Test windows installer only.

.azure-pipelines/templates/jobs/extended-tests-jobs.yml

@@ -4,7 +4,7 @@ jobs:
       - name: IMAGE_NAME
         value: ubuntu-18.04
       - name: PYTHON_VERSION
-        value: 3.9
+        value: 3.8
       - group: certbot-common
     strategy:
       matrix:
@@ -14,9 +14,6 @@ jobs:
         linux-py37:
           PYTHON_VERSION: 3.7
           TOXENV: py37
-        linux-py38:
-          PYTHON_VERSION: 3.8
-          TOXENV: py38
         linux-py37-nopin:
           PYTHON_VERSION: 3.7
           TOXENV: py37
@@ -65,20 +62,10 @@ jobs:
           PYTHON_VERSION: 3.8
           TOXENV: integration
           ACME_SERVER: boulder-v2
-        linux-boulder-v1-py39-integration:
-          PYTHON_VERSION: 3.9
-          TOXENV: integration
-          ACME_SERVER: boulder-v1
-        linux-boulder-v2-py39-integration:
-          PYTHON_VERSION: 3.9
-          TOXENV: integration
-          ACME_SERVER: boulder-v2
         nginx-compat:
           TOXENV: nginx_compat
-        linux-integration-rfc2136:
-          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.8
-          TOXENV: integration-dns-rfc2136
+        le-auto-oraclelinux6:
+          TOXENV: le_auto_oraclelinux6
         docker-dev:
           TOXENV: docker_dev
         macos-farmtest-apache2:

.azure-pipelines/templates/jobs/packaging-jobs.yml

@@ -5,7 +5,7 @@ jobs:
     steps:
       - task: UsePythonVersion@0
         inputs:
-          versionSpec: 3.8
+          versionSpec: 3.7
           architecture: x86
           addToPath: true
       - script: python windows-installer/construct.py
@@ -47,9 +47,13 @@ jobs:
           artifact: windows-installer
           path: $(Build.SourcesDirectory)/bin
         displayName: Retrieve Windows installer
+      # pip 9.0 provided by pipstrap is not able to resolve properly the pywin32 dependency
+      # required by certbot-ci: as a temporary workaround until pipstrap is updated, we install
+      # a recent version of pip, but we also to disable the isolated feature as described in
+      # https://github.com/certbot/certbot/issues/8256
       - script: |
           python -m venv venv
-          venv\Scripts\python tools\pipstrap.py
+          venv\Scripts\python -m pip install pip==20.2.3 setuptools==50.3.0 wheel==0.35.1
           venv\Scripts\python tools\pip_install.py -e certbot-ci
         env:
           PIP_NO_BUILD_ISOLATION: no

.azure-pipelines/templates/jobs/standard-tests-jobs.yml

@@ -1,28 +1,28 @@
 jobs:
   - job: test
     variables:
-      PYTHON_VERSION: 3.9
+      PYTHON_VERSION: 3.8
     strategy:
       matrix:
         macos-py27:
           IMAGE_NAME: macOS-10.15
           PYTHON_VERSION: 2.7
           TOXENV: py27
-        macos-py39:
+        macos-py38:
           IMAGE_NAME: macOS-10.15
-          PYTHON_VERSION: 3.9
-          TOXENV: py39
+          PYTHON_VERSION: 3.8
+          TOXENV: py38
         windows-py36:
           IMAGE_NAME: vs2017-win2016
           PYTHON_VERSION: 3.6
           TOXENV: py36
-        windows-py38-cover:
+        windows-py37-cover:
           IMAGE_NAME: vs2017-win2016
-          PYTHON_VERSION: 3.8
-          TOXENV: py38-cover
+          PYTHON_VERSION: 3.7
+          TOXENV: py37-cover
         windows-integration-certbot:
           IMAGE_NAME: vs2017-win2016
-          PYTHON_VERSION: 3.8
+          PYTHON_VERSION: 3.7
           TOXENV: integration-certbot
         linux-oldest-tests-1:
           IMAGE_NAME: ubuntu-18.04
@@ -38,10 +38,10 @@ jobs:
           IMAGE_NAME: ubuntu-18.04
           PYTHON_VERSION: 3.6
           TOXENV: py36
-        linux-py39-cover:
+        linux-py38-cover:
           IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.9
-          TOXENV: py39-cover
+          PYTHON_VERSION: 3.8
+          TOXENV: py38-cover
         linux-py37-lint:
           IMAGE_NAME: ubuntu-18.04
           PYTHON_VERSION: 3.7
@@ -52,15 +52,15 @@ jobs:
           TOXENV: mypy
         linux-integration:
           IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.8
+          PYTHON_VERSION: 2.7
           TOXENV: integration
           ACME_SERVER: pebble
         apache-compat:
           IMAGE_NAME: ubuntu-18.04
           TOXENV: apache_compat
-        le-modification:
+        le-auto-centos6:
           IMAGE_NAME: ubuntu-18.04
-          TOXENV: modification
+          TOXENV: le_auto_centos6
         apacheconftest:
           IMAGE_NAME: ubuntu-18.04
           PYTHON_VERSION: 2.7

.azure-pipelines/templates/stages/test-and-package-stage.yml

@@ -1,5 +1,4 @@
 stages:
   - stage: TestAndPackage
     jobs:
-      - template: ../jobs/standard-tests-jobs.yml
       - template: ../jobs/packaging-jobs.yml

.azure-pipelines/templates/steps/tox-steps.yml

@@ -32,7 +32,7 @@ steps:
     # problems with its lack of real dependency resolution.
   - bash: |
       set -e
-      python tools/pipstrap.py
+      python letsencrypt-auto-source/pieces/pipstrap.py
       python tools/pip_install.py -I tox virtualenv
     displayName: Install runtime dependencies
   - task: DownloadSecureFile@1

.gitignore

@@ -64,4 +64,3 @@ certbot-dns*/certbot-dns*_amd64*.txt
 certbot-dns*/certbot-dns*_arm*.txt
 /certbot_amd64*.txt
 /certbot_arm*.txt
-certbot-dns*/snap

AUTHORS.md

@@ -149,13 +149,11 @@ Authors
 * [Lior Sabag](https://github.com/liorsbg)
 * [Lipis](https://github.com/lipis)
 * [lord63](https://github.com/lord63)
-* [Lorenzo Fundaró](https://github.com/lfundaro)
 * [Luca Beltrame](https://github.com/lbeltrame)
 * [Luca Ebach](https://github.com/lucebac)
 * [Luca Olivetti](https://github.com/olivluca)
 * [Luke Rogers](https://github.com/lukeroge)
 * [Maarten](https://github.com/mrtndwrd)
-* [Mads Jensen](https://github.com/atombrella)
 * [Maikel Martens](https://github.com/krukas)
 * [Malte Janduda](https://github.com/MalteJ)
 * [Mantas Mikulėnas](https://github.com/grawity)
@@ -215,7 +213,6 @@ Authors
 * [Richard Barnes](https://github.com/r-barnes)
 * [Richard Panek](https://github.com/kernelpanek)
 * [Robert Buchholz](https://github.com/rbu)
-* [Robert Dailey](https://github.com/pahrohfit)
 * [Robert Habermann](https://github.com/frennkie)
 * [Robert Xiao](https://github.com/nneonneo)
 * [Roland Shoemaker](https://github.com/rolandshoemaker)

acme/acme/__init__.py

@@ -20,10 +20,3 @@ for mod in list(sys.modules):
     # preserved (acme.jose.* is josepy.*)
     if mod == 'josepy' or mod.startswith('josepy.'):
         sys.modules['acme.' + mod.replace('josepy', 'jose', 1)] = sys.modules[mod]
-
-if sys.version_info[0] == 2:
-    warnings.warn(
-        "Python 2 support will be dropped in the next release of acme. "
-        "Please upgrade your Python version.",
-        PendingDeprecationWarning,
-    )  # pragma: no cover

acme/acme/client.py

@@ -201,7 +201,7 @@ class ClientBase(object):
             when = parsedate_tz(retry_after)
             if when is not None:
                 try:
-                    tz_secs = datetime.timedelta(when[-1] if when[-1] is not None else 0)
+                    tz_secs = datetime.timedelta(when[-1] if when[-1] else 0)
                     return datetime.datetime(*when[:7]) - tz_secs
                 except (ValueError, OverflowError):
                     pass

acme/acme/crypto_util.py

@@ -186,7 +186,6 @@ def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-argu
             raise errors.Error(error)
     return client_ssl.get_peer_certificate()
 
-
 def make_csr(private_key_pem, domains, must_staple=False):
     """Generate a CSR containing a list of domains as subjectAltNames.
 
@@ -218,7 +217,6 @@ def make_csr(private_key_pem, domains, must_staple=False):
     return crypto.dump_certificate_request(
         crypto.FILETYPE_PEM, csr)
 
-
 def _pyopenssl_cert_or_req_all_names(loaded_cert_or_req):
     common_name = loaded_cert_or_req.get_subject().CN
     sans = _pyopenssl_cert_or_req_san(loaded_cert_or_req)
@@ -227,7 +225,6 @@ def _pyopenssl_cert_or_req_all_names(loaded_cert_or_req):
         return sans
     return [common_name] + [d for d in sans if d != common_name]
 
-
 def _pyopenssl_cert_or_req_san(cert_or_req):
     """Get Subject Alternative Names from certificate or CSR using pyOpenSSL.
 
@@ -320,7 +317,6 @@ def gen_ss_cert(key, domains, not_before=None,
     cert.sign(key, "sha256")
     return cert
 
-
 def dump_pyopenssl_chain(chain, filetype=crypto.FILETYPE_PEM):
     """Dump certificate chain into a bundle.
 

acme/acme/magic_typing.py

@@ -12,5 +12,4 @@ try:
     from typing import *  # pylint: disable=wildcard-import, unused-wildcard-import
     from typing import Collection, IO  # type: ignore
 except ImportError:
-    # mypy complains because TypingClass is not a module
-    sys.modules[__name__] = TypingClass()  # type: ignore
+    sys.modules[__name__] = TypingClass()

acme/setup.py

@@ -5,7 +5,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.10.0.dev0'
 
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
@@ -66,7 +66,6 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
     ],

acme/tests/messages_test.py

@@ -108,11 +108,11 @@ class ConstantTest(unittest.TestCase):
 
     def test_equality(self):
         const_a_prime = self.MockConstant('a')
-        self.assertNotEqual(self.const_a, self.const_b)
-        self.assertEqual(self.const_a, const_a_prime)
+        self.assertFalse(self.const_a == self.const_b)
+        self.assertTrue(self.const_a == const_a_prime)
 
-        self.assertNotEqual(self.const_a, self.const_b)
-        self.assertEqual(self.const_a, const_a_prime)
+        self.assertTrue(self.const_a != self.const_b)
+        self.assertFalse(self.const_a != const_a_prime)
 
 
 class DirectoryTest(unittest.TestCase):

certbot-apache/certbot_apache/_internal/configurator.py

@@ -9,6 +9,7 @@ import re
 import socket
 import time
 
+import six
 import zope.component
 import zope.interface
 try:
@@ -327,9 +328,6 @@ class ApacheConfigurator(common.Installer):
         if self.version < (2, 2):
             raise errors.NotSupportedError(
                 "Apache Version {0} not supported.".format(str(self.version)))
-        elif self.version < (2, 4):
-            logger.warning('Support for Apache 2.2 is deprecated and will be removed in a '
-                           'future release.')
 
         # Recover from previous crash before Augeas initialization to have the
         # correct parse tree from the get go.
@@ -466,6 +464,21 @@ class ApacheConfigurator(common.Installer):
             metadata=metadata
         )
 
+    def _wildcard_domain(self, domain):
+        """
+        Checks if domain is a wildcard domain
+
+        :param str domain: Domain to check
+
+        :returns: If the domain is wildcard domain
+        :rtype: bool
+        """
+        if isinstance(domain, six.text_type):
+            wildcard_marker = u"*."
+        else:
+            wildcard_marker = b"*."
+        return domain.startswith(wildcard_marker)
+
     def deploy_cert(self, domain, cert_path, key_path,
                     chain_path=None, fullchain_path=None):
         """Deploys certificate to specified virtual host.
@@ -500,7 +513,7 @@ class ApacheConfigurator(common.Installer):
         :rtype: `list` of :class:`~certbot_apache._internal.obj.VirtualHost`
         """
 
-        if util.is_wildcard_domain(domain):
+        if self._wildcard_domain(domain):
             if domain in self._wildcard_vhosts:
                 # Vhosts for a wildcard domain were already selected
                 return self._wildcard_vhosts[domain]

certbot-apache/setup.py

@@ -5,7 +5,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.10.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -53,7 +53,6 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-apache/tests/apache-conf-files/apache-conf-test

@@ -52,7 +52,7 @@ function Cleanup() {
 # if our environment asks us to enable modules, do our best!
 if [ "$1" = --debian-modules ] ; then
     sudo apt-get install -y apache2
-    sudo apt-get install -y libapache2-mod-wsgi-py3
+    sudo apt-get install -y libapache2-mod-wsgi
     sudo apt-get install -y libapache2-mod-macro
 
     for mod in  ssl rewrite macro wsgi deflate userdir version mime setenvif ; do

certbot-apache/tests/configurator_test.py

@@ -1337,6 +1337,13 @@ class MultipleVhostsTest(util.ApacheTest):
                           self.config.enable_mod,
                           "whatever")
 
+    def test_wildcard_domain(self):
+        # pylint: disable=protected-access
+        cases = {u"*.example.org": True, b"*.x.example.org": True,
+                 u"a.example.org": False, b"a.x.example.org": False}
+        for key in cases:
+            self.assertEqual(self.config._wildcard_domain(key), cases[key])
+
     def test_choose_vhosts_wildcard(self):
         # pylint: disable=protected-access
         mock_path = "certbot_apache._internal.display_ops.select_vhost_multiple"
@@ -1350,10 +1357,10 @@ class MultipleVhostsTest(util.ApacheTest):
 
             # And the actual returned values
             self.assertEqual(len(vhs), 1)
-            self.assertEqual(vhs[0].name, "certbot.demo")
+            self.assertTrue(vhs[0].name == "certbot.demo")
             self.assertTrue(vhs[0].ssl)
 
-            self.assertNotEqual(vhs[0], self.vh_truth[3])
+            self.assertFalse(vhs[0] == self.vh_truth[3])
 
