, 2)
@@ -338,9 +317,9 @@ def test_renew_hook_override(context):
    context.certbot([
        'certonly', '-d', certname,
        '--preferred-challenges', 'http-01',
-        '--pre-hook', misc.echo('pre', context.hook_probe),
-        '--post-hook', misc.echo('post', context.hook_probe),
-        '--deploy-hook', misc.echo('deploy', context.hook_probe),
+        '--pre-hook', 'echo pre >> "{0}"'.format(context.hook_probe),
+        '--post-hook', 'echo post >> "{0}"'.format(context.hook_probe),
+        '--deploy-hook', 'echo deploy >> "{0}"'.format(context.hook_probe)
    ])

    assert_hook_execution(context.hook_probe, 'pre')
@@ -351,14 +330,14 @@ def test_renew_hook_override(context):
    open(context.hook_probe, 'w').close()
    context.certbot([
        'renew', '--cert-name', certname,
-        '--pre-hook', misc.echo('pre_override', context.hook_probe),
-        '--post-hook', misc.echo('post_override', context.hook_probe),
-        '--deploy-hook', misc.echo('deploy_override', context.hook_probe),
+        '--pre-hook', 'echo pre-override >> "{0}"'.format(context.hook_probe),
+        '--post-hook', 'echo post-override >> "{0}"'.format(context.hook_probe),
+        '--deploy-hook', 'echo deploy-override >> "{0}"'.format(context.hook_probe)
    ])

-    assert_hook_execution(context.hook_probe, 'pre_override')
-    assert_hook_execution(context.hook_probe, 'post_override')
-    assert_hook_execution(context.hook_probe, 'deploy_override')
+    assert_hook_execution(context.hook_probe, 'pre-override')
+    assert_hook_execution(context.hook_probe, 'post-override')
+    assert_hook_execution(context.hook_probe, 'deploy-override')
    with pytest.raises(AssertionError):
        assert_hook_execution(context.hook_probe, 'pre')
    with pytest.raises(AssertionError):
@@ -370,11 +349,11 @@ def test_renew_hook_override(context):
    open(context.hook_probe, 'w').close()
    context.certbot(['renew', '--cert-name', certname])

-    assert_hook_execution(context.hook_probe, 'pre_override')
-    assert_hook_execution(context.hook_probe, 'post_override')
-    assert_hook_execution(context.hook_probe, 'deploy_override')
-
+    assert_hook_execution(context.hook_probe, 'pre-override')
+    assert_hook_execution(context.hook_probe, 'post-override')
+    assert_hook_execution(context.hook_probe, 'deploy-override')

+    
 def test_invalid_domain_with_dns_challenge(context):
    """Test certificate issuance failure with DNS-01 challenge."""
    # Manual dns auth hooks from misc are designed to fail if the domain contains 'fail-*'.
@@ -533,7 +512,7 @@ def test_revoke_multiple_lineages(context):
        data = file.read()

    data = re.sub('archive_dir = .*\n',
-                  'archive_dir = {0}\n'.format(join(context.config_dir, 'archive', cert1).replace('\\', '\\\\')),
+                  'archive_dir = {0}\n'.format(join(context.config_dir, 'archive', cert1)),
                  data)

    with open(join(context.config_dir, 'renewal', '{0}.conf'.format(cert2)), 'w') as file:
@@ -576,9 +555,11 @@ def test_ocsp_status_stale(context):

 def test_ocsp_status_live(context):
    """Test retrieval of OCSP statuses for live config"""
-    cert = context.get_domain('ocsp-check')
+    if context.acme_server == 'pebble':
+        pytest.skip('Pebble does not support OCSP status requests.')

    # OSCP 1: Check live certificate OCSP status (VALID)
+    cert = context.get_domain('ocsp-check')
    context.certbot(['--domains', cert])
    output = context.certbot(['certificates'])

--- a/certbot-ci/certbot_integration_tests/utils/acme_server.py
+++ b/certbot-ci/certbot_integration_tests/utils/acme_server.py
@@ -134,13 +134,6 @@ class ACMEServer(object):
            [challtestsrv_path, '-management', ':{0}'.format(CHALLTESTSRV_PORT), '-defaultIPv6', '""',
             '-defaultIPv4', '127.0.0.1', '-http01', '""', '-tlsalpn01', '""', '-https01', '""'])

-        # pebble_ocsp_server is imported here and not at the top of module in order to avoid a useless
-        # ImportError, in the case where cryptography dependency is too old to support ocsp, but
-        # Boulder is used instead of Pebble, so pebble_ocsp_server is not used. This is the typical
-        # situation of integration-certbot-oldest tox testenv.
-        from certbot_integration_tests.utils import pebble_ocsp_server
-        self._launch_process([sys.executable, pebble_ocsp_server.__file__])
-
        # Wait for the ACME CA server to be up.
        print('=> Waiting for pebble instance to respond...')
        misc.check_until_timeout(self.acme_xdist['directory_url'])
--- a/certbot-ci/certbot_integration_tests/utils/constants.py
+++ b/certbot-ci/certbot_integration_tests/utils/constants.py
@@ -5,5 +5,3 @@ CHALLTESTSRV_PORT = 8055
 BOULDER_V1_DIRECTORY_URL = 'http://localhost:4000/directory'
 BOULDER_V2_DIRECTORY_URL = 'http://localhost:4001/directory'
 PEBBLE_DIRECTORY_URL = 'https://localhost:14000/dir'
-PEBBLE_MANAGEMENT_URL = 'https://localhost:15000'
-MOCK_OCSP_SERVER_PORT = 4002
--- a/certbot-ci/certbot_integration_tests/utils/misc.py
+++ b/certbot-ci/certbot_integration_tests/utils/misc.py
@@ -3,11 +3,9 @@ Misc module contains stateless functions that could be used during pytest execut
 or outside during setup/teardown of the integration tests environment.
 """
 import contextlib
-import logging
 import errno
 import multiprocessing
 import os
-import re
 import shutil
 import stat
 import subprocess
@@ -25,6 +23,7 @@ from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.serialization import Encoding, PrivateFormat, NoEncryption
 from six.moves import socketserver, SimpleHTTPServer

+
 RSA_KEY_TYPE = 'rsa'
 ECDSA_KEY_TYPE = 'ecdsa'

@@ -64,10 +63,6 @@ class GracefulTCPServer(socketserver.TCPServer):
    allow_reuse_address = True


-def _run_server(port):
-    GracefulTCPServer(('', port), SimpleHTTPServer.SimpleHTTPRequestHandler).serve_forever()
-
-
@contextlib.contextmanager
 def create_http_server(port):
    """
@@ -80,7 +75,10 @@ def create_http_server(port):
    current_cwd = os.getcwd()
    webroot = tempfile.mkdtemp()

