Merge branch 'master' into drop-python2

# Conflicts:
#	.azure-pipelines/templates/jobs/standard-tests-jobs.yml

.azure-pipelines/main.yml

@@ -5,3 +5,4 @@ pr:
 
 jobs:
   - template: templates/jobs/standard-tests-jobs.yml
+

.azure-pipelines/templates/jobs/extended-tests-jobs.yml

@@ -22,25 +22,21 @@ jobs:
           TOXENV: py37
           CERTBOT_NO_PIN: 1
         linux-boulder-v1-integration-certbot-oldest:
+          PYTHON_VERSION: 3.6
           TOXENV: integration-certbot-oldest
           ACME_SERVER: boulder-v1
         linux-boulder-v2-integration-certbot-oldest:
+          PYTHON_VERSION: 3.6
           TOXENV: integration-certbot-oldest
           ACME_SERVER: boulder-v2
         linux-boulder-v1-integration-nginx-oldest:
+          PYTHON_VERSION: 3.6
           TOXENV: integration-nginx-oldest
           ACME_SERVER: boulder-v1
         linux-boulder-v2-integration-nginx-oldest:
+          PYTHON_VERSION: 3.6
           TOXENV: integration-nginx-oldest
           ACME_SERVER: boulder-v2
-        linux-boulder-v1-py27-integration:
-          PYTHON_VERSION: 2.7
-          TOXENV: integration
-          ACME_SERVER: boulder-v1
-        linux-boulder-v2-py27-integration:
-          PYTHON_VERSION: 2.7
-          TOXENV: integration
-          ACME_SERVER: boulder-v2
         linux-boulder-v1-py36-integration:
           PYTHON_VERSION: 3.6
           TOXENV: integration

.azure-pipelines/templates/jobs/packaging-jobs.yml

@@ -56,7 +56,7 @@ jobs:
     steps:
       - task: UsePythonVersion@0
         inputs:
-          versionSpec: 3.7
+          versionSpec: 3.8
           architecture: x86
           addToPath: true
       - script: python windows-installer/construct.py

.azure-pipelines/templates/jobs/standard-tests-jobs.yml

@@ -4,10 +4,10 @@ jobs:
       PYTHON_VERSION: 3.9
     strategy:
       matrix:
-        macos-py27:
+        macos-py36:
           IMAGE_NAME: macOS-10.15
-          PYTHON_VERSION: 2.7
-          TOXENV: py27
+          PYTHON_VERSION: 3.6
+          TOXENV: py36
         macos-py39:
           IMAGE_NAME: macOS-10.15
           PYTHON_VERSION: 3.9
@@ -16,24 +16,22 @@ jobs:
           IMAGE_NAME: vs2017-win2016
           PYTHON_VERSION: 3.6
           TOXENV: py36
-        windows-py37-cover:
+        windows-py38-cover:
           IMAGE_NAME: vs2017-win2016
-          PYTHON_VERSION: 3.7
-          TOXENV: py37-cover
+          PYTHON_VERSION: 3.8
+          TOXENV: py38-cover
         windows-integration-certbot:
           IMAGE_NAME: vs2017-win2016
-          PYTHON_VERSION: 3.7
+          PYTHON_VERSION: 3.8
           TOXENV: integration-certbot
         linux-oldest-tests-1:
           IMAGE_NAME: ubuntu-18.04
-          TOXENV: py27-{acme,apache,apache-v2,certbot}-oldest
+          PYTHON_VERSION: 3.6
+          TOXENV: '{acme,apache,apache-v2,certbot}-oldest'
         linux-oldest-tests-2:
           IMAGE_NAME: ubuntu-18.04
-          TOXENV: py27-{dns,nginx}-oldest
-        linux-py27:
-          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 2.7
-          TOXENV: py27
+          PYTHON_VERSION: 3.6
+          TOXENV: '{dns,nginx}-oldest'
         linux-py36:
           IMAGE_NAME: ubuntu-18.04
           PYTHON_VERSION: 3.6
@@ -63,13 +61,18 @@ jobs:
           TOXENV: modification
         apacheconftest:
           IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 2.7
+          PYTHON_VERSION: 3.6
           TOXENV: apacheconftest-with-pebble
         nginxroundtrip:
           IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 2.7
+          PYTHON_VERSION: 3.6
           TOXENV: nginxroundtrip
     pool:
       vmImage: $(IMAGE_NAME)
     steps:
       - template: ../steps/tox-steps.yml
+  - job: test_sphinx_builds
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+      - template: ../steps/sphinx-steps.yml

.azure-pipelines/templates/steps/sphinx-steps.yml

@@ -0,0 +1,23 @@
+steps:
+  - bash: |
+      FINAL_STATUS=0
+      declare -a FAILED_BUILDS
+      python3 -m venv .venv
+      source .venv/bin/activate
+      python tools/pipstrap.py
+      for doc_path in */docs
+      do
+        echo ""
+        echo "##[group]Building $doc_path"
+        pip install -q -e $doc_path/..[docs]
+        if ! sphinx-build -W --keep-going -b html $doc_path $doc_path/_build/html; then
+          FINAL_STATUS=1
+          FAILED_BUILDS[${#FAILED_BUILDS[@]}]="${doc_path%/docs}"
+        fi
+        echo "##[endgroup]"
+      done
+      if [[ $FINAL_STATUS -ne 0 ]]; then
+        echo "##[error]The following builds failed: ${FAILED_BUILDS[*]}"
+        exit 1
+      fi
+    displayName: Build Sphinx Documentation

.azure-pipelines/templates/steps/tox-steps.yml

@@ -45,11 +45,7 @@ steps:
       export TARGET_BRANCH="`echo "${BUILD_SOURCEBRANCH}" | sed -E 's!refs/(heads|tags)/!!g'`"
       [ -z "${SYSTEM_PULLREQUEST_TARGETBRANCH}" ] || export TARGET_BRANCH="${SYSTEM_PULLREQUEST_TARGETBRANCH}"
       env
-      if [[ "${TOXENV}" == *"oldest"* ]]; then
-        tools/run_oldest_tests.sh
-      else
-        python -m tox
-      fi
+      python -m tox
     env:
       AWS_ACCESS_KEY_ID: $(AWS_ACCESS_KEY_ID)
       AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)

AUTHORS.md

@@ -1,6 +1,7 @@
 Authors
 =======
 
+* [Aaron Gable](https://github.com/aarongable)
 * [Aaron Zirbes](https://github.com/aaronzirbes)
 * Aaron Zuehlke
 * Ada Lovelace
@@ -60,6 +61,7 @@ Authors
 * [DanCld](https://github.com/DanCld)
 * [Daniel Albers](https://github.com/AID)
 * [Daniel Aleksandersen](https://github.com/da2x)
+* [Daniel Almasi](https://github.com/almasen)
 * [Daniel Convissor](https://github.com/convissor)
 * [Daniel "Drex" Drexler](https://github.com/aeturnum)
 * [Daniel Huang](https://github.com/dhuang)

acme/acme/__init__.py

@@ -6,7 +6,6 @@ This module is an implementation of the `ACME protocol`_.
 
 """
 import sys
-import warnings
 
 # This code exists to keep backwards compatibility with people using acme.jose
 # before it became the standalone josepy package.
@@ -20,10 +19,3 @@ for mod in list(sys.modules):
     # preserved (acme.jose.* is josepy.*)
     if mod == 'josepy' or mod.startswith('josepy.'):
         sys.modules['acme.' + mod.replace('josepy', 'jose', 1)] = sys.modules[mod]
-
-if sys.version_info[0] == 2:
-    warnings.warn(
-        "Python 2 support will be dropped in the next release of acme. "
-        "Please upgrade your Python version.",
-        PendingDeprecationWarning,
-    )  # pragma: no cover

acme/acme/challenges.py

@@ -150,7 +150,7 @@ class KeyAuthorizationChallenge(_TokenChallenge):
     """Challenge based on Key Authorization.
 
     :param response_cls: Subclass of `KeyAuthorizationChallengeResponse`
-        that will be used to generate `response`.
+        that will be used to generate ``response``.
     :param str typ: type of the challenge
     """
     typ = NotImplemented

acme/acme/crypto_util.py

@@ -166,7 +166,7 @@ def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-argu
             " from {0}:{1}".format(
                 source_address[0],
                 source_address[1]
-            ) if socket_kwargs else ""
+            ) if any(source_address) else ""
         )
         socket_tuple = (host, port)  # type: Tuple[str, int]
         sock = socket.create_connection(socket_tuple, **socket_kwargs)  # type: ignore

acme/acme/errors.py

@@ -49,7 +49,7 @@ class MissingNonce(NonceError):
     Replay-Nonce header field in each successful response to a POST it
     provides to a client (...)".
 
-    :ivar requests.Response response: HTTP Response
+    :ivar requests.Response ~.response: HTTP Response
 
     """
     def __init__(self, response, *args, **kwargs):

acme/acme/messages.py

@@ -275,7 +275,7 @@ class Resource(jose.JSONObjectWithFields):
 class ResourceWithURI(Resource):
     """ACME Resource with URI.
 
-    :ivar unicode uri: Location of the resource.
+    :ivar unicode ~.uri: Location of the resource.
 
     """
     uri = jose.Field('uri')  # no ChallengeResource.uri
@@ -627,7 +627,7 @@ class Order(ResourceBody):
     :ivar str finalize: URL to POST to to request issuance once all
         authorizations have "valid" status.
     :ivar datetime.datetime expires: When the order expires.
-    :ivar .Error error: Any error that occurred during finalization, if applicable.
+    :ivar ~.Error error: Any error that occurred during finalization, if applicable.
     """
     identifiers = jose.Field('identifiers', omitempty=True)
     status = jose.Field('status', decoder=Status.from_json,

acme/docs/conf.py

@@ -85,7 +85,10 @@ language = 'en'
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
-exclude_patterns = ['_build']
+exclude_patterns = [
+    '_build',
+    'man/*'
+]
 
 # The reST default role (used for this markup: `text`) to use for all
 # documents.

acme/setup.py

@@ -5,25 +5,22 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
-    # load_pem_private/public_key (>=0.6)
-    # rsa_recover_prime_factors (>=0.8)
-    'cryptography>=1.2.3',
+    'cryptography>=2.1.4',
     # formerly known as acme.jose:
     # 1.1.0+ is required to avoid the warnings described at
     # https://github.com/certbot/josepy/issues/13.
     'josepy>=1.1.0',
-    # Connection.set_tlsext_host_name (>=0.13) + matching Xenial requirements (>=0.15.1)
-    'PyOpenSSL>=0.15.1',
+    'PyOpenSSL>=17.3.0',
     'pyrfc3339',
     'pytz',
     'requests[security]>=2.6.0',  # security extras added in 2.4.1
     'requests-toolbelt>=0.3.0',
-    'setuptools',
-    'six>=1.9.0',  # needed for python_2_unicode_compatible
+    'setuptools>=39.0.1',
+    'six>=1.11.0',
 ]
 
 setuptools_known_environment_markers = (LooseVersion(setuptools_version) >= LooseVersion('36.2'))
@@ -54,14 +51,12 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Intended Audience :: Developers',
         'License :: OSI Approved :: Apache Software License',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-apache/certbot_apache/_internal/override_suse.py

@@ -14,10 +14,10 @@ class OpenSUSEConfigurator(configurator.ApacheConfigurator):
         vhost_root="/etc/apache2/vhosts.d",
         vhost_files="*.conf",
         logs_root="/var/log/apache2",
-        ctl="apache2ctl",
-        version_cmd=['apache2ctl', '-v'],
-        restart_cmd=['apache2ctl', 'graceful'],
-        conftest_cmd=['apache2ctl', 'configtest'],
+        ctl="apachectl",
+        version_cmd=['apachectl', '-v'],
+        restart_cmd=['apachectl', 'graceful'],
+        conftest_cmd=['apachectl', 'configtest'],
         enmod="a2enmod",
         dismod="a2dismod",
         le_vhost_ext="-le-ssl.conf",

certbot-apache/setup.py

@@ -5,7 +5,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -13,7 +13,7 @@ install_requires = [
     'acme>=0.29.0',
     'certbot>=1.6.0',
     'python-augeas',
-    'setuptools',
+    'setuptools>=39.0.1',
     'zope.component',
     'zope.interface',
 ]
@@ -39,7 +39,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -47,8 +47,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-auto