     @mock.patch("certbot_apache._internal.configurator.ApacheConfigurator.make_vhost_ssl")
     def test_choose_vhosts_wildcard_no_ssl(self, mock_makessl):
@@ -1464,10 +1471,10 @@ class MultipleVhostsTest(util.ApacheTest):
         self.config.parser.aug.match = mock_match
         vhs = self.config.get_virtual_hosts()
         self.assertEqual(len(vhs), 2)
-        self.assertEqual(vhs[0], self.vh_truth[1])
+        self.assertTrue(vhs[0] == self.vh_truth[1])
         # mock_vhost should have replaced the vh_truth[0], because its filepath
         # isn't a symlink
-        self.assertEqual(vhs[1], mock_vhost)
+        self.assertTrue(vhs[1] == mock_vhost)
 
 
 class AugeasVhostsTest(util.ApacheTest):

certbot-apache/tests/dualnode_test.py

@@ -412,9 +412,9 @@ class DualParserNodeTest(unittest.TestCase):  # pylint: disable=too-many-public-
                                                     ancestor=self.block,
                                                     filepath="/path/to/whatever",
                                                     metadata=self.metadata)
-        self.assertNotEqual(self.block, ne_block)
-        self.assertNotEqual(self.directive, ne_directive)
-        self.assertNotEqual(self.comment, ne_comment)
+        self.assertFalse(self.block == ne_block)
+        self.assertFalse(self.directive == ne_directive)
+        self.assertFalse(self.comment == ne_comment)
 
     def test_parsed_paths(self):
         mock_p = mock.MagicMock(return_value=['/path/file.conf',

certbot-apache/tests/obj_test.py

@@ -27,14 +27,14 @@ class VirtualHostTest(unittest.TestCase):
             "certbot_apache._internal.obj.Addr(('127.0.0.1', '443'))")
 
     def test_eq(self):
-        self.assertEqual(self.vhost1b, self.vhost1)
-        self.assertNotEqual(self.vhost1, self.vhost2)
+        self.assertTrue(self.vhost1b == self.vhost1)
+        self.assertFalse(self.vhost1 == self.vhost2)
         self.assertEqual(str(self.vhost1b), str(self.vhost1))
-        self.assertNotEqual(self.vhost1b, 1234)
+        self.assertFalse(self.vhost1b == 1234)
 
     def test_ne(self):
-        self.assertNotEqual(self.vhost1, self.vhost2)
-        self.assertEqual(self.vhost1, self.vhost1b)
+        self.assertTrue(self.vhost1 != self.vhost2)
+        self.assertFalse(self.vhost1 != self.vhost1b)
 
     def test_conflicts(self):
         from certbot_apache._internal.obj import Addr
@@ -128,13 +128,13 @@ class AddrTest(unittest.TestCase):
         self.assertTrue(self.addr1.conflicts(self.addr2))
 
     def test_equal(self):
-        self.assertEqual(self.addr1, self.addr2)
-        self.assertNotEqual(self.addr, self.addr1)
-        self.assertNotEqual(self.addr, 123)
+        self.assertTrue(self.addr1 == self.addr2)
+        self.assertFalse(self.addr == self.addr1)
+        self.assertFalse(self.addr == 123)
 
     def test_not_equal(self):
-        self.assertEqual(self.addr1, self.addr2)
-        self.assertNotEqual(self.addr, self.addr1)
+        self.assertFalse(self.addr1 != self.addr2)
+        self.assertTrue(self.addr != self.addr1)
 
 
 if __name__ == "__main__":

certbot-auto

@@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then
 fi
 VENV_BIN="$VENV_PATH/bin"
 BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt"
-LE_AUTO_VERSION="1.10.1"
+LE_AUTO_VERSION="1.9.0"
 BASENAME=$(basename $0)
 USAGE="Usage: $BASENAME [OPTIONS]
 A self-updating wrapper script for the Certbot ACME client. When run, updates
@@ -799,7 +799,11 @@ BootstrapMageiaCommon() {
 # that function. If Bootstrap is set to a function that doesn't install any
 # packages BOOTSTRAP_VERSION is not set.
 if [ -f /etc/debian_version ]; then
-  DEPRECATED_OS=1
+  Bootstrap() {
+    BootstrapMessage "Debian-based OSes"
+    BootstrapDebCommon
+  }
+  BOOTSTRAP_VERSION="BootstrapDebCommon $BOOTSTRAP_DEB_COMMON_VERSION"
 elif [ -f /etc/mageia-release ]; then
   # Mageia has both /etc/mageia-release and /etc/redhat-release
   DEPRECATED_OS=1
@@ -1493,18 +1497,18 @@ letsencrypt==0.7.0 \
     --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \
     --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9
 
-certbot==1.10.1 \
-    --hash=sha256:011ac980fa21b9f29e02c9b8d8b86e8a4bf4670b51b6ad91656e401e9d2d2231 \
-    --hash=sha256:0d9ee3fc09e0d03b2d1b1f1c4916e61ecfc6904b4216ddef4e6a5ca1424d9cb7
-acme==1.10.1 \
-    --hash=sha256:752d598e54e98ad1e874de53fd50c61044f1b566d6deb790db5676ce9c573546 \
-    --hash=sha256:fcbb559aedc96b404edf593e78517dcd7291984d5a37036c3fc77f3c5c122fd8
-certbot-apache==1.10.1 \
-    --hash=sha256:f077b4b7f166627ef5e0921fe7cde57700670fc86e9ad9dbdfaf2c573cc0f2fa \
-    --hash=sha256:97ed637b4c7b03820db6c69aa90145dc989933351d46a3d62baf6b71674f0a10
-certbot-nginx==1.10.1 \
-    --hash=sha256:7c36459021f8a1ec3b6c062e4c4fc866bfaa1dbf26ccd29e043dd6848003be08 \
-    --hash=sha256:c0bbeccf85f46b728fd95e6bb8c2649d32d3383d7f47ea4b9c312d12bf04d2f0
+certbot==1.9.0 \
+    --hash=sha256:d5a804d32e471050921f7b39ed9859e2e9de02824176ed78f57266222036b53a \
+    --hash=sha256:2ff9bf7d9af381c7efee22dec2dd6938d9d8fddcc9e11682b86e734164a30b57
+acme==1.9.0 \
+    --hash=sha256:d8061b396a22b21782c9b23ff9a945b23e50fca2573909a42f845e11d5658ac5 \
+    --hash=sha256:38a1630c98e144136c62eec4d2c545a1bdb1a3cd4eca82214be6b83a1f5a161f
+certbot-apache==1.9.0 \
+    --hash=sha256:09528a820d57e54984d490100644cd8a6603db97bf5776f86e95795ecfacf23d \
+    --hash=sha256:f47fb3f4a9bd927f4812121a0beefe56b163475a28f4db34c64dc838688d9e9e
+certbot-nginx==1.9.0 \
+    --hash=sha256:bb2e3f7fe17f071f350a3efa48571b8ef40a8e4b6db9c6da72539206a20b70be \
+    --hash=sha256:ab26a4f49d53b0e8bf0f903e58e2a840cda233fe1cbbc54c36ff17f973e57d65
 
 UNLIKELY_EOF
     # -------------------------------------------------------------------------

certbot-ci/certbot_integration_tests/assets/bind-config/conf/named.conf

@@ -1,60 +0,0 @@
-options {
-  directory "/var/cache/bind";
-
-  // Running inside Docker. Bind address on Docker host is 127.0.0.1.
-  listen-on { any; };
-  listen-on-v6 { any; };
-
-  // We are allowing BIND to service recursive queries, but only in an extremely limimited sense
-  // where it is entirely disconnected from public DNS:
-  // - Iterative queries are disabled. Only forwarding to a non-existent forwarder.
-  // - The only recursive answers we can get (that will not be a SERVFAIL) will come from the
-  //   RPZ "mock-recursion" zone. Effectively this means we are mocking out the entirety of
-  //   public DNS.
-  allow-recursion { any; };       // BIND will only answer using RPZ if recursion is enabled
-  forwarders { 192.0.2.254; };    // Nobody is listening, this is TEST-NET-1
-  forward only;                   // Do NOT perform iterative queries from the root zone
-  dnssec-validation no;           // Do not bother fetching the root DNSKEY set (performance)
-  response-policy {               // All recursive queries will be served from here.
-    zone "mock-recursion"
-    log yes;
-  } recursive-only no             // Allow RPZs to affect authoritative zones too.
-    qname-wait-recurse no         // No real recursion.
-    nsip-wait-recurse no;         // No real recursion.
-
-  allow-transfer { none; };
-  allow-update { none; };
-};
-
-key "default-key." {
-  algorithm hmac-sha512;
-  secret "91CgOwzihr0nAVEHKFXJPQCbuBBbBI19Ks5VAweUXgbF40NWTD83naeg3c5y2MPdEiFRXnRLJxL6M+AfHCGLNw==";
-};
-
-zone "mock-recursion" {
-  type primary;
-  file "/var/lib/bind/rpz.mock-recursion";
-  allow-query {
-    none;
-  };
-};
-
-zone "example.com." {
-  type primary;
-  file "/var/lib/bind/db.example.com";
-  journal "/var/cache/bind/db.example.com.jnl";
-
-  update-policy {
-    grant default-key zonesub TXT;
-  };
-};
-
-zone "sub.example.com." {
-  type primary;
-  file "/var/lib/bind/db.sub.example.com";
-  journal "/var/cache/bind/db.sub.example.com.jnl";
-
-  update-policy {
-    grant default-key zonesub TXT;
-  };
-};

certbot-ci/certbot_integration_tests/assets/bind-config/rfc2136-credentials-default.ini.tpl

@@ -1,10 +0,0 @@
-# Target DNS server
-dns_rfc2136_server = {server_address}
-# Target DNS port
-dns_rfc2136_port = {server_port}
-# TSIG key name
-dns_rfc2136_name = default-key.
-# TSIG key secret
-dns_rfc2136_secret = 91CgOwzihr0nAVEHKFXJPQCbuBBbBI19Ks5VAweUXgbF40NWTD83naeg3c5y2MPdEiFRXnRLJxL6M+AfHCGLNw==
-# TSIG key algorithm
-dns_rfc2136_algorithm = HMAC-SHA512

certbot-ci/certbot_integration_tests/assets/bind-config/zones/db.example.com

@@ -1,11 +0,0 @@
-$ORIGIN example.com.
-$TTL 3600
-example.com.  IN  SOA   ns1.example.com. admin.example.com. ( 2020091025 7200 3600 1209600 3600 )
-
-example.com.  IN  NS    ns1
-example.com.  IN  NS    ns2
-
-ns1           IN  A     192.0.2.2
-ns2           IN  A     192.0.2.3
-
-@         IN  A     192.0.2.1

certbot-ci/certbot_integration_tests/assets/bind-config/zones/db.sub.example.com

@@ -1,9 +0,0 @@
-$ORIGIN sub.example.com.
-$TTL 3600
-sub.example.com.  IN  SOA   ns1.example.com. admin.example.com. ( 2020091025 7200 3600 1209600 3600 )
-
-sub.example.com.  IN  NS    ns1
-sub.example.com.  IN  NS    ns2
-
-ns1           IN  A     192.0.2.2
-ns2           IN  A     192.0.2.3

certbot-ci/certbot_integration_tests/assets/bind-config/zones/rpz.mock-recursion

@@ -1,6 +0,0 @@
-$TTL 3600
-
-@        SOA ns1.example.test. dummy.example.test. 1 12h 15m 3w 2h
-         NS  ns1.example.test.
-
-_acme-challenge.aliased.example   IN     CNAME   _acme-challenge.example.com.

certbot-ci/certbot_integration_tests/assets/sample-config/archive/c.encryption-example.com/README

@@ -1,14 +0,0 @@
-This directory contains your keys and certificates.
-
-`privkey.pem`  : the private key for your certificate.
-`fullchain.pem`: the certificate file used in most server software.
-`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
-`cert.pem`     : will break many server configurations, and should not be used
-                 without reading further documentation (see link below).
-
-WARNING: DO NOT MOVE OR RENAME THESE FILES!
-         Certbot expects these files to remain in this location in order
-         to function properly!
-
-We recommend not moving these files. For more information, see the Certbot
-User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

certbot-ci/certbot_integration_tests/assets/sample-config/archive/c.encryption-example.com/cert.pem

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC2zCCAcOgAwIBAgIIBvrEnbPRYu8wDQYJKoZIhvcNAQELBQAwKDEmMCQGA1UE
-AxMdUGViYmxlIEludGVybWVkaWF0ZSBDQSAxMjZjNGIwHhcNMjAxMDEyMjEwNzQw
-WhcNMjUxMDEyMjEwNzQwWjAjMSEwHwYDVQQDExhjLmVuY3J5cHRpb24tZXhhbXBs
-ZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARjMhuW0ENPPC33PjB5XsYU
-CRw640kPQENIDatcTJaENZIZdqKd6rI6jc+lpbmXot7Zi52clJlSJS+V6oDAt2Lh
-o4HYMIHVMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
-BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUj7Kd3ENqxlPf8B2bIGhsjydX
-mPswHwYDVR0jBBgwFoAUEiGxlkRsi+VvcogH5dVD3h1laAcwMQYIKwYBBQUHAQEE
-JTAjMCEGCCsGAQUFBzABhhVodHRwOi8vMTI3LjAuMC4xOjQwMDIwIwYDVR0RBBww
-GoIYYy5lbmNyeXB0aW9uLWV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCl
-k0JXsa8y7fg41WWMDhw60bPW77O0FtOmTcnhdI5daYNemQVk+Q5EMaBLQ/oGjgXd
-9QXFzXH1PL904YEnSLt+iTpXn++7rQSNzQsdYqw0neWk4f5pEBiN+WORpb6mwobV
-ifMtBOkNEHvrJ2Pkci9U1lLwtKD/DSew6QtJU5DSkmH1XdGuMJiubygEIvELtvgq
-cP9S368ZvPmPGmKaJQXBiuaR8MTjY/Bkr79aXQMjKbf+mpn7h0POCcePk1DY/rm6
-Da+X16lf0hHyQhSUa7Vgyim6rK1/hlw+Z00i+sQCKD9Ih7kXuuGqfSDC33cfO8Tj
-o/MXO8lcxkrem5zU5QWP
------END CERTIFICATE-----

certbot-ci/certbot_integration_tests/assets/sample-config/archive/c.encryption-example.com/chain.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDUDCCAjigAwIBAgIIbi787yVrcMAwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
-AxMVUGViYmxlIFJvb3QgQ0EgMGM1MjI1MCAXDTIwMTAxMjIwMjI0NloYDzIwNTAx
-MDEyMjEyMjQ2WjAoMSYwJAYDVQQDEx1QZWJibGUgSW50ZXJtZWRpYXRlIENBIDEy
-NmM0YjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGeVk1BMJraeqRq
-mJ2+hgso8VOAv2s2CVxUJjIVcn7f2adE8NyTsSQ1brlsnKCUYUw7yLTQH0izLQRB
-qKVIDFkUqo5/FuTJ2QlfA2EwBL8J7s/7L7vj3L0DiVpwgxPSyFEwdl/Y5y7ofsX5
-CIhCFcaMAmTIuKLiSfCJjGwkbEMuolm+lO8Mikxxc/JtDVUC479ugU7PU9O09bMH
-nm+sD6Bgd+KMoPkCCCoeShJS9X3Ziq9HGc7Z6nhM/zirFARt2XkonEdAZ8br01zY
-MRiY9txhlWQ7mUkOtzOSoEuYJNoUbvMUf0+tNzto26WRyF7dJmh7lTBsYrvAwUTx
-PzNyst0CAwEAAaOBgzCBgDAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0lBBYwFAYIKwYB
-BQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBIhsZZE
-bIvlb3KIB+XVQ94dZWgHMB8GA1UdIwQYMBaAFOaKTaXg37vKgRt7d79YOjAoAtJT
-MA0GCSqGSIb3DQEBCwUAA4IBAQAU2mZii7PH2pkw2lNM0QqPbcW/UYyvFoUeM8Aq
-uCtsI2s+oxCJTqzfLsA0N8NY4nHLQ5wAlNJfJekngni8hbmJTKU4JFTMe7kLQO8P
-fJbk0pTzhhHVQw7CVwB6Pwq3u2m/JV+d6xDIDc+AVkuEl19ZJU0rTWyooClfFLZV
-EdZmEiUtA3PGlxoYwYhoGHYlhFxsoFONhCsBEdN7k7FKtFGVxN7oc5SKmKp0YZTW
-fcrEtrdNThATO4ymhCC2zh33NI/MT1O74fpaAc2k6LcTl57MKiLfTYX4LTL6v9JG
-9tlNqjFVRRmzEbtXTPcCb+w9g1VqoOGok7mGXYLTYtShCuvE
------END CERTIFICATE-----

certbot-ci/certbot_integration_tests/assets/sample-config/archive/c.encryption-example.com/fullchain.pem

