Change tests path in tox.ini

Exclude pycache and .py[cod]
Refactor tests out of packaged module for apache plugin
2019-11-26 18:28:34 -08:00 · 2019-11-26 15:21:12 -08:00 · 2019-11-26 14:30:28 -08:00
517 changed files with 7011 additions and 11812 deletions
--- a/.azure-pipelines/INSTALL.md
+++ b/.azure-pipelines/INSTALL.md
@@ -69,12 +69,12 @@ Access can be defined for all or only selected repositories, which is nice.
 ```

 - Redirected to Azure DevOps, select the account created in _Having an Azure DevOps account_ section.
- Select the organization, and click "Create a new project" (let's name it the same than the targeted github repo)
+- Select the organization, and click "Create a new project" (let's name it the same than the targetted github repo)
 - The Visibility is public, to profit from 10 parallel jobs

 ```
 !!! ACCESS !!!
-Azure Pipelines needs access to the GitHub account (in term of being able to check it is valid), and the Resources shared between the GitHub account and Azure Pipelines.
+Azure Pipelines needs access to the GitHub account (in term of beeing able to check it is valid), and the Resources shared between the GitHub account and Azure Pipelines.
 ```

 _Done. We can move to pipelines configuration._
--- a/.azure-pipelines/advanced-test.yml
+++ b/.azure-pipelines/advanced-test.yml
@@ -1,13 +0,0 @@
-# Advanced pipeline for running our full test suite on demand.
-trigger:
-  # When changing these triggers, please ensure the documentation under
-  # "Running tests in CI" is still correct.
-  - azure-test-*
-  - test-*
-pr: none
-
-jobs:
-  # Any addition here should be reflected in the advanced and release pipelines.
-  # It is advised to declare all jobs here as templates to improve maintainability.
-  - template: templates/tests-suite.yml
-  - template: templates/installer-tests.yml
--- a/.azure-pipelines/advanced.yml
+++ b/.azure-pipelines/advanced.yml
@@ -1,7 +1,9 @@
-# Advanced pipeline for running our full test suite on protected branches.
+# Advanced pipeline for isolated checks and release purpose
 trigger:
+  - test-*
  - '*.x'
-pr: none
+pr:
+  - test-*
 # This pipeline is also nightly run on master
 schedules:
  - cron: "0 4 * * *"
@@ -12,7 +14,7 @@ schedules:
    always: true

 jobs:
-  # Any addition here should be reflected in the advanced-test and release pipelines.
+  # Any addition here should be reflected in the release pipeline.
  # It is advised to declare all jobs here as templates to improve maintainability.
  - template: templates/tests-suite.yml
  - template: templates/installer-tests.yml
--- a/.azure-pipelines/release.yml
+++ b/.azure-pipelines/release.yml
@@ -6,7 +6,7 @@ trigger:
 pr: none

 jobs:
-  # Any addition here should be reflected in the advanced and advanced-test pipelines.
+  # Any addition here should be reflected in the advanced pipeline.
  # It is advised to declare all jobs here as templates to improve maintainability.
  - template: templates/tests-suite.yml
  - template: templates/installer-tests.yml
--- a/.azure-pipelines/templates/installer-tests.yml
+++ b/.azure-pipelines/templates/installer-tests.yml
@@ -1,5 +1,5 @@
 jobs:
-  - job: installer_build
+  - job: installer
    pool:
      vmImage: vs2017-win2016
    steps:
@@ -20,42 +20,13 @@ jobs:
          path: $(Build.ArtifactStagingDirectory)
          artifact: windows-installer
        displayName: Publish Windows installer
-  - job: installer_run
-    dependsOn: installer_build
-    strategy:
-      matrix:
-        win2019:
-          imageName: windows-2019
-        win2016:
-          imageName: vs2017-win2016
-    pool:
-      vmImage: $(imageName)
-    steps:
-      - powershell: |
-          $currentVersion = $PSVersionTable.PSVersion
-          if ($currentVersion.Major -ne 5) {
-              throw "Powershell version is not 5.x"
-          }
-        condition: eq(variables['imageName'], 'vs2017-win2016')
-        displayName: Check Powershell 5.x is used in vs2017-win2016
-      - task: UsePythonVersion@0
-        inputs:
-          versionSpec: 3.8
-          addToPath: true
-      - task: DownloadPipelineArtifact@2
-        inputs:
-          artifact: windows-installer
-          path: $(Build.SourcesDirectory)/bin
-        displayName: Retrieve Windows installer
+      - script: $(Build.ArtifactStagingDirectory)\certbot-beta-installer-win32.exe /S
+        displayName: Install Certbot
      - script: |
-          py -3 -m venv venv
+          python -m venv venv
          venv\Scripts\python tools\pip_install.py -e certbot-ci
        displayName: Prepare Certbot-CI
-      - script: |
-          set PATH=%ProgramFiles(x86)%\Certbot\bin;%PATH%
-          venv\Scripts\python -m pytest certbot-ci\windows_installer_integration_tests --allow-persistent-changes --installer-path $(Build.SourcesDirectory)\bin\certbot-beta-installer-win32.exe
-        displayName: Run windows installer integration tests
      - script: |
          set PATH=%ProgramFiles(x86)%\Certbot\bin;%PATH%
          venv\Scripts\python -m pytest certbot-ci\certbot_integration_tests\certbot_tests -n 4
-        displayName: Run certbot integration tests
+        displayName: Run integration tests
--- a/.azure-pipelines/templates/tests-suite.yml
+++ b/.azure-pipelines/templates/tests-suite.yml
@@ -1,34 +1,22 @@
 jobs:
  - job: test
+    pool:
+      vmImage: vs2017-win2016
    strategy:
      matrix:
-        macos-py27:
-          IMAGE_NAME: macOS-10.14
-          PYTHON_VERSION: 2.7
-          TOXENV: py27
-        macos-py38:
-          IMAGE_NAME: macOS-10.14
-          PYTHON_VERSION: 3.8
-          TOXENV: py38
-        windows-py35:
-          IMAGE_NAME: vs2017-win2016
+        py35:
          PYTHON_VERSION: 3.5
          TOXENV: py35
-        windows-py37-cover:
-          IMAGE_NAME: vs2017-win2016
+        py37-cover:
          PYTHON_VERSION: 3.7
          TOXENV: py37-cover
-        windows-integration-certbot:
-          IMAGE_NAME: vs2017-win2016
+        integration-certbot:
          PYTHON_VERSION: 3.7
          TOXENV: integration-certbot
          PYTEST_ADDOPTS: --numprocesses 4
-    pool:
-      vmImage: $(IMAGE_NAME)
+    variables:
+    - group: certbot-common
    steps:
-    - bash: brew install augeas
-      condition: startswith(variables['IMAGE_NAME'], 'macOS')
-      displayName: Install Augeas
    - task: UsePythonVersion@0
      inputs:
        versionSpec: $(PYTHON_VERSION)
@@ -37,3 +25,14 @@ jobs:
      displayName: Install dependencies
    - script: python -m tox
      displayName: Run tox
+    # We do not require codecov report upload to succeed. So to avoid to break the pipeline if
+    # something goes wrong, each command is suffixed with a command that hides any non zero exit
+    # codes and echoes an informative message instead.
+    - bash: |
+        curl -s https://codecov.io/bash -o codecov-bash || echo "Failed to download codecov-bash"
+        chmod +x codecov-bash || echo "Failed to apply execute permissions on codecov-bash"
+        ./codecov-bash -F windows  || echo "Codecov did not collect coverage reports"
+      condition: in(variables['TOXENV'], 'py37-cover', 'integration-certbot')
+      env:
+        CODECOV_TOKEN: $(codecov_token)
+      displayName: Publish coverage
--- a/.codecov.yml
+++ b/.codecov.yml
@@ -0,0 +1,18 @@
+coverage:
+  status:
+    project:
+      default: off
+      linux:
+        flags: linux
+        # Fixed target instead of auto set by #7173, can
+        # be removed when flags in Codecov are added back.
+        target: 97.4
+        threshold: 0.1
+        base: auto
+      windows:
+        flags: windows
+        # Fixed target instead of auto set by #7173, can
+        # be removed when flags in Codecov are added back.
+        target: 97.4
+        threshold: 0.1
+        base: auto
--- a/.gitignore
+++ b/.gitignore
@@ -26,7 +26,6 @@ tags
 \#*#
 .idea
 .ropeproject
-.vscode

 # auth --cert-path --chain-path
 /*.pem
@@ -35,7 +34,6 @@ tags
 tests/letstest/letest-*/
 tests/letstest/*.pem
 tests/letstest/venv/
-tests/letstest/venv3/

 .venv

--- a/.isort.cfg
+++ b/.isort.cfg
@@ -1,7 +0,0 @@
-[settings]
-skip_glob=venv*
-skip=letsencrypt-auto-source
-force_sort_within_sections=True
-force_single_line=True
-order_by_type=False
-line_length=400
--- a/.pylintrc
+++ b/.pylintrc
@@ -24,11 +24,6 @@ persistent=yes
 # usually to register additional checkers.
 load-plugins=linter_plugin

-# A comma-separated list of package or module names from where C extensions may
-# be loaded. Extensions are loading into the active Python interpreter and may
-# run arbitrary code.
-extension-pkg-whitelist=pywintypes,win32api,win32file,win32security
-

 [MESSAGES CONTROL]

@@ -46,14 +41,10 @@ extension-pkg-whitelist=pywintypes,win32api,win32file,win32security
 # --enable=similarities". If you want to run only the classes checker, but have
 # no Warning level messages displayed, use"--disable=all --enable=classes
 # --disable=W"
-# CERTBOT COMMENT
-# 1) Once certbot codebase is claimed to be compatible exclusively with Python 3,
-#    the useless-object-inheritance check can be enabled again, and code fixed accordingly.
-# 2) Check unsubscriptable-object tends to create a lot of false positives. Let's disable it.
-#    See https://github.com/PyCQA/pylint/issues/1498.
-# 3) Same as point 2 for no-value-for-parameter.
-#    See https://github.com/PyCQA/pylint/issues/2820.
-disable=fixme,locally-disabled,locally-enabled,bad-continuation,no-self-use,invalid-name,cyclic-import,duplicate-code,design,import-outside-toplevel,useless-object-inheritance,unsubscriptable-object,no-value-for-parameter,no-else-return,no-else-raise,no-else-break,no-else-continue
+disable=fixme,locally-disabled,locally-enabled,abstract-class-not-used,abstract-class-little-used,bad-continuation,no-self-use,invalid-name,cyclic-import,duplicate-code,design
+# abstract-class-not-used cannot be disabled locally (at least in
+# pylint 1.4.1), same for abstract-class-little-used
+

 [REPORTS]

--- a/.travis.yml
+++ b/.travis.yml
@@ -6,6 +6,7 @@ cache:
        - $HOME/.cache/pip

 before_script:
+  - 'if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then ulimit -n 1024 ; fi'
  # On Travis, the fastest parallelization for integration tests has proved to be 4.
  - 'if [[ "$TOXENV" == *"integration"* ]]; then export PYTEST_ADDOPTS="--numprocesses 4"; fi'
  # Use Travis retry feature for farm tests since they are flaky
@@ -13,19 +14,17 @@ before_script:
  - export TOX_TESTENV_PASSENV=TRAVIS

 # Only build pushes to the master branch, PRs, and branches beginning with
-# `test-`, `travis-test-`, or of the form `digit(s).digit(s).x`. This reduces
-# the number of simultaneous Travis runs, which speeds turnaround time on
-# review since there is a cap of on the number of simultaneous runs.
+# `test-` or of the form `digit(s).digit(s).x`. This reduces the number of
+# simultaneous Travis runs, which speeds turnaround time on review since there
+# is a cap of on the number of simultaneous runs.
 branches:
-  # When changing these branches, please ensure the documentation under
-  # "Running tests in CI" is still correct.
  only:
    # apache-parser-v2 is a temporary branch for doing work related to
    # rewriting the parser in the Apache plugin.
    - apache-parser-v2
    - master
    - /^\d+\.\d+\.x$/
-    - /^(travis-)?test-.*$/
+    - /^test-.*$/

 # Jobs for the main test suite are always executed (including on PRs) except for pushes on master.
 not-on-master: &not-on-master
@@ -44,12 +43,15 @@ matrix:
      <<: *not-on-master

    # This job is always executed, including on master
-    - python: "3.8"
-      env: TOXENV=py38-cover FYI="py38 tests + code coverage"
+    - python: "2.7"
+      env: TOXENV=py27-cover FYI="py27 tests + code coverage"

-    - python: "3.7"
+    - python: "2.7"
      env: TOXENV=lint
      <<: *not-on-master
+    - python: "3.4"
+      env: TOXENV=mypy
+      <<: *not-on-master
    - python: "3.5"
      env: TOXENV=mypy
      <<: *not-on-master
@@ -58,13 +60,16 @@ matrix:
      # cryptography we support cannot be compiled against the version of
      # OpenSSL in Xenial or newer.
      dist: trusty
-      env: TOXENV='py27-{acme,apache,apache-v2,certbot,dns,nginx}-oldest'
+      env: TOXENV='py27-{acme,apache,certbot,dns,nginx}-oldest'
      <<: *not-on-master
-    - python: "2.7"
-      env: TOXENV=py27
+    - python: "3.4"
+      env: TOXENV=py34
      <<: *not-on-master
-    - python: "3.5"
-      env: TOXENV=py35
+    - python: "3.7"
+      env: TOXENV=py37
+      <<: *not-on-master
+    - python: "3.8"
+      env: TOXENV=py38
      <<: *not-on-master
    - sudo: required
      env: TOXENV=apache_compat
@@ -90,24 +95,24 @@ matrix:
      before_install:
      addons:
      <<: *extended-test-suite
-    - python: "3.7"
+    - python: "2.7"
      env:
        - TOXENV=travis-test-farm-apache2
        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
      <<: *extended-test-suite
-    - python: "3.7"
+    - python: "2.7"
      env:
        - TOXENV=travis-test-farm-leauto-upgrades
        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
      git:
        depth: false  # This is needed to have the history to checkout old versions of certbot-auto.
      <<: *extended-test-suite
-    - python: "3.7"
+    - python: "2.7"
      env:
        - TOXENV=travis-test-farm-certonly-standalone
        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
      <<: *extended-test-suite
-    - python: "3.7"
+    - python: "2.7"
      env:
        - TOXENV=travis-test-farm-sdists
        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
@@ -161,12 +166,31 @@ matrix:
      sudo: required
      services: docker
      <<: *extended-test-suite
+    - python: "3.4"
+      env: TOXENV=py34
+      <<: *extended-test-suite
+    - python: "3.5"
+      env: TOXENV=py35
+      <<: *extended-test-suite
    - python: "3.6"
      env: TOXENV=py36
      <<: *extended-test-suite
    - python: "3.7"
      env: TOXENV=py37
      <<: *extended-test-suite
+    - python: "3.8-dev"
+      env: TOXENV=py38
+      <<: *extended-test-suite
+    - python: "3.4"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.4"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
    - python: "3.5"
      env: ACME_SERVER=boulder-v1 TOXENV=integration
      sudo: required
@@ -197,10 +221,10 @@ matrix:
      sudo: required
      services: docker
      <<: *extended-test-suite
-    - python: "3.8"
+    - python: "3.8-dev"
      env: ACME_SERVER=boulder-v1 TOXENV=integration
      <<: *extended-test-suite
-    - python: "3.8"
+    - python: "3.8-dev"
      env: ACME_SERVER=boulder-v2 TOXENV=integration
      <<: *extended-test-suite
    - sudo: required
@@ -211,10 +235,6 @@ matrix:
      env: TOXENV=le_auto_centos6
      services: docker
      <<: *extended-test-suite
-    - sudo: required
-      env: TOXENV=le_auto_oraclelinux6
-      services: docker
-      <<: *extended-test-suite
    - sudo: required
      env: TOXENV=docker_dev
      services: docker
@@ -223,6 +243,30 @@ matrix:
          packages:  # don't install nginx and apache
            - libaugeas0
      <<: *extended-test-suite
+    - language: generic
+      env: TOXENV=py27
+      os: osx
+      # Using this osx_image is a workaround for
+      # https://travis-ci.community/t/xcode-8-3-homebrew-outdated-error/3798.
+      osx_image: xcode10.2
+      addons:
+        homebrew:
+          packages:
+            - augeas
+            - python2
+      <<: *extended-test-suite
+    - language: generic
+      env: TOXENV=py3
+      os: osx
+      # Using this osx_image is a workaround for
+      # https://travis-ci.community/t/xcode-8-3-homebrew-outdated-error/3798.
+      osx_image: xcode10.2
+      addons:
+        homebrew:
+          packages:
+            - augeas
+            - python3
+      <<: *extended-test-suite

 # container-based infrastructure
 sudo: false
@@ -244,20 +288,19 @@ addons:
 # except in tests where the environment variable CERTBOT_NO_PIN is set.
 # virtualenv is listed here explicitly to make sure it is upgraded when
 # CERTBOT_NO_PIN is set to work around failures we've seen when using an older
-# version of virtualenv. The option "-I" is set so when CERTBOT_NO_PIN is also
-# set, pip updates dependencies it thinks are already satisfied to avoid some
-# problems with its lack of real dependency resolution.
-install: 'tools/pip_install.py -I tox virtualenv'
+# version of virtualenv.
+install: 'tools/pip_install.py -U codecov tox virtualenv'
 # Most of the time TRAVIS_RETRY is an empty string, and has no effect on the
 # script command. It is set only to `travis_retry` during farm tests, in
 # order to trigger the Travis retry feature, and compensate the inherent
 # flakiness of these specific tests.
 script: '$TRAVIS_RETRY tox'

+after_success: '[ "$TOXENV" == "py27-cover" ] && codecov -F linux'
+
 notifications:
  email: false
  irc:
-    if: NOT branch =~ ^(travis-)?test-.*$
    channels:
      # This is set to a secure variable to prevent forks from sending
      # notifications. This value was created by installing
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -21,7 +21,6 @@ Authors
 * [Andrzej Górski](https://github.com/andrzej3393)
 * [Anselm Levskaya](https://github.com/levskaya)
 * [Antoine Jacoutot](https://github.com/ajacoutot)
-* [April King](https://github.com/april)
 * [asaph](https://github.com/asaph)
 * [Axel Beckert](https://github.com/xtaran)
 * [Bas](https://github.com/Mechazawa)
@@ -37,7 +36,6 @@ Authors
 * [Brad Warren](https://github.com/bmw)
 * [Brandon Kraft](https://github.com/kraftbj)
 * [Brandon Kreisel](https://github.com/kraftbj)
-* [Cameron Steel](https://github.com/Tugzrida)
 * [Ceesjan Luiten](https://github.com/quinox)
 * [Chad Whitacre](https://github.com/whit537)
 * [Chhatoi Pritam Baral](https://github.com/pritambaral)
@@ -102,9 +100,7 @@ Authors
 * [Harlan Lieberman-Berg](https://github.com/hlieberman)
 * [Henri Salo](https://github.com/fgeek)
 * [Henry Chen](https://github.com/henrychen95)
-* [Hugo van Kemenade](https://github.com/hugovk)
 * [Ingolf Becker](https://github.com/watercrossing)
-* [Ivan Nejgebauer](https://github.com/inejge)
 * [Jaap Eldering](https://github.com/eldering)
 * [Jacob Hoffman-Andrews](https://github.com/jsha)
 * [Jacob Sachs](https://github.com/jsachs)
@@ -128,7 +124,6 @@ Authors
 * [Jonathan Herlin](https://github.com/Jonher937)
 * [Jon Walsh](https://github.com/code-tree)
 * [Joona Hoikkala](https://github.com/joohoi)
-* [Josh McCullough](https://github.com/JoshMcCullough)
 * [Josh Soref](https://github.com/jsoref)
 * [Joubin Jabbari](https://github.com/joubin)
 * [Juho Juopperi](https://github.com/jkjuopperi)
@@ -268,6 +263,5 @@ Authors
 * [Yomna](https://github.com/ynasser)
 * [Yoni Jah](https://github.com/yonjah)
 * [YourDaddyIsHere](https://github.com/YourDaddyIsHere)
-* [Yuseong Cho](https://github.com/g6123)
 * [Zach Shepherd](https://github.com/zjs)
 * [陈三](https://github.com/chenxsan)
--- a/9
+++ b/9
@@ -6,15 +6,16 @@ EXPOSE 80 443

 WORKDIR /opt/certbot/src

+# TODO: Install Apache/Nginx for plugin development.
 COPY . .
 RUN apt-get update && \
-    apt-get install apache2 git python3-dev python3-venv gcc libaugeas0 \
-                    libssl-dev libffi-dev ca-certificates openssl nginx-light -y && \
+    apt-get install apache2 git nginx-light -y && \
+    letsencrypt-auto-source/letsencrypt-auto --os-packages-only && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* \
           /tmp/* \
           /var/tmp/*

-RUN VENV_NAME="../venv3" python3 tools/venv3.py
+RUN VENV_NAME="../venv" python tools/venv.py

-ENV PATH /opt/certbot/venv3/bin:$PATH
+ENV PATH /opt/certbot/venv/bin:$PATH
--- a/acme/MANIFEST.in
+++ b/acme/MANIFEST.in
@@ -3,6 +3,4 @@ include README.rst
 include pytest.ini
 recursive-include docs *
 recursive-include examples *
-recursive-include tests *
-global-exclude __pycache__
-global-exclude *.py[cod]
+recursive-include acme/testdata *
--- a/acme/acme/init.py
+++ b/acme/acme/init.py
@@ -13,6 +13,7 @@ import warnings
 #
 # It is based on
 # https://github.com/requests/requests/blob/1278ecdf71a312dc2268f3bfc0aabfab3c006dcf/requests/packages.py
+
 import josepy as jose

 for mod in list(sys.modules):
--- a/acme/acme/challenges.py
+++ b/acme/acme/challenges.py
@@ -1,22 +1,15 @@
 """ACME Identifier Validation Challenges."""
 import abc
-import codecs
 import functools
 import hashlib
 import logging
-import socket

 from cryptography.hazmat.primitives import hashes  # type: ignore
 import josepy as jose
 import requests
 import six
-from OpenSSL import SSL  # type: ignore # https://github.com/python/typeshed/issues/2052
-from OpenSSL import crypto

-from acme import crypto_util
-from acme import errors
 from acme import fields
-from acme.mixins import ResourceMixin, TypeMixin

 logger = logging.getLogger(__name__)

@@ -35,7 +28,7 @@ class Challenge(jose.TypedJSONObjectWithFields):
            return UnrecognizedChallenge.from_json(jobj)


-class ChallengeResponse(ResourceMixin, TypeMixin, jose.TypedJSONObjectWithFields):
+class ChallengeResponse(jose.TypedJSONObjectWithFields):
    # _fields_to_partial_json
    """ACME challenge response."""
    TYPES = {}  # type: dict
@@ -61,7 +54,8 @@ class UnrecognizedChallenge(Challenge):
        object.__setattr__(self, "jobj", jobj)

    def to_partial_json(self):
-        return self.jobj  # pylint: disable=no-member
+        # pylint: disable=no-member
+        return self.jobj

    @classmethod
    def from_json(cls, jobj):
@@ -119,7 +113,7 @@ class KeyAuthorizationChallengeResponse(ChallengeResponse):
        :rtype: bool

        """
-        parts = self.key_authorization.split('.')
+        parts = self.key_authorization.split('.')  # pylint: disable=no-member
        if len(parts) != 2:
            logger.debug("Key authorization (%r) is not well formed",
                         self.key_authorization)
@@ -310,7 +304,7 @@ class HTTP01Response(KeyAuthorizationChallengeResponse):
        uri = chall.uri(domain)
        logger.debug("Verifying %s at %s...", chall.typ, uri)
        try:
-            http_response = requests.get(uri, verify=False)
+            http_response = requests.get(uri)
        except requests.exceptions.RequestException as error:
            logger.error("Unable to reach %s: %s", uri, error)
            return False
@@ -369,163 +363,29 @@ class HTTP01(KeyAuthorizationChallenge):

@ChallengeResponse.register
 class TLSALPN01Response(KeyAuthorizationChallengeResponse):
-    """ACME tls-alpn-01 challenge response."""
+    """ACME TLS-ALPN-01 challenge response.
+
+    This class only allows initiating a TLS-ALPN-01 challenge returned from the
+    CA. Full support for responding to TLS-ALPN-01 challenges by generating and
+    serving the expected response certificate is not currently provided.
+    """
    typ = "tls-alpn-01"

-    PORT = 443
-    """Verification port as defined by the protocol.

-    You can override it (e.g. for testing) by passing ``port`` to
-    `simple_verify`.
+@Challenge.register
+class TLSALPN01(KeyAuthorizationChallenge):
+    """ACME tls-alpn-01 challenge.
+
+    This class simply allows parsing the TLS-ALPN-01 challenge returned from
+    the CA. Full TLS-ALPN-01 support is not currently provided.

    """
-
-    ID_PE_ACME_IDENTIFIER_V1 = b"1.3.6.1.5.5.7.1.30.1"
-    ACME_TLS_1_PROTOCOL = "acme-tls/1"
-
-    @property
-    def h(self):
-        """Hash value stored in challenge certificate"""
-        return hashlib.sha256(self.key_authorization.encode('utf-8')).digest()
-
-    def gen_cert(self, domain, key=None, bits=2048):
-        """Generate tls-alpn-01 certificate.
-
-        :param unicode domain: Domain verified by the challenge.
-        :param OpenSSL.crypto.PKey key: Optional private key used in
-            certificate generation. If not provided (``None``), then
-            fresh key will be generated.
-        :param int bits: Number of bits for newly generated key.
-
-        :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey`
-
-        """
-        if key is None:
-            key = crypto.PKey()
-            key.generate_key(crypto.TYPE_RSA, bits)
-
-
-        der_value = b"DER:" + codecs.encode(self.h, 'hex')
-        acme_extension = crypto.X509Extension(self.ID_PE_ACME_IDENTIFIER_V1,
-                critical=True, value=der_value)
-
-        return crypto_util.gen_ss_cert(key, [domain], force_san=True,
-                extensions=[acme_extension]), key
-
-    def probe_cert(self, domain, host=None, port=None):
-        """Probe tls-alpn-01 challenge certificate.
-
-        :param unicode domain: domain being validated, required.
-        :param string host: IP address used to probe the certificate.
-        :param int port: Port used to probe the certificate.
-
-        """
-        if host is None:
-            host = socket.gethostbyname(domain)
-            logger.debug('%s resolved to %s', domain, host)
-        if port is None:
-            port = self.PORT
-
-        return crypto_util.probe_sni(host=host, port=port, name=domain,
-                alpn_protocols=[self.ACME_TLS_1_PROTOCOL])
-
-    def verify_cert(self, domain, cert):
-        """Verify tls-alpn-01 challenge certificate.
