Update Dockerfile

2021-01-07 20:29:21 +01:00
47 changed files with 327 additions and 224 deletions
--- a/.azure-pipelines/templates/jobs/extended-tests-jobs.yml
+++ b/.azure-pipelines/templates/jobs/extended-tests-jobs.yml
@@ -22,21 +22,25 @@ jobs:
          TOXENV: py37
          CERTBOT_NO_PIN: 1
        linux-boulder-v1-integration-certbot-oldest:
-          PYTHON_VERSION: 3.6
          TOXENV: integration-certbot-oldest
          ACME_SERVER: boulder-v1
        linux-boulder-v2-integration-certbot-oldest:
-          PYTHON_VERSION: 3.6
          TOXENV: integration-certbot-oldest
          ACME_SERVER: boulder-v2
        linux-boulder-v1-integration-nginx-oldest:
-          PYTHON_VERSION: 3.6
          TOXENV: integration-nginx-oldest
          ACME_SERVER: boulder-v1
        linux-boulder-v2-integration-nginx-oldest:
-          PYTHON_VERSION: 3.6
          TOXENV: integration-nginx-oldest
          ACME_SERVER: boulder-v2
+        linux-boulder-v1-py27-integration:
+          PYTHON_VERSION: 2.7
+          TOXENV: integration
+          ACME_SERVER: boulder-v1
+        linux-boulder-v2-py27-integration:
+          PYTHON_VERSION: 2.7
+          TOXENV: integration
+          ACME_SERVER: boulder-v2
        linux-boulder-v1-py36-integration:
          PYTHON_VERSION: 3.6
          TOXENV: integration
--- a/.azure-pipelines/templates/jobs/standard-tests-jobs.yml
+++ b/.azure-pipelines/templates/jobs/standard-tests-jobs.yml
@@ -4,10 +4,10 @@ jobs:
      PYTHON_VERSION: 3.9
    strategy:
      matrix:
-        macos-py36:
+        macos-py27:
          IMAGE_NAME: macOS-10.15
-          PYTHON_VERSION: 3.6
-          TOXENV: py36
+          PYTHON_VERSION: 2.7
+          TOXENV: py27
        macos-py39:
          IMAGE_NAME: macOS-10.15
          PYTHON_VERSION: 3.9
@@ -26,12 +26,14 @@ jobs:
          TOXENV: integration-certbot
        linux-oldest-tests-1:
          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.6
-          TOXENV: '{acme,apache,apache-v2,certbot}-oldest'
+          TOXENV: py27-{acme,apache,apache-v2,certbot}-oldest
        linux-oldest-tests-2:
          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.6
-          TOXENV: '{dns,nginx}-oldest'
+          TOXENV: py27-{dns,nginx}-oldest
+        linux-py27:
+          IMAGE_NAME: ubuntu-18.04
+          PYTHON_VERSION: 2.7
+          TOXENV: py27
        linux-py36:
          IMAGE_NAME: ubuntu-18.04
          PYTHON_VERSION: 3.6
@@ -61,11 +63,11 @@ jobs:
          TOXENV: modification
        apacheconftest:
          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.6
+          PYTHON_VERSION: 2.7
          TOXENV: apacheconftest-with-pebble
        nginxroundtrip:
          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.6
+          PYTHON_VERSION: 2.7
          TOXENV: nginxroundtrip
    pool:
      vmImage: $(IMAGE_NAME)
--- a/.azure-pipelines/templates/steps/tox-steps.yml
+++ b/.azure-pipelines/templates/steps/tox-steps.yml
@@ -45,7 +45,11 @@ steps:
      export TARGET_BRANCH="`echo "${BUILD_SOURCEBRANCH}" | sed -E 's!refs/(heads|tags)/!!g'`"
      [ -z "${SYSTEM_PULLREQUEST_TARGETBRANCH}" ] || export TARGET_BRANCH="${SYSTEM_PULLREQUEST_TARGETBRANCH}"
      env
-      python -m tox
+      if [[ "${TOXENV}" == *"oldest"* ]]; then
+        tools/run_oldest_tests.sh
+      else
+        python -m tox
+      fi
    env:
      AWS_ACCESS_KEY_ID: $(AWS_ACCESS_KEY_ID)
      AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -1,7 +1,6 @@
 Authors
 =======

-* [Aaron Gable](https://github.com/aarongable)
 * [Aaron Zirbes](https://github.com/aaronzirbes)
 * Aaron Zuehlke
 * Ada Lovelace
@@ -61,7 +60,6 @@ Authors
 * [DanCld](https://github.com/DanCld)
 * [Daniel Albers](https://github.com/AID)
 * [Daniel Aleksandersen](https://github.com/da2x)
-* [Daniel Almasi](https://github.com/almasen)
 * [Daniel Convissor](https://github.com/convissor)
 * [Daniel "Drex" Drexler](https://github.com/aeturnum)
 * [Daniel Huang](https://github.com/dhuang)
--- a/acme/acme/init.py
+++ b/acme/acme/init.py
@@ -6,6 +6,7 @@ This module is an implementation of the `ACME protocol`_.