@@ -1,38 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC2zCCAcOgAwIBAgIILlmGtZhUFEwwDQYJKoZIhvcNAQELBQAwKDEmMCQGA1UE
-AxMdUGViYmxlIEludGVybWVkaWF0ZSBDQSAxMjZjNGIwHhcNMjAxMDEyMjA1MDM0
-WhcNMjUxMDEyMjA1MDM0WjAjMSEwHwYDVQQDExhjLmVuY3J5cHRpb24tZXhhbXBs
-ZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARHEzR8JPWrEmpmgM+F2bk5
-9mT0u6CjzmJG0QpbaqprLiG5NGpW84VQ5TFCrmC4KxYfigCfMhfHRNfFYvNUK3V/
-o4HYMIHVMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
-BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU1CsVL+bPnzaxxQ5jUENmQJIO
-lKwwHwYDVR0jBBgwFoAUEiGxlkRsi+VvcogH5dVD3h1laAcwMQYIKwYBBQUHAQEE
-JTAjMCEGCCsGAQUFBzABhhVodHRwOi8vMTI3LjAuMC4xOjQwMDIwIwYDVR0RBBww
-GoIYYy5lbmNyeXB0aW9uLWV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBn
-2D8loC7pfk28JYpFLr5lmFKJWWmtLGlpsWDj61fVjtTfGKLziJz+MM6il4Y3hIz5
-58qiFK0ue0M63dIBJ33N+XxSEXon4Q0gy/zRWfH9jtPJ3FwfjkU/RT9PAUClYi0G
-ptNWnTmgQkNzousbcAtRNXuuShH3856vhUnwkX+xM+cbIDi1JVmFjcGrEEQJ0rUF
-mv2ZTyfbWbUs3v4rReETi2NVzr1Ql6J+ByNcMvHODzFy3t0L6yelAw2ca1I+c9HU
-+Z0tnp/ykR7eXNuVLivok8UBf5OC413lh8ZO5g+Bgzh/LdtkUuavg1MYtEX0H6mX
-9U7y3nVI8WEbPGf+HDeu
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDUDCCAjigAwIBAgIIbi787yVrcMAwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
-AxMVUGViYmxlIFJvb3QgQ0EgMGM1MjI1MCAXDTIwMTAxMjIwMjI0NloYDzIwNTAx
-MDEyMjEyMjQ2WjAoMSYwJAYDVQQDEx1QZWJibGUgSW50ZXJtZWRpYXRlIENBIDEy
-NmM0YjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGeVk1BMJraeqRq
-mJ2+hgso8VOAv2s2CVxUJjIVcn7f2adE8NyTsSQ1brlsnKCUYUw7yLTQH0izLQRB
-qKVIDFkUqo5/FuTJ2QlfA2EwBL8J7s/7L7vj3L0DiVpwgxPSyFEwdl/Y5y7ofsX5
-CIhCFcaMAmTIuKLiSfCJjGwkbEMuolm+lO8Mikxxc/JtDVUC479ugU7PU9O09bMH
-nm+sD6Bgd+KMoPkCCCoeShJS9X3Ziq9HGc7Z6nhM/zirFARt2XkonEdAZ8br01zY
-MRiY9txhlWQ7mUkOtzOSoEuYJNoUbvMUf0+tNzto26WRyF7dJmh7lTBsYrvAwUTx
-PzNyst0CAwEAAaOBgzCBgDAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0lBBYwFAYIKwYB
-BQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBIhsZZE
-bIvlb3KIB+XVQ94dZWgHMB8GA1UdIwQYMBaAFOaKTaXg37vKgRt7d79YOjAoAtJT
-MA0GCSqGSIb3DQEBCwUAA4IBAQAU2mZii7PH2pkw2lNM0QqPbcW/UYyvFoUeM8Aq
-uCtsI2s+oxCJTqzfLsA0N8NY4nHLQ5wAlNJfJekngni8hbmJTKU4JFTMe7kLQO8P
-fJbk0pTzhhHVQw7CVwB6Pwq3u2m/JV+d6xDIDc+AVkuEl19ZJU0rTWyooClfFLZV
-EdZmEiUtA3PGlxoYwYhoGHYlhFxsoFONhCsBEdN7k7FKtFGVxN7oc5SKmKp0YZTW
-fcrEtrdNThATO4ymhCC2zh33NI/MT1O74fpaAc2k6LcTl57MKiLfTYX4LTL6v9JG
-9tlNqjFVRRmzEbtXTPcCb+w9g1VqoOGok7mGXYLTYtShCuvE
------END CERTIFICATE-----

certbot-ci/certbot_integration_tests/assets/sample-config/archive/c.encryption-example.com/privkey.pem

@@ -1,5 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgNgefv2dad4U1VYEi
-0WkdHuqywi5QXAe30OwNTTGjhbihRANCAARHEzR8JPWrEmpmgM+F2bk59mT0u6Cj
-zmJG0QpbaqprLiG5NGpW84VQ5TFCrmC4KxYfigCfMhfHRNfFYvNUK3V/
------END PRIVATE KEY-----

certbot-ci/certbot_integration_tests/assets/sample-config/live/c.encryption-example.com/README

@@ -1,14 +0,0 @@
-This directory contains your keys and certificates.
-
-`privkey.pem`  : the private key for your certificate.
-`fullchain.pem`: the certificate file used in most server software.
-`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
-`cert.pem`     : will break many server configurations, and should not be used
-                 without reading further documentation (see link below).
-
-WARNING: DO NOT MOVE OR RENAME THESE FILES!
-         Certbot expects these files to remain in this location in order
-         to function properly!
-
-We recommend not moving these files. For more information, see the Certbot
-User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

certbot-ci/certbot_integration_tests/assets/sample-config/live/c.encryption-example.com/cert.pem

@@ -1 +0,0 @@
-../../archive/c.encryption-example.com/cert.pem

certbot-ci/certbot_integration_tests/assets/sample-config/live/c.encryption-example.com/chain.pem

@@ -1 +0,0 @@
-../../archive/c.encryption-example.com/chain.pem

certbot-ci/certbot_integration_tests/assets/sample-config/live/c.encryption-example.com/fullchain.pem

@@ -1 +0,0 @@
-../../archive/c.encryption-example.com/fullchain.pem

certbot-ci/certbot_integration_tests/assets/sample-config/live/c.encryption-example.com/privkey.pem

@@ -1 +0,0 @@
-../../archive/c.encryption-example.com/privkey.pem

certbot-ci/certbot_integration_tests/assets/sample-config/renewal/c.encryption-example.com.conf

@@ -1,17 +0,0 @@
-# renew_before_expiry = 30 days
-version = 1.10.0.dev0
-archive_dir = sample-config/archive/c.encryption-example.com
-cert = sample-config/live/c.encryption-example.com/cert.pem
-privkey = sample-config/live/c.encryption-example.com/privkey.pem
-chain = sample-config/live/c.encryption-example.com/chain.pem
-fullchain = sample-config/live/c.encryption-example.com/fullchain.pem
-
-# Options used in the renewal process
-[renewalparams]
-authenticator = apache
-installer = apache
-account = 48d6b9e8d767eccf7e4d877d6ffa81e3
-key_type = ecdsa
-config_dir = sample-config-ec
-elliptic_curve = secp256r1
-manual_public_ip_logging_ok = True

certbot-ci/certbot_integration_tests/certbot_tests/__init__.py

@@ -1,4 +1,3 @@
-# pylint: disable=missing-module-docstring
 import pytest
 
 # Custom assertions defined in the following package need to be registered to be properly

certbot-ci/certbot_integration_tests/certbot_tests/assertions.py

@@ -2,11 +2,6 @@
 import io
 import os
 
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
-from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
-from cryptography.hazmat.primitives.serialization import load_pem_private_key
-
 try:
     import grp
     POSIX_MODE = True
@@ -21,33 +16,6 @@ SYSTEM_SID = 'S-1-5-18'
 ADMINS_SID = 'S-1-5-32-544'
 
 
-def assert_elliptic_key(key, curve):
-    """
-    Asserts that the key at the given path is an EC key using the given curve.
-    :param key: path to key
-    :param curve: name of the expected elliptic curve
-    """
-    with open(key, 'rb') as file:
-        privkey1 = file.read()
-
-    key = load_pem_private_key(data=privkey1, password=None, backend=default_backend())
-
-    assert isinstance(key, EllipticCurvePrivateKey)
-    assert isinstance(key.curve, curve)
-
-
-def assert_rsa_key(key):
-    """
-    Asserts that the key at the given path is an RSA key.
-    :param key: path to key
-    """
-    with open(key, 'rb') as file:
-        privkey1 = file.read()
-
-    key = load_pem_private_key(data=privkey1, password=None, backend=default_backend())
-    assert isinstance(key, RSAPrivateKey)
-
-
 def assert_hook_execution(probe_path, probe_content):
     """
     Assert that a certbot hook has been executed

certbot-ci/certbot_integration_tests/certbot_tests/context.py

@@ -77,6 +77,6 @@ class IntegrationTestsContext(object):
         appending the pytest worker id to the subdomain, using this pattern:
         {subdomain}.{worker_id}.wtf
         :param subdomain: the subdomain to use in the generated domain (default 'le')
-        :return: the well-formed domain suitable for redirection on
+        :return: the well-formed domain suitable for redirection on 
         """
         return '{0}.{1}.wtf'.format(subdomain, self.worker_id)

certbot-ci/certbot_integration_tests/certbot_tests/test_main.py

@@ -9,15 +9,12 @@ import shutil
 import subprocess
 import time
 
-from cryptography.hazmat.primitives.asymmetric.ec import SECP256R1, SECP384R1
 from cryptography.x509 import NameOID
 
 import pytest
 
 from certbot_integration_tests.certbot_tests import context as certbot_context
 from certbot_integration_tests.certbot_tests.assertions import assert_cert_count_for_lineage
-from certbot_integration_tests.certbot_tests.assertions import assert_elliptic_key
-from certbot_integration_tests.certbot_tests.assertions import assert_rsa_key
 from certbot_integration_tests.certbot_tests.assertions import assert_equals_group_owner
 from certbot_integration_tests.certbot_tests.assertions import assert_equals_group_permissions
 from certbot_integration_tests.certbot_tests.assertions import assert_equals_world_read_permissions
@@ -29,9 +26,8 @@ from certbot_integration_tests.certbot_tests.assertions import EVERYBODY_SID
 from certbot_integration_tests.utils import misc
 
 
-@pytest.fixture(name='context')
-def test_context(request):
-    # pylint: disable=missing-function-docstring
+@pytest.fixture()
+def context(request):
     # Fixture request is a built-in pytest fixture describing current test request.
     integration_test_context = certbot_context.IntegrationTestsContext(request)
     try:
@@ -223,16 +219,14 @@ def test_renew_files_propagate_permissions(context):
     if os.name != 'nt':
         os.chmod(privkey1, 0o444)
     else:
-        import win32security  # pylint: disable=import-error
-        import ntsecuritycon  # pylint: disable=import-error
+        import win32security
+        import ntsecuritycon
         # Get the current DACL of the private key
         security = win32security.GetFileSecurity(privkey1, win32security.DACL_SECURITY_INFORMATION)
         dacl = security.GetSecurityDescriptorDacl()
         # Create a read permission for Everybody group
         everybody = win32security.ConvertStringSidToSid(EVERYBODY_SID)
-        dacl.AddAccessAllowedAce(
-            win32security.ACL_REVISION, ntsecuritycon.FILE_GENERIC_READ, everybody
-        )
+        dacl.AddAccessAllowedAce(win32security.ACL_REVISION, ntsecuritycon.FILE_GENERIC_READ, everybody)
         # Apply the updated DACL to the private key
         security.SetSecurityDescriptorDacl(1, dacl, 0)
         win32security.SetFileSecurity(privkey1, win32security.DACL_SECURITY_INFORMATION, security)
@@ -241,14 +235,12 @@ def test_renew_files_propagate_permissions(context):
 
     assert_cert_count_for_lineage(context.config_dir, certname, 2)
     if os.name != 'nt':
-        # On Linux, read world permissions + all group permissions
-        # will be copied from the previous private key
+        # On Linux, read world permissions + all group permissions will be copied from the previous private key
         assert_world_read_permissions(privkey2)
         assert_equals_world_read_permissions(privkey1, privkey2)
         assert_equals_group_permissions(privkey1, privkey2)
     else:
-        # On Windows, world will never have any permissions, and
-        # group permission is irrelevant for this platform
+        # On Windows, world will never have any permissions, and group permission is irrelevant for this platform
         assert_world_no_permissions(privkey2)
 
 
@@ -297,7 +289,7 @@ def test_renew_with_changed_private_key_complexity(context):
     assert_cert_count_for_lineage(context.config_dir, certname, 1)
 
     context.certbot(['renew'])
-
+    
     assert_cert_count_for_lineage(context.config_dir, certname, 2)
     key2 = join(context.config_dir, 'archive', certname, 'privkey2.pem')
     assert os.stat(key2).st_size > 3000
@@ -429,93 +421,20 @@ def test_reuse_key(context):
     assert len({cert1, cert2, cert3}) == 3
 
 
-def test_incorrect_key_type(context):
-    with pytest.raises(subprocess.CalledProcessError):
-        context.certbot(['--key-type="failwhale"'])
-
-
 def test_ecdsa(context):
-    """Test issuance for ECDSA CSR based request (legacy supported mode)."""
+    """Test certificate issuance with ECDSA key."""
     key_path = join(context.workspace, 'privkey-p384.pem')
     csr_path = join(context.workspace, 'csr-p384.der')
     cert_path = join(context.workspace, 'cert-p384.pem')
     chain_path = join(context.workspace, 'chain-p384.pem')
 
-    misc.generate_csr(
-        [context.get_domain('ecdsa')],
-        key_path, csr_path,
-        key_type=misc.ECDSA_KEY_TYPE
-    )
-    context.certbot([
-        'auth', '--csr', csr_path, '--cert-path', cert_path,
-        '--chain-path', chain_path,
-    ])
+    misc.generate_csr([context.get_domain('ecdsa')], key_path, csr_path, key_type=misc.ECDSA_KEY_TYPE)
+    context.certbot(['auth', '--csr', csr_path, '--cert-path', cert_path, '--chain-path', chain_path])
 
     certificate = misc.read_certificate(cert_path)
     assert 'ASN1 OID: secp384r1' in certificate
 
 
-def test_default_key_type(context):
-    """Test default key type is RSA"""
-    certname = context.get_domain('renew')
-    context.certbot([
-        'certonly',
-        '--cert-name', certname, '-d', certname
-    ])
-    filename = join(context.config_dir, 'archive/{0}/privkey1.pem').format(certname)
-    assert_rsa_key(filename)
-
-
-def test_default_curve_type(context):
-    """test that the curve used when not specifying any is secp256r1"""
-    certname = context.get_domain('renew')
-    context.certbot([
-        '--key-type', 'ecdsa', '--cert-name', certname, '-d', certname
-    ])
-    key1 = join(context.config_dir, 'archive/{0}/privkey1.pem'.format(certname))
-    assert_elliptic_key(key1, SECP256R1)
-
-
-def test_renew_with_ec_keys(context):
-    """Test proper renew with updated private key complexity."""
-    certname = context.get_domain('renew')
-    context.certbot([
-        'certonly',
-        '--cert-name', certname,
-        '--key-type', 'ecdsa', '--elliptic-curve', 'secp256r1',
-        '--force-renewal', '-d', certname,
-    ])
-
-    key1 = join(context.config_dir, "archive", certname, 'privkey1.pem')
-    assert 200 < os.stat(key1).st_size < 250  # ec keys of 256 bits are ~225 bytes
-    assert_elliptic_key(key1, SECP256R1)
-    assert_cert_count_for_lineage(context.config_dir, certname, 1)
-
-    context.certbot(['renew', '--elliptic-curve', 'secp384r1'])
-
-    assert_cert_count_for_lineage(context.config_dir, certname, 2)
-    key2 = join(context.config_dir, 'archive', certname, 'privkey2.pem')
-    assert_elliptic_key(key2, SECP384R1)
-    assert 280 < os.stat(key2).st_size < 320  # ec keys of 384 bits are ~310 bytes
-
-    # We expect here that the command will fail because without --key-type specified,
-    # Certbot must error out to prevent changing an existing certificate key type,
-    # without explicit user consent (by specifying both --cert-name and --key-type).
-    with pytest.raises(subprocess.CalledProcessError):
-        context.certbot([
-            'certonly',
-            '--force-renewal',
-            '-d', certname
-        ])
-
-    # We expect that the previous behavior of requiring both --cert-name and
-    # --key-type to be set to not apply to the renew subcommand.
-    context.certbot(['renew', '--force-renewal', '--key-type', 'rsa'])
-    assert_cert_count_for_lineage(context.config_dir, certname, 3)
-    key3 = join(context.config_dir, 'archive', certname, 'privkey3.pem')
-    assert_rsa_key(key3)
-
-
 def test_ocsp_must_staple(context):
     """Test that OCSP Must-Staple is correctly set in the generated certificate."""
     if context.acme_server == 'pebble':
@@ -614,22 +533,18 @@ def test_revoke_multiple_lineages(context):
     with open(join(context.config_dir, 'renewal', '{0}.conf'.format(cert2)), 'r') as file:
         data = file.read()
 
-    data = re.sub(
-        'archive_dir = .*\n',
-        'archive_dir = {0}\n'.format(
-            join(context.config_dir, 'archive', cert1).replace('\\', '\\\\')
-        ), data
-    )
+    data = re.sub('archive_dir = .*\n',
+                  'archive_dir = {0}\n'.format(join(context.config_dir, 'archive', cert1).replace('\\', '\\\\')),
+                  data)
 
     with open(join(context.config_dir, 'renewal', '{0}.conf'.format(cert2)), 'w') as file:
         file.write(data)
 