-
-        :param unicode domain: Domain name being validated.
-        :param OpensSSL.crypto.X509 cert: Challenge certificate.
-
-        :returns: Whether the certificate was successfully verified.
-        :rtype: bool
-
-        """
-        # pylint: disable=protected-access
-        names = crypto_util._pyopenssl_cert_or_req_all_names(cert)
-        logger.debug('Certificate %s. SANs: %s', cert.digest('sha256'), names)
-        if len(names) != 1 or names[0].lower() != domain.lower():
-            return False
-
-        for i in range(cert.get_extension_count()):
-            ext = cert.get_extension(i)
-            # FIXME: assume this is the ACME extension. Currently there is no
-            # way to get full OID of an unknown extension from pyopenssl.
-            if ext.get_short_name() == b'UNDEF':
-                data = ext.get_data()
-                return data == self.h
-
-        return False
-
-    # pylint: disable=too-many-arguments
-    def simple_verify(self, chall, domain, account_public_key,
-                      cert=None, host=None, port=None):
-        """Simple verify.
-
-        Verify ``validation`` using ``account_public_key``, optionally
-        probe tls-alpn-01 certificate and check using `verify_cert`.
-
-        :param .challenges.TLSALPN01 chall: Corresponding challenge.
-        :param str domain: Domain name being validated.
-        :param JWK account_public_key:
-        :param OpenSSL.crypto.X509 cert: Optional certificate. If not
-            provided (``None``) certificate will be retrieved using
-            `probe_cert`.
-        :param string host: IP address used to probe the certificate.
-        :param int port: Port used to probe the certificate.
-
-
-        :returns: ``True`` if and only if client's control of the domain has been verified.
-        :rtype: bool
-
-        """
-        if not self.verify(chall, account_public_key):
-            logger.debug("Verification of key authorization in response failed")
-            return False
-
-        if cert is None:
-            try:
-                cert = self.probe_cert(domain=domain, host=host, port=port)
-            except errors.Error as error:
-                logger.debug(str(error), exc_info=True)
-                return False
-
-        return self.verify_cert(domain, cert)
-
-
-@Challenge.register  # pylint: disable=too-many-ancestors
-class TLSALPN01(KeyAuthorizationChallenge):
-    """ACME tls-alpn-01 challenge."""
+    typ = "tls-alpn-01"
    response_cls = TLSALPN01Response
-    typ = response_cls.typ

    def validation(self, account_key, **kwargs):
-        """Generate validation.
-
-        :param JWK account_key:
-        :param unicode domain: Domain verified by the challenge.
-        :param OpenSSL.crypto.PKey cert_key: Optional private key used
-            in certificate generation. If not provided (``None``), then
-            fresh key will be generated.
-
-        :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey`
-
-        """
-        return self.response(account_key).gen_cert(
-            key=kwargs.get('cert_key'),
-            domain=kwargs.get('domain'))
-
-    @staticmethod
-    def is_supported():
-        """
-        Check if TLS-ALPN-01 challenge is supported on this machine.
-        This implies that a recent version of OpenSSL is installed (>= 1.0.2),
-        or a recent cryptography version shipped with the OpenSSL library is installed.
-
-        :returns: ``True`` if TLS-ALPN-01 is supported on this machine, ``False`` otherwise.
-        :rtype: bool
-
-        """
-        return (hasattr(SSL.Connection, "set_alpn_protos")
-                and hasattr(SSL.Context, "set_alpn_select_callback"))
+        """Generate validation for the challenge."""
+        raise NotImplementedError()


@Challenge.register
--- a/acme/tests/challenges_test.py
+++ b/acme/tests/challenges_test.py
@@ -2,17 +2,12 @@
 import unittest

 import josepy as jose
-import OpenSSL
-try:
-    import mock
-except ImportError: # pragma: no cover
-    from unittest import mock # type: ignore
+import mock
 import requests
-from six.moves.urllib import parse as urllib_parse

-from acme import errors
+from six.moves.urllib import parse as urllib_parse  # pylint: disable=relative-import

-import test_util
+from acme import test_util

 CERT = test_util.load_comparable_cert('cert.pem')
 KEY = jose.JWKRSA(key=test_util.load_rsa_private_key('rsa512_key.pem'))
@@ -24,6 +19,7 @@ class ChallengeTest(unittest.TestCase):
        from acme.challenges import Challenge
        from acme.challenges import UnrecognizedChallenge
        chall = UnrecognizedChallenge({"type": "foo"})
+        # pylint: disable=no-member
        self.assertEqual(chall, Challenge.from_json(chall.jobj))


@@ -187,7 +183,7 @@ class HTTP01ResponseTest(unittest.TestCase):
        mock_get.return_value = mock.MagicMock(text=validation)
        self.assertTrue(self.response.simple_verify(
            self.chall, "local", KEY.public_key()))
-        mock_get.assert_called_once_with(self.chall.uri("local"), verify=False)
+        mock_get.assert_called_once_with(self.chall.uri("local"))

    @mock.patch("acme.challenges.requests.get")
    def test_simple_verify_bad_validation(self, mock_get):
@@ -203,7 +199,7 @@ class HTTP01ResponseTest(unittest.TestCase):
                  HTTP01Response.WHITESPACE_CUTSET))
        self.assertTrue(self.response.simple_verify(
            self.chall, "local", KEY.public_key()))
-        mock_get.assert_called_once_with(self.chall.uri("local"), verify=False)
+        mock_get.assert_called_once_with(self.chall.uri("local"))

    @mock.patch("acme.challenges.requests.get")
    def test_simple_verify_connection_error(self, mock_get):
@@ -262,87 +258,30 @@ class HTTP01Test(unittest.TestCase):
 class TLSALPN01ResponseTest(unittest.TestCase):

    def setUp(self):
-        from acme.challenges import TLSALPN01
-        self.chall = TLSALPN01(
-            token=jose.b64decode(b'a82d5ff8ef740d12881f6d3c2277ab2e'))
-        self.domain = u'example.com'
-        self.domain2 = u'example2.com'
-
-        self.response = self.chall.response(KEY)
+        from acme.challenges import TLSALPN01Response
+        self.msg = TLSALPN01Response(key_authorization=u'foo')
        self.jmsg = {
            'resource': 'challenge',
            'type': 'tls-alpn-01',
-            'keyAuthorization': self.response.key_authorization,
+            'keyAuthorization': u'foo',
        }

+        from acme.challenges import TLSALPN01
+        self.chall = TLSALPN01(token=(b'x' * 16))
+        self.response = self.chall.response(KEY)
+
    def test_to_partial_json(self):
        self.assertEqual({k: v for k, v in self.jmsg.items() if k != 'keyAuthorization'},
-                         self.response.to_partial_json())
+                         self.msg.to_partial_json())

    def test_from_json(self):
        from acme.challenges import TLSALPN01Response
-        self.assertEqual(self.response, TLSALPN01Response.from_json(self.jmsg))
+        self.assertEqual(self.msg, TLSALPN01Response.from_json(self.jmsg))

    def test_from_json_hashable(self):
        from acme.challenges import TLSALPN01Response
        hash(TLSALPN01Response.from_json(self.jmsg))

-    def test_gen_verify_cert(self):
-        key1 = test_util.load_pyopenssl_private_key('rsa512_key.pem')
-        cert, key2 = self.response.gen_cert(self.domain, key1)
-        self.assertEqual(key1, key2)
-        self.assertTrue(self.response.verify_cert(self.domain, cert))
-
-    def test_gen_verify_cert_gen_key(self):
-        cert, key = self.response.gen_cert(self.domain)
-        self.assertTrue(isinstance(key, OpenSSL.crypto.PKey))
-        self.assertTrue(self.response.verify_cert(self.domain, cert))
-
-    def test_verify_bad_cert(self):
-        self.assertFalse(self.response.verify_cert(self.domain,
-            test_util.load_cert('cert.pem')))
-
-    def test_verify_bad_domain(self):
-        key1 = test_util.load_pyopenssl_private_key('rsa512_key.pem')
-        cert, key2 = self.response.gen_cert(self.domain, key1)
-        self.assertEqual(key1, key2)
-        self.assertFalse(self.response.verify_cert(self.domain2, cert))
-
-    def test_simple_verify_bad_key_authorization(self):
-        key2 = jose.JWKRSA.load(test_util.load_vector('rsa256_key.pem'))
-        self.response.simple_verify(self.chall, "local", key2.public_key())
-
-    @mock.patch('acme.challenges.TLSALPN01Response.verify_cert', autospec=True)
-    def test_simple_verify(self, mock_verify_cert):
-        mock_verify_cert.return_value = mock.sentinel.verification
-        self.assertEqual(
-            mock.sentinel.verification, self.response.simple_verify(
-                self.chall, self.domain, KEY.public_key(),
-                cert=mock.sentinel.cert))
-        mock_verify_cert.assert_called_once_with(
-            self.response, self.domain, mock.sentinel.cert)
-
-    @mock.patch('acme.challenges.socket.gethostbyname')
-    @mock.patch('acme.challenges.crypto_util.probe_sni')
-    def test_probe_cert(self, mock_probe_sni, mock_gethostbyname):
-        mock_gethostbyname.return_value = '127.0.0.1'
-        self.response.probe_cert('foo.com')
-        mock_gethostbyname.assert_called_once_with('foo.com')
-        mock_probe_sni.assert_called_once_with(
-            host='127.0.0.1', port=self.response.PORT, name='foo.com',
-            alpn_protocols=['acme-tls/1'])
-
-        self.response.probe_cert('foo.com', host='8.8.8.8')
-        mock_probe_sni.assert_called_with(
-            host='8.8.8.8', port=mock.ANY, name='foo.com',
-            alpn_protocols=['acme-tls/1'])
-
-    @mock.patch('acme.challenges.TLSALPN01Response.probe_cert')
-    def test_simple_verify_false_on_probe_error(self, mock_probe_cert):
-        mock_probe_cert.side_effect = errors.Error
-        self.assertFalse(self.response.simple_verify(
-            self.chall, self.domain, KEY.public_key()))
-

 class TLSALPN01Test(unittest.TestCase):

@@ -372,13 +311,8 @@ class TLSALPN01Test(unittest.TestCase):
        self.assertRaises(
            jose.DeserializationError, TLSALPN01.from_json, self.jmsg)

-    @mock.patch('acme.challenges.TLSALPN01Response.gen_cert')
-    def test_validation(self, mock_gen_cert):
-        mock_gen_cert.return_value = ('cert', 'key')
-        self.assertEqual(('cert', 'key'), self.msg.validation(
-            KEY, cert_key=mock.sentinel.cert_key, domain=mock.sentinel.domain))
-        mock_gen_cert.assert_called_once_with(key=mock.sentinel.cert_key,
-                                              domain=mock.sentinel.domain)
+    def test_validation(self):
+        self.assertRaises(NotImplementedError, self.msg.validation, KEY)


 class DNSTest(unittest.TestCase):
@@ -481,18 +415,5 @@ class DNSResponseTest(unittest.TestCase):
            self.msg.check_validation(self.chall, KEY.public_key()))


-class JWSPayloadRFC8555Compliant(unittest.TestCase):
-    """Test for RFC8555 compliance of JWS generated from resources/challenges"""
-    def test_challenge_payload(self):
-        from acme.challenges import HTTP01Response
-
-        challenge_body = HTTP01Response()
-        challenge_body.le_acme_version = 2
-
-        jobj = challenge_body.json_dumps(indent=2).encode()
-        # RFC8555 states that challenge responses must have an empty payload.
-        self.assertEqual(jobj, b'{}')
-
-
 if __name__ == '__main__':
    unittest.main()  # pragma: no cover
--- a/acme/acme/client.py
+++ b/acme/acme/client.py
@@ -5,27 +5,25 @@ import datetime
 from email.utils import parsedate_tz
 import heapq
 import logging
+import time
 import re
 import sys
-import time

+import six
+from six.moves import http_client  # pylint: disable=import-error
 import josepy as jose
 import OpenSSL
 import requests
 from requests.adapters import HTTPAdapter
 from requests_toolbelt.adapters.source import SourceAddressAdapter
-import six
-from six.moves import http_client

 from acme import crypto_util
 from acme import errors
 from acme import jws
 from acme import messages
-from acme.magic_typing import Dict
-from acme.magic_typing import List
-from acme.magic_typing import Set
-from acme.magic_typing import Text
-from acme.mixins import VersionedLEACMEMixin
+# pylint: disable=unused-import, no-name-in-module
+from acme.magic_typing import Dict, List, Set, Text
+

 logger = logging.getLogger(__name__)

@@ -35,9 +33,10 @@ logger = logging.getLogger(__name__)
 # https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
 if sys.version_info < (2, 7, 9):  # pragma: no cover
    try:
+        # pylint: disable=no-member
        requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()  # type: ignore
    except AttributeError:
-        import urllib3.contrib.pyopenssl
+        import urllib3.contrib.pyopenssl  # pylint: disable=import-error
        urllib3.contrib.pyopenssl.inject_into_urllib3()

 DEFAULT_NETWORK_TIMEOUT = 45
@@ -280,6 +279,7 @@ class Client(ClientBase):
        assert response.status_code == http_client.CREATED

        # "Instance of 'Field' has no key/contact member" bug:
+        # pylint: disable=no-member
        return self._regr_from_response(response)

    def query_registration(self, regr):
@@ -464,6 +464,7 @@ class Client(ClientBase):
            updated[authzr] = updated_authzr

            attempts[authzr] += 1
+            # pylint: disable=no-member
            if updated_authzr.body.status not in (
                    messages.STATUS_VALID, messages.STATUS_INVALID):
                if attempts[authzr] < max_attempts:
@@ -604,6 +605,7 @@ class ClientV2(ClientBase):
        if response.status_code == 200 and 'Location' in response.headers:
            raise errors.ConflictError(response.headers.get('Location'))
        # "Instance of 'Field' has no key/contact member" bug:
+        # pylint: disable=no-member
        regr = self._regr_from_response(response)
        self.net.account = regr
        return regr
@@ -667,7 +669,7 @@ class ClientV2(ClientBase):
        response = self._post(self.directory['newOrder'], order)
        body = messages.Order.from_json(response.json())
        authorizations = []
-        for url in body.authorizations:
+        for url in body.authorizations:  # pylint: disable=not-an-iterable
            authorizations.append(self._authzr_from_response(self._post_as_get(url), uri=url))
        return messages.OrderResource(
            body=body,
@@ -727,7 +729,7 @@ class ClientV2(ClientBase):
        for authzr in responses:
            if authzr.body.status != messages.STATUS_VALID:
                for chall in authzr.body.challenges:
-                    if chall.error is not None:
+                    if chall.error != None:
                        failed.append(authzr)
        if failed:
            raise errors.ValidationError(failed)
@@ -777,13 +779,29 @@ class ClientV2(ClientBase):

    def _post_as_get(self, *args, **kwargs):
        """
-        Send GET request using the POST-as-GET protocol.
+        Send GET request using the POST-as-GET protocol if needed.
+        The request will be first issued using POST-as-GET for ACME v2. If the ACME CA servers do
+        not support this yet and return an error, request will be retried using GET.
+        For ACME v1, only GET request will be tried, as POST-as-GET is not supported.
        :param args:
        :param kwargs:
        :return:
        """
-        new_args = args[:1] + (None,) + args[1:]
-        return self._post(*new_args, **kwargs)
+        if self.acme_version >= 2:
+            # We add an empty payload for POST-as-GET requests
+            new_args = args[:1] + (None,) + args[1:]
+            try:
+                return self._post(*new_args, **kwargs)
+            except messages.Error as error:
+                if error.code == 'malformed':
+                    logger.debug('Error during a POST-as-GET request, '
+                                 'your ACME CA server may not support it:\n%s', error)
+                    logger.debug('Retrying request with GET.')
+                else:  # pragma: no cover
+                    raise
+
+        # If POST-as-GET is not supported yet, we use a GET instead.
+        return self.net.get(*args, **kwargs)


 class BackwardsCompatibleClientV2(object):
@@ -943,7 +961,7 @@ class ClientNetwork(object):
    :param messages.RegistrationResource account: Account object. Required if you are
            planning to use .post() with acme_version=2 for anything other than
            creating a new account; may be set later after registering.
-    :param josepy.JWASignature alg: Algorithm to use in signing JWS.
+    :param josepy.JWASignature alg: Algoritm to use in signing JWS.
    :param bool verify_ssl: Whether to verify certificates on SSL connections.
    :param str user_agent: String to send as User-Agent header.
    :param float timeout: Timeout for requests.
@@ -988,8 +1006,6 @@ class ClientNetwork(object):
        :rtype: `josepy.JWS`

        """
-        if isinstance(obj, VersionedLEACMEMixin):
-            obj.le_acme_version = acme_version
        jobj = obj.json_dumps(indent=2).encode() if obj else b''
        logger.debug('JWS payload:\n%s', jobj)
        kwargs = {
@@ -1025,9 +1041,6 @@ class ClientNetwork(object):

        """
        response_ct = response.headers.get('Content-Type')
-        # Strip parameters from the media-type (rfc2616#section-3.7)
-        if response_ct:
-            response_ct = response_ct.split(';')[0].strip()
        try:
            # TODO: response.json() is called twice, once here, and
            # once in _get and _post clients
@@ -1111,9 +1124,10 @@ class ClientNetwork(object):
            err_regex = r".*host='(\S*)'.*Max retries exceeded with url\: (\/\w*).*(\[Errno \d+\])([A-Za-z ]*)"
            m = re.match(err_regex, str(e))
            if m is None:
-                raise  # pragma: no cover
-            host, path, _err_no, err_msg = m.groups()
-            raise ValueError("Requesting {0}{1}:{2}".format(host, path, err_msg))
+                raise # pragma: no cover
+            else:
+                host, path, _err_no, err_msg = m.groups()
+                raise ValueError("Requesting {0}{1}:{2}".format(host, path, err_msg))

        # If content is DER, log the base64 of it instead of raw bytes, to keep
        # binary data out of the logs.
@@ -1123,8 +1137,8 @@ class ClientNetwork(object):
            debug_content = response.content.decode("utf-8")
        logger.debug('Received response:\nHTTP %d\n%s\n\n%s',
                     response.status_code,
-                     "\n".join("{0}: {1}".format(k, v)
-                                for k, v in response.headers.items()),
+                     "\n".join(["{0}: {1}".format(k, v)
+                                for k, v in response.headers.items()]),
                     debug_content)
        return response

@@ -1179,7 +1193,8 @@ class ClientNetwork(object):
            if error.code == 'badNonce':
                logger.debug('Retrying request after error:\n%s', error)
                return self._post_once(*args, **kwargs)
-            raise
+            else:
+                raise

    def _post_once(self, url, obj, content_type=JOSE_CONTENT_TYPE,
            acme_version=1, **kwargs):
--- a/acme/tests/client_test.py
+++ b/acme/tests/client_test.py
@@ -5,22 +5,21 @@ import datetime
 import json
 import unittest

+from six.moves import http_client  # pylint: disable=import-error
+
 import josepy as jose
-try:
-    import mock
-except ImportError: # pragma: no cover
-    from unittest import mock # type: ignore
+import mock
 import OpenSSL
 import requests
-from six.moves import http_client  # pylint: disable=import-error

 from acme import challenges
 from acme import errors
 from acme import jws as acme_jws
 from acme import messages
-from acme.mixins import VersionedLEACMEMixin
-import messages_test
-import test_util
+from acme import messages_test
+from acme import test_util
+from acme.magic_typing import Dict # pylint: disable=unused-import, no-name-in-module
+

 CERT_DER = test_util.load_vector('cert.der')
 CERT_SAN_PEM = test_util.load_vector('cert-san.pem')
@@ -64,7 +63,7 @@ class ClientTestBase(unittest.TestCase):
        self.contact = ('mailto:cert-admin@example.com', 'tel:+12025551212')
        reg = messages.Registration(
            contact=self.contact, key=KEY.public_key())
-        the_arg = dict(reg)  # type: Dict
+        the_arg = dict(reg) # type: Dict
        self.new_reg = messages.NewRegistration(**the_arg)
        self.regr = messages.RegistrationResource(
            body=reg, uri='https://www.letsencrypt-demo.org/acme/reg/1')
@@ -888,8 +887,21 @@ class ClientV2Test(ClientTestBase):
                new_nonce_url='https://www.letsencrypt-demo.org/acme/new-nonce')
            self.client.net.get.assert_not_called()

+            class FakeError(messages.Error):
+                """Fake error to reproduce a malformed request ACME error"""
+                def __init__(self):  # pylint: disable=super-init-not-called
+                    pass
+                @property
+                def code(self):
+                    return 'malformed'
+            self.client.net.post.side_effect = FakeError()

-class MockJSONDeSerializable(VersionedLEACMEMixin, jose.JSONDeSerializable):
+            self.client.poll(self.authzr2)  # pylint: disable=protected-access
+
+            self.client.net.get.assert_called_once_with(self.authzr2.uri)
+
+
+class MockJSONDeSerializable(jose.JSONDeSerializable):
    # pylint: disable=missing-docstring
    def __init__(self, value):
        self.value = value
@@ -953,8 +965,8 @@ class ClientNetworkTest(unittest.TestCase):

    def test_check_response_not_ok_jobj_error(self):
        self.response.ok = False
-        self.response.json.return_value = messages.Error.with_code(
-            'serverInternal', detail='foo', title='some title').to_json()
+        self.response.json.return_value = messages.Error(
+            detail='foo', typ='serverInternal', title='some title').to_json()
        # pylint: disable=protected-access
        self.assertRaises(
            messages.Error, self.net._check_response, self.response)
@@ -979,39 +991,10 @@ class ClientNetworkTest(unittest.TestCase):
        self.response.json.side_effect = ValueError
        for response_ct in [self.net.JSON_CONTENT_TYPE, 'foo']:
            self.response.headers['Content-Type'] = response_ct
-            # pylint: disable=protected-access
+            # pylint: disable=protected-access,no-value-for-parameter
            self.assertEqual(
                self.response, self.net._check_response(self.response))

-    @mock.patch('acme.client.logger')
-    def test_check_response_ok_ct_with_charset(self, mock_logger):
-        self.response.json.return_value = {}
-        self.response.headers['Content-Type'] = 'application/json; charset=utf-8'
-        # pylint: disable=protected-access
-        self.assertEqual(self.response, self.net._check_response(
-            self.response, content_type='application/json'))
-        try:
-            mock_logger.debug.assert_called_with(
-                'Ignoring wrong Content-Type (%r) for JSON decodable response',
-                'application/json; charset=utf-8'
-            )
-        except AssertionError:
-            return
-        raise AssertionError('Expected Content-Type warning ' #pragma: no cover
-            'to not have been logged')
-
-    @mock.patch('acme.client.logger')
-    def test_check_response_ok_bad_ct(self, mock_logger):
-        self.response.json.return_value = {}
-        self.response.headers['Content-Type'] = 'text/plain'
-        # pylint: disable=protected-access
-        self.assertEqual(self.response, self.net._check_response(
-            self.response, content_type='application/json'))
-        mock_logger.debug.assert_called_with(
-            'Ignoring wrong Content-Type (%r) for JSON decodable response',
-            'text/plain'
-        )
-
    def test_check_response_conflict(self):
        self.response.ok = False
        self.response.status_code = 409
@@ -1022,7 +1005,7 @@ class ClientNetworkTest(unittest.TestCase):
        self.response.json.return_value = {}
        for response_ct in [self.net.JSON_CONTENT_TYPE, 'foo']:
            self.response.headers['Content-Type'] = response_ct
-            # pylint: disable=protected-access
+            # pylint: disable=protected-access,no-value-for-parameter
            self.assertEqual(
                self.response, self.net._check_response(self.response))

@@ -1147,8 +1130,8 @@ class ClientNetworkWithMockedResponseTest(unittest.TestCase):
        self.response.headers = {}
        self.response.links = {}
        self.response.checked = False
-        self.acmev1_nonce_response = mock.MagicMock(
-            ok=False, status_code=http_client.METHOD_NOT_ALLOWED)
+        self.acmev1_nonce_response = mock.MagicMock(ok=False,
+            status_code=http_client.METHOD_NOT_ALLOWED)
        self.acmev1_nonce_response.headers = {}
        self.obj = mock.MagicMock()
        self.wrapped_obj = mock.MagicMock()
--- a/acme/acme/crypto_util.py
+++ b/acme/acme/crypto_util.py
@@ -6,14 +6,15 @@ import os
 import re
 import socket

-import josepy as jose
 from OpenSSL import crypto
-from OpenSSL import SSL  # type: ignore # https://github.com/python/typeshed/issues/2052
+from OpenSSL import SSL # type: ignore # https://github.com/python/typeshed/issues/2052
+import josepy as jose

 from acme import errors
-from acme.magic_typing import Callable
-from acme.magic_typing import Tuple
-from acme.magic_typing import Union
+# pylint: disable=unused-import, no-name-in-module
+from acme.magic_typing import Callable, Union, Tuple, Optional
+# pylint: enable=unused-import, no-name-in-module
+

 logger = logging.getLogger(__name__)

@@ -27,41 +28,19 @@ logger = logging.getLogger(__name__)
 _DEFAULT_SSL_METHOD = SSL.SSLv23_METHOD  # type: ignore


-class _DefaultCertSelection(object):
-    def __init__(self, certs):
-        self.certs = certs
-
-    def __call__(self, connection):
-        server_name = connection.get_servername()
-        return self.certs.get(server_name, None)
-
-
-class SSLSocket(object):  # pylint: disable=too-few-public-methods
+class SSLSocket(object):
    """SSL wrapper for sockets.

    :ivar socket sock: Original wrapped socket.
    :ivar dict certs: Mapping from domain names (`bytes`) to
        `OpenSSL.crypto.X509`.
    :ivar method: See `OpenSSL.SSL.Context` for allowed values.
-    :ivar alpn_selection: Hook to select negotiated ALPN protocol for
-        connection.
-    :ivar cert_selection: Hook to select certificate for connection. If given,
-        `certs` parameter would be ignored, and therefore must be empty.

    """
-    def __init__(self, sock, certs=None,
-            method=_DEFAULT_SSL_METHOD, alpn_selection=None,
-            cert_selection=None):
+    def __init__(self, sock, certs, method=_DEFAULT_SSL_METHOD):
        self.sock = sock
-        self.alpn_selection = alpn_selection
+        self.certs = certs
        self.method = method
-        if not cert_selection and not certs:
-            raise ValueError("Neither cert_selection or certs specified.")