 """
 import sys
+import warnings

 # This code exists to keep backwards compatibility with people using acme.jose
 # before it became the standalone josepy package.
@@ -19,3 +20,10 @@ for mod in list(sys.modules):
    # preserved (acme.jose.* is josepy.*)
    if mod == 'josepy' or mod.startswith('josepy.'):
        sys.modules['acme.' + mod.replace('josepy', 'jose', 1)] = sys.modules[mod]
+
+if sys.version_info[0] == 2:
+    warnings.warn(
+        "Python 2 support will be dropped in the next release of acme. "
+        "Please upgrade your Python version.",
+        PendingDeprecationWarning,
+    )  # pragma: no cover
--- a/acme/acme/crypto_util.py
+++ b/acme/acme/crypto_util.py
@@ -166,7 +166,7 @@ def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-argu
            " from {0}:{1}".format(
                source_address[0],
                source_address[1]
-            ) if any(source_address) else ""
+            ) if socket_kwargs else ""
        )
        socket_tuple = (host, port)  # type: Tuple[str, int]
        sock = socket.create_connection(socket_tuple, **socket_kwargs)  # type: ignore
--- a/acme/setup.py
+++ b/acme/setup.py
@@ -9,18 +9,21 @@ version = '1.12.0.dev0'

 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
-    'cryptography>=2.1.4',
+    # load_pem_private/public_key (>=0.6)
+    # rsa_recover_prime_factors (>=0.8)
+    'cryptography>=1.2.3',
    # formerly known as acme.jose:
    # 1.1.0+ is required to avoid the warnings described at
    # https://github.com/certbot/josepy/issues/13.
    'josepy>=1.1.0',
-    'PyOpenSSL>=17.3.0',
+    # Connection.set_tlsext_host_name (>=0.13) + matching Xenial requirements (>=0.15.1)
+    'PyOpenSSL>=0.15.1',
    'pyrfc3339',
    'pytz',
    'requests[security]>=2.6.0',  # security extras added in 2.4.1
    'requests-toolbelt>=0.3.0',
-    'setuptools>=39.0.1',
-    'six>=1.11.0',
+    'setuptools',
+    'six>=1.9.0',  # needed for python_2_unicode_compatible
 ]

 setuptools_known_environment_markers = (LooseVersion(setuptools_version) >= LooseVersion('36.2'))
@@ -51,12 +54,14 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Intended Audience :: Developers',
        'License :: OSI Approved :: Apache Software License',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-apache/certbot_apache/_internal/override_suse.py
+++ b/certbot-apache/certbot_apache/_internal/override_suse.py
@@ -14,10 +14,10 @@ class OpenSUSEConfigurator(configurator.ApacheConfigurator):
        vhost_root="/etc/apache2/vhosts.d",
        vhost_files="*.conf",
        logs_root="/var/log/apache2",
-        ctl="apachectl",
-        version_cmd=['apachectl', '-v'],
-        restart_cmd=['apachectl', 'graceful'],
-        conftest_cmd=['apachectl', 'configtest'],
+        ctl="apache2ctl",
+        version_cmd=['apache2ctl', '-v'],
+        restart_cmd=['apache2ctl', 'graceful'],
+        conftest_cmd=['apache2ctl', 'configtest'],
        enmod="a2enmod",
        dismod="a2dismod",
        le_vhost_ext="-le-ssl.conf",
--- a/certbot-apache/setup.py
+++ b/certbot-apache/setup.py
@@ -13,7 +13,7 @@ install_requires = [
    'acme>=0.29.0',
    'certbot>=1.6.0',
    'python-augeas',
-    'setuptools>=39.0.1',
+    'setuptools',
    'zope.component',
    'zope.interface',
 ]
@@ -39,7 +39,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -47,6 +47,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
+++ b/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
@@ -9,7 +9,7 @@ import shutil
 import subprocess
 import time

-from cryptography.hazmat.primitives.asymmetric.ec import SECP256R1, SECP384R1, SECP521R1
+from cryptography.hazmat.primitives.asymmetric.ec import SECP256R1, SECP384R1
 from cryptography.x509 import NameOID

 import pytest
@@ -148,17 +148,6 @@ def test_certonly(context):
    """Test the certonly verb on certbot."""
    context.certbot(['certonly', '--cert-name', 'newname', '-d', context.get_domain('newname')])

-    assert_cert_count_for_lineage(context.config_dir, 'newname', 1)
-
-
-def test_certonly_webroot(context):
-    """Test the certonly verb with webroot plugin"""
-    with misc.create_http_server(context.http_01_port) as webroot:
-        certname = context.get_domain('webroot')
-        context.certbot(['certonly', '-a', 'webroot', '--webroot-path', webroot, '-d', certname])
-
-    assert_cert_count_for_lineage(context.config_dir, certname, 1)
-

 def test_auth_and_install_with_csr(context):
    """Test certificate issuance and install using an existing CSR."""
@@ -487,28 +476,6 @@ def test_default_curve_type(context):
    assert_elliptic_key(key1, SECP256R1)


-@pytest.mark.parametrize('curve,curve_cls,skip_servers', [
-    # Curve name, Curve class, ACME servers to skip
-    ('secp256r1', SECP256R1, []),
-    ('secp384r1', SECP384R1, []),
-    ('secp521r1', SECP521R1, ['boulder-v1', 'boulder-v2'])]
-)
-def test_ecdsa_curves(context, curve, curve_cls, skip_servers):
-    """Test issuance for each supported ECDSA curve"""
-    if context.acme_server in skip_servers:
-        pytest.skip('ACME server {} does not support ECDSA curve {}'
-                    .format(context.acme_server, curve))
-
-    domain = context.get_domain('curve')
-    context.certbot([
-        'certonly',
-        '--key-type', 'ecdsa', '--elliptic-curve', curve,
-        '--force-renewal', '-d', domain,
-    ])
-    key = join(context.config_dir, "live", domain, 'privkey.pem')
-    assert_elliptic_key(key, curve_cls)
-
-
 def test_renew_with_ec_keys(context):
    """Test proper renew with updated private key complexity."""
    certname = context.get_domain('renew')
--- a/certbot-ci/setup.py
+++ b/certbot-ci/setup.py
@@ -40,12 +40,14 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 3 - Alpha',
        'Intended Audience :: Developers',
        'License :: OSI Approved :: Apache Software License',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-compatibility-test/setup.py
+++ b/certbot-compatibility-test/setup.py
@@ -38,12 +38,14 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 3 - Alpha',
        'Intended Audience :: Developers',
        'License :: OSI Approved :: Apache Software License',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-dns-cloudflare/setup.py
+++ b/certbot-dns-cloudflare/setup.py
@@ -12,7 +12,7 @@ version = '1.12.0.dev0'
 # acme/certbot version.
 install_requires = [
    'cloudflare>=1.5.1',
-    'setuptools>=39.0.1',
+    'setuptools',
    'zope.interface',
 ]