-    process = multiprocessing.Process(target=_run_server, args=(port,))
+    def run():
+        GracefulTCPServer(('', port), SimpleHTTPServer.SimpleHTTPRequestHandler).serve_forever()
+
+    process = multiprocessing.Process(target=run)

    try:
        # SimpleHTTPServer is designed to serve files from the current working directory at the
@@ -122,9 +120,15 @@ def generate_test_file_hooks(config_dir, hook_probe):
    :param str config_dir: current certbot config directory
    :param hook_probe: path to the hook probe to test hook scripts execution
    """
-    hook_path = pkg_resources.resource_filename('certbot_integration_tests', 'assets/hook.py')
+    if sys.platform == 'win32':
+        extension = 'bat'
+    else:
+        extension = 'sh'

-    for hook_dir in list_renewal_hooks_dirs(config_dir):
+    renewal_hooks_dirs = list_renewal_hooks_dirs(config_dir)
+    renewal_deploy_hook_path = os.path.join(renewal_hooks_dirs[1], 'hook.sh')
+
+    for hook_dir in renewal_hooks_dirs:
        # We want an equivalent of bash `chmod -p $HOOK_DIR, that does not fail if one folder of
        # the hierarchy already exists. It is not the case of os.makedirs. Python 3 has an
        # optional parameter `exists_ok` to not fail on existing dir, but Python 2.7 does not.
@@ -134,25 +138,26 @@ def generate_test_file_hooks(config_dir, hook_probe):
        except OSError as error:
            if error.errno != errno.EEXIST:
                raise
-
-        if os.name != 'nt':
-            entrypoint_script_path = os.path.join(hook_dir, 'entrypoint.sh')
-            entrypoint_script = '''\
-#!/usr/bin/env bash
-set -e
-"{0}" "{1}" "{2}" "{3}"
-'''.format(sys.executable, hook_path, entrypoint_script_path, hook_probe)
+        hook_path = os.path.join(hook_dir, 'hook.{0}'.format(extension))
+        if extension == 'sh':
+            data = '''\
+#!/bin/bash -xe
+if [ "$0" = "{0}" ]; then
+    if [ -z "$RENEWED_DOMAINS" -o -z "$RENEWED_LINEAGE" ]; then
+        echo "Environment variables not properly set!" >&2
+        exit 1
+    fi
+fi
+echo $(basename $(dirname "$0")) >> "{1}"\
+'''.format(renewal_deploy_hook_path, hook_probe)
        else:
-            entrypoint_script_path = os.path.join(hook_dir, 'entrypoint.bat')
-            entrypoint_script = '''\
-@echo off
-"{0}" "{1}" "{2}" "{3}"
-            '''.format(sys.executable, hook_path, entrypoint_script_path, hook_probe)
+            # TODO: Write the equivalent bat file for Windows
+            data = '''\

-        with open(entrypoint_script_path, 'w') as file_h:
-            file_h.write(entrypoint_script)
-
-        os.chmod(entrypoint_script_path, os.stat(entrypoint_script_path).st_mode | stat.S_IEXEC)
+'''
+        with open(hook_path, 'w') as file:
+            file.write(data)
+        os.chmod(hook_path, os.stat(hook_path).st_mode | stat.S_IEXEC)


@contextlib.contextmanager
@@ -189,7 +194,7 @@ for _ in range(0, 10):
    except requests.exceptions.ConnectionError:
        pass
 raise ValueError('Error, url did not respond after 10 attempts: {{0}}'.format(url))
-'''.format(http_server_root.replace('\\', '\\\\'), http_port))
+'''.format(http_server_root, http_port))
        os.chmod(auth_script_path, 0o755)

        cleanup_script_path = os.path.join(tempdir, 'cleanup.py')
@@ -200,7 +205,7 @@ import os
 import shutil
 well_known = os.path.join('{0}', '.well-known')
 shutil.rmtree(well_known)
-'''.format(http_server_root.replace('\\', '\\\\')))
+'''.format(http_server_root))
        os.chmod(cleanup_script_path, 0o755)

        yield ('{0} {1}'.format(sys.executable, auth_script_path),
@@ -283,32 +288,4 @@ def load_sample_data_path(workspace):
    original = pkg_resources.resource_filename('certbot_integration_tests', 'assets/sample-config')
    copied = os.path.join(workspace, 'sample-config')
    shutil.copytree(original, copied, symlinks=True)
-
-    if os.name == 'nt':
-        # Fix the symlinks on Windows since GIT is not creating them upon checkout
-        for lineage in ['a.encryption-example.com', 'b.encryption-example.com']:
-            current_live = os.path.join(copied, 'live', lineage)
-            for name in os.listdir(current_live):
-                if name != 'README':
-                    current_file = os.path.join(current_live, name)
-                    with open(current_file) as file_h:
-                        src = file_h.read()
-                    os.unlink(current_file)
-                    os.symlink(os.path.join(current_live, src), current_file)
-
    return copied
-
-
-def echo(keyword, path=None):
-    """
-    Generate a platform independent executable command
-    that echoes the given keyword into the given file.
-    :param keyword: the keyword to echo (must be a single keyword)
-    :param path: path to the file were keyword is echoed
-    :return: the executable command
-    """
-    if not re.match(r'^\w+$', keyword):
-        raise ValueError('Error, keyword `{0}` is not a single keyword.'
-                         .format(keyword))
-    return '{0} -c "from __future__ import print_function; print(\'{1}\')"{2}'.format(
-        os.path.basename(sys.executable), keyword, ' >> "{0}"'.format(path) if path else '')
--- a/certbot-ci/certbot_integration_tests/utils/pebble_artifacts.py
+++ b/certbot-ci/certbot_integration_tests/utils/pebble_artifacts.py
@@ -1,18 +1,19 @@
 import json
+import platform
 import os
 import stat

 import pkg_resources
 import requests

-from certbot_integration_tests.utils.constants import MOCK_OCSP_SERVER_PORT
-
-PEBBLE_VERSION = 'v2.2.1'
+PEBBLE_VERSION = 'v2.1.0'
 ASSETS_PATH = pkg_resources.resource_filename('certbot_integration_tests', 'assets')


 def fetch(workspace):
-    suffix = 'linux-amd64' if os.name != 'nt' else 'windows-amd64.exe'
+    suffix = '{0}-{1}{2}'.format(platform.system().lower(),
+                                 platform.machine().lower().replace('x86_64', 'amd64'),
+                                 '.exe' if platform.system() == 'Windows' else '')

    pebble_path = _fetch_asset('pebble', suffix)
    challtestsrv_path = _fetch_asset('pebble-challtestsrv', suffix)
@@ -41,12 +42,10 @@ def _build_pebble_config(workspace):
        file_h.write(json.dumps({
            'pebble': {
                'listenAddress': '0.0.0.0:14000',
-                'managementListenAddress': '0.0.0.0:15000',
                'certificate': os.path.join(ASSETS_PATH, 'cert.pem'),
                'privateKey': os.path.join(ASSETS_PATH, 'key.pem'),
                'httpPort': 5002,
                'tlsPort': 5001,
-                'ocspResponderURL': 'http://127.0.0.1:{0}'.format(MOCK_OCSP_SERVER_PORT),
            },
        }))