@@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then
 fi
 VENV_BIN="$VENV_PATH/bin"
 BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt"
-LE_AUTO_VERSION="1.10.1"
+LE_AUTO_VERSION="1.11.0"
 BASENAME=$(basename $0)
 USAGE="Usage: $BASENAME [OPTIONS]
 A self-updating wrapper script for the Certbot ACME client. When run, updates
@@ -804,6 +804,7 @@ elif [ -f /etc/mageia-release ]; then
   # Mageia has both /etc/mageia-release and /etc/redhat-release
   DEPRECATED_OS=1
 elif [ -f /etc/redhat-release ]; then
+  DEPRECATED_OS=1
   # Run DeterminePythonVersion to decide on the basis of available Python versions
   # whether to use 2.x or 3.x on RedHat-like systems.
   # Then, revert LE_PYTHON to its previous state.
@@ -836,12 +837,7 @@ elif [ -f /etc/redhat-release ]; then
       INTERACTIVE_BOOTSTRAP=1
     fi
 
-    Bootstrap() {
-      BootstrapMessage "Legacy RedHat-based OSes that will use Python3"
-      BootstrapRpmPython3Legacy
-    }
     USE_PYTHON_3=1
-    BOOTSTRAP_VERSION="BootstrapRpmPython3Legacy $BOOTSTRAP_RPM_PYTHON3_LEGACY_VERSION"
 
     # Try now to enable SCL rh-python36 for systems already bootstrapped
     # NB: EnablePython36SCL has been defined along with BootstrapRpmPython3Legacy in certbot-auto
@@ -860,18 +856,7 @@ elif [ -f /etc/redhat-release ]; then
     fi
 
     if [ "$RPM_USE_PYTHON_3" = 1 ]; then
-      Bootstrap() {
-        BootstrapMessage "RedHat-based OSes that will use Python3"
-        BootstrapRpmPython3
-      }
       USE_PYTHON_3=1
-      BOOTSTRAP_VERSION="BootstrapRpmPython3 $BOOTSTRAP_RPM_PYTHON3_VERSION"
-    else
-      Bootstrap() {
-        BootstrapMessage "RedHat-based OSes"
-        BootstrapRpmCommon
-      }
-      BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION"
     fi
   fi
 
@@ -889,10 +874,7 @@ elif uname | grep -iq FreeBSD ; then
 elif uname | grep -iq Darwin ; then
   DEPRECATED_OS=1
 elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then
-  Bootstrap() {
-    ExperimentalBootstrap "Amazon Linux" BootstrapRpmCommon
-  }
-  BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION"
+  DEPRECATED_OS=1
 elif [ -f /etc/product ] && grep -q "Joyent Instance" /etc/product ; then
   DEPRECATED_OS=1
 else
@@ -1493,18 +1475,18 @@ letsencrypt==0.7.0 \
     --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \
     --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9
 
-certbot==1.10.1 \
-    --hash=sha256:011ac980fa21b9f29e02c9b8d8b86e8a4bf4670b51b6ad91656e401e9d2d2231 \
-    --hash=sha256:0d9ee3fc09e0d03b2d1b1f1c4916e61ecfc6904b4216ddef4e6a5ca1424d9cb7
-acme==1.10.1 \
-    --hash=sha256:752d598e54e98ad1e874de53fd50c61044f1b566d6deb790db5676ce9c573546 \
-    --hash=sha256:fcbb559aedc96b404edf593e78517dcd7291984d5a37036c3fc77f3c5c122fd8
-certbot-apache==1.10.1 \
-    --hash=sha256:f077b4b7f166627ef5e0921fe7cde57700670fc86e9ad9dbdfaf2c573cc0f2fa \
-    --hash=sha256:97ed637b4c7b03820db6c69aa90145dc989933351d46a3d62baf6b71674f0a10
-certbot-nginx==1.10.1 \
-    --hash=sha256:7c36459021f8a1ec3b6c062e4c4fc866bfaa1dbf26ccd29e043dd6848003be08 \
-    --hash=sha256:c0bbeccf85f46b728fd95e6bb8c2649d32d3383d7f47ea4b9c312d12bf04d2f0
+certbot==1.11.0 \
+    --hash=sha256:b7faa66c40a1ce5a31bfc8668d8feb5d2db6f7af9e791079a6d95c77b6593bf4 \
+    --hash=sha256:6b0ce04e55379aff0a47f873fa05c084538ad0f4a9b79f33108dbb0a7a668b43
+acme==1.11.0 \
+    --hash=sha256:77d6ce61b155315d7d7031489bbd245c0ea42c0453a04d4304393414e741a56d \
+    --hash=sha256:092eb09a074a935da4c10f66cb8634ffb2cc2d2cc1035d2998d608996efab924
+certbot-apache==1.11.0 \
+    --hash=sha256:ea7ac88733aad91a89c700289effda2a0c0658778da1ae2c54a0aefaee351285 \
+    --hash=sha256:3ed001427ec0b49324f2b9af7170fa6e6e88948fa51c3678b07bf17f8138863d
+certbot-nginx==1.11.0 \
+    --hash=sha256:79de69782a1199e577787ff9790dee02a44aac17dbecd6a7287593030842a306 \
+    --hash=sha256:9afe611f99a78b8898941b8ad7bdcf7f3c2b6e0fce27125268f7c713e64b34ee
 
 UNLIKELY_EOF
     # -------------------------------------------------------------------------

certbot-ci/certbot_integration_tests/certbot_tests/test_main.py

@@ -9,7 +9,7 @@ import shutil
 import subprocess
 import time
 
-from cryptography.hazmat.primitives.asymmetric.ec import SECP256R1, SECP384R1
+from cryptography.hazmat.primitives.asymmetric.ec import SECP256R1, SECP384R1, SECP521R1
 from cryptography.x509 import NameOID
 
 import pytest
@@ -148,6 +148,17 @@ def test_certonly(context):
     """Test the certonly verb on certbot."""
     context.certbot(['certonly', '--cert-name', 'newname', '-d', context.get_domain('newname')])
 
+    assert_cert_count_for_lineage(context.config_dir, 'newname', 1)
+
+
+def test_certonly_webroot(context):
+    """Test the certonly verb with webroot plugin"""
+    with misc.create_http_server(context.http_01_port) as webroot:
+        certname = context.get_domain('webroot')
+        context.certbot(['certonly', '-a', 'webroot', '--webroot-path', webroot, '-d', certname])
+
+    assert_cert_count_for_lineage(context.config_dir, certname, 1)
+
 
 def test_auth_and_install_with_csr(context):
     """Test certificate issuance and install using an existing CSR."""
@@ -476,6 +487,28 @@ def test_default_curve_type(context):
     assert_elliptic_key(key1, SECP256R1)
 
 
+@pytest.mark.parametrize('curve,curve_cls,skip_servers', [
+    # Curve name, Curve class, ACME servers to skip
+    ('secp256r1', SECP256R1, []),
+    ('secp384r1', SECP384R1, []),
+    ('secp521r1', SECP521R1, ['boulder-v1', 'boulder-v2'])]
+)
+def test_ecdsa_curves(context, curve, curve_cls, skip_servers):
+    """Test issuance for each supported ECDSA curve"""
+    if context.acme_server in skip_servers:
+        pytest.skip('ACME server {} does not support ECDSA curve {}'
+                    .format(context.acme_server, curve))
+
+    domain = context.get_domain('curve')
+    context.certbot([
+        'certonly',
+        '--key-type', 'ecdsa', '--elliptic-curve', curve,
+        '--force-renewal', '-d', domain,
+    ])
+    key = join(context.config_dir, "live", domain, 'privkey.pem')
+    assert_elliptic_key(key, curve_cls)
+
+
 def test_renew_with_ec_keys(context):
     """Test proper renew with updated private key complexity."""
     certname = context.get_domain('renew')

certbot-ci/setup.py

@@ -40,14 +40,12 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 3 - Alpha',
         'Intended Audience :: Developers',
         'License :: OSI Approved :: Apache Software License',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-compatibility-test/setup.py

@@ -5,7 +5,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 install_requires = [
     'certbot',
@@ -38,14 +38,12 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 3 - Alpha',
         'Intended Audience :: Developers',
         'License :: OSI Approved :: Apache Software License',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-dns-cloudflare/docs/conf.py

@@ -111,7 +111,7 @@ if not on_rtd:  # only import and set the theme if we're building docs locally
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+#html_static_path = ['_static']
 
 
 # -- Options for HTMLHelp output ------------------------------------------

certbot-dns-cloudflare/setup.py

@@ -6,13 +6,13 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
     'cloudflare>=1.5.1',
-    'setuptools',
+    'setuptools>=39.0.1',
     'zope.interface',
 ]
 
@@ -49,7 +49,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -57,8 +57,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-dns-cloudxns/docs/conf.py

@@ -111,7 +111,7 @@ if not on_rtd:  # only import and set the theme if we're building docs locally
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+#html_static_path = ['_static']
 
 
 # -- Options for HTMLHelp output ------------------------------------------

certbot-dns-cloudxns/setup.py

@@ -6,13 +6,13 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
     'dns-lexicon>=2.2.1',  # Support for >1 TXT record per name
-    'setuptools',
+    'setuptools>=39.0.1',
     'zope.interface',
 ]
 
@@ -49,7 +49,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -57,8 +57,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-dns-digitalocean/docs/conf.py

@@ -111,7 +111,7 @@ if not on_rtd:  # only import and set the theme if we're building docs locally
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+#html_static_path = ['_static']
 
 
 # -- Options for HTMLHelp output ------------------------------------------

certbot-dns-digitalocean/setup.py

@@ -6,14 +6,14 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
     'python-digitalocean>=1.11',
-    'setuptools',
-    'six',
+    'setuptools>=39.0.1',
+    'six>=1.11.0',
     'zope.interface',
 ]
 
@@ -50,7 +50,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -58,8 +58,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-dns-dnsimple/docs/conf.py

@@ -111,7 +111,7 @@ if not on_rtd:  # only import and set the theme if we're building docs locally
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+#html_static_path = ['_static']
 
 
 # -- Options for HTMLHelp output ------------------------------------------

certbot-dns-dnsimple/setup.py

@@ -6,12 +6,12 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
-    'setuptools',
+    'setuptools>=39.0.1',
     'zope.interface',
 ]
 
@@ -60,7 +60,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -68,8 +68,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-dns-dnsmadeeasy/docs/conf.py

@@ -111,7 +111,7 @@ if not on_rtd:  # only import and set the theme if we're building docs locally
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+#html_static_path = ['_static']
 
 
 # -- Options for HTMLHelp output ------------------------------------------

certbot-dns-dnsmadeeasy/setup.py

@@ -6,13 +6,13 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
     'dns-lexicon>=2.2.1',  # Support for >1 TXT record per name
-    'setuptools',
+    'setuptools>=39.0.1',
     'zope.interface',
 ]
 
@@ -49,7 +49,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -57,8 +57,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-dns-gehirn/docs/conf.py

@@ -111,7 +111,7 @@ if not on_rtd:  # only import and set the theme if we're building docs locally
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+#html_static_path = ['_static']
 
 
 # -- Options for HTMLHelp output ------------------------------------------

certbot-dns-gehirn/setup.py

@@ -6,12 +6,12 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
     'dns-lexicon>=2.1.22',
-    'setuptools',
+    'setuptools>=39.0.1',
     'zope.interface',
 ]
 
@@ -48,7 +48,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -56,8 +56,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-dns-google/docs/conf.py

@@ -112,7 +112,7 @@ if not on_rtd:  # only import and set the theme if we're building docs locally
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+#html_static_path = ['_static']
 
 
 # -- Options for HTMLHelp output ------------------------------------------

certbot-dns-google/setup.py

@@ -6,14 +6,14 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
     'google-api-python-client>=1.5.5',
     'oauth2client>=4.0',
-    'setuptools',
+    'setuptools>=39.0.1',
     'zope.interface',
     # already a dependency of google-api-python-client, but added for consistency
     'httplib2'
@@ -52,7 +52,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -60,8 +60,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-dns-linode/docs/conf.py

@@ -111,7 +111,7 @@ if not on_rtd:  # only import and set the theme if we're building docs locally
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+#html_static_path = ['_static']
 