@@ -49,7 +49,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -57,6 +57,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-dns-cloudxns/setup.py
+++ b/certbot-dns-cloudxns/setup.py
@@ -12,7 +12,7 @@ version = '1.12.0.dev0'
 # acme/certbot version.
 install_requires = [
    'dns-lexicon>=2.2.1',  # Support for >1 TXT record per name
-    'setuptools>=39.0.1',
+    'setuptools',
    'zope.interface',
 ]

@@ -49,7 +49,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -57,6 +57,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-dns-digitalocean/setup.py
+++ b/certbot-dns-digitalocean/setup.py
@@ -12,8 +12,8 @@ version = '1.12.0.dev0'
 # acme/certbot version.
 install_requires = [
    'python-digitalocean>=1.11',
-    'setuptools>=39.0.1',
-    'six>=1.11.0',
+    'setuptools',
+    'six',
    'zope.interface',
 ]

@@ -50,7 +50,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -58,6 +58,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-dns-dnsimple/setup.py
+++ b/certbot-dns-dnsimple/setup.py
@@ -11,7 +11,7 @@ version = '1.12.0.dev0'
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
-    'setuptools>=39.0.1',
+    'setuptools',
    'zope.interface',
 ]

@@ -60,7 +60,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -68,6 +68,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-dns-dnsmadeeasy/setup.py
+++ b/certbot-dns-dnsmadeeasy/setup.py
@@ -12,7 +12,7 @@ version = '1.12.0.dev0'
 # acme/certbot version.
 install_requires = [
    'dns-lexicon>=2.2.1',  # Support for >1 TXT record per name
-    'setuptools>=39.0.1',
+    'setuptools',
    'zope.interface',
 ]

@@ -49,7 +49,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -57,6 +57,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-dns-gehirn/setup.py
+++ b/certbot-dns-gehirn/setup.py
@@ -11,7 +11,7 @@ version = '1.12.0.dev0'
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
    'dns-lexicon>=2.1.22',
-    'setuptools>=39.0.1',
+    'setuptools',
    'zope.interface',
 ]

@@ -48,7 +48,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -56,6 +56,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-dns-google/setup.py
+++ b/certbot-dns-google/setup.py
@@ -13,7 +13,7 @@ version = '1.12.0.dev0'
 install_requires = [
    'google-api-python-client>=1.5.5',
    'oauth2client>=4.0',
-    'setuptools>=39.0.1',
+    'setuptools',
    'zope.interface',
    # already a dependency of google-api-python-client, but added for consistency
    'httplib2'
@@ -52,7 +52,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -60,6 +60,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-dns-linode/setup.py
+++ b/certbot-dns-linode/setup.py
@@ -11,7 +11,7 @@ version = '1.12.0.dev0'
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
    'dns-lexicon>=2.2.3',
-    'setuptools>=39.0.1',
+    'setuptools',
    'zope.interface',
 ]

@@ -48,7 +48,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -56,6 +56,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-dns-luadns/setup.py
+++ b/certbot-dns-luadns/setup.py
@@ -12,7 +12,7 @@ version = '1.12.0.dev0'
 # acme/certbot version.
 install_requires = [
    'dns-lexicon>=2.2.1',  # Support for >1 TXT record per name
-    'setuptools>=39.0.1',
+    'setuptools',
    'zope.interface',
 ]

@@ -49,7 +49,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -57,6 +57,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-dns-nsone/setup.py
+++ b/certbot-dns-nsone/setup.py
@@ -12,7 +12,7 @@ version = '1.12.0.dev0'
 # acme/certbot version.
 install_requires = [
    'dns-lexicon>=2.2.1',  # Support for >1 TXT record per name
-    'setuptools>=39.0.1',
+    'setuptools',
    'zope.interface',
 ]

@@ -49,7 +49,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -57,6 +57,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-dns-ovh/setup.py
+++ b/certbot-dns-ovh/setup.py
@@ -12,7 +12,7 @@ version = '1.12.0.dev0'
 # acme/certbot version.
 install_requires = [
    'dns-lexicon>=2.7.14',  # Correct proxy use on OVH provider
-    'setuptools>=39.0.1',
+    'setuptools',
    'zope.interface',
 ]