-    context.certbot([
+    output = context.certbot([
         'revoke', '--cert-path', join(context.config_dir, 'live', cert1, 'cert.pem')
     ])
 
-    with open(join(context.workspace, 'logs', 'letsencrypt.log'), 'r') as f:
-        assert 'Not deleting revoked certificates due to overlapping archive dirs' in f.read()
+    assert 'Not deleting revoked certs due to overlapping archive dirs' in output
 
 
 def test_wildcard_certificates(context):
@@ -742,4 +657,4 @@ def test_preferred_chain(context):
 
         with open(conf_path, 'r') as f:
             assert 'preferred_chain = {}'.format(requested) in f.read(), \
-                   'Expected preferred_chain to be set in renewal config'
+                   'Expected preferred_chain to be set in renewal config'

certbot-ci/certbot_integration_tests/conftest.py

@@ -12,7 +12,6 @@ import subprocess
 import sys
 
 from certbot_integration_tests.utils import acme_server as acme_lib
-from certbot_integration_tests.utils import dns_server as dns_lib
 
 
 def pytest_addoption(parser):
@@ -24,10 +23,6 @@ def pytest_addoption(parser):
                      choices=['boulder-v1', 'boulder-v2', 'pebble'],
                      help='select the ACME server to use (boulder-v1, boulder-v2, '
                           'pebble), defaulting to pebble')
-    parser.addoption('--dns-server', default='challtestsrv',
-                     choices=['bind', 'challtestsrv'],
-                     help='select the DNS server to use (bind, challtestsrv), '
-                          'defaulting to challtestsrv')
 
 
 def pytest_configure(config):
@@ -37,7 +32,7 @@ def pytest_configure(config):
     """
     if not hasattr(config, 'slaveinput'):  # If true, this is the primary node
         with _print_on_err():
-            _setup_primary_node(config)
+            config.acme_xdist = _setup_primary_node(config)
 
 
 def pytest_configure_node(node):
@@ -46,7 +41,6 @@ def pytest_configure_node(node):
     :param node: current worker node
     """
     node.slaveinput['acme_xdist'] = node.config.acme_xdist
-    node.slaveinput['dns_xdist'] = node.config.dns_xdist
 
 
 @contextlib.contextmanager
@@ -67,18 +61,12 @@ def _print_on_err():
 def _setup_primary_node(config):
     """
     Setup the environment for integration tests.
-
-    This function will:
+    Will:
         - check runtime compatibility (Docker, docker-compose, Nginx)
         - create a temporary workspace and the persistent GIT repositories space
-        - configure and start a DNS server using Docker, if configured
         - configure and start paralleled ACME CA servers using Docker
-        - transfer ACME CA and DNS servers configurations to pytest nodes using env variables
-
-    This function modifies `config` by injecting the ACME CA and DNS server configurations,
-    in addition to cleanup functions for those servers.
-
-    :param config: Configuration of the pytest primary node. Is modified by this function.
+        - transfer ACME CA servers configurations to pytest nodes using env variables
+    :param config: Configuration of the pytest primary node
     """
     # Check for runtime compatibility: some tools are required to be available in PATH
     if 'boulder' in config.option.acme_server:
@@ -91,35 +79,18 @@ def _setup_primary_node(config):
         try:
             subprocess.check_output(['docker-compose', '-v'], stderr=subprocess.STDOUT)
         except (subprocess.CalledProcessError, OSError):
-            raise ValueError(
-                'Error: docker-compose is required in PATH to launch the integration tests, '
-                'but is not installed or not available for current user.'
-            )
+            raise ValueError('Error: docker-compose is required in PATH to launch the integration tests, '
+                             'but is not installed or not available for current user.')
 
     # Parameter numprocesses is added to option by pytest-xdist
     workers = ['primary'] if not config.option.numprocesses\
         else ['gw{0}'.format(i) for i in range(config.option.numprocesses)]
 
-    # If a non-default DNS server is configured, start it and feed it to the ACME server
-    dns_server = None
-    acme_dns_server = None
-    if config.option.dns_server == 'bind':
-        dns_server = dns_lib.DNSServer(workers)
-        config.add_cleanup(dns_server.stop)
-        print('DNS xdist config:\n{0}'.format(dns_server.dns_xdist))
-        dns_server.start()
-        acme_dns_server = '{}:{}'.format(
-            dns_server.dns_xdist['address'],
-            dns_server.dns_xdist['port']
-        )
-
     # By calling setup_acme_server we ensure that all necessary acme server instances will be
     # fully started. This runtime is reflected by the acme_xdist returned.
-    acme_server = acme_lib.ACMEServer(config.option.acme_server, workers,
-                                      dns_server=acme_dns_server)
+    acme_server = acme_lib.ACMEServer(config.option.acme_server, workers)
     config.add_cleanup(acme_server.stop)
     print('ACME xdist config:\n{0}'.format(acme_server.acme_xdist))
     acme_server.start()
 
-    config.acme_xdist = acme_server.acme_xdist
-    config.dns_xdist = dns_server.dns_xdist if dns_server else None
+    return acme_server.acme_xdist

certbot-ci/certbot_integration_tests/nginx_tests/context.py

@@ -1,4 +1,3 @@
-"""Module to handle the context of nginx integration tests."""
 import os
 import subprocess
 

certbot-ci/certbot_integration_tests/nginx_tests/nginx_config.py

@@ -1,4 +1,3 @@
-# -*- coding: utf-8 -*-
 """General purpose nginx test configuration generator."""
 import getpass
 
@@ -43,8 +42,6 @@ events {{
   worker_connections 1024;
 }}
 
-# “This comment contains valid Unicode”.
-
 http {{
   # Set an array of temp, cache and log file options that will otherwise default to
   # restricted locations accessible only to root.
@@ -54,61 +51,61 @@ http {{
   #scgi_temp_path {nginx_root}/scgi_temp;
   #uwsgi_temp_path {nginx_root}/uwsgi_temp;
   access_log {nginx_root}/error.log;
-
+  
   # This should be turned off in a Virtualbox VM, as it can cause some
   # interesting issues with data corruption in delivered files.
   sendfile off;
-
+  
   tcp_nopush on;
   tcp_nodelay on;
   keepalive_timeout 65;
   types_hash_max_size 2048;
-
+  
   #include /etc/nginx/mime.types;
   index index.html index.htm index.php;
-
+  
   log_format   main '$remote_addr - $remote_user [$time_local] $status '
     '"$request" $body_bytes_sent "$http_referer" '
     '"$http_user_agent" "$http_x_forwarded_for"';
-
+    
   default_type application/octet-stream;
-
+  
   server {{
     # IPv4.
     listen {http_port} {default_server};
     # IPv6.
     listen [::]:{http_port} {default_server};
     server_name nginx.{wtf_prefix}.wtf nginx2.{wtf_prefix}.wtf;
-
+    
     root {nginx_webroot};
-
+    
     location / {{
       # First attempt to serve request as file, then as directory, then fall
       # back to index.html.
       try_files $uri $uri/ /index.html;
     }}
   }}
-
+  
   server {{
     listen {http_port};
     listen [::]:{http_port};
     server_name nginx3.{wtf_prefix}.wtf;
-
+    
     root {nginx_webroot};
-
+    
     location /.well-known/ {{
       return 404;
     }}
-
+    
     return 301 https://$host$request_uri;
   }}
-
+  
   server {{
     listen {other_port};
     listen [::]:{other_port};
     server_name nginx4.{wtf_prefix}.wtf nginx5.{wtf_prefix}.wtf;
   }}
-
+  
   server {{
     listen {http_port};
     listen [::]:{http_port};

certbot-ci/certbot_integration_tests/nginx_tests/test_main.py

@@ -2,14 +2,13 @@
 import os
 import ssl
 
-from typing import List
 import pytest
 
 from certbot_integration_tests.nginx_tests import context as nginx_context
 
 
-@pytest.fixture(name='context')
-def test_context(request):
+@pytest.fixture()
+def context(request):
     # Fixture request is a built-in pytest fixture describing current test request.
     integration_test_context = nginx_context.IntegrationTestsContext(request)
     try:
@@ -28,12 +27,10 @@ def test_context(request):
     # No matching server block; default_server does not exist
     ('nginx5.{0}.wtf', ['--preferred-challenges', 'http'], {'default_server': False}),
     # Multiple domains, mix of matching and not
-    ('nginx6.{0}.wtf,nginx7.{0}.wtf', [
-        '--preferred-challenges', 'http'
-    ], {'default_server': False}),
+    ('nginx6.{0}.wtf,nginx7.{0}.wtf', ['--preferred-challenges', 'http'], {'default_server': False}),
 ], indirect=['context'])
 def test_certificate_deployment(certname_pattern, params, context):
-    # type: (str, List[str], nginx_context.IntegrationTestsContext) -> None
+    # type: (str, list, nginx_context.IntegrationTestsContext) -> None
     """
     Test various scenarios to deploy a certificate to nginx using certbot.
     """
@@ -44,9 +41,7 @@ def test_certificate_deployment(certname_pattern, params, context):
 
     lineage = domains.split(',')[0]
     server_cert = ssl.get_server_certificate(('localhost', context.tls_alpn_01_port))
-    with open(os.path.join(
-        context.workspace, 'conf/live/{0}/cert.pem'.format(lineage)), 'r'
-    ) as file:
+    with open(os.path.join(context.workspace, 'conf/live/{0}/cert.pem'.format(lineage)), 'r') as file:
         certbot_cert = file.read()
 
     assert server_cert == certbot_cert

certbot-ci/certbot_integration_tests/rfc2136_tests/context.py

@@ -1,66 +0,0 @@
-"""Module to handle the context of RFC2136 integration tests."""
-
-import tempfile
-from contextlib import contextmanager
-
-from pkg_resources import resource_filename
-from pytest import skip
-
-from certbot_integration_tests.certbot_tests import context as certbot_context
-from certbot_integration_tests.utils import certbot_call
-
-
-class IntegrationTestsContext(certbot_context.IntegrationTestsContext):
-    """Integration test context for certbot-dns-rfc2136"""
-    def __init__(self, request):
-        super(IntegrationTestsContext, self).__init__(request)
-
-        self.request = request
-
-        self._dns_xdist = None
-        if hasattr(request.config, 'slaveinput'):  # Worker node
-            self._dns_xdist = request.config.slaveinput['dns_xdist']
-        else:  # Primary node
-            self._dns_xdist = request.config.dns_xdist
-
-    def certbot_test_rfc2136(self, args):
-        """
-        Main command to execute certbot using the RFC2136 DNS authenticator.
-        :param list args: list of arguments to pass to Certbot
-        """
-        command = ['--authenticator', 'dns-rfc2136', '--dns-rfc2136-propagation-seconds', '2']
-        command.extend(args)
-        return certbot_call.certbot_test(
-            command, self.directory_url, self.http_01_port, self.tls_alpn_01_port,
-            self.config_dir, self.workspace, force_renew=True)
-
-    @contextmanager
-    def rfc2136_credentials(self, label='default'):
-        """
-        Produces the contents of a certbot-dns-rfc2136 credentials file.
-        :param str label: which RFC2136 credential to use
-        :yields: Path to credentials file
-        :rtype: str
-        """
-        src_file = resource_filename('certbot_integration_tests',
-                                     'assets/bind-config/rfc2136-credentials-{}.ini.tpl'
-                                     .format(label))
-        contents = None
-
-        with open(src_file, 'r') as f:
-            contents = f.read().format(
-                server_address=self._dns_xdist['address'],
-                server_port=self._dns_xdist['port']
-            )
-
-        with tempfile.NamedTemporaryFile('w+', prefix='rfc2136-creds-{}'.format(label),
-                                         suffix='.ini', dir=self.workspace) as fp:
-            fp.write(contents)
-            fp.flush()
-            yield fp.name
-
-    def skip_if_no_bind9_server(self):
-        """Skips the test if there was no RFC2136-capable DNS server configured
-        in the test environment"""
-        if not self._dns_xdist:
-            skip('No RFC2136-capable DNS server is configured')

certbot-ci/certbot_integration_tests/rfc2136_tests/test_main.py

@@ -1,26 +0,0 @@
-"""Module executing integration tests against Certbot with the RFC2136 DNS authenticator."""
-import pytest
-
-from certbot_integration_tests.rfc2136_tests import context as rfc2136_context
-
-
-@pytest.fixture(name="context")
-def pytest_context(request):
-    # pylint: disable=missing-function-docstring
-    # Fixture request is a built-in pytest fixture describing current test request.
-    integration_test_context = rfc2136_context.IntegrationTestsContext(request)
-    try:
-        yield integration_test_context
-    finally:
-        integration_test_context.cleanup()
-
-
-@pytest.mark.parametrize('domain', [('example.com'), ('sub.example.com')])
-def test_get_certificate(domain, context):
-    context.skip_if_no_bind9_server()
-
-    with context.rfc2136_credentials() as creds:
-        context.certbot_test_rfc2136([
-            'certonly', '--dns-rfc2136-credentials', creds,
-            '-d', domain, '-d', '*.{}'.format(domain)
-        ])

certbot-ci/certbot_integration_tests/utils/acme_server.py

@@ -2,7 +2,6 @@
 """Module to setup an ACME CA server environment able to run multiple tests in parallel"""
 from __future__ import print_function
 
-import argparse
 import errno
 import json
 import os
@@ -13,13 +12,11 @@ import sys
 import tempfile
 import time
 
-from typing import List
 import requests
 
 from certbot_integration_tests.utils import misc
 from certbot_integration_tests.utils import pebble_artifacts
 from certbot_integration_tests.utils import proxy
-# pylint: disable=wildcard-import,unused-wildcard-import
 from certbot_integration_tests.utils.constants import *
 
 
@@ -32,34 +29,24 @@ class ACMEServer(object):
     ACMEServer gives access the acme_xdist parameter, listing the ports and directory url to use
     for each pytest node. It exposes also start and stop methods in order to start the stack, and
     stop it with proper resources cleanup.
-    ACMEServer is also a context manager, and so can be used to ensure ACME server is
-    started/stopped upon context enter/exit.
+    ACMEServer is also a context manager, and so can be used to ensure ACME server is started/stopped
+    upon context enter/exit.
     """
-    def __init__(self, acme_server, nodes, http_proxy=True, stdout=False,
-                 dns_server=None, http_01_port=DEFAULT_HTTP_01_PORT):
+    def __init__(self, acme_server, nodes, http_proxy=True, stdout=False):
         """
         Create an ACMEServer instance.
         :param str acme_server: the type of acme server used (boulder-v1, boulder-v2 or pebble)
         :param list nodes: list of node names that will be setup by pytest xdist
         :param bool http_proxy: if False do not start the HTTP proxy
         :param bool stdout: if True stream all subprocesses stdout to standard stdout
-        :param str dns_server: if set, Pebble/Boulder will use it to resolve domains
-        :param int http_01_port: port to use for http-01 validation; currently
-            only supported for pebble without an HTTP proxy
         """
         self._construct_acme_xdist(acme_server, nodes)
 
         self._acme_type = 'pebble' if acme_server == 'pebble' else 'boulder'
         self._proxy = http_proxy
         self._workspace = tempfile.mkdtemp()
-        self._processes = []  # type: List[subprocess.Popen]
+        self._processes = []
         self._stdout = sys.stdout if stdout else open(os.devnull, 'w')
-        self._dns_server = dns_server
-        self._http_01_port = http_01_port
-        if http_01_port != DEFAULT_HTTP_01_PORT:
-            if self._acme_type != 'pebble' or self._proxy:
-                raise ValueError('setting http_01_port is not currently supported '
-                                  'with boulder or the HTTP proxy')
 
     def start(self):
         """Start the test stack"""
@@ -116,34 +103,26 @@ class ACMEServer(object):
         """Generate and return the acme_xdist dict"""
         acme_xdist = {'acme_server': acme_server, 'challtestsrv_port': CHALLTESTSRV_PORT}
 