--- a/certbot-ci/certbot_integration_tests/utils/pebble_ocsp_server.py
+++ b/certbot-ci/certbot_integration_tests/utils/pebble_ocsp_server.py
@@ -1,71 +0,0 @@
-#!/usr/bin/env python
-"""
-This runnable module interfaces itself with the Pebble management interface in order
-to serve a mock OCSP responder during integration tests against Pebble.
-"""
-import datetime
-import re
-
-import requests
-from dateutil import parser
-
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import serialization, hashes
-from cryptography import x509
-from cryptography.x509 import ocsp
-from six.moves import BaseHTTPServer
-
-from certbot_integration_tests.utils.misc import GracefulTCPServer
-from certbot_integration_tests.utils.constants import MOCK_OCSP_SERVER_PORT, PEBBLE_MANAGEMENT_URL
-
-
-class _ProxyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
-    def do_POST(self):
-        request = requests.get(PEBBLE_MANAGEMENT_URL + '/intermediate-keys/0', verify=False)
-        issuer_key = serialization.load_pem_private_key(request.content, None, default_backend())
-
-        request = requests.get(PEBBLE_MANAGEMENT_URL + '/intermediates/0', verify=False)
-        issuer_cert = x509.load_pem_x509_certificate(request.content, default_backend())
-
-        try:
-            content_len = int(self.headers.getheader('content-length', 0))
-        except AttributeError:
-            content_len = int(self.headers.get('Content-Length'))
-
-        ocsp_request = ocsp.load_der_ocsp_request(self.rfile.read(content_len))
-        response = requests.get('{0}/cert-status-by-serial/{1}'.format(
-            PEBBLE_MANAGEMENT_URL, str(hex(ocsp_request.serial_number)).replace('0x', '')), verify=False)
-
-        if not response.ok:
-            ocsp_response = ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.UNAUTHORIZED)
-        else:
-            data = response.json()
-
-            now = datetime.datetime.utcnow()
-            cert = x509.load_pem_x509_certificate(data['Certificate'].encode(), default_backend())
-            if data['Status'] != 'Revoked':
-                ocsp_status, revocation_time, revocation_reason = ocsp.OCSPCertStatus.GOOD, None, None
-            else:
-                ocsp_status, revocation_reason = ocsp.OCSPCertStatus.REVOKED, x509.ReasonFlags.unspecified
-                revoked_at = re.sub(r'( \+\d{4}).*$', r'\1', data['RevokedAt'])  # "... +0000 UTC" => "+0000"
-                revocation_time = parser.parse(revoked_at)
-
-            ocsp_response = ocsp.OCSPResponseBuilder().add_response(
-                cert=cert, issuer=issuer_cert, algorithm=hashes.SHA1(),
-                cert_status=ocsp_status,
-                this_update=now, next_update=now + datetime.timedelta(hours=1),
-                revocation_time=revocation_time, revocation_reason=revocation_reason
-            ).responder_id(
-                ocsp.OCSPResponderEncoding.NAME, issuer_cert
-            ).sign(issuer_key, hashes.SHA256())
-
-        self.send_response(200)
-        self.end_headers()
-        self.wfile.write(ocsp_response.public_bytes(serialization.Encoding.DER))
-
-
-if __name__ == '__main__':
-    try:
-        GracefulTCPServer(('', MOCK_OCSP_SERVER_PORT), _ProxyHandler).serve_forever()
-    except KeyboardInterrupt:
-        pass
--- a/certbot-ci/setup.py
+++ b/certbot-ci/setup.py
@@ -1,7 +1,5 @@
-import sys
-
-from distutils.version import StrictVersion
-from setuptools import setup, find_packages, __version__ as setuptools_version
+from setuptools import setup
+from setuptools import find_packages


 version = '0.32.0.dev0'
@@ -13,23 +11,11 @@ install_requires = [
    'pytest',
    'pytest-cov',
    'pytest-xdist',
-    'python-dateutil',
    'pyyaml',
    'requests',
    'six',
 ]

-# Add pywin32 on Windows platforms to handle low-level system calls.
-# This dependency needs to be added using environment markers to avoid its installation on Linux.
-# However environment markers are supported only with setuptools >= 36.2.
-# So this dependency is not added for old Linux distributions with old setuptools,
-# in order to allow these systems to build certbot from sources.
-if StrictVersion(setuptools_version) >= StrictVersion('36.2'):
-    install_requires.append("pywin32>=224 ; sys_platform == 'win32'")
-elif 'bdist_wheel' in sys.argv[1:]:
-    raise RuntimeError('Error, you are trying to build certbot wheels using an old version '
-                       'of setuptools. Version 36.2+ of setuptools is required.')
-
 setup(
    name='certbot-ci',
    version=version,
--- a/certbot-compatibility-test/setup.py
+++ b/certbot-compatibility-test/setup.py
@@ -4,7 +4,7 @@ from setuptools import setup
 from setuptools import find_packages


-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 install_requires = [
    'certbot',
--- a/certbot-dns-cloudflare/setup.py
+++ b/certbot-dns-cloudflare/setup.py
@@ -2,7 +2,7 @@ from setuptools import setup
 from setuptools import find_packages


-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
--- a/certbot-dns-cloudxns/setup.py
+++ b/certbot-dns-cloudxns/setup.py
@@ -2,7 +2,7 @@ from setuptools import setup
 from setuptools import find_packages


-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
--- a/certbot-dns-digitalocean/setup.py
+++ b/certbot-dns-digitalocean/setup.py
@@ -2,7 +2,7 @@ from setuptools import setup
 from setuptools import find_packages


-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
--- a/certbot-dns-dnsimple/setup.py
+++ b/certbot-dns-dnsimple/setup.py
@@ -3,7 +3,7 @@ from setuptools import setup
 from setuptools import find_packages


-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
--- a/certbot-dns-dnsmadeeasy/setup.py
+++ b/certbot-dns-dnsmadeeasy/setup.py
@@ -2,7 +2,7 @@ from setuptools import setup
 from setuptools import find_packages


-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
--- a/certbot-dns-gehirn/setup.py
+++ b/certbot-dns-gehirn/setup.py
@@ -2,7 +2,7 @@ from setuptools import setup
 from setuptools import find_packages


-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
--- a/certbot-dns-google/setup.py
+++ b/certbot-dns-google/setup.py
@@ -2,7 +2,7 @@ from setuptools import setup
 from setuptools import find_packages


-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
--- a/certbot-dns-linode/setup.py
+++ b/certbot-dns-linode/setup.py
@@ -1,7 +1,7 @@
 from setuptools import setup
 from setuptools import find_packages

-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
--- a/certbot-dns-luadns/setup.py
+++ b/certbot-dns-luadns/setup.py
@@ -2,7 +2,7 @@ from setuptools import setup
 from setuptools import find_packages