-        if cert_selection and certs:
-            raise ValueError("Both cert_selection and certs specified.")
-        if cert_selection is None:
-            cert_selection = _DefaultCertSelection(certs)
-        self.cert_selection = cert_selection

    def __getattr__(self, name):
        return getattr(self.sock, name)
@@ -78,25 +57,24 @@ class SSLSocket(object):  # pylint: disable=too-few-public-methods
        :type connection: :class:`OpenSSL.Connection`

        """
-        pair = self.cert_selection(connection)
-        if pair is None:
-            logger.debug("Certificate selection for server name %s failed, dropping SSL",
-                         connection.get_servername())
+        server_name = connection.get_servername()
+        try:
+            key, cert = self.certs[server_name]
+        except KeyError:
+            logger.debug("Server name (%s) not recognized, dropping SSL",
+                         server_name)
            return
-        key, cert = pair
        new_context = SSL.Context(self.method)
        new_context.set_options(SSL.OP_NO_SSLv2)
        new_context.set_options(SSL.OP_NO_SSLv3)
        new_context.use_privatekey(key)
        new_context.use_certificate(cert)
-        if self.alpn_selection is not None:
-            new_context.set_alpn_select_callback(self.alpn_selection)
        connection.set_context(new_context)

    class FakeConnection(object):
        """Fake OpenSSL.SSL.Connection."""

-        # pylint: disable=missing-function-docstring
+        # pylint: disable=missing-docstring

        def __init__(self, connection):
            self._wrapped = connection
@@ -108,15 +86,13 @@ class SSLSocket(object):  # pylint: disable=too-few-public-methods
            # OpenSSL.SSL.Connection.shutdown doesn't accept any args
            return self._wrapped.shutdown()

-    def accept(self):  # pylint: disable=missing-function-docstring
+    def accept(self):  # pylint: disable=missing-docstring
        sock, addr = self.sock.accept()

        context = SSL.Context(self.method)
        context.set_options(SSL.OP_NO_SSLv2)
        context.set_options(SSL.OP_NO_SSLv3)
        context.set_tlsext_servername_callback(self._pick_certificate_cb)
-        if self.alpn_selection is not None:
-            context.set_alpn_select_callback(self.alpn_selection)

        ssl_sock = self.FakeConnection(SSL.Connection(context, sock))
        ssl_sock.set_accept_state()
@@ -132,9 +108,8 @@ class SSLSocket(object):  # pylint: disable=too-few-public-methods
        return ssl_sock, addr


-def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-arguments
-              method=_DEFAULT_SSL_METHOD, source_address=('', 0),
-              alpn_protocols=None):
+def probe_sni(name, host, port=443, timeout=300,
+              method=_DEFAULT_SSL_METHOD, source_address=('', 0)):
    """Probe SNI server for SSL certificate.

    :param bytes name: Byte string to send as the server name in the
@@ -146,8 +121,6 @@ def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-argu
    :param tuple source_address: Enables multi-path probing (selection
        of source interface). See `socket.creation_connection` for more
        info. Available only in Python 2.7+.
-    :param alpn_protocols: Protocols to request using ALPN.
-    :type alpn_protocols: `list` of `bytes`

    :raises acme.errors.Error: In case of any problems.

@@ -177,8 +150,6 @@ def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-argu
        client_ssl = SSL.Connection(context, client)
        client_ssl.set_connect_state()
        client_ssl.set_tlsext_host_name(name)  # pyOpenSSL>=0.13
-        if alpn_protocols is not None:
-            client_ssl.set_alpn_protos(alpn_protocols)
        try:
            client_ssl.do_handshake()
            client_ssl.shutdown()
@@ -269,14 +240,12 @@ def _pyopenssl_cert_or_req_san(cert_or_req):


 def gen_ss_cert(key, domains, not_before=None,
-                validity=(7 * 24 * 60 * 60), force_san=True, extensions=None):
+                validity=(7 * 24 * 60 * 60), force_san=True):
    """Generate new self-signed certificate.

    :type domains: `list` of `unicode`
    :param OpenSSL.crypto.PKey key:
    :param bool force_san:
-    :param extensions: List of additional extensions to include in the cert.
-    :type extensions: `list` of `OpenSSL.crypto.X509Extension`

    If more than one domain is provided, all of the domains are put into
    ``subjectAltName`` X.509 extension and first domain is set as the
@@ -289,13 +258,10 @@ def gen_ss_cert(key, domains, not_before=None,
    cert.set_serial_number(int(binascii.hexlify(os.urandom(16)), 16))
    cert.set_version(2)

-    if extensions is None:
-        extensions = []
-
-    extensions.append(
+    extensions = [
        crypto.X509Extension(
            b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
-    )
+    ]

    cert.get_subject().CN = domains[0]
    # TODO: what to put into cert.get_subject()?
@@ -332,6 +298,7 @@ def dump_pyopenssl_chain(chain, filetype=crypto.FILETYPE_PEM):

    def _dump_cert(cert):
        if isinstance(cert, jose.ComparableX509):
+            # pylint: disable=protected-access
            cert = cert.wrapped
        return crypto.dump_certificate(filetype, cert)

--- a/acme/tests/crypto_util_test.py
+++ b/acme/tests/crypto_util_test.py
@@ -5,18 +5,21 @@ import threading
 import time
 import unittest

+import six
+from six.moves import socketserver  #type: ignore  # pylint: disable=import-error
+
 import josepy as jose
 import OpenSSL
-import six
-from six.moves import socketserver  # type: ignore  # pylint: disable=import-error

 from acme import errors
-import test_util
+from acme import test_util
+from acme.magic_typing import List # pylint: disable=unused-import, no-name-in-module


 class SSLSocketAndProbeSNITest(unittest.TestCase):
    """Tests for acme.crypto_util.SSLSocket/probe_sni."""

+
    def setUp(self):
        self.cert = test_util.load_comparable_cert('rsa2048_cert.pem')
        key = test_util.load_pyopenssl_private_key('rsa2048_key.pem')
@@ -30,13 +33,13 @@ class SSLSocketAndProbeSNITest(unittest.TestCase):
            # six.moves.* | pylint: disable=attribute-defined-outside-init,no-init

            def server_bind(self):  # pylint: disable=missing-docstring
-                self.socket = SSLSocket(socket.socket(),
-                        certs)
+                self.socket = SSLSocket(socket.socket(), certs=certs)
                socketserver.TCPServer.server_bind(self)

        self.server = _TestServer(('', 0), socketserver.BaseRequestHandler)
        self.port = self.server.socket.getsockname()[1]
        self.server_thread = threading.Thread(
+            # pylint: disable=no-member
            target=self.server.handle_request)

    def tearDown(self):
@@ -63,7 +66,7 @@ class SSLSocketAndProbeSNITest(unittest.TestCase):

    def test_probe_connection_error(self):
        # pylint has a hard time with six
-        self.server.server_close()
+        self.server.server_close()  # pylint: disable=no-member
        original_timeout = socket.getdefaulttimeout()
        try:
            socket.setdefaulttimeout(1)
@@ -72,18 +75,6 @@ class SSLSocketAndProbeSNITest(unittest.TestCase):
            socket.setdefaulttimeout(original_timeout)


-class SSLSocketTest(unittest.TestCase):
-    """Tests for acme.crypto_util.SSLSocket."""
-
-    def test_ssl_socket_invalid_arguments(self):
-        from acme.crypto_util import SSLSocket
-        with self.assertRaises(ValueError):
-            _ = SSLSocket(None, {'sni': ('key', 'cert')},
-                    cert_selection=lambda _: None)
-        with self.assertRaises(ValueError):
-            _ = SSLSocket(None)
-
-
 class PyOpenSSLCertOrReqAllNamesTest(unittest.TestCase):
    """Test for acme.crypto_util._pyopenssl_cert_or_req_all_names."""

--- a/acme/acme/errors.py
+++ b/acme/acme/errors.py
@@ -29,12 +29,7 @@ class NonceError(ClientError):
 class BadNonce(NonceError):
    """Bad nonce error."""
    def __init__(self, nonce, error, *args, **kwargs):
-        # MyPy complains here that there is too many arguments for BaseException constructor.
-        # This is an error fixed in typeshed, see https://github.com/python/mypy/issues/4183
-        # The fix is included in MyPy>=0.740, but upgrading it would bring dozen of errors due to
-        #   new types definitions. So we ignore the error until the code base is fixed to match
-        #   with MyPy>=0.740 referential.
-        super(BadNonce, self).__init__(*args, **kwargs)  # type: ignore
+        super(BadNonce, self).__init__(*args, **kwargs)
        self.nonce = nonce
        self.error = error

@@ -53,8 +48,7 @@ class MissingNonce(NonceError):

    """
    def __init__(self, response, *args, **kwargs):
-        # See comment in BadNonce constructor above for an explanation of type: ignore here.
-        super(MissingNonce, self).__init__(*args, **kwargs)  # type: ignore
+        super(MissingNonce, self).__init__(*args, **kwargs)
        self.response = response

    def __str__(self):
@@ -89,7 +83,6 @@ class PollError(ClientError):
        return '{0}(exhausted={1!r}, updated={2!r})'.format(
            self.__class__.__name__, self.exhausted, self.updated)

-
 class ValidationError(Error):
    """Error for authorization failures. Contains a list of authorization
    resources, each of which is invalid and should have an error field.
@@ -98,11 +91,9 @@ class ValidationError(Error):
        self.failed_authzrs = failed_authzrs
        super(ValidationError, self).__init__()

-
-class TimeoutError(Error):  # pylint: disable=redefined-builtin
+class TimeoutError(Error):
    """Error for when polling an authorization or an order times out."""

-
 class IssuanceError(Error):
    """Error sent by the server after requesting issuance of a certificate."""

@@ -114,7 +105,6 @@ class IssuanceError(Error):
        self.error = error
        super(IssuanceError, self).__init__()

-
 class ConflictError(ClientError):
    """Error for when the server returns a 409 (Conflict) HTTP status.

--- a/acme/tests/errors_test.py
+++ b/acme/tests/errors_test.py
@@ -1,10 +1,7 @@
 """Tests for acme.errors."""
 import unittest

-try:
-    import mock
-except ImportError: # pragma: no cover
-    from unittest import mock # type: ignore
+import mock


 class BadNonceTest(unittest.TestCase):
@@ -38,7 +35,7 @@ class PollErrorTest(unittest.TestCase):
    def setUp(self):
        from acme.errors import PollError
        self.timeout = PollError(
-            exhausted={mock.sentinel.AR},
+            exhausted=set([mock.sentinel.AR]),
            updated={})
        self.invalid = PollError(exhausted=set(), updated={
            mock.sentinel.AR: mock.sentinel.AR2})
--- a/acme/acme/fields.py
+++ b/acme/acme/fields.py
@@ -4,6 +4,7 @@ import logging
 import josepy as jose
 import pyrfc3339

+
 logger = logging.getLogger(__name__)


--- a/acme/tests/fields_test.py
+++ b/acme/tests/fields_test.py
--- a/acme/tests/jose_test.py
+++ b/acme/tests/jose_test.py
@@ -2,7 +2,6 @@
 import importlib
 import unittest

-
 class JoseTest(unittest.TestCase):
    """Tests for acme.jose shim."""

@@ -21,10 +20,11 @@ class JoseTest(unittest.TestCase):

        # We use the imports below with eval, but pylint doesn't
        # understand that.
-        import acme  # pylint: disable=unused-import
-        import josepy  # pylint: disable=unused-import
-        acme_jose_mod = eval(acme_jose_path)  # pylint: disable=eval-used
-        josepy_mod = eval(josepy_path)  # pylint: disable=eval-used
+        # pylint: disable=eval-used,unused-variable
+        import acme
+        import josepy
+        acme_jose_mod = eval(acme_jose_path)
+        josepy_mod = eval(josepy_path)
        self.assertIs(acme_jose_mod, josepy_mod)
        self.assertIs(getattr(acme_jose_mod, attribute), getattr(josepy_mod, attribute))

--- a/acme/acme/jws.py
+++ b/acme/acme/jws.py
@@ -15,7 +15,7 @@ class Header(jose.Header):
    url = jose.Field('url', omitempty=True)

    @nonce.decoder
-    def nonce(value):  # pylint: disable=no-self-argument,missing-function-docstring
+    def nonce(value):  # pylint: disable=missing-docstring,no-self-argument
        try:
            return jose.decode_b64jose(value)
        except jose.DeserializationError as error:
@@ -40,7 +40,7 @@ class Signature(jose.Signature):
 class JWS(jose.JWS):
    """ACME-specific JWS. Includes none, url, and kid in protected header."""
    signature_cls = Signature
-    __slots__ = jose.JWS._orig_slots
+    __slots__ = jose.JWS._orig_slots  # pylint: disable=no-member

    @classmethod
    # pylint: disable=arguments-differ
--- a/acme/tests/jws_test.py
+++ b/acme/tests/jws_test.py
@@ -3,7 +3,8 @@ import unittest

 import josepy as jose

-import test_util
+from acme import test_util
+

 KEY = jose.JWKRSA.load(test_util.load_vector('rsa512_key.pem'))

--- a/acme/acme/magic_typing.py
+++ b/acme/acme/magic_typing.py
@@ -1,7 +1,6 @@
 """Shim class to not have to depend on typing module in prod."""
 import sys

-
 class TypingClass(object):
    """Ignore import errors by getting anything"""
    def __getattr__(self, name):
@@ -10,6 +9,8 @@ class TypingClass(object):
 try:
    # mypy doesn't respect modifying sys.modules
    from typing import *  # pylint: disable=wildcard-import, unused-wildcard-import
+    # pylint: disable=unused-import
    from typing import Collection, IO  # type: ignore
+    # pylint: enable=unused-import
 except ImportError:
    sys.modules[__name__] = TypingClass()
--- a/acme/tests/magic_typing_test.py
+++ b/acme/tests/magic_typing_test.py
@@ -2,10 +2,7 @@
 import sys
 import unittest

-try:
-    import mock
-except ImportError: # pragma: no cover
-    from unittest import mock # type: ignore
+import mock


 class MagicTypingTest(unittest.TestCase):
@@ -21,7 +18,7 @@ class MagicTypingTest(unittest.TestCase):
        sys.modules['typing'] = typing_class_mock
        if 'acme.magic_typing' in sys.modules:
            del sys.modules['acme.magic_typing'] # pragma: no cover
-        from acme.magic_typing import Text
+        from acme.magic_typing import Text # pylint: disable=no-name-in-module
        self.assertEqual(Text, text_mock)
        del sys.modules['acme.magic_typing']
        sys.modules['typing'] = temp_typing
@@ -34,7 +31,7 @@ class MagicTypingTest(unittest.TestCase):
        sys.modules['typing'] = None
        if 'acme.magic_typing' in sys.modules:
            del sys.modules['acme.magic_typing'] # pragma: no cover
-        from acme.magic_typing import Text
+        from acme.magic_typing import Text # pylint: disable=no-name-in-module
        self.assertTrue(Text is None)
        del sys.modules['acme.magic_typing']
        sys.modules['typing'] = temp_typing
--- a/acme/acme/messages.py
+++ b/acme/acme/messages.py
@@ -1,22 +1,18 @@
 """ACME protocol messages."""
 import json
+import six
+try:
+    from collections.abc import Hashable  # pylint: disable=no-name-in-module
+except ImportError:  # pragma: no cover
+    from collections import Hashable

 import josepy as jose
-import six

 from acme import challenges
 from acme import errors
 from acme import fields
-from acme import jws
 from acme import util
-from acme.mixins import ResourceMixin
-
-try:
-    from collections.abc import Hashable
-except ImportError:  # pragma: no cover
-    from collections import Hashable
-
-
+from acme import jws

 OLD_ERROR_PREFIX = "urn:acme:error:"
 ERROR_PREFIX = "urn:ietf:params:acme:error:"
@@ -37,7 +33,7 @@ ERROR_CODES = {
                   ' domain'),
    'dns': 'There was a problem with a DNS query during identifier validation',
    'dnssec': 'The server could not validate a DNSSEC signed domain',
-    'incorrectResponse': 'Response received didn\'t match the challenge\'s requirements',
+    'incorrectResponse': 'Response recieved didn\'t match the challenge\'s requirements',
    # deprecate invalidEmail
    'invalidEmail': 'The provided email for a registration was invalid',
    'invalidContact': 'The provided contact URI was invalid',
@@ -147,7 +143,7 @@ class _Constant(jose.JSONDeSerializable, Hashable):  # type: ignore
        if jobj not in cls.POSSIBLE_NAMES:  # pylint: disable=unsupported-membership-test
            raise jose.DeserializationError(
                '{0} not recognized'.format(cls.__name__))
-        return cls.POSSIBLE_NAMES[jobj]
+        return cls.POSSIBLE_NAMES[jobj]  # pylint: disable=unsubscriptable-object

    def __repr__(self):
        return '{0}({1})'.format(self.__class__.__name__, self.name)
@@ -246,13 +242,13 @@ class Directory(jose.JSONDeSerializable):
        try:
            return self[name.replace('_', '-')]
        except KeyError as error:
-            raise AttributeError(str(error))
+            raise AttributeError(str(error) + ': ' + name)

    def __getitem__(self, name):
        try:
            return self._jobj[self._canon_key(name)]
        except KeyError:
-            raise KeyError('Directory field "' + self._canon_key(name) + '" not found')
+            raise KeyError('Directory field not found')

    def to_partial_json(self):
        return self._jobj
@@ -357,13 +353,13 @@ class Registration(ResourceBody):


@Directory.register
-class NewRegistration(ResourceMixin, Registration):
+class NewRegistration(Registration):
    """New registration."""
    resource_type = 'new-reg'
    resource = fields.Resource(resource_type)


-class UpdateRegistration(ResourceMixin, Registration):
+class UpdateRegistration(Registration):
    """Update registration."""
    resource_type = 'reg'
    resource = fields.Resource(resource_type)
@@ -461,6 +457,7 @@ class ChallengeResource(Resource):
    @property
    def uri(self):
        """The URL of the challenge body."""
+        # pylint: disable=function-redefined,no-member
        return self.body.uri


@@ -488,7 +485,7 @@ class Authorization(ResourceBody):
    wildcard = jose.Field('wildcard', omitempty=True)

    @challenges.decoder
-    def challenges(value):  # pylint: disable=no-self-argument,missing-function-docstring
+    def challenges(value):  # pylint: disable=missing-docstring,no-self-argument
        return tuple(ChallengeBody.from_json(chall) for chall in value)

    @property
@@ -499,13 +496,13 @@ class Authorization(ResourceBody):


@Directory.register
-class NewAuthorization(ResourceMixin, Authorization):
+class NewAuthorization(Authorization):
    """New authorization."""
    resource_type = 'new-authz'
    resource = fields.Resource(resource_type)


-class UpdateAuthorization(ResourceMixin, Authorization):
+class UpdateAuthorization(Authorization):
    """Update authorization."""
    resource_type = 'authz'
    resource = fields.Resource(resource_type)
@@ -523,7 +520,7 @@ class AuthorizationResource(ResourceWithURI):


@Directory.register
-class CertificateRequest(ResourceMixin, jose.JSONObjectWithFields):
+class CertificateRequest(jose.JSONObjectWithFields):
    """ACME new-cert request.

    :ivar josepy.util.ComparableX509 csr:
@@ -549,7 +546,7 @@ class CertificateResource(ResourceWithURI):


@Directory.register
-class Revocation(ResourceMixin, jose.JSONObjectWithFields):
+class Revocation(jose.JSONObjectWithFields):
    """Revocation message.

    :ivar .ComparableX509 certificate: `OpenSSL.crypto.X509` wrapped in
@@ -585,7 +582,7 @@ class Order(ResourceBody):
    error = jose.Field('error', omitempty=True, decoder=Error.from_json)

    @identifiers.decoder
-    def identifiers(value):  # pylint: disable=no-self-argument,missing-function-docstring
+    def identifiers(value):  # pylint: disable=missing-docstring,no-self-argument
        return tuple(Identifier.from_json(identifier) for identifier in value)

 class OrderResource(ResourceWithURI):
--- a/acme/tests/messages_test.py
+++ b/acme/tests/messages_test.py
@@ -2,13 +2,12 @@
 import unittest

 import josepy as jose
-try:
-    import mock
-except ImportError: # pragma: no cover
-    from unittest import mock # type: ignore
+import mock

 from acme import challenges
-import test_util
+from acme import test_util
+from acme.magic_typing import Dict # pylint: disable=unused-import, no-name-in-module
+

 CERT = test_util.load_comparable_cert('cert.der')
 CSR = test_util.load_comparable_csr('csr.der')
@@ -20,7 +19,8 @@ class ErrorTest(unittest.TestCase):

    def setUp(self):
        from acme.messages import Error, ERROR_PREFIX
-        self.error = Error.with_code('malformed', detail='foo', title='title')
+        self.error = Error(
+            detail='foo', typ=ERROR_PREFIX + 'malformed', title='title')
        self.jobj = {
            'detail': 'foo',
            'title': 'some title',
@@ -28,6 +28,7 @@ class ErrorTest(unittest.TestCase):
        }
        self.error_custom = Error(typ='custom', detail='bar')
        self.empty_error = Error()
+        self.jobj_custom = {'type': 'custom', 'detail': 'bar'}

    def test_default_typ(self):
        from acme.messages import Error
@@ -42,7 +43,8 @@ class ErrorTest(unittest.TestCase):
        hash(Error.from_json(self.error.to_json()))

    def test_description(self):
-        self.assertEqual('The request message was malformed', self.error.description)
+        self.assertEqual(
+            'The request message was malformed', self.error.description)
        self.assertTrue(self.error_custom.description is None)

    def test_code(self):
@@ -52,17 +54,17 @@ class ErrorTest(unittest.TestCase):
        self.assertEqual(None, Error().code)

    def test_is_acme_error(self):
-        from acme.messages import is_acme_error, Error
+        from acme.messages import is_acme_error
        self.assertTrue(is_acme_error(self.error))
        self.assertFalse(is_acme_error(self.error_custom))
-        self.assertFalse(is_acme_error(Error()))
        self.assertFalse(is_acme_error(self.empty_error))
        self.assertFalse(is_acme_error("must pet all the {dogs|rabbits}"))

    def test_unicode_error(self):
-        from acme.messages import Error, is_acme_error
-        arabic_error = Error.with_code(
-            'malformed', detail=u'\u0639\u062f\u0627\u0644\u0629', title='title')
+        from acme.messages import Error, ERROR_PREFIX, is_acme_error
+        arabic_error = Error(
+                detail=u'\u0639\u062f\u0627\u0644\u0629', typ=ERROR_PREFIX + 'malformed',
+            title='title')
        self.assertTrue(is_acme_error(arabic_error))

    def test_with_code(self):
@@ -303,7 +305,8 @@ class ChallengeBodyTest(unittest.TestCase):
        from acme.messages import Error
        from acme.messages import STATUS_INVALID
        self.status = STATUS_INVALID
-        error = Error.with_code('serverInternal', detail='Unable to communicate with DNS server')
+        error = Error(typ='urn:ietf:params:acme:error:serverInternal',
+                      detail='Unable to communicate with DNS server')
        self.challb = ChallengeBody(
            uri='http://challb', chall=self.chall, status=self.status,
            error=error)
@@ -455,7 +458,6 @@ class OrderResourceTest(unittest.TestCase):
            'authorizations': None,
        })

-
 class NewOrderTest(unittest.TestCase):
    """Tests for acme.messages.NewOrder."""

@@ -470,18 +472,5 @@ class NewOrderTest(unittest.TestCase):
        })


-class JWSPayloadRFC8555Compliant(unittest.TestCase):
-    """Test for RFC8555 compliance of JWS generated from resources/challenges"""
-    def test_message_payload(self):
-        from acme.messages import NewAuthorization
-
-        new_order = NewAuthorization()
-        new_order.le_acme_version = 2
-
-        jobj = new_order.json_dumps(indent=2).encode()
-        # RFC8555 states that JWS bodies must not have a resource field.
-        self.assertEqual(jobj, b'{}')
-
-
 if __name__ == '__main__':
    unittest.main()  # pragma: no cover
--- a/acme/acme/mixins.py
+++ b/acme/acme/mixins.py
@@ -1,65 +0,0 @@
-"""Useful mixins for Challenge and Resource objects"""
-
-
-class VersionedLEACMEMixin(object):
-    """This mixin stores the version of Let's Encrypt's endpoint being used."""
-    @property
-    def le_acme_version(self):
-        """Define the version of ACME protocol to use"""
-        return getattr(self, '_le_acme_version', 1)
-
-    @le_acme_version.setter
-    def le_acme_version(self, version):
-        # We need to use object.__setattr__ to not depend on the specific implementation of
-        # __setattr__  in current class (eg. jose.TypedJSONObjectWithFields raises AttributeError
-        # for any attempt to set an attribute to make objects immutable).
-        object.__setattr__(self, '_le_acme_version', version)
-
-    def __setattr__(self, key, value):
-        if key == 'le_acme_version':
-            # Required for @property to operate properly. See comment above.
-            object.__setattr__(self, key, value)
-        else:
-            super(VersionedLEACMEMixin, self).__setattr__(key, value)  # pragma: no cover
-
-
-class ResourceMixin(VersionedLEACMEMixin):
-    """
-    This mixin generates a RFC8555 compliant JWS payload
-    by removing the `resource` field if needed (eg. ACME v2 protocol).
-    """
-    def to_partial_json(self):
-        """See josepy.JSONDeserializable.to_partial_json()"""
-        return _safe_jobj_compliance(super(ResourceMixin, self),
-                                     'to_partial_json', 'resource')
-
-    def fields_to_partial_json(self):
-        """See josepy.JSONObjectWithFields.fields_to_partial_json()"""
-        return _safe_jobj_compliance(super(ResourceMixin, self),
-                                     'fields_to_partial_json', 'resource')
-
-
-class TypeMixin(VersionedLEACMEMixin):
-    """
-    This mixin allows generation of a RFC8555 compliant JWS payload
-    by removing the `type` field if needed (eg. ACME v2 protocol).