-        # Directory and ACME port are set implicitly in the docker-compose.yml
-        # files of Boulder/Pebble.
+        # Directory and ACME port are set implicitly in the docker-compose.yml files of Boulder/Pebble.
         if acme_server == 'pebble':
             acme_xdist['directory_url'] = PEBBLE_DIRECTORY_URL
         else:  # boulder
             acme_xdist['directory_url'] = BOULDER_V2_DIRECTORY_URL \
                 if acme_server == 'boulder-v2' else BOULDER_V1_DIRECTORY_URL
 
-        acme_xdist['http_port'] = {
-            node: port for (node, port) in  # pylint: disable=unnecessary-comprehension
-            zip(nodes, range(5200, 5200 + len(nodes)))
-        }
-        acme_xdist['https_port'] = {
-            node: port for (node, port) in  # pylint: disable=unnecessary-comprehension
-            zip(nodes, range(5100, 5100 + len(nodes)))
-        }
-        acme_xdist['other_port'] = {
-            node: port for (node, port) in  # pylint: disable=unnecessary-comprehension
-            zip(nodes, range(5300, 5300 + len(nodes)))
-        }
+        acme_xdist['http_port'] = {node: port for (node, port)
+                                   in zip(nodes, range(5200, 5200 + len(nodes)))}
+        acme_xdist['https_port'] = {node: port for (node, port)
+                                    in zip(nodes, range(5100, 5100 + len(nodes)))}
+        acme_xdist['other_port'] = {node: port for (node, port)
+                                    in zip(nodes, range(5300, 5300 + len(nodes)))}
 
         self.acme_xdist = acme_xdist
 
     def _prepare_pebble_server(self):
         """Configure and launch the Pebble server"""
         print('=> Starting pebble instance deployment...')
-        pebble_artifacts_rv = pebble_artifacts.fetch(self._workspace, self._http_01_port)
-        pebble_path, challtestsrv_path, pebble_config_path = pebble_artifacts_rv
+        pebble_path, challtestsrv_path, pebble_config_path = pebble_artifacts.fetch(self._workspace)
 
         # Configure Pebble at full speed (PEBBLE_VA_NOSLEEP=1) and not randomly refusing valid
         # nonce (PEBBLE_WFE_NONCEREJECT=0) to have a stable test environment.
@@ -153,23 +132,18 @@ class ACMEServer(object):
         environ['PEBBLE_AUTHZREUSE'] = '100'
         environ['PEBBLE_ALTERNATE_ROOTS'] = str(PEBBLE_ALTERNATE_ROOTS)
 
-        if self._dns_server:
-            dns_server = self._dns_server
-        else:
-            dns_server = '127.0.0.1:8053'
-            self._launch_process(
-                [challtestsrv_path, '-management', ':{0}'.format(CHALLTESTSRV_PORT),
-                 '-defaultIPv6', '""', '-defaultIPv4', '127.0.0.1', '-http01', '""',
-                 '-tlsalpn01', '""', '-https01', '""'])
-
         self._launch_process(
-            [pebble_path, '-config', pebble_config_path, '-dnsserver', dns_server, '-strict'],
+            [pebble_path, '-config', pebble_config_path, '-dnsserver', '127.0.0.1:8053', '-strict'],
             env=environ)
 
-        # pebble_ocsp_server is imported here and not at the top of module in order to avoid a
-        # useless ImportError, in the case where cryptography dependency is too old to support
-        # ocsp, but Boulder is used instead of Pebble, so pebble_ocsp_server is not used. This is
-        # the typical situation of integration-certbot-oldest tox testenv.
+        self._launch_process(
+            [challtestsrv_path, '-management', ':{0}'.format(CHALLTESTSRV_PORT), '-defaultIPv6', '""',
+             '-defaultIPv4', '127.0.0.1', '-http01', '""', '-tlsalpn01', '""', '-https01', '""'])
+
+        # pebble_ocsp_server is imported here and not at the top of module in order to avoid a useless
+        # ImportError, in the case where cryptography dependency is too old to support ocsp, but
+        # Boulder is used instead of Pebble, so pebble_ocsp_server is not used. This is the typical
+        # situation of integration-certbot-oldest tox testenv.
         from certbot_integration_tests.utils import pebble_ocsp_server
         self._launch_process([sys.executable, pebble_ocsp_server.__file__])
 
@@ -193,15 +167,6 @@ class ACMEServer(object):
         os.rename(join(instance_path, 'test/rate-limit-policies-b.yml'),
                   join(instance_path, 'test/rate-limit-policies.yml'))
 
-        if self._dns_server:
-            # Change Boulder config to use the provided DNS server
-            for suffix in ["", "-remote-a", "-remote-b"]:
-                with open(join(instance_path, 'test/config/va{}.json'.format(suffix)), 'r') as f:
-                    config = json.loads(f.read())
-                config['va']['dnsResolvers'] = [self._dns_server]
-                with open(join(instance_path, 'test/config/va{}.json'.format(suffix)), 'w') as f:
-                    f.write(json.dumps(config, indent=2, separators=(',', ': ')))
-
         try:
             # Launch the Boulder server
             self._launch_process(['docker-compose', 'up', '--force-recreate'], cwd=instance_path)
@@ -210,18 +175,14 @@ class ACMEServer(object):
             print('=> Waiting for boulder instance to respond...')
             misc.check_until_timeout(self.acme_xdist['directory_url'], attempts=300)
 
-            if not self._dns_server:
-                # Configure challtestsrv to answer any A record request with ip of the docker host.
-                response = requests.post('http://localhost:{0}/set-default-ipv4'.format(
-                    CHALLTESTSRV_PORT), json={'ip': '10.77.77.1'}
-                )
-                response.raise_for_status()
+            # Configure challtestsrv to answer any A record request with ip of the docker host.
+            response = requests.post('http://localhost:{0}/set-default-ipv4'.format(CHALLTESTSRV_PORT),
+                                     json={'ip': '10.77.77.1'})
+            response.raise_for_status()
         except BaseException:
             # If we failed to set up boulder, print its logs.
             print('=> Boulder setup failed. Boulder logs are:')
-            process = self._launch_process([
-                'docker-compose', 'logs'], cwd=instance_path, force_stderr=True
-            )
+            process = self._launch_process(['docker-compose', 'logs'], cwd=instance_path, force_stderr=True)
             process.wait()
             raise
 
@@ -232,7 +193,7 @@ class ACMEServer(object):
         print('=> Configuring the HTTP proxy...')
         mapping = {r'.+\.{0}\.wtf'.format(node): 'http://127.0.0.1:{0}'.format(port)
                    for node, port in self.acme_xdist['http_port'].items()}
-        command = [sys.executable, proxy.__file__, str(DEFAULT_HTTP_01_PORT), json.dumps(mapping)]
+        command = [sys.executable, proxy.__file__, str(HTTP_01_PORT), json.dumps(mapping)]
         self._launch_process(command)
         print('=> Finished configuring the HTTP proxy.')
 
@@ -241,34 +202,20 @@ class ACMEServer(object):
         if not env:
             env = os.environ
         stdout = sys.stderr if force_stderr else self._stdout
-        process = subprocess.Popen(
-            command, stdout=stdout, stderr=subprocess.STDOUT, cwd=cwd, env=env
-        )
+        process = subprocess.Popen(command, stdout=stdout, stderr=subprocess.STDOUT, cwd=cwd, env=env)
         self._processes.append(process)
         return process
 
 
 def main():
-    # pylint: disable=missing-function-docstring
-    parser = argparse.ArgumentParser(
-        description='CLI tool to start a local instance of Pebble or Boulder CA server.')
-    parser.add_argument('--server-type', '-s',
-                        choices=['pebble', 'boulder-v1', 'boulder-v2'], default='pebble',
-                        help='type of CA server to start: can be Pebble or Boulder '
-                             '(in ACMEv1 or ACMEv2 mode), Pebble is used if not set.')
-    parser.add_argument('--dns-server', '-d',
-                        help='specify the DNS server as `IP:PORT` to use by '
-                             'Pebble; if not specified, a local mock DNS server will be used to '
-                             'resolve domains to localhost.')
-    parser.add_argument('--http-01-port', type=int, default=DEFAULT_HTTP_01_PORT,
-                        help='specify the port to use for http-01 validation; '
-                             'this is currently only supported for Pebble.')
-    args = parser.parse_args()
+    args = sys.argv[1:]
+    server_type = args[0] if args else 'pebble'
+    possible_values = ('pebble', 'boulder-v1', 'boulder-v2')
+    if server_type not in possible_values:
+        raise ValueError('Invalid server value {0}, should be one of {1}'
+                         .format(server_type, possible_values))
 
-    acme_server = ACMEServer(
-        args.server_type, [], http_proxy=False, stdout=True,
-        dns_server=args.dns_server, http_01_port=args.http_01_port,
-    )
+    acme_server = ACMEServer(server_type, [], http_proxy=False, stdout=True)
 
     try:
         with acme_server as acme_xdist:

certbot-ci/certbot_integration_tests/utils/certbot_call.py

@@ -2,13 +2,12 @@
 """Module to call certbot in test mode"""
 from __future__ import absolute_import
 
+from distutils.version import LooseVersion
 import os
 import subprocess
 import sys
-from distutils.version import LooseVersion
 
 import certbot_integration_tests
-# pylint: disable=wildcard-import,unused-wildcard-import
 from certbot_integration_tests.utils.constants import *
 
 
@@ -36,8 +35,6 @@ def certbot_test(certbot_args, directory_url, http_01_port, tls_alpn_01_port,
 
 
 def _prepare_environ(workspace):
-    # pylint: disable=missing-function-docstring
-
     new_environ = os.environ.copy()
     new_environ['TMPDIR'] = workspace
 
@@ -61,13 +58,8 @@ def _prepare_environ(workspace):
         # certbot_integration_tests.__file__ is:
         # '/path/to/certbot/certbot-ci/certbot_integration_tests/__init__.pyc'
         # ... and we want '/path/to/certbot'
-        certbot_root = os.path.dirname(os.path.dirname(
-            os.path.dirname(certbot_integration_tests.__file__))
-        )
-        python_paths = [
-            path for path in new_environ['PYTHONPATH'].split(':')
-            if path != certbot_root
-        ]
+        certbot_root = os.path.dirname(os.path.dirname(os.path.dirname(certbot_integration_tests.__file__)))
+        python_paths = [path for path in new_environ['PYTHONPATH'].split(':') if path != certbot_root]
         new_environ['PYTHONPATH'] = ':'.join(python_paths)
 
     return new_environ
@@ -78,8 +70,7 @@ def _compute_additional_args(workspace, environ, force_renew):
     output = subprocess.check_output(['certbot', '--version'],
                                      universal_newlines=True, stderr=subprocess.STDOUT,
                                      cwd=workspace, env=environ)
-    # Typical response is: output = 'certbot 0.31.0.dev0'
-    version_str = output.split(' ')[1].strip()
+    version_str = output.split(' ')[1].strip()  # Typical response is: output = 'certbot 0.31.0.dev0'
     if LooseVersion(version_str) >= LooseVersion('0.30.0'):
         additional_args.append('--no-random-sleep-on-renew')
 
@@ -101,7 +92,6 @@ def _prepare_args_env(certbot_args, directory_url, http_01_port, tls_alpn_01_por
         '--no-verify-ssl',
         '--http-01-port', str(http_01_port),
         '--https-port', str(tls_alpn_01_port),
-        '--manual-public-ip-logging-ok',
         '--config-dir', config_dir,
         '--work-dir', os.path.join(workspace, 'work'),
         '--logs-dir', os.path.join(workspace, 'logs'),
@@ -122,12 +112,11 @@ def _prepare_args_env(certbot_args, directory_url, http_01_port, tls_alpn_01_por
 
 
 def main():
-    # pylint: disable=missing-function-docstring
     args = sys.argv[1:]
 
     # Default config is pebble
     directory_url = os.environ.get('SERVER', PEBBLE_DIRECTORY_URL)
-    http_01_port = int(os.environ.get('HTTP_01_PORT', DEFAULT_HTTP_01_PORT))
+    http_01_port = int(os.environ.get('HTTP_01_PORT', HTTP_01_PORT))
     tls_alpn_01_port = int(os.environ.get('TLS_ALPN_01_PORT', TLS_ALPN_01_PORT))
 
     # Execution of certbot in a self-contained workspace

certbot-ci/certbot_integration_tests/utils/constants.py

@@ -1,5 +1,5 @@
 """Some useful constants to use throughout certbot-ci integration tests"""
-DEFAULT_HTTP_01_PORT = 5002
+HTTP_01_PORT = 5002
 TLS_ALPN_01_PORT = 5001
 CHALLTESTSRV_PORT = 8055
 BOULDER_V1_DIRECTORY_URL = 'http://localhost:4000/directory'
@@ -7,4 +7,4 @@ BOULDER_V2_DIRECTORY_URL = 'http://localhost:4001/directory'
 PEBBLE_DIRECTORY_URL = 'https://localhost:14000/dir'
 PEBBLE_MANAGEMENT_URL = 'https://localhost:15000'
 MOCK_OCSP_SERVER_PORT = 4002
-PEBBLE_ALTERNATE_ROOTS = 2
+PEBBLE_ALTERNATE_ROOTS = 2

certbot-ci/certbot_integration_tests/utils/dns_server.py

@@ -1,155 +0,0 @@
-#!/usr/bin/env python
-"""Module to setup an RFC2136-capable DNS server"""
-from __future__ import print_function
-
-import os
-import os.path
-import shutil
-import socket
-import subprocess
-import sys
-import tempfile
-import time
-
-from pkg_resources import resource_filename
-
-BIND_DOCKER_IMAGE = "internetsystemsconsortium/bind9:9.16"
-BIND_BIND_ADDRESS = ("127.0.0.1", 45953)
-
-# A TCP DNS message which is a query for '. CH A' transaction ID 0xcb37. This is used
-# by _wait_until_ready to check that BIND is responding without depending on dnspython.
-BIND_TEST_QUERY = bytearray.fromhex("0011cb37000000010000000000000000010003")
-
-
-class DNSServer(object):
-    """
-    DNSServer configures and handles the lifetime of an RFC2136-capable server.
-    DNServer provides access to the dns_xdist parameter, listing the address and port
-    to use for each pytest node.
-
-    At this time, DNSServer should only be used with a single node, but may be expanded in
-    future to support parallelization (https://github.com/certbot/certbot/issues/8455).
-    """
-
-    def __init__(self, unused_nodes, show_output=False):
-        """
-        Create an DNSServer instance.
-        :param list nodes: list of node names that will be setup by pytest xdist
-        :param bool show_output: if True, print the output of the DNS server
-        """
-
-        self.bind_root = tempfile.mkdtemp()
-
-        self.process = None  # type: subprocess.Popen
-
-        self.dns_xdist = {"address": BIND_BIND_ADDRESS[0], "port": BIND_BIND_ADDRESS[1]}
-
-        # Unfortunately the BIND9 image forces everything to stderr with -g and we can't
-        # modify the verbosity.
-        self._output = sys.stderr if show_output else open(os.devnull, "w")
-
-    def start(self):
-        """Start the DNS server"""
-        try:
-            self._configure_bind()
-            self._start_bind()
-        except:
-            self.stop()
-            raise
-
-    def stop(self):
-        """Stop the DNS server, and clean its resources"""
-        if self.process:
-            try:
-                self.process.terminate()
-                self.process.wait()
-            except BaseException as e:
-                print("BIND9 did not stop cleanly: {}".format(e), file=sys.stderr)
-
-        shutil.rmtree(self.bind_root, ignore_errors=True)
-
-        if self._output != sys.stderr:
-            self._output.close()
-
-    def _configure_bind(self):
-        """Configure the BIND9 server based on the prebaked configuration"""
-        bind_conf_src = resource_filename(
-            "certbot_integration_tests", "assets/bind-config"
-        )
-        for directory in ("conf", "zones"):
-            shutil.copytree(
-                os.path.join(bind_conf_src, directory), os.path.join(self.bind_root, directory)
-            )
-
-    def _start_bind(self):
-        """Launch the BIND9 server as a Docker container"""
-        addr_str = "{}:{}".format(BIND_BIND_ADDRESS[0], BIND_BIND_ADDRESS[1])
-        self.process = subprocess.Popen(
-            [
-                "docker",
-                "run",
-                "--rm",
-                "-p",
-                "{}:53/udp".format(addr_str),
-                "-p",
-                "{}:53/tcp".format(addr_str),
-                "-v",
-                "{}/conf:/etc/bind".format(self.bind_root),
-                "-v",
-                "{}/zones:/var/lib/bind".format(self.bind_root),
-                BIND_DOCKER_IMAGE,
-            ],
-            stdout=self._output,
-            stderr=self._output,
-        )
-
-        if self.process.poll():
-            raise ValueError("BIND9 server stopped unexpectedly")
-
-        try:
-            self._wait_until_ready()
-        except:
-            # The container might be running even if we think it isn't
-            self.stop()
-            raise
-
-    def _wait_until_ready(self, attempts=30):
-        # type: (int) -> None
-        """
-        Polls the DNS server over TCP until it gets a response, or until
-        it runs out of attempts and raises a ValueError.
-        The DNS response message must match the txn_id of the DNS query message,
-        but otherwise the contents are ignored.
-        :param int attempts: The number of attempts to make.
-        """
-        for _ in range(attempts):
-            if self.process.poll():
-                raise ValueError("BIND9 server stopped unexpectedly")
-
-            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-            sock.settimeout(5.0)
-            try:
-                sock.connect(BIND_BIND_ADDRESS)
-                sock.sendall(BIND_TEST_QUERY)
-                buf = sock.recv(1024)
-                # We should receive a DNS message with the same tx_id
-                if buf and len(buf) > 4 and buf[2:4] == BIND_TEST_QUERY[2:4]:
-                    return
-                # If we got a response but it wasn't the one we wanted, wait a little
-                time.sleep(1)
-            except:  # pylint: disable=bare-except
-                # If there was a network error, wait a little
-                time.sleep(1)
-            finally:
-                sock.close()
-
-        raise ValueError(
-            "Gave up waiting for DNS server {} to respond".format(BIND_BIND_ADDRESS)
-        )
-
-    def __enter__(self):
-        self.start()
-        return self.dns_xdist
-
-    def __exit__(self, exc_type, exc_val, exc_tb):
-        self.stop()