@@ -49,7 +49,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -57,6 +57,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-dns-rfc2136/certbot_dns_rfc2136/_internal/dns_rfc2136.py
+++ b/certbot-dns-rfc2136/certbot_dns_rfc2136/_internal/dns_rfc2136.py
@@ -1,3 +1,13 @@
+# type: ignore
+# pylint: disable=no-member
+# Many attributes of dnspython are now dynamically defined which causes both
+# mypy and pylint to error about accessing attributes they think do not exist.
+# This is the case even in up-to-date versions of mypy and pylint which as of
+# writing this are 0.790 and 2.6.0 respectively. This problem may be fixed in
+# dnspython 2.1.0. See https://github.com/rthalley/dnspython/issues/598. For
+# now, let's disable these checks. This is done at the very top of the file
+# like this because "type: ignore" must be the first line in the file to be
+# respected by mypy.
 """DNS Authenticator using RFC 2136 Dynamic Updates."""
 import logging

--- a/certbot-dns-rfc2136/setup.py
+++ b/certbot-dns-rfc2136/setup.py
@@ -12,7 +12,7 @@ version = '1.12.0.dev0'
 # acme/certbot version.
 install_requires = [
    'dnspython',
-    'setuptools>=39.0.1',
+    'setuptools',
    'zope.interface',
 ]

@@ -49,7 +49,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -57,6 +57,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-dns-route53/MANIFEST.in
+++ b/certbot-dns-route53/MANIFEST.in
@@ -1,5 +1,4 @@
 include LICENSE.txt
-include README.rst
 recursive-include docs *
 recursive-include tests *
 global-exclude __pycache__
--- a/certbot-dns-route53/README.rst
+++ b/certbot-dns-route53/README.rst
@@ -1 +0,0 @@
-Amazon Web Services Route 53 DNS Authenticator plugin for Certbot
--- a/certbot-dns-route53/setup.py
+++ b/certbot-dns-route53/setup.py
@@ -12,7 +12,7 @@ version = '1.12.0.dev0'
 # acme/certbot version.
 install_requires = [
    'boto3',
-    'setuptools>=39.0.1',
+    'setuptools',
    'zope.interface',
 ]

@@ -49,7 +49,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -57,6 +57,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-dns-sakuracloud/setup.py
+++ b/certbot-dns-sakuracloud/setup.py
@@ -11,7 +11,7 @@ version = '1.12.0.dev0'
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
    'dns-lexicon>=2.1.23',
-    'setuptools>=39.0.1',
+    'setuptools',
    'zope.interface',
 ]

@@ -48,7 +48,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -56,6 +56,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot-nginx/setup.py
+++ b/certbot-nginx/setup.py
@@ -12,9 +12,9 @@ version = '1.12.0.dev0'
 install_requires = [
    'acme>=1.4.0',
    'certbot>=1.6.0',
-    'PyOpenSSL>=17.3.0',
-    'pyparsing>=2.2.0',
-    'setuptools>=39.0.1',
+    'PyOpenSSL',
+    'pyparsing>=1.5.5',  # Python3 support
+    'setuptools',
    'zope.interface',
 ]

@@ -35,7 +35,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -43,6 +43,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@@ -10,16 +10,11 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).

 ### Changed

-* The `--preferred-chain` flag now only checks the Issuer Common Name of the
-  topmost (closest to the root) certificate in the chain, instead of checking
-  every certificate in the chain.
-  See [#8577](https://github.com/certbot/certbot/issues/8577).
+*

 ### Fixed

-* Fixed the apache component on openSUSE Tumbleweed which no longer provides
-  an apache2ctl symlink and uses apachectl instead.
-* Fixed a typo in `certbot/crypto_util.py` causing an error upon attempting `secp521r1` key generation
+*

 More details about these changes can be found on our GitHub repo.

--- a/certbot/certbot/init.py
+++ b/certbot/certbot/init.py
@@ -1,3 +1,13 @@
 """Certbot client."""
+import warnings
+import sys
+
 # version number like 1.2.3a0, must have at least 2 parts, like 1.2
 __version__ = '1.12.0.dev0'
+
+if sys.version_info[0] == 2:
+    warnings.warn(
+        "Python 2 support will be dropped in the next release of Certbot. "
+        "Please upgrade your Python version.",
+        PendingDeprecationWarning,
+    )  # pragma: no cover
--- a/certbot/certbot/_internal/main.py
+++ b/certbot/certbot/_internal/main.py
@@ -5,6 +5,7 @@ from __future__ import print_function
 import functools
 import logging.handlers
 import sys
+import warnings

 import configobj
 import josepy as jose
@@ -1403,6 +1404,13 @@ def main(cli_args=None):
        if config.func != plugins_cmd:  # pylint: disable=comparison-with-callable
            raise

+    if sys.version_info[0] == 2:
+        warnings.warn(
+            "Python 2 support will be dropped in the next release of Certbot. "
+            "Please upgrade your Python version.",
+            PendingDeprecationWarning,
+        )  # pragma: no cover
+
    set_displayer(config)

    # Reporter
--- a/certbot/certbot/_internal/plugins/webroot.py
+++ b/certbot/certbot/_internal/plugins/webroot.py
@@ -157,8 +157,7 @@ to serve all files under specified web root ({0})."""
                "--webroot-path and --domains, or --webroot-map. Run with "
                " --help webroot for examples.")
        for name, path in path_map.items():
-            self.full_roots[name] = os.path.join(path, os.path.normcase(
-                challenges.HTTP01.URI_ROOT_PATH))
+            self.full_roots[name] = os.path.join(path, challenges.HTTP01.URI_ROOT_PATH)
            logger.debug("Creating root challenges validation dir at %s",
                         self.full_roots[name])

