Release 0.10.2

* use challenge type strings, not objectS

* Factor out parse_preferred_challenges

* restore pref_challs

* save pref_challs

* Make CheckCertCount more flexible

* improve integration tests

* Make pref_challs more flexible

(cherry picked from commit 4d860b37b0)

.travis.yml

@@ -96,6 +96,7 @@ matrix:
 # turnaround time on review since there is a cap of 5 simultaneous runs.
 branches:
   only:
+    - 0.10.x
     - master
     - /^test-.*$/
 

acme/acme/client.py

@@ -658,8 +658,25 @@ class ClientNetwork(object):  # pylint: disable=too-many-instance-attributes
             self._add_nonce(self.head(url))
         return self._nonces.pop()
 
-    def post(self, url, obj, content_type=JOSE_CONTENT_TYPE, **kwargs):
-        """POST object wrapped in `.JWS` and check response."""
+    def post(self, *args, **kwargs):
+        """POST object wrapped in `.JWS` and check response.
+
+        If the server responded with a badNonce error, the request will
+        be retried once.
+
+        """
+        should_retry = True
+        while True:
+            try:
+                return self._post_once(*args, **kwargs)
+            except messages.Error as error:
+                if should_retry and error.code == 'badNonce':
+                    logger.debug('Retrying request after error:\n%s', error)
+                    should_retry = False
+                else:
+                    raise
+
+    def _post_once(self, url, obj, content_type=JOSE_CONTENT_TYPE, **kwargs):
         data = self._wrap_in_jws(obj, self._get_nonce(url))
         kwargs.setdefault('headers', {'Content-Type': content_type})
         response = self._send_request('POST', url, data=data, **kwargs)

acme/acme/client_test.py

@@ -616,7 +616,9 @@ class ClientNetworkWithMockedResponseTest(unittest.TestCase):
         self.wrapped_obj = mock.MagicMock()
         self.content_type = mock.sentinel.content_type
 
-        self.all_nonces = [jose.b64encode(b'Nonce'), jose.b64encode(b'Nonce2')]
+        self.all_nonces = [
+            jose.b64encode(b'Nonce'),
+            jose.b64encode(b'Nonce2'), jose.b64encode(b'Nonce3')]
         self.available_nonces = self.all_nonces[:]
 
         def send_request(*args, **kwargs):
@@ -664,7 +666,7 @@ class ClientNetworkWithMockedResponseTest(unittest.TestCase):
         self.net._wrap_in_jws.assert_called_once_with(
             self.obj, jose.b64decode(self.all_nonces.pop()))
 
-        assert not self.available_nonces
+        self.available_nonces = []
         self.assertRaises(errors.MissingNonce, self.net.post,
                           'uri', self.obj, content_type=self.content_type)
         self.net._wrap_in_jws.assert_called_with(
@@ -680,6 +682,25 @@ class ClientNetworkWithMockedResponseTest(unittest.TestCase):
         self.assertRaises(errors.BadNonce, self.net.post, 'uri',
                           self.obj, content_type=self.content_type)
 
+    def test_post_failed_retry(self):
+        check_response = mock.MagicMock()
+        check_response.side_effect = messages.Error.with_code('badNonce')
+
+        # pylint: disable=protected-access
+        self.net._check_response = check_response
+        self.assertRaises(messages.Error, self.net.post, 'uri',
+                          self.obj, content_type=self.content_type)
+
+    def test_post_successful_retry(self):
+        check_response = mock.MagicMock()
+        check_response.side_effect = [messages.Error.with_code('badNonce'),
+                                      self.checked_response]
+
+        # pylint: disable=protected-access
+        self.net._check_response = check_response
+        self.assertEqual(self.checked_response, self.net.post(
+            'uri', self.obj, content_type=self.content_type))
+
     def test_head_get_post_error_passthrough(self):
         self.send_request.side_effect = requests.exceptions.RequestException
         for method in self.net.head, self.net.get:

acme/setup.py

@@ -4,7 +4,7 @@ from setuptools import setup
 from setuptools import find_packages
 
 
-version = '0.10.0.dev0'
+version = '0.10.2'
 
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [

certbot-apache/setup.py

@@ -4,7 +4,7 @@ from setuptools import setup
 from setuptools import find_packages
 
 
-version = '0.10.0.dev0'
+version = '0.10.2'
 
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [

certbot-auto

@@ -15,11 +15,15 @@ set -e  # Work even if somebody does "sh thisscript.sh".
 
 # Note: you can set XDG_DATA_HOME or VENV_PATH before running this script,
 # if you want to change where the virtual environment will be installed
-XDG_DATA_HOME=${XDG_DATA_HOME:-~/.local/share}
+if [ -z "$XDG_DATA_HOME" ]; then
+  XDG_DATA_HOME=~/.local/share
+fi
 VENV_NAME="letsencrypt"
-VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"}
+if [ -z "$VENV_PATH" ]; then
+  VENV_PATH="$XDG_DATA_HOME/$VENV_NAME"
+fi
 VENV_BIN="$VENV_PATH/bin"
-LE_AUTO_VERSION="0.9.3"
+LE_AUTO_VERSION="0.10.2"
 BASENAME=$(basename $0)
 USAGE="Usage: $BASENAME [OPTIONS]
 A self-updating wrapper script for the Certbot ACME client. When run, updates
@@ -58,6 +62,7 @@ for arg in "$@" ; do
     --verbose)
       VERBOSE=1;;
     -[!-]*)
+      OPTIND=1
       while getopts ":hnvq" short_arg $arg; do
         case "$short_arg" in
           h)
@@ -79,43 +84,74 @@ if [ $BASENAME = "letsencrypt-auto" ]; then
   HELP=0
 fi
 
+# Support for busybox and others where there is no "command",
+# but "which" instead
+if command -v command > /dev/null 2>&1 ; then
+  export EXISTS="command -v"
+elif which which > /dev/null 2>&1 ; then
+  export EXISTS="which"
+else
+  echo "Cannot find command nor which... please install one!"
+  exit 1
+fi
+
 # certbot-auto needs root access to bootstrap OS dependencies, and
 # certbot itself needs root access for almost all modes of operation
 # The "normal" case is that sudo is used for the steps that need root, but
 # this script *can* be run as root (not recommended), or fall back to using
-# `su`
+# `su`. Auto-detection can be overrided by explicitly setting the
+# environment variable LE_AUTO_SUDO to 'sudo', 'sudo_su' or '' as used below.
+
+# Because the parameters in `su -c` has to be a string,
+# we need to properly escape it.
+su_sudo() {
+  args=""
+  # This `while` loop iterates over all parameters given to this function.
+  # For each parameter, all `'` will be replace by `'"'"'`, and the escaped string
+  # will be wrapped in a pair of `'`, then appended to `$args` string
+  # For example, `echo "It's only 1\$\!"` will be escaped to:
+  #   'echo' 'It'"'"'s only 1$!'
+  #     │       │└┼┘│
+  #     │       │ │ └── `'s only 1$!'` the literal string
+  #     │       │ └── `\"'\"` is a single quote (as a string)
+  #     │       └── `'It'`, to be concatenated with the strings following it
+  #     └── `echo` wrapped in a pair of `'`, it's totally fine for the shell command itself
+  while [ $# -ne 0 ]; do
+    args="$args'$(printf "%s" "$1" | sed -e "s/'/'\"'\"'/g")' "
+    shift
+  done
+  su root -c "$args"
+}
+
 SUDO_ENV=""
 export CERTBOT_AUTO="$0"
-if test "`id -u`" -ne "0" ; then
-  if command -v sudo 1>/dev/null 2>&1; then
-    SUDO=sudo
-    SUDO_ENV="CERTBOT_AUTO=$0"
-  else
-    echo \"sudo\" is not available, will use \"su\" for installation steps...
-    # Because the parameters in `su -c` has to be a string,
-    # we need properly escape it
-    su_sudo() {
-      args=""
-      # This `while` loop iterates over all parameters given to this function.
-      # For each parameter, all `'` will be replace by `'"'"'`, and the escaped string
-      # will be wrapped in a pair of `'`, then appended to `$args` string
-      # For example, `echo "It's only 1\$\!"` will be escaped to:
-      #   'echo' 'It'"'"'s only 1$!'
-      #     │       │└┼┘│
-      #     │       │ │ └── `'s only 1$!'` the literal string
-      #     │       │ └── `\"'\"` is a single quote (as a string)
-      #     │       └── `'It'`, to be concatenated with the strings following it
-      #     └── `echo` wrapped in a pair of `'`, it's totally fine for the shell command itself
-      while [ $# -ne 0 ]; do
-        args="$args'$(printf "%s" "$1" | sed -e "s/'/'\"'\"'/g")' "
-        shift
-      done
-      su root -c "$args"
-    }
-    SUDO=su_sudo
-  fi
+if [ -n "${LE_AUTO_SUDO+x}" ]; then
+  case "$LE_AUTO_SUDO" in
+    su_sudo|su)
+      SUDO=su_sudo
+      ;;
+    sudo)
+      SUDO=sudo
+      SUDO_ENV="CERTBOT_AUTO=$0"
+      ;;
+    '') ;; # Nothing to do for plain root method.
+    *)
+      echo "Error: unknown root authorization mechanism '$LE_AUTO_SUDO'."
+      exit 1
+  esac
+  echo "Using preset root authorization mechanism '$LE_AUTO_SUDO'."
 else
-  SUDO=
+  if test "`id -u`" -ne "0" ; then
+    if $EXISTS sudo 1>/dev/null 2>&1; then
+      SUDO=sudo
+      SUDO_ENV="CERTBOT_AUTO=$0"
+    else
+      echo \"sudo\" is not available, will use \"su\" for installation steps...
+      SUDO=su_sudo
+    fi
+  else
+    SUDO=
+  fi
 fi
 
 ExperimentalBootstrap() {
@@ -136,7 +172,7 @@ ExperimentalBootstrap() {
 DeterminePythonVersion() {
   for LE_PYTHON in "$LE_PYTHON" python2.7 python27 python2 python; do
     # Break (while keeping the LE_PYTHON value) if found.
-    command -v "$LE_PYTHON" > /dev/null && break
+    $EXISTS "$LE_PYTHON" > /dev/null && break
   done
   if [ "$?" != "0" ]; then
     echo "Cannot find any Pythons; please install one!"
@@ -177,19 +213,22 @@ BootstrapDebCommon() {
   # distro version (#346)
 
   virtualenv=
-  if apt-cache show virtualenv > /dev/null 2>&1 && ! apt-cache --quiet=0 show virtualenv 2>&1 | grep -q 'No packages found'; then
-    virtualenv="virtualenv"
+  # virtual env is known to apt and is installable
+  if apt-cache show virtualenv > /dev/null 2>&1 ; then
+      if ! LC_ALL=C apt-cache --quiet=0 show virtualenv 2>&1 | grep -q 'No packages found'; then
+          virtualenv="virtualenv"
+      fi
   fi
 
   if apt-cache show python-virtualenv > /dev/null 2>&1; then
-    virtualenv="$virtualenv python-virtualenv"
+      virtualenv="$virtualenv python-virtualenv"
   fi
 
   augeas_pkg="libaugeas0 augeas-lenses"
-  AUGVERSION=`apt-cache show --no-all-versions libaugeas0 | grep ^Version: | cut -d" " -f2`
+  AUGVERSION=`LC_ALL=C apt-cache show --no-all-versions libaugeas0 | grep ^Version: | cut -d" " -f2`
 
   if [ "$ASSUME_YES" = 1 ]; then
-    YES_FLAG="-y"
+      YES_FLAG="-y"
   fi
 
   AddBackportRepo() {
@@ -248,15 +287,15 @@ BootstrapDebCommon() {
     python-dev \
     $virtualenv \
     gcc \
-    dialog \
     $augeas_pkg \
     libssl-dev \
+    openssl \
     libffi-dev \
     ca-certificates \
 
 
 
-  if ! command -v virtualenv > /dev/null ; then
+  if ! $EXISTS virtualenv > /dev/null ; then
     echo Failed to install a working \"virtualenv\" command, exiting
     exit 1
   fi
@@ -307,7 +346,6 @@ BootstrapRpmCommon() {
 
   pkgs="
     gcc
-    dialog
     augeas-libs
     openssl
     openssl-devel
@@ -361,7 +399,6 @@ BootstrapSuseCommon() {
     python-devel \
     python-virtualenv \
     gcc \
-    dialog \
     augeas-lenses \
     libopenssl-devel \
     libffi-devel \
@@ -380,7 +417,6 @@ BootstrapArchCommon() {
     python2
     python-virtualenv
     gcc
-    dialog
     augeas
     openssl
     libffi
@@ -404,22 +440,26 @@ BootstrapGentooCommon() {
   PACKAGES="
     dev-lang/python:2.7
     dev-python/virtualenv
-    dev-util/dialog
     app-admin/augeas
     dev-libs/openssl
     dev-libs/libffi
     app-misc/ca-certificates
     virtual/pkgconfig"
 
+  ASK_OPTION="--ask"
+  if [ "$ASSUME_YES" = 1 ]; then
+    ASK_OPTION=""
+  fi
+
   case "$PACKAGE_MANAGER" in
     (paludis)
       $SUDO cave resolve --preserve-world --keep-targets if-possible $PACKAGES -x
       ;;
     (pkgcore)
-      $SUDO pmerge --noreplace --oneshot $PACKAGES
+      $SUDO pmerge --noreplace --oneshot $ASK_OPTION $PACKAGES
       ;;
     (portage|*)
-      $SUDO emerge --noreplace --oneshot $PACKAGES
+      $SUDO emerge --noreplace --oneshot $ASK_OPTION $PACKAGES
       ;;
   esac
 }
@@ -449,7 +489,6 @@ BootstrapMac() {
   fi
 
   $pkgcmd augeas
-  $pkgcmd dialog
   if [ "$(which python)" = "/System/Library/Frameworks/Python.framework/Versions/2.7/bin/python" \
       -o "$(which python)" = "/usr/bin/python" ]; then
     # We want to avoid using the system Python because it requires root to use pip.
@@ -458,7 +497,7 @@ BootstrapMac() {
     $pkgcmd python
   fi
 
-  # Workaround for _dlopen not finding augeas on OS X
+  # Workaround for _dlopen not finding augeas on macOS
   if [ "$pkgman" = "port" ] && ! [ -e "/usr/local/lib/libaugeas.dylib" ] && [ -e "/opt/local/lib/libaugeas.dylib" ]; then
     echo "Applying augeas workaround"
     $SUDO mkdir -p /usr/local/lib/
@@ -496,8 +535,8 @@ BootstrapMageiaCommon() {
     if ! $SUDO urpmi --force \
            git \
            gcc \
-           cdialog \
            python-augeas \
+           openssl \
            libopenssl-devel \
            libffi-devel \
            rootcerts
@@ -541,7 +580,7 @@ Bootstrap() {
   elif uname | grep -iq FreeBSD ; then
     ExperimentalBootstrap "FreeBSD" BootstrapFreeBsd
   elif uname | grep -iq Darwin ; then
-    ExperimentalBootstrap "Mac OS X" BootstrapMac
+    ExperimentalBootstrap "macOS" BootstrapMac
   elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then
     ExperimentalBootstrap "Amazon Linux" BootstrapRpmCommon
   elif [ -f /etc/product ] && grep -q "Joyent Instance" /etc/product ; then
@@ -557,7 +596,7 @@ Bootstrap() {
 }
 
 TempDir() {
-  mktemp -d 2>/dev/null || mktemp -d -t 'le'  # Linux || OS X
+  mktemp -d 2>/dev/null || mktemp -d -t 'le'  # Linux || macOS
 }
 
 
@@ -594,6 +633,11 @@ if [ "$1" = "--le-auto-phase2" ]; then
 # `pip install --no-cache-dir -e acme -e . -e certbot-apache -e certbot-nginx`,
 # and then use `hashin` or a more secure method to gather the hashes.
 