-    """
-    def to_partial_json(self):
-        """See josepy.JSONDeserializable.to_partial_json()"""
-        return _safe_jobj_compliance(super(TypeMixin, self),
-                                     'to_partial_json', 'type')
-
-    def fields_to_partial_json(self):
-        """See josepy.JSONObjectWithFields.fields_to_partial_json()"""
-        return _safe_jobj_compliance(super(TypeMixin, self),
-                                     'fields_to_partial_json', 'type')
-
-
-def _safe_jobj_compliance(instance, jobj_method, uncompliant_field):
-    if hasattr(instance, jobj_method):
-        jobj = getattr(instance, jobj_method)()
-        if instance.le_acme_version == 2:
-            jobj.pop(uncompliant_field, None)
-        return jobj
-
-    raise AttributeError('Method {0}() is not implemented.'.format(jobj_method))  # pragma: no cover
--- a/acme/acme/standalone.py
+++ b/acme/acme/standalone.py
@@ -5,16 +5,20 @@ import logging
 import socket
 import threading

-from six.moves import BaseHTTPServer  # type: ignore
-from six.moves import http_client
-from six.moves import socketserver  # type: ignore
+from six.moves import BaseHTTPServer  # type: ignore  # pylint: disable=import-error
+from six.moves import http_client  # pylint: disable=import-error
+from six.moves import socketserver  # type: ignore  # pylint: disable=import-error

 from acme import challenges
 from acme import crypto_util
-from acme.magic_typing import List
+from acme.magic_typing import List # pylint: disable=unused-import, no-name-in-module
+

 logger = logging.getLogger(__name__)

+# six.moves.* | pylint: disable=no-member,attribute-defined-outside-init
+# pylint: disable=no-init
+

 class TLSServer(socketserver.TCPServer):
    """Generic TLS Server."""
@@ -27,27 +31,21 @@ class TLSServer(socketserver.TCPServer):
            self.address_family = socket.AF_INET
        self.certs = kwargs.pop("certs", {})
        self.method = kwargs.pop(
+            # pylint: disable=protected-access
            "method", crypto_util._DEFAULT_SSL_METHOD)
        self.allow_reuse_address = kwargs.pop("allow_reuse_address", True)
        socketserver.TCPServer.__init__(self, *args, **kwargs)

    def _wrap_sock(self):
        self.socket = crypto_util.SSLSocket(
-            self.socket, cert_selection=self._cert_selection,
-            alpn_selection=getattr(self, '_alpn_selection', None),
-            method=self.method)
+            self.socket, certs=self.certs, method=self.method)

-    def _cert_selection(self, connection):  # pragma: no cover
-        """Callback selecting certificate for connection."""
-        server_name = connection.get_servername()
-        return self.certs.get(server_name, None)
-
-    def server_bind(self):
+    def server_bind(self):  # pylint: disable=missing-docstring
        self._wrap_sock()
        return socketserver.TCPServer.server_bind(self)


-class ACMEServerMixin:
+class ACMEServerMixin:  # pylint: disable=old-style-class
    """ACME server common settings mixin."""
    # TODO: c.f. #858
    server_version = "ACME client standalone challenge solver"
@@ -108,6 +106,7 @@ class BaseDualNetworkedServers(object):
        """Wraps socketserver.TCPServer.serve_forever"""
        for server in self.servers:
            thread = threading.Thread(
+                # pylint: disable=no-member
                target=server.serve_forever)
            thread.start()
            self.threads.append(thread)
@@ -127,40 +126,6 @@ class BaseDualNetworkedServers(object):
        self.threads = []


-class TLSALPN01Server(TLSServer, ACMEServerMixin):
-    """TLSALPN01 Server."""
-
-    ACME_TLS_1_PROTOCOL = b"acme-tls/1"
-
-    def __init__(self, server_address, certs, challenge_certs, ipv6=False):
-        TLSServer.__init__(
-            self, server_address, _BaseRequestHandlerWithLogging, certs=certs,
-            ipv6=ipv6)
-        self.challenge_certs = challenge_certs
-
-    def _cert_selection(self, connection):
-        # TODO: We would like to serve challenge cert only if asked for it via
-        # ALPN. To do this, we need to retrieve the list of protos from client
-        # hello, but this is currently impossible with openssl [0], and ALPN
-        # negotiation is done after cert selection.
-        # Therefore, currently we always return challenge cert, and terminate
-        # handshake in alpn_selection() if ALPN protos are not what we expect.
-        # [0] https://github.com/openssl/openssl/issues/4952
-        server_name = connection.get_servername()
-        logger.debug("Serving challenge cert for server name %s", server_name)
-        return self.challenge_certs.get(server_name, None)
-
-    def _alpn_selection(self, _connection, alpn_protos):
-        """Callback to select alpn protocol."""
-        if len(alpn_protos) == 1 and alpn_protos[0] == self.ACME_TLS_1_PROTOCOL:
-            logger.debug("Agreed on %s ALPN", self.ACME_TLS_1_PROTOCOL)
-            return self.ACME_TLS_1_PROTOCOL
-        logger.debug("Cannot agree on ALPN proto. Got: %s", str(alpn_protos))
-        # Explicitly close the connection now, by returning an empty string.
-        # See https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_alpn_select_callback  # pylint: disable=line-too-long
-        return b""
-
-
 class HTTPServer(BaseHTTPServer.HTTPServer):
    """Generic HTTP Server."""

@@ -176,10 +141,10 @@ class HTTPServer(BaseHTTPServer.HTTPServer):
 class HTTP01Server(HTTPServer, ACMEServerMixin):
    """HTTP01 Server."""

-    def __init__(self, server_address, resources, ipv6=False, timeout=30):
+    def __init__(self, server_address, resources, ipv6=False):
        HTTPServer.__init__(
            self, server_address, HTTP01RequestHandler.partial_init(
-                simple_http_resources=resources, timeout=timeout), ipv6=ipv6)
+                simple_http_resources=resources), ipv6=ipv6)


 class HTTP01DualNetworkedServers(BaseDualNetworkedServers):
@@ -204,7 +169,6 @@ class HTTP01RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):

    def __init__(self, *args, **kwargs):
        self.simple_http_resources = kwargs.pop("simple_http_resources", set())
-        self.timeout = kwargs.pop('timeout', 30)
        BaseHTTPServer.BaseHTTPRequestHandler.__init__(self, *args, **kwargs)

    def log_message(self, format, *args):  # pylint: disable=redefined-builtin
@@ -216,7 +180,7 @@ class HTTP01RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
        self.log_message("Incoming request")
        BaseHTTPServer.BaseHTTPRequestHandler.handle(self)

-    def do_GET(self):  # pylint: disable=invalid-name,missing-function-docstring
+    def do_GET(self):  # pylint: disable=invalid-name,missing-docstring
        if self.path == "/":
            self.handle_index()
        elif self.path.startswith("/" + challenges.HTTP01.URI_ROOT_PATH):
@@ -254,7 +218,7 @@ class HTTP01RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
                         self.path)

    @classmethod
-    def partial_init(cls, simple_http_resources, timeout):
+    def partial_init(cls, simple_http_resources):
        """Partially initialize this handler.

        This is useful because `socketserver.BaseServer` takes
@@ -263,18 +227,4 @@ class HTTP01RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):

        """
        return functools.partial(
-            cls, simple_http_resources=simple_http_resources,
-            timeout=timeout)
-
-
-class _BaseRequestHandlerWithLogging(socketserver.BaseRequestHandler):
-    """BaseRequestHandler with logging."""
-
-    def log_message(self, format, *args):  # pylint: disable=redefined-builtin
-        """Log arbitrary message."""
-        logger.debug("%s - - %s", self.client_address[0], format % args)
-
-    def handle(self):
-        """Handle request."""
-        self.log_message("Incoming request")
-        socketserver.BaseRequestHandler.handle(self)
+            cls, simple_http_resources=simple_http_resources)
--- a/acme/tests/standalone_test.py
+++ b/acme/tests/standalone_test.py
@@ -3,20 +3,16 @@ import socket
 import threading
 import unittest

-import josepy as jose
-try:
-    import mock
-except ImportError: # pragma: no cover
-    from unittest import mock # type: ignore
-import requests
 from six.moves import http_client  # pylint: disable=import-error
 from six.moves import socketserver  # type: ignore  # pylint: disable=import-error

-from acme import challenges
-from acme import crypto_util
-from acme import errors
+import josepy as jose
+import mock
+import requests

-import test_util
+from acme import challenges
+from acme import test_util
+from acme.magic_typing import Set # pylint: disable=unused-import, no-name-in-module


 class TLSServerTest(unittest.TestCase):
@@ -88,81 +84,6 @@ class HTTP01ServerTest(unittest.TestCase):
    def test_http01_not_found(self):
        self.assertFalse(self._test_http01(add=False))

-    def test_timely_shutdown(self):
-        from acme.standalone import HTTP01Server
-        server = HTTP01Server(('', 0), resources=set(), timeout=0.05)
-        server_thread = threading.Thread(target=server.serve_forever)
-        server_thread.start()
-
-        client = socket.socket()
-        client.connect(('localhost', server.socket.getsockname()[1]))
-
-        stop_thread = threading.Thread(target=server.shutdown)
-        stop_thread.start()
-        server_thread.join(5.)
-
-        is_hung = server_thread.is_alive()
-        try:
-            client.shutdown(socket.SHUT_RDWR)
-        except: # pragma: no cover, pylint: disable=bare-except
-            # may raise error because socket could already be closed
-            pass
-
-        self.assertFalse(is_hung, msg='Server shutdown should not be hung')
-
-
-@unittest.skipIf(not challenges.TLSALPN01.is_supported(), "pyOpenSSL too old")
-class TLSALPN01ServerTest(unittest.TestCase):
-    """Test for acme.standalone.TLSALPN01Server."""
-
-    def setUp(self):
-        self.certs = {b'localhost': (
-            test_util.load_pyopenssl_private_key('rsa2048_key.pem'),
-            test_util.load_cert('rsa2048_cert.pem'),
-        )}
-        # Use different certificate for challenge.
-        self.challenge_certs = {b'localhost': (
-            test_util.load_pyopenssl_private_key('rsa1024_key.pem'),
-            test_util.load_cert('rsa1024_cert.pem'),
-        )}
-        from acme.standalone import TLSALPN01Server
-        self.server = TLSALPN01Server(("localhost", 0), certs=self.certs,
-                challenge_certs=self.challenge_certs)
-        # pylint: disable=no-member
-        self.thread = threading.Thread(target=self.server.serve_forever)
-        self.thread.start()
-
-    def tearDown(self):
-        self.server.shutdown()  # pylint: disable=no-member
-        self.thread.join()
-
-    # TODO: This is not implemented yet, see comments in standalone.py
-    # def test_certs(self):
-    #    host, port = self.server.socket.getsockname()[:2]
-    #    cert = crypto_util.probe_sni(
-    #        b'localhost', host=host, port=port, timeout=1)
-    #    # Expect normal cert when connecting without ALPN.
-    #    self.assertEqual(jose.ComparableX509(cert),
-    #                     jose.ComparableX509(self.certs[b'localhost'][1]))
-
-    def test_challenge_certs(self):
-        host, port = self.server.socket.getsockname()[:2]
-        cert = crypto_util.probe_sni(
-            b'localhost', host=host, port=port, timeout=1,
-            alpn_protocols=[b"acme-tls/1"])
-        #  Expect challenge cert when connecting with ALPN.
-        self.assertEqual(
-                jose.ComparableX509(cert),
-                jose.ComparableX509(self.challenge_certs[b'localhost'][1])
-        )
-
-    def test_bad_alpn(self):
-        host, port = self.server.socket.getsockname()[:2]
-        with self.assertRaises(errors.Error):
-            crypto_util.probe_sni(
-                b'localhost', host=host, port=port, timeout=1,
-                alpn_protocols=[b"bad-alpn"])
-

 class BaseDualNetworkedServersTest(unittest.TestCase):
    """Test for acme.standalone.BaseDualNetworkedServers."""
@@ -218,6 +139,7 @@ class BaseDualNetworkedServersTest(unittest.TestCase):
 class HTTP01DualNetworkedServersTest(unittest.TestCase):
    """Tests for acme.standalone.HTTP01DualNetworkedServers."""

+
    def setUp(self):
        self.account_key = jose.JWK.load(
            test_util.load_vector('rsa1024_key.pem'))
--- a/acme/tests/test_util.py
+++ b/acme/tests/test_util.py
@@ -4,12 +4,12 @@

 """
 import os
+import pkg_resources

 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 import josepy as jose
 from OpenSSL import crypto
-import pkg_resources


 def load_vector(*names):
@@ -25,7 +25,8 @@ def _guess_loader(filename, loader_pem, loader_der):
        return loader_pem
    elif ext.lower() == '.der':
        return loader_der
-    raise ValueError("Loader could not be recognized based on extension")  # pragma: no cover
+    else:  # pragma: no cover
+        raise ValueError("Loader could not be recognized based on extension")


 def load_cert(*names):
--- a/acme/tests/testdata/README
+++ b/acme/tests/testdata/README
@@ -10,8 +10,6 @@ and for the CSR:

  openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -outform DER > csr.der

-and for the certificates:
+and for the certificate:

-  openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 -outform DER > cert.der
-  openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 > rsa2048_cert.pem
-  openssl req -key rsa1024_key.pem -new -subj '/CN=example.com' -x509 > rsa1024_cert.pem
+  openssl req -key rsa2047_key.pem -new -subj '/CN=example.com' -x509 -outform DER > cert.der
--- a/acme/tests/testdata/cert-100sans.pem
+++ b/acme/tests/testdata/cert-100sans.pem
--- a/acme/tests/testdata/cert-idnsans.pem
+++ b/acme/tests/testdata/cert-idnsans.pem
--- a/acme/tests/testdata/cert-nocn.der
+++ b/acme/tests/testdata/cert-nocn.der
--- a/acme/tests/testdata/cert-san.pem
+++ b/acme/tests/testdata/cert-san.pem
--- a/acme/tests/testdata/cert.der
+++ b/acme/tests/testdata/cert.der
--- a/acme/tests/testdata/cert.pem
+++ b/acme/tests/testdata/cert.pem
--- a/acme/tests/testdata/critical-san.pem
+++ b/acme/tests/testdata/critical-san.pem
--- a/acme/tests/testdata/csr-100sans.pem
+++ b/acme/tests/testdata/csr-100sans.pem
--- a/acme/tests/testdata/csr-6sans.pem
+++ b/acme/tests/testdata/csr-6sans.pem
--- a/acme/tests/testdata/csr-idnsans.pem
+++ b/acme/tests/testdata/csr-idnsans.pem
--- a/acme/tests/testdata/csr-nosans.pem
+++ b/acme/tests/testdata/csr-nosans.pem
--- a/acme/tests/testdata/csr-san.pem
+++ b/acme/tests/testdata/csr-san.pem
--- a/acme/tests/testdata/csr.der
+++ b/acme/tests/testdata/csr.der
--- a/acme/tests/testdata/csr.pem
+++ b/acme/tests/testdata/csr.pem
--- a/acme/tests/testdata/dsa512_key.pem
+++ b/acme/tests/testdata/dsa512_key.pem
--- a/acme/tests/testdata/rsa1024_key.pem
+++ b/acme/tests/testdata/rsa1024_key.pem
--- a/acme/tests/testdata/rsa2048_cert.pem
+++ b/acme/tests/testdata/rsa2048_cert.pem
--- a/acme/tests/testdata/rsa2048_key.pem
+++ b/acme/tests/testdata/rsa2048_key.pem
--- a/acme/tests/testdata/rsa256_key.pem
+++ b/acme/tests/testdata/rsa256_key.pem
--- a/acme/tests/testdata/rsa512_key.pem
+++ b/acme/tests/testdata/rsa512_key.pem
--- a/acme/tests/util_test.py
+++ b/acme/tests/util_test.py
--- a/acme/docs/conf.py
+++ b/acme/docs/conf.py
@@ -12,8 +12,10 @@
 # All configuration values have a default; values that are commented out
 # serve to show the default.

-import os
 import sys
+import os
+import shlex
+

 here = os.path.abspath(os.path.dirname(__file__))

@@ -40,7 +42,7 @@ extensions = [
 ]

 autodoc_member_order = 'bysource'
-autodoc_default_flags = ['show-inheritance']
+autodoc_default_flags = ['show-inheritance', 'private-members']

 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
@@ -112,7 +114,7 @@ pygments_style = 'sphinx'
 #keep_warnings = False

 # If true, `todo` and `todoList` produce output, else they produce nothing.
-todo_include_todos = False
+todo_include_todos = True


 # -- Options for HTML output ----------------------------------------------
--- a/acme/examples/http01_example.py
+++ b/acme/examples/http01_example.py
@@ -26,10 +26,8 @@ Workflow:
    - Deactivate Account
 """
 from contextlib import contextmanager
-
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import rsa
-import josepy as jose
 import OpenSSL

 from acme import challenges
@@ -38,6 +36,7 @@ from acme import crypto_util
 from acme import errors
 from acme import messages
 from acme import standalone
+import josepy as jose

 # Constants:

--- a/acme/setup.py
+++ b/acme/setup.py
@@ -1,12 +1,9 @@
-from distutils.version import StrictVersion
+from setuptools import setup
+from setuptools import find_packages
+from setuptools.command.test import test as TestCommand
 import sys

-from setuptools import __version__ as setuptools_version
-from setuptools import find_packages
-from setuptools import setup
-from setuptools.command.test import test as TestCommand
-
-version = '1.4.0.dev0'
+version = '1.0.0.dev0'

 # Please update tox.ini when modifying dependency version requirements
 install_requires = [
@@ -18,6 +15,7 @@ install_requires = [
    # https://github.com/certbot/josepy/issues/13.
    'josepy>=1.1.0',
    # Connection.set_tlsext_host_name (>=0.13)
+    'mock',
    'PyOpenSSL>=0.13.1',
    'pyrfc3339',
    'pytz',
@@ -27,15 +25,6 @@ install_requires = [
    'six>=1.9.0',  # needed for python_2_unicode_compatible
 ]

-setuptools_known_environment_markers = (StrictVersion(setuptools_version) >= StrictVersion('36.2'))
-if setuptools_known_environment_markers:
-    install_requires.append('mock ; python_version < "3.3"')
-elif 'bdist_wheel' in sys.argv[1:]:
-    raise RuntimeError('Error, you are trying to build certbot wheels using an old version '
-                       'of setuptools. Version 36.2+ of setuptools is required.')
-elif sys.version_info < (3,3):
-    install_requires.append('mock')
-
 dev_extras = [
    'pytest',
    'pytest-xdist',
@@ -71,7 +60,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Intended Audience :: Developers',
@@ -80,6 +69,7 @@ setup(
        'Programming Language :: Python :: 2',
        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
+        'Programming Language :: Python :: 3.4',
        'Programming Language :: Python :: 3.5',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
--- a/acme/tests/testdata/rsa1024_cert.pem
+++ b/acme/tests/testdata/rsa1024_cert.pem
@@ -1,13 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIB/TCCAWagAwIBAgIJAOyRIBs3QT8QMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
-BAMMC2V4YW1wbGUuY29tMB4XDTE4MDQyMzEwMzE0NFoXDTE4MDUyMzEwMzE0NFow
-FjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
-AoGBAJqJ87R8aVwByONxgQA9hwgvQd/QqI1r1UInXhEF2VnEtZGtUWLi100IpIqr
-Mq4qusDwNZ3g8cUPtSkvJGs89djoajMDIJP7lQUEKUYnYrI0q755Tr/DgLWSk7iW
-l5ezym0VzWUD0/xXUz8yRbNMTjTac80rS5SZk2ja2wWkYlRJAgMBAAGjUzBRMB0G
-A1UdDgQWBBSsaX0IVZ4XXwdeffVAbG7gnxSYjTAfBgNVHSMEGDAWgBSsaX0IVZ4X
-XwdeffVAbG7gnxSYjTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GB
-ADe7SVmvGH2nkwVfONk8TauRUDkePN1CJZKFb2zW1uO9ANJ2v5Arm/OQp0BG/xnI
-Djw/aLTNVESF89oe15dkrUErtcaF413MC1Ld5lTCaJLHLGqDKY69e02YwRuxW7jY
-qarpt7k7aR5FbcfO5r4V/FK/Gvp4Dmoky8uap7SJIW6x
-----END CERTIFICATE-----
--- a/certbot-apache/MANIFEST.in
+++ b/certbot-apache/MANIFEST.in
@@ -1,7 +1,8 @@
 include LICENSE.txt
 include README.rst
 recursive-include tests *
+include certbot_apache/_internal/centos-options-ssl-apache.conf
+include certbot_apache/_internal/options-ssl-apache.conf
 recursive-include certbot_apache/_internal/augeas_lens *.aug
-recursive-include certbot_apache/_internal/tls_configs *.conf
 global-exclude __pycache__
 global-exclude *.py[cod]
--- a/certbot-apache/certbot_apache/_internal/apache_util.py
+++ b/certbot-apache/certbot_apache/_internal/apache_util.py
@@ -1,19 +1,9 @@
 """ Utility functions for certbot-apache plugin """
 import binascii
-import fnmatch
-import logging
-import re
-import subprocess

-import pkg_resources
-
-from certbot import errors
 from certbot import util
-
 from certbot.compat import os

-logger = logging.getLogger(__name__)
-

 def get_mod_deps(mod_name):
    """Get known module dependencies.
@@ -115,142 +105,3 @@ def parse_define_file(filepath, varname):
 def unique_id():
    """ Returns an unique id to be used as a VirtualHost identifier"""
    return binascii.hexlify(os.urandom(16)).decode("utf-8")
-
-
-def included_in_paths(filepath, paths):
-    """
-    Returns true if the filepath is included in the list of paths
-    that may contain full paths or wildcard paths that need to be
-    expanded.
-
-    :param str filepath: Filepath to check
-    :params list paths: List of paths to check against
-
-    :returns: True if included
-    :rtype: bool
-    """
-
-    return any(fnmatch.fnmatch(filepath, path) for path in paths)
-
-
-def parse_defines(apachectl):
-    """
-    Gets Defines from httpd process and returns a dictionary of
-    the defined variables.
-
-    :param str apachectl: Path to apachectl executable
-
-    :returns: dictionary of defined variables
-    :rtype: dict
-    """
-
-    variables = {}
-    define_cmd = [apachectl, "-t", "-D",
-                  "DUMP_RUN_CFG"]
-    matches = parse_from_subprocess(define_cmd, r"Define: ([^ \n]*)")
-    try:
-        matches.remove("DUMP_RUN_CFG")
-    except ValueError:
-        return {}
-
-    for match in matches:
-        if match.count("=") > 1:
-            logger.error("Unexpected number of equal signs in "
-                         "runtime config dump.")
-            raise errors.PluginError(
-                "Error parsing Apache runtime variables")
-        parts = match.partition("=")
-        variables[parts[0]] = parts[2]
-
-    return variables
-
-
-def parse_includes(apachectl):
-    """
-    Gets Include directives from httpd process and returns a list of
-    their values.
-
-    :param str apachectl: Path to apachectl executable
-
-    :returns: list of found Include directive values
-    :rtype: list of str
-    """
-
-    inc_cmd = [apachectl, "-t", "-D",
-               "DUMP_INCLUDES"]
-    return parse_from_subprocess(inc_cmd, r"\(.*\) (.*)")
-
-
-def parse_modules(apachectl):
-    """
-    Get loaded modules from httpd process, and return the list
-    of loaded module names.
-
-    :param str apachectl: Path to apachectl executable
-
-    :returns: list of found LoadModule module names
-    :rtype: list of str
-    """
-
-    mod_cmd = [apachectl, "-t", "-D",
-               "DUMP_MODULES"]
-    return parse_from_subprocess(mod_cmd, r"(.*)_module")
-
-
-def parse_from_subprocess(command, regexp):
-    """Get values from stdout of subprocess command
-
-    :param list command: Command to run
-    :param str regexp: Regexp for parsing
-
-    :returns: list parsed from command output
-    :rtype: list
-
-    """
-    stdout = _get_runtime_cfg(command)
-    return re.compile(regexp).findall(stdout)
-
-
-def _get_runtime_cfg(command):
-    """
-    Get runtime configuration info.
-
-    :param command: Command to run
-
-    :returns: stdout from command
-
-    """
-    try:
-        proc = subprocess.Popen(
-            command,
-            stdout=subprocess.PIPE,
-            stderr=subprocess.PIPE,
-            universal_newlines=True)
-        stdout, stderr = proc.communicate()
-
-    except (OSError, ValueError):
-        logger.error(
-            "Error running command %s for runtime parameters!%s",
-            command, os.linesep)
-        raise errors.MisconfigurationError(
-            "Error accessing loaded Apache parameters: {0}".format(
-                command))
-    # Small errors that do not impede
-    if proc.returncode != 0:
-        logger.warning("Error in checking parameter list: %s", stderr)
-        raise errors.MisconfigurationError(
-            "Apache is unable to check whether or not the module is "
-            "loaded because Apache is misconfigured.")
-
-    return stdout
-
-def find_ssl_apache_conf(prefix):
-    """
-    Find a TLS Apache config file in the dedicated storage.
-    :param str prefix: prefix of the TLS Apache config file to find
-    :return: the path the TLS Apache config file
-    :rtype: str
-    """
-    return pkg_resources.resource_filename(
-        "certbot_apache",
-        os.path.join("_internal", "tls_configs", "{0}-options-ssl-apache.conf".format(prefix)))
--- a/certbot-apache/certbot_apache/_internal/apacheparser.py
+++ b/certbot-apache/certbot_apache/_internal/apacheparser.py
@@ -1,172 +0,0 @@
-""" apacheconfig implementation of the ParserNode interfaces """
-
-from certbot_apache._internal import assertions
-from certbot_apache._internal import interfaces
-from certbot_apache._internal import parsernode_util as util
-
-
-class ApacheParserNode(interfaces.ParserNode):
-    """ apacheconfig implementation of ParserNode interface.
-
-        Expects metadata `ac_ast` to be passed in, where `ac_ast` is the AST provided
-        by parsing the equivalent configuration text using the apacheconfig library.
