Normal timeout to check everything is working as expected

Fixes #8462

* Deprecate support of Apache 2.2 in certbot-apache

* Add a changelog

.azure-pipelines/templates/jobs/extended-tests-jobs.yml

@@ -4,7 +4,7 @@ jobs:
       - name: IMAGE_NAME
         value: ubuntu-18.04
       - name: PYTHON_VERSION
-        value: 3.8
+        value: 3.9
       - group: certbot-common
     strategy:
       matrix:
@@ -14,6 +14,9 @@ jobs:
         linux-py37:
           PYTHON_VERSION: 3.7
           TOXENV: py37
+        linux-py38:
+          PYTHON_VERSION: 3.8
+          TOXENV: py38
         linux-py37-nopin:
           PYTHON_VERSION: 3.7
           TOXENV: py37
@@ -62,10 +65,20 @@ jobs:
           PYTHON_VERSION: 3.8
           TOXENV: integration
           ACME_SERVER: boulder-v2
+        linux-boulder-v1-py39-integration:
+          PYTHON_VERSION: 3.9
+          TOXENV: integration
+          ACME_SERVER: boulder-v1
+        linux-boulder-v2-py39-integration:
+          PYTHON_VERSION: 3.9
+          TOXENV: integration
+          ACME_SERVER: boulder-v2
         nginx-compat:
           TOXENV: nginx_compat
-        le-auto-oraclelinux6:
+        linux-integration-rfc2136:
-          TOXENV: le_auto_oraclelinux6
+          IMAGE_NAME: ubuntu-18.04
+          PYTHON_VERSION: 3.8
+          TOXENV: integration-dns-rfc2136
         docker-dev:
           TOXENV: docker_dev
         macos-farmtest-apache2:

.azure-pipelines/templates/jobs/packaging-jobs.yml

@@ -1,122 +1,118 @@
 jobs:
-  - job: docker_build
+#  - job: docker_build
-    pool:
+#    pool:
-      vmImage: ubuntu-18.04
+#      vmImage: ubuntu-18.04
-    strategy:
+#    strategy:
-      matrix:
+#      matrix:
-        amd64:
+#        amd64:
-          DOCKER_ARCH: amd64
+#          DOCKER_ARCH: amd64
-        # Do not run the heavy non-amd64 builds for test branches
+#        # Do not run the heavy non-amd64 builds for test branches
-        ${{ if not(startsWith(variables['Build.SourceBranchName'], 'test-')) }}:
+#        ${{ if not(startsWith(variables['Build.SourceBranchName'], 'test-')) }}:
-          arm32v6:
+#          arm32v6:
-            DOCKER_ARCH: arm32v6
+#            DOCKER_ARCH: arm32v6
-          arm64v8:
+#          arm64v8:
-            DOCKER_ARCH: arm64v8
+#            DOCKER_ARCH: arm64v8
-    steps:
+#    steps:
-      - bash: set -e && tools/docker/build.sh $(dockerTag) $DOCKER_ARCH
+#      - bash: set -e && tools/docker/build.sh $(dockerTag) $DOCKER_ARCH
-        displayName: Build the Docker images
+#        displayName: Build the Docker images
-      # We don't filter for the Docker Hub organization to continue to allow
+#      # We don't filter for the Docker Hub organization to continue to allow
-      # easy testing of these scripts on forks.
+#      # easy testing of these scripts on forks.
-      - bash: |
+#      - bash: |
-          set -e
+#          set -e
-          DOCKER_IMAGES=$(docker images --filter reference='*/certbot' --filter reference='*/dns-*' --format '{{.Repository}}')
+#          DOCKER_IMAGES=$(docker images --filter reference='*/certbot' --filter reference='*/dns-*' --format '{{.Repository}}')
-          docker save --output images.tar $DOCKER_IMAGES
+#          docker save --output images.tar $DOCKER_IMAGES
-        displayName: Save the Docker images
+#        displayName: Save the Docker images
-      # If the name of the tar file or artifact changes, the deploy stage will
+#      # If the name of the tar file or artifact changes, the deploy stage will
-      # also need to be updated.
+#      # also need to be updated.
-      - bash: set -e && mv images.tar $(Build.ArtifactStagingDirectory)
+#      - bash: set -e && mv images.tar $(Build.ArtifactStagingDirectory)
-        displayName: Prepare Docker artifact
+#        displayName: Prepare Docker artifact
-      - task: PublishPipelineArtifact@1
+#      - task: PublishPipelineArtifact@1
-        inputs:
+#        inputs:
-          path: $(Build.ArtifactStagingDirectory)
+#          path: $(Build.ArtifactStagingDirectory)
-          artifact: docker_$(DOCKER_ARCH)
+#          artifact: docker_$(DOCKER_ARCH)
-        displayName: Store Docker artifact
+#        displayName: Store Docker artifact
-  - job: docker_run
+#  - job: docker_run
-    dependsOn: docker_build
+#    dependsOn: docker_build
-    pool:
+#    pool:
-      vmImage: ubuntu-18.04
+#      vmImage: ubuntu-18.04
-    steps:
+#    steps:
-      - task: DownloadPipelineArtifact@2
+#      - task: DownloadPipelineArtifact@2
-        inputs:
+#        inputs:
-          artifact: docker_amd64
+#          artifact: docker_amd64
-          path: $(Build.SourcesDirectory)
+#          path: $(Build.SourcesDirectory)
-        displayName: Retrieve Docker images
+#        displayName: Retrieve Docker images
-      - bash: set -e && docker load --input $(Build.SourcesDirectory)/images.tar
+#      - bash: set -e && docker load --input $(Build.SourcesDirectory)/images.tar
-        displayName: Load Docker images
+#        displayName: Load Docker images
-      - bash: |
+#      - bash: |
-          set -ex
+#          set -ex
-          DOCKER_IMAGES=$(docker images --filter reference='*/certbot' --filter reference='*/dns-*' --format '{{.Repository}}:{{.Tag}}')
+#          DOCKER_IMAGES=$(docker images --filter reference='*/certbot' --filter reference='*/dns-*' --format '{{.Repository}}:{{.Tag}}')
-          for DOCKER_IMAGE in ${DOCKER_IMAGES}
+#          for DOCKER_IMAGE in ${DOCKER_IMAGES}
-            do docker run --rm "${DOCKER_IMAGE}" plugins --prepare
+#            do docker run --rm "${DOCKER_IMAGE}" plugins --prepare
-          done
+#          done
-        displayName: Run integration tests for Docker images
+#        displayName: Run integration tests for Docker images
-  - job: installer_build
+#  - job: installer_build
-    pool:
+#    pool:
-      vmImage: vs2017-win2016
+#      vmImage: vs2017-win2016
-    steps:
+#    steps:
-      - task: UsePythonVersion@0
+#      - task: UsePythonVersion@0
-        inputs:
+#        inputs:
-          versionSpec: 3.7
+#          versionSpec: 3.7
-          architecture: x86
+#          architecture: x86
-          addToPath: true
+#          addToPath: true
-      - script: python windows-installer/construct.py
+#      - script: python windows-installer/construct.py
-        displayName: Build Certbot installer
+#        displayName: Build Certbot installer
-      - task: CopyFiles@2
+#      - task: CopyFiles@2
-        inputs:
+#        inputs:
-          sourceFolder: $(System.DefaultWorkingDirectory)/windows-installer/build/nsis
+#          sourceFolder: $(System.DefaultWorkingDirectory)/windows-installer/build/nsis
-          contents: '*.exe'
+#          contents: '*.exe'
-          targetFolder: $(Build.ArtifactStagingDirectory)
+#          targetFolder: $(Build.ArtifactStagingDirectory)
-      - task: PublishPipelineArtifact@1
+#      - task: PublishPipelineArtifact@1
-        inputs:
+#        inputs:
-          path: $(Build.ArtifactStagingDirectory)
+#          path: $(Build.ArtifactStagingDirectory)
-          # If we change the artifact's name, it should also be changed in tools/create_github_release.py
+#          # If we change the artifact's name, it should also be changed in tools/create_github_release.py
-          artifact: windows-installer
+#          artifact: windows-installer
-        displayName: Publish Windows installer
+#        displayName: Publish Windows installer
-  - job: installer_run
+#  - job: installer_run
-    dependsOn: installer_build
+#    dependsOn: installer_build
-    strategy:
+#    strategy:
-      matrix:
+#      matrix:
-        win2019:
+#        win2019:
-          imageName: windows-2019
+#          imageName: windows-2019
-        win2016:
+#        win2016:
-          imageName: vs2017-win2016
+#          imageName: vs2017-win2016
-    pool:
+#    pool:
-      vmImage: $(imageName)
+#      vmImage: $(imageName)
-    steps:
+#    steps:
-      - powershell: |
+#      - powershell: |
-          if ($PSVersionTable.PSVersion.Major -ne 5) {
+#          if ($PSVersionTable.PSVersion.Major -ne 5) {
-              throw "Powershell version is not 5.x"
+#              throw "Powershell version is not 5.x"
-          }
+#          }
-        condition: eq(variables['imageName'], 'vs2017-win2016')
+#        condition: eq(variables['imageName'], 'vs2017-win2016')
-        displayName: Check Powershell 5.x is used in vs2017-win2016
+#        displayName: Check Powershell 5.x is used in vs2017-win2016
-      - task: UsePythonVersion@0
+#      - task: UsePythonVersion@0
-        inputs:
+#        inputs:
-          versionSpec: 3.8
+#          versionSpec: 3.8
-          addToPath: true
+#          addToPath: true
-      - task: DownloadPipelineArtifact@2
+#      - task: DownloadPipelineArtifact@2
-        inputs:
+#        inputs:
-          artifact: windows-installer
+#          artifact: windows-installer
-          path: $(Build.SourcesDirectory)/bin
+#          path: $(Build.SourcesDirectory)/bin
-        displayName: Retrieve Windows installer
+#        displayName: Retrieve Windows installer
-      # pip 9.0 provided by pipstrap is not able to resolve properly the pywin32 dependency
+#      - script: |
-      # required by certbot-ci: as a temporary workaround until pipstrap is updated, we install
+#          python -m venv venv
-      # a recent version of pip, but we also to disable the isolated feature as described in
+#          venv\Scripts\python tools\pipstrap.py
-      # https://github.com/certbot/certbot/issues/8256
+#          venv\Scripts\python tools\pip_install.py -e certbot-ci
-      - script: |
+#        env:
-          py -3 -m venv venv
+#          PIP_NO_BUILD_ISOLATION: no
-          venv\Scripts\python -m pip install pip==20.2.3 setuptools==50.3.0 wheel==0.35.1
+#        displayName: Prepare Certbot-CI
-          venv\Scripts\python tools\pip_install.py -e certbot-ci
+#      - script: |
-        env:
+#          set PATH=%ProgramFiles(x86)%\Certbot\bin;%PATH%
-          PIP_NO_BUILD_ISOLATION: no
+#          venv\Scripts\python -m pytest certbot-ci\windows_installer_integration_tests --allow-persistent-changes --installer-path $(Build.SourcesDirectory)\bin\certbot-beta-installer-win32.exe
-        displayName: Prepare Certbot-CI
+#        displayName: Run windows installer integration tests
-      - script: |
+#      - script: |
-          set PATH=%ProgramFiles(x86)%\Certbot\bin;%PATH%
+#          set PATH=%ProgramFiles(x86)%\Certbot\bin;%PATH%
-          venv\Scripts\python -m pytest certbot-ci\windows_installer_integration_tests --allow-persistent-changes --installer-path $(Build.SourcesDirectory)\bin\certbot-beta-installer-win32.exe
+#          venv\Scripts\python -m pytest certbot-ci\certbot_integration_tests\certbot_tests -n 4
-        displayName: Run windows installer integration tests
+#        displayName: Run certbot integration tests
-      - script: |
-          set PATH=%ProgramFiles(x86)%\Certbot\bin;%PATH%
-          venv\Scripts\python -m pytest certbot-ci\certbot_integration_tests\certbot_tests -n 4
-        displayName: Run certbot integration tests
   - job: snaps_build
     pool:
       vmImage: ubuntu-18.04
@@ -148,7 +144,7 @@ jobs:
           git config --global user.name "$(Build.RequestedFor)"
           mkdir -p ~/.local/share/snapcraft/provider/launchpad
           cp $(credentials.secureFilePath) ~/.local/share/snapcraft/provider/launchpad/credentials
-          python3 tools/snap/build_remote.py ALL --archs ${ARCHS}
+          python3 tools/snap/build_remote.py ALL --archs ${ARCHS} --timeout 19800
         displayName: Build snaps
       - script: |
           set -e
@@ -174,7 +170,7 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y --no-install-recommends nginx-light snapd
           python3 -m venv venv
-          venv/bin/python letsencrypt-auto-source/pieces/pipstrap.py
+          venv/bin/python tools/pipstrap.py
           venv/bin/python tools/pip_install.py -U tox
         displayName: Install dependencies
       - task: DownloadPipelineArtifact@2
@@ -212,7 +208,7 @@ jobs:
       - script: |
           set -e
           python3 -m venv venv
-          venv/bin/python letsencrypt-auto-source/pieces/pipstrap.py
+          venv/bin/python tools/pipstrap.py
           venv/bin/python tools/pip_install.py -e certbot-ci
         displayName: Prepare Certbot-CI
       - script: |