 
 # -- Options for HTMLHelp output ------------------------------------------

certbot-dns-linode/setup.py

@@ -6,12 +6,12 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
     'dns-lexicon>=2.2.3',
-    'setuptools',
+    'setuptools>=39.0.1',
     'zope.interface',
 ]
 
@@ -48,7 +48,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -56,8 +56,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-dns-luadns/docs/conf.py

@@ -111,7 +111,7 @@ if not on_rtd:  # only import and set the theme if we're building docs locally
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+#html_static_path = ['_static']
 
 
 # -- Options for HTMLHelp output ------------------------------------------

certbot-dns-luadns/setup.py

@@ -6,13 +6,13 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
     'dns-lexicon>=2.2.1',  # Support for >1 TXT record per name
-    'setuptools',
+    'setuptools>=39.0.1',
     'zope.interface',
 ]
 
@@ -49,7 +49,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -57,8 +57,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-dns-nsone/docs/conf.py

@@ -111,7 +111,7 @@ if not on_rtd:  # only import and set the theme if we're building docs locally
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+#html_static_path = ['_static']
 
 
 # -- Options for HTMLHelp output ------------------------------------------

certbot-dns-nsone/setup.py

@@ -6,13 +6,13 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
     'dns-lexicon>=2.2.1',  # Support for >1 TXT record per name
-    'setuptools',
+    'setuptools>=39.0.1',
     'zope.interface',
 ]
 
@@ -49,7 +49,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -57,8 +57,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-dns-ovh/docs/conf.py

@@ -111,7 +111,7 @@ if not on_rtd:  # only import and set the theme if we're building docs locally
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+#html_static_path = ['_static']
 
 
 # -- Options for HTMLHelp output ------------------------------------------

certbot-dns-ovh/setup.py

@@ -6,13 +6,13 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
     'dns-lexicon>=2.7.14',  # Correct proxy use on OVH provider
-    'setuptools',
+    'setuptools>=39.0.1',
     'zope.interface',
 ]
 
@@ -49,7 +49,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -57,8 +57,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-dns-rfc2136/certbot_dns_rfc2136/_internal/dns_rfc2136.py

@@ -1,13 +1,3 @@
-# type: ignore
-# pylint: disable=no-member
-# Many attributes of dnspython are now dynamically defined which causes both
-# mypy and pylint to error about accessing attributes they think do not exist.
-# This is the case even in up-to-date versions of mypy and pylint which as of
-# writing this are 0.790 and 2.6.0 respectively. This problem may be fixed in
-# dnspython 2.1.0. See https://github.com/rthalley/dnspython/issues/598. For
-# now, let's disable these checks. This is done at the very top of the file
-# like this because "type: ignore" must be the first line in the file to be
-# respected by mypy.
 """DNS Authenticator using RFC 2136 Dynamic Updates."""
 import logging
 

certbot-dns-rfc2136/docs/conf.py

@@ -111,7 +111,7 @@ if not on_rtd:  # only import and set the theme if we're building docs locally
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+#html_static_path = ['_static']
 
 
 # -- Options for HTMLHelp output ------------------------------------------

certbot-dns-rfc2136/setup.py

@@ -6,13 +6,13 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
     'dnspython',
-    'setuptools',
+    'setuptools>=39.0.1',
     'zope.interface',
 ]
 
@@ -49,7 +49,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -57,8 +57,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-dns-route53/MANIFEST.in

@@ -1,5 +1,5 @@
 include LICENSE.txt
-include README
+include README.rst
 recursive-include docs *
 recursive-include tests *
 global-exclude __pycache__

certbot-dns-route53/README.md

@@ -1,35 +0,0 @@
-## Route53 plugin for Let's Encrypt client
-
-### Before you start
-
-It's expected that the root hosted zone for the domain in question already
-exists in your account.
-
-### Setup
-
-1. Create a virtual environment
-
-2. Update its pip and setuptools (`VENV/bin/pip install -U setuptools pip`)
-to avoid problems with cryptography's dependency on setuptools>=11.3.
-
-3. Make sure you have libssl-dev and libffi (or your regional equivalents)
-installed. You might have to set compiler flags to pick things up (I have to
-use `CPPFLAGS=-I/usr/local/opt/openssl/include
-LDFLAGS=-L/usr/local/opt/openssl/lib` on my macOS to pick up brew's openssl,
-for example).
-
-4. Install this package.
-
-### How to use it
-
-Make sure you have access to AWS's Route53 service, either through IAM roles or
-via `.aws/credentials`. Check out
-[sample-aws-policy.json](examples/sample-aws-policy.json) for the necessary permissions.
-
-To generate a certificate:
-```
-certbot certonly \
-  -n --agree-tos --email DEVOPS@COMPANY.COM \
-  --dns-route53 \
-  -d MY.DOMAIN.NAME
-```

certbot-dns-route53/README.rst

@@ -0,0 +1 @@
+Amazon Web Services Route 53 DNS Authenticator plugin for Certbot

certbot-dns-route53/docs/conf.py

@@ -111,7 +111,7 @@ if not on_rtd:  # only import and set the theme if we're building docs locally
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+#html_static_path = ['_static']
 
 
 # -- Options for HTMLHelp output ------------------------------------------

certbot-dns-route53/setup.py

@@ -6,13 +6,13 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
     'boto3',
-    'setuptools',
+    'setuptools>=39.0.1',
     'zope.interface',
 ]
 
@@ -36,6 +36,11 @@ elif 'bdist_wheel' in sys.argv[1:]:
 elif sys.version_info < (3,3):
     install_requires.append('mock')
 
+docs_extras = [
+    'Sphinx>=1.0',  # autodoc_member_order = 'bysource', autodoc_default_flags
+    'sphinx_rtd_theme',
+]
+
 setup(
     name='certbot-dns-route53',
     version=version,
@@ -44,7 +49,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -52,8 +57,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
@@ -70,6 +73,9 @@ setup(
     include_package_data=True,
     install_requires=install_requires,
     keywords=['certbot', 'route53', 'aws'],
+    extras_require={
+        'docs': docs_extras,
+    },
     entry_points={
         'certbot.plugins': [
             'dns-route53 = certbot_dns_route53._internal.dns_route53:Authenticator',

certbot-dns-sakuracloud/docs/conf.py

@@ -111,7 +111,7 @@ if not on_rtd:  # only import and set the theme if we're building docs locally
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+#html_static_path = ['_static']
 
 
 # -- Options for HTMLHelp output ------------------------------------------

certbot-dns-sakuracloud/setup.py

@@ -6,12 +6,12 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
     'dns-lexicon>=2.1.23',
-    'setuptools',
+    'setuptools>=39.0.1',
     'zope.interface',
 ]
 
@@ -48,7 +48,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -56,8 +56,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot-nginx/setup.py

@@ -5,16 +5,16 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.12.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
     'acme>=1.4.0',
     'certbot>=1.6.0',
-    'PyOpenSSL',
-    'pyparsing>=1.5.5',  # Python3 support
-    'setuptools',
+    'PyOpenSSL>=17.3.0',
+    'pyparsing>=2.2.0',
+    'setuptools>=39.0.1',
     'zope.interface',
 ]
 
@@ -35,7 +35,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Plugins',
@@ -43,8 +43,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot/CHANGELOG.md

@@ -2,7 +2,28 @@
 
 Certbot adheres to [Semantic Versioning](https://semver.org/).
 
-## 1.11.0 - master
+## 1.12.0 - master
+
+### Added
+
+*
+
+### Changed
+
+* The `--preferred-chain` flag now only checks the Issuer Common Name of the
+  topmost (closest to the root) certificate in the chain, instead of checking
+  every certificate in the chain.
+  See [#8577](https://github.com/certbot/certbot/issues/8577).
+
+### Fixed
+
+* Fixed the apache component on openSUSE Tumbleweed which no longer provides
+  an apache2ctl symlink and uses apachectl instead.
+* Fixed a typo in `certbot/crypto_util.py` causing an error upon attempting `secp521r1` key generation
+
+More details about these changes can be found on our GitHub repo.
+
+## 1.11.0 - 2021-01-05
 
 ### Added
 

certbot/certbot/__init__.py

@@ -1,13 +1,3 @@
 """Certbot client."""
-import warnings
-import sys
-
 # version number like 1.2.3a0, must have at least 2 parts, like 1.2
-__version__ = '1.11.0.dev0'
-
-if sys.version_info[0] == 2:
-    warnings.warn(
-        "Python 2 support will be dropped in the next release of Certbot. "
-        "Please upgrade your Python version.",
-        PendingDeprecationWarning,
-    )  # pragma: no cover
+__version__ = '1.12.0.dev0'

certbot/certbot/_internal/account.py

@@ -20,6 +20,7 @@ from certbot import interfaces
 from certbot import util
 from certbot._internal import constants
 from certbot.compat import os
+from certbot.compat import filesystem
 
 logger = logging.getLogger(__name__)
 
@@ -324,7 +325,7 @@ class AccountFileStorage(interfaces.AccountStorage):
             if server_path in reused_servers:
                 next_server_path = reused_servers[server_path]
                 next_dir_path = link_func(next_server_path)
-                if os.path.islink(next_dir_path) and os.readlink(next_dir_path) == dir_path:
+                if os.path.islink(next_dir_path) and filesystem.readlink(next_dir_path) == dir_path:
                     possible_next_link = True
                     server_path = next_server_path
                     dir_path = next_dir_path
@@ -332,7 +333,7 @@ class AccountFileStorage(interfaces.AccountStorage):
         # if there's not a next one up to delete, then delete me
         # and whatever I link to
         while os.path.islink(dir_path):
-            target = os.readlink(dir_path)
+            target = filesystem.readlink(dir_path)
             os.unlink(dir_path)
             dir_path = target
 

certbot/certbot/_internal/main.py

@@ -5,7 +5,6 @@ from __future__ import print_function
 import functools
 import logging.handlers
 import sys
-import warnings
 
 import configobj
 import josepy as jose
@@ -666,7 +665,7 @@ def unregister(config, unused_plugins):
     :type config: interfaces.IConfig
 
     :param unused_plugins: List of plugins (deprecated)
-    :type unused_plugins: `list` of `str`
+    :type unused_plugins: plugins_disco.PluginsRegistry
 
     :returns: `None`
     :rtype: None
@@ -706,7 +705,7 @@ def register(config, unused_plugins):
     :type config: interfaces.IConfig
 
     :param unused_plugins: List of plugins (deprecated)
-    :type unused_plugins: `list` of `str`
+    :type unused_plugins: plugins_disco.PluginsRegistry
 
     :returns: `None` or a string indicating and error
     :rtype: None or str
@@ -736,7 +735,7 @@ def update_account(config, unused_plugins):
     :type config: interfaces.IConfig
 
     :param unused_plugins: List of plugins (deprecated)
-    :type unused_plugins: `list` of `str`
+    :type unused_plugins: plugins_disco.PluginsRegistry
 
     :returns: `None` or a string indicating and error
     :rtype: None or str
@@ -813,7 +812,7 @@ def install(config, plugins):
     :type config: interfaces.IConfig
 
     :param plugins: List of plugins
-    :type plugins: `list` of `str`
+    :type plugins: plugins_disco.PluginsRegistry
 
     :returns: `None`
     :rtype: None
@@ -896,7 +895,7 @@ def plugins_cmd(config, plugins):
     :type config: interfaces.IConfig
 
     :param plugins: List of plugins
-    :type plugins: `list` of `str`
+    :type plugins: plugins_disco.PluginsRegistry
 
     :returns: `None`
     :rtype: None
@@ -935,7 +934,7 @@ def enhance(config, plugins):
     :type config: interfaces.IConfig
 
     :param plugins: List of plugins
-    :type plugins: `list` of `str`
+    :type plugins: plugins_disco.PluginsRegistry
 
     :returns: `None`
     :rtype: None
@@ -994,7 +993,7 @@ def rollback(config, plugins):
     :type config: interfaces.IConfig
 
     :param plugins: List of plugins
-    :type plugins: `list` of `str`
+    :type plugins: plugins_disco.PluginsRegistry
 
     :returns: `None`
     :rtype: None
@@ -1012,7 +1011,7 @@ def update_symlinks(config, unused_plugins):
     :type config: interfaces.IConfig
 
     :param unused_plugins: List of plugins (deprecated)
-    :type unused_plugins: `list` of `str`
+    :type unused_plugins: plugins_disco.PluginsRegistry
 