-    """
-
-    def __init__(self, **kwargs):
-        ancestor, dirty, filepath, metadata = util.parsernode_kwargs(kwargs)  # pylint: disable=unused-variable
-        super(ApacheParserNode, self).__init__(**kwargs)
-        self.ancestor = ancestor
-        self.filepath = filepath
-        self.dirty = dirty
-        self.metadata = metadata
-        self._raw = self.metadata["ac_ast"]
-
-    def save(self, msg): # pragma: no cover
-        pass
-
-    def find_ancestors(self, name):  # pylint: disable=unused-variable
-        """Find ancestor BlockNodes with a given name"""
-        return [ApacheBlockNode(name=assertions.PASS,
-                                parameters=assertions.PASS,
-                                ancestor=self,
-                                filepath=assertions.PASS,
-                                metadata=self.metadata)]
-
-
-class ApacheCommentNode(ApacheParserNode):
-    """ apacheconfig implementation of CommentNode interface """
-
-    def __init__(self, **kwargs):
-        comment, kwargs = util.commentnode_kwargs(kwargs)  # pylint: disable=unused-variable
-        super(ApacheCommentNode, self).__init__(**kwargs)
-        self.comment = comment
-
-    def __eq__(self, other):  # pragma: no cover
-        if isinstance(other, self.__class__):
-            return (self.comment == other.comment and
-                    self.dirty == other.dirty and
-                    self.ancestor == other.ancestor and
-                    self.metadata == other.metadata and
-                    self.filepath == other.filepath)
-        return False
-
-
-class ApacheDirectiveNode(ApacheParserNode):
-    """ apacheconfig implementation of DirectiveNode interface """
-
-    def __init__(self, **kwargs):
-        name, parameters, enabled, kwargs = util.directivenode_kwargs(kwargs)
-        super(ApacheDirectiveNode, self).__init__(**kwargs)
-        self.name = name
-        self.parameters = parameters
-        self.enabled = enabled
-        self.include = None
-
-    def __eq__(self, other):  # pragma: no cover
-        if isinstance(other, self.__class__):
-            return (self.name == other.name and
-                    self.filepath == other.filepath and
-                    self.parameters == other.parameters and
-                    self.enabled == other.enabled and
-                    self.dirty == other.dirty and
-                    self.ancestor == other.ancestor and
-                    self.metadata == other.metadata)
-        return False
-
-    def set_parameters(self, _parameters):  # pragma: no cover
-        """Sets the parameters for DirectiveNode"""
-        return
-
-
-class ApacheBlockNode(ApacheDirectiveNode):
-    """ apacheconfig implementation of BlockNode interface """
-
-    def __init__(self, **kwargs):
-        super(ApacheBlockNode, self).__init__(**kwargs)
-        self.children = ()
-
-    def __eq__(self, other):  # pragma: no cover
-        if isinstance(other, self.__class__):
-            return (self.name == other.name and
-                    self.filepath == other.filepath and
-                    self.parameters == other.parameters and
-                    self.children == other.children and
-                    self.enabled == other.enabled and
-                    self.dirty == other.dirty and
-                    self.ancestor == other.ancestor and
-                    self.metadata == other.metadata)
-        return False
-
-    # pylint: disable=unused-argument
-    def add_child_block(self, name, parameters=None, position=None):  # pragma: no cover
-        """Adds a new BlockNode to the sequence of children"""
-        new_block = ApacheBlockNode(name=assertions.PASS,
-                                    parameters=assertions.PASS,
-                                    ancestor=self,
-                                    filepath=assertions.PASS,
-                                    metadata=self.metadata)
-        self.children += (new_block,)
-        return new_block
-
-    # pylint: disable=unused-argument
-    def add_child_directive(self, name, parameters=None, position=None):  # pragma: no cover
-        """Adds a new DirectiveNode to the sequence of children"""
-        new_dir = ApacheDirectiveNode(name=assertions.PASS,
-                                      parameters=assertions.PASS,
-                                      ancestor=self,
-                                      filepath=assertions.PASS,
-                                      metadata=self.metadata)
-        self.children += (new_dir,)
-        return new_dir
-
-    # pylint: disable=unused-argument
-    def add_child_comment(self, comment="", position=None):  # pragma: no cover
-
-        """Adds a new CommentNode to the sequence of children"""
-        new_comment = ApacheCommentNode(comment=assertions.PASS,
-                                        ancestor=self,
-                                        filepath=assertions.PASS,
-                                        metadata=self.metadata)
-        self.children += (new_comment,)
-        return new_comment
-
-    def find_blocks(self, name, exclude=True): # pylint: disable=unused-argument
-        """Recursive search of BlockNodes from the sequence of children"""
-        return [ApacheBlockNode(name=assertions.PASS,
-                                parameters=assertions.PASS,
-                                ancestor=self,
-                                filepath=assertions.PASS,
-                                metadata=self.metadata)]
-
-    def find_directives(self, name, exclude=True): # pylint: disable=unused-argument
-        """Recursive search of DirectiveNodes from the sequence of children"""
-        return [ApacheDirectiveNode(name=assertions.PASS,
-                                    parameters=assertions.PASS,
-                                    ancestor=self,
-                                    filepath=assertions.PASS,
-                                    metadata=self.metadata)]
-
-    # pylint: disable=unused-argument
-    def find_comments(self, comment, exact=False):  # pragma: no cover
-        """Recursive search of DirectiveNodes from the sequence of children"""
-        return [ApacheCommentNode(comment=assertions.PASS,
-                                  ancestor=self,
-                                  filepath=assertions.PASS,
-                                  metadata=self.metadata)]
-
-    def delete_child(self, child):  # pragma: no cover
-        """Deletes a ParserNode from the sequence of children"""
-        return
-
-    def unsaved_files(self):  # pragma: no cover
-        """Returns a list of unsaved filepaths"""
-        return [assertions.PASS]
-
-    def parsed_paths(self):  # pragma: no cover
-        """Returns a list of parsed configuration file paths"""
-        return [assertions.PASS]
-
-
-interfaces.CommentNode.register(ApacheCommentNode)
-interfaces.DirectiveNode.register(ApacheDirectiveNode)
-interfaces.BlockNode.register(ApacheBlockNode)
--- a/certbot-apache/certbot_apache/_internal/assertions.py
+++ b/certbot-apache/certbot_apache/_internal/assertions.py
@@ -1,142 +0,0 @@
-"""Dual parser node assertions"""
-import fnmatch
-
-from certbot_apache._internal import interfaces
-
-
-PASS = "CERTBOT_PASS_ASSERT"
-
-
-def assertEqual(first, second):
-    """ Equality assertion """
-
-    if isinstance(first, interfaces.CommentNode):
-        assertEqualComment(first, second)
-    elif isinstance(first, interfaces.DirectiveNode):
-        assertEqualDirective(first, second)
-
-    # Do an extra interface implementation assertion, as the contents were
-    # already checked for BlockNode in the assertEqualDirective
-    if isinstance(first, interfaces.BlockNode):
-        assert isinstance(second, interfaces.BlockNode)
-
-    # Skip tests if filepath includes the pass value. This is done
-    # because filepath is variable of the base ParserNode interface, and
-    # unless the implementation is actually done, we cannot assume getting
-    # correct results from boolean assertion for dirty
-    if not isPass(first.filepath) and not isPass(second.filepath):
-        assert first.dirty == second.dirty
-        # We might want to disable this later if testing with two separate
-        # (but identical) directory structures.
-        assert first.filepath == second.filepath
-
-def assertEqualComment(first, second): # pragma: no cover
-    """ Equality assertion for CommentNode """
-
-    assert isinstance(first, interfaces.CommentNode)
-    assert isinstance(second, interfaces.CommentNode)
-
-    if not isPass(first.comment) and not isPass(second.comment):  # type: ignore
-        assert first.comment == second.comment  # type: ignore
-
-def _assertEqualDirectiveComponents(first, second): # pragma: no cover
-    """ Handles assertion for instance variables for DirectiveNode and BlockNode"""
-
-    # Enabled value cannot be asserted, because Augeas implementation
-    # is unable to figure that out.
-    # assert first.enabled == second.enabled
-    if not isPass(first.name) and not isPass(second.name):
-        assert first.name == second.name
-
-    if not isPass(first.parameters) and not isPass(second.parameters):
-        assert first.parameters == second.parameters
-
-def assertEqualDirective(first, second):
-    """ Equality assertion for DirectiveNode """
-
-    assert isinstance(first, interfaces.DirectiveNode)
-    assert isinstance(second, interfaces.DirectiveNode)
-    _assertEqualDirectiveComponents(first, second)
-
-def isPass(value): # pragma: no cover
-    """Checks if the value is set to PASS"""
-    if isinstance(value, bool):
-        return True
-    return PASS in value
-
-def isPassDirective(block):
-    """ Checks if BlockNode or DirectiveNode should pass the assertion """
-
-    if isPass(block.name):
-        return True
-    if isPass(block.parameters): # pragma: no cover
-        return True
-    if isPass(block.filepath): # pragma: no cover
-        return True
-    return False
-
-def isPassComment(comment):
-    """ Checks if CommentNode should pass the assertion """
-
-    if isPass(comment.comment):
-        return True
-    if isPass(comment.filepath): # pragma: no cover
-        return True
-    return False
-
-def isPassNodeList(nodelist): # pragma: no cover
-    """ Checks if a ParserNode in the nodelist should pass the assertion,
-    this function is used for results of find_* methods. Unimplemented find_*
-    methods should return a sequence containing a single ParserNode instance
-    with assertion pass string."""
-
-    try:
-        node = nodelist[0]
-    except IndexError:
-        node = None
-
-    if not node: # pragma: no cover
-        return False
-
-    if isinstance(node, interfaces.DirectiveNode):
-        return isPassDirective(node)
-    return isPassComment(node)
-
-def assertEqualSimple(first, second):
-    """ Simple assertion """
-    if not isPass(first) and not isPass(second):
-        assert first == second
-
-def isEqualVirtualHost(first, second):
-    """
-    Checks that two VirtualHost objects are similar. There are some built
-    in differences with the implementations: VirtualHost created by ParserNode
-    implementation doesn't have "path" defined, as it was used for Augeas path
-    and that cannot obviously be used in the future. Similarly the legacy
-    version lacks "node" variable, that has a reference to the BlockNode for the
-    VirtualHost.
-    """
-    return (
-        first.name == second.name and
-        first.aliases == second.aliases and
-        first.filep == second.filep and
-        first.addrs == second.addrs and
-        first.ssl == second.ssl and
-        first.enabled == second.enabled and
-        first.modmacro == second.modmacro and
-        first.ancestor == second.ancestor
-    )
-
-def assertEqualPathsList(first, second):  # pragma: no cover
-    """
-    Checks that the two lists of file paths match. This assertion allows for wildcard
-    paths.
-    """
-    if any(isPass(path) for path in first):
-        return
-    if any(isPass(path) for path in second):
-        return
-    for fpath in first:
-        assert any([fnmatch.fnmatch(fpath, spath) for spath in second])
-    for spath in second:
-        assert any([fnmatch.fnmatch(fpath, spath) for fpath in first])
--- a/certbot-apache/certbot_apache/_internal/augeasparser.py
+++ b/certbot-apache/certbot_apache/_internal/augeasparser.py
@@ -1,538 +0,0 @@
-"""
-Augeas implementation of the ParserNode interfaces.
-
-Augeas works internally by using XPATH notation. The following is a short example
-of how this all works internally, to better understand what's going on under the
-hood.
-
-A configuration file /etc/apache2/apache2.conf with the following content:
-
-    # First comment line
-    # Second comment line
-    WhateverDirective whatevervalue
-    <ABlock>
-        DirectiveInABlock dirvalue
-    </ABlock>
-    SomeDirective somedirectivevalue
-    <ABlock>
-        AnotherDirectiveInABlock dirvalue
-    </ABlock>
-    # Yet another comment
-
-
-Translates over to Augeas path notation (of immediate children), when calling
-for example: aug.match("/files/etc/apache2/apache2.conf/*")
-
-[
-    "/files/etc/apache2/apache2.conf/#comment[1]",
-    "/files/etc/apache2/apache2.conf/#comment[2]",
-    "/files/etc/apache2/apache2.conf/directive[1]",
-    "/files/etc/apache2/apache2.conf/ABlock[1]",
-    "/files/etc/apache2/apache2.conf/directive[2]",
-    "/files/etc/apache2/apache2.conf/ABlock[2]",
-    "/files/etc/apache2/apache2.conf/#comment[3]"
-]
-
-Regardless of directives name, its key in the Augeas tree is always "directive",
-with index where needed of course. Comments work similarly, while blocks
-have their own key in the Augeas XPATH notation.
-
-It's important to note that all of the unique keys have their own indices.
-
-Augeas paths are case sensitive, while Apache configuration is case insensitive.
-It looks like this:
-
-    <block>
-        directive value
-    </block>
-    <Block>
-        Directive Value
-    </Block>
-    <block>
-        directive value
-    </block>
-    <bLoCk>
-        DiReCtiVe VaLuE
-    </bLoCk>
-
-Translates over to:
-
-[
-    "/files/etc/apache2/apache2.conf/block[1]",
-    "/files/etc/apache2/apache2.conf/Block[1]",
-    "/files/etc/apache2/apache2.conf/block[2]",
-    "/files/etc/apache2/apache2.conf/bLoCk[1]",
-]
-"""
-from acme.magic_typing import Set
-from certbot import errors
-from certbot.compat import os
-
-from certbot_apache._internal import apache_util
-from certbot_apache._internal import assertions
-from certbot_apache._internal import interfaces
-from certbot_apache._internal import parser
-from certbot_apache._internal import parsernode_util as util
-
-
-class AugeasParserNode(interfaces.ParserNode):
-    """ Augeas implementation of ParserNode interface """
-
-    def __init__(self, **kwargs):
-        ancestor, dirty, filepath, metadata = util.parsernode_kwargs(kwargs)  # pylint: disable=unused-variable
-        super(AugeasParserNode, self).__init__(**kwargs)
-        self.ancestor = ancestor
-        self.filepath = filepath
-        self.dirty = dirty
-        self.metadata = metadata
-        self.parser = self.metadata.get("augeasparser")
-        try:
-            if self.metadata["augeaspath"].endswith("/"):
-                raise errors.PluginError(
-                    "Augeas path: {} has a trailing slash".format(
-                        self.metadata["augeaspath"]
-                    )
-                )
-        except KeyError:
-            raise errors.PluginError("Augeas path is required")
-
-    def save(self, msg):
-        self.parser.save(msg)
-
-    def find_ancestors(self, name):
-        """
-        Searches for ancestor BlockNodes with a given name.
-
-        :param str name: Name of the BlockNode parent to search for
-
-        :returns: List of matching ancestor nodes.
-        :rtype: list of AugeasBlockNode
-        """
-
-        ancestors = []
-
-        parent = self.metadata["augeaspath"]
-        while True:
-            # Get the path of ancestor node
-            parent = parent.rpartition("/")[0]
-            # Root of the tree
-            if not parent or parent == "/files":
-                break
-            anc = self._create_blocknode(parent)
-            if anc.name.lower() == name.lower():
-                ancestors.append(anc)
-
-        return ancestors
-
-    def _create_blocknode(self, path):
-        """
-        Helper function to create a BlockNode from Augeas path. This is used by
-        AugeasParserNode.find_ancestors and AugeasBlockNode.
-        and AugeasBlockNode.find_blocks
-
-        """
-
-        name = self._aug_get_name(path)
-        metadata = {"augeasparser": self.parser, "augeaspath": path}
-
-        # Check if the file was included from the root config or initial state
-        enabled = self.parser.parsed_in_original(
-            apache_util.get_file_path(path)
-        )
-
-        return AugeasBlockNode(name=name,
-                               enabled=enabled,
-                               ancestor=assertions.PASS,
-                               filepath=apache_util.get_file_path(path),
-                               metadata=metadata)
-
-    def _aug_get_name(self, path):
-        """
-        Helper function to get name of a configuration block or variable from path.
-        """
-
-        # Remove the ending slash if any
-        if path[-1] == "/":  # pragma: no cover
-            path = path[:-1]
-
-        # Get the block name
-        name = path.split("/")[-1]
-
-        # remove [...], it's not allowed in Apache configuration and is used
-        # for indexing within Augeas
-        name = name.split("[")[0]
-        return name
-
-
-class AugeasCommentNode(AugeasParserNode):
-    """ Augeas implementation of CommentNode interface """
-
-    def __init__(self, **kwargs):
-        comment, kwargs = util.commentnode_kwargs(kwargs)  # pylint: disable=unused-variable
-        super(AugeasCommentNode, self).__init__(**kwargs)
-        # self.comment = comment
-        self.comment = comment
-
-    def __eq__(self, other):
-        if isinstance(other, self.__class__):
-            return (self.comment == other.comment and
-                    self.filepath == other.filepath and
-                    self.dirty == other.dirty and
-                    self.ancestor == other.ancestor and
-                    self.metadata == other.metadata)
-        return False
-
-
-class AugeasDirectiveNode(AugeasParserNode):
-    """ Augeas implementation of DirectiveNode interface """
-
-    def __init__(self, **kwargs):
-        name, parameters, enabled, kwargs = util.directivenode_kwargs(kwargs)
-        super(AugeasDirectiveNode, self).__init__(**kwargs)
-        self.name = name
-        self.enabled = enabled
-        if parameters:
-            self.set_parameters(parameters)
-
-    def __eq__(self, other):
-        if isinstance(other, self.__class__):
-            return (self.name == other.name and
-                    self.filepath == other.filepath and
-                    self.parameters == other.parameters and
-                    self.enabled == other.enabled and
-                    self.dirty == other.dirty and
-                    self.ancestor == other.ancestor and
-                    self.metadata == other.metadata)
-        return False
-
-    def set_parameters(self, parameters):
-        """
-        Sets parameters of a DirectiveNode or BlockNode object.
-
-        :param list parameters: List of all parameters for the node to set.
-        """
-        orig_params = self._aug_get_params(self.metadata["augeaspath"])
-
-        # Clear out old parameters
-        for _ in orig_params:
-            # When the first parameter is removed, the indices get updated
-            param_path = "{}/arg[1]".format(self.metadata["augeaspath"])
-            self.parser.aug.remove(param_path)
-        # Insert new ones
-        for pi, param in enumerate(parameters):
-            param_path = "{}/arg[{}]".format(self.metadata["augeaspath"], pi+1)
-            self.parser.aug.set(param_path, param)
-
-    @property
-    def parameters(self):
-        """
-        Fetches the parameters from Augeas tree, ensuring that the sequence always
-        represents the current state
-
-        :returns: Tuple of parameters for this DirectiveNode
-        :rtype: tuple:
-        """
-        return tuple(self._aug_get_params(self.metadata["augeaspath"]))
-
-    def _aug_get_params(self, path):
-        """Helper function to get parameters for DirectiveNodes and BlockNodes"""
-
-        arg_paths = self.parser.aug.match(path + "/arg")
-        return [self.parser.get_arg(apath) for apath in arg_paths]
-
-
-class AugeasBlockNode(AugeasDirectiveNode):
-    """ Augeas implementation of BlockNode interface """
-
-    def __init__(self, **kwargs):
-        super(AugeasBlockNode, self).__init__(**kwargs)
-        self.children = ()
-
-    def __eq__(self, other):
-        if isinstance(other, self.__class__):
-            return (self.name == other.name and
-                    self.filepath == other.filepath and
-                    self.parameters == other.parameters and
-                    self.children == other.children and
-                    self.enabled == other.enabled and
-                    self.dirty == other.dirty and
-                    self.ancestor == other.ancestor and
-                    self.metadata == other.metadata)
-        return False
-
-    # pylint: disable=unused-argument
-    def add_child_block(self, name, parameters=None, position=None):  # pragma: no cover
-        """Adds a new BlockNode to the sequence of children"""
-
-        insertpath, realpath, before = self._aug_resolve_child_position(
-            name,
-            position
-        )
-        new_metadata = {"augeasparser": self.parser, "augeaspath": realpath}
-
-        # Create the new block
-        self.parser.aug.insert(insertpath, name, before)
-        # Check if the file was included from the root config or initial state
-        enabled = self.parser.parsed_in_original(
-            apache_util.get_file_path(realpath)
-        )
-
-        # Parameters will be set at the initialization of the new object
-        new_block = AugeasBlockNode(name=name,
-                                    parameters=parameters,
-                                    enabled=enabled,
-                                    ancestor=assertions.PASS,
-                                    filepath=apache_util.get_file_path(realpath),
-                                    metadata=new_metadata)
-        return new_block
-
-    # pylint: disable=unused-argument
-    def add_child_directive(self, name, parameters=None, position=None):  # pragma: no cover
-        """Adds a new DirectiveNode to the sequence of children"""
-
-        if not parameters:
-            raise errors.PluginError("Directive requires parameters and none were set.")
-
-        insertpath, realpath, before = self._aug_resolve_child_position(
-            "directive",
-            position
-        )
-        new_metadata = {"augeasparser": self.parser, "augeaspath": realpath}
-
-        # Create the new directive
-        self.parser.aug.insert(insertpath, "directive", before)
-        # Set the directive key
-        self.parser.aug.set(realpath, name)
-        # Check if the file was included from the root config or initial state
-        enabled = self.parser.parsed_in_original(
-            apache_util.get_file_path(realpath)
-        )
-
-        new_dir = AugeasDirectiveNode(name=name,
-                                      parameters=parameters,
-                                      enabled=enabled,
-                                      ancestor=assertions.PASS,
-                                      filepath=apache_util.get_file_path(realpath),
-                                      metadata=new_metadata)
-        return new_dir
-
-    def add_child_comment(self, comment="", position=None):
-        """Adds a new CommentNode to the sequence of children"""
-
-        insertpath, realpath, before = self._aug_resolve_child_position(
-            "#comment",
-            position
-        )
-        new_metadata = {"augeasparser": self.parser, "augeaspath": realpath}
-
-        # Create the new comment
-        self.parser.aug.insert(insertpath, "#comment", before)
-        # Set the comment content
-        self.parser.aug.set(realpath, comment)
-
-        new_comment = AugeasCommentNode(comment=comment,
-                                        ancestor=assertions.PASS,
-                                        filepath=apache_util.get_file_path(realpath),
-                                        metadata=new_metadata)
-        return new_comment
-
-    def find_blocks(self, name, exclude=True):
-        """Recursive search of BlockNodes from the sequence of children"""
-
-        nodes = []
-        paths = self._aug_find_blocks(name)
-        if exclude:
-            paths = self.parser.exclude_dirs(paths)
-        for path in paths:
-            nodes.append(self._create_blocknode(path))
-
-        return nodes
-
-    def find_directives(self, name, exclude=True):
-        """Recursive search of DirectiveNodes from the sequence of children"""
-
-        nodes = []
-        ownpath = self.metadata.get("augeaspath")
-
-        directives = self.parser.find_dir(name, start=ownpath, exclude=exclude)
-        already_parsed = set()  # type: Set[str]
-        for directive in directives:
-            # Remove the /arg part from the Augeas path
-            directive = directive.partition("/arg")[0]
-            # find_dir returns an object for each _parameter_ of a directive
-            # so we need to filter out duplicates.
-            if directive not in already_parsed:
-                nodes.append(self._create_directivenode(directive))
-                already_parsed.add(directive)
-
-        return nodes
-
-    def find_comments(self, comment):
-        """
-        Recursive search of DirectiveNodes from the sequence of children.
-
-        :param str comment: Comment content to search for.
-        """
-
-        nodes = []
-        ownpath = self.metadata.get("augeaspath")
-
-        comments = self.parser.find_comments(comment, start=ownpath)
-        for com in comments:
-            nodes.append(self._create_commentnode(com))
-
-        return nodes
-
-    def delete_child(self, child):
-        """
-        Deletes a ParserNode from the sequence of children, and raises an
-        exception if it's unable to do so.
-        :param AugeasParserNode: child: A node to delete.
-        """
-        if not self.parser.aug.remove(child.metadata["augeaspath"]):
-
-            raise errors.PluginError(
-                ("Could not delete child node, the Augeas path: {} doesn't " +
-                 "seem to exist.").format(child.metadata["augeaspath"])
-            )
-
-    def unsaved_files(self):
-        """Returns a list of unsaved filepaths"""
-        return self.parser.unsaved_files()
-
-    def parsed_paths(self):
-        """
-        Returns a list of file paths that have currently been parsed into the parser
-        tree. The returned list may include paths with wildcard characters, for
-        example: ['/etc/apache2/conf.d/*.load']
-
-        This is typically called on the root node of the ParserNode tree.
-
-        :returns: list of file paths of files that have been parsed
-        """
-
-        res_paths = []
-
-        paths = self.parser.existing_paths
-        for directory in paths:
-            for filename in paths[directory]:
-                res_paths.append(os.path.join(directory, filename))
-
-        return res_paths
-
-    def _create_commentnode(self, path):
-        """Helper function to create a CommentNode from Augeas path"""
-
-        comment = self.parser.aug.get(path)
-        metadata = {"augeasparser": self.parser, "augeaspath": path}
-
-        # Because of the dynamic nature of AugeasParser and the fact that we're
-        # not populating the complete node tree, the ancestor has a dummy value
-        return AugeasCommentNode(comment=comment,
-                                 ancestor=assertions.PASS,
-                                 filepath=apache_util.get_file_path(path),
-                                 metadata=metadata)
-
-    def _create_directivenode(self, path):
-        """Helper function to create a DirectiveNode from Augeas path"""
-
-        name = self.parser.get_arg(path)
-        metadata = {"augeasparser": self.parser, "augeaspath": path}
-
-        # Check if the file was included from the root config or initial state
-        enabled = self.parser.parsed_in_original(
-            apache_util.get_file_path(path)
-        )
-        return AugeasDirectiveNode(name=name,
-                                   ancestor=assertions.PASS,
-                                   enabled=enabled,
-                                   filepath=apache_util.get_file_path(path),
-                                   metadata=metadata)
-
-    def _aug_find_blocks(self, name):
-        """Helper function to perform a search to Augeas DOM tree to search
-        configuration blocks with a given name"""
-
-        # The code here is modified from configurator.get_virtual_hosts()
-        blk_paths = set()
-        for vhost_path in list(self.parser.parser_paths):
-            paths = self.parser.aug.match(
-                ("/files%s//*[label()=~regexp('%s')]" %
-                    (vhost_path, parser.case_i(name))))
-            blk_paths.update([path for path in paths if
-                              name.lower() in os.path.basename(path).lower()])
-        return blk_paths
-
-    def _aug_resolve_child_position(self, name, position):
-        """
-        Helper function that iterates through the immediate children and figures
-        out the insertion path for a new AugeasParserNode.
-
-        Augeas also generalizes indices for directives and comments, simply by
-        using "directive" or "comment" respectively as their names.
-
-        This function iterates over the existing children of the AugeasBlockNode,
-        returning their insertion path, resulting Augeas path and if the new node
-        should be inserted before or after the returned insertion path.
-
-        Note: while Apache is case insensitive, Augeas is not, and blocks like
-        Nameofablock and NameOfABlock have different indices.
-
-        :param str name: Name of the AugeasBlockNode to insert, "directive" for
-            AugeasDirectiveNode or "comment" for AugeasCommentNode
-        :param int position: The position to insert the child AugeasParserNode to
-
-        :returns: Tuple of insert path, resulting path and a boolean if the new
-            node should be inserted before it.
-        :rtype: tuple of str, str, bool
-        """
-
-        # Default to appending
-        before = False
-
-        all_children = self.parser.aug.match("{}/*".format(
-            self.metadata["augeaspath"])
-        )
-
-        # Calculate resulting_path
-        # Augeas indices start at 1. We use counter to calculate the index to
-        # be used in resulting_path.