.azure-pipelines/templates/jobs/standard-tests-jobs.yml

@@ -1,17 +1,17 @@
 jobs:
   - job: test
     variables:
-      PYTHON_VERSION: 3.8
+      PYTHON_VERSION: 3.9
     strategy:
       matrix:
         macos-py27:
           IMAGE_NAME: macOS-10.15
           PYTHON_VERSION: 2.7
           TOXENV: py27
-        macos-py38:
+        macos-py39:
           IMAGE_NAME: macOS-10.15
-          PYTHON_VERSION: 3.8
+          PYTHON_VERSION: 3.9
-          TOXENV: py38
+          TOXENV: py39
         windows-py36:
           IMAGE_NAME: vs2017-win2016
           PYTHON_VERSION: 3.6
@@ -38,10 +38,10 @@ jobs:
           IMAGE_NAME: ubuntu-18.04
           PYTHON_VERSION: 3.6
           TOXENV: py36
-        linux-py38-cover:
+        linux-py39-cover:
           IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.8
+          PYTHON_VERSION: 3.9
-          TOXENV: py38-cover
+          TOXENV: py39-cover
         linux-py37-lint:
           IMAGE_NAME: ubuntu-18.04
           PYTHON_VERSION: 3.7
@@ -52,15 +52,15 @@ jobs:
           TOXENV: mypy
         linux-integration:
           IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 2.7
+          PYTHON_VERSION: 3.8
           TOXENV: integration
           ACME_SERVER: pebble
         apache-compat:
           IMAGE_NAME: ubuntu-18.04
           TOXENV: apache_compat
-        le-auto-centos6:
+        le-modification:
           IMAGE_NAME: ubuntu-18.04
-          TOXENV: le_auto_centos6
+          TOXENV: modification
         apacheconftest:
           IMAGE_NAME: ubuntu-18.04
           PYTHON_VERSION: 2.7

.azure-pipelines/templates/stages/test-and-package-stage.yml

@@ -1,6 +1,6 @@
 stages:
   - stage: TestAndPackage
     jobs:
-      - template: ../jobs/standard-tests-jobs.yml
+#      - template: ../jobs/standard-tests-jobs.yml
-      - template: ../jobs/extended-tests-jobs.yml
+#      - template: ../jobs/extended-tests-jobs.yml
       - template: ../jobs/packaging-jobs.yml

.azure-pipelines/templates/steps/tox-steps.yml

@@ -32,7 +32,7 @@ steps:
     # problems with its lack of real dependency resolution.
   - bash: |
       set -e
-      python letsencrypt-auto-source/pieces/pipstrap.py
+      python tools/pipstrap.py
       python tools/pip_install.py -I tox virtualenv
     displayName: Install runtime dependencies
   - task: DownloadSecureFile@1

.gitignore

@@ -64,3 +64,4 @@ certbot-dns*/certbot-dns*_amd64*.txt
 certbot-dns*/certbot-dns*_arm*.txt
 /certbot_amd64*.txt
 /certbot_arm*.txt
+certbot-dns*/snap

AUTHORS.md

@@ -154,6 +154,7 @@ Authors
 * [Luca Olivetti](https://github.com/olivluca)
 * [Luke Rogers](https://github.com/lukeroge)
 * [Maarten](https://github.com/mrtndwrd)
+* [Mads Jensen](https://github.com/atombrella)
 * [Maikel Martens](https://github.com/krukas)
 * [Malte Janduda](https://github.com/MalteJ)
 * [Mantas Mikulėnas](https://github.com/grawity)
@@ -213,6 +214,7 @@ Authors
 * [Richard Barnes](https://github.com/r-barnes)
 * [Richard Panek](https://github.com/kernelpanek)
 * [Robert Buchholz](https://github.com/rbu)
+* [Robert Dailey](https://github.com/pahrohfit)
 * [Robert Habermann](https://github.com/frennkie)
 * [Robert Xiao](https://github.com/nneonneo)
 * [Roland Shoemaker](https://github.com/rolandshoemaker)

acme/acme/__init__.py

@@ -20,3 +20,10 @@ for mod in list(sys.modules):
     # preserved (acme.jose.* is josepy.*)
     if mod == 'josepy' or mod.startswith('josepy.'):
         sys.modules['acme.' + mod.replace('josepy', 'jose', 1)] = sys.modules[mod]
+
+if sys.version_info[0] == 2:
+    warnings.warn(
+        "Python 2 support will be dropped in the next release of acme. "
+        "Please upgrade your Python version.",
+        PendingDeprecationWarning,
+    )  # pragma: no cover

acme/acme/client.py

@@ -201,7 +201,7 @@ class ClientBase(object):
             when = parsedate_tz(retry_after)
             if when is not None:
                 try:
-                    tz_secs = datetime.timedelta(when[-1] if when[-1] else 0)
+                    tz_secs = datetime.timedelta(when[-1] if when[-1] is not None else 0)
                     return datetime.datetime(*when[:7]) - tz_secs
                 except (ValueError, OverflowError):
                     pass

acme/acme/magic_typing.py

@@ -12,4 +12,5 @@ try:
     from typing import *  # pylint: disable=wildcard-import, unused-wildcard-import
     from typing import Collection, IO  # type: ignore
 except ImportError:
-    sys.modules[__name__] = TypingClass()
+    # mypy complains because TypingClass is not a module
+    sys.modules[__name__] = TypingClass()  # type: ignore

acme/setup.py

@@ -5,7 +5,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
@@ -66,6 +66,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
     ],

acme/tests/messages_test.py

@@ -108,11 +108,11 @@ class ConstantTest(unittest.TestCase):
 
     def test_equality(self):
         const_a_prime = self.MockConstant('a')
-        self.assertFalse(self.const_a == self.const_b)
+        self.assertNotEqual(self.const_a, self.const_b)
-        self.assertTrue(self.const_a == const_a_prime)
+        self.assertEqual(self.const_a, const_a_prime)
 
-        self.assertTrue(self.const_a != self.const_b)
+        self.assertNotEqual(self.const_a, self.const_b)
-        self.assertFalse(self.const_a != const_a_prime)
+        self.assertEqual(self.const_a, const_a_prime)
 
 
 class DirectoryTest(unittest.TestCase):

certbot-apache/certbot_apache/_internal/configurator.py

@@ -9,7 +9,6 @@ import re
 import socket
 import time
 
-import six
 import zope.component
 import zope.interface
 try:
@@ -328,6 +327,9 @@ class ApacheConfigurator(common.Installer):
         if self.version < (2, 2):
             raise errors.NotSupportedError(
                 "Apache Version {0} not supported.".format(str(self.version)))
+        elif self.version < (2, 4):
+            logger.warning('Support for Apache 2.2 is deprecated and will be removed in a '
+                           'future release.')
 
         # Recover from previous crash before Augeas initialization to have the
         # correct parse tree from the get go.
@@ -464,21 +466,6 @@ class ApacheConfigurator(common.Installer):
             metadata=metadata
         )
 
-    def _wildcard_domain(self, domain):
-        """
-        Checks if domain is a wildcard domain
-
-        :param str domain: Domain to check
-
-        :returns: If the domain is wildcard domain
-        :rtype: bool
-        """
-        if isinstance(domain, six.text_type):
-            wildcard_marker = u"*."
-        else:
-            wildcard_marker = b"*."
-        return domain.startswith(wildcard_marker)
-
     def deploy_cert(self, domain, cert_path, key_path,
                     chain_path=None, fullchain_path=None):
         """Deploys certificate to specified virtual host.
@@ -513,7 +500,7 @@ class ApacheConfigurator(common.Installer):
         :rtype: `list` of :class:`~certbot_apache._internal.obj.VirtualHost`
         """
 
-        if self._wildcard_domain(domain):
+        if util.is_wildcard_domain(domain):
             if domain in self._wildcard_vhosts:
                 # Vhosts for a wildcard domain were already selected
                 return self._wildcard_vhosts[domain]

certbot-apache/setup.py

@@ -5,7 +5,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -53,6 +53,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-apache/tests/apache-conf-files/apache-conf-test

@@ -52,7 +52,7 @@ function Cleanup() {
 # if our environment asks us to enable modules, do our best!
 if [ "$1" = --debian-modules ] ; then
     sudo apt-get install -y apache2
-    sudo apt-get install -y libapache2-mod-wsgi
+    sudo apt-get install -y libapache2-mod-wsgi-py3
     sudo apt-get install -y libapache2-mod-macro
 
     for mod in  ssl rewrite macro wsgi deflate userdir version mime setenvif ; do

certbot-apache/tests/configurator_test.py

@@ -1337,13 +1337,6 @@ class MultipleVhostsTest(util.ApacheTest):
                           self.config.enable_mod,
                           "whatever")
 
-    def test_wildcard_domain(self):
-        # pylint: disable=protected-access
-        cases = {u"*.example.org": True, b"*.x.example.org": True,
-                 u"a.example.org": False, b"a.x.example.org": False}
-        for key in cases:
-            self.assertEqual(self.config._wildcard_domain(key), cases[key])
-
     def test_choose_vhosts_wildcard(self):
         # pylint: disable=protected-access
         mock_path = "certbot_apache._internal.display_ops.select_vhost_multiple"
@@ -1357,10 +1350,10 @@ class MultipleVhostsTest(util.ApacheTest):
 
             # And the actual returned values
             self.assertEqual(len(vhs), 1)
-            self.assertTrue(vhs[0].name == "certbot.demo")
+            self.assertEqual(vhs[0].name, "certbot.demo")
             self.assertTrue(vhs[0].ssl)
 
-            self.assertFalse(vhs[0] == self.vh_truth[3])
+            self.assertNotEqual(vhs[0], self.vh_truth[3])
 
     @mock.patch("certbot_apache._internal.configurator.ApacheConfigurator.make_vhost_ssl")
     def test_choose_vhosts_wildcard_no_ssl(self, mock_makessl):
@@ -1471,10 +1464,10 @@ class MultipleVhostsTest(util.ApacheTest):
         self.config.parser.aug.match = mock_match
         vhs = self.config.get_virtual_hosts()
         self.assertEqual(len(vhs), 2)
-        self.assertTrue(vhs[0] == self.vh_truth[1])
+        self.assertEqual(vhs[0], self.vh_truth[1])
         # mock_vhost should have replaced the vh_truth[0], because its filepath
         # isn't a symlink
-        self.assertTrue(vhs[1] == mock_vhost)
+        self.assertEqual(vhs[1], mock_vhost)
 
 
 class AugeasVhostsTest(util.ApacheTest):

certbot-apache/tests/dualnode_test.py

@@ -412,9 +412,9 @@ class DualParserNodeTest(unittest.TestCase):  # pylint: disable=too-many-public-
                                                     ancestor=self.block,
                                                     filepath="/path/to/whatever",
                                                     metadata=self.metadata)
-        self.assertFalse(self.block == ne_block)
+        self.assertNotEqual(self.block, ne_block)
-        self.assertFalse(self.directive == ne_directive)
+        self.assertNotEqual(self.directive, ne_directive)
-        self.assertFalse(self.comment == ne_comment)
+        self.assertNotEqual(self.comment, ne_comment)
 
     def test_parsed_paths(self):
         mock_p = mock.MagicMock(return_value=['/path/file.conf',

certbot-apache/tests/obj_test.py

@@ -27,14 +27,14 @@ class VirtualHostTest(unittest.TestCase):
             "certbot_apache._internal.obj.Addr(('127.0.0.1', '443'))")
 
     def test_eq(self):
-        self.assertTrue(self.vhost1b == self.vhost1)
+        self.assertEqual(self.vhost1b, self.vhost1)
-        self.assertFalse(self.vhost1 == self.vhost2)
+        self.assertNotEqual(self.vhost1, self.vhost2)
         self.assertEqual(str(self.vhost1b), str(self.vhost1))
-        self.assertFalse(self.vhost1b == 1234)
+        self.assertNotEqual(self.vhost1b, 1234)
 
     def test_ne(self):
-        self.assertTrue(self.vhost1 != self.vhost2)
+        self.assertNotEqual(self.vhost1, self.vhost2)
-        self.assertFalse(self.vhost1 != self.vhost1b)
+        self.assertEqual(self.vhost1, self.vhost1b)
 
     def test_conflicts(self):
         from certbot_apache._internal.obj import Addr
@@ -128,13 +128,13 @@ class AddrTest(unittest.TestCase):
         self.assertTrue(self.addr1.conflicts(self.addr2))
 
     def test_equal(self):
-        self.assertTrue(self.addr1 == self.addr2)
+        self.assertEqual(self.addr1, self.addr2)
-        self.assertFalse(self.addr == self.addr1)
+        self.assertNotEqual(self.addr, self.addr1)
-        self.assertFalse(self.addr == 123)
+        self.assertNotEqual(self.addr, 123)
 
     def test_not_equal(self):
-        self.assertFalse(self.addr1 != self.addr2)
+        self.assertEqual(self.addr1, self.addr2)
-        self.assertTrue(self.addr != self.addr1)
+        self.assertNotEqual(self.addr, self.addr1)
 
 
 if __name__ == "__main__":

certbot-auto

@@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then
 fi
 VENV_BIN="$VENV_PATH/bin"
 BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt"
-LE_AUTO_VERSION="1.9.0"
+LE_AUTO_VERSION="1.10.1"
 BASENAME=$(basename $0)
 USAGE="Usage: $BASENAME [OPTIONS]
 A self-updating wrapper script for the Certbot ACME client. When run, updates
@@ -799,11 +799,7 @@ BootstrapMageiaCommon() {
 # that function. If Bootstrap is set to a function that doesn't install any
 # packages BOOTSTRAP_VERSION is not set.
 if [ -f /etc/debian_version ]; then
-  Bootstrap() {
+  DEPRECATED_OS=1
-    BootstrapMessage "Debian-based OSes"
-    BootstrapDebCommon
-  }
-  BOOTSTRAP_VERSION="BootstrapDebCommon $BOOTSTRAP_DEB_COMMON_VERSION"
 elif [ -f /etc/mageia-release ]; then
   # Mageia has both /etc/mageia-release and /etc/redhat-release
   DEPRECATED_OS=1
@@ -1497,18 +1493,18 @@ letsencrypt==0.7.0 \
     --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \
     --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9
 