+# Hashin example:
+# pip install hashin
+# hashin -r letsencrypt-auto-requirements.txt cryptography==1.5.2
+# sets the new certbot-auto pinned version of cryptography to 1.5.2
+
 argparse==1.4.0 \
     --hash=sha256:c31647edb69fd3d465a847ea3157d37bed1f95f19760b11a47aa91c04b666314 \
     --hash=sha256:62b089a55be1d8949cd2bc7e0df0bddb9e028faefc8c32038cc84862aefdd6e4
@@ -601,7 +645,8 @@ argparse==1.4.0 \
 # This comes before cffi because cffi will otherwise install an unchecked
 # version via setup_requires.
 pycparser==2.14 \
-    --hash=sha256:7959b4a74abdc27b312fed1c21e6caf9309ce0b29ea86b591fd2e99ecdf27f73
+    --hash=sha256:7959b4a74abdc27b312fed1c21e6caf9309ce0b29ea86b591fd2e99ecdf27f73 \
+    --no-binary pycparser
 
 cffi==1.4.2 \
     --hash=sha256:53c1c9ddb30431513eb7f3cdef0a3e06b0f1252188aaa7744af0f5a4cd45dbaf \
@@ -624,29 +669,29 @@ ConfigArgParse==0.10.0 \
     --hash=sha256:3b50a83dd58149dfcee98cb6565265d10b53e9c0a2bca7eeef7fb5f5524890a7
 configobj==5.0.6 \
     --hash=sha256:a2f5650770e1c87fb335af19a9b7eb73fc05ccf22144eb68db7d00cd2bcb0902
-cryptography==1.3.4 \
-    --hash=sha256:bede00edd11a2a62c8c98c271cc103fa3a3d72acf64f6e5e4eaf251128897b17 \
-    --hash=sha256:53b39e687b744bb548a98f40736cc529d9f60959b4e6cc551322cf9505d35eb3 \
-    --hash=sha256:474b73ad1139b4e423e46bbd818efd0d5c0df1c65d9f7c957d64c9215d77afde \
-    --hash=sha256:aaddf9592d5b99e32dd518bb4a25b147c124f9d6b4ad64b94f01b15d1666b8c8 \
-    --hash=sha256:6dcad2f407db8c3cd6ecd78361439c449a4f94786b46c54507e7e68f51e1709d \
-    --hash=sha256:475c153fc622e656f1f10a9c9941d0ac7ab18df7c38d35d563a437c1c0e34f24 \
-    --hash=sha256:86dd61df581cba04e89e45081efbc531faff1c9d99c77b1ce97f87216c356353 \
-    --hash=sha256:75cc697e4ef5fdd0102ca749114c6370dbd11db0c9132a18834858c2566247e3 \
-    --hash=sha256:ea03ad5b9df6d79fc9fc1ab23729e01e1c920d2974c5e3c634ccf45a5c378452 \
-    --hash=sha256:c8872b8fe4f3416d6338ab99612f49ab314f7856cb43bffab2a32d28a6267be8 \
-    --hash=sha256:468fc6e16eaec6ceaa6bc341273e6e9912d01b42b740f8cf896ace7fcd6a321d \
-    --hash=sha256:d6fea3c6502735011c5d61a62aef1c1d770fc6a2def45d9e6c0d94c9651e3317 \
-    --hash=sha256:3cf95f179f4bead3d5649b91860ef4cf60ad4244209190fc405908272576d961 \
-    --hash=sha256:141f77e60a5b9158309b2b60288c7f81d37faa15c22a69b94c190ceefaaa6236 \
-    --hash=sha256:87b7a1fe703c6424451f3372d1879dae91c7fe5e13375441a72833db76fee30e \
-    --hash=sha256:f5ee3cb0cf1a6550bf483ccffa6608db267a377b45f7e3a8201a86d1d8feb19f \
-    --hash=sha256:4e097286651ea318300af3251375d48b71b8228481c56cd617ddd4459a1ff261 \
-    --hash=sha256:1e3d3ae3f22f22d50d340f47f25227511326f3f1396c6d2446a5b45b516c4313 \
-    --hash=sha256:6a057941cb64d79834ea3cf99093fcc4787c2a5d44f686c4f297361ddc419bcd \
-    --hash=sha256:68b3d5390b92559ddd3353c73ab2dfcff758f9c4ec4f5d5226ccede0e5d779f4 \
-    --hash=sha256:545dc003b4b6081f9c3e452da15d819b04b696f49484aff64c0a2aedf766bef8 \
-    --hash=sha256:423ff890c01be7c70dbfeaa967eeef5146f1a43a5f810ffdc07b178e48a105a9
+cryptography==1.5.3 \
+    --hash=sha256:e514d92086246b53ae9b048df652cf3036b462e50a6ce9fac6b6253502679991 \
+    --hash=sha256:10ee414f4b5af403a0d8f20dfa80f7dad1fc7ae5452ec5af03712d5b6e78c664 \
+    --hash=sha256:7234456d1f4345a144ed07af2416c7c0659d4bb599dd1a963103dc8c183b370e \
+    --hash=sha256:d3b9587406f94642bd70b3d666b813f446e95f84220c9e416ad94cbfb6be2eaa \
+    --hash=sha256:b15fc6b59f1474eef62207c85888afada8acc47fae8198ba2b0197d54538961a \
+    --hash=sha256:3b62d65d342704fc07ed171598db2a2775bdf587b1b6abd2cba2261bfe3ccde3 \
+    --hash=sha256:059343022ec904c867a13bc55d2573e36c8cfb2c250e30d8a2e9825f253b07ba \
+    --hash=sha256:c7897cf13bc8b4ee0215d83cbd51766d87c06b277fcca1f9108595508e5bcfb4 \
+    --hash=sha256:9b69e983e5bf83039ddd52e52a28c7faedb2b22bdfb5876377b95aac7d3be63e \
+    --hash=sha256:61e40905c426d02b3fae38088dc66ce4ef84830f7eb223dec6b3ac3ccdc676fb \
+    --hash=sha256:00783a32bcd91a12177230d35bfcf70a2333ade4a6b607fac94a633a7971c671 \
+    --hash=sha256:d11973f49b648cde1ea1a30e496d7557dbfeccd08b3cd9ba58d286a9c274ff8e \
+    --hash=sha256:f24bedf28b81932ba6063aec9a826669f5237ea3b755efe04d98b072faa053a5 \
+    --hash=sha256:3ab5725367239e3deb9b92e917aa965af3fef008f25b96a3000821869e208181 \
+    --hash=sha256:8a53209de822e22b5f73bf4b99e68ac4ccc91051fd6751c8252982983e86a77d \
+    --hash=sha256:5a07439d4b1e4197ac202b7eea45e26a6fd65757652dc50f1a63367f711df933 \
+    --hash=sha256:26b1c4b40aec7b0074bceabe6e06565aa28176eca7323a31df66ebf89fe916d3 \
+    --hash=sha256:eaa4a7b5a6682adcf8d6ebb2a08a008802657643655bb527c95c8a3860253d8e \
+    --hash=sha256:8156927dcf8da274ff205ad0612f75c380df45385bacf98531a5b3348c88d135 \
+    --hash=sha256:61ec0d792749d0e91e84b1d58b6dfd204806b10b5811f846c2ceca0de028c53a \
+    --hash=sha256:26330c88041569ca621cc42274d0ea2667a48b6deab41467272c3aba0b6e8f07 \
+    --hash=sha256:cf82ddac919b587f5e44247579b433224cc2e03332d2ea4d89aa70d7e6b64ae5
 enum34==1.1.2 \
     --hash=sha256:2475d7fcddf5951e92ff546972758802de5260bf409319a9f1934e6bbc8b1dc7 \
     --hash=sha256:35907defb0f992b75ab7788f65fedc1cf20ffa22688e0e6f6f12afc06b3ea501
@@ -662,8 +707,6 @@ ipaddress==1.0.16 \
 linecache2==1.0.0 \
     --hash=sha256:e78be9c0a0dfcbac712fe04fbf92b96cddae80b1b842f24248214c8496f006ef \
     --hash=sha256:4b26ff4e7110db76eeb6f5a7b64a82623839d595c2038eeda662f2a2db78e97c
-ndg-httpsclient==0.4.0 \
-    --hash=sha256:e8c155fdebd9c4bcb0810b4ed01ae1987554b1ee034dd7532d7b8fdae38a6274
 ordereddict==1.1 \
     --hash=sha256:1c35b4ac206cef2d24816c89f89cf289dd3d38cf7c449bb3fab7bf6d43f01b1f
 parsedatetime==2.1 \
@@ -684,9 +727,9 @@ pyasn1==0.1.9 \
     --hash=sha256:5191ff6b9126d2c039dd87f8ff025bed274baf07fa78afa46f556b1ad7265d6e \
     --hash=sha256:8323e03637b2d072cc7041300bac6ec448c3c28950ab40376036788e9a1af629 \
     --hash=sha256:853cacd96d1f701ddd67aa03ecc05f51890135b7262e922710112f12a2ed2a7f
-pyopenssl==16.0.0 \
-    --hash=sha256:5add70cf00273bf957ca31fdb0df9b0ae4639e081897d5f86a0ae1f104901230 \
-    --hash=sha256:363d10ee43d062285facf4e465f4f5163f9f702f9134f0a5896f134cbb92d17d
+pyOpenSSL==16.2.0 \
+    --hash=sha256:26ca380ddf272f7556e48064bbcd5bd71f83dfc144f3583501c7ddbd9434ee17 \
+    --hash=sha256:7779a3bbb74e79db234af6a08775568c6769b5821faecf6e2f4143edb227516e
 pyparsing==2.1.8 \
     --hash=sha256:2f0f5ceb14eccd5aef809d6382e87df22ca1da583c79f6db01675ce7d7f49c18 \
     --hash=sha256:03a4869b9f3493807ee1f1cb405e6d576a1a2ca4d81a982677c0c1ad6177c56b \
@@ -701,9 +744,6 @@ pyRFC3339==1.0 \
     --hash=sha256:8dfbc6c458b8daba1c0f3620a8c78008b323a268b27b7359e92a4ae41325f535
 python-augeas==0.5.0 \
     --hash=sha256:67d59d66cdba8d624e0389b87b2a83a176f21f16a87553b50f5703b23f29bac2
-python2-pythondialog==3.3.0 \
-    --hash=sha256:04e93f24995c43dd90f338d5d865ca72ce3fb5a5358d4daa4965571db35fc3ec \
-    --hash=sha256:3e6f593fead98f8a526bc3e306933533236e33729f552f52896ea504f55313fa
 pytz==2015.7 \
     --hash=sha256:3abe6a6d3fc2fbbe4c60144211f45da2edbe3182a6f6511af6bbba0598b1f992 \
     --hash=sha256:939ef9c1e1224d980405689a97ffcf7828c56d1517b31d73464356c1f2b7769e \
@@ -718,9 +758,9 @@ pytz==2015.7 \
     --hash=sha256:fbd26746772c24cb93c8b97cbdad5cb9e46c86bbdb1b9d8a743ee00e2fb1fc5d \
     --hash=sha256:99266ef30a37e43932deec2b7ca73e83c8dbc3b9ff703ec73eca6b1dae6befea \
     --hash=sha256:8b6ce1c993909783bc96e0b4f34ea223bff7a4df2c90bdb9c4e0f1ac928689e3
-requests==2.9.1 \
-    --hash=sha256:113fbba5531a9e34945b7d36b33a084e8ba5d0664b703c81a7c572d91919a5b8 \
-    --hash=sha256:c577815dd00f1394203fc44eb979724b098f88264a9ef898ee45b8e5e9cf587f
+requests==2.12.1 \
+    --hash=sha256:3f3f27a9d0f9092935efc78054ef324eb9f8166718270aefe036dfa1e4f68e1e \
+    --hash=sha256:2109ecea94df90980be040490ff1d879971b024861539abb00054062388b612e
 six==1.10.0 \
     --hash=sha256:0ff78c403d9bccf5a425a6d31a12aa6b47f1c21ca4dc2573a7e2f32a97335eb1 \
     --hash=sha256:105f8d68616f8248e24bf0e9372ef04d3cc10104f1980f54d57b2ce73a5ad56a
@@ -761,18 +801,18 @@ letsencrypt==0.7.0 \
 
 # THE LINES BELOW ARE EDITED BY THE RELEASE SCRIPT; ADD ALL DEPENDENCIES ABOVE.
 
-acme==0.9.3 \
-    --hash=sha256:d18ce17a75ad24d27981dfaef0524aa905eab757b267e027162b56a8967ab8fb \
-    --hash=sha256:a6eff1f955eb2e4316abd9aa2fedb6d9345e6b5b8a2d64ea0ad35e05d6124099
-certbot==0.9.3 \
-    --hash=sha256:a87ef4c53c018df4e52ee2f2e906ad16bbb37789f29e6f284c495a2eb4d9b243 \
-    --hash=sha256:68149cb8392b29f5d5246e7226d25f913f2b10482bf3bc7368e8c8821d25f3b0
-certbot-apache==0.9.3 \
-    --hash=sha256:f379b1053e10709692654d7a6fcea9eaed19b66c49a753b61e31bd06a04b0aac \
-    --hash=sha256:a5d98cf972072de08f984db4e6a7f20269f3f023c43f6d4e781fe43be7c10086
-certbot-nginx==0.9.3 \
-    --hash=sha256:3c26f18f0b57550f069263bd9b2984ef33eab6693e7796611c1b2cc16574069c \
-    --hash=sha256:7337a2e90e0b28a1ab09e31d9fb81c6d78e6453500c824c0f18bab5d31b63058
+acme==0.10.2 \
+    --hash=sha256:053bbf8d36be298e411e0fa397289307e1a888f419de1205931236114f8f825e \
+    --hash=sha256:6465b66256849f8cd4269a43037d404b1ccf31a60d3c93fc628d6f6f4c43de78
+certbot==0.10.2 \
+    --hash=sha256:1e680cab3cda6c3079ee64066903f93e421df46a8d4db63264a6359f3d5ba63e \
+    --hash=sha256:33729ce100fc9d00d9820c81fc3ef9b95802b8d261f0cca0cce422bc568b1631
+certbot-apache==0.10.2 \
+    --hash=sha256:c1f196506bf961e2171fb2af9feca8926100564b644acda1895acdf294c46e71 \
+    --hash=sha256:8573275e74c8b74a9c7d7824636a37a4bc83327a7cc97a43b334fe8956ba8cb1
+certbot-nginx==0.10.2 \
+    --hash=sha256:74c32bdaf2f3873aa811c3e2cdc205d3137b59c64dbcdca6f3982ed2a89b4f2a \
+    --hash=sha256:c8265ab4b4bc0a6a3a81d7f0b8ff2606dd28ebbb3cd045635862286b97af2c36
 