-        counter = 1
-        for i, child in enumerate(all_children):
-            if position is not None and i >= position:
-                # We're not going to insert the new node to an index after this
-                break
-            childname = self._aug_get_name(child)
-            if name == childname:
-                counter += 1
-
-        resulting_path = "{}/{}[{}]".format(
-            self.metadata["augeaspath"],
-            name,
-            counter
-        )
-
-        # Form the correct insert_path
-        # Inserting the only child and appending as the last child work
-        # similarly in Augeas.
-        append = not all_children or position is None or position >= len(all_children)
-        if append:
-            insert_path = "{}/*[last()]".format(
-                self.metadata["augeaspath"]
-            )
-        elif position == 0:
-            # Insert as the first child, before the current first one.
-            insert_path = all_children[0]
-            before = True
-        else:
-            insert_path = "{}/*[{}]".format(
-                self.metadata["augeaspath"],
-                position
-            )
-
-        return (insert_path, resulting_path, before)
-
-
-interfaces.CommentNode.register(AugeasCommentNode)
-interfaces.DirectiveNode.register(AugeasDirectiveNode)
-interfaces.BlockNode.register(AugeasBlockNode)
--- a/certbot-apache/certbot_apache/_internal/centos-options-ssl-apache.conf
+++ b/certbot-apache/certbot_apache/_internal/centos-options-ssl-apache.conf
@@ -0,0 +1,25 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+SSLEngine on
+
+# Intermediate configuration, tweak to your needs
+SSLProtocol             all -SSLv2 -SSLv3
+SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+SSLHonorCipherOrder     on
+
+SSLOptions +StrictRequire
+
+# Add vhost name to log entries:
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
+LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
+
+#CustomLog /var/log/apache2/access.log vhost_combined
+#LogLevel warn
+#ErrorLog /var/log/apache2/error.log
+
+# Always ensure Cookies have "Secure" set (JAH 2012/1)
+#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
--- a/certbot-apache/certbot_apache/_internal/configurator.py
+++ b/certbot-apache/certbot_apache/_internal/configurator.py
@@ -1,7 +1,5 @@
 """Apache Configurator."""
 # pylint: disable=too-many-lines
-from collections import defaultdict
-from distutils.version import LooseVersion
 import copy
 import fnmatch
 import logging
@@ -9,35 +7,31 @@ import re
 import socket
 import time

+from collections import defaultdict
+
+import pkg_resources
 import six
+
 import zope.component
 import zope.interface
-try:
-    import apacheconfig
-    HAS_APACHECONFIG = True
-except ImportError:  # pragma: no cover
-    HAS_APACHECONFIG = False

 from acme import challenges
-from acme.magic_typing import DefaultDict
-from acme.magic_typing import Dict
-from acme.magic_typing import List
-from acme.magic_typing import Set
-from acme.magic_typing import Union
+from acme.magic_typing import DefaultDict, Dict, List, Set, Union  # pylint: disable=unused-import, no-name-in-module
+
 from certbot import errors
 from certbot import interfaces
 from certbot import util
+
 from certbot.achallenges import KeyAuthorizationAnnotatedChallenge  # pylint: disable=unused-import
 from certbot.compat import filesystem
 from certbot.compat import os
 from certbot.plugins import common
-from certbot.plugins.enhancements import AutoHSTSEnhancement
 from certbot.plugins.util import path_surgery
+from certbot.plugins.enhancements import AutoHSTSEnhancement
+
 from certbot_apache._internal import apache_util
-from certbot_apache._internal import assertions
 from certbot_apache._internal import constants
 from certbot_apache._internal import display_ops
-from certbot_apache._internal import dualparser
 from certbot_apache._internal import http_01
 from certbot_apache._internal import obj
 from certbot_apache._internal import parser
@@ -115,29 +109,14 @@ class ApacheConfigurator(common.Installer):
        handle_modules=False,
        handle_sites=False,
        challenge_location="/etc/apache2",
+        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
+            "certbot_apache", os.path.join("_internal", "options-ssl-apache.conf"))
    )

    def option(self, key):
        """Get a value from options"""
        return self.options.get(key)

-    def pick_apache_config(self, warn_on_no_mod_ssl=True):
-        """
-        Pick the appropriate TLS Apache configuration file for current version of Apache and OS.
-
-        :param bool warn_on_no_mod_ssl: True if we should warn if mod_ssl is not found.
-
-        :return: the path to the TLS Apache configuration file to use
-        :rtype: str
-        """
-        # Disabling TLS session tickets is supported by Apache 2.4.11+ and OpenSSL 1.0.2l+.
-        # So for old versions of Apache we pick a configuration without this option.
-        openssl_version = self.openssl_version(warn_on_no_mod_ssl)
-        if self.version < (2, 4, 11) or not openssl_version or\
-            LooseVersion(openssl_version) < LooseVersion('1.0.2l'):
-            return apache_util.find_ssl_apache_conf("old")
-        return apache_util.find_ssl_apache_conf("current")
-
    def _prepare_options(self):
        """
        Set the values possibly changed by command line parameters to
@@ -203,34 +182,26 @@ class ApacheConfigurator(common.Installer):

        """
        version = kwargs.pop("version", None)
-        use_parsernode = kwargs.pop("use_parsernode", False)
-        openssl_version = kwargs.pop("openssl_version", None)
        super(ApacheConfigurator, self).__init__(*args, **kwargs)

        # Add name_server association dict
-        self.assoc = {}  # type: Dict[str, obj.VirtualHost]
+        self.assoc = dict()  # type: Dict[str, obj.VirtualHost]
        # Outstanding challenges
        self._chall_out = set()  # type: Set[KeyAuthorizationAnnotatedChallenge]
        # List of vhosts configured per wildcard domain on this run.
        # used by deploy_cert() and enhance()
-        self._wildcard_vhosts = {}  # type: Dict[str, List[obj.VirtualHost]]
+        self._wildcard_vhosts = dict()  # type: Dict[str, List[obj.VirtualHost]]
        # Maps enhancements to vhosts we've enabled the enhancement for
        self._enhanced_vhosts = defaultdict(set)  # type: DefaultDict[str, Set[obj.VirtualHost]]
        # Temporary state for AutoHSTS enhancement
        self._autohsts = {}  # type: Dict[str, Dict[str, Union[int, float]]]
        # Reverter save notes
        self.save_notes = ""
-        # Should we use ParserNode implementation instead of the old behavior
-        self.USE_PARSERNODE = use_parsernode
-        # Saves the list of file paths that were parsed initially, and
-        # not added to parser tree by self.conf("vhost-root") for example.
-        self.parsed_paths = []  # type: List[str]
+
        # These will be set in the prepare function
        self._prepared = False
        self.parser = None
-        self.parser_root = None
        self.version = version
-        self._openssl_version = openssl_version
        self.vhosts = None
        self.options = copy.deepcopy(self.OS_DEFAULTS)
        self._enhance_func = {"redirect": self._enable_redirect,
@@ -247,52 +218,6 @@ class ApacheConfigurator(common.Installer):
        """Full absolute path to digest of updated SSL configuration file."""
        return os.path.join(self.config.config_dir, constants.UPDATED_MOD_SSL_CONF_DIGEST)

-    def _open_module_file(self, ssl_module_location):
-        """Extract the open lines of openssl_version for testing purposes"""
-        try:
-            with open(ssl_module_location, mode="rb") as f:
-                contents = f.read()
-        except IOError as error:
-            logger.debug(str(error), exc_info=True)
-            return None
-        return contents
-
-    def openssl_version(self, warn_on_no_mod_ssl=True):
-        """Lazily retrieve openssl version
-
-        :param bool warn_on_no_mod_ssl: `True` if we should warn if mod_ssl is not found. Set to
-            `False` when we know we'll try to enable mod_ssl later. This is currently debian/ubuntu,
-            when called from `prepare`.
-
-        :return: the OpenSSL version as a string, or None.
-        :rtype: str or None
-        """
-        if self._openssl_version:
-            return self._openssl_version
-        # Step 1. Check for LoadModule directive
-        try:
-            ssl_module_location = self.parser.modules['ssl_module']
-        except KeyError:
-            if warn_on_no_mod_ssl:
-                logger.warning("Could not find ssl_module; not disabling session tickets.")
-            return None
-        if not ssl_module_location:
-            logger.warning("Could not find ssl_module; not disabling session tickets.")
-            return None
-        ssl_module_location = self.parser.standard_path_from_server_root(ssl_module_location)
-        # Step 2. Grep in the .so for openssl version
-        contents = self._open_module_file(ssl_module_location)
-        if not contents:
-            logger.warning("Unable to read ssl_module file; not disabling session tickets.")
-            return None
-        # looks like: OpenSSL 1.0.2s  28 May 2019
-        matches = re.findall(br"OpenSSL ([0-9]\.[^ ]+) ", contents)
-        if not matches:
-            logger.warning("Could not find OpenSSL version; not disabling session tickets.")
-            return None
-        self._openssl_version = matches[0].decode('UTF-8')
-        return self._openssl_version
-
    def prepare(self):
        """Prepare the authenticator/installer.

@@ -325,26 +250,14 @@ class ApacheConfigurator(common.Installer):
        # Perform the actual Augeas initialization to be able to react
        self.parser = self.get_parser()

-        # Set up ParserNode root
-        pn_meta = {"augeasparser": self.parser,
-                   "augeaspath": self.parser.get_root_augpath(),
-                   "ac_ast": None}
-        if self.USE_PARSERNODE:
-            self.parser_root = self.get_parsernode_root(pn_meta)
-            self.parsed_paths = self.parser_root.parsed_paths()
-
        # Check for errors in parsing files with Augeas
        self.parser.check_parsing_errors("httpd.aug")

        # Get all of the available vhosts
        self.vhosts = self.get_virtual_hosts()

-        # We may try to enable mod_ssl later. If so, we shouldn't warn if we can't find it now.
-        # This is currently only true for debian/ubuntu.
-        warn_on_no_mod_ssl = not self.option("handle_modules")
        self.install_ssl_options_conf(self.mod_ssl_conf,
-                                      self.updated_mod_ssl_conf_digest,
-                                      warn_on_no_mod_ssl)
+                                      self.updated_mod_ssl_conf_digest)

        # Prevent two Apache plugins from modifying a config at once
        try:
@@ -432,28 +345,6 @@ class ApacheConfigurator(common.Installer):
            self.option("server_root"), self.conf("vhost-root"),
            self.version, configurator=self)

-    def get_parsernode_root(self, metadata):
-        """Initializes the ParserNode parser root instance."""
-
-        if HAS_APACHECONFIG:
-            apache_vars = {}
-            apache_vars["defines"] = apache_util.parse_defines(self.option("ctl"))
-            apache_vars["includes"] = apache_util.parse_includes(self.option("ctl"))
-            apache_vars["modules"] = apache_util.parse_modules(self.option("ctl"))
-            metadata["apache_vars"] = apache_vars
-
-            with open(self.parser.loc["root"]) as f:
-                with apacheconfig.make_loader(writable=True,
-                      **apacheconfig.flavors.NATIVE_APACHE) as loader:
-                    metadata["ac_ast"] = loader.loads(f.read())
-
-        return dualparser.DualBlockNode(
-            name=assertions.PASS,
-            ancestor=None,
-            filepath=self.parser.loc["root"],
-            metadata=metadata
-        )
-
    def _wildcard_domain(self, domain):
        """
        Checks if domain is a wildcard domain
@@ -548,7 +439,7 @@ class ApacheConfigurator(common.Installer):

        # Go through the vhosts, making sure that we cover all the names
        # present, but preferring the SSL vhosts
-        filtered_vhosts = {}
+        filtered_vhosts = dict()
        for vhost in vhosts:
            for name in vhost.get_names():
                if vhost.ssl:
@@ -559,7 +450,7 @@ class ApacheConfigurator(common.Installer):
                    filtered_vhosts[name] = vhost

        # Only unique VHost objects
-        dialog_input = set(filtered_vhosts.values())
+        dialog_input = set([vhost for vhost in filtered_vhosts.values()])

        # Ask the user which of names to enable, expect list of names back
        dialog_output = display_ops.select_vhost_multiple(list(dialog_input))
@@ -574,7 +465,7 @@ class ApacheConfigurator(common.Installer):

        # Make sure we create SSL vhosts for the ones that are HTTP only
        # if requested.
-        return_vhosts = []
+        return_vhosts = list()
        for vhost in dialog_output:
            if not vhost.ssl:
                return_vhosts.append(self.make_vhost_ssl(vhost))
@@ -710,9 +601,9 @@ class ApacheConfigurator(common.Installer):
                "in the Apache config.",
                target_name)
            raise errors.PluginError("No vhost selected")
-        if temp:
+        elif temp:
            return vhost
-        if not vhost.ssl:
+        elif not vhost.ssl:
            addrs = self._get_proposed_addrs(vhost, "443")
            # TODO: Conflicts is too conservative
            if not any(vhost.enabled and vhost.conflicts(addrs) for
@@ -870,7 +761,7 @@ class ApacheConfigurator(common.Installer):

        return util.get_filtered_names(all_names)

-    def get_name_from_ip(self, addr):
+    def get_name_from_ip(self, addr):  # pylint: disable=no-self-use
        """Returns a reverse dns name if available.

        :param addr: IP Address
@@ -978,29 +869,6 @@ class ApacheConfigurator(common.Installer):
        return vhost

    def get_virtual_hosts(self):
-        """
-        Temporary wrapper for legacy and ParserNode version for
-        get_virtual_hosts. This should be replaced with the ParserNode
-        implementation when ready.
-        """
-
-        v1_vhosts = self.get_virtual_hosts_v1()
-        if self.USE_PARSERNODE and HAS_APACHECONFIG:
-            v2_vhosts = self.get_virtual_hosts_v2()
-
-            for v1_vh in v1_vhosts:
-                found = False
-                for v2_vh in v2_vhosts:
-                    if assertions.isEqualVirtualHost(v1_vh, v2_vh):
-                        found = True
-                        break
-                if not found:
-                    raise AssertionError("Equivalent for {} was not found".format(v1_vh.path))
-
-            return v2_vhosts
-        return v1_vhosts
-
-    def get_virtual_hosts_v1(self):
        """Returns list of virtual hosts found in the Apache configuration.

        :returns: List of :class:`~certbot_apache._internal.obj.VirtualHost`
@@ -1053,80 +921,6 @@ class ApacheConfigurator(common.Installer):
                    vhs.append(new_vhost)
        return vhs

-    def get_virtual_hosts_v2(self):
-        """Returns list of virtual hosts found in the Apache configuration using
-        ParserNode interface.
-        :returns: List of :class:`~certbot_apache.obj.VirtualHost`
-            objects found in configuration
-        :rtype: list
-        """
-
-        vhs = []
-        vhosts = self.parser_root.find_blocks("VirtualHost", exclude=False)
-        for vhblock in vhosts:
-            vhs.append(self._create_vhost_v2(vhblock))
-        return vhs
-
-    def _create_vhost_v2(self, node):
-        """Used by get_virtual_hosts_v2 to create vhost objects using ParserNode
-        interfaces.
-        :param interfaces.BlockNode node: The BlockNode object of VirtualHost block
-        :returns: newly created vhost
-        :rtype: :class:`~certbot_apache.obj.VirtualHost`
-        """
-        addrs = set()
-        for param in node.parameters:
-            addrs.add(obj.Addr.fromstring(param))
-
-        is_ssl = False
-        # Exclusion to match the behavior in get_virtual_hosts_v2
-        sslengine = node.find_directives("SSLEngine", exclude=False)
-        if sslengine:
-            for directive in sslengine:
-                if directive.parameters[0].lower() == "on":
-                    is_ssl = True
-                    break
-
-        # "SSLEngine on" might be set outside of <VirtualHost>
-        # Treat vhosts with port 443 as ssl vhosts
-        for addr in addrs:
-            if addr.get_port() == "443":
-                is_ssl = True
-
-        enabled = apache_util.included_in_paths(node.filepath, self.parsed_paths)
-
-        macro = False
-        # Check if the VirtualHost is contained in a mod_macro block
-        if node.find_ancestors("Macro"):
-            macro = True
-        vhost = obj.VirtualHost(
-            node.filepath, None, addrs, is_ssl, enabled, modmacro=macro, node=node
-        )
-        self._populate_vhost_names_v2(vhost)
-        return vhost
-
-    def _populate_vhost_names_v2(self, vhost):
-        """Helper function that populates the VirtualHost names.
-        :param host: In progress vhost whose names will be added
-        :type host: :class:`~certbot_apache.obj.VirtualHost`
-        """
-
-        servername_match = vhost.node.find_directives("ServerName",
-                                                      exclude=False)
-        serveralias_match = vhost.node.find_directives("ServerAlias",
-                                                       exclude=False)
-
-        servername = None
-        if servername_match:
-            servername = servername_match[-1].parameters[-1]
-
-        if not vhost.modmacro:
-            for alias in serveralias_match:
-                for serveralias in alias.parameters:
-                    vhost.aliases.add(serveralias)
-            vhost.name = servername
-
-
    def is_name_vhost(self, target_addr):
        """Returns if vhost is a name based vhost

@@ -1158,12 +952,13 @@ class ApacheConfigurator(common.Installer):

        loc = parser.get_aug_path(self.parser.loc["name"])
        if addr.get_port() == "443":
-            self.parser.add_dir_to_ifmodssl(
+            path = self.parser.add_dir_to_ifmodssl(
                loc, "NameVirtualHost", [str(addr)])
        else:
-            self.parser.add_dir(loc, "NameVirtualHost", [str(addr)])
+            path = self.parser.add_dir(loc, "NameVirtualHost", [str(addr)])

-        msg = "Setting {0} to be NameBasedVirtualHost\n".format(addr)
+        msg = ("Setting %s to be NameBasedVirtualHost\n"
+               "\tDirective added to %s\n" % (addr, path))
        logger.debug(msg)
        self.save_notes += msg

@@ -1319,14 +1114,6 @@ class ApacheConfigurator(common.Installer):
                self.enable_mod("socache_shmcb", temp=temp)
            if "ssl_module" not in self.parser.modules:
                self.enable_mod("ssl", temp=temp)
-                # Make sure we're not throwing away any unwritten changes to the config
-                self.parser.ensure_augeas_state()
-                self.parser.aug.load()
-                self.parser.reset_modules() # Reset to load the new ssl_module path
-                # Call again because now we can gate on openssl version
-                self.install_ssl_options_conf(self.mod_ssl_conf,
-                                              self.updated_mod_ssl_conf_digest,
-                                              warn_on_no_mod_ssl=True)

    def make_vhost_ssl(self, nonssl_vhost):
        """Makes an ssl_vhost version of a nonssl_vhost.
@@ -1579,9 +1366,12 @@ class ApacheConfigurator(common.Installer):
                        result.append(comment)
                        sift = True

-                    result.append('\n'.join('# ' + l for l in chunk))
+                    result.append('\n'.join(
+                        ['# ' + l for l in chunk]))
+                    continue
                else:
                    result.append('\n'.join(chunk))
+                    continue
        return result, sift

    def _get_vhost_block(self, vhost):
@@ -1719,7 +1509,7 @@ class ApacheConfigurator(common.Installer):
        for addr in vhost.addrs:
            # In Apache 2.2, when a NameVirtualHost directive is not
            # set, "*" and "_default_" will conflict when sharing a port
-            addrs = {addr,}
+            addrs = set((addr,))
            if addr.get_addr() in ("*", "_default_"):
                addrs.update(obj.Addr((a, addr.get_port(),))
                             for a in ("*", "_default_"))
@@ -1812,7 +1602,7 @@ class ApacheConfigurator(common.Installer):
    ######################################################################
    # Enhancements
    ######################################################################
-    def supported_enhancements(self):
+    def supported_enhancements(self):  # pylint: disable=no-self-use
        """Returns currently supported enhancements."""
        return ["redirect", "ensure-http-header", "staple-ocsp"]

@@ -1910,7 +1700,7 @@ class ApacheConfigurator(common.Installer):
        try:
            self._autohsts = self.storage.fetch("autohsts")
        except KeyError:
-            self._autohsts = {}
+            self._autohsts = dict()

    def _autohsts_save_state(self):
        """
@@ -2032,7 +1822,7 @@ class ApacheConfigurator(common.Installer):
                    ssl_vhost.filep)

    def _verify_no_matching_http_header(self, ssl_vhost, header_substring):
-        """Checks to see if there is an existing Header directive that
+        """Checks to see if an there is an existing Header directive that
        contains the string header_substring.

        :param ssl_vhost: vhost to check
@@ -2378,7 +2168,7 @@ class ApacheConfigurator(common.Installer):
            vhost.enabled = True
        return

-    def enable_mod(self, mod_name, temp=False):
+    def enable_mod(self, mod_name, temp=False):  # pylint: disable=unused-argument
        """Enables module in Apache.

        Both enables and reloads Apache so module is active.
@@ -2436,7 +2226,7 @@ class ApacheConfigurator(common.Installer):
                error = str(err)
            raise errors.MisconfigurationError(error)

-    def config_test(self):
+    def config_test(self):  # pylint: disable=no-self-use
        """Check the configuration of Apache for errors.

        :raises .errors.MisconfigurationError: If config_test fails
@@ -2471,7 +2261,7 @@ class ApacheConfigurator(common.Installer):
        if len(matches) != 1:
            raise errors.PluginError("Unable to find Apache version")

-        return tuple(int(i) for i in matches[0].split("."))
+        return tuple([int(i) for i in matches[0].split(".")])

    def more_info(self):
        """Human-readable string to help understand the module"""
@@ -2486,7 +2276,7 @@ class ApacheConfigurator(common.Installer):
    ###########################################################################
    # Challenges Section
    ###########################################################################
-    def get_chall_pref(self, unused_domain):
+    def get_chall_pref(self, unused_domain):  # pylint: disable=no-self-use
        """Return list of challenge preferences."""
        return [challenges.HTTP01]

@@ -2540,19 +2330,14 @@ class ApacheConfigurator(common.Installer):
            self.restart()
            self.parser.reset_modules()

-    def install_ssl_options_conf(self, options_ssl, options_ssl_digest, warn_on_no_mod_ssl=True):
-        """Copy Certbot's SSL options file into the system's config dir if required.
-
-        :param bool warn_on_no_mod_ssl: True if we should warn if mod_ssl is not found.
-        """
+    def install_ssl_options_conf(self, options_ssl, options_ssl_digest):
+        """Copy Certbot's SSL options file into the system's config dir if required."""

        # XXX if we ever try to enforce a local privilege boundary (eg, running
        # certbot for unprivileged users via setuid), this function will need
        # to be modified.
-        apache_config_path = self.pick_apache_config(warn_on_no_mod_ssl)
-
-        return common.install_version_controlled_file(
-            options_ssl, options_ssl_digest, apache_config_path, constants.ALL_SSL_OPTIONS_HASHES)
+        return common.install_version_controlled_file(options_ssl, options_ssl_digest,
+            self.option("MOD_SSL_CONF_SRC"), constants.ALL_SSL_OPTIONS_HASHES)

    def enable_autohsts(self, _unused_lineage, domains):
        """
@@ -2562,7 +2347,7 @@ class ApacheConfigurator(common.Installer):
        :type _unused_lineage: certbot._internal.storage.RenewableCert

        :param domains: List of domains in certificate to enhance
-        :type domains: `list` of `str`
+        :type domains: str
        """

        self._autohsts_fetch_state()
@@ -2729,4 +2514,4 @@ class ApacheConfigurator(common.Installer):
        self._autohsts_save_state()


-AutoHSTSEnhancement.register(ApacheConfigurator)
+AutoHSTSEnhancement.register(ApacheConfigurator)  # pylint: disable=no-member
--- a/certbot-apache/certbot_apache/_internal/constants.py
+++ b/certbot-apache/certbot_apache/_internal/constants.py
@@ -3,6 +3,7 @@ import pkg_resources

 from certbot.compat import os

+
 MOD_SSL_CONF_DEST = "options-ssl-apache.conf"
 """Name of the mod_ssl config file as saved in `IConfig.config_dir`."""

@@ -24,9 +25,6 @@ ALL_SSL_OPTIONS_HASHES = [
    '0fcdc81280cd179a07ec4d29d3595068b9326b455c488de4b09f585d5dafc137',
    '86cc09ad5415cd6d5f09a947fe2501a9344328b1e8a8b458107ea903e80baa6c',
    '06675349e457eae856120cdebb564efe546f0b87399f2264baeb41e442c724c7',
-    '5cc003edd93fb9cd03d40c7686495f8f058f485f75b5e764b789245a386e6daf',
-    '007cd497a56a3bb8b6a2c1aeb4997789e7e38992f74e44cc5d13a625a738ac73',
-    '34783b9e2210f5c4a23bced2dfd7ec289834716673354ed7c7abf69fe30192a3',
 ]
 """SHA256 hashes of the contents of previous versions of all versions of MOD_SSL_CONF_SRC"""

--- a/certbot-apache/certbot_apache/_internal/display_ops.py
+++ b/certbot-apache/certbot_apache/_internal/display_ops.py
@@ -3,10 +3,10 @@ import logging

 import zope.component

+import certbot.display.util as display_util
 from certbot import errors
 from certbot import interfaces
 from certbot.compat import os
-import certbot.display.util as display_util

 logger = logging.getLogger(__name__)

@@ -21,7 +21,7 @@ def select_vhost_multiple(vhosts):
    :rtype: :class:`list`of type `~obj.Vhost`
    """
    if not vhosts:
-        return []
+        return list()
    tags_list = [vhost.display_repr()+"\n" for vhost in vhosts]
    # Remove the extra newline from the last entry
    if tags_list:
@@ -37,7 +37,7 @@ def select_vhost_multiple(vhosts):
 def _reversemap_vhosts(names, vhosts):
    """Helper function for select_vhost_multiple for mapping string
    representations back to actual vhost objects"""
-    return_vhosts = []
+    return_vhosts = list()

    for selection in names:
        for vhost in vhosts:
--- a/certbot-apache/certbot_apache/_internal/dualparser.py
+++ b/certbot-apache/certbot_apache/_internal/dualparser.py
@@ -1,306 +0,0 @@
-""" Dual ParserNode implementation """
-from certbot_apache._internal import assertions
-from certbot_apache._internal import augeasparser
-from certbot_apache._internal import apacheparser
-
-
-class DualNodeBase(object):
-    """ Dual parser interface for in development testing. This is used as the
-    base class for dual parser interface classes. This class handles runtime
-    attribute value assertions."""