-certbot==1.9.0 \
+certbot==1.10.1 \
-    --hash=sha256:d5a804d32e471050921f7b39ed9859e2e9de02824176ed78f57266222036b53a \
+    --hash=sha256:011ac980fa21b9f29e02c9b8d8b86e8a4bf4670b51b6ad91656e401e9d2d2231 \
-    --hash=sha256:2ff9bf7d9af381c7efee22dec2dd6938d9d8fddcc9e11682b86e734164a30b57
+    --hash=sha256:0d9ee3fc09e0d03b2d1b1f1c4916e61ecfc6904b4216ddef4e6a5ca1424d9cb7
-acme==1.9.0 \
+acme==1.10.1 \
-    --hash=sha256:d8061b396a22b21782c9b23ff9a945b23e50fca2573909a42f845e11d5658ac5 \
+    --hash=sha256:752d598e54e98ad1e874de53fd50c61044f1b566d6deb790db5676ce9c573546 \
-    --hash=sha256:38a1630c98e144136c62eec4d2c545a1bdb1a3cd4eca82214be6b83a1f5a161f
+    --hash=sha256:fcbb559aedc96b404edf593e78517dcd7291984d5a37036c3fc77f3c5c122fd8
-certbot-apache==1.9.0 \
+certbot-apache==1.10.1 \
-    --hash=sha256:09528a820d57e54984d490100644cd8a6603db97bf5776f86e95795ecfacf23d \
+    --hash=sha256:f077b4b7f166627ef5e0921fe7cde57700670fc86e9ad9dbdfaf2c573cc0f2fa \
-    --hash=sha256:f47fb3f4a9bd927f4812121a0beefe56b163475a28f4db34c64dc838688d9e9e
+    --hash=sha256:97ed637b4c7b03820db6c69aa90145dc989933351d46a3d62baf6b71674f0a10
-certbot-nginx==1.9.0 \
+certbot-nginx==1.10.1 \
-    --hash=sha256:bb2e3f7fe17f071f350a3efa48571b8ef40a8e4b6db9c6da72539206a20b70be \
+    --hash=sha256:7c36459021f8a1ec3b6c062e4c4fc866bfaa1dbf26ccd29e043dd6848003be08 \
-    --hash=sha256:ab26a4f49d53b0e8bf0f903e58e2a840cda233fe1cbbc54c36ff17f973e57d65
+    --hash=sha256:c0bbeccf85f46b728fd95e6bb8c2649d32d3383d7f47ea4b9c312d12bf04d2f0
 
 UNLIKELY_EOF
     # -------------------------------------------------------------------------

certbot-ci/certbot_integration_tests/assets/bind-config/conf/named.conf

@@ -0,0 +1,60 @@
+options {
+  directory "/var/cache/bind";
+
+  // Running inside Docker. Bind address on Docker host is 127.0.0.1.
+  listen-on { any; };
+  listen-on-v6 { any; };
+
+  // We are allowing BIND to service recursive queries, but only in an extremely limimited sense
+  // where it is entirely disconnected from public DNS:
+  // - Iterative queries are disabled. Only forwarding to a non-existent forwarder.
+  // - The only recursive answers we can get (that will not be a SERVFAIL) will come from the
+  //   RPZ "mock-recursion" zone. Effectively this means we are mocking out the entirety of
+  //   public DNS.
+  allow-recursion { any; };       // BIND will only answer using RPZ if recursion is enabled
+  forwarders { 192.0.2.254; };    // Nobody is listening, this is TEST-NET-1
+  forward only;                   // Do NOT perform iterative queries from the root zone
+  dnssec-validation no;           // Do not bother fetching the root DNSKEY set (performance)
+  response-policy {               // All recursive queries will be served from here.
+    zone "mock-recursion"
+    log yes;
+  } recursive-only no             // Allow RPZs to affect authoritative zones too.
+    qname-wait-recurse no         // No real recursion.
+    nsip-wait-recurse no;         // No real recursion.
+
+  allow-transfer { none; };
+  allow-update { none; };
+};
+
+key "default-key." {
+  algorithm hmac-sha512;
+  secret "91CgOwzihr0nAVEHKFXJPQCbuBBbBI19Ks5VAweUXgbF40NWTD83naeg3c5y2MPdEiFRXnRLJxL6M+AfHCGLNw==";
+};
+
+zone "mock-recursion" {
+  type primary;
+  file "/var/lib/bind/rpz.mock-recursion";
+  allow-query {
+    none;
+  };
+};
+
+zone "example.com." {
+  type primary;
+  file "/var/lib/bind/db.example.com";
+  journal "/var/cache/bind/db.example.com.jnl";
+
+  update-policy {
+    grant default-key zonesub TXT;
+  };
+};
+
+zone "sub.example.com." {
+  type primary;
+  file "/var/lib/bind/db.sub.example.com";
+  journal "/var/cache/bind/db.sub.example.com.jnl";
+
+  update-policy {
+    grant default-key zonesub TXT;
+  };
+};

certbot-ci/certbot_integration_tests/assets/bind-config/rfc2136-credentials-default.ini.tpl

@@ -0,0 +1,10 @@
+# Target DNS server
+dns_rfc2136_server = {server_address}
+# Target DNS port
+dns_rfc2136_port = {server_port}
+# TSIG key name
+dns_rfc2136_name = default-key.
+# TSIG key secret
+dns_rfc2136_secret = 91CgOwzihr0nAVEHKFXJPQCbuBBbBI19Ks5VAweUXgbF40NWTD83naeg3c5y2MPdEiFRXnRLJxL6M+AfHCGLNw==
+# TSIG key algorithm
+dns_rfc2136_algorithm = HMAC-SHA512

certbot-ci/certbot_integration_tests/assets/bind-config/zones/db.example.com

@@ -0,0 +1,11 @@
+$ORIGIN example.com.
+$TTL 3600
+example.com.  IN  SOA   ns1.example.com. admin.example.com. ( 2020091025 7200 3600 1209600 3600 )
+
+example.com.  IN  NS    ns1
+example.com.  IN  NS    ns2
+
+ns1           IN  A     192.0.2.2
+ns2           IN  A     192.0.2.3
+
+@         IN  A     192.0.2.1

certbot-ci/certbot_integration_tests/assets/bind-config/zones/db.sub.example.com

@@ -0,0 +1,9 @@
+$ORIGIN sub.example.com.
+$TTL 3600
+sub.example.com.  IN  SOA   ns1.example.com. admin.example.com. ( 2020091025 7200 3600 1209600 3600 )
+
+sub.example.com.  IN  NS    ns1
+sub.example.com.  IN  NS    ns2
+
+ns1           IN  A     192.0.2.2
+ns2           IN  A     192.0.2.3

certbot-ci/certbot_integration_tests/assets/bind-config/zones/rpz.mock-recursion

@@ -0,0 +1,6 @@
+$TTL 3600
+
+@        SOA ns1.example.test. dummy.example.test. 1 12h 15m 3w 2h
+         NS  ns1.example.test.
+
+_acme-challenge.aliased.example   IN     CNAME   _acme-challenge.example.com.

certbot-ci/certbot_integration_tests/assets/sample-config/archive/c.encryption-example.com/README

@@ -0,0 +1,14 @@
+This directory contains your keys and certificates.
+
+`privkey.pem`  : the private key for your certificate.
+`fullchain.pem`: the certificate file used in most server software.
+`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
+`cert.pem`     : will break many server configurations, and should not be used
+                 without reading further documentation (see link below).
+
+WARNING: DO NOT MOVE OR RENAME THESE FILES!
+         Certbot expects these files to remain in this location in order
+         to function properly!
+
+We recommend not moving these files. For more information, see the Certbot
+User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

certbot-ci/certbot_integration_tests/assets/sample-config/archive/c.encryption-example.com/cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2zCCAcOgAwIBAgIIBvrEnbPRYu8wDQYJKoZIhvcNAQELBQAwKDEmMCQGA1UE
+AxMdUGViYmxlIEludGVybWVkaWF0ZSBDQSAxMjZjNGIwHhcNMjAxMDEyMjEwNzQw
+WhcNMjUxMDEyMjEwNzQwWjAjMSEwHwYDVQQDExhjLmVuY3J5cHRpb24tZXhhbXBs
+ZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARjMhuW0ENPPC33PjB5XsYU
+CRw640kPQENIDatcTJaENZIZdqKd6rI6jc+lpbmXot7Zi52clJlSJS+V6oDAt2Lh
+o4HYMIHVMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
+BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUj7Kd3ENqxlPf8B2bIGhsjydX
+mPswHwYDVR0jBBgwFoAUEiGxlkRsi+VvcogH5dVD3h1laAcwMQYIKwYBBQUHAQEE
+JTAjMCEGCCsGAQUFBzABhhVodHRwOi8vMTI3LjAuMC4xOjQwMDIwIwYDVR0RBBww
+GoIYYy5lbmNyeXB0aW9uLWV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCl
+k0JXsa8y7fg41WWMDhw60bPW77O0FtOmTcnhdI5daYNemQVk+Q5EMaBLQ/oGjgXd
+9QXFzXH1PL904YEnSLt+iTpXn++7rQSNzQsdYqw0neWk4f5pEBiN+WORpb6mwobV
+ifMtBOkNEHvrJ2Pkci9U1lLwtKD/DSew6QtJU5DSkmH1XdGuMJiubygEIvELtvgq
+cP9S368ZvPmPGmKaJQXBiuaR8MTjY/Bkr79aXQMjKbf+mpn7h0POCcePk1DY/rm6
+Da+X16lf0hHyQhSUa7Vgyim6rK1/hlw+Z00i+sQCKD9Ih7kXuuGqfSDC33cfO8Tj
+o/MXO8lcxkrem5zU5QWP
+-----END CERTIFICATE-----

certbot-ci/certbot_integration_tests/assets/sample-config/archive/c.encryption-example.com/chain.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUDCCAjigAwIBAgIIbi787yVrcMAwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVUGViYmxlIFJvb3QgQ0EgMGM1MjI1MCAXDTIwMTAxMjIwMjI0NloYDzIwNTAx
+MDEyMjEyMjQ2WjAoMSYwJAYDVQQDEx1QZWJibGUgSW50ZXJtZWRpYXRlIENBIDEy
+NmM0YjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGeVk1BMJraeqRq
+mJ2+hgso8VOAv2s2CVxUJjIVcn7f2adE8NyTsSQ1brlsnKCUYUw7yLTQH0izLQRB
+qKVIDFkUqo5/FuTJ2QlfA2EwBL8J7s/7L7vj3L0DiVpwgxPSyFEwdl/Y5y7ofsX5
+CIhCFcaMAmTIuKLiSfCJjGwkbEMuolm+lO8Mikxxc/JtDVUC479ugU7PU9O09bMH
+nm+sD6Bgd+KMoPkCCCoeShJS9X3Ziq9HGc7Z6nhM/zirFARt2XkonEdAZ8br01zY
+MRiY9txhlWQ7mUkOtzOSoEuYJNoUbvMUf0+tNzto26WRyF7dJmh7lTBsYrvAwUTx
+PzNyst0CAwEAAaOBgzCBgDAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0lBBYwFAYIKwYB
+BQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBIhsZZE
+bIvlb3KIB+XVQ94dZWgHMB8GA1UdIwQYMBaAFOaKTaXg37vKgRt7d79YOjAoAtJT
+MA0GCSqGSIb3DQEBCwUAA4IBAQAU2mZii7PH2pkw2lNM0QqPbcW/UYyvFoUeM8Aq
+uCtsI2s+oxCJTqzfLsA0N8NY4nHLQ5wAlNJfJekngni8hbmJTKU4JFTMe7kLQO8P
+fJbk0pTzhhHVQw7CVwB6Pwq3u2m/JV+d6xDIDc+AVkuEl19ZJU0rTWyooClfFLZV
+EdZmEiUtA3PGlxoYwYhoGHYlhFxsoFONhCsBEdN7k7FKtFGVxN7oc5SKmKp0YZTW
+fcrEtrdNThATO4ymhCC2zh33NI/MT1O74fpaAc2k6LcTl57MKiLfTYX4LTL6v9JG
+9tlNqjFVRRmzEbtXTPcCb+w9g1VqoOGok7mGXYLTYtShCuvE
+-----END CERTIFICATE-----

certbot-ci/certbot_integration_tests/assets/sample-config/archive/c.encryption-example.com/fullchain.pem