 UNLIKELY_EOF
     # -------------------------------------------------------------------------
@@ -940,7 +980,28 @@ UNLIKELY_EOF
       # Report error. (Otherwise, be quiet.)
       echo "Had a problem while installing Python packages."
       if [ "$VERBOSE" != 1 ]; then
+        echo
+        echo "pip prints the following errors: "
+        echo "====================================================="
         echo "$PIP_OUT"
+        echo "====================================================="
+        echo
+        echo "Certbot has problem setting up the virtual environment."
+
+        if `echo $PIP_OUT | grep -q Killed` || `echo $PIP_OUT | grep -q "allocate memory"` ; then
+          echo
+          echo "Based on your pip output, the problem can likely be fixed by "
+          echo "increasing the available memory."
+        else
+          echo
+          echo "We were not be able to guess the right solution from your pip "
+          echo "output."
+        fi
+
+        echo
+        echo "Consult https://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment"
+        echo "for possible solutions."
+        echo "You may also find some support resources at https://certbot.eff.org/support/ ."
       fi
       rm -rf "$VENV_PATH"
       exit 1
@@ -1132,7 +1193,7 @@ UNLIKELY_EOF
       # TODO: Deal with quotes in pathnames.
       echo "Replacing certbot-auto..."
       # Clone permissions with cp. chmod and chown don't have a --reference
-      # option on OS X or BSD, and stat -c on Linux is stat -f on OS X and BSD:
+      # option on macOS or BSD, and stat -c on Linux is stat -f on macOS and BSD:
       $SUDO cp -p "$0" "$TEMP_DIR/letsencrypt-auto.permission-clone"
       $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$TEMP_DIR/letsencrypt-auto.permission-clone"
       # Using mv rather than cp leaves the old file descriptor pointing to the

certbot-compatibility-test/setup.py

@@ -4,7 +4,7 @@ from setuptools import setup
 from setuptools import find_packages
 
 
-version = '0.10.0.dev0'
+version = '0.10.2'
 
 install_requires = [
     'certbot',

certbot-nginx/setup.py

@@ -4,7 +4,7 @@ from setuptools import setup
 from setuptools import find_packages
 
 
-version = '0.10.0.dev0'
+version = '0.10.2'
 
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [

certbot/__init__.py

@@ -1,4 +1,4 @@
 """Certbot client."""
 
 # version number like 1.2.3a0, must have at least 2 parts, like 1.2
-__version__ = '0.10.0.dev0'
+__version__ = '0.10.2'

certbot/auth_handler.py

@@ -34,8 +34,7 @@ class AuthHandler(object):
     :ivar list achalls: DV challenges in the form of
         :class:`certbot.achallenges.AnnotatedChallenge`
     :ivar list pref_challs: sorted user specified preferred challenges
-        in the form of subclasses of :class:`acme.challenges.Challenge`
-        with the most preferred challenge listed first
+        type strings with the most preferred challenge listed first
 
     """
     def __init__(self, auth, acme, account, pref_challs):
@@ -252,8 +251,10 @@ class AuthHandler(object):
         # Make sure to make a copy...
         plugin_pref = self.auth.get_chall_pref(domain)
         if self.pref_challs:
-            chall_prefs.extend(pref for pref in self.pref_challs
-                               if pref in plugin_pref)
+            plugin_pref_types = set(chall.typ for chall in plugin_pref)
+            for typ in self.pref_challs:
+                if typ in plugin_pref_types:
+                    chall_prefs.append(challenges.Challenge.TYPES[typ])
             if chall_prefs:
                 return chall_prefs
             raise errors.AuthorizationError(

certbot/cli.py

@@ -1,4 +1,5 @@
 """Certbot command line argument & config processing."""
+# pylint: disable=too-many-lines
 from __future__ import print_function
 import argparse
 import copy
@@ -1201,13 +1202,31 @@ class _PrefChallAction(argparse.Action):
     """Action class for parsing preferred challenges."""
 
     def __call__(self, parser, namespace, pref_challs, option_string=None):
-        aliases = {"dns": "dns-01", "http": "http-01", "tls-sni": "tls-sni-01"}
-        challs = [c.strip() for c in pref_challs.split(",")]
-        challs = [aliases[c] if c in aliases else c for c in challs]
-        unrecognized = ", ".join(name for name in challs
-                                 if name not in challenges.Challenge.TYPES)
-        if unrecognized:
-            raise argparse.ArgumentTypeError(
-                "Unrecognized challenges: {0}".format(unrecognized))
-        namespace.pref_challs.extend(challenges.Challenge.TYPES[name]
-                                     for name in challs)
+        try:
+            challs = parse_preferred_challenges(pref_challs.split(","))
+        except errors.Error as error:
+            raise argparse.ArgumentTypeError(str(error))
+        namespace.pref_challs.extend(challs)
+
+
+def parse_preferred_challenges(pref_challs):
+    """Translate and validate preferred challenges.
+
+    :param pref_challs: list of preferred challenge types
+    :type pref_challs: `list` of `str`
+
+    :returns: validated list of preferred challenge types
+    :rtype: `list` of `str`
+
+    :raises errors.Error: if pref_challs is invalid
+
+    """
+    aliases = {"dns": "dns-01", "http": "http-01", "tls-sni": "tls-sni-01"}
+    challs = [c.strip() for c in pref_challs]
+    challs = [aliases.get(c, c) for c in challs]
+    unrecognized = ", ".join(name for name in challs
+                             if name not in challenges.Challenge.TYPES)
+    if unrecognized:
+        raise errors.Error(
+            "Unrecognized challenges: {0}".format(unrecognized))
+    return challs

certbot/main.py

@@ -100,7 +100,7 @@ def _auth_from_available(le_client, config, domains=None, certname=None, lineage
     try:
         if action == "renew":
             logger.info("Renewing an existing certificate")
-            renewal.renew_cert(config, le_client, lineage)
+            renewal.renew_cert(config, domains, le_client, lineage)
         elif action == "newcert":
             # TREAT AS NEW REQUEST
             logger.info("Obtaining a new certificate")

certbot/plugins/selection_test.py

@@ -6,6 +6,7 @@ import mock
 import zope.component
 
 from certbot.display import util as display_util
+from certbot.tests import util as test_util
 from certbot import interfaces
 
 
@@ -126,14 +127,14 @@ class ChoosePluginTest(unittest.TestCase):
         from certbot.plugins.selection import choose_plugin
         return choose_plugin(self.plugins, "Question?")
 
-    @mock.patch("certbot.plugins.selection.z_util")
+    @test_util.patch_get_utility("certbot.plugins.selection.z_util")
     def test_selection(self, mock_util):
         mock_util().menu.side_effect = [(display_util.OK, 0),
                                         (display_util.OK, 1)]
         self.assertEqual(self.mock_stand, self._call())
         self.assertEqual(mock_util().notification.call_count, 1)
 
-    @mock.patch("certbot.plugins.selection.z_util")
+    @test_util.patch_get_utility("certbot.plugins.selection.z_util")
     def test_more_info(self, mock_util):
         mock_util().menu.side_effect = [
             (display_util.HELP, 0),
@@ -144,7 +145,7 @@ class ChoosePluginTest(unittest.TestCase):
         self.assertEqual(self.mock_stand, self._call())
         self.assertEqual(mock_util().notification.call_count, 2)
 
-    @mock.patch("certbot.plugins.selection.z_util")
+    @test_util.patch_get_utility("certbot.plugins.selection.z_util")
     def test_no_choice(self, mock_util):
         mock_util().menu.return_value = (display_util.CANCEL, 0)
         self.assertTrue(self._call() is None)

certbot/renewal.py

@@ -35,7 +35,7 @@ INT_CONFIG_ITEMS = ["rsa_key_size", "tls_sni_01_port", "http01_port"]
 BOOL_CONFIG_ITEMS = ["must_staple", "allow_subset_of_names"]
 
 CONFIG_ITEMS = set(itertools.chain(
-    BOOL_CONFIG_ITEMS, INT_CONFIG_ITEMS, STR_CONFIG_ITEMS))
+    BOOL_CONFIG_ITEMS, INT_CONFIG_ITEMS, STR_CONFIG_ITEMS, ('pref_challs',)))
 
 
 def _reconstitute(config, full_path):
@@ -165,6 +165,7 @@ def restore_required_config_elements(config, renewalparams):
     """
 
     required_items = itertools.chain(
+        (("pref_challs", _restore_pref_challs),),
         six.moves.zip(BOOL_CONFIG_ITEMS, itertools.repeat(_restore_bool)),
         six.moves.zip(INT_CONFIG_ITEMS, itertools.repeat(_restore_int)),
         six.moves.zip(STR_CONFIG_ITEMS, itertools.repeat(_restore_str)))
@@ -174,6 +175,28 @@ def restore_required_config_elements(config, renewalparams):
             setattr(config.namespace, item_name, value)
 
 
+def _restore_pref_challs(unused_name, value):
+    """Restores preferred challenges from a renewal config file.
+
+    If value is a `str`, it should be a single challenge type.
+
+    :param str unused_name: option name
+    :param value: option value
+    :type value: `list` of `str` or `str`
+
+    :returns: converted option value to be stored in the runtime config
+    :rtype: `list` of `str`
+
+    :raises errors.Error: if value can't be converted to an bool
+
+    """
+    # If pref_challs has only one element, configobj saves the value
+    # with a trailing comma so it's parsed as a list. If this comma is
+    # removed by the user, the value is parsed as a str.
+    value = [value] if isinstance(value, str) else value
+    return cli.parse_preferred_challenges(value)
+
+
 def _restore_bool(name, value):
     """Restores an boolean key-value pair from a renewal config file.
 
@@ -263,12 +286,14 @@ def _avoid_invalidating_lineage(config, lineage, original_server):
                     "unless you use the --break-my-certs flag!".format(names))
 
 
-def renew_cert(config, le_client, lineage):
+def renew_cert(config, domains, le_client, lineage):
     "Renew a certificate lineage."
     renewal_params = lineage.configuration["renewalparams"]
     original_server = renewal_params.get("server", cli.flag_default("server"))
     _avoid_invalidating_lineage(config, lineage, original_server)
-    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(lineage.names())
+    if not domains:
+        domains = lineage.names()
+    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
     if config.dry_run:
         logger.debug("Dry run: skipping updating lineage at %s",
                     os.path.dirname(lineage.cert))
@@ -281,7 +306,7 @@ def renew_cert(config, le_client, lineage):
         lineage.save_successor(prior_version, new_cert, new_key.pem, new_chain, config)
         lineage.update_all_links_to(lineage.latest_common_version())
 
-    hooks.renew_hook(config, lineage.names(), lineage.live_dir)
+    hooks.renew_hook(config, domains, lineage.live_dir)
 
 
 def report(msgs, category):

certbot/tests/auth_handler_test.py

@@ -176,7 +176,8 @@ class GetAuthorizationsTest(unittest.TestCase):
         mock_poll.side_effect = self._validate_all
         self.mock_auth.get_chall_pref.return_value.append(challenges.HTTP01)
 
-        self.handler.pref_challs.extend((challenges.HTTP01, challenges.DNS01,))
+        self.handler.pref_challs.extend((challenges.HTTP01.typ,
+                                         challenges.DNS01.typ,))
 
         self.handler.get_authorizations(["0"])
 
@@ -187,7 +188,7 @@ class GetAuthorizationsTest(unittest.TestCase):
     def test_preferred_challenges_not_supported(self):
         self.mock_net.request_domain_challenges.side_effect = functools.partial(
             gen_dom_authzr, challs=acme_util.CHALLENGES)
-        self.handler.pref_challs.append(challenges.HTTP01)
+        self.handler.pref_challs.append(challenges.HTTP01.typ)
         self.assertRaises(
             errors.AuthorizationError, self.handler.get_authorizations, ["0"])
 

certbot/tests/cli_test.py

@@ -1,22 +1,22 @@
 """Tests for certbot.cli."""
 import argparse
-import functools
 import unittest
 import os
 import tempfile
 
-import six
 import mock
+import six
 from six.moves import reload_module  # pylint: disable=import-error
 
+from acme import challenges
+
 from certbot import cli
 from certbot import constants
 from certbot import errors
 from certbot.plugins import disco
 
-def reset_set_by_cli():
-    '''Reset the state of the `set_by_cli` function'''
-    cli.set_by_cli.detector = None
+PLUGINS = disco.PluginsRegistry.find_all()
+
 
 class TestReadFile(unittest.TestCase):
     '''Test cli.read_file'''
@@ -43,13 +43,13 @@ class ParseTest(unittest.TestCase):
 
     _multiprocess_can_split_ = True
 
-    @classmethod
-    def setUpClass(cls):
-        cls.plugins = disco.PluginsRegistry.find_all()
-        cls.parse = functools.partial(cli.prepare_and_parse_args, cls.plugins)
-
     def setUp(self):
-        reset_set_by_cli()
+        reload_module(cli)
+
+    @staticmethod
+    def parse(*args, **kwargs):
+        """Get result of cli.prepare_and_parse_args."""
+        return cli.prepare_and_parse_args(PLUGINS, *args, **kwargs)
 
     def _help_output(self, args):
         "Run a command, and return the ouput string for scrutiny"
@@ -88,7 +88,7 @@ class ParseTest(unittest.TestCase):
         self.assertTrue("{0}" not in out)
 
         out = self._help_output(['-h', 'nginx'])
-        if "nginx" in self.plugins:
+        if "nginx" in PLUGINS:
             # may be false while building distributions without plugins
             self.assertTrue("--nginx-ctl" in out)
         self.assertTrue("--webroot-path" not in out)
@@ -96,7 +96,7 @@ class ParseTest(unittest.TestCase):
 
         out = self._help_output(['-h'])
         self.assertTrue("letsencrypt-auto" not in out)  # test cli.cli_command
-        if "nginx" in self.plugins:
+        if "nginx" in PLUGINS:
             self.assertTrue("Use the Nginx plugin" in out)
         else:
             self.assertTrue("(the certbot nginx plugin is not" in out)
@@ -159,12 +159,12 @@ class ParseTest(unittest.TestCase):
         self.assertEqual(namespace.domains, ['example.com', 'another.net'])
 
     def test_preferred_challenges(self):
-        from acme.challenges import HTTP01, TLSSNI01, DNS01
-
         short_args = ['--preferred-challenges', 'http, tls-sni-01, dns']
         namespace = self.parse(short_args)
 