-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
--- a/certbot-dns-nsone/setup.py
+++ b/certbot-dns-nsone/setup.py
@@ -2,7 +2,7 @@ from setuptools import setup
 from setuptools import find_packages


-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
--- a/certbot-dns-ovh/setup.py
+++ b/certbot-dns-ovh/setup.py
@@ -2,7 +2,7 @@ from setuptools import setup
 from setuptools import find_packages


-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
--- a/certbot-dns-rfc2136/setup.py
+++ b/certbot-dns-rfc2136/setup.py
@@ -2,7 +2,7 @@ from setuptools import setup
 from setuptools import find_packages


-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
--- a/certbot-dns-route53/setup.py
+++ b/certbot-dns-route53/setup.py
@@ -1,7 +1,7 @@
 from setuptools import setup
 from setuptools import find_packages

-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
--- a/certbot-dns-sakuracloud/setup.py
+++ b/certbot-dns-sakuracloud/setup.py
@@ -2,7 +2,7 @@ from setuptools import setup
 from setuptools import find_packages


-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
--- a/certbot-nginx/MANIFEST.in
+++ b/certbot-nginx/MANIFEST.in
@@ -2,4 +2,5 @@ include LICENSE.txt
 include README.rst
 recursive-include docs *
 recursive-include certbot_nginx/tests/testdata *
-recursive-include certbot_nginx/tls_configs *.conf
+include certbot_nginx/options-ssl-nginx.conf
+include certbot_nginx/options-ssl-nginx-old.conf
--- a/certbot-nginx/certbot_nginx/configurator.py
+++ b/certbot-nginx/certbot_nginx/configurator.py
@@ -127,10 +127,7 @@ class NginxConfigurator(common.Installer):
        config_filename = "options-ssl-nginx.conf"
        if self.version < (1, 5, 9):
            config_filename = "options-ssl-nginx-old.conf"
-        elif self.version < (1, 13, 0):
-            config_filename = "options-ssl-nginx-tls12-only.conf"
-        return pkg_resources.resource_filename(
-            "certbot_nginx", os.path.join("tls_configs", config_filename))
+        return pkg_resources.resource_filename("certbot_nginx", config_filename)

    @property
    def mod_ssl_conf(self):
--- a/certbot-nginx/certbot_nginx/constants.py
+++ b/certbot-nginx/certbot_nginx/constants.py
@@ -23,17 +23,10 @@ UPDATED_MOD_SSL_CONF_DIGEST = ".updated-options-ssl-nginx-conf-digest.txt"
 """Name of the hash of the updated or informed mod_ssl_conf as saved in `IConfig.config_dir`."""

 SSL_OPTIONS_HASHES_NEW = [
-    '108c4555058a087496a3893aea5d9e1cee0f20a3085d44a52dc1a66522299ac3',
-]
-"""SHA256 hashes of the contents of versions of MOD_SSL_CONF_SRC for nginx >= 1.13.0"""
-
-SSL_OPTIONS_HASHES_MEDIUM = [
    '63e2bddebb174a05c9d8a7cf2adf72f7af04349ba59a1a925fe447f73b2f1abf',
    '2901debc7ecbc10917edd9084c05464c9c5930b463677571eaf8c94bffd11ae2',
-    '30baca73ed9a5b0e9a69ea40e30482241d8b1a7343aa79b49dc5d7db0bf53b6c',
 ]
-"""SHA256 hashes of the contents of versions of MOD_SSL_CONF_SRC for nginx >= 1.5.9
-   and nginx < 1.13.0"""
+"""SHA256 hashes of the contents of versions of MOD_SSL_CONF_SRC for nginx >= 1.5.9"""

 ALL_SSL_OPTIONS_HASHES = [
    '0f81093a1465e3d4eaa8b0c14e77b2a2e93568b0fc1351c2b87893a95f0de87c',
@@ -43,8 +36,7 @@ ALL_SSL_OPTIONS_HASHES = [
    '394732f2bbe3e5e637c3fb5c6e980a1f1b90b01e2e8d6b7cff41dde16e2a756d',
    '4b16fec2bcbcd8a2f3296d886f17f9953ffdcc0af54582452ca1e52f5f776f16',
    'c052ffff0ad683f43bffe105f7c606b339536163490930e2632a335c8d191cc4',
-    '02329eb19930af73c54b3632b3165d84571383b8c8c73361df940cb3894dd426',
-] + SSL_OPTIONS_HASHES_MEDIUM + SSL_OPTIONS_HASHES_NEW
+] + SSL_OPTIONS_HASHES_NEW
 """SHA256 hashes of the contents of all versions of MOD_SSL_CONF_SRC"""

 def os_constant(key):
--- a/certbot-nginx/certbot_nginx/options-ssl-nginx-old.conf
+++ b/certbot-nginx/certbot_nginx/options-ssl-nginx-old.conf
@@ -0,0 +1,13 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
--- a/certbot-nginx/certbot_nginx/options-ssl-nginx.conf
+++ b/certbot-nginx/certbot_nginx/options-ssl-nginx.conf
@@ -0,0 +1,14 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
--- a/certbot-nginx/certbot_nginx/tests/configurator_test.py
+++ b/certbot-nginx/certbot_nginx/tests/configurator_test.py
@@ -963,40 +963,13 @@ class InstallSslOptionsConfTest(util.NginxTest):
            "Constants.ALL_SSL_OPTIONS_HASHES must be appended"
            " with the sha256 hash of self.config.mod_ssl_conf when it is updated.")

-    def test_ssl_config_files_hash_in_all_hashes(self):
-        """
-        It is really critical that all TLS Nginx config files have their SHA256 hash registered in
-        constants.ALL_SSL_OPTIONS_HASHES. Otherwise Certbot will mistakenly assume that the config
-        file has been manually edited by the user, and will refuse to update it.
-        This test ensures that all necessary hashes are present.
-        """
-        from certbot_nginx.constants import ALL_SSL_OPTIONS_HASHES
-        import pkg_resources
-        all_files = [
-            pkg_resources.resource_filename("certbot_nginx", os.path.join("tls_configs", x))
-            for x in ("options-ssl-nginx.conf",
-                      "options-ssl-nginx-old.conf",
-                      "options-ssl-nginx-tls12-only.conf")
-        ]
-        self.assertTrue(all_files)
-        for one_file in all_files:
-            file_hash = crypto_util.sha256sum(one_file)
-            self.assertTrue(file_hash in ALL_SSL_OPTIONS_HASHES,
-                            "Constants.ALL_SSL_OPTIONS_HASHES must be appended with the sha256 "
-                            "hash of {0} when it is updated.".format(one_file))
-
-    def test_nginx_version_uses_correct_config(self):
+    def test_old_nginx_version_uses_old_config(self):
        self.config.version = (1, 5, 8)
        self.assertEqual(os.path.basename(self.config.mod_ssl_conf_src),
                         "options-ssl-nginx-old.conf")
        self._call()
        self._assert_current_file()
        self.config.version = (1, 5, 9)
-        self.assertEqual(os.path.basename(self.config.mod_ssl_conf_src),
-                         "options-ssl-nginx-tls12-only.conf")
-        self._call()
-        self._assert_current_file()
-        self.config.version = (1, 13, 0)
        self.assertEqual(os.path.basename(self.config.mod_ssl_conf_src),
                         "options-ssl-nginx.conf")