@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIC2zCCAcOgAwIBAgIILlmGtZhUFEwwDQYJKoZIhvcNAQELBQAwKDEmMCQGA1UE
+AxMdUGViYmxlIEludGVybWVkaWF0ZSBDQSAxMjZjNGIwHhcNMjAxMDEyMjA1MDM0
+WhcNMjUxMDEyMjA1MDM0WjAjMSEwHwYDVQQDExhjLmVuY3J5cHRpb24tZXhhbXBs
+ZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARHEzR8JPWrEmpmgM+F2bk5
+9mT0u6CjzmJG0QpbaqprLiG5NGpW84VQ5TFCrmC4KxYfigCfMhfHRNfFYvNUK3V/
+o4HYMIHVMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
+BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU1CsVL+bPnzaxxQ5jUENmQJIO
+lKwwHwYDVR0jBBgwFoAUEiGxlkRsi+VvcogH5dVD3h1laAcwMQYIKwYBBQUHAQEE
+JTAjMCEGCCsGAQUFBzABhhVodHRwOi8vMTI3LjAuMC4xOjQwMDIwIwYDVR0RBBww
+GoIYYy5lbmNyeXB0aW9uLWV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBn
+2D8loC7pfk28JYpFLr5lmFKJWWmtLGlpsWDj61fVjtTfGKLziJz+MM6il4Y3hIz5
+58qiFK0ue0M63dIBJ33N+XxSEXon4Q0gy/zRWfH9jtPJ3FwfjkU/RT9PAUClYi0G
+ptNWnTmgQkNzousbcAtRNXuuShH3856vhUnwkX+xM+cbIDi1JVmFjcGrEEQJ0rUF
+mv2ZTyfbWbUs3v4rReETi2NVzr1Ql6J+ByNcMvHODzFy3t0L6yelAw2ca1I+c9HU
++Z0tnp/ykR7eXNuVLivok8UBf5OC413lh8ZO5g+Bgzh/LdtkUuavg1MYtEX0H6mX
+9U7y3nVI8WEbPGf+HDeu
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDUDCCAjigAwIBAgIIbi787yVrcMAwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVUGViYmxlIFJvb3QgQ0EgMGM1MjI1MCAXDTIwMTAxMjIwMjI0NloYDzIwNTAx
+MDEyMjEyMjQ2WjAoMSYwJAYDVQQDEx1QZWJibGUgSW50ZXJtZWRpYXRlIENBIDEy
+NmM0YjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGeVk1BMJraeqRq
+mJ2+hgso8VOAv2s2CVxUJjIVcn7f2adE8NyTsSQ1brlsnKCUYUw7yLTQH0izLQRB
+qKVIDFkUqo5/FuTJ2QlfA2EwBL8J7s/7L7vj3L0DiVpwgxPSyFEwdl/Y5y7ofsX5
+CIhCFcaMAmTIuKLiSfCJjGwkbEMuolm+lO8Mikxxc/JtDVUC479ugU7PU9O09bMH
+nm+sD6Bgd+KMoPkCCCoeShJS9X3Ziq9HGc7Z6nhM/zirFARt2XkonEdAZ8br01zY
+MRiY9txhlWQ7mUkOtzOSoEuYJNoUbvMUf0+tNzto26WRyF7dJmh7lTBsYrvAwUTx
+PzNyst0CAwEAAaOBgzCBgDAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0lBBYwFAYIKwYB
+BQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBIhsZZE
+bIvlb3KIB+XVQ94dZWgHMB8GA1UdIwQYMBaAFOaKTaXg37vKgRt7d79YOjAoAtJT
+MA0GCSqGSIb3DQEBCwUAA4IBAQAU2mZii7PH2pkw2lNM0QqPbcW/UYyvFoUeM8Aq
+uCtsI2s+oxCJTqzfLsA0N8NY4nHLQ5wAlNJfJekngni8hbmJTKU4JFTMe7kLQO8P
+fJbk0pTzhhHVQw7CVwB6Pwq3u2m/JV+d6xDIDc+AVkuEl19ZJU0rTWyooClfFLZV
+EdZmEiUtA3PGlxoYwYhoGHYlhFxsoFONhCsBEdN7k7FKtFGVxN7oc5SKmKp0YZTW
+fcrEtrdNThATO4ymhCC2zh33NI/MT1O74fpaAc2k6LcTl57MKiLfTYX4LTL6v9JG
+9tlNqjFVRRmzEbtXTPcCb+w9g1VqoOGok7mGXYLTYtShCuvE
+-----END CERTIFICATE-----

certbot-ci/certbot_integration_tests/assets/sample-config/archive/c.encryption-example.com/privkey.pem

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgNgefv2dad4U1VYEi
+0WkdHuqywi5QXAe30OwNTTGjhbihRANCAARHEzR8JPWrEmpmgM+F2bk59mT0u6Cj
+zmJG0QpbaqprLiG5NGpW84VQ5TFCrmC4KxYfigCfMhfHRNfFYvNUK3V/
+-----END PRIVATE KEY-----

certbot-ci/certbot_integration_tests/assets/sample-config/live/c.encryption-example.com/README

@@ -0,0 +1,14 @@
+This directory contains your keys and certificates.
+
+`privkey.pem`  : the private key for your certificate.
+`fullchain.pem`: the certificate file used in most server software.
+`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
+`cert.pem`     : will break many server configurations, and should not be used
+                 without reading further documentation (see link below).
+
+WARNING: DO NOT MOVE OR RENAME THESE FILES!
+         Certbot expects these files to remain in this location in order
+         to function properly!
+
+We recommend not moving these files. For more information, see the Certbot
+User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

certbot-ci/certbot_integration_tests/assets/sample-config/live/c.encryption-example.com/cert.pem

@@ -0,0 +1 @@
+../../archive/c.encryption-example.com/cert.pem

certbot-ci/certbot_integration_tests/assets/sample-config/live/c.encryption-example.com/chain.pem

@@ -0,0 +1 @@
+../../archive/c.encryption-example.com/chain.pem

certbot-ci/certbot_integration_tests/assets/sample-config/live/c.encryption-example.com/fullchain.pem

@@ -0,0 +1 @@
+../../archive/c.encryption-example.com/fullchain.pem

certbot-ci/certbot_integration_tests/assets/sample-config/live/c.encryption-example.com/privkey.pem

@@ -0,0 +1 @@
+../../archive/c.encryption-example.com/privkey.pem

certbot-ci/certbot_integration_tests/assets/sample-config/renewal/c.encryption-example.com.conf

@@ -0,0 +1,17 @@
+# renew_before_expiry = 30 days
+version = 1.10.0.dev0
+archive_dir = sample-config/archive/c.encryption-example.com
+cert = sample-config/live/c.encryption-example.com/cert.pem
+privkey = sample-config/live/c.encryption-example.com/privkey.pem
+chain = sample-config/live/c.encryption-example.com/chain.pem
+fullchain = sample-config/live/c.encryption-example.com/fullchain.pem
+
+# Options used in the renewal process
+[renewalparams]
+authenticator = apache
+installer = apache
+account = 48d6b9e8d767eccf7e4d877d6ffa81e3
+key_type = ecdsa
+config_dir = sample-config-ec
+elliptic_curve = secp256r1
+manual_public_ip_logging_ok = True

certbot-ci/certbot_integration_tests/certbot_tests/assertions.py

@@ -2,6 +2,11 @@
 import io
 import os
 
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
+
 try:
     import grp
     POSIX_MODE = True
@@ -16,6 +21,33 @@ SYSTEM_SID = 'S-1-5-18'
 ADMINS_SID = 'S-1-5-32-544'
 
 
+def assert_elliptic_key(key, curve):
+    """
+    Asserts that the key at the given path is an EC key using the given curve.
+    :param key: path to key
+    :param curve: name of the expected elliptic curve
+    """
+    with open(key, 'rb') as file:
+        privkey1 = file.read()
+
+    key = load_pem_private_key(data=privkey1, password=None, backend=default_backend())
+
+    assert isinstance(key, EllipticCurvePrivateKey)
+    assert isinstance(key.curve, curve)
+
+
+def assert_rsa_key(key):
+    """
+    Asserts that the key at the given path is an RSA key.
+    :param key: path to key
+    """
+    with open(key, 'rb') as file:
+        privkey1 = file.read()
+
+    key = load_pem_private_key(data=privkey1, password=None, backend=default_backend())
+    assert isinstance(key, RSAPrivateKey)
+
+
 def assert_hook_execution(probe_path, probe_content):
     """
     Assert that a certbot hook has been executed

certbot-ci/certbot_integration_tests/certbot_tests/test_main.py

@@ -9,12 +9,15 @@ import shutil
 import subprocess
 import time
 
+from cryptography.hazmat.primitives.asymmetric.ec import SECP256R1, SECP384R1
 from cryptography.x509 import NameOID
 
 import pytest
 
 from certbot_integration_tests.certbot_tests import context as certbot_context
 from certbot_integration_tests.certbot_tests.assertions import assert_cert_count_for_lineage
+from certbot_integration_tests.certbot_tests.assertions import assert_elliptic_key
+from certbot_integration_tests.certbot_tests.assertions import assert_rsa_key
 from certbot_integration_tests.certbot_tests.assertions import assert_equals_group_owner
 from certbot_integration_tests.certbot_tests.assertions import assert_equals_group_permissions
 from certbot_integration_tests.certbot_tests.assertions import assert_equals_world_read_permissions
@@ -289,7 +292,7 @@ def test_renew_with_changed_private_key_complexity(context):
     assert_cert_count_for_lineage(context.config_dir, certname, 1)
 
     context.certbot(['renew'])
-    
+
     assert_cert_count_for_lineage(context.config_dir, certname, 2)
     key2 = join(context.config_dir, 'archive', certname, 'privkey2.pem')
     assert os.stat(key2).st_size > 3000
@@ -421,20 +424,93 @@ def test_reuse_key(context):
     assert len({cert1, cert2, cert3}) == 3
 
 
+def test_incorrect_key_type(context):
+    with pytest.raises(subprocess.CalledProcessError):
+        context.certbot(['--key-type="failwhale"'])
+
+
 def test_ecdsa(context):
-    """Test certificate issuance with ECDSA key."""
+    """Test issuance for ECDSA CSR based request (legacy supported mode)."""
     key_path = join(context.workspace, 'privkey-p384.pem')
     csr_path = join(context.workspace, 'csr-p384.der')
     cert_path = join(context.workspace, 'cert-p384.pem')
     chain_path = join(context.workspace, 'chain-p384.pem')
 
-    misc.generate_csr([context.get_domain('ecdsa')], key_path, csr_path, key_type=misc.ECDSA_KEY_TYPE)
+    misc.generate_csr(
-    context.certbot(['auth', '--csr', csr_path, '--cert-path', cert_path, '--chain-path', chain_path])
+        [context.get_domain('ecdsa')],
+        key_path, csr_path,
+        key_type=misc.ECDSA_KEY_TYPE
+    )
+    context.certbot([
+        'auth', '--csr', csr_path, '--cert-path', cert_path,
+        '--chain-path', chain_path,
+    ])
 
     certificate = misc.read_certificate(cert_path)
     assert 'ASN1 OID: secp384r1' in certificate
 
 
+def test_default_key_type(context):
+    """Test default key type is RSA"""
+    certname = context.get_domain('renew')
+    context.certbot([
+        'certonly',
+        '--cert-name', certname, '-d', certname
+    ])
+    filename = join(context.config_dir, 'archive/{0}/privkey1.pem').format(certname)
+    assert_rsa_key(filename)
+
+
+def test_default_curve_type(context):
+    """test that the curve used when not specifying any is secp256r1"""
+    certname = context.get_domain('renew')
+    context.certbot([
+        '--key-type', 'ecdsa', '--cert-name', certname, '-d', certname
+    ])
+    key1 = join(context.config_dir, 'archive/{0}/privkey1.pem'.format(certname))
+    assert_elliptic_key(key1, SECP256R1)
+
+
+def test_renew_with_ec_keys(context):
+    """Test proper renew with updated private key complexity."""
+    certname = context.get_domain('renew')
+    context.certbot([
+        'certonly',
+        '--cert-name', certname,
+        '--key-type', 'ecdsa', '--elliptic-curve', 'secp256r1',
+        '--force-renewal', '-d', certname,
+    ])
+
+    key1 = join(context.config_dir, "archive", certname, 'privkey1.pem')
+    assert 200 < os.stat(key1).st_size < 250  # ec keys of 256 bits are ~225 bytes
+    assert_elliptic_key(key1, SECP256R1)
+    assert_cert_count_for_lineage(context.config_dir, certname, 1)
+
+    context.certbot(['renew', '--elliptic-curve', 'secp384r1'])
+
+    assert_cert_count_for_lineage(context.config_dir, certname, 2)
+    key2 = join(context.config_dir, 'archive', certname, 'privkey2.pem')
+    assert_elliptic_key(key2, SECP384R1)
+    assert 280 < os.stat(key2).st_size < 320  # ec keys of 384 bits are ~310 bytes
+
+    # We expect here that the command will fail because without --key-type specified,
+    # Certbot must error out to prevent changing an existing certificate key type,
+    # without explicit user consent (by specifying both --cert-name and --key-type).
+    with pytest.raises(subprocess.CalledProcessError):
+        context.certbot([
+            'certonly',
+            '--force-renewal',
+            '-d', certname
+        ])
+
+    # We expect that the previous behavior of requiring both --cert-name and
+    # --key-type to be set to not apply to the renew subcommand.
+    context.certbot(['renew', '--force-renewal', '--key-type', 'rsa'])
+    assert_cert_count_for_lineage(context.config_dir, certname, 3)
+    key3 = join(context.config_dir, 'archive', certname, 'privkey3.pem')
+    assert_rsa_key(key3)
+
+
 def test_ocsp_must_staple(context):
     """Test that OCSP Must-Staple is correctly set in the generated certificate."""
     if context.acme_server == 'pebble':
@@ -544,7 +620,8 @@ def test_revoke_multiple_lineages(context):
         'revoke', '--cert-path', join(context.config_dir, 'live', cert1, 'cert.pem')
     ])
 