-        self.assertEqual(namespace.pref_challs, [HTTP01, TLSSNI01, DNS01])
+        expected = [challenges.HTTP01.typ,
+                    challenges.TLSSNI01.typ, challenges.DNS01.typ]
+        self.assertEqual(namespace.pref_challs, expected)
 
         short_args = ['--preferred-challenges', 'jumping-over-the-moon']
         self.assertRaises(argparse.ArgumentTypeError, self.parse, short_args)

certbot/tests/display/ops_test.py

@@ -115,17 +115,17 @@ class ChooseAccountTest(unittest.TestCase):
         from certbot.display import ops
         return ops.choose_account(accounts)
 
-    @mock.patch("certbot.display.ops.z_util")
+    @test_util.patch_get_utility("certbot.display.ops.z_util")
     def test_one(self, mock_util):
         mock_util().menu.return_value = (display_util.OK, 0)
         self.assertEqual(self._call([self.acc1]), self.acc1)
 
-    @mock.patch("certbot.display.ops.z_util")
+    @test_util.patch_get_utility("certbot.display.ops.z_util")
     def test_two(self, mock_util):
         mock_util().menu.return_value = (display_util.OK, 1)
         self.assertEqual(self._call([self.acc1, self.acc2]), self.acc2)
 
-    @mock.patch("certbot.display.ops.z_util")
+    @test_util.patch_get_utility("certbot.display.ops.z_util")
     def test_cancel(self, mock_util):
         mock_util().menu.return_value = (display_util.CANCEL, 1)
         self.assertTrue(self._call([self.acc1, self.acc2]) is None)
@@ -216,12 +216,12 @@ class ChooseNamesTest(unittest.TestCase):
         self._call(None)
         self.assertEqual(mock_manual.call_count, 1)
 
-    @mock.patch("certbot.display.ops.z_util")
+    @test_util.patch_get_utility("certbot.display.ops.z_util")
     def test_no_installer_cancel(self, mock_util):
         mock_util().input.return_value = (display_util.CANCEL, [])
         self.assertEqual(self._call(None), [])
 
-    @mock.patch("certbot.display.ops.z_util")
+    @test_util.patch_get_utility("certbot.display.ops.z_util")
     def test_no_names_choose(self, mock_util):
         self.mock_install().get_all_names.return_value = set()
         domain = "example.com"
@@ -272,7 +272,7 @@ class ChooseNamesTest(unittest.TestCase):
         self.assertEqual(_sort_names(to_sort), sortd)
 
 
-    @mock.patch("certbot.display.ops.z_util")
+    @test_util.patch_get_utility("certbot.display.ops.z_util")
     def test_filter_names_valid_return(self, mock_util):
         self.mock_install.get_all_names.return_value = set(["example.com"])
         mock_util().checklist.return_value = (display_util.OK, ["example.com"])
@@ -281,14 +281,14 @@ class ChooseNamesTest(unittest.TestCase):
         self.assertEqual(names, ["example.com"])
         self.assertEqual(mock_util().checklist.call_count, 1)
 
-    @mock.patch("certbot.display.ops.z_util")
+    @test_util.patch_get_utility("certbot.display.ops.z_util")
     def test_filter_names_nothing_selected(self, mock_util):
         self.mock_install.get_all_names.return_value = set(["example.com"])
         mock_util().checklist.return_value = (display_util.OK, [])
 
         self.assertEqual(self._call(self.mock_install), [])
 
-    @mock.patch("certbot.display.ops.z_util")
+    @test_util.patch_get_utility("certbot.display.ops.z_util")
     def test_filter_names_cancel(self, mock_util):
         self.mock_install.get_all_names.return_value = set(["example.com"])
         mock_util().checklist.return_value = (
@@ -307,7 +307,7 @@ class ChooseNamesTest(unittest.TestCase):
         self.assertEqual(get_valid_domains(all_invalid), [])
         self.assertEqual(len(get_valid_domains(two_valid)), 2)
 
-    @mock.patch("certbot.display.ops.z_util")
+    @test_util.patch_get_utility("certbot.display.ops.z_util")
     def test_choose_manually(self, mock_util):
         from certbot.display.ops import _choose_names_manually
         # No retry
@@ -350,7 +350,7 @@ class SuccessInstallationTest(unittest.TestCase):
         from certbot.display.ops import success_installation
         success_installation(names)
 
-    @mock.patch("certbot.display.ops.z_util")
+    @test_util.patch_get_utility("certbot.display.ops.z_util")
     def test_success_installation(self, mock_util):
         mock_util().notification.return_value = None
         names = ["example.com", "abc.com"]
@@ -372,7 +372,7 @@ class SuccessRenewalTest(unittest.TestCase):
         from certbot.display.ops import success_renewal
         success_renewal(names)
 
-    @mock.patch("certbot.display.ops.z_util")
+    @test_util.patch_get_utility("certbot.display.ops.z_util")
     def test_success_renewal(self, mock_util):
         mock_util().notification.return_value = None
         names = ["example.com", "abc.com"]
@@ -393,12 +393,16 @@ class SuccessRevocationTest(unittest.TestCase):
         from certbot.display.ops import success_revocation
         success_revocation(path)
 
-    @mock.patch("certbot.display.ops.z_util")
+    @test_util.patch_get_utility("certbot.display.ops.z_util")
     def test_success_revocation(self, mock_util):
         mock_util().notification.return_value = None
         path = "/path/to/cert.pem"
         self._call(path)
-        mock_util().notification.assert_called_once()
+        mock_util().notification.assert_called_once_with(
+            "Congratulations! You have successfully revoked the certificate "
+            "that was located at {0}{1}{1}".format(
+                path,
+                os.linesep), pause=False)
         self.assertTrue(path in mock_util().notification.call_args[0][0])
 
 if __name__ == "__main__":

certbot/tests/hook_test.py

@@ -5,16 +5,14 @@ import os
 import unittest
 
 import mock
+from six.moves import reload_module  # pylint: disable=import-error
 
 from certbot import errors
 from certbot import hooks
 
 class HookTest(unittest.TestCase):
     def setUp(self):
-        pass
-
-    def tearDown(self):
-        pass
+        reload_module(hooks)
 
     @mock.patch('certbot.hooks._prog')
     def test_validate_hooks(self, mock_prog):
@@ -47,7 +45,6 @@ class HookTest(unittest.TestCase):
             return mock_logger.warning
 
     def test_pre_hook(self):
-        hooks.pre_hook.already = set()
         config = mock.MagicMock(pre_hook="true")
         self._test_a_hook(config, hooks.pre_hook, 1)
         self._test_a_hook(config, hooks.pre_hook, 0)

certbot/tests/main_test.py

@@ -12,6 +12,7 @@ import datetime
 import pytz
 
 import six
+from six.moves import reload_module  # pylint: disable=import-error
 
 from acme import jose
 
@@ -422,10 +423,9 @@ class MainTest(unittest.TestCase):  # pylint: disable=too-many-public-methods
                               '--logs-dir', self.logs_dir, '--text']
 
     def tearDown(self):
-        shutil.rmtree(self.tmp_dir)
         # Reset globals in cli
-        # pylint: disable=protected-access
-        cli._parser = cli.set_by_cli.detector = None
+        reload_module(cli)
+        shutil.rmtree(self.tmp_dir)
 
     def _call(self, args, stdout=None):
         "Run the cli with output streams and actual client mocked out"
@@ -862,8 +862,9 @@ class MainTest(unittest.TestCase):  # pylint: disable=too-many-public-methods
         test_util.make_lineage(self, 'sample-renewal.conf')
         args = ["renew", "--dry-run", "--post-hook=no-such-command",
                 "--disable-hook-validation"]
-        self._test_renewal_common(True, [], args=args, should_renew=True,
-                                  error_expected=False)
+        with mock.patch("certbot.hooks.post_hook"):
+            self._test_renewal_common(True, [], args=args, should_renew=True,
+                                      error_expected=False)
 
     @mock.patch("certbot.cli.set_by_cli")
     def test_ancient_webroot_renewal_conf(self, mock_set_by_cli):

certbot/tests/renewal_test.py

@@ -4,6 +4,8 @@ import mock
 import unittest
 import tempfile
 
+from acme import challenges
+
 from certbot import configuration
 from certbot import errors
 from certbot import storage
@@ -53,6 +55,29 @@ class RestoreRequiredConfigElementsTest(unittest.TestCase):
         self.assertRaises(
             errors.Error, self._call, self.config, renewalparams)
 
+    @mock.patch('certbot.renewal.cli.set_by_cli')
+    def test_pref_challs_list(self, mock_set_by_cli):
+        mock_set_by_cli.return_value = False
+        renewalparams = {'pref_challs': 'tls-sni, http-01, dns'.split(',')}
+        self._call(self.config, renewalparams)
+        expected = [challenges.TLSSNI01.typ,
+                    challenges.HTTP01.typ, challenges.DNS01.typ]
+        self.assertEqual(self.config.namespace.pref_challs, expected)
+
+    @mock.patch('certbot.renewal.cli.set_by_cli')
+    def test_pref_challs_str(self, mock_set_by_cli):
+        mock_set_by_cli.return_value = False
+        renewalparams = {'pref_challs': 'dns'}
+        self._call(self.config, renewalparams)
+        expected = [challenges.DNS01.typ]
+        self.assertEqual(self.config.namespace.pref_challs, expected)
+
+    @mock.patch('certbot.renewal.cli.set_by_cli')
+    def test_pref_challs_failure(self, mock_set_by_cli):
+        mock_set_by_cli.return_value = False
+        renewalparams = {'pref_challs': 'finding-a-shrubbery'}
+        self.assertRaises(errors.Error, self._call, self.config, renewalparams)
+
     @mock.patch('certbot.renewal.cli.set_by_cli')
     def test_must_staple_success(self, mock_set_by_cli):
         mock_set_by_cli.return_value = False

docs/cli-help.txt

@@ -1,39 +1,61 @@
-usage:
-  certbot [SUBCOMMAND] [options] [-d domain] [-d domain] ...
+usage: 
+  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
 
 Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
 it will attempt to use a webserver both for obtaining and installing the
-cert. Major SUBCOMMANDS are:
+cert. The most common SUBCOMMANDS and flags are:
 
-  (default) run        Obtain & install a cert in your current webserver
-  certonly             Obtain cert, but do not install it (aka "auth")
-  install              Install a previously obtained cert in a server
-  renew                Renew previously obtained certs that are near expiry
-  revoke               Revoke a previously obtained certificate
-  register             Perform tasks related to registering with the CA
-  rollback             Rollback server configuration changes made during install
-  config_changes       Show changes made to server config during installation
-  plugins              Display information about installed plugins
+obtain, install, and renew certificates:
+    (default) run   Obtain & install a cert in your current webserver
+    certonly        Obtain or renew a cert, but do not install it
+    renew           Renew all previously obtained certs that are near expiry
+   -d DOMAINS       Comma-separated list of domains to obtain a cert for
+
+  --apache          Use the Apache plugin for authentication & installation
+  --standalone      Run a standalone webserver for authentication
+  --nginx           Use the Nginx plugin for authentication & installation
+  --webroot         Place files in a server's webroot folder for authentication
+  --manual          Obtain certs interactively, or using shell script hooks
+
+   -n               Run non-interactively
+  --test-cert       Obtain a test cert from a staging server
+  --dry-run         Test "renew" or "certonly" without saving any certs to disk
+
+manage certificates:
+    certificates    Display information about certs you have from Certbot
+    revoke          Revoke a certificate (supply --cert-path)
+    delete          Delete a certificate
+
+manage your account with Let's Encrypt:
+    register        Create a Let's Encrypt ACME account
+  --agree-tos       Agree to the ACME server's Subscriber Agreement
+   -m EMAIL         Email address for important account notifications
 