certbot-ci/certbot_integration_tests/utils/misc.py

@@ -39,7 +39,6 @@ def _suppress_x509_verification_warnings():
         urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
     except ImportError:
         # Handle old versions of request with vendorized urllib3
-        # pylint: disable=no-member
         from requests.packages.urllib3.exceptions import InsecureRequestWarning
         requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 
@@ -257,8 +256,7 @@ def generate_csr(domains, key_path, csr_path, key_type=RSA_KEY_TYPE):
 
 def read_certificate(cert_path):
     """
-    Load the certificate from the provided path, and return a human readable version
-    of it (TEXT mode).
+    Load the certificate from the provided path, and return a human readable version of it (TEXT mode).
     :param str cert_path: the path to the certificate
     :returns: the TEXT version of the certificate, as it would be displayed by openssl binary
     """
@@ -282,11 +280,7 @@ def load_sample_data_path(workspace):
 
     if os.name == 'nt':
         # Fix the symlinks on Windows if GIT is not configured to create them upon checkout
-        for lineage in [
-            'a.encryption-example.com',
-            'b.encryption-example.com',
-            'c.encryption-example.com',
-        ]:
+        for lineage in ['a.encryption-example.com', 'b.encryption-example.com']:
             current_live = os.path.join(copied, 'live', lineage)
             for name in os.listdir(current_live):
                 if name != 'README':

certbot-ci/certbot_integration_tests/utils/pebble_artifacts.py

@@ -1,5 +1,3 @@
-# pylint: disable=missing-module-docstring
-
 import json
 import os
 import stat
@@ -7,19 +5,18 @@ import stat
 import pkg_resources
 import requests
 
-from certbot_integration_tests.utils.constants import DEFAULT_HTTP_01_PORT, MOCK_OCSP_SERVER_PORT
+from certbot_integration_tests.utils.constants import MOCK_OCSP_SERVER_PORT
 
 PEBBLE_VERSION = 'v2.3.0'
 ASSETS_PATH = pkg_resources.resource_filename('certbot_integration_tests', 'assets')
 
 
-def fetch(workspace, http_01_port=DEFAULT_HTTP_01_PORT):
-    # pylint: disable=missing-function-docstring
+def fetch(workspace):
     suffix = 'linux-amd64' if os.name != 'nt' else 'windows-amd64.exe'
 
     pebble_path = _fetch_asset('pebble', suffix)
     challtestsrv_path = _fetch_asset('pebble-challtestsrv', suffix)
-    pebble_config_path = _build_pebble_config(workspace, http_01_port)
+    pebble_config_path = _build_pebble_config(workspace)
 
     return pebble_path, challtestsrv_path, pebble_config_path
 
@@ -38,7 +35,7 @@ def _fetch_asset(asset, suffix):
     return asset_path
 
 
-def _build_pebble_config(workspace, http_01_port):
+def _build_pebble_config(workspace):
     config_path = os.path.join(workspace, 'pebble-config.json')
     with open(config_path, 'w') as file_h:
         file_h.write(json.dumps({
@@ -47,7 +44,7 @@ def _build_pebble_config(workspace, http_01_port):
                 'managementListenAddress': '0.0.0.0:15000',
                 'certificate': os.path.join(ASSETS_PATH, 'cert.pem'),
                 'privateKey': os.path.join(ASSETS_PATH, 'key.pem'),
-                'httpPort': http_01_port,
+                'httpPort': 5002,
                 'tlsPort': 5001,
                 'ocspResponderURL': 'http://127.0.0.1:{0}'.format(MOCK_OCSP_SERVER_PORT),
             },

certbot-ci/certbot_integration_tests/utils/pebble_ocsp_server.py

@@ -21,7 +21,6 @@ from certbot_integration_tests.utils.misc import GracefulTCPServer
 
 
 class _ProxyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
-    # pylint: disable=missing-function-docstring
     def do_POST(self):
         request = requests.get(PEBBLE_MANAGEMENT_URL + '/intermediate-keys/0', verify=False)
         issuer_key = serialization.load_pem_private_key(request.content, None, default_backend())
@@ -36,28 +35,20 @@ class _ProxyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 
         ocsp_request = ocsp.load_der_ocsp_request(self.rfile.read(content_len))
         response = requests.get('{0}/cert-status-by-serial/{1}'.format(
-            PEBBLE_MANAGEMENT_URL, str(hex(ocsp_request.serial_number)).replace('0x', '')),
-            verify=False
-        )
+            PEBBLE_MANAGEMENT_URL, str(hex(ocsp_request.serial_number)).replace('0x', '')), verify=False)
 
         if not response.ok:
-            ocsp_response = ocsp.OCSPResponseBuilder.build_unsuccessful(
-                ocsp.OCSPResponseStatus.UNAUTHORIZED
-            )
+            ocsp_response = ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.UNAUTHORIZED)
         else:
             data = response.json()
 
             now = datetime.datetime.utcnow()
             cert = x509.load_pem_x509_certificate(data['Certificate'].encode(), default_backend())
             if data['Status'] != 'Revoked':
-                ocsp_status = ocsp.OCSPCertStatus.GOOD
-                revocation_time = None
-                revocation_reason = None
+                ocsp_status, revocation_time, revocation_reason = ocsp.OCSPCertStatus.GOOD, None, None
             else:
-                ocsp_status = ocsp.OCSPCertStatus.REVOKED
-                revocation_reason = x509.ReasonFlags.unspecified
-                # "... +0000 UTC" => "+0000"
-                revoked_at = re.sub(r'( \+\d{4}).*$', r'\1', data['RevokedAt'])
+                ocsp_status, revocation_reason = ocsp.OCSPCertStatus.REVOKED, x509.ReasonFlags.unspecified
+                revoked_at = re.sub(r'( \+\d{4}).*$', r'\1', data['RevokedAt'])  # "... +0000 UTC" => "+0000"
                 revocation_time = parser.parse(revoked_at)
 
             ocsp_response = ocsp.OCSPResponseBuilder().add_response(

certbot-ci/certbot_integration_tests/utils/proxy.py

@@ -1,6 +1,4 @@
 #!/usr/bin/env python
-# pylint: disable=missing-module-docstring
-
 import json
 import re
 import sys
@@ -12,9 +10,7 @@ from certbot_integration_tests.utils.misc import GracefulTCPServer
 
 
 def _create_proxy(mapping):
-    # pylint: disable=missing-function-docstring
     class ProxyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
-        # pylint: disable=missing-class-docstring
         def do_GET(self):
             headers = {key.lower(): value for key, value in self.headers.items()}
             backend = [backend for pattern, backend in mapping.items()

certbot-ci/setup.py

@@ -18,7 +18,7 @@ install_requires = [
     'python-dateutil',
     'pyyaml',
     'requests',
-    'six'
+    'six',
 ]
 
 # Add pywin32 on Windows platforms to handle low-level system calls.
@@ -52,7 +52,6 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
     ],

certbot-ci/windows_installer_integration_tests/conftest.py

@@ -9,6 +9,8 @@ See https://docs.pytest.org/en/latest/reference.html#hook-reference
 from __future__ import print_function
 import os
 
+import pytest
+
 ROOT_PATH = os.path.dirname(os.path.dirname(os.path.dirname(__file__)))
 
 

certbot-compatibility-test/certbot_compatibility_test/configurators/common.py

@@ -69,10 +69,11 @@ class Proxy(object):
         shutil.copy(cert_path, cert)
         key = os.path.join(cert_and_key_dir, "key")
         shutil.copy(key_path, key)
-        chain = None
         if chain_path:
             chain = os.path.join(cert_and_key_dir, "chain")
             shutil.copy(chain_path, chain)
+        else:
+            chain = None
 
         return cert, key, chain
 

certbot-compatibility-test/certbot_compatibility_test/validator.py

@@ -18,7 +18,7 @@ class Validator(object):
     def certificate(self, cert, name, alt_host=None, port=443):
         """Verifies the certificate presented at name is cert"""
         if alt_host is None:
-            host = socket.gethostbyname(name).encode()
+            host = socket.gethostbyname(name)
         elif isinstance(alt_host, six.binary_type):
             host = alt_host
         else:

certbot-compatibility-test/setup.py

@@ -5,7 +5,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.10.0.dev0'
 
 install_requires = [
     'certbot',
@@ -50,7 +50,6 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
     ],

certbot-dns-cloudflare/certbot_dns_cloudflare/__init__.py

@@ -3,10 +3,6 @@ The `~certbot_dns_cloudflare.dns_cloudflare` plugin automates the process of
 completing a ``dns-01`` challenge (`~acme.challenges.DNS01`) by creating, and
 subsequently removing, TXT records using the Cloudflare API.
 
-.. note::
-   The plugin is not installed by default. It can be installed by heading to
-   `certbot.eff.org <https://certbot.eff.org/instructions#wildcard>`_, choosing your system and
-   selecting the Wildcard tab.
 
 Named Arguments
 ---------------

certbot-dns-cloudflare/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.10.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -63,7 +63,6 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-cloudflare/snap/hooks/post-refresh

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
+
+# get certbot version
+if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
+  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
+  exit 0
+fi
+cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
+
+# get required certbot version for plugin. certbot version must be at least the plugin's
+# version. note that this is not the required version in setup.py, but the version number itself.
+cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
+
+
+$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
+if [ "$exit_code" -eq 1 ]; then
+  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
+    "this plugin can be updated; will try again on next refresh."
+  exit 1
+fi

certbot-dns-cloudflare/snap/snapcraft.yaml

@@ -0,0 +1,41 @@
+# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
+name: certbot-dns-cloudflare
+summary: Cloudflare DNS Authenticator plugin for Certbot
+description: Cloudflare DNS Authenticator plugin for Certbot
+confinement: strict
+grade: stable
+base: core20
+adopt-info: certbot-dns-cloudflare
+
+parts:
+  certbot-dns-cloudflare:
+    plugin: python
+    source: .
+    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
+    override-pull: |
+        snapcraftctl pull
+        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
+    build-environment:
+      - SNAP_BUILD: "True"
+    # To build cryptography and cffi if needed
+    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
+  certbot-metadata:
+    plugin: dump
+    source: .
+    stage: [setup.py, certbot-shared]
+    override-pull: |
+        snapcraftctl pull
+        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
+
+slots:
+  certbot:
+    interface: content
+    content: certbot-1
+    read:
+      - $SNAP/lib/python3.8/site-packages
+
+plugs:
+  certbot-metadata:
+    interface: content
+    content: metadata-1
+    target: $SNAP/certbot-shared

certbot-dns-cloudxns/certbot_dns_cloudxns/__init__.py

@@ -3,10 +3,6 @@ The `~certbot_dns_cloudxns.dns_cloudxns` plugin automates the process of
 completing a ``dns-01`` challenge (`~acme.challenges.DNS01`) by creating, and
 subsequently removing, TXT records using the CloudXNS API.
 
-.. note::
-   The plugin is not installed by default. It can be installed by heading to
-   `certbot.eff.org <https://certbot.eff.org/instructions#wildcard>`_, choosing your system and
-   selecting the Wildcard tab.
 
 Named Arguments
 ---------------

certbot-dns-cloudxns/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.10.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -63,7 +63,6 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-cloudxns/snap/hooks/post-refresh

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
+
+# get certbot version
+if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
+  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
+  exit 0
+fi
+cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
+
+# get required certbot version for plugin. certbot version must be at least the plugin's
+# version. note that this is not the required version in setup.py, but the version number itself.
+cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
+
+
+$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
+if [ "$exit_code" -eq 1 ]; then
+  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
+    "this plugin can be updated; will try again on next refresh."
+  exit 1
+fi

certbot-dns-cloudxns/snap/snapcraft.yaml

@@ -0,0 +1,41 @@
+# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
+name: certbot-dns-cloudxns
+summary: CloudXNS DNS Authenticator plugin for Certbot
+description: CloudXNS DNS Authenticator plugin for Certbot
+confinement: strict
+grade: stable
+base: core20
+adopt-info: certbot-dns-cloudxns
+
+parts:
+  certbot-dns-cloudxns:
+    plugin: python
+    source: .
+    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
+    override-pull: |
+        snapcraftctl pull
+        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
+    build-environment:
+      - SNAP_BUILD: "True"
+    # To build cryptography and cffi if needed
+    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
+  certbot-metadata:
+    plugin: dump
+    source: .
+    stage: [setup.py, certbot-shared]
+    override-pull: |
+        snapcraftctl pull
+        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
+
+slots:
+  certbot:
+    interface: content
+    content: certbot-1
+    read:
+      - $SNAP/lib/python3.8/site-packages
+
+plugs:
+  certbot-metadata:
+    interface: content
+    content: metadata-1
+    target: $SNAP/certbot-shared

certbot-dns-digitalocean/certbot_dns_digitalocean/__init__.py

@@ -3,10 +3,6 @@ The `~certbot_dns_digitalocean.dns_digitalocean` plugin automates the process of
 completing a ``dns-01`` challenge (`~acme.challenges.DNS01`) by creating, and
 subsequently removing, TXT records using the DigitalOcean API.
 
-.. note::
-   The plugin is not installed by default. It can be installed by heading to
-   `certbot.eff.org <https://certbot.eff.org/instructions#wildcard>`_, choosing your system and
-   selecting the Wildcard tab.
 