-    assert 'Not deleting revoked certs due to overlapping archive dirs' in output
+    with open(join(context.workspace, 'logs', 'letsencrypt.log'), 'r') as f:
+        assert 'Not deleting revoked certs due to overlapping archive dirs' in f.read()
 
 
 def test_wildcard_certificates(context):
@@ -657,4 +734,4 @@ def test_preferred_chain(context):
 
         with open(conf_path, 'r') as f:
             assert 'preferred_chain = {}'.format(requested) in f.read(), \
-                   'Expected preferred_chain to be set in renewal config'
+                   'Expected preferred_chain to be set in renewal config'

certbot-ci/certbot_integration_tests/conftest.py

@@ -12,6 +12,8 @@ import subprocess
 import sys
 
 from certbot_integration_tests.utils import acme_server as acme_lib
+from certbot_integration_tests.utils import dns_server as dns_lib
+from certbot_integration_tests.utils.dns_server import DNSServer
 
 
 def pytest_addoption(parser):
@@ -23,6 +25,10 @@ def pytest_addoption(parser):
                      choices=['boulder-v1', 'boulder-v2', 'pebble'],
                      help='select the ACME server to use (boulder-v1, boulder-v2, '
                           'pebble), defaulting to pebble')
+    parser.addoption('--dns-server', default='challtestsrv',
+                     choices=['bind', 'challtestsrv'],
+                     help='select the DNS server to use (bind, challtestsrv), '
+                          'defaulting to challtestsrv')
 
 
 def pytest_configure(config):
@@ -32,7 +38,7 @@ def pytest_configure(config):
     """
     if not hasattr(config, 'slaveinput'):  # If true, this is the primary node
         with _print_on_err():
-            config.acme_xdist = _setup_primary_node(config)
+            _setup_primary_node(config)
 
 
 def pytest_configure_node(node):
@@ -41,6 +47,7 @@ def pytest_configure_node(node):
     :param node: current worker node
     """
     node.slaveinput['acme_xdist'] = node.config.acme_xdist
+    node.slaveinput['dns_xdist'] = node.config.dns_xdist
 
 
 @contextlib.contextmanager
@@ -61,12 +68,18 @@ def _print_on_err():
 def _setup_primary_node(config):
     """
     Setup the environment for integration tests.
-    Will:
+
+    This function will:
         - check runtime compatibility (Docker, docker-compose, Nginx)
         - create a temporary workspace and the persistent GIT repositories space
+        - configure and start a DNS server using Docker, if configured
         - configure and start paralleled ACME CA servers using Docker
-        - transfer ACME CA servers configurations to pytest nodes using env variables
+        - transfer ACME CA and DNS servers configurations to pytest nodes using env variables
-    :param config: Configuration of the pytest primary node
+
+    This function modifies `config` by injecting the ACME CA and DNS server configurations,
+    in addition to cleanup functions for those servers.
+
+    :param config: Configuration of the pytest primary node. Is modified by this function.
     """
     # Check for runtime compatibility: some tools are required to be available in PATH
     if 'boulder' in config.option.acme_server:
@@ -86,11 +99,26 @@ def _setup_primary_node(config):
     workers = ['primary'] if not config.option.numprocesses\
         else ['gw{0}'.format(i) for i in range(config.option.numprocesses)]
 
+    # If a non-default DNS server is configured, start it and feed it to the ACME server
+    dns_server = None
+    acme_dns_server = None
+    if config.option.dns_server == 'bind':
+        dns_server = dns_lib.DNSServer(workers)
+        config.add_cleanup(dns_server.stop)
+        print('DNS xdist config:\n{0}'.format(dns_server.dns_xdist))
+        dns_server.start()
+        acme_dns_server = '{}:{}'.format(
+            dns_server.dns_xdist['address'],
+            dns_server.dns_xdist['port']
+        )
+
     # By calling setup_acme_server we ensure that all necessary acme server instances will be
     # fully started. This runtime is reflected by the acme_xdist returned.
-    acme_server = acme_lib.ACMEServer(config.option.acme_server, workers)
+    acme_server = acme_lib.ACMEServer(config.option.acme_server, workers,
+                                      dns_server=acme_dns_server)
     config.add_cleanup(acme_server.stop)
     print('ACME xdist config:\n{0}'.format(acme_server.acme_xdist))
     acme_server.start()
 
-    return acme_server.acme_xdist
+    config.acme_xdist = acme_server.acme_xdist
+    config.dns_xdist = dns_server.dns_xdist if dns_server else None

certbot-ci/certbot_integration_tests/nginx_tests/nginx_config.py

@@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 """General purpose nginx test configuration generator."""
 import getpass
 
@@ -42,6 +43,8 @@ events {{
   worker_connections 1024;
 }}
 
+# “This comment contains valid Unicode”.
+
 http {{
   # Set an array of temp, cache and log file options that will otherwise default to
   # restricted locations accessible only to root.
@@ -51,61 +54,61 @@ http {{
   #scgi_temp_path {nginx_root}/scgi_temp;
   #uwsgi_temp_path {nginx_root}/uwsgi_temp;
   access_log {nginx_root}/error.log;
-  
+
   # This should be turned off in a Virtualbox VM, as it can cause some
   # interesting issues with data corruption in delivered files.
   sendfile off;
-  
+
   tcp_nopush on;
   tcp_nodelay on;
   keepalive_timeout 65;
   types_hash_max_size 2048;
-  
+
   #include /etc/nginx/mime.types;
   index index.html index.htm index.php;
-  
+
   log_format   main '$remote_addr - $remote_user [$time_local] $status '
     '"$request" $body_bytes_sent "$http_referer" '
     '"$http_user_agent" "$http_x_forwarded_for"';
-    
+
   default_type application/octet-stream;
-  
+
   server {{
     # IPv4.
     listen {http_port} {default_server};
     # IPv6.
     listen [::]:{http_port} {default_server};
     server_name nginx.{wtf_prefix}.wtf nginx2.{wtf_prefix}.wtf;
-    
+
     root {nginx_webroot};
-    
+
     location / {{
       # First attempt to serve request as file, then as directory, then fall
       # back to index.html.
       try_files $uri $uri/ /index.html;
     }}
   }}
-  
+
   server {{
     listen {http_port};
     listen [::]:{http_port};
     server_name nginx3.{wtf_prefix}.wtf;
-    
+
     root {nginx_webroot};
-    
+
     location /.well-known/ {{
       return 404;
     }}
-    
+
     return 301 https://$host$request_uri;
   }}
-  
+
   server {{
     listen {other_port};
     listen [::]:{other_port};
     server_name nginx4.{wtf_prefix}.wtf nginx5.{wtf_prefix}.wtf;
   }}
-  
+
   server {{
     listen {http_port};
     listen [::]:{http_port};

certbot-ci/certbot_integration_tests/rfc2136_tests/context.py

@@ -0,0 +1,64 @@
+from contextlib import contextmanager
+from pytest import skip
+from pkg_resources import resource_filename
+import tempfile
+
+from certbot_integration_tests.certbot_tests import context as certbot_context
+from certbot_integration_tests.utils import certbot_call
+
+
+class IntegrationTestsContext(certbot_context.IntegrationTestsContext):
+    """Integration test context for certbot-dns-rfc2136"""
+    def __init__(self, request):
+        super(IntegrationTestsContext, self).__init__(request)
+
+        self.request = request
+
+        self._dns_xdist = None
+        if hasattr(request.config, 'slaveinput'):  # Worker node
+            self._dns_xdist = request.config.slaveinput['dns_xdist']
+        else:  # Primary node
+            self._dns_xdist = request.config.dns_xdist
+
+    def certbot_test_rfc2136(self, args):
+        """
+        Main command to execute certbot using the RFC2136 DNS authenticator.
+        :param list args: list of arguments to pass to Certbot
+        """
+        command = ['--authenticator', 'dns-rfc2136', '--dns-rfc2136-propagation-seconds', '2']
+        command.extend(args)
+        return certbot_call.certbot_test(
+            command, self.directory_url, self.http_01_port, self.tls_alpn_01_port,
+            self.config_dir, self.workspace, force_renew=True)
+
+    @contextmanager
+    def rfc2136_credentials(self, label='default'):
+        # type: (str) -> str
+        """
+        Produces the contents of a certbot-dns-rfc2136 credentials file.
+        :param str label: which RFC2136 credential to use
+        :yields: Path to credentials file
+        :rtype: str
+        """
+        src_file = resource_filename('certbot_integration_tests',
+                                     'assets/bind-config/rfc2136-credentials-{}.ini.tpl'
+                                     .format(label))
+        contents = None
+
+        with open(src_file, 'r') as f:
+            contents = f.read().format(
+                server_address=self._dns_xdist['address'],
+                server_port=self._dns_xdist['port']
+            )
+
+        with tempfile.NamedTemporaryFile('w+', prefix='rfc2136-creds-{}'.format(label),
+                                         suffix='.ini', dir=self.workspace) as f:
+            f.write(contents)
+            f.flush()
+            yield f.name
+
+    def skip_if_no_bind9_server(self):
+        """Skips the test if there was no RFC2136-capable DNS server configured
+        in the test environment"""
+        if not self._dns_xdist:
+            skip('No RFC2136-capable DNS server is configured')

certbot-ci/certbot_integration_tests/rfc2136_tests/test_main.py

@@ -0,0 +1,25 @@
+"""Module executing integration tests against Certbot with the RFC2136 DNS authenticator."""
+import pytest
+
+from certbot_integration_tests.rfc2136_tests import context as rfc2136_context
+
+
+@pytest.fixture()
+def context(request):
+    # Fixture request is a built-in pytest fixture describing current test request.
+    integration_test_context = rfc2136_context.IntegrationTestsContext(request)
+    try:
+        yield integration_test_context
+    finally:
+        integration_test_context.cleanup()
+
+
+@pytest.mark.parametrize('domain', [('example.com'), ('sub.example.com')])
+def test_get_certificate(domain, context):
+    context.skip_if_no_bind9_server()
+
+    with context.rfc2136_credentials() as creds:
+        context.certbot_test_rfc2136([
+            'certonly', '--dns-rfc2136-credentials', creds,
+            '-d', domain, '-d', '*.{}'.format(domain)
+        ])

certbot-ci/certbot_integration_tests/utils/acme_server.py

@@ -2,10 +2,12 @@
 """Module to setup an ACME CA server environment able to run multiple tests in parallel"""
 from __future__ import print_function
 
+import argparse
 import errno
 import json
 import os
 from os.path import join
+import re
 import shutil
 import subprocess
 import sys
@@ -32,13 +34,14 @@ class ACMEServer(object):
     ACMEServer is also a context manager, and so can be used to ensure ACME server is started/stopped
     upon context enter/exit.
     """
-    def __init__(self, acme_server, nodes, http_proxy=True, stdout=False):
+    def __init__(self, acme_server, nodes, http_proxy=True, stdout=False, dns_server=None):
         """
         Create an ACMEServer instance.
         :param str acme_server: the type of acme server used (boulder-v1, boulder-v2 or pebble)
         :param list nodes: list of node names that will be setup by pytest xdist
         :param bool http_proxy: if False do not start the HTTP proxy
         :param bool stdout: if True stream all subprocesses stdout to standard stdout
+        :param str dns_server: if set, Pebble/Boulder will use it to resolve domains
         """
         self._construct_acme_xdist(acme_server, nodes)
 
@@ -47,6 +50,7 @@ class ACMEServer(object):
         self._workspace = tempfile.mkdtemp()
         self._processes = []
         self._stdout = sys.stdout if stdout else open(os.devnull, 'w')
+        self._dns_server = dns_server
 
     def start(self):
         """Start the test stack"""
@@ -132,18 +136,23 @@ class ACMEServer(object):
         environ['PEBBLE_AUTHZREUSE'] = '100'
         environ['PEBBLE_ALTERNATE_ROOTS'] = str(PEBBLE_ALTERNATE_ROOTS)
 
+        if self._dns_server:
+            dns_server = self._dns_server
+        else:
+            dns_server = '127.0.0.1:8053'
+            self._launch_process(
+                [challtestsrv_path, '-management', ':{0}'.format(CHALLTESTSRV_PORT),
+                 '-defaultIPv6', '""', '-defaultIPv4', '127.0.0.1', '-http01', '""',
+                 '-tlsalpn01', '""', '-https01', '""'])
+
         self._launch_process(
-            [pebble_path, '-config', pebble_config_path, '-dnsserver', '127.0.0.1:8053', '-strict'],
+            [pebble_path, '-config', pebble_config_path, '-dnsserver', dns_server, '-strict'],
             env=environ)
 