 optional arguments:
   -h, --help            show this help message and exit
   -c CONFIG_FILE, --config CONFIG_FILE
-                        config file path (default: None)
+                        path to config file (default: /etc/letsencrypt/cli.ini
+                        and ~/.config/letsencrypt/cli.ini)
   -v, --verbose         This flag can be used multiple times to incrementally
                         increase the verbosity of output, e.g. -vvv. (default:
                         -2)
-  -t, --text            Use the text output instead of the curses UI.
-                        (default: False)
   -n, --non-interactive, --noninteractive
                         Run without ever asking for user input. This may
                         require additional command line flags; the client will
                         try to explain which ones are required if it finds one
                         missing (default: False)
-  --dialog              Run using interactive dialog menus (default: False)
+  --force-interactive   Force Certbot to be interactive even if it detects
+                        it's not being run in a terminal. This flag cannot be
+                        used with the renew subcommand. (default: False)
   -d DOMAIN, --domains DOMAIN, --domain DOMAIN
                         Domain names to apply. For multiple domains you can
                         use multiple -d flags or enter a comma separated list
-                        of domains as a parameter. (default: [])
+                        of domains as a parameter. (default: Ask)
+  --cert-name CERTNAME  Certificate name to apply. Only one certificate name
+                        can be used per Certbot run. To see certificate names,
+                        run 'certbot certificates'. When creating a new
+                        certificate, specifies the new certificate's name.
+                        (default: None)
   --dry-run             Perform a test run of the client, obtaining test
                         (invalid) certs but not saving them to disk. This can
                         currently only be used with the 'certonly' and 'renew'
@@ -48,6 +70,219 @@ optional arguments:
                         because they may be necessary to accurately simulate
                         renewal. --renew-hook commands are not called.
                         (default: False)
+  --preferred-challenges PREF_CHALLS
+                        A sorted, comma delimited list of the preferred
+                        challenge to use during authorization with the most
+                        preferred challenge listed first (Eg, "dns" or "tls-
+                        sni-01,http,dns"). Not all plugins support all
+                        challenges. See
+                        https://certbot.eff.org/docs/using.html#plugins for
+                        details. ACME Challenges are versioned, but if you
+                        pick "http" rather than "http-01", Certbot will select
+                        the latest version automatically. (default: [])
+  --user-agent USER_AGENT
+                        Set a custom user agent string for the client. User
+                        agent strings allow the CA to collect high level
+                        statistics about success rates by OS and plugin. If
+                        you wish to hide your server OS version from the Let's
+                        Encrypt server, set this to "". (default:
+                        CertbotACMEClient/0.10.2 (Ubuntu 16.04.1 LTS)
+                        Authenticator/XXX Installer/YYY)
+
+automation:
+  Arguments for automating execution & other tweaks
+
+  --keep-until-expiring, --keep, --reinstall
+                        If the requested cert matches an existing cert, always
+                        keep the existing one until it is due for renewal (for
+                        the 'run' subcommand this means reinstall the existing
+                        cert). (default: Ask)
+  --expand              If an existing cert covers some subset of the
+                        requested names, always expand and replace it with the
+                        additional names. (default: Ask)
+  --version             show program's version number and exit
+  --force-renewal, --renew-by-default
+                        If a certificate already exists for the requested
+                        domains, renew it now, regardless of whether it is
+                        near expiry. (Often --keep-until-expiring is more
+                        appropriate). Also implies --expand. (default: False)
+  --renew-with-new-domains
+                        If a certificate already exists for the requested
+                        certificate name but does not match the requested
+                        domains, renew it now, regardless of whether it is
+                        near expiry. (default: False)
+  --allow-subset-of-names
+                        When performing domain validation, do not consider it
+                        a failure if authorizations can not be obtained for a
+                        strict subset of the requested domains. This may be
+                        useful for allowing renewals for multiple domains to
+                        succeed even if some domains no longer point at this
+                        system. This option cannot be used with --csr.
+                        (default: False)
+  --agree-tos           Agree to the ACME Subscriber Agreement (default: Ask)
+  --account ACCOUNT_ID  Account ID to use (default: None)
+  --duplicate           Allow making a certificate lineage that duplicates an
+                        existing one (both can be renewed in parallel)
+                        (default: False)
+  --os-packages-only    (certbot-auto only) install OS package dependencies
+                        and then stop (default: False)
+  --no-self-upgrade     (certbot-auto only) prevent the certbot-auto script
+                        from upgrading itself to newer released versions
+                        (default: Upgrade automatically)
+  -q, --quiet           Silence all output except errors. Useful for
+                        automation via cron. Implies --non-interactive.
+                        (default: False)
+
+security:
+  Security parameters & server settings
+
+  --rsa-key-size N      Size of the RSA key. (default: 2048)
+  --must-staple         Adds the OCSP Must Staple extension to the
+                        certificate. Autoconfigures OCSP Stapling for
+                        supported setups (Apache version >= 2.3.3 ). (default:
+                        False)
+  --redirect            Automatically redirect all HTTP traffic to HTTPS for
+                        the newly authenticated vhost. (default: Ask)
+  --no-redirect         Do not automatically redirect all HTTP traffic to
+                        HTTPS for the newly authenticated vhost. (default:
+                        Ask)
+  --hsts                Add the Strict-Transport-Security header to every HTTP
+                        response. Forcing browser to always use SSL for the
+                        domain. Defends against SSL Stripping. (default:
+                        False)
+  --uir                 Add the "Content-Security-Policy: upgrade-insecure-
+                        requests" header to every HTTP response. Forcing the
+                        browser to use https:// for every http:// resource.
+                        (default: None)
+  --staple-ocsp         Enables OCSP Stapling. A valid OCSP response is
+                        stapled to the certificate that the server offers
+                        during TLS. (default: None)
+  --strict-permissions  Require that all configuration files are owned by the
+                        current user; only needed if your config is somewhere
+                        unsafe like /tmp/ (default: False)
+
+testing:
+  The following flags are meant for testing and integration purposes only.
+
+  --test-cert, --staging
+                        Use the staging server to obtain or revoke test
+                        (invalid) certs; equivalent to --server https://acme-
+                        staging.api.letsencrypt.org/directory (default: False)
+  --debug               Show tracebacks in case of errors, and allow certbot-
+                        auto execution on experimental platforms (default:
+                        False)
+  --no-verify-ssl       Disable verification of the ACME server's certificate.
+                        (default: False)
+  --tls-sni-01-port TLS_SNI_01_PORT
+                        Port used during tls-sni-01 challenge. This only
+                        affects the port Certbot listens on. A conforming ACME
+                        server will still attempt to connect on port 443.
+                        (default: 443)
+  --http-01-port HTTP01_PORT
+                        Port used in the http-01 challenge. This only affects
+                        the port Certbot listens on. A conforming ACME server
+                        will still attempt to connect on port 80. (default:
+                        80)
+  --break-my-certs      Be willing to replace or renew valid certs with
+                        invalid (testing/staging) certs (default: False)
+
+paths:
+  Arguments changing execution paths & servers
+
+  --cert-path CERT_PATH
+                        Path to where cert is saved (with auth --csr),
+                        installed from, or revoked. (default: None)
+  --key-path KEY_PATH   Path to private key for cert installation or
+                        revocation (if account key is missing) (default: None)
+  --chain-path CHAIN_PATH
+                        Accompanying path to a certificate chain. (default:
+                        None)
+  --config-dir CONFIG_DIR
+                        Configuration directory. (default: /etc/letsencrypt)
+  --work-dir WORK_DIR   Working directory. (default: /var/lib/letsencrypt)
+  --logs-dir LOGS_DIR   Logs directory. (default: /var/log/letsencrypt)
+  --server SERVER       ACME Directory Resource URI. (default:
+                        https://acme-v01.api.letsencrypt.org/directory)
+
+manage:
+  Various subcommands and flags are available for managing your
+  certificates:
+
+  certificates          List certificates managed by Certbot
+  delete                Clean up all files related to a certificate
+  renew                 Renew all certificates (or one specifed with --cert-
+                        name)
+  revoke                Revoke a certificate specified with --cert-path
+  update_symlinks       Recreate symlinks in your /etc/letsencrypt/live/
+                        directory
+
+run:
+  Options for obtaining & installing certs
+
+certonly:
+  Options for modifying how a cert is obtained
+
+  --csr CSR             Path to a Certificate Signing Request (CSR) in DER or
+                        PEM format. Currently --csr only works with the
+                        'certonly' subcommand. (default: None)
+
+renew:
+  The 'renew' subcommand will attempt to renew all certificates (or more
+  precisely, certificate lineages) you have previously obtained if they are
+  close to expiry, and print a summary of the results. By default, 'renew'
+  will reuse the options used to create obtain or most recently successfully
+  renew each certificate lineage. You can try it with `--dry-run` first. For
+  more fine-grained control, you can renew individual lineages with the
+  `certonly` subcommand. Hooks are available to run commands before and
+  after renewal; see https://certbot.eff.org/docs/using.html#renewal for
+  more information on these.
+
+  --pre-hook PRE_HOOK   Command to be run in a shell before obtaining any
+                        certificates. Intended primarily for renewal, where it
+                        can be used to temporarily shut down a webserver that
+                        might conflict with the standalone plugin. This will
+                        only be called if a certificate is actually to be
+                        obtained/renewed. When renewing several certificates
+                        that have identical pre-hooks, only the first will be
+                        executed. (default: None)
+  --post-hook POST_HOOK
+                        Command to be run in a shell after attempting to
+                        obtain/renew certificates. Can be used to deploy
+                        renewed certificates, or to restart any servers that
+                        were stopped by --pre-hook. This is only run if an
+                        attempt was made to obtain/renew a certificate. If
+                        multiple renewed certificates have identical post-
+                        hooks, only one will be run. (default: None)
+  --renew-hook RENEW_HOOK
+                        Command to be run in a shell once for each
+                        successfully renewed certificate. For this command,
+                        the shell variable $RENEWED_LINEAGE will point to the
+                        config live subdirectory containing the new certs and
+                        keys; the shell variable $RENEWED_DOMAINS will contain
+                        a space-delimited list of renewed cert domains
+                        (default: None)
+  --disable-hook-validation
+                        Ordinarily the commands specified for --pre-hook
+                        /--post-hook/--renew-hook will be checked for
+                        validity, to see if the programs being run are in the
+                        $PATH, so that mistakes can be caught early, even when
+                        the hooks aren't being run just yet. The validation is
+                        rather simplistic and fails if you use more advanced
+                        shell constructs, so you can use this switch to
+                        disable it. (default: False)
+
+certificates:
+  List certificates managed by Certbot
+
+delete:
+  Options for deleting a certificate
+
+revoke:
+  Options for revocation of certs
+
+register:
+  Options for account registration & modification
+
   --register-unsafely-without-email
                         Specifying this flag enables registering an account
                         with no email address. This is strongly discouraged,
@@ -65,220 +300,38 @@ optional arguments:
                         registering a new account. (default: False)
   -m EMAIL, --email EMAIL
                         Email used for registration and recovery contact.
-                        (default: None)
-  --preferred-challenges PREF_CHALLS
-                        A sorted, comma delimited list of the preferred
-                        challenge to use during authorization with the most
-                        preferred challenge listed first (Eg, "dns" or "tls-
-                        sni-01,http,dns"). Not all plugins support all
-                        challenges. See
-                        https://certbot.eff.org/docs/using.html#plugins for
-                        details. ACME Challenges are versioned, but if you
-                        pick "http" rather than "http-01", Certbot will select
-                        the latest version automatically. (default: [])
-  --user-agent USER_AGENT
-                        Set a custom user agent string for the client. User
-                        agent strings allow the CA to collect high level
-                        statistics about success rates by OS and plugin. If
-                        you wish to hide your server OS version from the Let's
-                        Encrypt server, set this to "". (default: None)
-
-automation:
-  Arguments for automating execution & other tweaks
-
-  --keep-until-expiring, --keep, --reinstall
-                        If the requested cert matches an existing cert, always
-                        keep the existing one until it is due for renewal (for
-                        the 'run' subcommand this means reinstall the existing
-                        cert) (default: False)
-  --expand              If an existing cert covers some subset of the
-                        requested names, always expand and replace it with the
-                        additional names. (default: False)
-  --version             show program's version number and exit
-  --force-renewal, --renew-by-default
-                        If a certificate already exists for the requested
-                        domains, renew it now, regardless of whether it is
-                        near expiry. (Often --keep-until-expiring is more
-                        appropriate). Also implies --expand. (default: False)
-  --allow-subset-of-names
-                        When performing domain validation, do not consider it
-                        a failure if authorizations can not be obtained for a
-                        strict subset of the requested domains. This may be
-                        useful for allowing renewals for multiple domains to
-                        succeed even if some domains no longer point at this
-                        system. This option cannot be used with --csr.
-                        (default: False)
-  --agree-tos           Agree to the ACME Subscriber Agreement (default:
-                        False)
-  --account ACCOUNT_ID  Account ID to use (default: None)
-  --duplicate           Allow making a certificate lineage that duplicates an
-                        existing one (both can be renewed in parallel)
-                        (default: False)
-  --os-packages-only    (certbot-auto only) install OS package dependencies
-                        and then stop (default: False)
-  --no-self-upgrade     (certbot-auto only) prevent the certbot-auto script
-                        from upgrading itself to newer released versions
-                        (default: False)
-  -q, --quiet           Silence all output except errors. Useful for
-                        automation via cron. Implies --non-interactive.
-                        (default: False)
-
-security:
-  Security parameters & server settings
-
-  --rsa-key-size N      Size of the RSA key. (default: 2048)
-  --must-staple         Adds the OCSP Must Staple extension to the
-                        certificate. Autoconfigures OCSP Stapling for
-                        supported setups (Apache version >= 2.3.3 ). (default:
-                        False)
-  --redirect            Automatically redirect all HTTP traffic to HTTPS for
-                        the newly authenticated vhost. (default: None)
-  --no-redirect         Do not automatically redirect all HTTP traffic to
-                        HTTPS for the newly authenticated vhost. (default:
-                        None)
-  --hsts                Add the Strict-Transport-Security header to every HTTP
-                        response. Forcing browser to always use SSL for the
-                        domain. Defends against SSL Stripping. (default:
-                        False)
-  --no-hsts             Do not automatically add the Strict-Transport-Security
-                        header to every HTTP response. (default: False)
-  --uir                 Add the "Content-Security-Policy: upgrade-insecure-
-                        requests" header to every HTTP response. Forcing the
-                        browser to use https:// for every http:// resource.
-                        (default: None)
-  --no-uir              Do not automatically set the "Content-Security-Policy:
-                        upgrade-insecure-requests" header to every HTTP
-                        response. (default: None)
-  --staple-ocsp         Enables OCSP Stapling. A valid OCSP response is
-                        stapled to the certificate that the server offers
-                        during TLS. (default: None)
-  --no-staple-ocsp      Do not automatically enable OCSP Stapling. (default:
-                        None)
-  --strict-permissions  Require that all configuration files are owned by the
-                        current user; only needed if your config is somewhere
-                        unsafe like /tmp/ (default: False)
-
-testing:
-  The following flags are meant for testing purposes only! Do NOT change
-  them, unless you really know what you're doing!
-
-  --test-cert, --staging
-                        Use the staging server to obtain test (invalid) certs;
-                        equivalent to --server https://acme-
-                        staging.api.letsencrypt.org/directory (default: False)
-  --debug               Show tracebacks in case of errors, and allow certbot-
-                        auto execution on experimental platforms (default:
-                        False)
-  --no-verify-ssl       Disable verification of the ACME server's certificate.
-                        (default: False)
-  --break-my-certs      Be willing to replace or renew valid certs with
-                        invalid (testing/staging) certs (default: False)
-
-renew:
-  The 'renew' subcommand will attempt to renew all certificates (or more
-  precisely, certificate lineages) you have previously obtained if they are
-  close to expiry, and print a summary of the results. By default, 'renew'
-  will reuse the options used to create, obtain or most recently successfully
-  renew each certificate lineage. You can try it with `--dry-run` first. For
-  more fine-grained control, you can renew individual lineages with the
-  `certonly` subcommand. Hooks are available to run commands before and
-  after renewal; see https://certbot.eff.org/docs/using.html#renewal for
-  more information on these.
-
-  --pre-hook PRE_HOOK   Command to be run in a shell before obtaining any
-                        certificates. Intended primarily for renewal, where it
-                        can be used to temporarily shut down a webserver that
-                        might conflict with the standalone plugin. This will
-                        only be called if a certificate is actually to be
-                        obtained/renewed. (default: None)
-  --post-hook POST_HOOK
-                        Command to be run in a shell after attempting to
-                        obtain/renew certificates. Can be used to deploy
-                        renewed certificates, or to restart any servers that
-                        were stopped by --pre-hook. This is only run if an
-                        attempt was made to obtain/renew a certificate.
-                        (default: None)
-  --renew-hook RENEW_HOOK
-                        Command to be run in a shell once for each
-                        successfully renewed certificate. For this command,
-                        the shell variable $RENEWED_LINEAGE will point to the
-                        config live subdirectory containing the new certs and
-                        keys; the shell variable $RENEWED_DOMAINS will contain
-                        a space-delimited list of renewed cert domains
-                        (default: None)
-  --disable-hook-validation
-                        Ordinarily the commands specified for --pre-hook
-                        /--post-hook/--renew-hook will be checked for
-                        validity, to see if the programs being run are in the
-                        $PATH, so that mistakes can be caught early, even when
-                        the hooks aren't being run just yet. The validation is
-                        rather simplistic and fails if you use more advanced
-                        shell constructs, so you can use this switch to
-                        disable it. (default: True)
-
-certonly:
-  Options for modifying how a cert is obtained
-
-  --tls-sni-01-port TLS_SNI_01_PORT
-                        Port used during tls-sni-01 challenge. This only
-                        affects the port Certbot listens on. A conforming ACME
-                        server will still attempt to connect on port 443.
-                        (default: 443)
-  --http-01-port HTTP01_PORT
-                        Port used in the http-01 challenge. This only affects
-                        the port Certbot listens on. A conforming ACME server
-                        will still attempt to connect on port 80. (default:
-                        80)
-  --csr CSR             Path to a Certificate Signing Request (CSR) in DER or
-                        PEM format. Currently --csr only works with the
-                        'certonly' subcommand. (default: None)
+                        (default: Ask)
 
 install:
   Options for modifying how a cert is deployed
 
-revoke:
-  Options for revocation of certs
+  --fullchain-path FULLCHAIN_PATH
+                        Accompanying path to a full certificate chain (cert
+                        plus chain). (default: None)
+
+config_changes:
+  Options for controlling which changes are displayed
+
+  --num NUM             How many past revisions you want to be displayed
+                        (default: None)
 
 rollback:
-  Options for reverting config changes
+  Options for rolling back server configuration changes
 