-
-    def save(self, msg):  # pragma: no cover
-        """ Call save for both parsers """
-        self.primary.save(msg)
-        self.secondary.save(msg)
-
-    def __getattr__(self, aname):
-        """ Attribute value assertion """
-        firstval = getattr(self.primary, aname)
-        secondval = getattr(self.secondary, aname)
-        exclusions = [
-            # Metadata will inherently be different, as ApacheParserNode does
-            # not have Augeas paths and so on.
-            aname == "metadata",
-            callable(firstval)
-        ]
-        if not any(exclusions):
-            assertions.assertEqualSimple(firstval, secondval)
-        return firstval
-
-    def find_ancestors(self, name):
-        """ Traverses the ancestor tree and returns ancestors matching name """
-        return self._find_helper(DualBlockNode, "find_ancestors", name)
-
-    def _find_helper(self, nodeclass, findfunc, search, **kwargs):
-        """A helper for find_* functions. The function specific attributes should
-        be passed as keyword arguments.
-
-        :param interfaces.ParserNode nodeclass: The node class for results.
-        :param str findfunc: Name of the find function to call
-        :param str search: The search term
-        """
-
-        primary_res = getattr(self.primary, findfunc)(search, **kwargs)
-        secondary_res = getattr(self.secondary, findfunc)(search, **kwargs)
-
-        # The order of search results for Augeas implementation cannot be
-        # assured.
-
-        pass_primary = assertions.isPassNodeList(primary_res)
-        pass_secondary = assertions.isPassNodeList(secondary_res)
-        new_nodes = []
-
-        if pass_primary and pass_secondary:
-            # Both unimplemented
-            new_nodes.append(nodeclass(primary=primary_res[0],
-                                       secondary=secondary_res[0]))  # pragma: no cover
-        elif pass_primary:
-            for c in secondary_res:
-                new_nodes.append(nodeclass(primary=primary_res[0],
-                                           secondary=c))
-        elif pass_secondary:
-            for c in primary_res:
-                new_nodes.append(nodeclass(primary=c,
-                                           secondary=secondary_res[0]))
-        else:
-            assert len(primary_res) == len(secondary_res)
-            matches = self._create_matching_list(primary_res, secondary_res)
-            for p, s in matches:
-                new_nodes.append(nodeclass(primary=p, secondary=s))
-
-        return new_nodes
-
-
-class DualCommentNode(DualNodeBase):
-    """ Dual parser implementation of CommentNode interface """
-
-    def __init__(self, **kwargs):
-        """ This initialization implementation allows ordinary initialization
-        of CommentNode objects as well as creating a DualCommentNode object
-        using precreated or fetched CommentNode objects if provided as optional
-        arguments primary and secondary.
-
-        Parameters other than the following are from interfaces.CommentNode:
-
-        :param CommentNode primary: Primary pre-created CommentNode, mainly
-            used when creating new DualParser nodes using add_* methods.
-        :param CommentNode secondary: Secondary pre-created CommentNode
-        """
-
-        kwargs.setdefault("primary", None)
-        kwargs.setdefault("secondary", None)
-        primary = kwargs.pop("primary")
-        secondary = kwargs.pop("secondary")
-
-        if primary or secondary:
-            assert primary and secondary
-            self.primary = primary
-            self.secondary = secondary
-        else:
-            self.primary = augeasparser.AugeasCommentNode(**kwargs)
-            self.secondary = apacheparser.ApacheCommentNode(**kwargs)
-
-        assertions.assertEqual(self.primary, self.secondary)
-
-
-class DualDirectiveNode(DualNodeBase):
-    """ Dual parser implementation of DirectiveNode interface """
-
-    def __init__(self, **kwargs):
-        """ This initialization implementation allows ordinary initialization
-        of DirectiveNode objects as well as creating a DualDirectiveNode object
-        using precreated or fetched DirectiveNode objects if provided as optional
-        arguments primary and secondary.
-
-        Parameters other than the following are from interfaces.DirectiveNode:
-
-        :param DirectiveNode primary: Primary pre-created DirectiveNode, mainly
-            used when creating new DualParser nodes using add_* methods.
-        :param DirectiveNode secondary: Secondary pre-created DirectiveNode
-
-
-        """
-
-        kwargs.setdefault("primary", None)
-        kwargs.setdefault("secondary", None)
-        primary = kwargs.pop("primary")
-        secondary = kwargs.pop("secondary")
-
-        if primary or secondary:
-            assert primary and secondary
-            self.primary = primary
-            self.secondary = secondary
-        else:
-            self.primary = augeasparser.AugeasDirectiveNode(**kwargs)
-            self.secondary = apacheparser.ApacheDirectiveNode(**kwargs)
-
-        assertions.assertEqual(self.primary, self.secondary)
-
-    def set_parameters(self, parameters):
-        """ Sets parameters and asserts that both implementation successfully
-        set the parameter sequence """
-
-        self.primary.set_parameters(parameters)
-        self.secondary.set_parameters(parameters)
-        assertions.assertEqual(self.primary, self.secondary)
-
-
-class DualBlockNode(DualNodeBase):
-    """ Dual parser implementation of BlockNode interface """
-
-    def __init__(self, **kwargs):
-        """ This initialization implementation allows ordinary initialization
-        of BlockNode objects as well as creating a DualBlockNode object
-        using precreated or fetched BlockNode objects if provided as optional
-        arguments primary and secondary.
-
-        Parameters other than the following are from interfaces.BlockNode:
-
-        :param BlockNode primary: Primary pre-created BlockNode, mainly
-            used when creating new DualParser nodes using add_* methods.
-        :param BlockNode secondary: Secondary pre-created BlockNode
-        """
-
-        kwargs.setdefault("primary", None)
-        kwargs.setdefault("secondary", None)
-        primary = kwargs.pop("primary")
-        secondary = kwargs.pop("secondary")
-
-        if primary or secondary:
-            assert primary and secondary
-            self.primary = primary
-            self.secondary = secondary
-        else:
-            self.primary = augeasparser.AugeasBlockNode(**kwargs)
-            self.secondary = apacheparser.ApacheBlockNode(**kwargs)
-
-        assertions.assertEqual(self.primary, self.secondary)
-
-    def add_child_block(self, name, parameters=None, position=None):
-        """ Creates a new child BlockNode, asserts that both implementations
-        did it in a similar way, and returns a newly created DualBlockNode object
-        encapsulating both of the newly created objects """
-
-        primary_new = self.primary.add_child_block(name, parameters, position)
-        secondary_new = self.secondary.add_child_block(name, parameters, position)
-        assertions.assertEqual(primary_new, secondary_new)
-        new_block = DualBlockNode(primary=primary_new, secondary=secondary_new)
-        return new_block
-
-    def add_child_directive(self, name, parameters=None, position=None):
-        """ Creates a new child DirectiveNode, asserts that both implementations
-        did it in a similar way, and returns a newly created DualDirectiveNode
-        object encapsulating both of the newly created objects """
-
-        primary_new = self.primary.add_child_directive(name, parameters, position)
-        secondary_new = self.secondary.add_child_directive(name, parameters, position)
-        assertions.assertEqual(primary_new, secondary_new)
-        new_dir = DualDirectiveNode(primary=primary_new, secondary=secondary_new)
-        return new_dir
-
-    def add_child_comment(self, comment="", position=None):
-        """ Creates a new child CommentNode, asserts that both implementations
-        did it in a similar way, and returns a newly created DualCommentNode
-        object encapsulating both of the newly created objects """
-
-        primary_new = self.primary.add_child_comment(comment, position)
-        secondary_new = self.secondary.add_child_comment(comment, position)
-        assertions.assertEqual(primary_new, secondary_new)
-        new_comment = DualCommentNode(primary=primary_new, secondary=secondary_new)
-        return new_comment
-
-    def _create_matching_list(self, primary_list, secondary_list):
-        """ Matches the list of primary_list to a list of secondary_list and
-        returns a list of tuples. This is used to create results for find_
-        methods.
-
-        This helper function exists, because we cannot ensure that the list of
-        search results returned by primary.find_* and secondary.find_* are ordered
-        in a same way. The function pairs the same search results from both
-        implementations to a list of tuples.
-        """
-
-        matched = []
-        for p in primary_list:
-            match = None
-            for s in secondary_list:
-                try:
-                    assertions.assertEqual(p, s)
-                    match = s
-                    break
-                except AssertionError:
-                    continue
-            if match:
-                matched.append((p, match))
-            else:
-                raise AssertionError("Could not find a matching node.")
-        return matched
-
-    def find_blocks(self, name, exclude=True):
-        """
-        Performs a search for BlockNodes using both implementations and does simple
-        checks for results. This is built upon the assumption that unimplemented
-        find_* methods return a list with a single assertion passing object.
-        After the assertion, it creates a list of newly created DualBlockNode
-        instances that encapsulate the pairs of returned BlockNode objects.
-        """
-
-        return self._find_helper(DualBlockNode, "find_blocks", name,
-                                 exclude=exclude)
-
-    def find_directives(self, name, exclude=True):
-        """
-        Performs a search for DirectiveNodes using both implementations and
-        checks the results. This is built upon the assumption that unimplemented
-        find_* methods return a list with a single assertion passing object.
-        After the assertion, it creates a list of newly created DualDirectiveNode
-        instances that encapsulate the pairs of returned DirectiveNode objects.
-        """
-
-        return self._find_helper(DualDirectiveNode, "find_directives", name,
-                                 exclude=exclude)
-
-    def find_comments(self, comment):
-        """
-        Performs a search for CommentNodes using both implementations and
-        checks the results. This is built upon the assumption that unimplemented
-        find_* methods return a list with a single assertion passing object.
-        After the assertion, it creates a list of newly created DualCommentNode
-        instances that encapsulate the pairs of returned CommentNode objects.
-        """
-
-        return self._find_helper(DualCommentNode, "find_comments", comment)
-
-    def delete_child(self, child):
-        """Deletes a child from the ParserNode implementations. The actual
-        ParserNode implementations are used here directly in order to be able
-        to match a child to the list of children."""
-
-        self.primary.delete_child(child.primary)
-        self.secondary.delete_child(child.secondary)
-
-    def unsaved_files(self):
-        """ Fetches the list of unsaved file paths and asserts that the lists
-        match """
-        primary_files = self.primary.unsaved_files()
-        secondary_files = self.secondary.unsaved_files()
-        assertions.assertEqualSimple(primary_files, secondary_files)
-
-        return primary_files
-
-    def parsed_paths(self):
-        """
-        Returns a list of file paths that have currently been parsed into the parser
-        tree. The returned list may include paths with wildcard characters, for
-        example: ['/etc/apache2/conf.d/*.load']
-
-        This is typically called on the root node of the ParserNode tree.
-
-        :returns: list of file paths of files that have been parsed
-        """
-
-        primary_paths = self.primary.parsed_paths()
-        secondary_paths = self.secondary.parsed_paths()
-        assertions.assertEqualPathsList(primary_paths, secondary_paths)
-        return primary_paths
--- a/certbot-apache/certbot_apache/_internal/entrypoint.py
+++ b/certbot-apache/certbot_apache/_internal/entrypoint.py
@@ -1,13 +1,16 @@
 """ Entry point for Apache Plugin """
-from distutils.version import LooseVersion
+# Pylint does not like disutils.version when running inside a venv.
+# See: https://github.com/PyCQA/pylint/issues/73
+from distutils.version import LooseVersion  # pylint: disable=no-name-in-module,import-error

 from certbot import util
+
 from certbot_apache._internal import configurator
 from certbot_apache._internal import override_arch
-from certbot_apache._internal import override_centos
+from certbot_apache._internal import override_fedora
 from certbot_apache._internal import override_darwin
 from certbot_apache._internal import override_debian
-from certbot_apache._internal import override_fedora
+from certbot_apache._internal import override_centos
 from certbot_apache._internal import override_gentoo
 from certbot_apache._internal import override_suse

--- a/certbot-apache/certbot_apache/_internal/http_01.py
+++ b/certbot-apache/certbot_apache/_internal/http_01.py
@@ -1,13 +1,13 @@
 """A class that performs HTTP-01 challenges for Apache"""
 import logging
-import errno

-from acme.magic_typing import List
-from acme.magic_typing import Set
+from acme.magic_typing import List, Set  # pylint: disable=unused-import, no-name-in-module
+
 from certbot import errors
-from certbot.compat import filesystem
 from certbot.compat import os
+from certbot.compat import filesystem
 from certbot.plugins import common
+
 from certbot_apache._internal.obj import VirtualHost  # pylint: disable=unused-import
 from certbot_apache._internal.parser import get_aug_path

@@ -169,15 +169,7 @@ class ApacheHttp01(common.ChallengePerformer):

    def _set_up_challenges(self):
        if not os.path.isdir(self.challenge_dir):
-            old_umask = os.umask(0o022)
-            try:
-                filesystem.makedirs(self.challenge_dir, 0o755)
-            except OSError as exception:
-                if exception.errno not in (errno.EEXIST, errno.EISDIR):
-                    raise errors.PluginError(
-                        "Couldn't create root for http-01 challenge")
-            finally:
-                os.umask(old_umask)
+            filesystem.makedirs(self.challenge_dir, 0o755)

        responses = []
        for achall in self.achalls:
@@ -203,8 +195,8 @@ class ApacheHttp01(common.ChallengePerformer):

        if vhost not in self.moded_vhosts:
            logger.debug(
-                "Adding a temporary challenge validation Include for name: %s in: %s",
-                vhost.name, vhost.filep)
+                "Adding a temporary challenge validation Include for name: %s " +
+                "in: %s", vhost.name, vhost.filep)
            self.configurator.parser.add_dir_beginning(
                vhost.path, "Include", self.challenge_conf_pre)
            self.configurator.parser.add_dir(
--- a/certbot-apache/certbot_apache/_internal/interfaces.py
+++ b/certbot-apache/certbot_apache/_internal/interfaces.py
@@ -1,515 +0,0 @@
-"""ParserNode interface for interacting with configuration tree.
-
-General description
-------------------
-
-The ParserNode interfaces are designed to be able to contain all the parsing logic,
-while allowing their users to interact with the configuration tree in a Pythonic
-and well structured manner.
-
-The structure allows easy traversal of the tree of ParserNodes. Each ParserNode
-stores a reference to its ancestor and immediate children, allowing the user to
-traverse the tree using built in interface methods as well as accessing the interface
-properties directly.
-
-ParserNode interface implementation should stand between the actual underlying
-parser functionality and the business logic within Configurator code, interfacing
-with both. The ParserNode tree is a result of configuration parsing action.
-
-ParserNode tree will be in charge of maintaining the parser state and hence the
-abstract syntax tree (AST). Interactions between ParserNode tree and underlying
-parser should involve only parsing the configuration files to this structure, and
-writing it back to the filesystem - while preserving the format including whitespaces.
-
-For some implementations (Apache for example) it's important to keep track of and
-to use state information while parsing conditional blocks and directives. This
-allows the implementation to set a flag to parts of the parsed configuration
-structure as not being in effect in a case of unmatched conditional block. It's
-important to store these blocks in the tree as well in order to not to conduct
-destructive actions (failing to write back parts of the configuration) while writing
-the AST back to the filesystem.
-
-The ParserNode tree is in charge of maintaining the its own structure while every
-child node fetched with find - methods or by iterating its list of children can be
-changed in place. When making changes the affected nodes should be flagged as "dirty"
-in order for the parser implementation to figure out the parts of the configuration
-that need to be written back to disk during the save() operation.
-
-
-Metadata
--------
-
-The metadata holds all the implementation specific attributes of the ParserNodes -
-things like the positional information related to the AST, file paths, whitespacing,
-and any other information relevant to the underlying parser engine.
-
-Access to the metadata should be handled by implementation specific methods, allowing
-the Configurator functionality to access the underlying information where needed.
-
-For some implementations the node can be initialized using the information carried
-in metadata alone. This is useful especially when populating the ParserNode tree
-while parsing the configuration.
-
-
-Apache implementation
---------------------
-
-The Apache implementation of ParserNode interface requires some implementation
-specific functionalities that are not described by the interface itself.
-
-Initialization
-
-When the user of a ParserNode class is creating these objects, they must specify
-the parameters as described in the documentation for the __init__ methods below.
-When these objects are created internally, however, some parameters may not be
-needed because (possibly more detailed) information is included in the metadata
-parameter. In this case, implementations can deviate from the required parameters
-from __init__, however, they should still behave the same when metadata is not
-provided.
-
-For consistency internally, if an argument is provided directly in the ParserNode
-initialization parameters as well as within metadata it's recommended to establish
-clear behavior around this scenario within the implementation.
-
-Conditional blocks
-
-Apache configuration can have conditional blocks, for example: <IfModule ...>,
-resulting the directives and subblocks within it being either enabled or disabled.
-While find_* interface methods allow including the disabled parts of the configuration
-tree in searches a special care needs to be taken while parsing the structure in
-order to reflect the active state of configuration.
-
-Whitespaces
-
-Each ParserNode object is responsible of storing its prepending whitespace characters
-in order to be able to write the AST back to filesystem like it was, preserving the
-format, this applies for parameters of BlockNode and DirectiveNode as well.
-When parameters of ParserNode are changed, the pre-existing whitespaces in the
-parameter sequence are discarded, as the general reason for storing them is to
-maintain the ability to write the configuration back to filesystem exactly like
-it was. This loses its meaning when we have to change the directives or blocks
-parameters for other reasons.
-
-Searches and matching
-
-Apache configuration is largely case insensitive, so the Apache implementation of
-ParserNode interface needs to provide the user means to match block and directive
-names and parameters in case insensitive manner. This does not apply to everything
-however, for example the parameters of a conditional statement may be case sensitive.
-For this reason the internal representation of data should not ignore the case.
-"""
-
-import abc
-import six
-
-
-
-@six.add_metaclass(abc.ABCMeta)
-class ParserNode(object):
-    """
-    ParserNode is the basic building block of the tree of such nodes,
-    representing the structure of the configuration. It is largely meant to keep
-    the structure information intact and idiomatically accessible.
-
-    The root node as well as the child nodes of it should be instances of ParserNode.
-    Nodes keep track of their differences to on-disk representation of configuration
-    by marking modified ParserNodes as dirty to enable partial write-to-disk for
-    different files in the configuration structure.
-
-    While for the most parts the usage and the child types are obvious, "include"-
-    and similar directives are an exception to this rule. This is because of the
-    nature of include directives - which unroll the contents of another file or
-    configuration block to their place. While we could unroll the included nodes
-    to the parent tree, it remains important to keep the context of include nodes
-    separate in order to write back the original configuration as it was.
-
-    For parsers that require the implementation to keep track of the whitespacing,
-    it's responsibility of each ParserNode object itself to store its prepending
-    whitespaces in order to be able to reconstruct the complete configuration file
-    as it was when originally read from the disk.
-
-    ParserNode objects should have the following attributes:
-
-    # Reference to ancestor node, or None if the node is the root node of the
-    # configuration tree.
-    ancestor: Optional[ParserNode]
-
-    # True if this node has been modified since last save.
-    dirty: bool
-
-    # Filepath of the file where the configuration element for this ParserNode
-    # object resides. For root node, the value for filepath is the httpd root
-    # configuration file. Filepath can be None if a configuration directive is
-    # defined in for example the httpd command line.
-    filepath: Optional[str]
-
-    # Metadata dictionary holds all the implementation specific key-value pairs
-    # for the ParserNode instance.
-    metadata: Dict[str, Any]
-    """
-
-    @abc.abstractmethod
-    def __init__(self, **kwargs):
-        """
-        Initializes the ParserNode instance, and sets the ParserNode specific
-        instance variables. This is not meant to be used directly, but through
-        specific classes implementing ParserNode interface.
-
-        :param ancestor: BlockNode ancestor for this CommentNode. Required.
-        :type ancestor: BlockNode or None
-
-        :param filepath: Filesystem path for the file where this CommentNode
-            does or should exist in the filesystem. Required.
-        :type filepath: str or None
-
-        :param dirty: Boolean flag for denoting if this CommentNode has been
-            created or changed after the last save. Default: False.
-        :type dirty: bool
-
-        :param metadata: Dictionary of metadata values for this ParserNode object.
-            Metadata information should be used only internally in the implementation.
-            Default: {}
-        :type metadata: dict
-        """
-
-    @abc.abstractmethod
-    def save(self, msg):
-        """
-        Save traverses the children, and attempts to write the AST to disk for
-        all the objects that are marked dirty. The actual operation of course
-        depends on the underlying implementation. save() shouldn't be called
-        from the Configurator outside of its designated save() method in order
-        to ensure that the Reverter checkpoints are created properly.
-
-        Note: this approach of keeping internal structure of the configuration
-        within the ParserNode tree does not represent the file inclusion structure
-        of actual configuration files that reside in the filesystem. To handle
-        file writes properly, the file specific temporary trees should be extracted
-        from the full ParserNode tree where necessary when writing to disk.
-
-        :param str msg: Message describing the reason for the save.
-
-        """
-
-    @abc.abstractmethod
-    def find_ancestors(self, name):
-        """
-        Traverses the ancestor tree up, searching for BlockNodes with a specific
-        name.
-
-        :param str name: Name of the ancestor BlockNode to search for
-
-        :returns: A list of ancestor BlockNodes that match the name
-        :rtype: list of BlockNode
-        """
-
-
-# Linter rule exclusion done because of https://github.com/PyCQA/pylint/issues/179
-@six.add_metaclass(abc.ABCMeta)  # pylint: disable=abstract-method
-class CommentNode(ParserNode):
-    """
-    CommentNode class is used for representation of comments within the parsed
-    configuration structure. Because of the nature of comments, it is not able
-    to have child nodes and hence it is always treated as a leaf node.
-
-    CommentNode stores its contents in class variable 'comment' and does not
-    have a specific name.
-
-    CommentNode objects should have the following attributes in addition to
-    the ones described in ParserNode:
-
-    # Contains the contents of the comment without the directive notation
-    # (typically # or /* ... */).
-    comment: str
-
-    """
-
-    @abc.abstractmethod
-    def __init__(self, **kwargs):
-        """
-        Initializes the CommentNode instance and sets its instance variables.
-
-        :param comment: Contents of the comment. Required.
-        :type comment: str
-
-        :param ancestor: BlockNode ancestor for this CommentNode. Required.
-        :type ancestor: BlockNode or None
-
-        :param filepath: Filesystem path for the file where this CommentNode
-            does or should exist in the filesystem. Required.
-        :type filepath: str or None
-
-        :param dirty: Boolean flag for denoting if this CommentNode has been
-            created or changed after the last save. Default: False.
-        :type dirty: bool
-        """
-        super(CommentNode, self).__init__(ancestor=kwargs['ancestor'],
-                                          dirty=kwargs.get('dirty', False),
-                                          filepath=kwargs['filepath'],
-                                          metadata=kwargs.get('metadata', {}))  # pragma: no cover
-
-
-@six.add_metaclass(abc.ABCMeta)
-class DirectiveNode(ParserNode):
-    """
-    DirectiveNode class represents a configuration directive within the configuration.
-    It can have zero or more parameters attached to it. Because of the nature of
-    single directives, it is not able to have child nodes and hence it is always
-    treated as a leaf node.
-
-    If a this directive was defined on the httpd command line, the ancestor instance
-    variable for this DirectiveNode should be None, and it should be inserted to the
-    beginning of root BlockNode children sequence.
-
-    DirectiveNode objects should have the following attributes in addition to
-    the ones described in ParserNode:
-
-    # True if this DirectiveNode is enabled and False if it is inside of an
-    # inactive conditional block.
-    enabled: bool
-
-    # Name, or key of the configuration directive. If BlockNode subclass of
-    # DirectiveNode is the root configuration node, the name should be None.
-    name: Optional[str]
-
-    # Tuple of parameters of this ParserNode object, excluding whitespaces.
-    parameters: Tuple[str, ...]
-
-    """
-
-    @abc.abstractmethod
-    def __init__(self, **kwargs):
-        """
-        Initializes the DirectiveNode instance and sets its instance variables.
-
-        :param name: Name or key of the DirectiveNode object. Required.
-        :type name: str or None
-
-        :param tuple parameters: Tuple of str parameters for this DirectiveNode.
-            Default: ().
-        :type parameters: tuple
-
-        :param ancestor: BlockNode ancestor for this DirectiveNode, or None for
-            root configuration node. Required.
-        :type ancestor: BlockNode or None
-
-        :param filepath: Filesystem path for the file where this DirectiveNode
-            does or should exist in the filesystem, or None for directives introduced
-            in the httpd command line. Required.
-        :type filepath: str or None
-
-        :param dirty: Boolean flag for denoting if this DirectiveNode has been
-            created or changed after the last save. Default: False.
-        :type dirty: bool
-
-        :param enabled: True if this DirectiveNode object is parsed in the active
-            configuration of the httpd. False if the DirectiveNode exists within a
-            unmatched conditional configuration block. Default: True.
-        :type enabled: bool
-
-        """
-        super(DirectiveNode, self).__init__(ancestor=kwargs['ancestor'],
-                                            dirty=kwargs.get('dirty', False),
-                                            filepath=kwargs['filepath'],
-                                            metadata=kwargs.get('metadata', {}))  # pragma: no cover
-
-    @abc.abstractmethod
-    def set_parameters(self, parameters):
-        """
-        Sets the sequence of parameters for this ParserNode object without
-        whitespaces. While the whitespaces for parameters are discarded when using
-        this method, the whitespacing preceeding the ParserNode itself should be
-        kept intact.
-
-        :param list parameters: sequence of parameters
-        """
-
-
-@six.add_metaclass(abc.ABCMeta)
-class BlockNode(DirectiveNode):
-    """
-    BlockNode class represents a block of nested configuration directives, comments
-    and other blocks as its children. A BlockNode can have zero or more parameters
-    attached to it.
-
-    Configuration blocks typically consist of one or more child nodes of all possible
-    types. Because of this, the BlockNode class has various discovery and structure
-    management methods.
-
-    Lists of parameters used as an optional argument for some of the methods should
-    be lists of strings that are applicable parameters for each specific BlockNode
-    or DirectiveNode type. As an example, for a following configuration example:
-
-        <VirtualHost *:80>
-           ...
-        </VirtualHost>
-
-    The node type would be BlockNode, name would be 'VirtualHost' and its parameters
-    would be: ['*:80'].
-
-    While for the following example:
-
-        LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
-
-    The node type would be DirectiveNode, name would be 'LoadModule' and its
-    parameters would be: ['alias_module', '/usr/lib/apache2/modules/mod_alias.so']
-
-    The applicable parameters are dependent on the underlying configuration language
-    and its grammar.
-
-    BlockNode objects should have the following attributes in addition to
-    the ones described in DirectiveNode:
-
-    # Tuple of direct children of this BlockNode object. The order of children
-    # in this tuple retain the order of elements in the parsed configuration
-    # block.
-    children: Tuple[ParserNode, ...]