     :returns: `None`
     :rtype: None
@@ -1030,7 +1029,7 @@ def rename(config, unused_plugins):
     :type config: interfaces.IConfig
 
     :param unused_plugins: List of plugins (deprecated)
-    :type unused_plugins: `list` of `str`
+    :type unused_plugins: plugins_disco.PluginsRegistry
 
     :returns: `None`
     :rtype: None
@@ -1048,7 +1047,7 @@ def delete(config, unused_plugins):
     :type config: interfaces.IConfig
 
     :param unused_plugins: List of plugins (deprecated)
-    :type unused_plugins: `list` of `str`
+    :type unused_plugins: plugins_disco.PluginsRegistry
 
     :returns: `None`
     :rtype: None
@@ -1064,7 +1063,7 @@ def certificates(config, unused_plugins):
     :type config: interfaces.IConfig
 
     :param unused_plugins: List of plugins (deprecated)
-    :type unused_plugins: `list` of `str`
+    :type unused_plugins: plugins_disco.PluginsRegistry
 
     :returns: `None`
     :rtype: None
@@ -1081,7 +1080,7 @@ def revoke(config, unused_plugins):
     :type config: interfaces.IConfig
 
     :param unused_plugins: List of plugins (deprecated)
-    :type unused_plugins: `list` of `str`
+    :type unused_plugins: plugins_disco.PluginsRegistry
 
     :returns: `None` or string indicating error in case of error
     :rtype: None or str
@@ -1126,7 +1125,7 @@ def run(config, plugins):
     :type config: interfaces.IConfig
 
     :param plugins: List of plugins
-    :type plugins: `list` of `str`
+    :type plugins: plugins_disco.PluginsRegistry
 
     :returns: `None`
     :rtype: None
@@ -1213,7 +1212,7 @@ def renew_cert(config, plugins, lineage):
     :type config: interfaces.IConfig
 
     :param plugins: List of plugins
-    :type plugins: `list` of `str`
+    :type plugins: plugins_disco.PluginsRegistry
 
     :param lineage: Certificate lineage object
     :type lineage: storage.RenewableCert
@@ -1258,7 +1257,7 @@ def certonly(config, plugins):
     :type config: interfaces.IConfig
 
     :param plugins: List of plugins
-    :type plugins: `list` of `str`
+    :type plugins: plugins_disco.PluginsRegistry
 
     :returns: `None`
     :rtype: None
@@ -1308,7 +1307,7 @@ def renew(config, unused_plugins):
     :type config: interfaces.IConfig
 
     :param unused_plugins: List of plugins (deprecated)
-    :type unused_plugins: `list` of `str`
+    :type unused_plugins: plugins_disco.PluginsRegistry
 
     :returns: `None`
     :rtype: None
@@ -1404,13 +1403,6 @@ def main(cli_args=None):
         if config.func != plugins_cmd:  # pylint: disable=comparison-with-callable
             raise
 
-    if sys.version_info[0] == 2:
-        warnings.warn(
-            "Python 2 support will be dropped in the next release of Certbot. "
-            "Please upgrade your Python version.",
-            PendingDeprecationWarning,
-        )  # pragma: no cover
-
     set_displayer(config)
 
     # Reporter

certbot/certbot/_internal/plugins/webroot.py

@@ -157,7 +157,8 @@ to serve all files under specified web root ({0})."""
                 "--webroot-path and --domains, or --webroot-map. Run with "
                 " --help webroot for examples.")
         for name, path in path_map.items():
-            self.full_roots[name] = os.path.join(path, challenges.HTTP01.URI_ROOT_PATH)
+            self.full_roots[name] = os.path.join(path, os.path.normcase(
+                challenges.HTTP01.URI_ROOT_PATH))
             logger.debug("Creating root challenges validation dir at %s",
                          self.full_roots[name])
 

certbot/certbot/_internal/storage.py

@@ -214,7 +214,7 @@ def get_link_target(link):
 
     """
     try:
-        target = os.readlink(link)
+        target = filesystem.readlink(link)
     except OSError:
         raise errors.CertStorageError(
             "Expected {0} to be a symlink".format(link))
@@ -223,6 +223,7 @@ def get_link_target(link):
         target = os.path.join(os.path.dirname(link), target)
     return os.path.abspath(target)
 
+
 def _write_live_readme_to(readme_path, is_base_dir=False):
     prefix = ""
     if is_base_dir:
@@ -665,7 +666,7 @@ class RenewableCert(interfaces.RenewableCert):
                 current_link = getattr(self, kind)
                 if os.path.lexists(current_link):
                     os.unlink(current_link)
-                os.symlink(os.readlink(previous_link), current_link)
+                os.symlink(filesystem.readlink(previous_link), current_link)
 
         for _, link in previous_symlinks:
             if os.path.exists(link):
@@ -846,7 +847,7 @@ class RenewableCert(interfaces.RenewableCert):
         link = getattr(self, kind)
         filename = "{0}{1}.pem".format(kind, version)
         # Relative rather than absolute target directory
-        target_directory = os.path.dirname(os.readlink(link))
+        target_directory = os.path.dirname(filesystem.readlink(link))
         # TODO: it could be safer to make the link first under a temporary
         #       filename, then unlink the old link, then rename the new link
         #       to the old link; this ensures that this process is able to
@@ -1121,7 +1122,7 @@ class RenewableCert(interfaces.RenewableCert):
             # The behavior below keeps the prior key by creating a new
             # symlink to the old key or the target of the old key symlink.
             if os.path.islink(old_privkey):
-                old_privkey = os.readlink(old_privkey)
+                old_privkey = filesystem.readlink(old_privkey)
             else:
                 old_privkey = "privkey{0}.pem".format(prior_version)
             logger.debug("Writing symlink to old private key, %s.", old_privkey)

certbot/certbot/_internal/updater.py

@@ -18,7 +18,7 @@ def run_generic_updaters(config, lineage, plugins):
     :type lineage: storage.RenewableCert
 
     :param plugins: List of plugins
-    :type plugins: `list` of `str`
+    :type plugins: certbot._internal.plugins.disco.PluginsRegistry
 
     :returns: `None`
     :rtype: None

certbot/certbot/achallenges.py

@@ -33,7 +33,7 @@ class AnnotatedChallenge(jose.ImmutableMap):
     Wraps around server provided challenge and annotates with data
     useful for the client.
 
-    :ivar challb: Wrapped `~.ChallengeBody`.
+    :ivar ~.challb: Wrapped `~.ChallengeBody`.
 
     """
     __slots__ = ('challb',)

certbot/certbot/compat/filesystem.py

@@ -4,6 +4,7 @@ from __future__ import absolute_import
 import errno
 import os  # pylint: disable=os-module-forbidden
 import stat
+import sys
 
 from acme.magic_typing import List
 
@@ -361,7 +362,8 @@ def realpath(file_path):
     """
     original_path = file_path
 
-    if POSIX_MODE:
+    # Since Python 3.8, os.path.realpath also resolves symlinks on Windows.
+    if POSIX_MODE or sys.version_info >= (3, 8):
         path = os.path.realpath(file_path)
         if os.path.islink(path):
             # If path returned by realpath is still a link, it means that it failed to
@@ -383,8 +385,36 @@ def realpath(file_path):
     return os.path.abspath(file_path)
 
 
+def readlink(link_path):
+    # type: (str) -> str
+    """
+    Return a string representing the path to which the symbolic link points.
+
+    :param str link_path: The symlink path to resolve
+    :return: The path the symlink points to
+    :returns: str
+    :raise: ValueError if a long path (260> characters) is encountered on Windows
+    """
+    path = os.readlink(link_path)
+
+    if POSIX_MODE or not path.startswith('\\\\?\\'):
+        return path
+
+    # At this point, we know we are on Windows and that the path returned uses
+    # the extended form which is done for all paths in Python 3.8+
+
+    # Max length of a normal path is 260 characters on Windows, including the non printable
+    # termination character "<NUL>". The termination character is not included in Python
+    # strings, giving a max length of 259 characters, + 4 characters for the extended form
+    # prefix, to an effective max length 263 characters on a string representing a normal path.
+    if len(path) < 264:
+        return path[4:]
+
+    raise ValueError("Long paths are not supported by Certbot on Windows.")
+
+
 # On Windows is_executable run from an unprivileged shell may claim that a path is
-# executable when it is excutable only if run from a privileged shell. This result
+# executable when it is executable only if run from a privileged shell. This result
 # is due to the fact that GetEffectiveRightsFromAcl calculate effective rights
 # without taking into consideration if the target user has currently required the
 # elevated privileges or not. However this is not a problem since certbot always

certbot/certbot/compat/os.py

@@ -7,6 +7,10 @@ This module has the same API as the os module in the Python standard library
 except for the functions defined below.
 
 """
+
+# NOTE: If adding a new documented function to compat.os, ensure that it is added to the
+#       ':members:' list in certbot/docs/api/certbot.compat.os.rst.
+
 # isort:skip_file
 # pylint: disable=function-redefined
 from __future__ import absolute_import
@@ -152,3 +156,14 @@ def fstat(*unused_args, **unused_kwargs):
     raise RuntimeError('Usage of os.fstat() is forbidden. '
                        'Use certbot.compat.filesystem functions instead '
                        '(eg. has_min_permissions, has_same_ownership).')
+
+
+# Method os.readlink has a significant behavior change with Python 3.8+. Starting
+# with this version, it will return the resolved path in its "extended-style" form
+# unconditionally, which allows to use more than 259 characters, and its string
+# representation is prepended with "\\?\". Problem is that it does it for any path,
+# and will make equality comparison fail with paths that will use the simple form.
+def readlink(*unused_args, **unused_kwargs):
+    """Method os.readlink() is forbidden"""
+    raise RuntimeError('Usage of os.readlink() is forbidden. '
+                       'Use certbot.compat.filesystem.realpath() instead.')

certbot/certbot/crypto_util.py

@@ -205,7 +205,7 @@ def make_key(bits=1024, key_type="rsa", elliptic_curve=None):
     elif key_type == 'ecdsa':
         try:
             name = elliptic_curve.upper()
-            if name in ('SECP256R1', 'SECP384R1', 'SECP512R1'):
+            if name in ('SECP256R1', 'SECP384R1', 'SECP521R1'):
                 _key = ec.generate_private_key(
                     curve=getattr(ec, elliptic_curve.upper(), None)(),
                     backend=default_backend()
@@ -291,7 +291,7 @@ def verify_signed_payload(public_key, signature, payload, signature_hash_algorit
     :param RSAPublicKey/EllipticCurvePublicKey public_key: the public_key to check signature
     :param bytes signature: the signature bytes
     :param bytes payload: the payload bytes
-    :param cryptography.hazmat.primitives.hashes.HashAlgorithm
+    :param cryptography.hazmat.primitives.hashes.HashAlgorithm \
            signature_hash_algorithm: algorithm used to hash the payload
 
     :raises InvalidSignature: If signature verification fails.
@@ -573,8 +573,9 @@ def get_serial_from_cert(cert_path):
 
 
 def find_chain_with_issuer(fullchains, issuer_cn, warn_on_no_match=False):
-    """Chooses the first certificate chain from fullchains which contains an
-    Issuer Subject Common Name matching issuer_cn.
+    """Chooses the first certificate chain from fullchains whose topmost
+    intermediate has an Issuer Common Name matching issuer_cn (in other words
+    the first chain which chains to a root whose name matches issuer_cn).
 