--- a/certbot/certbot/crypto_util.py
+++ b/certbot/certbot/crypto_util.py
@@ -205,7 +205,7 @@ def make_key(bits=1024, key_type="rsa", elliptic_curve=None):
    elif key_type == 'ecdsa':
        try:
            name = elliptic_curve.upper()
-            if name in ('SECP256R1', 'SECP384R1', 'SECP521R1'):
+            if name in ('SECP256R1', 'SECP384R1', 'SECP512R1'):
                _key = ec.generate_private_key(
                    curve=getattr(ec, elliptic_curve.upper(), None)(),
                    backend=default_backend()
@@ -573,9 +573,8 @@ def get_serial_from_cert(cert_path):


 def find_chain_with_issuer(fullchains, issuer_cn, warn_on_no_match=False):
-    """Chooses the first certificate chain from fullchains whose topmost
-    intermediate has an Issuer Common Name matching issuer_cn (in other words
-    the first chain which chains to a root whose name matches issuer_cn).
+    """Chooses the first certificate chain from fullchains which contains an
+    Issuer Subject Common Name matching issuer_cn.

    :param fullchains: The list of fullchains in PEM chain format.
    :type fullchains: `list` of `str`
@@ -586,11 +585,14 @@ def find_chain_with_issuer(fullchains, issuer_cn, warn_on_no_match=False):
    :rtype: `str`
    """
    for chain in fullchains:
-        certs = CERT_PEM_REGEX.findall(chain.encode())
-        top_cert = x509.load_pem_x509_certificate(certs[-1], default_backend())
-        top_issuer_cn = top_cert.issuer.get_attributes_for_oid(x509.NameOID.COMMON_NAME)
-        if top_issuer_cn and top_issuer_cn[0].value == issuer_cn:
-            return chain
+        certs = [x509.load_pem_x509_certificate(cert, default_backend()) \
+                 for cert in CERT_PEM_REGEX.findall(chain.encode())]
+        # Iterate the fullchain beginning from the leaf. For each certificate encountered,
+        # match against Issuer Subject CN.
+        for cert in certs:
+            cert_issuer_cn = cert.issuer.get_attributes_for_oid(x509.NameOID.COMMON_NAME)
+            if cert_issuer_cn and cert_issuer_cn[0].value == issuer_cn:
+                return chain

    # Nothing matched, return whatever was first in the list.
    if warn_on_no_match:
--- a/certbot/certbot/interfaces.py
+++ b/certbot/certbot/interfaces.py
@@ -262,9 +262,9 @@ class IConfig(zope.interface.Interface):
        " with \"renew\" verb should be disabled.")

    preferred_chain = zope.interface.Attribute(
-        "If the CA offers multiple certificate chains, prefer the chain whose "
-        "topmost certificate was issued from this Subject Common Name. "
-        "If no match, the default offered chain will be used."
+        "If the CA offers multiple certificate chains, prefer the chain with "
+        "an issuer matching this Subject Common Name. If no match, the default "
+        "offered chain will be used."
    )


--- a/certbot/docs/contributing.rst
+++ b/certbot/docs/contributing.rst
@@ -470,8 +470,11 @@ Mypy type annotations
 =====================

 Certbot uses the `mypy`_ static type checker. Python 3 natively supports official type annotations,
-which can then be tested for consistency using mypy. Mypy does some type checks even without type
-annotations; we can find bugs in Certbot even without a fully annotated codebase.
+which can then be tested for consistency using mypy. Python 2 doesn’t, but type annotations can
+be `added in comments`_. Mypy does some type checks even without type annotations; we can find
+bugs in Certbot even without a fully annotated codebase.
+
+Certbot supports both Python 2 and 3, so we’re using Python 2-style annotations.

 Zulip wrote a `great guide`_ to using mypy. It’s useful, but you don’t have to read the whole thing
 to start contributing to Certbot.
--- a/certbot/docs/install.rst
+++ b/certbot/docs/install.rst
@@ -28,7 +28,7 @@ your system.
 System Requirements
 ===================

-Certbot currently requires Python 3.6+ running on a UNIX-like operating
+Certbot currently requires Python 2.7 or 3.6+ running on a UNIX-like operating
 system. By default, it requires root access in order to write to
 ``/etc/letsencrypt``, ``/var/log/letsencrypt``, ``/var/lib/letsencrypt``; to
 bind to port 80 (if you use the ``standalone`` plugin) and to read and
@@ -197,12 +197,12 @@ Optionally to install the Certbot Apache plugin, you can use:

 .. code-block:: shell

-    sudo dnf install certbot python3-certbot-apache
+    sudo dnf install certbot python2-certbot-apache

 **FreeBSD**

  * Port: ``cd /usr/ports/security/py-certbot && make install clean``
-  * Package: ``pkg install py37-certbot``
+  * Package: ``pkg install py27-certbot``

 **Gentoo**

@@ -223,7 +223,7 @@ They need to be installed separately if you require their functionality.
 **NetBSD**

  * Build from source: ``cd /usr/pkgsrc/security/py-certbot && make install clean``
-  * Install pre-compiled package: ``pkg_add py37-certbot``
+  * Install pre-compiled package: ``pkg_add py27-certbot``