-        self._launch_process(
+        # pebble_ocsp_server is imported here and not at the top of module in order to avoid a
-            [challtestsrv_path, '-management', ':{0}'.format(CHALLTESTSRV_PORT), '-defaultIPv6', '""',
+        # useless ImportError, in the case where cryptography dependency is too old to support ocsp,
-             '-defaultIPv4', '127.0.0.1', '-http01', '""', '-tlsalpn01', '""', '-https01', '""'])
+        # but Boulder is used instead of Pebble, so pebble_ocsp_server is not used. This is the
-
+        # typical situation of integration-certbot-oldest tox testenv.
-        # pebble_ocsp_server is imported here and not at the top of module in order to avoid a useless
-        # ImportError, in the case where cryptography dependency is too old to support ocsp, but
-        # Boulder is used instead of Pebble, so pebble_ocsp_server is not used. This is the typical
-        # situation of integration-certbot-oldest tox testenv.
         from certbot_integration_tests.utils import pebble_ocsp_server
         self._launch_process([sys.executable, pebble_ocsp_server.__file__])
 
@@ -167,6 +176,15 @@ class ACMEServer(object):
         os.rename(join(instance_path, 'test/rate-limit-policies-b.yml'),
                   join(instance_path, 'test/rate-limit-policies.yml'))
 
+        if self._dns_server:
+            # Change Boulder config to use the provided DNS server
+            for suffix in ["", "-remote-a", "-remote-b"]:
+                with open(join(instance_path, 'test/config/va{}.json'.format(suffix)), 'r') as f:
+                    config = json.loads(f.read())
+                config['va']['dnsResolvers'] = [self._dns_server]
+                with open(join(instance_path, 'test/config/va{}.json'.format(suffix)), 'w') as f:
+                    f.write(json.dumps(config, indent=2, separators=(',', ': ')))
+
         try:
             # Launch the Boulder server
             self._launch_process(['docker-compose', 'up', '--force-recreate'], cwd=instance_path)
@@ -175,10 +193,11 @@ class ACMEServer(object):
             print('=> Waiting for boulder instance to respond...')
             misc.check_until_timeout(self.acme_xdist['directory_url'], attempts=300)
 
-            # Configure challtestsrv to answer any A record request with ip of the docker host.
+            if not self._dns_server:
-            response = requests.post('http://localhost:{0}/set-default-ipv4'.format(CHALLTESTSRV_PORT),
+                # Configure challtestsrv to answer any A record request with ip of the docker host.
-                                     json={'ip': '10.77.77.1'})
+                response = requests.post('http://localhost:{0}/set-default-ipv4'.format(CHALLTESTSRV_PORT),
-            response.raise_for_status()
+                                         json={'ip': '10.77.77.1'})
+                response.raise_for_status()
         except BaseException:
             # If we failed to set up boulder, print its logs.
             print('=> Boulder setup failed. Boulder logs are:')
@@ -208,14 +227,19 @@ class ACMEServer(object):
 
 
 def main():
-    args = sys.argv[1:]
+    parser = argparse.ArgumentParser(
-    server_type = args[0] if args else 'pebble'
+        description='CLI tool to start a local instance of Pebble or Boulder CA server.')
-    possible_values = ('pebble', 'boulder-v1', 'boulder-v2')
+    parser.add_argument('--server-type', '-s',
-    if server_type not in possible_values:
+                        choices=['pebble', 'boulder-v1', 'boulder-v2'], default='pebble',
-        raise ValueError('Invalid server value {0}, should be one of {1}'
+                        help='type of CA server to start: can be Pebble or Boulder '
-                         .format(server_type, possible_values))
+                             '(in ACMEv1 or ACMEv2 mode), Pebble is used if not set.')
+    parser.add_argument('--dns-server', '-d',
+                        help='specify the DNS server as `IP:PORT` to use by '
+                             'Pebble; if not specified, a local mock DNS server will be used to '
+                             'resolve domains to localhost.')
+    args = parser.parse_args()
 
-    acme_server = ACMEServer(server_type, [], http_proxy=False, stdout=True)
+    acme_server = ACMEServer(args.server_type, [], http_proxy=False, stdout=True, dns_server=args.dns_server)
 
     try:
         with acme_server as acme_xdist:

certbot-ci/certbot_integration_tests/utils/certbot_call.py

@@ -92,6 +92,7 @@ def _prepare_args_env(certbot_args, directory_url, http_01_port, tls_alpn_01_por
         '--no-verify-ssl',
         '--http-01-port', str(http_01_port),
         '--https-port', str(tls_alpn_01_port),
+        '--manual-public-ip-logging-ok',
         '--config-dir', config_dir,
         '--work-dir', os.path.join(workspace, 'work'),
         '--logs-dir', os.path.join(workspace, 'logs'),

certbot-ci/certbot_integration_tests/utils/dns_server.py

@@ -0,0 +1,144 @@
+#!/usr/bin/env python
+"""Module to setup an RFC2136-capable DNS server"""
+from __future__ import print_function
+
+import os
+import os.path
+from pkg_resources import resource_filename
+import shutil
+import socket
+import subprocess
+import sys
+import tempfile
+import time
+
+
+BIND_DOCKER_IMAGE = 'internetsystemsconsortium/bind9:9.16'
+BIND_BIND_ADDRESS = ('127.0.0.1', 45953)
+
+# A TCP DNS message which is a query for '. CH A' transaction ID 0xcb37. This is used
+# by _wait_until_ready to check that BIND is responding without depending on dnspython.
+BIND_TEST_QUERY = bytearray.fromhex('0011cb37000000010000000000000000010003')
+
+
+class DNSServer(object):
+    """
+    DNSServer configures and handles the lifetime of an RFC2136-capable server.
+    DNServer provides access to the dns_xdist parameter, listing the address and port
+    to use for each pytest node.
+
+    At this time, DNSServer should only be used with a single node, but may be expanded in
+    future to support parallelization (https://github.com/certbot/certbot/issues/8455).
+    """
+
+    def __init__(self, nodes, show_output=False):
+        """
+        Create an DNSServer instance.
+        :param list nodes: list of node names that will be setup by pytest xdist
+        :param bool show_output: if True, print the output of the DNS server
+        """
+
+        self.bind_root = tempfile.mkdtemp()
+
+        self.process = None
+
+        self.dns_xdist = {
+            'address': BIND_BIND_ADDRESS[0],
+            'port': BIND_BIND_ADDRESS[1]
+        }
+
+        # Unfortunately the BIND9 image forces everything to stderr with -g and we can't
+        # modify the verbosity.
+        self._output = sys.stderr if show_output else open(os.devnull, 'w')
+
+    def start(self):
+        """Start the DNS server"""
+        try:
+            self._configure_bind()
+            self._start_bind()
+        except:
+            self.stop()
+            raise
+
+    def stop(self):
+        """Stop the DNS server, and clean its resources"""
+        if self.process:
+          try:
+              self.process.terminate()
+              self.process.wait()
+          except BaseException as e:
+              print("BIND9 did not stop cleanly: {}".format(e), file=sys.stderr)
+
+        shutil.rmtree(self.bind_root, ignore_errors=True)
+
+        if self._output != sys.stderr:
+            self._output.close()
+
+    def _configure_bind(self):
+        """Configure the BIND9 server based on the prebaked configuration"""
+        bind_conf_src = resource_filename('certbot_integration_tests', 'assets/bind-config')
+        for dir in ('conf', 'zones'):
+          shutil.copytree(os.path.join(bind_conf_src, dir), os.path.join(self.bind_root, dir))
+
+    def _start_bind(self):
+        """Launch the BIND9 server as a Docker container"""
+        addr_str = '{}:{}'.format(BIND_BIND_ADDRESS[0], BIND_BIND_ADDRESS[1])
+        self.process = subprocess.Popen([
+          'docker', 'run', '--rm',
+          '-p', '{}:53/udp'.format(addr_str),
+          '-p', '{}:53/tcp'.format(addr_str),
+          '-v', '{}/conf:/etc/bind'.format(self.bind_root),
+          '-v', '{}/zones:/var/lib/bind'.format(self.bind_root),
+          BIND_DOCKER_IMAGE
+        ], stdout=self._output, stderr=self._output)
+
+        if self.process.poll():
+            raise("BIND9 server stopped unexpectedly")
+
+        try:
+          self._wait_until_ready()
+        except:
+          # The container might be running even if we think it isn't
+          self.stop()
+          raise
+
+    def _wait_until_ready(self, attempts=30):
+      # type: (int) -> None
+      """
+      Polls the DNS server over TCP until it gets a response, or until
+      it runs out of attempts and raises a ValueError.
+      The DNS response message must match the txn_id of the DNS query message,
+      but otherwise the contents are ignored.
+      :param int attempts: The number of attempts to make.
+      """
+      for _ in range(attempts):
+        if self.process.poll():
+          raise ValueError('BIND9 server stopped unexpectedly')
+
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        sock.settimeout(5.0)
+        try:
+          sock.connect(BIND_BIND_ADDRESS)
+          sock.sendall(BIND_TEST_QUERY)
+          buf = sock.recv(1024)
+          # We should receive a DNS message with the same tx_id
+          if buf and len(buf) > 4 and buf[2:4] == BIND_TEST_QUERY[2:4]:
+            return
+          # If we got a response but it wasn't the one we wanted, wait a little
+          time.sleep(1)
+        except:
+          # If there was a network error, wait a little
+          time.sleep(1)
+          pass
+        finally:
+          sock.close()
+
+      raise ValueError(
+        'Gave up waiting for DNS server {} to respond'.format(BIND_BIND_ADDRESS))
+
+    def __enter__(self):
+        self.start()
+        return self.dns_xdist
+
+    def __exit__(self, exc_type, exc_val, exc_tb):
+        self.stop()

certbot-ci/certbot_integration_tests/utils/misc.py

@@ -280,7 +280,11 @@ def load_sample_data_path(workspace):
 
     if os.name == 'nt':
         # Fix the symlinks on Windows if GIT is not configured to create them upon checkout
-        for lineage in ['a.encryption-example.com', 'b.encryption-example.com']:
+        for lineage in [
+            'a.encryption-example.com',
+            'b.encryption-example.com',
+            'c.encryption-example.com',
+        ]:
             current_live = os.path.join(copied, 'live', lineage)
             for name in os.listdir(current_live):
                 if name != 'README':

certbot-ci/setup.py

@@ -52,6 +52,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
     ],

certbot-ci/windows_installer_integration_tests/conftest.py

@@ -9,8 +9,6 @@ See https://docs.pytest.org/en/latest/reference.html#hook-reference
 from __future__ import print_function
 import os
 
-import pytest
-
 ROOT_PATH = os.path.dirname(os.path.dirname(os.path.dirname(__file__)))
 
 

certbot-compatibility-test/certbot_compatibility_test/configurators/common.py

@@ -69,11 +69,10 @@ class Proxy(object):
         shutil.copy(cert_path, cert)
         key = os.path.join(cert_and_key_dir, "key")
         shutil.copy(key_path, key)
+        chain = None
         if chain_path:
             chain = os.path.join(cert_and_key_dir, "chain")
             shutil.copy(chain_path, chain)
-        else:
-            chain = None
 
         return cert, key, chain
 

certbot-compatibility-test/certbot_compatibility_test/validator.py

@@ -18,7 +18,7 @@ class Validator(object):
     def certificate(self, cert, name, alt_host=None, port=443):
         """Verifies the certificate presented at name is cert"""
         if alt_host is None:
-            host = socket.gethostbyname(name)
+            host = socket.gethostbyname(name).encode()
         elif isinstance(alt_host, six.binary_type):
             host = alt_host
         else:

certbot-compatibility-test/setup.py

@@ -5,7 +5,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 install_requires = [
     'certbot',
@@ -50,6 +50,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
     ],

certbot-dns-cloudflare/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -63,6 +63,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-cloudflare/snap/hooks/post-refresh

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
-
-# get certbot version
-if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
-  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
-  exit 0
-fi
-cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
-
-# get required certbot version for plugin. certbot version must be at least the plugin's
-# version. note that this is not the required version in setup.py, but the version number itself.
-cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
-
-
-$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
-if [ "$exit_code" -eq 1 ]; then
-  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
-    "this plugin can be updated; will try again on next refresh."
-  exit 1
-fi

certbot-dns-cloudflare/snap/snapcraft.yaml

@@ -1,41 +0,0 @@
-# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
-name: certbot-dns-cloudflare
-summary: Cloudflare DNS Authenticator plugin for Certbot
-description: Cloudflare DNS Authenticator plugin for Certbot
-confinement: strict
-grade: stable
-base: core20
-adopt-info: certbot-dns-cloudflare
-
-parts:
-  certbot-dns-cloudflare:
-    plugin: python
-    source: .
-    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
-    override-pull: |
-        snapcraftctl pull
-        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
-    build-environment:
-      - SNAP_BUILD: "True"
-    # To build cryptography and cffi if needed
-    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
-  certbot-metadata:
-    plugin: dump
-    source: .
-    stage: [setup.py, certbot-shared]
-    override-pull: |
-        snapcraftctl pull
-        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
-
-slots:
-  certbot:
-    interface: content
-    content: certbot-1
-    read:
-      - $SNAP/lib/python3.8/site-packages
-
-plugs:
-  certbot-metadata:
-    interface: content
-    content: metadata-1
-    target: $SNAP/certbot-shared

certbot-dns-cloudxns/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -63,6 +63,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-cloudxns/snap/hooks/post-refresh