--- a/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx-old.conf
+++ b/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx-old.conf
@@ -1,13 +0,0 @@
-# This file contains important security parameters. If you modify this file
-# manually, Certbot will be unable to automatically provide future security
-# updates. Instead, Certbot will print and log an error message with a path to
-# the up-to-date file that you will need to refer to when manually updating
-# this file.
-
-ssl_session_cache shared:le_nginx_SSL:10m;
-ssl_session_timeout 1440m;
-
-ssl_protocols TLSv1.2;
-ssl_prefer_server_ciphers off;
-
-ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
--- a/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx-tls12-only.conf
+++ b/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx-tls12-only.conf
@@ -1,14 +0,0 @@
-# This file contains important security parameters. If you modify this file
-# manually, Certbot will be unable to automatically provide future security
-# updates. Instead, Certbot will print and log an error message with a path to
-# the up-to-date file that you will need to refer to when manually updating
-# this file.
-
-ssl_session_cache shared:le_nginx_SSL:10m;
-ssl_session_timeout 1440m;
-ssl_session_tickets off;
-
-ssl_protocols TLSv1.2;
-ssl_prefer_server_ciphers off;
-
-ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
--- a/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx.conf
+++ b/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx.conf
@@ -1,14 +0,0 @@
-# This file contains important security parameters. If you modify this file
-# manually, Certbot will be unable to automatically provide future security
-# updates. Instead, Certbot will print and log an error message with a path to
-# the up-to-date file that you will need to refer to when manually updating
-# this file.
-
-ssl_session_cache shared:le_nginx_SSL:10m;
-ssl_session_timeout 1440m;
-ssl_session_tickets off;
-
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_prefer_server_ciphers off;
-
-ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
--- a/certbot-nginx/setup.py
+++ b/certbot-nginx/setup.py
@@ -4,7 +4,7 @@ from setuptools.command.test import test as TestCommand
 import sys


-version = '0.38.0.dev0'
+version = '0.37.0.dev0'

 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
--- a/certbot/init.py
+++ b/certbot/init.py
@@ -1,4 +1,4 @@
 """Certbot client."""

 # version number like 1.2.3a0, must have at least 2 parts, like 1.2
-__version__ = '0.38.0.dev0'
+__version__ = '0.37.0.dev0'
--- a/certbot/client.py
+++ b/certbot/client.py
@@ -624,7 +624,7 @@ class Client(object):
            reporter.add_message(
                "An error occurred and we failed to restore your config and "
                "restart your server. Please post to "
-                "https://community.letsencrypt.org/c/help "
+                "https://community.letsencrypt.org/c/server-config "
                "with details about your configuration and this error you received.",
                reporter.HIGH_PRIORITY)
            raise
--- a/docs/cli-help.txt
+++ b/docs/cli-help.txt
@@ -113,7 +113,7 @@ optional arguments:
                        case, and to know when to deprecate support for past
                        Python versions and flags. If you wish to hide this
                        information from the Let's Encrypt server, set this to
-                        "". (default: CertbotACMEClient/0.37.1
+                        "". (default: CertbotACMEClient/0.36.0
                        (certbot(-auto); OS_NAME OS_VERSION) Authenticator/XXX
                        Installer/YYY (SUBCOMMAND; flags: FLAGS)
                        Py/major.minor.patchlevel). The flags encoded in the
--- a/docs/contributing.rst
+++ b/docs/contributing.rst
@@ -114,9 +114,9 @@ Once you are done with your code changes, and the tests in ``foo_test.py`` pass,
 run all of the unittests for Certbot with ``tox -e py27`` (this uses Python
 2.7).

-Once all the unittests pass, check for sufficient test coverage using ``tox -e
-py27-cover``, and then check for code style with ``tox -e lint`` (all files) or
-``pylint --rcfile=.pylintrc path/to/file.py`` (single file at a time).
+Once all the unittests pass, check for sufficient test coverage using
+``tox -e cover``, and then check for code style with ``tox -e lint`` (all files)
+or ``pylint --rcfile=.pylintrc path/to/file.py`` (single file at a time).

 Once all of the above is successful, you may run the full test suite using
 ``tox --skip-missing-interpreters``. We recommend running the commands above
--- a/55
+++ b/55
@@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then
 fi
 VENV_BIN="$VENV_PATH/bin"
 BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt"
-LE_AUTO_VERSION="0.37.1"
+LE_AUTO_VERSION="0.36.0"
 BASENAME=$(basename $0)
 USAGE="Usage: $BASENAME [OPTIONS]
 A self-updating wrapper script for the Certbot ACME client. When run, updates
@@ -755,31 +755,13 @@ elif [ -f /etc/redhat-release ]; then
  prev_le_python="$LE_PYTHON"
  unset LE_PYTHON
  DeterminePythonVersion "NOCRASH"
-
-  RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
-
-  # Set RPM_DIST_VERSION to VERSION_ID from /etc/os-release after splitting on
-  # '.' characters (e.g. "8.0" becomes "8"). If the command exits with an
-  # error, RPM_DIST_VERSION is set to "unknown".
-  RPM_DIST_VERSION=$( (. /etc/os-release 2> /dev/null && echo "$VERSION_ID") | cut -d '.' -f1 || echo "unknown")
-
-  # If RPM_DIST_VERSION is an empty string or it contains any nonnumeric
-  # characters, the value is unexpected so we set RPM_DIST_VERSION to 0.
-  if [ -z "$RPM_DIST_VERSION" ] || [ -n "$(echo "$RPM_DIST_VERSION" | tr -d '[0-9]')" ]; then
-     RPM_DIST_VERSION=0
-  fi
-
  # Starting to Fedora 29, python2 is on a deprecation path. Let's move to python3 then.
-  # RHEL 8 also uses python3 by default.
-  if [ "$RPM_DIST_NAME" = "fedora" -a "$RPM_DIST_VERSION" -ge 29 -o "$PYVER" -eq 26 ]; then
-    RPM_USE_PYTHON_3=1
-  elif [ "$RPM_DIST_NAME" = "rhel" -a "$RPM_DIST_VERSION" -ge 8 ]; then
-    RPM_USE_PYTHON_3=1
-  else
-    RPM_USE_PYTHON_3=0
+  RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
+  RPM_DIST_VERSION=0
+  if [ "$RPM_DIST_NAME" = "fedora" ]; then
+    RPM_DIST_VERSION=`(. /etc/os-release 2> /dev/null && echo $VERSION_ID) || echo "0"`
  fi
-
-  if [ "$RPM_USE_PYTHON_3" = 1 ]; then
+  if [ "$RPM_DIST_NAME" = "fedora" -a "$RPM_DIST_VERSION" -ge 29 -o "$PYVER" -eq 26 ]; then
    Bootstrap() {
      BootstrapMessage "RedHat-based OSes that will use Python3"
      BootstrapRpmPython3
@@ -793,7 +775,6 @@ elif [ -f /etc/redhat-release ]; then
    }
    BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION"
  fi
-
  LE_PYTHON="$prev_le_python"
 elif [ -f /etc/os-release ] && `grep -q openSUSE /etc/os-release` ; then
  Bootstrap() {
@@ -1333,18 +1314,18 @@ letsencrypt==0.7.0 \
    --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \
    --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9