     :param fullchains: The list of fullchains in PEM chain format.
     :type fullchains: `list` of `str`
@@ -585,14 +586,11 @@ def find_chain_with_issuer(fullchains, issuer_cn, warn_on_no_match=False):
     :rtype: `str`
     """
     for chain in fullchains:
-        certs = [x509.load_pem_x509_certificate(cert, default_backend()) \
-                 for cert in CERT_PEM_REGEX.findall(chain.encode())]
-        # Iterate the fullchain beginning from the leaf. For each certificate encountered,
-        # match against Issuer Subject CN.
-        for cert in certs:
-            cert_issuer_cn = cert.issuer.get_attributes_for_oid(x509.NameOID.COMMON_NAME)
-            if cert_issuer_cn and cert_issuer_cn[0].value == issuer_cn:
-                return chain
+        certs = CERT_PEM_REGEX.findall(chain.encode())
+        top_cert = x509.load_pem_x509_certificate(certs[-1], default_backend())
+        top_issuer_cn = top_cert.issuer.get_attributes_for_oid(x509.NameOID.COMMON_NAME)
+        if top_issuer_cn and top_issuer_cn[0].value == issuer_cn:
+            return chain
 
     # Nothing matched, return whatever was first in the list.
     if warn_on_no_match:

certbot/certbot/interfaces.py

@@ -262,9 +262,9 @@ class IConfig(zope.interface.Interface):
         " with \"renew\" verb should be disabled.")
 
     preferred_chain = zope.interface.Attribute(
-        "If the CA offers multiple certificate chains, prefer the chain with "
-        "an issuer matching this Subject Common Name. If no match, the default "
-        "offered chain will be used."
+        "If the CA offers multiple certificate chains, prefer the chain whose "
+        "topmost certificate was issued from this Subject Common Name. "
+        "If no match, the default offered chain will be used."
     )
 
 

certbot/certbot/plugins/util.py

@@ -10,9 +10,11 @@ logger = logging.getLogger(__name__)
 
 def get_prefixes(path):
     """Retrieves all possible path prefixes of a path, in descending order
-    of length. For instance,
-        (linux) /a/b/c returns ['/a/b/c', '/a/b', '/a', '/']
-        (windows) C:\\a\\b\\c returns ['C:\\a\\b\\c', 'C:\\a\\b', 'C:\\a', 'C:']
+    of length. For instance:
+
+      * (Linux) `/a/b/c` returns `['/a/b/c', '/a/b', '/a', '/']`
+      * (Windows) `C:\\a\\b\\c` returns `['C:\\a\\b\\c', 'C:\\a\\b', 'C:\\a', 'C:']`
+
     :param str path: the path to break into prefixes
 
     :returns: all possible path prefixes of given path in descending order

certbot/docs/api/certbot.compat.os.rst

@@ -2,6 +2,4 @@ certbot.compat.os module
 ========================
 
 .. automodule:: certbot.compat.os
-    :members:
-    :undoc-members:
-    :show-inheritance:
+    :members: chmod, umask, chown, open, mkdir, makedirs, rename, replace, access, stat, fstat

certbot/docs/cli-help.txt

@@ -118,7 +118,7 @@ optional arguments:
                         case, and to know when to deprecate support for past
                         Python versions and flags. If you wish to hide this
                         information from the Let's Encrypt server, set this to
-                        "". (default: CertbotACMEClient/1.10.1
+                        "". (default: CertbotACMEClient/1.11.0
                         (certbot(-auto); OS_NAME OS_VERSION) Authenticator/XXX
                         Installer/YYY (SUBCOMMAND; flags: FLAGS)
                         Py/major.minor.patchlevel). The flags encoded in the
@@ -539,8 +539,8 @@ dns-cloudxns:
                         CloudXNS credentials INI file. (default: None)
 
 dns-digitalocean:
-  Obtain certs using a DNS TXT record (if you are using DigitalOcean for
-  DNS).
+  Obtain certificates using a DNS TXT record (if you are using DigitalOcean
+  for DNS).
 
   --dns-digitalocean-propagation-seconds DNS_DIGITALOCEAN_PROPAGATION_SECONDS
                         The number of seconds to wait for DNS to propagate
@@ -601,7 +601,8 @@ dns-google:
                         therequired permissions.) (default: None)
 
 dns-linode:
-  Obtain certs using a DNS TXT record (if you are using Linode for DNS).
+  Obtain certificates using a DNS TXT record (if you are using Linode for
+  DNS).
 
   --dns-linode-propagation-seconds DNS_LINODE_PROPAGATION_SECONDS
                         The number of seconds to wait for DNS to propagate

certbot/docs/conf.py

@@ -95,7 +95,12 @@ language = None
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
-exclude_patterns = ['_build']
+exclude_patterns = [
+    '_build',
+    'man',
+    'challenges.rst',
+    'ciphers.rst'
+]
 
 # The reST default role (used for this markup: `text`) to use for all
 # documents.

certbot/docs/contributing.rst

@@ -470,11 +470,8 @@ Mypy type annotations
 =====================
 
 Certbot uses the `mypy`_ static type checker. Python 3 natively supports official type annotations,
-which can then be tested for consistency using mypy. Python 2 doesn’t, but type annotations can
-be `added in comments`_. Mypy does some type checks even without type annotations; we can find
-bugs in Certbot even without a fully annotated codebase.
-
-Certbot supports both Python 2 and 3, so we’re using Python 2-style annotations.
+which can then be tested for consistency using mypy. Mypy does some type checks even without type
+annotations; we can find bugs in Certbot even without a fully annotated codebase.
 
 Zulip wrote a `great guide`_ to using mypy. It’s useful, but you don’t have to read the whole thing
 to start contributing to Certbot.

certbot/docs/install.rst

@@ -28,7 +28,7 @@ your system.
 System Requirements
 ===================
 
-Certbot currently requires Python 2.7 or 3.6+ running on a UNIX-like operating
+Certbot currently requires Python 3.6+ running on a UNIX-like operating
 system. By default, it requires root access in order to write to
 ``/etc/letsencrypt``, ``/var/log/letsencrypt``, ``/var/lib/letsencrypt``; to
 bind to port 80 (if you use the ``standalone`` plugin) and to read and
@@ -197,12 +197,12 @@ Optionally to install the Certbot Apache plugin, you can use:
 
 .. code-block:: shell
 
-    sudo dnf install certbot python2-certbot-apache
+    sudo dnf install certbot python3-certbot-apache
 
 **FreeBSD**
 
   * Port: ``cd /usr/ports/security/py-certbot && make install clean``
-  * Package: ``pkg install py27-certbot``
+  * Package: ``pkg install py37-certbot``
 
 **Gentoo**
 
@@ -223,7 +223,7 @@ They need to be installed separately if you require their functionality.
 **NetBSD**
 
   * Build from source: ``cd /usr/pkgsrc/security/py-certbot && make install clean``
-  * Install pre-compiled package: ``pkg_add py27-certbot``
+  * Install pre-compiled package: ``pkg_add py37-certbot``
 
 **OpenBSD**
 
@@ -240,6 +240,11 @@ look at the :doc:`packaging`.
 
 Certbot-Auto
 ------------
+.. toctree::
+   :hidden:
+
+   uninstall
+
 
 We used to have a shell script named ``certbot-auto`` to help people install
 Certbot on UNIX operating systems, however, this script is no longer supported.

certbot/setup.py

@@ -40,16 +40,16 @@ install_requires = [
     # saying so here causes a runtime error against our temporary fork of 0.9.3
     # in which we added 2.6 support (see #2243), so we relax the requirement.
     'ConfigArgParse>=0.9.3',
-    'configobj',
-    'cryptography>=1.2.3',  # load_pem_x509_certificate
+    'configobj>=5.0.6',
+    'cryptography>=2.1.4',
     'distro>=1.0.1',
     # 1.1.0+ is required to avoid the warnings described at
     # https://github.com/certbot/josepy/issues/13.
     'josepy>=1.1.0',
-    'parsedatetime>=1.3',  # Calendar.parseDT
+    'parsedatetime>=2.4',
     'pyrfc3339',
     'pytz',
-    'setuptools',
+    'setuptools>=39.0.1',
     'zope.component',
     'zope.interface',
 ]
@@ -59,7 +59,7 @@ install_requires = [
 # However environment markers are supported only with setuptools >= 36.2.
 # So this dependency is not added for old Linux distributions with old setuptools,
 # in order to allow these systems to build certbot from sources.
-pywin32_req = 'pywin32>=227'  # do not forget to edit pywin32 dependency accordingly in windows-installer/construct.py
+pywin32_req = 'pywin32>=300'  # do not forget to edit pywin32 dependency accordingly in windows-installer/construct.py
 setuptools_known_environment_markers = (LooseVersion(setuptools_version) >= LooseVersion('36.2'))
 if setuptools_known_environment_markers:
     install_requires.append(pywin32_req + " ; sys_platform == 'win32'")
@@ -116,7 +116,7 @@ setup(
     author="Certbot Project",
     author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=3.6',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Environment :: Console',
@@ -125,8 +125,6 @@ setup(
         'License :: OSI Approved :: Apache Software License',
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

certbot/tests/account_test.py

@@ -113,11 +113,16 @@ class AccountFileStorageTest(test_util.ConfigTestCase):
 
         from certbot._internal.account import Account
         new_authzr_uri = "hi"
+        meta = Account.Meta(
+            creation_host="test.example.org",
+            creation_dt=datetime.datetime(
+                2021, 1, 5, 14, 4, 10, tzinfo=pytz.UTC))
         self.acc = Account(
             regr=messages.RegistrationResource(
                 uri=None, body=messages.Registration(),
                 new_authzr_uri=new_authzr_uri),
-            key=KEY)
+            key=KEY,
+            meta=meta)
         self.mock_client = mock.MagicMock()
         self.mock_client.directory.new_authz = new_authzr_uri
 

certbot/tests/cert_manager_test.py

@@ -99,7 +99,7 @@ class UpdateLiveSymlinksTest(BaseCertManagerTest):
                 for kind in ALL_FOUR:
                     os.chdir(os.path.dirname(self.config_files[domain][kind]))
                     self.assertEqual(
-                        filesystem.realpath(os.readlink(self.config_files[domain][kind])),
+                        filesystem.realpath(filesystem.readlink(self.config_files[domain][kind])),
                         filesystem.realpath(archive_paths[domain][kind]))
         finally:
             os.chdir(prev_dir)

certbot/tests/compat/filesystem_test.py

@@ -597,6 +597,32 @@ class IsExecutableTest(test_util.TempDirTestCase):
             self.assertFalse(filesystem.is_executable("exe"))
 
 
+class ReadlinkTest(unittest.TestCase):
+    @unittest.skipUnless(POSIX_MODE, reason='Tests specific to Linux')
+    @mock.patch("certbot.compat.filesystem.os.readlink")
+    def test_path_posix(self, mock_readlink):
+        mock_readlink.return_value = "/normal/path"
+        self.assertEqual(filesystem.readlink("dummy"), "/normal/path")
+
+    @unittest.skipIf(POSIX_MODE, reason='Tests specific to Windows')
+    @mock.patch("certbot.compat.filesystem.os.readlink")
+    def test_normal_path_windows(self, mock_readlink):
+        # Python <3.8
+        mock_readlink.return_value = "C:\\short\\path"
+        self.assertEqual(filesystem.readlink("dummy"), "C:\\short\\path")
+
+        # Python >=3.8 (os.readlink always returns the extended form)
+        mock_readlink.return_value = "\\\\?\\C:\\short\\path"
+        self.assertEqual(filesystem.readlink("dummy"), "C:\\short\\path")
+
+    @unittest.skipIf(POSIX_MODE, reason='Tests specific to Windows')
+    @mock.patch("certbot.compat.filesystem.os.readlink")
+    def test_extended_path_windows(self, mock_readlink):
+        # Following path is largely over the 260 characters permitted in the normal form.
+        mock_readlink.return_value = "\\\\?\\C:\\long" + 1000 * "\\path"
+        with self.assertRaises(ValueError):
+            filesystem.readlink("dummy")
+
 @contextlib.contextmanager
 def _fix_windows_runtime():
     if os.name != 'nt':

certbot/tests/crypto_util_test.py

@@ -184,11 +184,13 @@ class MakeKeyTest(unittest.TestCase):
     def test_ec(self):  # pylint: disable=no-self-use
         # ECDSA Key Type Tests
         from certbot.crypto_util import make_key
-        # Do not test larger keys as it takes too long.
 