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
-
-# get certbot version
-if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
-  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
-  exit 0
-fi
-cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
-
-# get required certbot version for plugin. certbot version must be at least the plugin's
-# version. note that this is not the required version in setup.py, but the version number itself.
-cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
-
-
-$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
-if [ "$exit_code" -eq 1 ]; then
-  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
-    "this plugin can be updated; will try again on next refresh."
-  exit 1
-fi

certbot-dns-cloudxns/snap/snapcraft.yaml

@@ -1,41 +0,0 @@
-# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
-name: certbot-dns-cloudxns
-summary: CloudXNS DNS Authenticator plugin for Certbot
-description: CloudXNS DNS Authenticator plugin for Certbot
-confinement: strict
-grade: stable
-base: core20
-adopt-info: certbot-dns-cloudxns
-
-parts:
-  certbot-dns-cloudxns:
-    plugin: python
-    source: .
-    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
-    override-pull: |
-        snapcraftctl pull
-        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
-    build-environment:
-      - SNAP_BUILD: "True"
-    # To build cryptography and cffi if needed
-    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
-  certbot-metadata:
-    plugin: dump
-    source: .
-    stage: [setup.py, certbot-shared]
-    override-pull: |
-        snapcraftctl pull
-        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
-
-slots:
-  certbot:
-    interface: content
-    content: certbot-1
-    read:
-      - $SNAP/lib/python3.8/site-packages
-
-plugs:
-  certbot-metadata:
-    interface: content
-    content: metadata-1
-    target: $SNAP/certbot-shared

certbot-dns-digitalocean/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -64,6 +64,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-digitalocean/snap/hooks/post-refresh

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
-
-# get certbot version
-if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
-  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
-  exit 0
-fi
-cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
-
-# get required certbot version for plugin. certbot version must be at least the plugin's
-# version. note that this is not the required version in setup.py, but the version number itself.
-cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
-
-
-$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
-if [ "$exit_code" -eq 1 ]; then
-  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
-    "this plugin can be updated; will try again on next refresh."
-  exit 1
-fi

certbot-dns-digitalocean/snap/snapcraft.yaml

@@ -1,41 +0,0 @@
-# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
-name: certbot-dns-digitalocean
-summary: DigitalOcean DNS Authenticator plugin for Certbot
-description: DigitalOcean DNS Authenticator plugin for Certbot
-confinement: strict
-grade: stable
-base: core20
-adopt-info: certbot-dns-digitalocean
-
-parts:
-  certbot-dns-digitalocean:
-    plugin: python
-    source: .
-    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
-    override-pull: |
-        snapcraftctl pull
-        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
-    build-environment:
-      - SNAP_BUILD: "True"
-    # To build cryptography and cffi if needed
-    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
-  certbot-metadata:
-    plugin: dump
-    source: .
-    stage: [setup.py, certbot-shared]
-    override-pull: |
-        snapcraftctl pull
-        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
-
-slots:
-  certbot:
-    interface: content
-    content: certbot-1
-    read:
-      - $SNAP/lib/python3.8/site-packages
-
-plugs:
-  certbot-metadata:
-    interface: content
-    content: metadata-1
-    target: $SNAP/certbot-shared

certbot-dns-dnsimple/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -74,6 +74,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-dnsimple/snap/hooks/post-refresh

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
-
-# get certbot version
-if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
-  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
-  exit 0
-fi
-cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
-
-# get required certbot version for plugin. certbot version must be at least the plugin's
-# version. note that this is not the required version in setup.py, but the version number itself.
-cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
-
-
-$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
-if [ "$exit_code" -eq 1 ]; then
-  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
-    "this plugin can be updated; will try again on next refresh."
-  exit 1
-fi

certbot-dns-dnsimple/snap/snapcraft.yaml

@@ -1,41 +0,0 @@
-# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
-name: certbot-dns-dnsimple
-summary: DNSimple DNS Authenticator plugin for Certbot
-description: DNSimple DNS Authenticator plugin for Certbot
-confinement: strict
-grade: stable
-base: core20
-adopt-info: certbot-dns-dnsimple
-
-parts:
-  certbot-dns-dnsimple:
-    plugin: python
-    source: .
-    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
-    override-pull: |
-        snapcraftctl pull
-        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
-    build-environment:
-      - SNAP_BUILD: "True"
-    # To build cryptography and cffi if needed
-    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
-  certbot-metadata:
-    plugin: dump
-    source: .
-    stage: [setup.py, certbot-shared]
-    override-pull: |
-        snapcraftctl pull
-        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
-
-slots:
-  certbot:
-    interface: content
-    content: certbot-1
-    read:
-      - $SNAP/lib/python3.8/site-packages
-
-plugs:
-  certbot-metadata:
-    interface: content
-    content: metadata-1
-    target: $SNAP/certbot-shared

certbot-dns-dnsmadeeasy/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -63,6 +63,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-dnsmadeeasy/snap/hooks/post-refresh

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
-
-# get certbot version
-if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
-  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
-  exit 0
-fi
-cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
-
-# get required certbot version for plugin. certbot version must be at least the plugin's
-# version. note that this is not the required version in setup.py, but the version number itself.
-cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
-
-
-$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
-if [ "$exit_code" -eq 1 ]; then
-  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
-    "this plugin can be updated; will try again on next refresh."
-  exit 1
-fi

certbot-dns-dnsmadeeasy/snap/snapcraft.yaml

@@ -1,41 +0,0 @@
-# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
-name: certbot-dns-dnsmadeeasy
-summary: DNS Made Easy DNS Authenticator plugin for Certbot
-description: DNS Made Easy DNS Authenticator plugin for Certbot
-confinement: strict
-grade: stable
-base: core20
-adopt-info: certbot-dns-dnsmadeeasy
-
-parts:
-  certbot-dns-dnsmadeeasy:
-    plugin: python
-    source: .
-    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
-    override-pull: |
-        snapcraftctl pull
-        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
-    build-environment:
-      - SNAP_BUILD: "True"
-    # To build cryptography and cffi if needed
-    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
-  certbot-metadata:
-    plugin: dump
-    source: .
-    stage: [setup.py, certbot-shared]
-    override-pull: |
-        snapcraftctl pull
-        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
-
-slots:
-  certbot:
-    interface: content
-    content: certbot-1
-    read:
-      - $SNAP/lib/python3.8/site-packages
-
-plugs:
-  certbot-metadata:
-    interface: content
-    content: metadata-1
-    target: $SNAP/certbot-shared

certbot-dns-gehirn/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
@@ -62,6 +62,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-gehirn/snap/hooks/post-refresh

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
-
-# get certbot version
-if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
-  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
-  exit 0
-fi
-cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
-
-# get required certbot version for plugin. certbot version must be at least the plugin's
-# version. note that this is not the required version in setup.py, but the version number itself.
-cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
-
-
-$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
-if [ "$exit_code" -eq 1 ]; then
-  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
-    "this plugin can be updated; will try again on next refresh."
-  exit 1
-fi

certbot-dns-gehirn/snap/snapcraft.yaml

@@ -1,41 +0,0 @@
-# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
-name: certbot-dns-gehirn
-summary: Gehirn Infrastructure Service DNS Authenticator plugin for Certbot
-description: Gehirn Infrastructure Service DNS Authenticator plugin for Certbot
-confinement: strict
-grade: stable
-base: core20
-adopt-info: certbot-dns-gehirn
-
-parts:
-  certbot-dns-gehirn:
-    plugin: python
-    source: .
-    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
-    override-pull: |
-        snapcraftctl pull
-        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
-    build-environment:
-      - SNAP_BUILD: "True"
-    # To build cryptography and cffi if needed
-    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
-  certbot-metadata:
-    plugin: dump
-    source: .
-    stage: [setup.py, certbot-shared]
-    override-pull: |
-        snapcraftctl pull
-        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
-
-slots:
-  certbot:
-    interface: content
-    content: certbot-1
-    read:
-      - $SNAP/lib/python3.8/site-packages
-
-plugs:
-  certbot-metadata:
-    interface: content
-    content: metadata-1
-    target: $SNAP/certbot-shared

certbot-dns-google/certbot_dns_google/_internal/dns_google.py

@@ -85,9 +85,13 @@ class _GoogleClient(object):
 
         scopes = ['https://www.googleapis.com/auth/ndev.clouddns.readwrite']
         if account_json is not None:
-            credentials = ServiceAccountCredentials.from_json_keyfile_name(account_json, scopes)
+            try:
-            with open(account_json) as account:
+                credentials = ServiceAccountCredentials.from_json_keyfile_name(account_json, scopes)
-                self.project_id = json.load(account)['project_id']
+                with open(account_json) as account:
+                    self.project_id = json.load(account)['project_id']
+            except Exception as e:
+                raise errors.PluginError(
+                    "Error parsing credentials file '{}': {}".format(account_json, e))
         else:
             credentials = None
             self.project_id = self.get_project_id()

certbot-dns-google/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -66,6 +66,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-google/snap/hooks/post-refresh

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
-
-# get certbot version
-if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
-  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
-  exit 0
-fi
-cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
-
-# get required certbot version for plugin. certbot version must be at least the plugin's
-# version. note that this is not the required version in setup.py, but the version number itself.
-cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
-
-
-$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
-if [ "$exit_code" -eq 1 ]; then
-  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
-    "this plugin can be updated; will try again on next refresh."
-  exit 1
-fi

certbot-dns-google/snap/snapcraft.yaml

@@ -1,41 +0,0 @@
-# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
-name: certbot-dns-google
-summary: Google Cloud DNS Authenticator plugin for Certbot
-description: Google Cloud DNS Authenticator plugin for Certbot
-confinement: strict
-grade: stable
-base: core20
-adopt-info: certbot-dns-google
-
-parts:
-  certbot-dns-google:
-    plugin: python
-    source: .
-    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
-    override-pull: |
-        snapcraftctl pull
-        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
-    build-environment:
-      - SNAP_BUILD: "True"
-    # To build cryptography and cffi if needed
-    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
-  certbot-metadata:
-    plugin: dump
-    source: .
-    stage: [setup.py, certbot-shared]
-    override-pull: |
-        snapcraftctl pull
-        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
-
-slots:
-  certbot:
-    interface: content
-    content: certbot-1
-    read:
-      - $SNAP/lib/python3.8/site-packages
-
-plugs:
-  certbot-metadata:
-    interface: content
-    content: metadata-1
-    target: $SNAP/certbot-shared

certbot-dns-google/tests/dns_google_test.py

@@ -107,6 +107,17 @@ class GoogleClientTest(unittest.TestCase):
         self.assertFalse(credential_mock.called)
         self.assertTrue(get_project_id_mock.called)
 
+    @mock.patch('oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_name')
+    def test_client_bad_credentials_file(self, credential_mock):
+        credential_mock.side_effect = ValueError('Some exception buried in oauth2client')
+        with self.assertRaises(errors.PluginError) as cm:
+            self._setUp_client_with_mock([])
+        self.assertEqual(
+            str(cm.exception),
+            "Error parsing credentials file '/not/a/real/path.json': "
+            "Some exception buried in oauth2client"
+        )
+
     @mock.patch('oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_name')
     @mock.patch('certbot_dns_google._internal.dns_google.open',
                 mock.mock_open(read_data='{"project_id": "' + PROJECT_ID + '"}'), create=True)

certbot-dns-linode/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
@@ -62,6 +62,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-linode/snap/hooks/post-refresh

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
-
-# get certbot version
-if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
-  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
-  exit 0
-fi
-cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
-
-# get required certbot version for plugin. certbot version must be at least the plugin's
-# version. note that this is not the required version in setup.py, but the version number itself.
-cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
-
-
-$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
-if [ "$exit_code" -eq 1 ]; then
-  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
-    "this plugin can be updated; will try again on next refresh."
-  exit 1
-fi

certbot-dns-linode/snap/snapcraft.yaml

@@ -1,41 +0,0 @@
-# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
-name: certbot-dns-linode
-summary: Linode DNS Authenticator plugin for Certbot
-description: Linode DNS Authenticator plugin for Certbot
-confinement: strict
-grade: stable
-base: core20
-adopt-info: certbot-dns-linode
-
-parts:
-  certbot-dns-linode:
-    plugin: python
-    source: .
-    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
-    override-pull: |
-        snapcraftctl pull
-        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
-    build-environment:
-      - SNAP_BUILD: "True"
-    # To build cryptography and cffi if needed
-    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
-  certbot-metadata:
-    plugin: dump
-    source: .
-    stage: [setup.py, certbot-shared]
-    override-pull: |
-        snapcraftctl pull
-        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
-
-slots:
-  certbot:
-    interface: content
-    content: certbot-1
-    read:
-      - $SNAP/lib/python3.8/site-packages
-
-plugs:
-  certbot-metadata:
-    interface: content
-    content: metadata-1
-    target: $SNAP/certbot-shared

certbot-dns-luadns/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -63,6 +63,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-luadns/snap/hooks/post-refresh