 **OpenBSD**

--- a/certbot/setup.py
+++ b/certbot/setup.py
@@ -40,16 +40,16 @@ install_requires = [
    # saying so here causes a runtime error against our temporary fork of 0.9.3
    # in which we added 2.6 support (see #2243), so we relax the requirement.
    'ConfigArgParse>=0.9.3',
-    'configobj>=5.0.6',
-    'cryptography>=2.1.4',
+    'configobj',
+    'cryptography>=1.2.3',  # load_pem_x509_certificate
    'distro>=1.0.1',
    # 1.1.0+ is required to avoid the warnings described at
    # https://github.com/certbot/josepy/issues/13.
    'josepy>=1.1.0',
-    'parsedatetime>=2.4',
+    'parsedatetime>=1.3',  # Calendar.parseDT
    'pyrfc3339',
    'pytz',
-    'setuptools>=39.0.1',
+    'setuptools',
    'zope.component',
    'zope.interface',
 ]
@@ -116,7 +116,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Console',
@@ -125,6 +125,8 @@ setup(
        'License :: OSI Approved :: Apache Software License',
        'Operating System :: POSIX :: Linux',
        'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/certbot/tests/crypto_util_test.py
+++ b/certbot/tests/crypto_util_test.py
@@ -184,13 +184,11 @@ class MakeKeyTest(unittest.TestCase):
    def test_ec(self):  # pylint: disable=no-self-use
        # ECDSA Key Type Tests
        from certbot.crypto_util import make_key
+        # Do not test larger keys as it takes too long.

-        for (name, bits) in [('secp256r1', 256), ('secp384r1', 384), ('secp521r1', 521)]:
-            pkey = OpenSSL.crypto.load_privatekey(
-                OpenSSL.crypto.FILETYPE_PEM,
-                make_key(elliptic_curve=name, key_type='ecdsa')
-            )
-            self.assertEqual(pkey.bits(), bits)
+        # Try a good key size for ECDSA
+        OpenSSL.crypto.load_privatekey(
+            OpenSSL.crypto.FILETYPE_PEM, make_key(elliptic_curve="secp256r1", key_type='ecdsa'))

    def test_bad_key_sizes(self):
        from certbot.crypto_util import make_key
@@ -473,19 +471,6 @@ class FindChainWithIssuerTest(unittest.TestCase):
        matched = self._call(fullchains, "Pebble Root CA 0cc6f0")
        self.assertEqual(matched, fullchains[1])

-    @mock.patch('certbot.crypto_util.logger.info')
-    def test_intermediate_match(self, mock_info):
-        """Don't pick a chain where only an intermediate matches"""
-        fullchains = self._all_fullchains()
-        # Make the second chain actually only contain "Pebble Root CA 0cc6f0"
-        # as an intermediate, not as the root. This wouldn't be a valid chain
-        # (the CERT_ISSUER cert didn't issue the CERT_ALT_ISSUER cert), but the
-        # function under test here doesn't care about that.
-        fullchains[1] = fullchains[1] + CERT_ISSUER.decode()
-        matched = self._call(fullchains, "Pebble Root CA 0cc6f0")
-        self.assertEqual(matched, fullchains[0])
-        mock_info.assert_not_called()
-
    @mock.patch('certbot.crypto_util.logger.info')
    def test_no_match(self, mock_info):
        fullchains = self._all_fullchains()
--- a/tools/_release.sh
+++ b/tools/_release.sh
@@ -216,13 +216,8 @@ fi
 # ensure we have the latest built version of leauto
 letsencrypt-auto-source/build.py

-# Now we have to sign the built version of leauto.
-SignLEAuto() {
-    yubico-piv-tool -a verify-pin --sign -s 9c -i letsencrypt-auto-source/letsencrypt-auto -o letsencrypt-auto-source/letsencrypt-auto.sig
-}
-
-# Loop until letsencrypt-auto is signed correctly.
-SignLEAuto || true
+# and that it's signed correctly
+tools/offline-sigrequest.sh || true
 while ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
        letsencrypt-auto-source/letsencrypt-auto.sig \
        letsencrypt-auto-source/letsencrypt-auto            ; do
@@ -230,7 +225,7 @@ while ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
    read -p "Would you like this script to try and sign it again [Y/n]?" response
    case $response in
      [yY][eE][sS]|[yY]|"")
-        SignLEAuto || true;;
+        tools/offline-sigrequest.sh || true;;
      *)
        ;;
    esac
--- a/tools/dev_constraints.txt
+++ b/tools/dev_constraints.txt
@@ -26,7 +26,13 @@ coverage==4.5.4
 decorator==4.4.1
 deprecated==1.2.10
 dns-lexicon==3.3.17
-dnspython==2.1.0
+# There is no version of dnspython that works on both Python 2 and Python 3.9.
+# To work around this, we make use of the fact that subject to other
+# constraints, pip will install the newest version of a package while ignoring
+# versions that don't support the version of Python being used. The result of
+# this is dnspython 2.0.0 is installed in Python 3 while dnspython 1.16.0 is
+# installed in Python 2.
+dnspython<=2.0.0
 docker==4.3.1
 docker-compose==1.26.2
 docker-pycreds==0.4.0
--- a/tools/docker/core/Dockerfile
+++ b/tools/docker/core/Dockerfile
@@ -28,7 +28,8 @@ RUN apk add --no-cache --virtual .certbot-deps \
        libssl1.1 \
        openssl \
        ca-certificates \
-        binutils
+        binutils \
+        curl