-        # Try a good key size for ECDSA
-        OpenSSL.crypto.load_privatekey(
-            OpenSSL.crypto.FILETYPE_PEM, make_key(elliptic_curve="secp256r1", key_type='ecdsa'))
+        for (name, bits) in [('secp256r1', 256), ('secp384r1', 384), ('secp521r1', 521)]:
+            pkey = OpenSSL.crypto.load_privatekey(
+                OpenSSL.crypto.FILETYPE_PEM,
+                make_key(elliptic_curve=name, key_type='ecdsa')
+            )
+            self.assertEqual(pkey.bits(), bits)
 
     def test_bad_key_sizes(self):
         from certbot.crypto_util import make_key
@@ -471,6 +473,19 @@ class FindChainWithIssuerTest(unittest.TestCase):
         matched = self._call(fullchains, "Pebble Root CA 0cc6f0")
         self.assertEqual(matched, fullchains[1])
 
+    @mock.patch('certbot.crypto_util.logger.info')
+    def test_intermediate_match(self, mock_info):
+        """Don't pick a chain where only an intermediate matches"""
+        fullchains = self._all_fullchains()
+        # Make the second chain actually only contain "Pebble Root CA 0cc6f0"
+        # as an intermediate, not as the root. This wouldn't be a valid chain
+        # (the CERT_ISSUER cert didn't issue the CERT_ALT_ISSUER cert), but the
+        # function under test here doesn't care about that.
+        fullchains[1] = fullchains[1] + CERT_ISSUER.decode()
+        matched = self._call(fullchains, "Pebble Root CA 0cc6f0")
+        self.assertEqual(matched, fullchains[0])
+        mock_info.assert_not_called()
+
     @mock.patch('certbot.crypto_util.logger.info')
     def test_no_match(self, mock_info):
         fullchains = self._all_fullchains()

certbot/tests/main_test.py

@@ -813,8 +813,10 @@ class MainTest(test_util.ConfigTestCase):
         self._call_no_clientmock(['delete'])
         self.assertEqual(1, mock_cert_manager.call_count)
 
+    @mock.patch('certbot._internal.main.plugins_disco')
+    @mock.patch('certbot._internal.main.cli.HelpfulArgumentParser.determine_help_topics')
     @mock.patch('certbot._internal.log.post_arg_parse_setup')
-    def test_plugins(self, _):
+    def test_plugins(self, _, _det, mock_disco):
         flags = ['--init', '--prepare', '--authenticators', '--installers']
         for args in itertools.chain(
                 *(itertools.combinations(flags, r)

certbot/tests/storage_test.py

@@ -330,7 +330,7 @@ class RenewableCertTests(BaseRenewableCertTest):
         self.test_rc._update_link_to("chain", 3000)
         # However, current_version doesn't allow querying the resulting
         # version (because it's a broken link).
-        self.assertEqual(os.path.basename(os.readlink(self.test_rc.chain)),
+        self.assertEqual(os.path.basename(filesystem.readlink(self.test_rc.chain)),
                          "chain3000.pem")
 
     def test_version(self):
@@ -514,7 +514,7 @@ class RenewableCertTests(BaseRenewableCertTest):
         # privkey.
         for i in (6, 7, 8):
             self.assertTrue(os.path.islink(self.test_rc.version("privkey", i)))
-            self.assertEqual("privkey3.pem", os.path.basename(os.readlink(
+            self.assertEqual("privkey3.pem", os.path.basename(filesystem.readlink(
                 self.test_rc.version("privkey", i))))
 
         for kind in ALL_FOUR:

letsencrypt-auto

@@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then
 fi
 VENV_BIN="$VENV_PATH/bin"
 BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt"
-LE_AUTO_VERSION="1.10.1"
+LE_AUTO_VERSION="1.11.0"
 BASENAME=$(basename $0)
 USAGE="Usage: $BASENAME [OPTIONS]
 A self-updating wrapper script for the Certbot ACME client. When run, updates
@@ -804,6 +804,7 @@ elif [ -f /etc/mageia-release ]; then
   # Mageia has both /etc/mageia-release and /etc/redhat-release
   DEPRECATED_OS=1
 elif [ -f /etc/redhat-release ]; then
+  DEPRECATED_OS=1
   # Run DeterminePythonVersion to decide on the basis of available Python versions
   # whether to use 2.x or 3.x on RedHat-like systems.
   # Then, revert LE_PYTHON to its previous state.
@@ -836,12 +837,7 @@ elif [ -f /etc/redhat-release ]; then
       INTERACTIVE_BOOTSTRAP=1
     fi
 
-    Bootstrap() {
-      BootstrapMessage "Legacy RedHat-based OSes that will use Python3"
-      BootstrapRpmPython3Legacy
-    }
     USE_PYTHON_3=1
-    BOOTSTRAP_VERSION="BootstrapRpmPython3Legacy $BOOTSTRAP_RPM_PYTHON3_LEGACY_VERSION"
 
     # Try now to enable SCL rh-python36 for systems already bootstrapped
     # NB: EnablePython36SCL has been defined along with BootstrapRpmPython3Legacy in certbot-auto
@@ -860,18 +856,7 @@ elif [ -f /etc/redhat-release ]; then
     fi
 
     if [ "$RPM_USE_PYTHON_3" = 1 ]; then
-      Bootstrap() {
-        BootstrapMessage "RedHat-based OSes that will use Python3"
-        BootstrapRpmPython3
-      }
       USE_PYTHON_3=1
-      BOOTSTRAP_VERSION="BootstrapRpmPython3 $BOOTSTRAP_RPM_PYTHON3_VERSION"
-    else
-      Bootstrap() {
-        BootstrapMessage "RedHat-based OSes"
-        BootstrapRpmCommon
-      }
-      BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION"
     fi
   fi
 
@@ -889,10 +874,7 @@ elif uname | grep -iq FreeBSD ; then
 elif uname | grep -iq Darwin ; then
   DEPRECATED_OS=1
 elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then
-  Bootstrap() {
-    ExperimentalBootstrap "Amazon Linux" BootstrapRpmCommon
-  }
-  BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION"
+  DEPRECATED_OS=1
 elif [ -f /etc/product ] && grep -q "Joyent Instance" /etc/product ; then
   DEPRECATED_OS=1
 else
@@ -1493,18 +1475,18 @@ letsencrypt==0.7.0 \
     --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \
     --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9
 
-certbot==1.10.1 \
-    --hash=sha256:011ac980fa21b9f29e02c9b8d8b86e8a4bf4670b51b6ad91656e401e9d2d2231 \
-    --hash=sha256:0d9ee3fc09e0d03b2d1b1f1c4916e61ecfc6904b4216ddef4e6a5ca1424d9cb7
-acme==1.10.1 \
-    --hash=sha256:752d598e54e98ad1e874de53fd50c61044f1b566d6deb790db5676ce9c573546 \
-    --hash=sha256:fcbb559aedc96b404edf593e78517dcd7291984d5a37036c3fc77f3c5c122fd8
-certbot-apache==1.10.1 \
-    --hash=sha256:f077b4b7f166627ef5e0921fe7cde57700670fc86e9ad9dbdfaf2c573cc0f2fa \
-    --hash=sha256:97ed637b4c7b03820db6c69aa90145dc989933351d46a3d62baf6b71674f0a10
-certbot-nginx==1.10.1 \
-    --hash=sha256:7c36459021f8a1ec3b6c062e4c4fc866bfaa1dbf26ccd29e043dd6848003be08 \
-    --hash=sha256:c0bbeccf85f46b728fd95e6bb8c2649d32d3383d7f47ea4b9c312d12bf04d2f0
+certbot==1.11.0 \
+    --hash=sha256:b7faa66c40a1ce5a31bfc8668d8feb5d2db6f7af9e791079a6d95c77b6593bf4 \
+    --hash=sha256:6b0ce04e55379aff0a47f873fa05c084538ad0f4a9b79f33108dbb0a7a668b43
+acme==1.11.0 \
+    --hash=sha256:77d6ce61b155315d7d7031489bbd245c0ea42c0453a04d4304393414e741a56d \
+    --hash=sha256:092eb09a074a935da4c10f66cb8634ffb2cc2d2cc1035d2998d608996efab924
+certbot-apache==1.11.0 \
+    --hash=sha256:ea7ac88733aad91a89c700289effda2a0c0658778da1ae2c54a0aefaee351285 \
+    --hash=sha256:3ed001427ec0b49324f2b9af7170fa6e6e88948fa51c3678b07bf17f8138863d
+certbot-nginx==1.11.0 \
+    --hash=sha256:79de69782a1199e577787ff9790dee02a44aac17dbecd6a7287593030842a306 \
+    --hash=sha256:9afe611f99a78b8898941b8ad7bdcf7f3c2b6e0fce27125268f7c713e64b34ee
 
 UNLIKELY_EOF
     # -------------------------------------------------------------------------

letsencrypt-auto-source/certbot-auto.asc

@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQEzBAABCAAdFiEEos+1H6J1pyhiNOeyTRfJlc2XdfIFAl/JL3kACgkQTRfJlc2X
-dfKJMwf/RXjfg5KScEjWiR+YMAcTVxGl4ITDMNBvmPoqCfrPwIJQewy1k6yQUITr
-tMe0tkPneGgGccJreLAuO4+RdmNqm2MKBO3wMW9YZobJxcbMmrtVxyBD2OP4K/lL
-oCZvjcN5pLvje6OlMwJ/fQ+zGY8mFUpfKIluxKrqkkO3p6Q+i/wPXF5Gjjb2J/bI
-N+TczQJYUkDWAw7Tp4ho3J9xpqIn3zyOc2hI3wQDMC1o9sU5a80Vyc/mEqpE8SQ3
-qOWg9Gdx3DXTWOztcx2IxZtFEkIukPM8iD/Fkr//3XHeIc3+mqRAQdY+w7EopzbP
-hLwjHVEJs1EMYq8ntWmMFjZ4+ImFgw==
-=Peuv
+iQEzBAABCAAdFiEEos+1H6J1pyhiNOeyTRfJlc2XdfIFAl/0pwwACgkQTRfJlc2X
+dfL4eQf+MyI6XGuG9jKbfRRfYWNjc3B4nxjvpeaOys6ZNIFoI5sElR/8siv6lexc
+iDZ0h6PkIfh4NkIOQJQqgGP885P4aPZBg1mOTnssa6u3+1R3QRb/L/QcppysQZnf
+Jve+94Zpkz1r2pF8KI4mZYDl5iN01TrMlQLddEeWOzY1tzoEVBq19KBEUwnk8awt
+WOxKfhITFPbU2jyR5O4przDJLGsqG6WC6etCbmWYnb/he3pWa70ITsv2a1RCoTDf
+EsBb5QVa3SEw+NT3jyE9P3FothSQZyvsYojd6/B4/bwZarWwqh1mTMz55U2rJl87
+XpjglPXfhrv/s5oWNWthXTpz+11xvA==
+=nhC8
 -----END PGP SIGNATURE-----

letsencrypt-auto-source/letsencrypt-auto

@@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then
 fi
 VENV_BIN="$VENV_PATH/bin"
 BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt"
-LE_AUTO_VERSION="1.11.0.dev0"
+LE_AUTO_VERSION="1.12.0.dev0"
 BASENAME=$(basename $0)
 USAGE="Usage: $BASENAME [OPTIONS]
 A self-updating wrapper script for the Certbot ACME client. When run, updates
@@ -1475,18 +1475,18 @@ letsencrypt==0.7.0 \
     --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \
     --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9
 
-certbot==1.10.1 \
-    --hash=sha256:011ac980fa21b9f29e02c9b8d8b86e8a4bf4670b51b6ad91656e401e9d2d2231 \
-    --hash=sha256:0d9ee3fc09e0d03b2d1b1f1c4916e61ecfc6904b4216ddef4e6a5ca1424d9cb7
-acme==1.10.1 \
-    --hash=sha256:752d598e54e98ad1e874de53fd50c61044f1b566d6deb790db5676ce9c573546 \
-    --hash=sha256:fcbb559aedc96b404edf593e78517dcd7291984d5a37036c3fc77f3c5c122fd8
-certbot-apache==1.10.1 \
-    --hash=sha256:f077b4b7f166627ef5e0921fe7cde57700670fc86e9ad9dbdfaf2c573cc0f2fa \
-    --hash=sha256:97ed637b4c7b03820db6c69aa90145dc989933351d46a3d62baf6b71674f0a10
-certbot-nginx==1.10.1 \
-    --hash=sha256:7c36459021f8a1ec3b6c062e4c4fc866bfaa1dbf26ccd29e043dd6848003be08 \
-    --hash=sha256:c0bbeccf85f46b728fd95e6bb8c2649d32d3383d7f47ea4b9c312d12bf04d2f0
+certbot==1.11.0 \
+    --hash=sha256:b7faa66c40a1ce5a31bfc8668d8feb5d2db6f7af9e791079a6d95c77b6593bf4 \
+    --hash=sha256:6b0ce04e55379aff0a47f873fa05c084538ad0f4a9b79f33108dbb0a7a668b43
+acme==1.11.0 \
+    --hash=sha256:77d6ce61b155315d7d7031489bbd245c0ea42c0453a04d4304393414e741a56d \
+    --hash=sha256:092eb09a074a935da4c10f66cb8634ffb2cc2d2cc1035d2998d608996efab924
+certbot-apache==1.11.0 \
+    --hash=sha256:ea7ac88733aad91a89c700289effda2a0c0658778da1ae2c54a0aefaee351285 \
+    --hash=sha256:3ed001427ec0b49324f2b9af7170fa6e6e88948fa51c3678b07bf17f8138863d
+certbot-nginx==1.11.0 \
+    --hash=sha256:79de69782a1199e577787ff9790dee02a44aac17dbecd6a7287593030842a306 \
+    --hash=sha256:9afe611f99a78b8898941b8ad7bdcf7f3c2b6e0fce27125268f7c713e64b34ee
 