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
-
-# get certbot version
-if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
-  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
-  exit 0
-fi
-cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
-
-# get required certbot version for plugin. certbot version must be at least the plugin's
-# version. note that this is not the required version in setup.py, but the version number itself.
-cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
-
-
-$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
-if [ "$exit_code" -eq 1 ]; then
-  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
-    "this plugin can be updated; will try again on next refresh."
-  exit 1
-fi

certbot-dns-luadns/snap/snapcraft.yaml

@@ -1,41 +0,0 @@
-# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
-name: certbot-dns-luadns
-summary: LuaDNS Authenticator plugin for Certbot
-description: LuaDNS Authenticator plugin for Certbot
-confinement: strict
-grade: stable
-base: core20
-adopt-info: certbot-dns-luadns
-
-parts:
-  certbot-dns-luadns:
-    plugin: python
-    source: .
-    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
-    override-pull: |
-        snapcraftctl pull
-        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
-    build-environment:
-      - SNAP_BUILD: "True"
-    # To build cryptography and cffi if needed
-    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
-  certbot-metadata:
-    plugin: dump
-    source: .
-    stage: [setup.py, certbot-shared]
-    override-pull: |
-        snapcraftctl pull
-        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
-
-slots:
-  certbot:
-    interface: content
-    content: certbot-1
-    read:
-      - $SNAP/lib/python3.8/site-packages
-
-plugs:
-  certbot-metadata:
-    interface: content
-    content: metadata-1
-    target: $SNAP/certbot-shared

certbot-dns-nsone/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -63,6 +63,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-nsone/snap/hooks/post-refresh

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
-
-# get certbot version
-if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
-  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
-  exit 0
-fi
-cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
-
-# get required certbot version for plugin. certbot version must be at least the plugin's
-# version. note that this is not the required version in setup.py, but the version number itself.
-cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
-
-
-$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
-if [ "$exit_code" -eq 1 ]; then
-  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
-    "this plugin can be updated; will try again on next refresh."
-  exit 1
-fi

certbot-dns-nsone/snap/snapcraft.yaml

@@ -1,41 +0,0 @@
-# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
-name: certbot-dns-nsone
-summary: NS1 DNS Authenticator plugin for Certbot
-description: NS1 DNS Authenticator plugin for Certbot
-confinement: strict
-grade: stable
-base: core20
-adopt-info: certbot-dns-nsone
-
-parts:
-  certbot-dns-nsone:
-    plugin: python
-    source: .
-    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
-    override-pull: |
-        snapcraftctl pull
-        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
-    build-environment:
-      - SNAP_BUILD: "True"
-    # To build cryptography and cffi if needed
-    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
-  certbot-metadata:
-    plugin: dump
-    source: .
-    stage: [setup.py, certbot-shared]
-    override-pull: |
-        snapcraftctl pull
-        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
-
-slots:
-  certbot:
-    interface: content
-    content: certbot-1
-    read:
-      - $SNAP/lib/python3.8/site-packages
-
-plugs:
-  certbot-metadata:
-    interface: content
-    content: metadata-1
-    target: $SNAP/certbot-shared

certbot-dns-ovh/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -63,6 +63,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-ovh/snap/hooks/post-refresh

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
-
-# get certbot version
-if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
-  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
-  exit 0
-fi
-cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
-
-# get required certbot version for plugin. certbot version must be at least the plugin's
-# version. note that this is not the required version in setup.py, but the version number itself.
-cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
-
-
-$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
-if [ "$exit_code" -eq 1 ]; then
-  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
-    "this plugin can be updated; will try again on next refresh."
-  exit 1
-fi

certbot-dns-ovh/snap/snapcraft.yaml

@@ -1,41 +0,0 @@
-# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
-name: certbot-dns-ovh
-summary: OVH DNS Authenticator plugin for Certbot
-description: OVH DNS Authenticator plugin for Certbot
-confinement: strict
-grade: stable
-base: core20
-adopt-info: certbot-dns-ovh
-
-parts:
-  certbot-dns-ovh:
-    plugin: python
-    source: .
-    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
-    override-pull: |
-        snapcraftctl pull
-        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
-    build-environment:
-      - SNAP_BUILD: "True"
-    # To build cryptography and cffi if needed
-    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
-  certbot-metadata:
-    plugin: dump
-    source: .
-    stage: [setup.py, certbot-shared]
-    override-pull: |
-        snapcraftctl pull
-        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
-
-slots:
-  certbot:
-    interface: content
-    content: certbot-1
-    read:
-      - $SNAP/lib/python3.8/site-packages
-
-plugs:
-  certbot-metadata:
-    interface: content
-    content: metadata-1
-    target: $SNAP/certbot-shared

certbot-dns-rfc2136/certbot_dns_rfc2136/_internal/dns_rfc2136.py

@@ -1,3 +1,13 @@
+# type: ignore
+# pylint: disable=no-member
+# Many attributes of dnspython are now dynamically defined which causes both
+# mypy and pylint to error about accessing attributes they think do not exist.
+# This is the case even in up-to-date versions of mypy and pylint which as of
+# writing this are 0.790 and 2.6.0 respectively. This problem may be fixed in
+# dnspython 2.1.0. See https://github.com/rthalley/dnspython/issues/598. For
+# now, let's disable these checks. This is done at the very top of the file
+# like this because "type: ignore" must be the first line in the file to be
+# respected by mypy.
 """DNS Authenticator using RFC 2136 Dynamic Updates."""
 import logging
 

certbot-dns-rfc2136/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -63,6 +63,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-rfc2136/snap/hooks/post-refresh

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
-
-# get certbot version
-if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
-  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
-  exit 0
-fi
-cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
-
-# get required certbot version for plugin. certbot version must be at least the plugin's
-# version. note that this is not the required version in setup.py, but the version number itself.
-cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
-
-
-$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
-if [ "$exit_code" -eq 1 ]; then
-  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
-    "this plugin can be updated; will try again on next refresh."
-  exit 1
-fi

certbot-dns-rfc2136/snap/snapcraft.yaml

@@ -1,41 +0,0 @@
-# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
-name: certbot-dns-rfc2136
-summary: RFC 2136 DNS Authenticator plugin for Certbot
-description: RFC 2136 DNS Authenticator plugin for Certbot
-confinement: strict
-grade: stable
-base: core20
-adopt-info: certbot-dns-rfc2136
-
-parts:
-  certbot-dns-rfc2136:
-    plugin: python
-    source: .
-    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
-    override-pull: |
-        snapcraftctl pull
-        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
-    build-environment:
-      - SNAP_BUILD: "True"
-    # To build cryptography and cffi if needed
-    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
-  certbot-metadata:
-    plugin: dump
-    source: .
-    stage: [setup.py, certbot-shared]
-    override-pull: |
-        snapcraftctl pull
-        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
-
-slots:
-  certbot:
-    interface: content
-    content: certbot-1
-    read:
-      - $SNAP/lib/python3.8/site-packages
-
-plugs:
-  certbot-metadata:
-    interface: content
-    content: metadata-1
-    target: $SNAP/certbot-shared

certbot-dns-rfc2136/tests/dns_rfc2136_test.py

@@ -154,7 +154,7 @@ class RFC2136ClientTest(unittest.TestCase):
         # _find_domain | pylint: disable=protected-access
         domain = self.rfc2136_client._find_domain('foo.bar.'+DOMAIN)
 
-        self.assertTrue(domain == DOMAIN)
+        self.assertEqual(domain, DOMAIN)
 
     def test_find_domain_wraps_errors(self):
         # _query_soa | pylint: disable=protected-access

certbot-dns-route53/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -58,6 +58,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-route53/snap/hooks/post-refresh

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
-
-# get certbot version
-if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
-  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
-  exit 0
-fi
-cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
-
-# get required certbot version for plugin. certbot version must be at least the plugin's
-# version. note that this is not the required version in setup.py, but the version number itself.
-cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
-
-
-$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
-if [ "$exit_code" -eq 1 ]; then
-  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
-    "this plugin can be updated; will try again on next refresh."
-  exit 1
-fi

certbot-dns-route53/snap/snapcraft.yaml

@@ -1,41 +0,0 @@
-# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
-name: certbot-dns-route53
-summary: Route53 DNS Authenticator plugin for Certbot
-description: Route53 DNS Authenticator plugin for Certbot
-confinement: strict
-grade: stable
-base: core20
-adopt-info: certbot-dns-route53
-
-parts:
-  certbot-dns-route53:
-    plugin: python
-    source: .
-    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
-    override-pull: |
-        snapcraftctl pull
-        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
-    build-environment:
-      - SNAP_BUILD: "True"
-    # To build cryptography and cffi if needed
-    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
-  certbot-metadata:
-    plugin: dump
-    source: .
-    stage: [setup.py, certbot-shared]
-    override-pull: |
-        snapcraftctl pull
-        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
-
-slots:
-  certbot:
-    interface: content
-    content: certbot-1
-    read:
-      - $SNAP/lib/python3.8/site-packages
-
-plugs:
-  certbot-metadata:
-    interface: content
-    content: metadata-1
-    target: $SNAP/certbot-shared

certbot-dns-sakuracloud/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.10.0.dev0'
+version = '1.11.0.dev0'
 
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
@@ -62,6 +62,7 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-sakuracloud/snap/hooks/post-refresh

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
-
-# get certbot version
-if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
-  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
-  exit 0
-fi
-cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
-
-# get required certbot version for plugin. certbot version must be at least the plugin's
-# version. note that this is not the required version in setup.py, but the version number itself.
-cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
-
-
-$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
-if [ "$exit_code" -eq 1 ]; then
-  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
-    "this plugin can be updated; will try again on next refresh."
-  exit 1
-fi

certbot-dns-sakuracloud/snap/snapcraft.yaml

@@ -1,41 +0,0 @@
-# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
-name: certbot-dns-sakuracloud
-summary: Sakura Cloud DNS Authenticator plugin for Certbot
-description: Sakura Cloud DNS Authenticator plugin for Certbot
-confinement: strict
-grade: stable
-base: core20
-adopt-info: certbot-dns-sakuracloud
-
-parts:
-  certbot-dns-sakuracloud:
-    plugin: python
-    source: .
-    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
-    override-pull: |
-        snapcraftctl pull
-        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
-    build-environment:
-      - SNAP_BUILD: "True"
-    # To build cryptography and cffi if needed
-    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
-  certbot-metadata:
-    plugin: dump
-    source: .
-    stage: [setup.py, certbot-shared]
-    override-pull: |
-        snapcraftctl pull
-        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
-
-slots:
-  certbot:
-    interface: content
-    content: certbot-1
-    read:
-      - $SNAP/lib/python3.8/site-packages
-
-plugs:
-  certbot-metadata:
-    interface: content
-    content: metadata-1
-    target: $SNAP/certbot-shared

certbot-nginx/certbot_nginx/_internal/configurator.py

@@ -16,6 +16,7 @@ from acme import crypto_util as acme_crypto_util
 from acme.magic_typing import Dict
 from acme.magic_typing import List
 from acme.magic_typing import Set
+from acme.magic_typing import Text
 from certbot import crypto_util
 from certbot import errors
 from certbot import interfaces
@@ -1175,7 +1176,7 @@ def nginx_restart(nginx_ctl, nginx_conf, sleep_duration):
 
     """
     try:
-        reload_output = "" # type: unicode
+        reload_output = u"" # type: Text
         with tempfile.TemporaryFile() as out:
             proc = subprocess.Popen([nginx_ctl, "-c", nginx_conf, "-s", "reload"],
                                     env=util.env_no_snap_for_external_calls(),

certbot-nginx/certbot_nginx/_internal/http_01.py

@@ -1,5 +1,6 @@
 """A class that performs HTTP-01 challenges for Nginx"""
 
+import io
 import logging
 
 from acme import challenges
@@ -102,7 +103,7 @@ class NginxHttp01(common.ChallengePerformer):
         self.configurator.reverter.register_file_creation(
             True, self.challenge_conf)
 
-        with open(self.challenge_conf, "w") as new_conf:
+        with io.open(self.challenge_conf, "w", encoding="utf-8") as new_conf:
             nginxparser.dump(config, new_conf)
 
     def _default_listen_addresses(self):

certbot-nginx/certbot_nginx/_internal/nginxparser.py

@@ -16,6 +16,7 @@ from pyparsing import stringEnd
 from pyparsing import White
 from pyparsing import ZeroOrMore
 import six
+from acme.magic_typing import IO, Any # pylint: disable=unused-import
 
 logger = logging.getLogger(__name__)
 
@@ -130,26 +131,27 @@ def load(_file):
 
 
 def dumps(blocks):
-    """Dump to a string.
+    # type: (UnspacedList) -> six.text_type
+    """Dump to a Unicode string.
 
     :param UnspacedList block: The parsed tree
-    :param int indentation: The number of spaces to indent
+    :rtype: six.text_type
-    :rtype: str
 
     """
-    return str(RawNginxDumper(blocks.spaced))
+    return six.text_type(RawNginxDumper(blocks.spaced))
 
 
 def dump(blocks, _file):
+    # type: (UnspacedList, IO[Any]) -> None
     """Dump to a file.
 
     :param UnspacedList block: The parsed tree
-    :param file _file: The file to dump to
+    :param IO[Any] _file: The file stream to dump to. It must be opened with
-    :param int indentation: The number of spaces to indent
+                          Unicode encoding.
-    :rtype: NoneType
+    :rtype: None
 
     """
-    return _file.write(dumps(blocks))
+    _file.write(dumps(blocks))
 
 
 spacey = lambda x: (isinstance(x, six.string_types) and x.isspace()) or x == ''