 # Install certbot from sources
 #
--- a/tools/offline-sigrequest.sh
+++ b/tools/offline-sigrequest.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+set -o errexit
+
+function sayhash { # $1 <-- HASH ; $2 <---SIGFILEBALL
+  while read -p "Press Enter to read the hash aloud or type 'done':  " INP && [ "$INP" = "" ] ; do
+    if ! `which festival > /dev/null` ; then
+      echo \`festival\` is not installed!
+      echo Please install it to read the hash aloud
+    else
+      cat $1 | (echo "(Parameter.set 'Duration_Stretch 1.8)"; \
+                  echo -n '(SayText "'; \
+                  sha256sum | cut -c1-64 | fold -1 | sed 's/^a$/alpha/; s/^b$/bravo/; s/^c$/charlie/; s/^d$/delta/; s/^e$/echo/; s/^f$/foxtrot/'; \
+                  echo '")' ) | festival
+    fi
+  done
+
+  echo 'Paste in the data from the QR code, then type Ctrl-D:'
+  cat > $2
+}
+
+function offlinesign {  # $1 <-- INPFILE ; $2 <---SIGFILE
+  echo HASH FOR SIGNING:
+  SIGFILEBALL="$2.lzma.base64"
+  #echo "(place the resulting raw binary signature in $SIGFILEBALL)"
+  sha256sum $1
+  echo metahash for confirmation only $(sha256sum $1   |cut -d' ' -f1 | tr -d '\n' | sha256sum  | cut -c1-6) ...
+  echo
+  sayhash $1 $SIGFILEBALL
+}
+
+function oncesigned { # $1 <-- INPFILE ; $2 <--SIGFILE
+  SIGFILEBALL="$2.lzma.base64"
+  cat $SIGFILEBALL | tr -d '\r' | base64 -d | unlzma -c > $2 || exit 1
+  if ! [ -f $2 ] ; then
+    echo "Failed to find $2"'!'
+    exit 1
+  fi
+
+  if file $2 | grep -qv " data" ; then
+    echo "WARNING WARNING $2 does not look like a binary signature:"
+    echo `file $2`
+    exit 1
+  fi
+}
+
+HERE=`dirname $0`
+LEAUTO="`realpath $HERE`/../letsencrypt-auto-source/letsencrypt-auto"
+SIGFILE="$LEAUTO".sig
+offlinesign $LEAUTO $SIGFILE
+oncesigned $LEAUTO $SIGFILE
--- a/tools/oldest_constraints.txt
+++ b/tools/oldest_constraints.txt
@@ -1,79 +1,76 @@
-# This file contains the oldest versions of our dependencies we're trying to
-# support. Usually these version numbers are taken from the packages of our
-# dependencies available in popular LTS Linux distros. Keeping compatibility
-# with those versions makes it much easier for OS maintainers to update their
-# Certbot packages.
-#
-# When updating these dependencies, we should try to only update them to the
-# oldest version of the package that is found in a non-EOL'd version of
-# CentOS, Debian, or Ubuntu that has Certbot packages in their OS repositories
-# using a version of Python we support. If the distro is EOL'd or using a
-# version of Python we don't support, it can be ignored.
+# This file contains the oldest versions of our dependencies we say we require
+# in our packages or versions we need to support to maintain compatibility with
+# the versions included in the various Linux distros where we are packaged.

 # CentOS/RHEL 7 EPEL constraints
-# Some of these constraints may be stricter than necessary because they
-# initially referred to the Python 2 packages in CentOS/RHEL 7 with EPEL.
-cffi==1.9.1
+cffi==1.6.0
 chardet==2.2.1
+configobj==4.7.2
 ipaddress==1.0.16
 mock==1.0.1
 ndg-httpsclient==0.3.2
 ply==3.4
-pyOpenSSL==17.3.0
 pyasn1==0.1.9
 pycparser==2.14
 pyRFC3339==1.0
 python-augeas==0.5.0
 oauth2client==4.0.0
+six==1.9.0
+# setuptools 0.9.8 is the actual version packaged, but some other dependencies
+# in this file require setuptools>=1.0 and there are no relevant changes for us
+# between these versions.
+setuptools==1.0.0
 urllib3==1.10.2
 zope.component==4.1.0
 zope.event==4.0.3
 zope.interface==4.0.5

 # Debian Jessie Backports constraints
-# Debian Jessie has reached end of life so these dependencies can probably be
-# updated as needed or desired.
+# Debian Jessie has reached end of life. However:
+# When it becomes necessary to upgrade any of these dependencies, you should only update them to the oldest version of the package found
+# in a non-EOL'd version of CentOS, Debian, or Ubuntu that has Certbot packages in their OS repositories.
+PyICU==1.8
 colorama==0.3.2
 enum34==1.0.3
 html5lib==0.999
+idna==2.0
 pbr==1.8.0
 pytz==2012rc0

 # Debian Buster constraints
 google-api-python-client==1.5.5
-pyparsing==2.2.0

 # Our setup.py constraints
 apacheconfig==0.3.2
 cloudflare==1.5.1
+cryptography==1.2.3
+parsedatetime==1.3
+pyparsing==1.5.5
 python-digitalocean==1.11
 requests[security]==2.6.0

 # Ubuntu Xenial constraints
-# Ubuntu Xenial only has versions of Python which we do not support available
-# so these dependencies can probably be updated as needed or desired.
 ConfigArgParse==0.10.0
+pyOpenSSL==0.15.1
 funcsigs==0.4
 zope.hookable==4.0.4

 # Ubuntu Bionic constraints.
-cryptography==2.1.4
 distro==1.0.1
 # Lexicon oldest constraint is overridden appropriately on relevant DNS provider plugins
 # using their local-oldest-requirements.txt
 dns-lexicon==2.2.1
 httplib2==0.9.2
-idna==2.6
-setuptools==39.0.1
-six==1.11.0
-
-# Ubuntu Focal constraints
-asn1crypto==0.24.0
-configobj==5.0.6
-parsedatetime==2.4