   --checkpoints N       Revert configuration N number of checkpoints.
                         (default: 1)
 
 plugins:
-  Options for the "plugins" subcommand
+  Options for for the "plugins" subcommand
 
   --init                Initialize plugins. (default: False)
   --prepare             Initialize and prepare plugins. (default: False)
   --authenticators      Limit to authenticator plugins only. (default: None)
   --installers          Limit to installer plugins only. (default: None)
 
-config_changes:
-  Options for showing a history of config changes
-
-  --num NUM             How many past revisions you want to be displayed
-                        (default: None)
-
-paths:
-  Arguments changing execution paths & servers
-
-  --cert-path CERT_PATH
-                        Path to where cert is saved (with auth --csr),
-                        installed from or revoked. (default: None)
-  --key-path KEY_PATH   Path to private key for cert installation or
-                        revocation (if account key is missing) (default: None)
-  --fullchain-path FULLCHAIN_PATH
-                        Accompanying path to a full certificate chain (cert
-                        plus chain). (default: None)
-  --chain-path CHAIN_PATH
-                        Accompanying path to a certificate chain. (default:
-                        None)
-  --config-dir CONFIG_DIR
-                        Configuration directory. (default: /etc/letsencrypt)
-  --work-dir WORK_DIR   Working directory. (default: /var/lib/letsencrypt)
-  --logs-dir LOGS_DIR   Logs directory. (default: /var/log/letsencrypt)
-  --server SERVER       ACME Directory Resource URI. (default:
-                        https://acme-v01.api.letsencrypt.org/directory)
+update_symlinks:
+  Recreates cert and key symlinks in /etc/letsencrypt/live, if you changed
+  them by hand or edited a renewal configuration file
 
 plugins:
   Plugin Selection: Certbot client supports an extensible plugins
@@ -287,15 +340,15 @@ plugins:
   provided below. Running --help <plugin_name> will list flags specific to
   that plugin.
 
+  --configurator CONFIGURATOR
+                        Name of the plugin that is both an authenticator and
+                        an installer. Should not be used together with
+                        --authenticator or --installer. (default: Ask)
   -a AUTHENTICATOR, --authenticator AUTHENTICATOR
                         Authenticator plugin name. (default: None)
   -i INSTALLER, --installer INSTALLER
                         Installer plugin name (also used to find domains).
                         (default: None)
-  --configurator CONFIGURATOR
-                        Name of the plugin that is both an authenticator and
-                        an installer. Should not be used together with
-                        --authenticator or --installer. (default: None)
   --apache              Obtain and install certs using Apache (default: False)
   --nginx               Obtain and install certs using Nginx (default: False)
   --standalone          Obtain certs using a "standalone" webserver. (default:
@@ -318,13 +371,24 @@ standalone:
   Spin up a temporary webserver
 
 manual:
-  Manually configure an HTTP server
+  Authenticate through manual configuration or custom shell scripts. When
+  using shell scripts, an authenticator script must be provided. The
+  environment variables available to this script are $CERTBOT_DOMAIN which
+  contains the domain being authenticated, $CERTBOT_VALIDATION which is the
+  validation string, and $CERTBOT_TOKEN which is the filename of the
+  resource requested when performing an HTTP-01 challenge. An additional
+  cleanup script can also be provided and can use the additional variable
+  $CERTBOT_AUTH_OUTPUT which contains the stdout output from the auth
+  script.
 
-  --manual-test-mode    Test mode. Executes the manual command in subprocess.
-                        (default: False)
+  --manual-auth-hook MANUAL_AUTH_HOOK
+                        Path or command to execute for the authentication
+                        script (default: None)
+  --manual-cleanup-hook MANUAL_CLEANUP_HOOK
+                        Path or command to execute for the cleanup script
+                        (default: None)
   --manual-public-ip-logging-ok
-                        Automatically allows public IP logging. (default:
-                        False)
+                        Automatically allows public IP logging (default: Ask)
 
 webroot:
   Place files in webroot directory
@@ -335,7 +399,7 @@ webroot:
                         domain will have the webroot path that preceded it.
                         For instance: `-w /var/www/example -d example.com -d
                         www.example.com -w /var/www/thing -d thing.net -d
-                        m.thing.net` (default: [])
+                        m.thing.net` (default: Ask)
   --webroot-map WEBROOT_MAP
                         JSON dictionary mapping domains to webroot paths; this
                         implies -d for each entry. You may need to escape this

letsencrypt-auto

@@ -15,11 +15,15 @@ set -e  # Work even if somebody does "sh thisscript.sh".
 
 # Note: you can set XDG_DATA_HOME or VENV_PATH before running this script,
 # if you want to change where the virtual environment will be installed
-XDG_DATA_HOME=${XDG_DATA_HOME:-~/.local/share}
+if [ -z "$XDG_DATA_HOME" ]; then
+  XDG_DATA_HOME=~/.local/share
+fi
 VENV_NAME="letsencrypt"
-VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"}
+if [ -z "$VENV_PATH" ]; then
+  VENV_PATH="$XDG_DATA_HOME/$VENV_NAME"
+fi
 VENV_BIN="$VENV_PATH/bin"
-LE_AUTO_VERSION="0.9.3"
+LE_AUTO_VERSION="0.10.2"
 BASENAME=$(basename $0)
 USAGE="Usage: $BASENAME [OPTIONS]
 A self-updating wrapper script for the Certbot ACME client. When run, updates
@@ -58,6 +62,7 @@ for arg in "$@" ; do
     --verbose)
       VERBOSE=1;;
     -[!-]*)
+      OPTIND=1
       while getopts ":hnvq" short_arg $arg; do
         case "$short_arg" in
           h)
@@ -79,43 +84,74 @@ if [ $BASENAME = "letsencrypt-auto" ]; then
   HELP=0
 fi
 
+# Support for busybox and others where there is no "command",
+# but "which" instead
+if command -v command > /dev/null 2>&1 ; then
+  export EXISTS="command -v"
+elif which which > /dev/null 2>&1 ; then
+  export EXISTS="which"
+else
+  echo "Cannot find command nor which... please install one!"
+  exit 1
+fi
+
 # certbot-auto needs root access to bootstrap OS dependencies, and
 # certbot itself needs root access for almost all modes of operation
 # The "normal" case is that sudo is used for the steps that need root, but
 # this script *can* be run as root (not recommended), or fall back to using
-# `su`
+# `su`. Auto-detection can be overrided by explicitly setting the
+# environment variable LE_AUTO_SUDO to 'sudo', 'sudo_su' or '' as used below.
+
+# Because the parameters in `su -c` has to be a string,
+# we need to properly escape it.
+su_sudo() {
+  args=""
+  # This `while` loop iterates over all parameters given to this function.
+  # For each parameter, all `'` will be replace by `'"'"'`, and the escaped string
+  # will be wrapped in a pair of `'`, then appended to `$args` string
+  # For example, `echo "It's only 1\$\!"` will be escaped to:
+  #   'echo' 'It'"'"'s only 1$!'
+  #     │       │└┼┘│
+  #     │       │ │ └── `'s only 1$!'` the literal string
+  #     │       │ └── `\"'\"` is a single quote (as a string)
+  #     │       └── `'It'`, to be concatenated with the strings following it
+  #     └── `echo` wrapped in a pair of `'`, it's totally fine for the shell command itself
+  while [ $# -ne 0 ]; do
+    args="$args'$(printf "%s" "$1" | sed -e "s/'/'\"'\"'/g")' "
+    shift
+  done
+  su root -c "$args"
+}
+
 SUDO_ENV=""
 export CERTBOT_AUTO="$0"
-if test "`id -u`" -ne "0" ; then
-  if command -v sudo 1>/dev/null 2>&1; then
-    SUDO=sudo
-    SUDO_ENV="CERTBOT_AUTO=$0"
-  else
-    echo \"sudo\" is not available, will use \"su\" for installation steps...
-    # Because the parameters in `su -c` has to be a string,
-    # we need properly escape it
-    su_sudo() {
-      args=""
-      # This `while` loop iterates over all parameters given to this function.
-      # For each parameter, all `'` will be replace by `'"'"'`, and the escaped string
-      # will be wrapped in a pair of `'`, then appended to `$args` string
-      # For example, `echo "It's only 1\$\!"` will be escaped to:
-      #   'echo' 'It'"'"'s only 1$!'
-      #     │       │└┼┘│
-      #     │       │ │ └── `'s only 1$!'` the literal string
-      #     │       │ └── `\"'\"` is a single quote (as a string)
-      #     │       └── `'It'`, to be concatenated with the strings following it
-      #     └── `echo` wrapped in a pair of `'`, it's totally fine for the shell command itself
-      while [ $# -ne 0 ]; do
-        args="$args'$(printf "%s" "$1" | sed -e "s/'/'\"'\"'/g")' "
-        shift
-      done
-      su root -c "$args"
-    }
-    SUDO=su_sudo
-  fi
+if [ -n "${LE_AUTO_SUDO+x}" ]; then
+  case "$LE_AUTO_SUDO" in
+    su_sudo|su)
+      SUDO=su_sudo
+      ;;
+    sudo)
+      SUDO=sudo
+      SUDO_ENV="CERTBOT_AUTO=$0"
+      ;;
+    '') ;; # Nothing to do for plain root method.
+    *)
+      echo "Error: unknown root authorization mechanism '$LE_AUTO_SUDO'."
+      exit 1
+  esac
+  echo "Using preset root authorization mechanism '$LE_AUTO_SUDO'."
 else
-  SUDO=
+  if test "`id -u`" -ne "0" ; then
+    if $EXISTS sudo 1>/dev/null 2>&1; then
+      SUDO=sudo
+      SUDO_ENV="CERTBOT_AUTO=$0"
+    else
+      echo \"sudo\" is not available, will use \"su\" for installation steps...
+      SUDO=su_sudo
+    fi
+  else
+    SUDO=
+  fi
 fi
 
 ExperimentalBootstrap() {
@@ -136,7 +172,7 @@ ExperimentalBootstrap() {
 DeterminePythonVersion() {
   for LE_PYTHON in "$LE_PYTHON" python2.7 python27 python2 python; do
     # Break (while keeping the LE_PYTHON value) if found.
-    command -v "$LE_PYTHON" > /dev/null && break
+    $EXISTS "$LE_PYTHON" > /dev/null && break
   done
   if [ "$?" != "0" ]; then
     echo "Cannot find any Pythons; please install one!"
@@ -177,19 +213,22 @@ BootstrapDebCommon() {
   # distro version (#346)
 
   virtualenv=
-  if apt-cache show virtualenv > /dev/null 2>&1 && ! apt-cache --quiet=0 show virtualenv 2>&1 | grep -q 'No packages found'; then
-    virtualenv="virtualenv"
+  # virtual env is known to apt and is installable
+  if apt-cache show virtualenv > /dev/null 2>&1 ; then
+      if ! LC_ALL=C apt-cache --quiet=0 show virtualenv 2>&1 | grep -q 'No packages found'; then
+          virtualenv="virtualenv"
+      fi
   fi
 
   if apt-cache show python-virtualenv > /dev/null 2>&1; then
-    virtualenv="$virtualenv python-virtualenv"
+      virtualenv="$virtualenv python-virtualenv"
   fi
 
   augeas_pkg="libaugeas0 augeas-lenses"
-  AUGVERSION=`apt-cache show --no-all-versions libaugeas0 | grep ^Version: | cut -d" " -f2`
+  AUGVERSION=`LC_ALL=C apt-cache show --no-all-versions libaugeas0 | grep ^Version: | cut -d" " -f2`
 
   if [ "$ASSUME_YES" = 1 ]; then
-    YES_FLAG="-y"
+      YES_FLAG="-y"
   fi
 
   AddBackportRepo() {
@@ -248,15 +287,15 @@ BootstrapDebCommon() {
     python-dev \
     $virtualenv \
     gcc \
-    dialog \
     $augeas_pkg \
     libssl-dev \
+    openssl \
     libffi-dev \
     ca-certificates \
 
 
 
-  if ! command -v virtualenv > /dev/null ; then
+  if ! $EXISTS virtualenv > /dev/null ; then
     echo Failed to install a working \"virtualenv\" command, exiting
     exit 1
   fi
@@ -307,7 +346,6 @@ BootstrapRpmCommon() {
 
   pkgs="
     gcc
-    dialog
     augeas-libs
     openssl
     openssl-devel
@@ -361,7 +399,6 @@ BootstrapSuseCommon() {
     python-devel \
     python-virtualenv \
     gcc \
-    dialog \
     augeas-lenses \
     libopenssl-devel \
     libffi-devel \
@@ -380,7 +417,6 @@ BootstrapArchCommon() {
     python2
     python-virtualenv
     gcc
-    dialog
     augeas
     openssl
     libffi
@@ -404,22 +440,26 @@ BootstrapGentooCommon() {
   PACKAGES="
     dev-lang/python:2.7
     dev-python/virtualenv
-    dev-util/dialog
     app-admin/augeas
     dev-libs/openssl
     dev-libs/libffi
     app-misc/ca-certificates
     virtual/pkgconfig"
 
+  ASK_OPTION="--ask"
+  if [ "$ASSUME_YES" = 1 ]; then
+    ASK_OPTION=""
+  fi
+
   case "$PACKAGE_MANAGER" in
     (paludis)
       $SUDO cave resolve --preserve-world --keep-targets if-possible $PACKAGES -x
       ;;
     (pkgcore)
-      $SUDO pmerge --noreplace --oneshot $PACKAGES
+      $SUDO pmerge --noreplace --oneshot $ASK_OPTION $PACKAGES
       ;;
     (portage|*)
-      $SUDO emerge --noreplace --oneshot $PACKAGES
+      $SUDO emerge --noreplace --oneshot $ASK_OPTION $PACKAGES
       ;;
   esac
 }
@@ -449,7 +489,6 @@ BootstrapMac() {
   fi
 