 UNLIKELY_EOF
     # -------------------------------------------------------------------------

letsencrypt-auto-source/pieces/certbot-requirements.txt

@@ -1,12 +1,12 @@
-certbot==1.10.1 \
-    --hash=sha256:011ac980fa21b9f29e02c9b8d8b86e8a4bf4670b51b6ad91656e401e9d2d2231 \
-    --hash=sha256:0d9ee3fc09e0d03b2d1b1f1c4916e61ecfc6904b4216ddef4e6a5ca1424d9cb7
-acme==1.10.1 \
-    --hash=sha256:752d598e54e98ad1e874de53fd50c61044f1b566d6deb790db5676ce9c573546 \
-    --hash=sha256:fcbb559aedc96b404edf593e78517dcd7291984d5a37036c3fc77f3c5c122fd8
-certbot-apache==1.10.1 \
-    --hash=sha256:f077b4b7f166627ef5e0921fe7cde57700670fc86e9ad9dbdfaf2c573cc0f2fa \
-    --hash=sha256:97ed637b4c7b03820db6c69aa90145dc989933351d46a3d62baf6b71674f0a10
-certbot-nginx==1.10.1 \
-    --hash=sha256:7c36459021f8a1ec3b6c062e4c4fc866bfaa1dbf26ccd29e043dd6848003be08 \
-    --hash=sha256:c0bbeccf85f46b728fd95e6bb8c2649d32d3383d7f47ea4b9c312d12bf04d2f0
+certbot==1.11.0 \
+    --hash=sha256:b7faa66c40a1ce5a31bfc8668d8feb5d2db6f7af9e791079a6d95c77b6593bf4 \
+    --hash=sha256:6b0ce04e55379aff0a47f873fa05c084538ad0f4a9b79f33108dbb0a7a668b43
+acme==1.11.0 \
+    --hash=sha256:77d6ce61b155315d7d7031489bbd245c0ea42c0453a04d4304393414e741a56d \
+    --hash=sha256:092eb09a074a935da4c10f66cb8634ffb2cc2d2cc1035d2998d608996efab924
+certbot-apache==1.11.0 \
+    --hash=sha256:ea7ac88733aad91a89c700289effda2a0c0658778da1ae2c54a0aefaee351285 \
+    --hash=sha256:3ed001427ec0b49324f2b9af7170fa6e6e88948fa51c3678b07bf17f8138863d
+certbot-nginx==1.11.0 \
+    --hash=sha256:79de69782a1199e577787ff9790dee02a44aac17dbecd6a7287593030842a306 \
+    --hash=sha256:9afe611f99a78b8898941b8ad7bdcf7f3c2b6e0fce27125268f7c713e64b34ee

tools/_release.sh

@@ -216,8 +216,13 @@ fi
 # ensure we have the latest built version of leauto
 letsencrypt-auto-source/build.py
 
-# and that it's signed correctly
-tools/offline-sigrequest.sh || true
+# Now we have to sign the built version of leauto.
+SignLEAuto() {
+    yubico-piv-tool -a verify-pin --sign -s 9c -i letsencrypt-auto-source/letsencrypt-auto -o letsencrypt-auto-source/letsencrypt-auto.sig
+}
+
+# Loop until letsencrypt-auto is signed correctly.
+SignLEAuto || true
 while ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
         letsencrypt-auto-source/letsencrypt-auto.sig \
         letsencrypt-auto-source/letsencrypt-auto            ; do
@@ -225,7 +230,7 @@ while ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
     read -p "Would you like this script to try and sign it again [Y/n]?" response
     case $response in
       [yY][eE][sS]|[yY]|"")
-        tools/offline-sigrequest.sh || true;;
+        SignLEAuto || true;;
       *)
         ;;
     esac

tools/dev_constraints.txt

@@ -26,13 +26,7 @@ coverage==4.5.4
 decorator==4.4.1
 deprecated==1.2.10
 dns-lexicon==3.3.17
-# There is no version of dnspython that works on both Python 2 and Python 3.9.
-# To work around this, we make use of the fact that subject to other
-# constraints, pip will install the newest version of a package while ignoring
-# versions that don't support the version of Python being used. The result of
-# this is dnspython 2.0.0 is installed in Python 3 while dnspython 1.16.0 is
-# installed in Python 2.
-dnspython<=2.0.0
+dnspython==2.1.0
 docker==4.3.1
 docker-compose==1.26.2
 docker-pycreds==0.4.0
@@ -91,7 +85,7 @@ pylint==2.4.3
 # If pynsist version is upgraded, our NSIS template windows-installer/template.nsi
 # must be upgraded if necessary using the new built-in one from pynsist.
 pynacl==1.3.0
-pynsist==2.4
+pynsist==2.6
 pytest==3.2.5
 pytest-cov==2.5.1
 pytest-forked==0.2
@@ -101,7 +95,7 @@ pytest-rerunfailures==4.2
 python-dateutil==2.8.1
 python-digitalocean==1.11
 python-dotenv==0.14.0
-pywin32==227
+pywin32==300
 PyYAML==5.3.1
 repoze.sphinx.autointerface==0.8
 requests-file==1.4.2

tools/offline-sigrequest.sh

@@ -1,51 +0,0 @@
-#!/bin/bash
-
-set -o errexit
-
-function sayhash { # $1 <-- HASH ; $2 <---SIGFILEBALL
-  while read -p "Press Enter to read the hash aloud or type 'done':  " INP && [ "$INP" = "" ] ; do
-    if ! `which festival > /dev/null` ; then
-      echo \`festival\` is not installed!
-      echo Please install it to read the hash aloud
-    else
-      cat $1 | (echo "(Parameter.set 'Duration_Stretch 1.8)"; \
-                  echo -n '(SayText "'; \
-                  sha256sum | cut -c1-64 | fold -1 | sed 's/^a$/alpha/; s/^b$/bravo/; s/^c$/charlie/; s/^d$/delta/; s/^e$/echo/; s/^f$/foxtrot/'; \
-                  echo '")' ) | festival
-    fi
-  done
-
-  echo 'Paste in the data from the QR code, then type Ctrl-D:'
-  cat > $2
-}
-
-function offlinesign {  # $1 <-- INPFILE ; $2 <---SIGFILE
-  echo HASH FOR SIGNING:
-  SIGFILEBALL="$2.lzma.base64"
-  #echo "(place the resulting raw binary signature in $SIGFILEBALL)"
-  sha256sum $1
-  echo metahash for confirmation only $(sha256sum $1   |cut -d' ' -f1 | tr -d '\n' | sha256sum  | cut -c1-6) ...
-  echo
-  sayhash $1 $SIGFILEBALL
-}
-
-function oncesigned { # $1 <-- INPFILE ; $2 <--SIGFILE
-  SIGFILEBALL="$2.lzma.base64"
-  cat $SIGFILEBALL | tr -d '\r' | base64 -d | unlzma -c > $2 || exit 1
-  if ! [ -f $2 ] ; then
-    echo "Failed to find $2"'!'
-    exit 1
-  fi
-
-  if file $2 | grep -qv " data" ; then
-    echo "WARNING WARNING $2 does not look like a binary signature:"
-    echo `file $2`
-    exit 1
-  fi
-}
-
-HERE=`dirname $0`
-LEAUTO="`realpath $HERE`/../letsencrypt-auto-source/letsencrypt-auto"
-SIGFILE="$LEAUTO".sig
-offlinesign $LEAUTO $SIGFILE
-oncesigned $LEAUTO $SIGFILE

tools/oldest_constraints.txt

@@ -1,76 +1,79 @@
-# This file contains the oldest versions of our dependencies we say we require
-# in our packages or versions we need to support to maintain compatibility with
-# the versions included in the various Linux distros where we are packaged.
+# This file contains the oldest versions of our dependencies we're trying to
+# support. Usually these version numbers are taken from the packages of our
+# dependencies available in popular LTS Linux distros. Keeping compatibility
+# with those versions makes it much easier for OS maintainers to update their
+# Certbot packages.
+#
+# When updating these dependencies, we should try to only update them to the
+# oldest version of the package that is found in a non-EOL'd version of
+# CentOS, Debian, or Ubuntu that has Certbot packages in their OS repositories
+# using a version of Python we support. If the distro is EOL'd or using a
+# version of Python we don't support, it can be ignored.
 
 # CentOS/RHEL 7 EPEL constraints
-cffi==1.6.0
+# Some of these constraints may be stricter than necessary because they
+# initially referred to the Python 2 packages in CentOS/RHEL 7 with EPEL.
+cffi==1.9.1
 chardet==2.2.1
-configobj==4.7.2
 ipaddress==1.0.16
 mock==1.0.1
 ndg-httpsclient==0.3.2
 ply==3.4
+pyOpenSSL==17.3.0
 pyasn1==0.1.9
 pycparser==2.14
 pyRFC3339==1.0
 python-augeas==0.5.0
 oauth2client==4.0.0
-six==1.9.0
-# setuptools 0.9.8 is the actual version packaged, but some other dependencies
-# in this file require setuptools>=1.0 and there are no relevant changes for us
-# between these versions.
-setuptools==1.0.0
 urllib3==1.10.2
 zope.component==4.1.0
 zope.event==4.0.3
 zope.interface==4.0.5
 
 # Debian Jessie Backports constraints
-# Debian Jessie has reached end of life. However:
-# When it becomes necessary to upgrade any of these dependencies, you should only update them to the oldest version of the package found
-# in a non-EOL'd version of CentOS, Debian, or Ubuntu that has Certbot packages in their OS repositories.
-PyICU==1.8
+# Debian Jessie has reached end of life so these dependencies can probably be
+# updated as needed or desired.
 colorama==0.3.2
 enum34==1.0.3
 html5lib==0.999
-idna==2.0
 pbr==1.8.0
 pytz==2012rc0
 
 # Debian Buster constraints
 google-api-python-client==1.5.5
+pyparsing==2.2.0
 
 # Our setup.py constraints
 apacheconfig==0.3.2
 cloudflare==1.5.1
-cryptography==1.2.3
-parsedatetime==1.3
-pyparsing==1.5.5
 python-digitalocean==1.11
 requests[security]==2.6.0
 
 # Ubuntu Xenial constraints
+# Ubuntu Xenial only has versions of Python which we do not support available
+# so these dependencies can probably be updated as needed or desired.
 ConfigArgParse==0.10.0
-pyOpenSSL==0.15.1
 funcsigs==0.4
 zope.hookable==4.0.4
 
 # Ubuntu Bionic constraints.
+cryptography==2.1.4
 distro==1.0.1
 # Lexicon oldest constraint is overridden appropriately on relevant DNS provider plugins
 # using their local-oldest-requirements.txt
 dns-lexicon==2.2.1
 httplib2==0.9.2
+idna==2.6
+setuptools==39.0.1
+six==1.11.0
+
+# Ubuntu Focal constraints
+asn1crypto==0.24.0
+configobj==5.0.6
+parsedatetime==2.4
 