 Named Arguments
 ---------------

certbot-dns-digitalocean/certbot_dns_digitalocean/_internal/dns_digitalocean.py

@@ -19,8 +19,7 @@ class Authenticator(dns_common.DNSAuthenticator):
     This Authenticator uses the DigitalOcean API to fulfill a dns-01 challenge.
     """
 
-    description = 'Obtain certificates using a DNS TXT record (if you are ' + \
-                  'using DigitalOcean for DNS).'
+    description = 'Obtain certs using a DNS TXT record (if you are using DigitalOcean for DNS).'
 
     def __init__(self, *args, **kwargs):
         super(Authenticator, self).__init__(*args, **kwargs)

certbot-dns-digitalocean/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.10.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -64,7 +64,6 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-digitalocean/snap/hooks/post-refresh

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
+
+# get certbot version
+if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
+  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
+  exit 0
+fi
+cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
+
+# get required certbot version for plugin. certbot version must be at least the plugin's
+# version. note that this is not the required version in setup.py, but the version number itself.
+cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
+
+
+$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
+if [ "$exit_code" -eq 1 ]; then
+  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
+    "this plugin can be updated; will try again on next refresh."
+  exit 1
+fi

certbot-dns-digitalocean/snap/snapcraft.yaml

@@ -0,0 +1,41 @@
+# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
+name: certbot-dns-digitalocean
+summary: DigitalOcean DNS Authenticator plugin for Certbot
+description: DigitalOcean DNS Authenticator plugin for Certbot
+confinement: strict
+grade: stable
+base: core20
+adopt-info: certbot-dns-digitalocean
+
+parts:
+  certbot-dns-digitalocean:
+    plugin: python
+    source: .
+    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
+    override-pull: |
+        snapcraftctl pull
+        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
+    build-environment:
+      - SNAP_BUILD: "True"
+    # To build cryptography and cffi if needed
+    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
+  certbot-metadata:
+    plugin: dump
+    source: .
+    stage: [setup.py, certbot-shared]
+    override-pull: |
+        snapcraftctl pull
+        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
+
+slots:
+  certbot:
+    interface: content
+    content: certbot-1
+    read:
+      - $SNAP/lib/python3.8/site-packages
+
+plugs:
+  certbot-metadata:
+    interface: content
+    content: metadata-1
+    target: $SNAP/certbot-shared

certbot-dns-dnsimple/certbot_dns_dnsimple/__init__.py

@@ -3,10 +3,6 @@ The `~certbot_dns_dnsimple.dns_dnsimple` plugin automates the process of
 completing a ``dns-01`` challenge (`~acme.challenges.DNS01`) by creating, and
 subsequently removing, TXT records using the DNSimple API.
 
-.. note::
-   The plugin is not installed by default. It can be installed by heading to
-   `certbot.eff.org <https://certbot.eff.org/instructions#wildcard>`_, choosing your system and
-   selecting the Wildcard tab.
 
 Named Arguments
 ---------------

certbot-dns-dnsimple/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.10.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -74,7 +74,6 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-dnsimple/snap/hooks/post-refresh

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
+
+# get certbot version
+if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
+  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
+  exit 0
+fi
+cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
+
+# get required certbot version for plugin. certbot version must be at least the plugin's
+# version. note that this is not the required version in setup.py, but the version number itself.
+cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
+
+
+$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
+if [ "$exit_code" -eq 1 ]; then
+  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
+    "this plugin can be updated; will try again on next refresh."
+  exit 1
+fi

certbot-dns-dnsimple/snap/snapcraft.yaml

@@ -0,0 +1,41 @@
+# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
+name: certbot-dns-dnsimple
+summary: DNSimple DNS Authenticator plugin for Certbot
+description: DNSimple DNS Authenticator plugin for Certbot
+confinement: strict
+grade: stable
+base: core20
+adopt-info: certbot-dns-dnsimple
+
+parts:
+  certbot-dns-dnsimple:
+    plugin: python
+    source: .
+    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
+    override-pull: |
+        snapcraftctl pull
+        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
+    build-environment:
+      - SNAP_BUILD: "True"
+    # To build cryptography and cffi if needed
+    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
+  certbot-metadata:
+    plugin: dump
+    source: .
+    stage: [setup.py, certbot-shared]
+    override-pull: |
+        snapcraftctl pull
+        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
+
+slots:
+  certbot:
+    interface: content
+    content: certbot-1
+    read:
+      - $SNAP/lib/python3.8/site-packages
+
+plugs:
+  certbot-metadata:
+    interface: content
+    content: metadata-1
+    target: $SNAP/certbot-shared

certbot-dns-dnsmadeeasy/certbot_dns_dnsmadeeasy/__init__.py

@@ -3,10 +3,6 @@ The `~certbot_dns_dnsmadeeasy.dns_dnsmadeeasy` plugin automates the process of
 completing a ``dns-01`` challenge (`~acme.challenges.DNS01`) by creating, and
 subsequently removing, TXT records using the DNS Made Easy API.
 
-.. note::
-   The plugin is not installed by default. It can be installed by heading to
-   `certbot.eff.org <https://certbot.eff.org/instructions#wildcard>`_, choosing your system and
-   selecting the Wildcard tab.
 
 Named Arguments
 ---------------

certbot-dns-dnsmadeeasy/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.10.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -63,7 +63,6 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-dnsmadeeasy/snap/hooks/post-refresh

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
+
+# get certbot version
+if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
+  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
+  exit 0
+fi
+cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
+
+# get required certbot version for plugin. certbot version must be at least the plugin's
+# version. note that this is not the required version in setup.py, but the version number itself.
+cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
+
+
+$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
+if [ "$exit_code" -eq 1 ]; then
+  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
+    "this plugin can be updated; will try again on next refresh."
+  exit 1
+fi

certbot-dns-dnsmadeeasy/snap/snapcraft.yaml

@@ -0,0 +1,41 @@
+# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
+name: certbot-dns-dnsmadeeasy
+summary: DNS Made Easy DNS Authenticator plugin for Certbot
+description: DNS Made Easy DNS Authenticator plugin for Certbot
+confinement: strict
+grade: stable
+base: core20
+adopt-info: certbot-dns-dnsmadeeasy
+
+parts:
+  certbot-dns-dnsmadeeasy:
+    plugin: python
+    source: .
+    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
+    override-pull: |
+        snapcraftctl pull
+        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
+    build-environment:
+      - SNAP_BUILD: "True"
+    # To build cryptography and cffi if needed
+    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
+  certbot-metadata:
+    plugin: dump
+    source: .
+    stage: [setup.py, certbot-shared]
+    override-pull: |
+        snapcraftctl pull
+        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
+
+slots:
+  certbot:
+    interface: content
+    content: certbot-1
+    read:
+      - $SNAP/lib/python3.8/site-packages
+
+plugs:
+  certbot-metadata:
+    interface: content
+    content: metadata-1
+    target: $SNAP/certbot-shared

certbot-dns-gehirn/certbot_dns_gehirn/__init__.py

@@ -3,10 +3,6 @@ The `~certbot_dns_gehirn.dns_gehirn` plugin automates the process of completing
 a ``dns-01`` challenge (`~acme.challenges.DNS01`) by creating, and subsequently
 removing, TXT records using the Gehirn Infrastructure Service DNS API.
 
-.. note::
-   The plugin is not installed by default. It can be installed by heading to
-   `certbot.eff.org <https://certbot.eff.org/instructions#wildcard>`_, choosing your system and
-   selecting the Wildcard tab.
 
 Named Arguments
 ---------------

certbot-dns-gehirn/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.10.0.dev0'
 
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
@@ -62,7 +62,6 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-gehirn/snap/hooks/post-refresh

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
+
+# get certbot version
+if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
+  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
+  exit 0
+fi
+cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
+
+# get required certbot version for plugin. certbot version must be at least the plugin's
+# version. note that this is not the required version in setup.py, but the version number itself.
+cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
+
+
+$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
+if [ "$exit_code" -eq 1 ]; then
+  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
+    "this plugin can be updated; will try again on next refresh."
+  exit 1
+fi

certbot-dns-gehirn/snap/snapcraft.yaml

@@ -0,0 +1,41 @@
+# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
+name: certbot-dns-gehirn
+summary: Gehirn Infrastructure Service DNS Authenticator plugin for Certbot
+description: Gehirn Infrastructure Service DNS Authenticator plugin for Certbot
+confinement: strict
+grade: stable
+base: core20
+adopt-info: certbot-dns-gehirn
+
+parts:
+  certbot-dns-gehirn:
+    plugin: python
+    source: .
+    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
+    override-pull: |
+        snapcraftctl pull
+        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
+    build-environment:
+      - SNAP_BUILD: "True"
+    # To build cryptography and cffi if needed
+    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
+  certbot-metadata:
+    plugin: dump
+    source: .
+    stage: [setup.py, certbot-shared]
+    override-pull: |
+        snapcraftctl pull
+        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
+
+slots:
+  certbot:
+    interface: content
+    content: certbot-1
+    read:
+      - $SNAP/lib/python3.8/site-packages
+
+plugs:
+  certbot-metadata:
+    interface: content
+    content: metadata-1
+    target: $SNAP/certbot-shared

certbot-dns-google/certbot_dns_google/__init__.py

@@ -3,10 +3,6 @@ The `~certbot_dns_google.dns_google` plugin automates the process of
 completing a ``dns-01`` challenge (`~acme.challenges.DNS01`) by creating, and
 subsequently removing, TXT records using the Google Cloud DNS API.
 
-.. note::
-   The plugin is not installed by default. It can be installed by heading to
-   `certbot.eff.org <https://certbot.eff.org/instructions#wildcard>`_, choosing your system and
-   selecting the Wildcard tab.
 
 Named Arguments
 ---------------

certbot-dns-google/certbot_dns_google/_internal/dns_google.py

@@ -85,13 +85,9 @@ class _GoogleClient(object):
 
         scopes = ['https://www.googleapis.com/auth/ndev.clouddns.readwrite']
         if account_json is not None:
-            try:
-                credentials = ServiceAccountCredentials.from_json_keyfile_name(account_json, scopes)
-                with open(account_json) as account:
-                    self.project_id = json.load(account)['project_id']
-            except Exception as e:
-                raise errors.PluginError(
-                    "Error parsing credentials file '{}': {}".format(account_json, e))
+            credentials = ServiceAccountCredentials.from_json_keyfile_name(account_json, scopes)
+            with open(account_json) as account:
+                self.project_id = json.load(account)['project_id']
         else:
             credentials = None
             self.project_id = self.get_project_id()
@@ -118,13 +114,10 @@ class _GoogleClient(object):
 
         record_contents = self.get_existing_txt_rrset(zone_id, record_name)
         if record_contents is None:
-        # If it wasn't possible to fetch the records at this label (missing .list permission),
-        # assume there aren't any (#5678). If there are actually records here, this will fail
-        # with HTTP 409/412 API errors.
-            record_contents = {"rrdatas": []}
-        add_records = record_contents["rrdatas"][:]
+            record_contents = []
+        add_records = record_contents[:]
 
-        if "\""+record_content+"\"" in record_contents["rrdatas"]:
+        if "\""+record_content+"\"" in record_contents:
             # The process was interrupted previously and validation token exists
             return
 
@@ -143,15 +136,15 @@ class _GoogleClient(object):
             ],
         }
 
-        if record_contents["rrdatas"]:
+        if record_contents:
             # We need to remove old records in the same request
             data["deletions"] = [
                 {
                     "kind": "dns#resourceRecordSet",
                     "type": "TXT",
                     "name": record_name + ".",
-                    "rrdatas": record_contents["rrdatas"],
-                    "ttl": record_contents["ttl"],
+                    "rrdatas": record_contents,
+                    "ttl": record_ttl,
                 },
             ]
 
@@ -191,10 +184,7 @@ class _GoogleClient(object):
 
         record_contents = self.get_existing_txt_rrset(zone_id, record_name)
         if record_contents is None:
-            # If it wasn't possible to fetch the records at this label (missing .list permission),
-            # assume there aren't any (#5678). If there are actually records here, this will fail
-            # with HTTP 409/412 API errors.
-            record_contents = {"rrdatas": ["\"" + record_content + "\""], "ttl": record_ttl}
+            record_contents = ["\"" + record_content + "\""]
 
         data = {
             "kind": "dns#change",
@@ -203,15 +193,14 @@ class _GoogleClient(object):
                     "kind": "dns#resourceRecordSet",
                     "type": "TXT",
                     "name": record_name + ".",
-                    "rrdatas": record_contents["rrdatas"],
-                    "ttl": record_contents["ttl"],
+                    "rrdatas": record_contents,
+                    "ttl": record_ttl,
                 },
             ],
         }
 
         # Remove the record being deleted from the list
-        readd_contents = [r for r in record_contents["rrdatas"]
-                            if r != "\"" + record_content + "\""]
+        readd_contents = [r for r in record_contents if r != "\"" + record_content + "\""]
         if readd_contents:
             # We need to remove old records in the same request
             data["additions"] = [
@@ -220,7 +209,7 @@ class _GoogleClient(object):
                     "type": "TXT",
                     "name": record_name + ".",
                     "rrdatas": readd_contents,
-                    "ttl": record_contents["ttl"],
+                    "ttl": record_ttl,
                 },
             ]
 
@@ -242,15 +231,14 @@ class _GoogleClient(object):
         :param str zone_id: The ID of the managed zone.
         :param str record_name: The record name (typically beginning with '_acme-challenge.').
 
-        :returns: The resourceRecordSet corresponding to `record_name` or None
-        :rtype: `resourceRecordSet <https://cloud.google.com/dns/docs/reference/v1/resourceRecordSets#resource>` or `None` # pylint: disable=line-too-long
+        :returns: List of TXT record values or None
+        :rtype: `list` of `string` or `None`
 
         """
         rrs_request = self.dns.resourceRecordSets()
+        request = rrs_request.list(managedZone=zone_id, project=self.project_id)
         # Add dot as the API returns absolute domains
         record_name += "."
-        request = rrs_request.list(project=self.project_id, managedZone=zone_id, name=record_name,
-                                   type="TXT")
         try:
             response = request.execute()
         except googleapiclient_errors.Error:
@@ -258,8 +246,10 @@ class _GoogleClient(object):
                         "requesting a wildcard certificate, this might not work.")
             logger.debug("Error was:", exc_info=True)
         else:
-            if response and response["rrsets"]:
-                return response["rrsets"][0]
+            if response:
+                for rr in response["rrsets"]:
+                    if rr["name"] == record_name and rr["type"] == "TXT":
+                        return rr["rrdatas"]
         return None
 
     def _find_managed_zone_id(self, domain):

certbot-dns-google/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.10.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -66,7 +66,6 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-google/snap/hooks/post-refresh

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
+
+# get certbot version
+if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
+  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
+  exit 0
+fi
+cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
+
+# get required certbot version for plugin. certbot version must be at least the plugin's
+# version. note that this is not the required version in setup.py, but the version number itself.
+cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
+
+
+$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
+if [ "$exit_code" -eq 1 ]; then
+  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
+    "this plugin can be updated; will try again on next refresh."
+  exit 1
+fi

certbot-dns-google/snap/snapcraft.yaml

@@ -0,0 +1,41 @@
+# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
+name: certbot-dns-google
+summary: Google Cloud DNS Authenticator plugin for Certbot
+description: Google Cloud DNS Authenticator plugin for Certbot
+confinement: strict
+grade: stable
+base: core20
+adopt-info: certbot-dns-google
+
+parts:
+  certbot-dns-google:
+    plugin: python
+    source: .
+    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
+    override-pull: |
+        snapcraftctl pull
+        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
+    build-environment:
+      - SNAP_BUILD: "True"
+    # To build cryptography and cffi if needed
+    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
+  certbot-metadata:
+    plugin: dump
+    source: .
+    stage: [setup.py, certbot-shared]
+    override-pull: |
+        snapcraftctl pull
+        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
+
+slots:
+  certbot:
+    interface: content
+    content: certbot-1
+    read:
+      - $SNAP/lib/python3.8/site-packages
+
+plugs:
+  certbot-metadata:
+    interface: content
+    content: metadata-1
+    target: $SNAP/certbot-shared

certbot-dns-google/tests/dns_google_test.py

@@ -70,7 +70,7 @@ class GoogleClientTest(unittest.TestCase):
     zone = "ZONE_ID"
     change = "an-id"
 
-    def _setUp_client_with_mock(self, zone_request_side_effect, rrs_list_side_effect=None):
+    def _setUp_client_with_mock(self, zone_request_side_effect):
         from certbot_dns_google._internal.dns_google import _GoogleClient
 
         pwd = os.path.dirname(__file__)
@@ -86,16 +86,9 @@ class GoogleClientTest(unittest.TestCase):
         mock_mz.list.return_value.execute.side_effect = zone_request_side_effect
 
         mock_rrs = mock.MagicMock()
-        def rrs_list(project=None, managedZone=None, name=None, type=None):
-            response = {"rrsets": []}
-            if name == "_acme-challenge.example.org.":
-                response = {"rrsets": [{"name": "_acme-challenge.example.org.", "type": "TXT",
-                              "rrdatas": ["\"example-txt-contents\""], "ttl": 60}]}
-            mock_return = mock.MagicMock()
-            mock_return.execute.return_value = response
-            mock_return.execute.side_effect = rrs_list_side_effect
-            return mock_return
-        mock_rrs.list.side_effect = rrs_list
+        rrsets = {"rrsets": [{"name": "_acme-challenge.example.org.", "type": "TXT",
+                              "rrdatas": ["\"example-txt-contents\""]}]}
+        mock_rrs.list.return_value.execute.return_value = rrsets
         mock_changes = mock.MagicMock()
 
         client.dns.managedZones = mock.MagicMock(return_value=mock_mz)
@@ -114,17 +107,6 @@ class GoogleClientTest(unittest.TestCase):
         self.assertFalse(credential_mock.called)
         self.assertTrue(get_project_id_mock.called)
 