   $pkgcmd augeas
-  $pkgcmd dialog
   if [ "$(which python)" = "/System/Library/Frameworks/Python.framework/Versions/2.7/bin/python" \
       -o "$(which python)" = "/usr/bin/python" ]; then
     # We want to avoid using the system Python because it requires root to use pip.
@@ -458,7 +497,7 @@ BootstrapMac() {
     $pkgcmd python
   fi
 
-  # Workaround for _dlopen not finding augeas on OS X
+  # Workaround for _dlopen not finding augeas on macOS
   if [ "$pkgman" = "port" ] && ! [ -e "/usr/local/lib/libaugeas.dylib" ] && [ -e "/opt/local/lib/libaugeas.dylib" ]; then
     echo "Applying augeas workaround"
     $SUDO mkdir -p /usr/local/lib/
@@ -496,8 +535,8 @@ BootstrapMageiaCommon() {
     if ! $SUDO urpmi --force \
            git \
            gcc \
-           cdialog \
            python-augeas \
+           openssl \
            libopenssl-devel \
            libffi-devel \
            rootcerts
@@ -541,7 +580,7 @@ Bootstrap() {
   elif uname | grep -iq FreeBSD ; then
     ExperimentalBootstrap "FreeBSD" BootstrapFreeBsd
   elif uname | grep -iq Darwin ; then
-    ExperimentalBootstrap "Mac OS X" BootstrapMac
+    ExperimentalBootstrap "macOS" BootstrapMac
   elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then
     ExperimentalBootstrap "Amazon Linux" BootstrapRpmCommon
   elif [ -f /etc/product ] && grep -q "Joyent Instance" /etc/product ; then
@@ -557,7 +596,7 @@ Bootstrap() {
 }
 
 TempDir() {
-  mktemp -d 2>/dev/null || mktemp -d -t 'le'  # Linux || OS X
+  mktemp -d 2>/dev/null || mktemp -d -t 'le'  # Linux || macOS
 }
 
 
@@ -594,6 +633,11 @@ if [ "$1" = "--le-auto-phase2" ]; then
 # `pip install --no-cache-dir -e acme -e . -e certbot-apache -e certbot-nginx`,
 # and then use `hashin` or a more secure method to gather the hashes.
 
+# Hashin example:
+# pip install hashin
+# hashin -r letsencrypt-auto-requirements.txt cryptography==1.5.2
+# sets the new certbot-auto pinned version of cryptography to 1.5.2
+
 argparse==1.4.0 \
     --hash=sha256:c31647edb69fd3d465a847ea3157d37bed1f95f19760b11a47aa91c04b666314 \
     --hash=sha256:62b089a55be1d8949cd2bc7e0df0bddb9e028faefc8c32038cc84862aefdd6e4
@@ -601,7 +645,8 @@ argparse==1.4.0 \
 # This comes before cffi because cffi will otherwise install an unchecked
 # version via setup_requires.
 pycparser==2.14 \
-    --hash=sha256:7959b4a74abdc27b312fed1c21e6caf9309ce0b29ea86b591fd2e99ecdf27f73
+    --hash=sha256:7959b4a74abdc27b312fed1c21e6caf9309ce0b29ea86b591fd2e99ecdf27f73 \
+    --no-binary pycparser
 
 cffi==1.4.2 \
     --hash=sha256:53c1c9ddb30431513eb7f3cdef0a3e06b0f1252188aaa7744af0f5a4cd45dbaf \
@@ -624,29 +669,29 @@ ConfigArgParse==0.10.0 \
     --hash=sha256:3b50a83dd58149dfcee98cb6565265d10b53e9c0a2bca7eeef7fb5f5524890a7
 configobj==5.0.6 \
     --hash=sha256:a2f5650770e1c87fb335af19a9b7eb73fc05ccf22144eb68db7d00cd2bcb0902
-cryptography==1.3.4 \
-    --hash=sha256:bede00edd11a2a62c8c98c271cc103fa3a3d72acf64f6e5e4eaf251128897b17 \
-    --hash=sha256:53b39e687b744bb548a98f40736cc529d9f60959b4e6cc551322cf9505d35eb3 \
-    --hash=sha256:474b73ad1139b4e423e46bbd818efd0d5c0df1c65d9f7c957d64c9215d77afde \
-    --hash=sha256:aaddf9592d5b99e32dd518bb4a25b147c124f9d6b4ad64b94f01b15d1666b8c8 \
-    --hash=sha256:6dcad2f407db8c3cd6ecd78361439c449a4f94786b46c54507e7e68f51e1709d \
-    --hash=sha256:475c153fc622e656f1f10a9c9941d0ac7ab18df7c38d35d563a437c1c0e34f24 \
-    --hash=sha256:86dd61df581cba04e89e45081efbc531faff1c9d99c77b1ce97f87216c356353 \
-    --hash=sha256:75cc697e4ef5fdd0102ca749114c6370dbd11db0c9132a18834858c2566247e3 \
-    --hash=sha256:ea03ad5b9df6d79fc9fc1ab23729e01e1c920d2974c5e3c634ccf45a5c378452 \
-    --hash=sha256:c8872b8fe4f3416d6338ab99612f49ab314f7856cb43bffab2a32d28a6267be8 \
-    --hash=sha256:468fc6e16eaec6ceaa6bc341273e6e9912d01b42b740f8cf896ace7fcd6a321d \
-    --hash=sha256:d6fea3c6502735011c5d61a62aef1c1d770fc6a2def45d9e6c0d94c9651e3317 \
-    --hash=sha256:3cf95f179f4bead3d5649b91860ef4cf60ad4244209190fc405908272576d961 \
-    --hash=sha256:141f77e60a5b9158309b2b60288c7f81d37faa15c22a69b94c190ceefaaa6236 \
-    --hash=sha256:87b7a1fe703c6424451f3372d1879dae91c7fe5e13375441a72833db76fee30e \
-    --hash=sha256:f5ee3cb0cf1a6550bf483ccffa6608db267a377b45f7e3a8201a86d1d8feb19f \
-    --hash=sha256:4e097286651ea318300af3251375d48b71b8228481c56cd617ddd4459a1ff261 \
-    --hash=sha256:1e3d3ae3f22f22d50d340f47f25227511326f3f1396c6d2446a5b45b516c4313 \
-    --hash=sha256:6a057941cb64d79834ea3cf99093fcc4787c2a5d44f686c4f297361ddc419bcd \
-    --hash=sha256:68b3d5390b92559ddd3353c73ab2dfcff758f9c4ec4f5d5226ccede0e5d779f4 \
-    --hash=sha256:545dc003b4b6081f9c3e452da15d819b04b696f49484aff64c0a2aedf766bef8 \
-    --hash=sha256:423ff890c01be7c70dbfeaa967eeef5146f1a43a5f810ffdc07b178e48a105a9
+cryptography==1.5.3 \
+    --hash=sha256:e514d92086246b53ae9b048df652cf3036b462e50a6ce9fac6b6253502679991 \
+    --hash=sha256:10ee414f4b5af403a0d8f20dfa80f7dad1fc7ae5452ec5af03712d5b6e78c664 \
+    --hash=sha256:7234456d1f4345a144ed07af2416c7c0659d4bb599dd1a963103dc8c183b370e \
+    --hash=sha256:d3b9587406f94642bd70b3d666b813f446e95f84220c9e416ad94cbfb6be2eaa \
+    --hash=sha256:b15fc6b59f1474eef62207c85888afada8acc47fae8198ba2b0197d54538961a \
+    --hash=sha256:3b62d65d342704fc07ed171598db2a2775bdf587b1b6abd2cba2261bfe3ccde3 \
+    --hash=sha256:059343022ec904c867a13bc55d2573e36c8cfb2c250e30d8a2e9825f253b07ba \
+    --hash=sha256:c7897cf13bc8b4ee0215d83cbd51766d87c06b277fcca1f9108595508e5bcfb4 \
+    --hash=sha256:9b69e983e5bf83039ddd52e52a28c7faedb2b22bdfb5876377b95aac7d3be63e \
+    --hash=sha256:61e40905c426d02b3fae38088dc66ce4ef84830f7eb223dec6b3ac3ccdc676fb \
+    --hash=sha256:00783a32bcd91a12177230d35bfcf70a2333ade4a6b607fac94a633a7971c671 \
+    --hash=sha256:d11973f49b648cde1ea1a30e496d7557dbfeccd08b3cd9ba58d286a9c274ff8e \
+    --hash=sha256:f24bedf28b81932ba6063aec9a826669f5237ea3b755efe04d98b072faa053a5 \
+    --hash=sha256:3ab5725367239e3deb9b92e917aa965af3fef008f25b96a3000821869e208181 \
+    --hash=sha256:8a53209de822e22b5f73bf4b99e68ac4ccc91051fd6751c8252982983e86a77d \
+    --hash=sha256:5a07439d4b1e4197ac202b7eea45e26a6fd65757652dc50f1a63367f711df933 \
+    --hash=sha256:26b1c4b40aec7b0074bceabe6e06565aa28176eca7323a31df66ebf89fe916d3 \
+    --hash=sha256:eaa4a7b5a6682adcf8d6ebb2a08a008802657643655bb527c95c8a3860253d8e \
+    --hash=sha256:8156927dcf8da274ff205ad0612f75c380df45385bacf98531a5b3348c88d135 \
+    --hash=sha256:61ec0d792749d0e91e84b1d58b6dfd204806b10b5811f846c2ceca0de028c53a \
+    --hash=sha256:26330c88041569ca621cc42274d0ea2667a48b6deab41467272c3aba0b6e8f07 \
+    --hash=sha256:cf82ddac919b587f5e44247579b433224cc2e03332d2ea4d89aa70d7e6b64ae5
 enum34==1.1.2 \
     --hash=sha256:2475d7fcddf5951e92ff546972758802de5260bf409319a9f1934e6bbc8b1dc7 \
     --hash=sha256:35907defb0f992b75ab7788f65fedc1cf20ffa22688e0e6f6f12afc06b3ea501
@@ -662,8 +707,6 @@ ipaddress==1.0.16 \
 linecache2==1.0.0 \
     --hash=sha256:e78be9c0a0dfcbac712fe04fbf92b96cddae80b1b842f24248214c8496f006ef \
     --hash=sha256:4b26ff4e7110db76eeb6f5a7b64a82623839d595c2038eeda662f2a2db78e97c
-ndg-httpsclient==0.4.0 \
-    --hash=sha256:e8c155fdebd9c4bcb0810b4ed01ae1987554b1ee034dd7532d7b8fdae38a6274
 ordereddict==1.1 \
     --hash=sha256:1c35b4ac206cef2d24816c89f89cf289dd3d38cf7c449bb3fab7bf6d43f01b1f
 parsedatetime==2.1 \
@@ -684,9 +727,9 @@ pyasn1==0.1.9 \
     --hash=sha256:5191ff6b9126d2c039dd87f8ff025bed274baf07fa78afa46f556b1ad7265d6e \
     --hash=sha256:8323e03637b2d072cc7041300bac6ec448c3c28950ab40376036788e9a1af629 \
     --hash=sha256:853cacd96d1f701ddd67aa03ecc05f51890135b7262e922710112f12a2ed2a7f
-pyopenssl==16.0.0 \
-    --hash=sha256:5add70cf00273bf957ca31fdb0df9b0ae4639e081897d5f86a0ae1f104901230 \
-    --hash=sha256:363d10ee43d062285facf4e465f4f5163f9f702f9134f0a5896f134cbb92d17d
+pyOpenSSL==16.2.0 \
+    --hash=sha256:26ca380ddf272f7556e48064bbcd5bd71f83dfc144f3583501c7ddbd9434ee17 \
+    --hash=sha256:7779a3bbb74e79db234af6a08775568c6769b5821faecf6e2f4143edb227516e
 pyparsing==2.1.8 \
     --hash=sha256:2f0f5ceb14eccd5aef809d6382e87df22ca1da583c79f6db01675ce7d7f49c18 \
     --hash=sha256:03a4869b9f3493807ee1f1cb405e6d576a1a2ca4d81a982677c0c1ad6177c56b \
@@ -701,9 +744,6 @@ pyRFC3339==1.0 \
     --hash=sha256:8dfbc6c458b8daba1c0f3620a8c78008b323a268b27b7359e92a4ae41325f535
 python-augeas==0.5.0 \
     --hash=sha256:67d59d66cdba8d624e0389b87b2a83a176f21f16a87553b50f5703b23f29bac2
-python2-pythondialog==3.3.0 \
-    --hash=sha256:04e93f24995c43dd90f338d5d865ca72ce3fb5a5358d4daa4965571db35fc3ec \
-    --hash=sha256:3e6f593fead98f8a526bc3e306933533236e33729f552f52896ea504f55313fa
 pytz==2015.7 \
     --hash=sha256:3abe6a6d3fc2fbbe4c60144211f45da2edbe3182a6f6511af6bbba0598b1f992 \
     --hash=sha256:939ef9c1e1224d980405689a97ffcf7828c56d1517b31d73464356c1f2b7769e \
@@ -718,9 +758,9 @@ pytz==2015.7 \
     --hash=sha256:fbd26746772c24cb93c8b97cbdad5cb9e46c86bbdb1b9d8a743ee00e2fb1fc5d \
     --hash=sha256:99266ef30a37e43932deec2b7ca73e83c8dbc3b9ff703ec73eca6b1dae6befea \
     --hash=sha256:8b6ce1c993909783bc96e0b4f34ea223bff7a4df2c90bdb9c4e0f1ac928689e3
-requests==2.9.1 \
-    --hash=sha256:113fbba5531a9e34945b7d36b33a084e8ba5d0664b703c81a7c572d91919a5b8 \
-    --hash=sha256:c577815dd00f1394203fc44eb979724b098f88264a9ef898ee45b8e5e9cf587f
+requests==2.12.1 \
+    --hash=sha256:3f3f27a9d0f9092935efc78054ef324eb9f8166718270aefe036dfa1e4f68e1e \
+    --hash=sha256:2109ecea94df90980be040490ff1d879971b024861539abb00054062388b612e
 six==1.10.0 \
     --hash=sha256:0ff78c403d9bccf5a425a6d31a12aa6b47f1c21ca4dc2573a7e2f32a97335eb1 \
     --hash=sha256:105f8d68616f8248e24bf0e9372ef04d3cc10104f1980f54d57b2ce73a5ad56a
@@ -761,18 +801,18 @@ letsencrypt==0.7.0 \
 