-certbot==0.37.1 \
-    --hash=sha256:84dbdad204327b8d8ef9ab5b040f2be1e427a9f7e087affcc9a6051ea1b03fe7 \
-    --hash=sha256:aace73e63b0c11cdb4b0bd33e1780c1fbe0ce5669dc72e80c3aa9500145daf16
-acme==0.37.1 \
-    --hash=sha256:83a4f6f3c5eb6a85233d5ba87714b426f2d096df58d711f8a2fc4071eb3fd3fc \
-    --hash=sha256:c069a761990751f7c4bf51d2e87ae10319bf460de6629d2908c9fa6f69e97111
-certbot-apache==0.37.1 \
-    --hash=sha256:3ea832408877b12b3a60d17e8b2ee3387364f8c3023ac267161c25b99087cd42 \
-    --hash=sha256:e46c2644451101c0e216aa1f525a577cc903efaf871e0e4da277224a4439040c
-certbot-nginx==0.37.1 \
-    --hash=sha256:1f9af389d26f06634e2eefaace3354e7679dabb4295e1d55d05a4ee7e23a64bd \
-    --hash=sha256:02a7ec15bd388d0f0e94a34c86a8f8d618ec7d5ffde0c206039bb4c46b294ce4
+certbot==0.36.0 \
+    --hash=sha256:486cee6c4861762fe4a94b4f44f7d227034d026d1a8d7ba2911ef4e86a737613 \
+    --hash=sha256:bf6745b823644cdca8461150455aeb67d417f87f80b9ec774c716e9587ef20a2
+acme==0.36.0 \
+    --hash=sha256:5570c8e87383fbc733224fd0f7d164313b67dd9c21deafe9ddc8e769441f0c86 \
+    --hash=sha256:0461ee3c882d865e98e624561843dc135fa1a1412b15603d7ebfbb392de6a668
+certbot-apache==0.36.0 \
+    --hash=sha256:2537f7fb67a38b6d1ed5ee79f6a799090ca609695ac3799bb840b2fb677ac98d \
+    --hash=sha256:458d20a3e9e8a88563d3deb0bbe38752bd2b80100f0e5854e4069390c1b4e5cd
+certbot-nginx==0.36.0 \
+    --hash=sha256:4303b54adf2030671c54bb3964c1f43aec0f677045e0cdb6d4fb931268d08310 \
+    --hash=sha256:4c34e6114dd8204b6667f101579dd9ab2b38fef0dd5a15702585edcb2aefb322

 UNLIKELY_EOF
    # -------------------------------------------------------------------------
--- a/letsencrypt-auto-source/certbot-auto.asc
+++ b/letsencrypt-auto-source/certbot-auto.asc
@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----

-iQEzBAABCAAdFiEEos+1H6J1pyhiNOeyTRfJlc2XdfIFAl1Mt7UACgkQTRfJlc2X
-dfIALggAhyS29bqwp7L2u31uJalZbZQzK2jb86+YyxYzJ/TNAOVHghZNrF7krXAV
-GCYEV6SXNHlScAtv7eIVbMcbiaSh/+6/1K3HsPBNP/7nR2sTZ/AOSQNPKdgUia5E
-jypTdGYcOiQBCqyP0yDKFXIKxJFOP63tIvidfuT0rBcyusrJ/QPJs6uhKLggOiFv
-9kNgZQsOhE3LpA9Yaqf0lsbKhA154c2Q662JiGCzQ2AST36bdzNEwsUeVoTbJda3
-o3qN5kg+mWZNrc9qgYjDA3gXxepNGxjXmFasJc1k1uVx9gxYhEO+/WC1UKMQJR1O
-Y/7Qrv3sR3KJ/Q/guhEB4jTKOnvXvw==
-=+61j
+iQEzBAABCAAdFiEEos+1H6J1pyhiNOeyTRfJlc2XdfIFAl0njnkACgkQTRfJlc2X
+dfIqjwf/XBEzOEtwi84v97jZjHi9bqeFBzAt+n6YXleKySk8anxFMFmFIvrc2w/U
+eyskpn0mmJDX2LjaXcsJji+l5yAWbm3p8M2J2toaPI2TLznhM6+uEWP62BHJiQYi
+1ORBJYATSfLxA541CwXXW3VTYDu+CLq0w1nr5mHg1Y20ZFBrPIlt04mkh9o70fD4
+qv6MsMXKZxglhH1ORyLMVn5Jze22awmJ944pP8aI54ZEkTl2XT9DsZt3QpZ1muOy
+IRg6sU86ukgWK66zWjTyd1AOddDL2OY3+U7JachFd5eb7dnnaCGeZhCjfVide7a3
+Fk8NrXwlrpKKJYkbqDfRkT4Pba47VQ==
+=gf1k
 -----END PGP SIGNATURE-----
--- a/letsencrypt-auto-source/letsencrypt-auto
+++ b/letsencrypt-auto-source/letsencrypt-auto
@@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then
 fi
 VENV_BIN="$VENV_PATH/bin"
 BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt"
-LE_AUTO_VERSION="0.38.0.dev0"
+LE_AUTO_VERSION="0.37.0.dev0"
 BASENAME=$(basename $0)
 USAGE="Usage: $BASENAME [OPTIONS]
 A self-updating wrapper script for the Certbot ACME client. When run, updates
@@ -755,31 +755,13 @@ elif [ -f /etc/redhat-release ]; then
  prev_le_python="$LE_PYTHON"
  unset LE_PYTHON
  DeterminePythonVersion "NOCRASH"
-
-  RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
-
-  # Set RPM_DIST_VERSION to VERSION_ID from /etc/os-release after splitting on
-  # '.' characters (e.g. "8.0" becomes "8"). If the command exits with an
-  # error, RPM_DIST_VERSION is set to "unknown".
-  RPM_DIST_VERSION=$( (. /etc/os-release 2> /dev/null && echo "$VERSION_ID") | cut -d '.' -f1 || echo "unknown")
-
-  # If RPM_DIST_VERSION is an empty string or it contains any nonnumeric
-  # characters, the value is unexpected so we set RPM_DIST_VERSION to 0.
-  if [ -z "$RPM_DIST_VERSION" ] || [ -n "$(echo "$RPM_DIST_VERSION" | tr -d '[0-9]')" ]; then
-     RPM_DIST_VERSION=0
-  fi
-
  # Starting to Fedora 29, python2 is on a deprecation path. Let's move to python3 then.
-  # RHEL 8 also uses python3 by default.
-  if [ "$RPM_DIST_NAME" = "fedora" -a "$RPM_DIST_VERSION" -ge 29 -o "$PYVER" -eq 26 ]; then
-    RPM_USE_PYTHON_3=1
-  elif [ "$RPM_DIST_NAME" = "rhel" -a "$RPM_DIST_VERSION" -ge 8 ]; then
-    RPM_USE_PYTHON_3=1
-  else
-    RPM_USE_PYTHON_3=0
+  RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
+  RPM_DIST_VERSION=0
+  if [ "$RPM_DIST_NAME" = "fedora" ]; then
+    RPM_DIST_VERSION=`(. /etc/os-release 2> /dev/null && echo $VERSION_ID) || echo "0"`
  fi
-
-  if [ "$RPM_USE_PYTHON_3" = 1 ]; then
+  if [ "$RPM_DIST_NAME" = "fedora" -a "$RPM_DIST_VERSION" -ge 29 -o "$PYVER" -eq 26 ]; then
    Bootstrap() {
      BootstrapMessage "RedHat-based OSes that will use Python3"
      BootstrapRpmPython3
@@ -793,7 +775,6 @@ elif [ -f /etc/redhat-release ]; then
    }
    BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION"
  fi
-
  LE_PYTHON="$prev_le_python"
 elif [ -f /etc/os-release ] && `grep -q openSUSE /etc/os-release` ; then
  Bootstrap() {
@@ -1333,18 +1314,18 @@ letsencrypt==0.7.0 \
    --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \
    --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9