-    @mock.patch('oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_name')
-    def test_client_bad_credentials_file(self, credential_mock):
-        credential_mock.side_effect = ValueError('Some exception buried in oauth2client')
-        with self.assertRaises(errors.PluginError) as cm:
-            self._setUp_client_with_mock([])
-        self.assertEqual(
-            str(cm.exception),
-            "Error parsing credentials file '/not/a/real/path.json': "
-            "Some exception buried in oauth2client"
-        )
-
     @mock.patch('oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_name')
     @mock.patch('certbot_dns_google._internal.dns_google.open',
                 mock.mock_open(read_data='{"project_id": "' + PROJECT_ID + '"}'), create=True)
@@ -180,29 +162,11 @@ class GoogleClientTest(unittest.TestCase):
         # pylint: disable=line-too-long
         mock_get_rrs = "certbot_dns_google._internal.dns_google._GoogleClient.get_existing_txt_rrset"
         with mock.patch(mock_get_rrs) as mock_rrs:
-            mock_rrs.return_value = {"rrdatas": ["sample-txt-contents"], "ttl": self.record_ttl}
+            mock_rrs.return_value = ["sample-txt-contents"]
             client.add_txt_record(DOMAIN, self.record_name, self.record_content, self.record_ttl)
             self.assertTrue(changes.create.called)
-            deletions = changes.create.call_args_list[0][1]["body"]["deletions"][0]
-            self.assertTrue("sample-txt-contents" in deletions["rrdatas"])
-            self.assertEqual(self.record_ttl, deletions["ttl"])
-
-    @mock.patch('oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_name')
-    @mock.patch('certbot_dns_google._internal.dns_google.open',
-                mock.mock_open(read_data='{"project_id": "' + PROJECT_ID + '"}'), create=True)
-    def test_add_txt_record_delete_old_ttl_case(self, unused_credential_mock):
-        client, changes = self._setUp_client_with_mock(
-            [{'managedZones': [{'id': self.zone}]}])
-        # pylint: disable=line-too-long
-        mock_get_rrs = "certbot_dns_google._internal.dns_google._GoogleClient.get_existing_txt_rrset"
-        with mock.patch(mock_get_rrs) as mock_rrs:
-            custom_ttl = 300
-            mock_rrs.return_value = {"rrdatas": ["sample-txt-contents"], "ttl": custom_ttl}
-            client.add_txt_record(DOMAIN, self.record_name, self.record_content, self.record_ttl)
-            self.assertTrue(changes.create.called)
-            deletions = changes.create.call_args_list[0][1]["body"]["deletions"][0]
-            self.assertTrue("sample-txt-contents" in deletions["rrdatas"])
-            self.assertEqual(custom_ttl, deletions["ttl"]) #otherwise HTTP 412
+            self.assertTrue("sample-txt-contents" in
+                changes.create.call_args_list[0][1]["body"]["deletions"][0]["rrdatas"])
 
     @mock.patch('oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_name')
     @mock.patch('certbot_dns_google._internal.dns_google.open',
@@ -246,13 +210,14 @@ class GoogleClientTest(unittest.TestCase):
     @mock.patch('oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_name')
     @mock.patch('certbot_dns_google._internal.dns_google.open',
                 mock.mock_open(read_data='{"project_id": "' + PROJECT_ID + '"}'), create=True)
-    def test_del_txt_record_multi_rrdatas(self, unused_credential_mock):
+    def test_del_txt_record(self, unused_credential_mock):
         client, changes = self._setUp_client_with_mock([{'managedZones': [{'id': self.zone}]}])
+
         # pylint: disable=line-too-long
         mock_get_rrs = "certbot_dns_google._internal.dns_google._GoogleClient.get_existing_txt_rrset"
         with mock.patch(mock_get_rrs) as mock_rrs:
-            mock_rrs.return_value = {"rrdatas": ["\"sample-txt-contents\"",
-                                     "\"example-txt-contents\""], "ttl": self.record_ttl}
+            mock_rrs.return_value = ["\"sample-txt-contents\"",
+                                     "\"example-txt-contents\""]
             client.del_txt_record(DOMAIN, "_acme-challenge.example.org",
                                 "example-txt-contents", self.record_ttl)
 
@@ -282,51 +247,22 @@ class GoogleClientTest(unittest.TestCase):
                                                managedZone=self.zone,
                                                project=PROJECT_ID)
 
-    @mock.patch('oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_name')
-    @mock.patch('certbot_dns_google._internal.dns_google.open',
-                mock.mock_open(read_data='{"project_id": "' + PROJECT_ID + '"}'), create=True)
-    def test_del_txt_record_single_rrdatas(self, unused_credential_mock):
-        client, changes = self._setUp_client_with_mock([{'managedZones': [{'id': self.zone}]}])
-        # pylint: disable=line-too-long
-        mock_get_rrs = "certbot_dns_google._internal.dns_google._GoogleClient.get_existing_txt_rrset"
-        with mock.patch(mock_get_rrs) as mock_rrs:
-            mock_rrs.return_value = {"rrdatas": ["\"example-txt-contents\""], "ttl": self.record_ttl}
-            client.del_txt_record(DOMAIN, "_acme-challenge.example.org",
-                                "example-txt-contents", self.record_ttl)
-
-        expected_body = {
-            "kind": "dns#change",
-            "deletions": [
-                {
-                    "kind": "dns#resourceRecordSet",
-                    "type": "TXT",
-                    "name": "_acme-challenge.example.org.",
-                    "rrdatas": ["\"example-txt-contents\""],
-                    "ttl": self.record_ttl,
-                },
-            ],
-        }
-
-        changes.create.assert_called_with(body=expected_body,
-                                               managedZone=self.zone,
-                                               project=PROJECT_ID)
-
     @mock.patch('oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_name')
     @mock.patch('certbot_dns_google._internal.dns_google.open',
                 mock.mock_open(read_data='{"project_id": "' + PROJECT_ID + '"}'), create=True)
     def test_del_txt_record_error_during_zone_lookup(self, unused_credential_mock):
-        client, changes = self._setUp_client_with_mock(API_ERROR)
+        client, unused_changes = self._setUp_client_with_mock(API_ERROR)
+
         client.del_txt_record(DOMAIN, self.record_name, self.record_content, self.record_ttl)
-        changes.create.assert_not_called()
 
     @mock.patch('oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_name')
     @mock.patch('certbot_dns_google._internal.dns_google.open',
                 mock.mock_open(read_data='{"project_id": "' + PROJECT_ID + '"}'), create=True)
     def test_del_txt_record_zone_not_found(self, unused_credential_mock):
-        client, changes = self._setUp_client_with_mock([{'managedZones': []},
+        client, unused_changes = self._setUp_client_with_mock([{'managedZones': []},
                                                                {'managedZones': []}])
+
         client.del_txt_record(DOMAIN, self.record_name, self.record_content, self.record_ttl)
-        changes.create.assert_not_called()
 
     @mock.patch('oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_name')
     @mock.patch('certbot_dns_google._internal.dns_google.open',
@@ -340,39 +276,24 @@ class GoogleClientTest(unittest.TestCase):
     @mock.patch('oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_name')
     @mock.patch('certbot_dns_google._internal.dns_google.open',
                 mock.mock_open(read_data='{"project_id": "' + PROJECT_ID + '"}'), create=True)
-    def test_get_existing_found(self, unused_credential_mock):
+    def test_get_existing(self, unused_credential_mock):
         client, unused_changes = self._setUp_client_with_mock(
             [{'managedZones': [{'id': self.zone}]}])
         # Record name mocked in setUp
         found = client.get_existing_txt_rrset(self.zone, "_acme-challenge.example.org")
-        self.assertEqual(found["rrdatas"], ["\"example-txt-contents\""])
-        self.assertEqual(found["ttl"], 60)
-
-    @mock.patch('oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_name')
-    @mock.patch('certbot_dns_google._internal.dns_google.open',
-                mock.mock_open(read_data='{"project_id": "' + PROJECT_ID + '"}'), create=True)
-    def test_get_existing_not_found(self, unused_credential_mock):
-        client, unused_changes = self._setUp_client_with_mock(
-            [{'managedZones': [{'id': self.zone}]}])
+        self.assertEqual(found, ["\"example-txt-contents\""])
         not_found = client.get_existing_txt_rrset(self.zone, "nonexistent.tld")
         self.assertEqual(not_found, None)
 
-    @mock.patch('oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_name')
-    @mock.patch('certbot_dns_google._internal.dns_google.open',
-                mock.mock_open(read_data='{"project_id": "' + PROJECT_ID + '"}'), create=True)
-    def test_get_existing_with_error(self, unused_credential_mock):
-        client, unused_changes = self._setUp_client_with_mock(
-            [{'managedZones': [{'id': self.zone}]}], API_ERROR)
-        # Record name mocked in setUp
-        found = client.get_existing_txt_rrset(self.zone, "_acme-challenge.example.org")
-        self.assertEqual(found, None)
-
     @mock.patch('oauth2client.service_account.ServiceAccountCredentials.from_json_keyfile_name')
     @mock.patch('certbot_dns_google._internal.dns_google.open',
                 mock.mock_open(read_data='{"project_id": "' + PROJECT_ID + '"}'), create=True)
     def test_get_existing_fallback(self, unused_credential_mock):
         client, unused_changes = self._setUp_client_with_mock(
-            [{'managedZones': [{'id': self.zone}]}], API_ERROR)
+            [{'managedZones': [{'id': self.zone}]}])
+        mock_execute = client.dns.resourceRecordSets.return_value.list.return_value.execute
+        mock_execute.side_effect = API_ERROR
+
         rrset = client.get_existing_txt_rrset(self.zone, "_acme-challenge.example.org")
         self.assertFalse(rrset)
 

certbot-dns-linode/certbot_dns_linode/__init__.py

@@ -3,10 +3,6 @@ The `~certbot_dns_linode.dns_linode` plugin automates the process of
 completing a ``dns-01`` challenge (`~acme.challenges.DNS01`) by creating, and
 subsequently removing, TXT records using the Linode API.
 
-.. note::
-   The plugin is not installed by default. It can be installed by heading to
-   `certbot.eff.org <https://certbot.eff.org/instructions#wildcard>`_, choosing your system and
-   selecting the Wildcard tab.
 
 Named Arguments
 ---------------

certbot-dns-linode/certbot_dns_linode/_internal/dns_linode.py

@@ -24,7 +24,7 @@ class Authenticator(dns_common.DNSAuthenticator):
     This Authenticator uses the Linode API to fulfill a dns-01 challenge.
     """
 
-    description = 'Obtain certificates using a DNS TXT record (if you are using Linode for DNS).'
+    description = 'Obtain certs using a DNS TXT record (if you are using Linode for DNS).'
 
     def __init__(self, *args, **kwargs):
         super(Authenticator, self).__init__(*args, **kwargs)

certbot-dns-linode/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.10.0.dev0'
 
 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
@@ -62,7 +62,6 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-linode/snap/hooks/post-refresh

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
+
+# get certbot version
+if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
+  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
+  exit 0
+fi
+cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
+
+# get required certbot version for plugin. certbot version must be at least the plugin's
+# version. note that this is not the required version in setup.py, but the version number itself.
+cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
+
+
+$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
+if [ "$exit_code" -eq 1 ]; then
+  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
+    "this plugin can be updated; will try again on next refresh."
+  exit 1
+fi

certbot-dns-linode/snap/snapcraft.yaml

@@ -0,0 +1,41 @@
+# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
+name: certbot-dns-linode
+summary: Linode DNS Authenticator plugin for Certbot
+description: Linode DNS Authenticator plugin for Certbot
+confinement: strict
+grade: stable
+base: core20
+adopt-info: certbot-dns-linode
+
+parts:
+  certbot-dns-linode:
+    plugin: python
+    source: .
+    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
+    override-pull: |
+        snapcraftctl pull
+        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
+    build-environment:
+      - SNAP_BUILD: "True"
+    # To build cryptography and cffi if needed
+    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
+  certbot-metadata:
+    plugin: dump
+    source: .
+    stage: [setup.py, certbot-shared]
+    override-pull: |
+        snapcraftctl pull
+        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
+
+slots:
+  certbot:
+    interface: content
+    content: certbot-1
+    read:
+      - $SNAP/lib/python3.8/site-packages
+
+plugs:
+  certbot-metadata:
+    interface: content
+    content: metadata-1
+    target: $SNAP/certbot-shared

certbot-dns-luadns/certbot_dns_luadns/__init__.py

@@ -3,10 +3,6 @@ The `~certbot_dns_luadns.dns_luadns` plugin automates the process of
 completing a ``dns-01`` challenge (`~acme.challenges.DNS01`) by creating, and
 subsequently removing, TXT records using the LuaDNS API.
 
-.. note::
-   The plugin is not installed by default. It can be installed by heading to
-   `certbot.eff.org <https://certbot.eff.org/instructions#wildcard>`_, choosing your system and
-   selecting the Wildcard tab.
 
 Named Arguments
 ---------------

certbot-dns-luadns/setup.py

@@ -6,7 +6,7 @@ from setuptools import __version__ as setuptools_version
 from setuptools import find_packages
 from setuptools import setup
 
-version = '1.11.0.dev0'
+version = '1.10.0.dev0'
 
 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
@@ -63,7 +63,6 @@ setup(
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
         'Topic :: System :: Installation/Setup',

certbot-dns-luadns/snap/hooks/post-refresh

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
+
+# get certbot version
+if [ ! -f "$SNAP/certbot-shared/certbot-version.txt" ]; then
+  echo "No certbot version available; not doing version comparison check" >> "$SNAP_DATA/debuglog"
+  exit 0
+fi
+cb_installed=$(cat $SNAP/certbot-shared/certbot-version.txt)
+
+# get required certbot version for plugin. certbot version must be at least the plugin's
+# version. note that this is not the required version in setup.py, but the version number itself.
+cb_required=$(grep -oP "version = '\K.*(?=')" $SNAP/setup.py)
+
+
+$SNAP/bin/python3 -c "import sys; from packaging import version; sys.exit(1) if  version.parse('$cb_installed') < version.parse('$cb_required') else sys.exit(0)" || exit_code=$?
+if [ "$exit_code" -eq 1 ]; then
+  echo "Certbot is version $cb_installed but needs to be at least $cb_required before" \
+    "this plugin can be updated; will try again on next refresh."
+  exit 1
+fi

certbot-dns-luadns/snap/snapcraft.yaml

@@ -0,0 +1,41 @@
+# This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
+name: certbot-dns-luadns
+summary: LuaDNS Authenticator plugin for Certbot
+description: LuaDNS Authenticator plugin for Certbot
+confinement: strict
+grade: stable
+base: core20
+adopt-info: certbot-dns-luadns
+
+parts:
+  certbot-dns-luadns:
+    plugin: python
+    source: .
+    constraints: [$SNAPCRAFT_PART_SRC/snap-constraints.txt]
+    override-pull: |
+        snapcraftctl pull
+        snapcraftctl set-version `grep ^version $SNAPCRAFT_PART_SRC/setup.py | cut -f2 -d= | tr -d "'[:space:]"`
+    build-environment:
+      - SNAP_BUILD: "True"
+    # To build cryptography and cffi if needed
+    build-packages: [gcc, libffi-dev, libssl-dev, python3-dev]
+  certbot-metadata:
+    plugin: dump
+    source: .
+    stage: [setup.py, certbot-shared]
+    override-pull: |
+        snapcraftctl pull
+        mkdir -p $SNAPCRAFT_PART_SRC/certbot-shared
+
+slots:
+  certbot:
+    interface: content
+    content: certbot-1
+    read:
+      - $SNAP/lib/python3.8/site-packages
+
+plugs:
+  certbot-metadata:
+    interface: content
+    content: metadata-1
+    target: $SNAP/certbot-shared