 # THE LINES BELOW ARE EDITED BY THE RELEASE SCRIPT; ADD ALL DEPENDENCIES ABOVE.
 
-acme==0.9.3 \
-    --hash=sha256:d18ce17a75ad24d27981dfaef0524aa905eab757b267e027162b56a8967ab8fb \
-    --hash=sha256:a6eff1f955eb2e4316abd9aa2fedb6d9345e6b5b8a2d64ea0ad35e05d6124099
-certbot==0.9.3 \
-    --hash=sha256:a87ef4c53c018df4e52ee2f2e906ad16bbb37789f29e6f284c495a2eb4d9b243 \
-    --hash=sha256:68149cb8392b29f5d5246e7226d25f913f2b10482bf3bc7368e8c8821d25f3b0
-certbot-apache==0.9.3 \
-    --hash=sha256:f379b1053e10709692654d7a6fcea9eaed19b66c49a753b61e31bd06a04b0aac \
-    --hash=sha256:a5d98cf972072de08f984db4e6a7f20269f3f023c43f6d4e781fe43be7c10086
-certbot-nginx==0.9.3 \
-    --hash=sha256:3c26f18f0b57550f069263bd9b2984ef33eab6693e7796611c1b2cc16574069c \
-    --hash=sha256:7337a2e90e0b28a1ab09e31d9fb81c6d78e6453500c824c0f18bab5d31b63058
+acme==0.10.2 \
+    --hash=sha256:053bbf8d36be298e411e0fa397289307e1a888f419de1205931236114f8f825e \
+    --hash=sha256:6465b66256849f8cd4269a43037d404b1ccf31a60d3c93fc628d6f6f4c43de78
+certbot==0.10.2 \
+    --hash=sha256:1e680cab3cda6c3079ee64066903f93e421df46a8d4db63264a6359f3d5ba63e \
+    --hash=sha256:33729ce100fc9d00d9820c81fc3ef9b95802b8d261f0cca0cce422bc568b1631
+certbot-apache==0.10.2 \
+    --hash=sha256:c1f196506bf961e2171fb2af9feca8926100564b644acda1895acdf294c46e71 \
+    --hash=sha256:8573275e74c8b74a9c7d7824636a37a4bc83327a7cc97a43b334fe8956ba8cb1
+certbot-nginx==0.10.2 \
+    --hash=sha256:74c32bdaf2f3873aa811c3e2cdc205d3137b59c64dbcdca6f3982ed2a89b4f2a \
+    --hash=sha256:c8265ab4b4bc0a6a3a81d7f0b8ff2606dd28ebbb3cd045635862286b97af2c36
 
 UNLIKELY_EOF
     # -------------------------------------------------------------------------
@@ -940,7 +980,28 @@ UNLIKELY_EOF
       # Report error. (Otherwise, be quiet.)
       echo "Had a problem while installing Python packages."
       if [ "$VERBOSE" != 1 ]; then
+        echo
+        echo "pip prints the following errors: "
+        echo "====================================================="
         echo "$PIP_OUT"
+        echo "====================================================="
+        echo
+        echo "Certbot has problem setting up the virtual environment."
+
+        if `echo $PIP_OUT | grep -q Killed` || `echo $PIP_OUT | grep -q "allocate memory"` ; then
+          echo
+          echo "Based on your pip output, the problem can likely be fixed by "
+          echo "increasing the available memory."
+        else
+          echo
+          echo "We were not be able to guess the right solution from your pip "
+          echo "output."
+        fi
+
+        echo
+        echo "Consult https://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment"
+        echo "for possible solutions."
+        echo "You may also find some support resources at https://certbot.eff.org/support/ ."
       fi
       rm -rf "$VENV_PATH"
       exit 1
@@ -1132,7 +1193,7 @@ UNLIKELY_EOF
       # TODO: Deal with quotes in pathnames.
       echo "Replacing certbot-auto..."
       # Clone permissions with cp. chmod and chown don't have a --reference
-      # option on OS X or BSD, and stat -c on Linux is stat -f on OS X and BSD:
+      # option on macOS or BSD, and stat -c on Linux is stat -f on macOS and BSD:
       $SUDO cp -p "$0" "$TEMP_DIR/letsencrypt-auto.permission-clone"
       $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$TEMP_DIR/letsencrypt-auto.permission-clone"
       # Using mv rather than cp leaves the old file descriptor pointing to the

letsencrypt-auto-source/certbot-auto.asc

@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
-iQEcBAABAgAGBQJYADL6AAoJEE0XyZXNl3XyZW8H/RgPxga4SZ8VoMGGOpzYGzaD
-C/VW6IZeHjD7urkAjfSiMMStkYKlZMGcT/3Pw1L39wIX/37jqQTTh01JL+TcqRMJ
-AUHmSgrErjUU42YV68u2c/wT9Dsid+OxpP/WSbJn5MomWtvGpFxffc/FK/W8ccFR
-r6ZhAt2rgkBmYjrC6w8V9KTzhp4+n7ZpQPxuMFxpJhyTmMzgj9K+aI2OuKDKT7iO
-nke74Lgx/xPatLDgygw5bRiFyZ+X65p/awalEXBcFW0zmlN2Fqp8om8UjtUtkVw9
-ixr9/kq9VhcHjho9cmKWl14IShbcxZZc60xL2y6gmkgoBpzVlHfvRNnxapodTsc=
-=jULW
+iQEcBAABAgAGBQJYiWfOAAoJEE0XyZXNl3XyES8H/A77QJnVn4mNBv5+WDvOuxii
+OVch92SHT9FSrUpM0QNAB981SzjSt6vAwjdFjqyMYmfrITYl5Kfo9UjHJY3gfYAR
+S+oiSnBBJ1+9O1+s9kRt0/zwXS6iqIyT7gKM6ZQ5PPaKeB0Iw820m16QgOdMN6d3
+jBQlUIqg6Bl5y79znx8yAYXpIrbOj/Q1xcYpKjRcnyzgR7sWIGvJvVygtXcDN+QV
+HUjtumjnqFON4+638N6xPeiJobTGgTwOLr91I0IhNWKCZ5hBgvm8Oq8r+cfZejCX
+XIdtlvmcw08GiKsFY8WW7k9rK1/D8uy4Xx26KAAXmdY/xdyG9rOBHOui2N921nw=
+=B8NE
 -----END PGP SIGNATURE-----

letsencrypt-auto-source/letsencrypt-auto

@@ -23,7 +23,7 @@ if [ -z "$VENV_PATH" ]; then
   VENV_PATH="$XDG_DATA_HOME/$VENV_NAME"
 fi
 VENV_BIN="$VENV_PATH/bin"
-LE_AUTO_VERSION="0.10.0.dev0"
+LE_AUTO_VERSION="0.10.2"
 BASENAME=$(basename $0)
 USAGE="Usage: $BASENAME [OPTIONS]
 A self-updating wrapper script for the Certbot ACME client. When run, updates
@@ -801,18 +801,18 @@ letsencrypt==0.7.0 \
 
 # THE LINES BELOW ARE EDITED BY THE RELEASE SCRIPT; ADD ALL DEPENDENCIES ABOVE.
 
-acme==0.9.3 \
-    --hash=sha256:d18ce17a75ad24d27981dfaef0524aa905eab757b267e027162b56a8967ab8fb \
-    --hash=sha256:a6eff1f955eb2e4316abd9aa2fedb6d9345e6b5b8a2d64ea0ad35e05d6124099
-certbot==0.9.3 \
-    --hash=sha256:a87ef4c53c018df4e52ee2f2e906ad16bbb37789f29e6f284c495a2eb4d9b243 \
-    --hash=sha256:68149cb8392b29f5d5246e7226d25f913f2b10482bf3bc7368e8c8821d25f3b0
-certbot-apache==0.9.3 \
-    --hash=sha256:f379b1053e10709692654d7a6fcea9eaed19b66c49a753b61e31bd06a04b0aac \
-    --hash=sha256:a5d98cf972072de08f984db4e6a7f20269f3f023c43f6d4e781fe43be7c10086
-certbot-nginx==0.9.3 \
-    --hash=sha256:3c26f18f0b57550f069263bd9b2984ef33eab6693e7796611c1b2cc16574069c \
-    --hash=sha256:7337a2e90e0b28a1ab09e31d9fb81c6d78e6453500c824c0f18bab5d31b63058
+acme==0.10.2 \
+    --hash=sha256:053bbf8d36be298e411e0fa397289307e1a888f419de1205931236114f8f825e \
+    --hash=sha256:6465b66256849f8cd4269a43037d404b1ccf31a60d3c93fc628d6f6f4c43de78
+certbot==0.10.2 \
+    --hash=sha256:1e680cab3cda6c3079ee64066903f93e421df46a8d4db63264a6359f3d5ba63e \
+    --hash=sha256:33729ce100fc9d00d9820c81fc3ef9b95802b8d261f0cca0cce422bc568b1631
+certbot-apache==0.10.2 \
+    --hash=sha256:c1f196506bf961e2171fb2af9feca8926100564b644acda1895acdf294c46e71 \
+    --hash=sha256:8573275e74c8b74a9c7d7824636a37a4bc83327a7cc97a43b334fe8956ba8cb1
+certbot-nginx==0.10.2 \
+    --hash=sha256:74c32bdaf2f3873aa811c3e2cdc205d3137b59c64dbcdca6f3982ed2a89b4f2a \
+    --hash=sha256:c8265ab4b4bc0a6a3a81d7f0b8ff2606dd28ebbb3cd045635862286b97af2c36
 
 UNLIKELY_EOF
     # -------------------------------------------------------------------------

letsencrypt-auto-source/pieces/letsencrypt-auto-requirements.txt

@@ -171,15 +171,15 @@ letsencrypt==0.7.0 \
 
 # THE LINES BELOW ARE EDITED BY THE RELEASE SCRIPT; ADD ALL DEPENDENCIES ABOVE.
 
-acme==0.9.3 \
-    --hash=sha256:d18ce17a75ad24d27981dfaef0524aa905eab757b267e027162b56a8967ab8fb \
-    --hash=sha256:a6eff1f955eb2e4316abd9aa2fedb6d9345e6b5b8a2d64ea0ad35e05d6124099
-certbot==0.9.3 \
-    --hash=sha256:a87ef4c53c018df4e52ee2f2e906ad16bbb37789f29e6f284c495a2eb4d9b243 \
-    --hash=sha256:68149cb8392b29f5d5246e7226d25f913f2b10482bf3bc7368e8c8821d25f3b0
-certbot-apache==0.9.3 \
-    --hash=sha256:f379b1053e10709692654d7a6fcea9eaed19b66c49a753b61e31bd06a04b0aac \
-    --hash=sha256:a5d98cf972072de08f984db4e6a7f20269f3f023c43f6d4e781fe43be7c10086
-certbot-nginx==0.9.3 \
-    --hash=sha256:3c26f18f0b57550f069263bd9b2984ef33eab6693e7796611c1b2cc16574069c \
-    --hash=sha256:7337a2e90e0b28a1ab09e31d9fb81c6d78e6453500c824c0f18bab5d31b63058
+acme==0.10.2 \
+    --hash=sha256:053bbf8d36be298e411e0fa397289307e1a888f419de1205931236114f8f825e \
+    --hash=sha256:6465b66256849f8cd4269a43037d404b1ccf31a60d3c93fc628d6f6f4c43de78
+certbot==0.10.2 \
+    --hash=sha256:1e680cab3cda6c3079ee64066903f93e421df46a8d4db63264a6359f3d5ba63e \
+    --hash=sha256:33729ce100fc9d00d9820c81fc3ef9b95802b8d261f0cca0cce422bc568b1631
+certbot-apache==0.10.2 \
+    --hash=sha256:c1f196506bf961e2171fb2af9feca8926100564b644acda1895acdf294c46e71 \
+    --hash=sha256:8573275e74c8b74a9c7d7824636a37a4bc83327a7cc97a43b334fe8956ba8cb1
+certbot-nginx==0.10.2 \
+    --hash=sha256:74c32bdaf2f3873aa811c3e2cdc205d3137b59c64dbcdca6f3982ed2a89b4f2a \
+    --hash=sha256:c8265ab4b4bc0a6a3a81d7f0b8ff2606dd28ebbb3cd045635862286b97af2c36

tests/boulder-integration.sh

@@ -84,7 +84,7 @@ common certonly -a manual -d le.wtf --rsa-key-size 4096 \
     --pre-hook 'echo wtf2.pre >> "$HOOK_TEST"' \
     --post-hook 'echo wtf2.post >> "$HOOK_TEST"'
 
-common certonly -a manual -d dns.le.wtf --preferred-challenges dns-01 \
+common certonly -a manual -d dns.le.wtf --preferred-challenges dns,tls-sni \
     --manual-auth-hook ./tests/manual-dns-auth.sh
 
 export CSR_PATH="${root}/csr.der" KEY_PATH="${root}/key.pem" \
@@ -101,29 +101,30 @@ common --domains le3.wtf install \
        --key-path "${root}/csr/key.pem"
 
 CheckCertCount() {
-    CERTCOUNT=`ls "${root}/conf/archive/le.wtf/cert"* | wc -l`
-    if [ "$CERTCOUNT" -ne "$1" ] ; then
-        echo Wrong cert count, not "$1" `ls "${root}/conf/archive/le.wtf/"*`
+    CERTCOUNT=`ls "${root}/conf/archive/$1/cert"* | wc -l`
+    if [ "$CERTCOUNT" -ne "$2" ] ; then
+        echo Wrong cert count, not "$2" `ls "${root}/conf/archive/$1/"*`
         exit 1
     fi
 }
 
-CheckCertCount 1
+CheckCertCount "le.wtf" 1
 # This won't renew (because it's not time yet)
 common_no_force_renew renew
-CheckCertCount 1
+CheckCertCount "le.wtf" 1
 
-# --renew-by-default is used, so renewal should occur
-[ -f "$HOOK_TEST" ] && rm -f "$HOOK_TEST"
-common renew
-CheckCertCount 2
-CheckHooks
+# renew using HTTP manual auth hooks
+common renew --cert-name le.wtf --authenticator manual
+CheckCertCount "le.wtf" 2
 
+# renew using DNS manual auth hooks
+common renew --cert-name dns.le.wtf --authenticator manual
+CheckCertCount "dns.le.wtf" 2
 
 # This will renew because the expiry is less than 10 years from now
 sed -i "4arenew_before_expiry = 4 years" "$root/conf/renewal/le.wtf.conf"
 common_no_force_renew renew --rsa-key-size 2048
-CheckCertCount 3
+CheckCertCount "le.wtf" 3
 
 # The 4096 bit setting should persist to the first renewal, but be overriden in the second
 
@@ -137,6 +138,12 @@ if [ "$size1" -lt 3000 ] || [ "$size2" -lt 3000 ] || [ "$size3" -gt 1800 ] ; the
     exit 1
 fi
 
+# --renew-by-default is used, so renewal should occur
+[ -f "$HOOK_TEST" ] && rm -f "$HOOK_TEST"
+common renew
+CheckCertCount "le.wtf" 4
+CheckHooks
+
 # ECDSA
 openssl ecparam -genkey -name secp384r1 -out "${root}/privkey-p384.pem"
 SAN="DNS:ecdsa.le.wtf" openssl req -new -sha256 \