-certbot==0.37.1 \
-    --hash=sha256:84dbdad204327b8d8ef9ab5b040f2be1e427a9f7e087affcc9a6051ea1b03fe7 \
-    --hash=sha256:aace73e63b0c11cdb4b0bd33e1780c1fbe0ce5669dc72e80c3aa9500145daf16
-acme==0.37.1 \
-    --hash=sha256:83a4f6f3c5eb6a85233d5ba87714b426f2d096df58d711f8a2fc4071eb3fd3fc \
-    --hash=sha256:c069a761990751f7c4bf51d2e87ae10319bf460de6629d2908c9fa6f69e97111
-certbot-apache==0.37.1 \
-    --hash=sha256:3ea832408877b12b3a60d17e8b2ee3387364f8c3023ac267161c25b99087cd42 \
-    --hash=sha256:e46c2644451101c0e216aa1f525a577cc903efaf871e0e4da277224a4439040c
-certbot-nginx==0.37.1 \
-    --hash=sha256:1f9af389d26f06634e2eefaace3354e7679dabb4295e1d55d05a4ee7e23a64bd \
-    --hash=sha256:02a7ec15bd388d0f0e94a34c86a8f8d618ec7d5ffde0c206039bb4c46b294ce4
+certbot==0.36.0 \
+    --hash=sha256:486cee6c4861762fe4a94b4f44f7d227034d026d1a8d7ba2911ef4e86a737613 \
+    --hash=sha256:bf6745b823644cdca8461150455aeb67d417f87f80b9ec774c716e9587ef20a2
+acme==0.36.0 \
+    --hash=sha256:5570c8e87383fbc733224fd0f7d164313b67dd9c21deafe9ddc8e769441f0c86 \
+    --hash=sha256:0461ee3c882d865e98e624561843dc135fa1a1412b15603d7ebfbb392de6a668
+certbot-apache==0.36.0 \
+    --hash=sha256:2537f7fb67a38b6d1ed5ee79f6a799090ca609695ac3799bb840b2fb677ac98d \
+    --hash=sha256:458d20a3e9e8a88563d3deb0bbe38752bd2b80100f0e5854e4069390c1b4e5cd
+certbot-nginx==0.36.0 \
+    --hash=sha256:4303b54adf2030671c54bb3964c1f43aec0f677045e0cdb6d4fb931268d08310 \
+    --hash=sha256:4c34e6114dd8204b6667f101579dd9ab2b38fef0dd5a15702585edcb2aefb322