 # Plugin constraints
 # These aren't necessarily the oldest versions we need to support
 # Tracking at https://github.com/certbot/certbot/issues/6473
 boto3==1.4.7
 botocore==1.7.41
-
-# Old certbot[dev] constraints
-# Old versions of certbot[dev] required ipdb and our normally pinned version of
-# ipython which ipdb depends on doesn't support Python 2 so we pin an older
-# version here to keep tests working while we have Python 2 support.
-ipython==5.8.0
-prompt-toolkit==1.0.18

tools/run_oldest_tests.sh

@@ -1,37 +0,0 @@
-#!/bin/bash
-set -e
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-
-pushd "${DIR}/../"
-
-function cleanup() {
-  rm -f "${DOCKERFILE}"
-  popd
-}
-
-trap cleanup EXIT
-
-DOCKERFILE=$(mktemp /tmp/Dockerfile.XXXXXX)
-
-cat << "EOF" >> "${DOCKERFILE}"
-FROM ubuntu:16.04
-COPY letsencrypt-auto-source/pieces/dependency-requirements.txt /tmp/letsencrypt-auto-source/pieces/
-COPY tools/ /tmp/tools/
-RUN apt-get update \
- && apt-get install -y --no-install-recommends \
-        python-dev python-pip python-setuptools \
-        gcc libaugeas0 libssl-dev libffi-dev \
-        git ca-certificates nginx-light openssl curl \
- && curl -fsSL https://get.docker.com | bash /dev/stdin \
- && python /tmp/tools/pipstrap.py \
- && python /tmp/tools/pip_install.py tox \
- && rm -rf /var/lib/apt/lists/*
-EOF
-
-docker build -f "${DOCKERFILE}" -t oldest-worker .
-docker run --rm --network=host -w "${PWD}" \
-  -v /var/run/docker.sock:/var/run/docker.sock \
-  -v "${PWD}:${PWD}" -v /tmp:/tmp \
-  -e TOXENV -e ACME_SERVER -e PYTEST_ADDOPTS \
-  oldest-worker python -m tox

tox.ini

@@ -77,49 +77,65 @@ setenv =
     PYTEST_ADDOPTS = {env:PYTEST_ADDOPTS:--numprocesses auto}
     PYTHONHASHSEED = 0
 
-[testenv:py27-oldest]
+[testenv:oldest]
+# Setting basepython allows the tests to fail fast if that version of Python
+# isn't available instead of potentially trying to use a newer version of
+# Python which is unlikely to work.
+basepython = python3.6
 commands =
     {[testenv]commands}
 setenv =
     {[testenv]setenv}
     CERTBOT_OLDEST=1
 
-[testenv:py27-acme-oldest]
+[testenv:acme-oldest]
+basepython =
+    {[testenv:oldest]basepython}
 commands =
     {[base]install_and_test} acme[dev]
 setenv =
-    {[testenv:py27-oldest]setenv}
+    {[testenv:oldest]setenv}
 
-[testenv:py27-apache-oldest]
+[testenv:apache-oldest]
+basepython =
+    {[testenv:oldest]basepython}
 commands =
     {[base]install_and_test} certbot-apache
 setenv =
-    {[testenv:py27-oldest]setenv}
+    {[testenv:oldest]setenv}
 
-[testenv:py27-apache-v2-oldest]
+[testenv:apache-v2-oldest]
+basepython =
+    {[testenv:oldest]basepython}
 commands =
     {[base]install_and_test} certbot-apache[dev]
 setenv =
-    {[testenv:py27-oldest]setenv}
+    {[testenv:oldest]setenv}
 
-[testenv:py27-certbot-oldest]
+[testenv:certbot-oldest]
+basepython =
+    {[testenv:oldest]basepython}
 commands =
     {[base]install_and_test} certbot[dev]
 setenv =
-    {[testenv:py27-oldest]setenv}
+    {[testenv:oldest]setenv}
 
-[testenv:py27-dns-oldest]
+[testenv:dns-oldest]
+basepython =
+    {[testenv:oldest]basepython}
 commands =
     {[base]install_and_test} {[base]dns_packages}
 setenv =
-    {[testenv:py27-oldest]setenv}
+    {[testenv:oldest]setenv}
 
-[testenv:py27-nginx-oldest]
+[testenv:nginx-oldest]
+basepython =
+    {[testenv:oldest]basepython}
 commands =
     {[base]install_and_test} certbot-nginx
     python tests/lock_test.py
 setenv =
-    {[testenv:py27-oldest]setenv}
+    {[testenv:oldest]setenv}
 
 [testenv:lint]
 basepython = python3
@@ -238,22 +254,26 @@ commands =
 passenv = DOCKER_*
 
 [testenv:integration-certbot-oldest]
+basepython =
+    {[testenv:oldest]basepython}
 commands =
     {[base]pip_install} certbot
     {[base]pip_install} certbot-ci
     pytest certbot-ci/certbot_integration_tests/certbot_tests \
         --acme-server={env:ACME_SERVER:pebble}
 passenv = DOCKER_*
-setenv = {[testenv:py27-oldest]setenv}
+setenv = {[testenv:oldest]setenv}
 
 [testenv:integration-nginx-oldest]
+basepython =
+    {[testenv:oldest]basepython}
 commands =
     {[base]pip_install} certbot-nginx
     {[base]pip_install} certbot-ci
     pytest certbot-ci/certbot_integration_tests/nginx_tests \
         --acme-server={env:ACME_SERVER:pebble}
 passenv = DOCKER_*
-setenv = {[testenv:py27-oldest]setenv}
+setenv = {[testenv:oldest]setenv}
 
 [testenv:test-farm-tests-base]
 changedir = tests/letstest

windows-installer/construct.py

@@ -9,10 +9,10 @@ import sys
 import tempfile
 import time
 
-PYTHON_VERSION = (3, 7, 4)
+PYTHON_VERSION = (3, 8, 6)
 PYTHON_BITNESS = 32
-PYWIN32_VERSION = 227  # do not forget to edit pywin32 dependency accordingly in setup.py
-NSIS_VERSION = '3.04'
+PYWIN32_VERSION = 300  # do not forget to edit pywin32 dependency accordingly in setup.py
+NSIS_VERSION = '3.06.1'
 
 
 def main():
@@ -98,32 +98,6 @@ def _copy_assets(build_path, repo_path):
 def _generate_pynsist_config(repo_path, build_path):
     print('Generate pynsist configuration')
 
-    pywin32_paths_file = os.path.join(build_path, 'pywin32_paths.py')
-
-    # Pywin32 uses non-standard folders to hold its packages. We need to instruct pynsist bootstrap
-    # explicitly to add them into sys.path. This is done with a custom "pywin32_paths.py" that is
-    # referred in the pynsist configuration as an "extra_preamble".
-    # Reference example: https://github.com/takluyver/pynsist/tree/master/examples/pywebview
-    with open(pywin32_paths_file, 'w') as file_h:
-        file_h.write('''\
-pkgdir = os.path.join(os.path.dirname(installdir), 'pkgs')
-
-sys.path.extend([
-    os.path.join(pkgdir, 'win32'),
-    os.path.join(pkgdir, 'win32', 'lib'),
-])
-
-# Preload pywintypes and pythoncom
-pwt = os.path.join(pkgdir, 'pywin32_system32', 'pywintypes{0}{1}.dll')
-pcom = os.path.join(pkgdir, 'pywin32_system32', 'pythoncom{0}{1}.dll')
-import warnings
-with warnings.catch_warnings():
-    warnings.simplefilter("ignore")
-    import imp
-imp.load_dynamic('pywintypes', pwt)
-imp.load_dynamic('pythoncom', pcom)
-'''.format(PYTHON_VERSION[0], PYTHON_VERSION[1]))
-
     installer_cfg_path = os.path.join(build_path, 'installer.cfg')
 
     certbot_pkg_path = os.path.join(repo_path, 'certbot')
@@ -158,7 +132,6 @@ files=run.bat
 
 [Command certbot]
 entry_point=certbot.main:main
-extra_preamble=pywin32_paths.py
 '''.format(certbot_version=certbot_version,
            installer_suffix='win_amd64' if PYTHON_BITNESS == 64 else 'win32',
            python_bitness=PYTHON_BITNESS,

windows-installer/template.nsi

@@ -1,7 +1,7 @@
-; This NSIS template is based on the built-in one in pynsist 2.3.
+; This NSIS template is based on the built-in one in pynsist 2.6.
 ; Added lines are enclosed within "CERTBOT CUSTOM BEGIN/END" comments.
 ; If pynsist is upgraded, this template must be updated if necessary using the new built-in one.
-; Original file can be found here: https://github.com/takluyver/pynsist/blob/2.4/nsist/pyapp.nsi
+; Original file can be found here: https://github.com/takluyver/pynsist/blob/2.6/nsist/pyapp.nsi
 
 !define PRODUCT_NAME "[[ib.appname]]"
 !define PRODUCT_VERSION "[[ib.version]]"
@@ -14,9 +14,14 @@
 
 ; Marker file to tell the uninstaller that it's a user installation
 !define USER_INSTALL_MARKER _user_install_marker
- 
+
 SetCompressor lzma
 
+!if "${NSIS_PACKEDVERSION}" >= 0x03000000
+  Unicode true
+  ManifestDPIAware true
+!endif
+
 ; CERTBOT CUSTOM BEGIN
 ; Administrator privileges are required to insert a new task in Windows Scheduler.
 ; Also comment out some options to disable ability to choose AllUsers/CurrentUser install mode.
@@ -35,9 +40,10 @@ SetCompressor lzma
 !define MULTIUSER_INSTALLMODE_FUNCTION correct_prog_files
 [% endif %]
 !include MultiUser.nsh
+!include FileFunc.nsh
 
 [% block modernui %]
-; Modern UI installer stuff 
+; Modern UI installer stuff
 !include "MUI2.nsh"
 !define MUI_ABORTWARNING
 !define MUI_ICON "[[icon]]"
@@ -67,6 +73,8 @@ Name "${PRODUCT_NAME} (beta) ${PRODUCT_VERSION}"
 OutFile "${INSTALLER_NAME}"
 ShowInstDetails show
 
+Var cmdLineInstallDir
+
 Section -SETTINGS
   SetOutPath "$INSTDIR"
   SetOverwrite ifnewer
@@ -96,14 +104,14 @@ Section "!${PRODUCT_NAME}" sec_app
       File "[[ file ]]"
     [% endfor %]
   [% endfor %]
-  
+
   ; Install directories
   [% for dir, destination in ib.install_dirs %]
     SetOutPath "[[ pjoin(destination, dir) ]]"
     File /r "[[dir]]\*.*"
   [% endfor %]
   [% endblock install_files %]
-  
+
   [% block install_shortcuts %]
   ; Install shortcuts
   ; The output path becomes the working directory for shortcuts
@@ -127,7 +135,6 @@ Section "!${PRODUCT_NAME}" sec_app
   [% block install_commands %]
   [% if has_commands %]
     DetailPrint "Setting up command-line launchers..."
-    nsExec::ExecToLog '[[ python ]] -Es "$INSTDIR\_assemble_launchers.py" [[ python ]] "$INSTDIR\bin"'
 
     StrCmp $MultiUser.InstallMode CurrentUser 0 AddSysPathSystem
       ; Add to PATH for current user
@@ -139,7 +146,7 @@ Section "!${PRODUCT_NAME}" sec_app
     AddedSysPath:
   [% endif %]
   [% endblock install_commands %]
-  
+
   ; Byte-compile Python files.
   DetailPrint "Byte-compiling Python modules..."
   nsExec::ExecToLog '[[ python ]] -m compileall -q "$INSTDIR\pkgs"'
@@ -238,12 +245,25 @@ Function .onMouseOverSection
     [% block mouseover_messages %]
     StrCmp $0 ${sec_app} "" +2
       SendMessage $R0 ${WM_SETTEXT} 0 "STR:${PRODUCT_NAME}"
-    
+
     [% endblock mouseover_messages %]
 FunctionEnd
 
 Function .onInit
+  ; Multiuser.nsh breaks /D command line parameter. Parse /INSTDIR instead.
+  ; Cribbing from https://nsis-dev.github.io/NSIS-Forums/html/t-299280.html
+  ${GetParameters} $0
+  ClearErrors
+  ${GetOptions} '$0' "/INSTDIR=" $1
+  IfErrors +2  ; Error means flag not found
+    StrCpy $cmdLineInstallDir $1
+  ClearErrors
+
   !insertmacro MULTIUSER_INIT
+
+  ; If cmd line included /INSTDIR, override the install dir set by MultiUser
+  StrCmp $cmdLineInstallDir "" +2
+    StrCpy $INSTDIR $cmdLineInstallDir
 FunctionEnd
 
 Function un.onInit
@@ -257,4 +277,4 @@ Function correct_prog_files
   StrCmp $MultiUser.InstallMode AllUsers 0 +2
     StrCpy $INSTDIR "$PROGRAMFILES64\${MULTIUSER_INSTALLMODE_INSTDIR}"
 FunctionEnd
-[% endif %]
+[% endif %]