 # Plugin constraints
 # These aren't necessarily the oldest versions we need to support
 # Tracking at https://github.com/certbot/certbot/issues/6473
 boto3==1.4.7
 botocore==1.7.41
+
+# Old certbot[dev] constraints
+# Old versions of certbot[dev] required ipdb and our normally pinned version of
+# ipython which ipdb depends on doesn't support Python 2 so we pin an older
+# version here to keep tests working while we have Python 2 support.
+ipython==5.8.0
+prompt-toolkit==1.0.18
--- a/tools/run_oldest_tests.sh
+++ b/tools/run_oldest_tests.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+set -e
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+pushd "${DIR}/../"
+
+function cleanup() {
+  rm -f "${DOCKERFILE}"
+  popd
+}
+
+trap cleanup EXIT
+
+DOCKERFILE=$(mktemp /tmp/Dockerfile.XXXXXX)
+
+cat << "EOF" >> "${DOCKERFILE}"
+FROM ubuntu:16.04
+COPY letsencrypt-auto-source/pieces/dependency-requirements.txt /tmp/letsencrypt-auto-source/pieces/
+COPY tools/ /tmp/tools/
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+        python-dev python-pip python-setuptools \
+        gcc libaugeas0 libssl-dev libffi-dev \
+        git ca-certificates nginx-light openssl curl \
+ && curl -fsSL https://get.docker.com | bash /dev/stdin \
+ && python /tmp/tools/pipstrap.py \
+ && python /tmp/tools/pip_install.py tox \
+ && rm -rf /var/lib/apt/lists/*
+EOF
+
+docker build -f "${DOCKERFILE}" -t oldest-worker .
+docker run --rm --network=host -w "${PWD}" \
+  -v /var/run/docker.sock:/var/run/docker.sock \
+  -v "${PWD}:${PWD}" -v /tmp:/tmp \
+  -e TOXENV -e ACME_SERVER -e PYTEST_ADDOPTS \
+  oldest-worker python -m tox
--- a/tox.ini
+++ b/tox.ini
@@ -77,65 +77,49 @@ setenv =
    PYTEST_ADDOPTS = {env:PYTEST_ADDOPTS:--numprocesses auto}
    PYTHONHASHSEED = 0

-[testenv:oldest]
-# Setting basepython allows the tests to fail fast if that version of Python
-# isn't available instead of potentially trying to use a newer version of
-# Python which is unlikely to work.
-basepython = python3.6
+[testenv:py27-oldest]
 commands =
    {[testenv]commands}
 setenv =
    {[testenv]setenv}
    CERTBOT_OLDEST=1

-[testenv:acme-oldest]
-basepython =
-    {[testenv:oldest]basepython}
+[testenv:py27-acme-oldest]
 commands =
    {[base]install_and_test} acme[dev]
 setenv =
-    {[testenv:oldest]setenv}
+    {[testenv:py27-oldest]setenv}

-[testenv:apache-oldest]
-basepython =
-    {[testenv:oldest]basepython}
+[testenv:py27-apache-oldest]
 commands =
    {[base]install_and_test} certbot-apache
 setenv =
-    {[testenv:oldest]setenv}
+    {[testenv:py27-oldest]setenv}

-[testenv:apache-v2-oldest]
-basepython =
-    {[testenv:oldest]basepython}
+[testenv:py27-apache-v2-oldest]
 commands =
    {[base]install_and_test} certbot-apache[dev]
 setenv =
-    {[testenv:oldest]setenv}
+    {[testenv:py27-oldest]setenv}

-[testenv:certbot-oldest]
-basepython =
-    {[testenv:oldest]basepython}
+[testenv:py27-certbot-oldest]
 commands =
    {[base]install_and_test} certbot[dev]
 setenv =
-    {[testenv:oldest]setenv}
+    {[testenv:py27-oldest]setenv}

-[testenv:dns-oldest]
-basepython =
-    {[testenv:oldest]basepython}
+[testenv:py27-dns-oldest]
 commands =
    {[base]install_and_test} {[base]dns_packages}
 setenv =
-    {[testenv:oldest]setenv}
+    {[testenv:py27-oldest]setenv}

-[testenv:nginx-oldest]
-basepython =
-    {[testenv:oldest]basepython}
+[testenv:py27-nginx-oldest]
 commands =
    {[base]install_and_test} certbot-nginx
    python tests/lock_test.py
 setenv =
-    {[testenv:oldest]setenv}
+    {[testenv:py27-oldest]setenv}

 [testenv:lint]
 basepython = python3
@@ -254,26 +238,22 @@ commands =
 passenv = DOCKER_*

 [testenv:integration-certbot-oldest]
-basepython =
-    {[testenv:oldest]basepython}
 commands =
    {[base]pip_install} certbot
    {[base]pip_install} certbot-ci
    pytest certbot-ci/certbot_integration_tests/certbot_tests \
        --acme-server={env:ACME_SERVER:pebble}
 passenv = DOCKER_*
-setenv = {[testenv:oldest]setenv}
+setenv = {[testenv:py27-oldest]setenv}

 [testenv:integration-nginx-oldest]
-basepython =
-    {[testenv:oldest]basepython}
 commands =
    {[base]pip_install} certbot-nginx
    {[base]pip_install} certbot-ci
    pytest certbot-ci/certbot_integration_tests/nginx_tests \
        --acme-server={env:ACME_SERVER:pebble}
 passenv = DOCKER_*
-setenv = {[testenv:oldest]setenv}
+setenv = {[testenv:py27-oldest]setenv}

 [testenv:test-farm-tests-base]
 changedir = tests/letstest
				`@@ -1 +0,0 @@`
				`Amazon Web Services Route 53 DNS Authenticator plugin for Certbot`