 UNLIKELY_EOF
    # -------------------------------------------------------------------------
--- a/letsencrypt-auto-source/letsencrypt-auto.sig
+++ b/letsencrypt-auto-source/letsencrypt-auto.sig
--- a/letsencrypt-auto-source/letsencrypt-auto.template
+++ b/letsencrypt-auto-source/letsencrypt-auto.template
@@ -330,31 +330,13 @@ elif [ -f /etc/redhat-release ]; then
  prev_le_python="$LE_PYTHON"
  unset LE_PYTHON
  DeterminePythonVersion "NOCRASH"
-
-  RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
-
-  # Set RPM_DIST_VERSION to VERSION_ID from /etc/os-release after splitting on
-  # '.' characters (e.g. "8.0" becomes "8"). If the command exits with an
-  # error, RPM_DIST_VERSION is set to "unknown".
-  RPM_DIST_VERSION=$( (. /etc/os-release 2> /dev/null && echo "$VERSION_ID") | cut -d '.' -f1 || echo "unknown")
-
-  # If RPM_DIST_VERSION is an empty string or it contains any nonnumeric
-  # characters, the value is unexpected so we set RPM_DIST_VERSION to 0.
-  if [ -z "$RPM_DIST_VERSION" ] || [ -n "$(echo "$RPM_DIST_VERSION" | tr -d '[0-9]')" ]; then
-     RPM_DIST_VERSION=0
-  fi
-
  # Starting to Fedora 29, python2 is on a deprecation path. Let's move to python3 then.
-  # RHEL 8 also uses python3 by default.
-  if [ "$RPM_DIST_NAME" = "fedora" -a "$RPM_DIST_VERSION" -ge 29 -o "$PYVER" -eq 26 ]; then
-    RPM_USE_PYTHON_3=1
-  elif [ "$RPM_DIST_NAME" = "rhel" -a "$RPM_DIST_VERSION" -ge 8 ]; then
-    RPM_USE_PYTHON_3=1
-  else
-    RPM_USE_PYTHON_3=0
+  RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
+  RPM_DIST_VERSION=0
+  if [ "$RPM_DIST_NAME" = "fedora" ]; then
+    RPM_DIST_VERSION=`(. /etc/os-release 2> /dev/null && echo $VERSION_ID) || echo "0"`
  fi
-
-  if [ "$RPM_USE_PYTHON_3" = 1 ]; then
+  if [ "$RPM_DIST_NAME" = "fedora" -a "$RPM_DIST_VERSION" -ge 29 -o "$PYVER" -eq 26 ]; then
    Bootstrap() {
      BootstrapMessage "RedHat-based OSes that will use Python3"
      BootstrapRpmPython3
@@ -368,7 +350,6 @@ elif [ -f /etc/redhat-release ]; then
    }
    BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION"
  fi
-
  LE_PYTHON="$prev_le_python"
 elif [ -f /etc/os-release ] && `grep -q openSUSE /etc/os-release` ; then
  Bootstrap() {
--- a/letsencrypt-auto-source/pieces/certbot-requirements.txt
+++ b/letsencrypt-auto-source/pieces/certbot-requirements.txt
@@ -1,12 +1,12 @@
-certbot==0.37.1 \
-    --hash=sha256:84dbdad204327b8d8ef9ab5b040f2be1e427a9f7e087affcc9a6051ea1b03fe7 \
-    --hash=sha256:aace73e63b0c11cdb4b0bd33e1780c1fbe0ce5669dc72e80c3aa9500145daf16
-acme==0.37.1 \
-    --hash=sha256:83a4f6f3c5eb6a85233d5ba87714b426f2d096df58d711f8a2fc4071eb3fd3fc \
-    --hash=sha256:c069a761990751f7c4bf51d2e87ae10319bf460de6629d2908c9fa6f69e97111
-certbot-apache==0.37.1 \
-    --hash=sha256:3ea832408877b12b3a60d17e8b2ee3387364f8c3023ac267161c25b99087cd42 \
-    --hash=sha256:e46c2644451101c0e216aa1f525a577cc903efaf871e0e4da277224a4439040c
-certbot-nginx==0.37.1 \
-    --hash=sha256:1f9af389d26f06634e2eefaace3354e7679dabb4295e1d55d05a4ee7e23a64bd \
-    --hash=sha256:02a7ec15bd388d0f0e94a34c86a8f8d618ec7d5ffde0c206039bb4c46b294ce4
+certbot==0.36.0 \
+    --hash=sha256:486cee6c4861762fe4a94b4f44f7d227034d026d1a8d7ba2911ef4e86a737613 \
+    --hash=sha256:bf6745b823644cdca8461150455aeb67d417f87f80b9ec774c716e9587ef20a2
+acme==0.36.0 \
+    --hash=sha256:5570c8e87383fbc733224fd0f7d164313b67dd9c21deafe9ddc8e769441f0c86 \
+    --hash=sha256:0461ee3c882d865e98e624561843dc135fa1a1412b15603d7ebfbb392de6a668
+certbot-apache==0.36.0 \
+    --hash=sha256:2537f7fb67a38b6d1ed5ee79f6a799090ca609695ac3799bb840b2fb677ac98d \
+    --hash=sha256:458d20a3e9e8a88563d3deb0bbe38752bd2b80100f0e5854e4069390c1b4e5cd
+certbot-nginx==0.36.0 \
+    --hash=sha256:4303b54adf2030671c54bb3964c1f43aec0f677045e0cdb6d4fb931268d08310 \
+    --hash=sha256:4c34e6114dd8204b6667f101579dd9ab2b38fef0dd5a15702585edcb2aefb322
--- a/setup.py
+++ b/setup.py
@@ -59,7 +59,7 @@ install_requires = [
 # So this dependency is not added for old Linux distributions with old setuptools,
 # in order to allow these systems to build certbot from sources.
 if StrictVersion(setuptools_version) >= StrictVersion('36.2'):
-    install_requires.append("pywin32>=224 ; sys_platform == 'win32'")
+    install_requires.append("pywin32 ; sys_platform == 'win32'")
 elif 'bdist_wheel' in sys.argv[1:]:
    raise RuntimeError('Error, you are trying to build certbot wheels using an old version '
                       'of setuptools. Version 36.2+ of setuptools is required.')
--- a/tests/letstest/scripts/test_leauto_upgrades.sh
+++ b/tests/letstest/scripts/test_leauto_upgrades.sh
@@ -26,17 +26,6 @@ else
    # 0.33.x is the oldest version of letsencrypt-auto that works on Fedora 29+.
    INITIAL_VERSION="0.33.1"
 fi
-
-# If we're on RHEL 8, the initial version of certbot-auto will fail until we do
-# a release including https://github.com/certbot/certbot/pull/7240 and update
-# INITIAL_VERSION above to use a version containing this fix. This works around
-# the problem for now so we can successfully run tests on RHEL 8.
-RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
-RPM_DIST_VERSION=`(. /etc/os-release 2> /dev/null && echo $VERSION_ID) | cut -d '.' -f1 || echo "0"`
-if [ "$RPM_DIST_NAME" = "rhel" -a "$RPM_DIST_VERSION" -ge 8 ]; then
-    sudo yum install python3-virtualenv -y
-fi
-
 git checkout -f "v$INITIAL_VERSION" letsencrypt-auto
 if ! ./letsencrypt-auto -v --debug --version --no-self-upgrade 2>&1 | tail -n1 | grep "^certbot $INITIAL_VERSION$" ; then
    echo initial installation appeared to fail
--- a/tests/letstest/scripts/test_sdists.sh
+++ b/tests/letstest/scripts/test_sdists.sh
@@ -1,7 +1,7 @@
 #!/bin/sh -xe

 cd letsencrypt
-letsencrypt-auto-source/letsencrypt-auto --install-only -n --debug
+./certbot-auto --install-only -n --debug

 PLUGINS="certbot-apache certbot-nginx"
 PYTHON_MAJOR_VERSION=$(/opt/eff.org/certbot/venv/bin/python --version 2>&1 | cut -d" " -f 2 | cut -d. -f1)
--- a/tests/letstest/targets.yaml
+++ b/tests/letstest/targets.yaml
@@ -45,11 +45,6 @@ targets:
    type: centos
    virt: hvm
    user: ec2-user
-  - ami: ami-0c322300a1dd5dc79
-    name: RHEL8
-    type: centos
-    virt: hvm
-    user: ec2-user
  - ami: ami-00bbc6858140f19ed
    name: fedora30
    type: centos
--- a/tools/dev_constraints.txt
+++ b/tools/dev_constraints.txt
@@ -61,7 +61,6 @@ pytest-sugar==0.9.2
 pytest-rerunfailures==4.2
 python-dateutil==2.6.1
 python-digitalocean==1.11
-pywin32==224
 PyYAML==3.13
 repoze.sphinx.autointerface==0.8
 requests-file==1.4.2
--- a/tox.ini
+++ b/tox.ini
@@ -232,15 +232,6 @@ commands =
    coverage report --include 'certbot-nginx/*' --show-missing --fail-under=74
 passenv = DOCKER_*

-[testenv:integration-certbot]
-commands =
-    {[base]pip_install} acme . certbot-ci
-    pytest certbot-ci/certbot_integration_tests/certbot_tests \
-        --acme-server={env:ACME_SERVER:pebble} \
-        --cov=acme --cov=certbot --cov-report= \
-        --cov-config=certbot-ci/certbot_integration_tests/.coveragerc
-    coverage report --include 'certbot/*' --show-missing --fail-under=62
-
 [testenv:integration-certbot-oldest]
 commands =
    {[base]pip_install} .