-
-    """
-
-    @abc.abstractmethod
-    def add_child_block(self, name, parameters=None, position=None):
-        """
-        Adds a new BlockNode child node with provided values and marks the callee
-        BlockNode dirty. This is used to add new children to the AST. The preceeding
-        whitespaces should not be added based on the ancestor or siblings for the
-        newly created object. This is to match the current behavior of the legacy
-        parser implementation.
-
-        :param str name: The name of the child node to add
-        :param list parameters: list of parameters for the node
-        :param int position: Position in the list of children to add the new child
-            node to. Defaults to None, which appends the newly created node to the list.
-            If an integer is given, the child is inserted before that index in the
-            list similar to list().insert.
-
-        :returns: BlockNode instance of the created child block
-
-        """
-
-    @abc.abstractmethod
-    def add_child_directive(self, name, parameters=None, position=None):
-        """
-        Adds a new DirectiveNode child node with provided values and marks the
-        callee BlockNode dirty. This is used to add new children to the AST. The
-        preceeding whitespaces should not be added based on the ancestor or siblings
-        for the newly created object. This is to match the current behavior of the
-        legacy parser implementation.
-
-
-        :param str name: The name of the child node to add
-        :param list parameters: list of parameters for the node
-        :param int position: Position in the list of children to add the new child
-            node to. Defaults to None, which appends the newly created node to the list.
-            If an integer is given, the child is inserted before that index in the
-            list similar to list().insert.
-
-        :returns: DirectiveNode instance of the created child directive
-
-        """
-
-    @abc.abstractmethod
-    def add_child_comment(self, comment="", position=None):
-        """
-        Adds a new CommentNode child node with provided value and marks the
-        callee BlockNode dirty. This is used to add new children to the AST. The
-        preceeding whitespaces should not be added based on the ancestor or siblings
-        for the newly created object. This is to match the current behavior of the
-        legacy parser implementation.
-
-
-        :param str comment: Comment contents
-        :param int position: Position in the list of children to add the new child
-            node to. Defaults to None, which appends the newly created node to the list.
-            If an integer is given, the child is inserted before that index in the
-            list similar to list().insert.
-
-        :returns: CommentNode instance of the created child comment
-
-        """
-
-    @abc.abstractmethod
-    def find_blocks(self, name, exclude=True):
-        """
-        Find a configuration block by name. This method walks the child tree of
-        ParserNodes under the instance it was called from. This way it is possible
-        to search for the whole configuration tree, when starting from root node or
-        to do a partial search when starting from a specified branch. The lookup
-        should be case insensitive.
-
-        :param str name: The name of the directive to search for
-        :param bool exclude: If the search results should exclude the contents of
-            ParserNode objects that reside within conditional blocks and because
-            of current state are not enabled.
-
-        :returns: A list of found BlockNode objects.
-        """
-
-    @abc.abstractmethod
-    def find_directives(self, name, exclude=True):
-        """
-        Find a directive by name. This method walks the child tree of ParserNodes
-        under the instance it was called from. This way it is possible to search
-        for the whole configuration tree, when starting from root node, or to do
-        a partial search when starting from a specified branch. The lookup should
-        be case insensitive.
-
-        :param str name: The name of the directive to search for
-        :param bool exclude: If the search results should exclude the contents of
-            ParserNode objects that reside within conditional blocks and because
-            of current state are not enabled.
-
-        :returns: A list of found DirectiveNode objects.
-
-        """
-
-    @abc.abstractmethod
-    def find_comments(self, comment):
-        """
-        Find comments with value containing the search term.
-
-        This method walks the child tree of ParserNodes under the instance it was
-        called from. This way it is possible to search for the whole configuration
-        tree, when starting from root node, or to do a partial search when starting
-        from a specified branch. The lookup should be case sensitive.
-
-        :param str comment: The content of comment to search for
-
-        :returns: A list of found CommentNode objects.
-
-        """
-
-    @abc.abstractmethod
-    def delete_child(self, child):
-        """
-        Remove a specified child node from the list of children of the called
-        BlockNode object.
-
-        :param ParserNode child: Child ParserNode object to remove from the list
-            of children of the callee.
-        """
-
-    @abc.abstractmethod
-    def unsaved_files(self):
-        """
-        Returns a list of file paths that have been changed since the last save
-        (or the initial configuration parse). The intended use for this method
-        is to tell the Reverter which files need to be included in a checkpoint.
-
-        This is typically called for the root of the ParserNode tree.
-
-        :returns: list of file paths of files that have been changed but not yet
-            saved to disk.
-        """
-
-    @abc.abstractmethod
-    def parsed_paths(self):
-        """
-        Returns a list of file paths that have currently been parsed into the parser
-        tree. The returned list may include paths with wildcard characters, for
-        example: ['/etc/apache2/conf.d/*.load']
-
-        This is typically called on the root node of the ParserNode tree.
-
-        :returns: list of file paths of files that have been parsed
-        """
--- a/certbot-apache/certbot_apache/_internal/obj.py
+++ b/certbot-apache/certbot_apache/_internal/obj.py
@@ -1,7 +1,7 @@
 """Module contains classes used by the Apache Configurator."""
 import re

-from acme.magic_typing import Set
+from acme.magic_typing import Set # pylint: disable=unused-import, no-name-in-module
 from certbot.plugins import common


@@ -124,7 +124,7 @@ class VirtualHost(object):
    strip_name = re.compile(r"^(?:.+://)?([^ :$]*)")

    def __init__(self, filep, path, addrs, ssl, enabled, name=None,
-                 aliases=None, modmacro=False, ancestor=None, node=None):
+                 aliases=None, modmacro=False, ancestor=None):

        """Initialize a VH."""
        self.filep = filep
@@ -136,7 +136,6 @@ class VirtualHost(object):
        self.enabled = enabled
        self.modmacro = modmacro
        self.ancestor = ancestor
-        self.node = node

    def get_names(self):
        """Return a set of all names."""
--- a/certbot-apache/certbot_apache/_internal/options-ssl-apache.conf
+++ b/certbot-apache/certbot_apache/_internal/options-ssl-apache.conf
@@ -0,0 +1,26 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+SSLEngine on
+
+# Intermediate configuration, tweak to your needs
+SSLProtocol             all -SSLv2 -SSLv3
+SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+SSLHonorCipherOrder     on
+SSLCompression          off
+
+SSLOptions +StrictRequire
+
+# Add vhost name to log entries:
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
+LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
+
+#CustomLog /var/log/apache2/access.log vhost_combined
+#LogLevel warn
+#ErrorLog /var/log/apache2/error.log
+
+# Always ensure Cookies have "Secure" set (JAH 2012/1)
+#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
--- a/certbot-apache/certbot_apache/_internal/override_arch.py
+++ b/certbot-apache/certbot_apache/_internal/override_arch.py
@@ -1,9 +1,12 @@
 """ Distribution specific override class for Arch Linux """
+import pkg_resources
+
 import zope.interface

 from certbot import interfaces
-from certbot_apache._internal import configurator
+from certbot.compat import os

+from certbot_apache._internal import configurator

@zope.interface.provider(interfaces.IPluginFactory)
 class ArchConfigurator(configurator.ApacheConfigurator):
@@ -24,4 +27,6 @@ class ArchConfigurator(configurator.ApacheConfigurator):
        handle_modules=False,
        handle_sites=False,
        challenge_location="/etc/httpd/conf",
+        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
+            "certbot_apache", os.path.join("_internal", "options-ssl-apache.conf"))
    )
--- a/certbot-apache/certbot_apache/_internal/override_centos.py
+++ b/certbot-apache/certbot_apache/_internal/override_centos.py
@@ -1,17 +1,22 @@
 """ Distribution specific override class for CentOS family (RHEL, Fedora) """
 import logging

+import pkg_resources
 import zope.interface

-from acme.magic_typing import List
 from certbot import errors
 from certbot import interfaces
 from certbot import util
+from certbot.compat import os
 from certbot.errors import MisconfigurationError
+
+from acme.magic_typing import List  # pylint: disable=unused-import, no-name-in-module
+
 from certbot_apache._internal import apache_util
 from certbot_apache._internal import configurator
 from certbot_apache._internal import parser

+
 logger = logging.getLogger(__name__)


@@ -35,6 +40,8 @@ class CentOSConfigurator(configurator.ApacheConfigurator):
        handle_modules=False,
        handle_sites=False,
        challenge_location="/etc/httpd/conf.d",
+        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
+            "certbot_apache", os.path.join("_internal", "centos-options-ssl-apache.conf"))
    )

    def config_test(self):
--- a/certbot-apache/certbot_apache/_internal/override_darwin.py
+++ b/certbot-apache/certbot_apache/_internal/override_darwin.py
@@ -1,9 +1,12 @@
 """ Distribution specific override class for macOS """
+import pkg_resources
+
 import zope.interface

 from certbot import interfaces
-from certbot_apache._internal import configurator
+from certbot.compat import os

+from certbot_apache._internal import configurator

@zope.interface.provider(interfaces.IPluginFactory)
 class DarwinConfigurator(configurator.ApacheConfigurator):
@@ -24,4 +27,6 @@ class DarwinConfigurator(configurator.ApacheConfigurator):
        handle_modules=False,
        handle_sites=False,
        challenge_location="/etc/apache2/other",
+        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
+            "certbot_apache", os.path.join("_internal", "options-ssl-apache.conf"))
    )
--- a/certbot-apache/certbot_apache/_internal/override_debian.py
+++ b/certbot-apache/certbot_apache/_internal/override_debian.py
@@ -1,6 +1,7 @@
 """ Distribution specific override class for Debian family (Ubuntu/Debian) """
 import logging

+import pkg_resources
 import zope.interface

 from certbot import errors
@@ -8,6 +9,7 @@ from certbot import interfaces
 from certbot import util
 from certbot.compat import filesystem
 from certbot.compat import os
+
 from certbot_apache._internal import apache_util
 from certbot_apache._internal import configurator

@@ -33,6 +35,8 @@ class DebianConfigurator(configurator.ApacheConfigurator):
        handle_modules=True,
        handle_sites=True,
        challenge_location="/etc/apache2",
+        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
+            "certbot_apache", os.path.join("_internal", "options-ssl-apache.conf"))
    )

    def enable_site(self, vhost):
@@ -67,14 +71,15 @@ class DebianConfigurator(configurator.ApacheConfigurator):
                # Already in shape
                vhost.enabled = True
                return None
-            logger.warning(
-                "Could not symlink %s to %s, got error: %s", enabled_path,
-                vhost.filep, err.strerror)
-            errstring = ("Encountered error while trying to enable a " +
-                         "newly created VirtualHost located at {0} by " +
-                         "linking to it from {1}")
-            raise errors.NotSupportedError(errstring.format(vhost.filep,
-                                                            enabled_path))
+            else:
+                logger.warning(
+                    "Could not symlink %s to %s, got error: %s", enabled_path,
+                    vhost.filep, err.strerror)
+                errstring = ("Encountered error while trying to enable a " +
+                             "newly created VirtualHost located at {0} by " +
+                             "linking to it from {1}")
+                raise errors.NotSupportedError(errstring.format(vhost.filep,
+                                                                enabled_path))
        vhost.enabled = True
        logger.info("Enabling available site: %s", vhost.filep)
        self.save_notes += "Enabled site %s\n" % vhost.filep
--- a/certbot-apache/certbot_apache/_internal/override_fedora.py
+++ b/certbot-apache/certbot_apache/_internal/override_fedora.py
@@ -1,9 +1,12 @@
 """ Distribution specific override class for Fedora 29+ """
+import pkg_resources
 import zope.interface

 from certbot import errors
 from certbot import interfaces
 from certbot import util
+from certbot.compat import os
+
 from certbot_apache._internal import apache_util
 from certbot_apache._internal import configurator
 from certbot_apache._internal import parser
@@ -29,6 +32,9 @@ class FedoraConfigurator(configurator.ApacheConfigurator):
        handle_modules=False,
        handle_sites=False,
        challenge_location="/etc/httpd/conf.d",
+        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
+            # TODO: eventually newest version of Fedora will need their own config
+            "certbot_apache", os.path.join("_internal", "centos-options-ssl-apache.conf"))
    )

    def config_test(self):
--- a/certbot-apache/certbot_apache/_internal/override_gentoo.py
+++ b/certbot-apache/certbot_apache/_internal/override_gentoo.py
@@ -1,12 +1,15 @@
 """ Distribution specific override class for Gentoo Linux """
+import pkg_resources
+
 import zope.interface

 from certbot import interfaces
+from certbot.compat import os
+
 from certbot_apache._internal import apache_util
 from certbot_apache._internal import configurator
 from certbot_apache._internal import parser

-
@zope.interface.provider(interfaces.IPluginFactory)
 class GentooConfigurator(configurator.ApacheConfigurator):
    """Gentoo specific ApacheConfigurator override class"""
@@ -27,6 +30,8 @@ class GentooConfigurator(configurator.ApacheConfigurator):
        handle_modules=False,
        handle_sites=False,
        challenge_location="/etc/apache2/vhosts.d",
+        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
+            "certbot_apache", os.path.join("_internal", "options-ssl-apache.conf"))
    )

    def _prepare_options(self):
@@ -66,6 +71,6 @@ class GentooParser(parser.ApacheParser):
    def update_modules(self):
        """Get loaded modules from httpd process, and add them to DOM"""
        mod_cmd = [self.configurator.option("ctl"), "modules"]
-        matches = apache_util.parse_from_subprocess(mod_cmd, r"(.*)_module")
+        matches = self.parse_from_subprocess(mod_cmd, r"(.*)_module")
        for mod in matches:
            self.add_mod(mod.strip())
--- a/certbot-apache/certbot_apache/_internal/override_suse.py
+++ b/certbot-apache/certbot_apache/_internal/override_suse.py
@@ -1,9 +1,12 @@
 """ Distribution specific override class for OpenSUSE """
+import pkg_resources
+
 import zope.interface

 from certbot import interfaces
-from certbot_apache._internal import configurator
+from certbot.compat import os

+from certbot_apache._internal import configurator

@zope.interface.provider(interfaces.IPluginFactory)
 class OpenSUSEConfigurator(configurator.ApacheConfigurator):
@@ -24,4 +27,6 @@ class OpenSUSEConfigurator(configurator.ApacheConfigurator):
        handle_modules=False,
        handle_sites=False,
        challenge_location="/etc/apache2/vhosts.d",
+        MOD_SSL_CONF_SRC=pkg_resources.resource_filename(
+            "certbot_apache", os.path.join("_internal", "options-ssl-apache.conf"))
    )
--- a/certbot-apache/certbot_apache/_internal/parser.py
+++ b/certbot-apache/certbot_apache/_internal/parser.py
@@ -3,15 +3,16 @@ import copy
 import fnmatch
 import logging
 import re
+import subprocess
 import sys

 import six

-from acme.magic_typing import Dict
-from acme.magic_typing import List
+from acme.magic_typing import Dict, List, Set  # pylint: disable=unused-import, no-name-in-module
+
 from certbot import errors
 from certbot.compat import os
-from certbot_apache._internal import apache_util
+
 from certbot_apache._internal import constants

 logger = logging.getLogger(__name__)
@@ -30,7 +31,7 @@ class ApacheParser(object):

    """
    arg_var_interpreter = re.compile(r"\$\{[^ \}]*}")
-    fnmatch_chars = {"*", "?", "\\", "[", "]"}
+    fnmatch_chars = set(["*", "?", "\\", "[", "]"])

    def __init__(self, root, vhostroot=None, version=(2, 4),
                 configurator=None):
@@ -51,7 +52,7 @@ class ApacheParser(object):
                "version 1.2.0 or higher, please make sure you have you have "
                "those installed.")

-        self.modules = {}  # type: Dict[str, str]
+        self.modules = set()  # type: Set[str]
        self.parser_paths = {}  # type: Dict[str, List[str]]
        self.variables = {}  # type: Dict[str, str]

@@ -248,14 +249,14 @@ class ApacheParser(object):
    def add_mod(self, mod_name):
        """Shortcut for updating parser modules."""
        if mod_name + "_module" not in self.modules:
-            self.modules[mod_name + "_module"] = None
+            self.modules.add(mod_name + "_module")
        if "mod_" + mod_name + ".c" not in self.modules:
-            self.modules["mod_" + mod_name + ".c"] = None
+            self.modules.add("mod_" + mod_name + ".c")

    def reset_modules(self):
        """Reset the loaded modules list. This is called from cleanup to clear
        temporarily loaded modules."""
-        self.modules = {}
+        self.modules = set()
        self.update_modules()
        self.parse_modules()

@@ -266,7 +267,7 @@ class ApacheParser(object):
            the iteration issue.  Else... parse and enable mods at same time.

        """
-        mods = {}  # type: Dict[str, str]
+        mods = set()  # type: Set[str]
        matches = self.find_dir("LoadModule")
        iterator = iter(matches)
        # Make sure prev_size != cur_size for do: while: iteration
@@ -280,24 +281,41 @@ class ApacheParser(object):
                mod_name = self.get_arg(match_name)
                mod_filename = self.get_arg(match_filename)
                if mod_name and mod_filename:
-                    mods[mod_name] = mod_filename
-                    mods[os.path.basename(mod_filename)[:-2] + "c"] = mod_filename
+                    mods.add(mod_name)
+                    mods.add(os.path.basename(mod_filename)[:-2] + "c")
                else:
-                    logger.debug("Could not read LoadModule directive from Augeas path: %s",
-                                 match_name[6:])
+                    logger.debug("Could not read LoadModule directive from " +
+                                 "Augeas path: %s", match_name[6:])
        self.modules.update(mods)

    def update_runtime_variables(self):
        """Update Includes, Defines and Includes from httpd config dump data"""
-
        self.update_defines()
        self.update_includes()
        self.update_modules()

    def update_defines(self):
-        """Updates the dictionary of known variables in the configuration"""
+        """Get Defines from httpd process"""

-        self.variables = apache_util.parse_defines(self.configurator.option("ctl"))
+        variables = dict()
+        define_cmd = [self.configurator.option("ctl"), "-t", "-D",
+                      "DUMP_RUN_CFG"]
+        matches = self.parse_from_subprocess(define_cmd, r"Define: ([^ \n]*)")
+        try:
+            matches.remove("DUMP_RUN_CFG")
+        except ValueError:
+            return
+
+        for match in matches:
+            if match.count("=") > 1:
+                logger.error("Unexpected number of equal signs in "
+                             "runtime config dump.")
+                raise errors.PluginError(
+                    "Error parsing Apache runtime variables")
+            parts = match.partition("=")
+            variables[parts[0]] = parts[2]
+
+        self.variables = variables

    def update_includes(self):
        """Get includes from httpd process, and add them to DOM if needed"""
@@ -307,7 +325,9 @@ class ApacheParser(object):
        # configuration files
        _ = self.find_dir("Include")

-        matches = apache_util.parse_includes(self.configurator.option("ctl"))
+        inc_cmd = [self.configurator.option("ctl"), "-t", "-D",
+                   "DUMP_INCLUDES"]
+        matches = self.parse_from_subprocess(inc_cmd, r"\(.*\) (.*)")
        if matches:
            for i in matches:
                if not self.parsed_in_current(i):
@@ -316,11 +336,57 @@ class ApacheParser(object):
    def update_modules(self):
        """Get loaded modules from httpd process, and add them to DOM"""

-        matches = apache_util.parse_modules(self.configurator.option("ctl"))
+        mod_cmd = [self.configurator.option("ctl"), "-t", "-D",
+                       "DUMP_MODULES"]
+        matches = self.parse_from_subprocess(mod_cmd, r"(.*)_module")
        for mod in matches:
            self.add_mod(mod.strip())

-    def filter_args_num(self, matches, args):
+    def parse_from_subprocess(self, command, regexp):
+        """Get values from stdout of subprocess command
+
+        :param list command: Command to run
+        :param str regexp: Regexp for parsing
+
+        :returns: list parsed from command output
+        :rtype: list
+
+        """
+        stdout = self._get_runtime_cfg(command)
+        return re.compile(regexp).findall(stdout)
+
+    def _get_runtime_cfg(self, command):  # pylint: disable=no-self-use
+        """Get runtime configuration info.
+        :param command: Command to run
+
+        :returns: stdout from command
+
+        """
+        try:
+            proc = subprocess.Popen(
+                command,
+                stdout=subprocess.PIPE,
+                stderr=subprocess.PIPE,
+                universal_newlines=True)
+            stdout, stderr = proc.communicate()
+
+        except (OSError, ValueError):
+            logger.error(
+                "Error running command %s for runtime parameters!%s",
+                command, os.linesep)
+            raise errors.MisconfigurationError(
+                "Error accessing loaded Apache parameters: {0}".format(
+                command))
+        # Small errors that do not impede
+        if proc.returncode != 0:
+            logger.warning("Error in checking parameter list: %s", stderr)
+            raise errors.MisconfigurationError(
+                "Apache is unable to check whether or not the module is "
+                "loaded because Apache is misconfigured.")
+
+        return stdout
+
+    def filter_args_num(self, matches, args):  # pylint: disable=no-self-use
        """Filter out directives with specific number of arguments.

        This function makes the assumption that all related arguments are given
@@ -546,7 +612,7 @@ class ApacheParser(object):
            "%s//*[self::directive=~regexp('%s')]" % (start, regex))

        if exclude:
-            matches = self.exclude_dirs(matches)
+            matches = self._exclude_dirs(matches)

        if arg is None:
            arg_suffix = "/arg"
@@ -559,7 +625,7 @@ class ApacheParser(object):
        # https://httpd.apache.org/docs/2.4/mod/core.html#include
        for match in matches:
            dir_ = self.aug.get(match).lower()
-            if dir_ in ("include", "includeoptional"):
+            if dir_ == "include" or dir_ == "includeoptional":
                ordered_matches.extend(self.find_dir(
                    directive, arg,
                    self._get_include_path(self.get_arg(match + "/arg")),
@@ -599,7 +665,8 @@ class ApacheParser(object):
        # e.g. strip now, not later
        if not value:
            return None
-        value = value.strip("'\"")
+        else:
+            value = value.strip("'\"")

        variables = ApacheParser.arg_var_interpreter.findall(value)

@@ -612,15 +679,9 @@ class ApacheParser(object):

        return value

-    def get_root_augpath(self):
-        """
-        Returns the Augeas path of root configuration.
-        """
-        return get_aug_path(self.loc["root"])
-
-    def exclude_dirs(self, matches):
+    def _exclude_dirs(self, matches):
        """Exclude directives that are not loaded into the configuration."""
-        filters = [("ifmodule", self.modules.keys()), ("ifdefine", self.variables)]
+        filters = [("ifmodule", self.modules), ("ifdefine", self.variables)]

        valid_matches = []

@@ -661,25 +722,6 @@ class ApacheParser(object):

        return True

-    def standard_path_from_server_root(self, arg):
-        """Ensure paths are consistent and absolute
-
-        :param str arg: Argument of directive
-
-        :returns: Standardized argument path
-        :rtype: str
-        """
-        # Remove beginning and ending quotes
-        arg = arg.strip("'\"")
-
-        # Standardize the include argument based on server root
-        if not arg.startswith("/"):
-            # Normpath will condense ../
-            arg = os.path.normpath(os.path.join(self.root, arg))
-        else:
-            arg = os.path.normpath(arg)
-        return arg
-
    def _get_include_path(self, arg):
        """Converts an Apache Include directive into Augeas path.

@@ -700,7 +742,16 @@ class ApacheParser(object):
        # if matchObj.group() != arg:
        #     logger.error("Error: Invalid regexp characters in %s", arg)
        #     return []
-        arg = self.standard_path_from_server_root(arg)
+
+        # Remove beginning and ending quotes
+        arg = arg.strip("'\"")
+
+        # Standardize the include argument based on server root
+        if not arg.startswith("/"):
+            # Normpath will condense ../
+            arg = os.path.normpath(os.path.join(self.root, arg))
+        else:
+            arg = os.path.normpath(arg)

        # Attempts to add a transform to the file if one does not already exist
        if os.path.isdir(arg):
@@ -714,7 +765,7 @@ class ApacheParser(object):
        split_arg = arg.split("/")
        for idx, split in enumerate(split_arg):
            if any(char in ApacheParser.fnmatch_chars for char in split):
-                # Turn it into an augeas regex
+                # Turn it into a augeas regex
                # TODO: Can this instead be an augeas glob instead of regex
                split_arg[idx] = ("* [label()=~regexp('%s')]" %
                                  self.fnmatch_to_re(split))
@@ -724,7 +775,7 @@ class ApacheParser(object):

        return get_aug_path(arg)

-    def fnmatch_to_re(self, clean_fn_match):
+    def fnmatch_to_re(self, clean_fn_match):  # pylint: disable=no-self-use
        """Method converts Apache's basic fnmatch to regular expression.

        Assumption - Configs are assumed to be well-formed and only writable by
@@ -741,7 +792,7 @@ class ApacheParser(object):
        """
        if sys.version_info < (3, 6):
            # This strips off final /Z(?ms)
-            return fnmatch.translate(clean_fn_match)[:-7]  # pragma: no cover
+            return fnmatch.translate(clean_fn_match)[:-7]
        # Since Python 3.6, it returns a different pattern like (?s:.*\.load)\Z
        return fnmatch.translate(clean_fn_match)[4:-3]  # pragma: no cover

@@ -945,8 +996,8 @@ def case_i(string):
    :param str string: string to make case i regex

    """
-    return "".join("[" + c.upper() + c.lower() + "]"
-                    if c.isalpha() else c for c in re.escape(string))
+    return "".join(["[" + c.upper() + c.lower() + "]"
+                    if c.isalpha() else c for c in re.escape(string)])


 def get_aug_path(file_path):
--- a/certbot-apache/certbot_apache/_internal/parsernode_util.py
+++ b/certbot-apache/certbot_apache/_internal/parsernode_util.py
@@ -1,129 +0,0 @@
-"""ParserNode utils"""
-
-
-def validate_kwargs(kwargs, required_names):
-    """
-    Ensures that the kwargs dict has all the expected values. This function modifies
-    the kwargs dictionary, and hence the returned dictionary should be used instead
-    in the caller function instead of the original kwargs.
-
-    :param dict kwargs: Dictionary of keyword arguments to validate.
-    :param list required_names: List of required parameter names.
-    """
-
-    validated_kwargs = {}
-    for name in required_names:
-        try:
-            validated_kwargs[name] = kwargs.pop(name)
-        except KeyError:
-            raise TypeError("Required keyword argument: {} undefined.".format(name))
-
-    # Raise exception if unknown key word arguments are found.
-    if kwargs:
-        unknown = ", ".join(kwargs.keys())
-        raise TypeError("Unknown keyword argument(s): {}".format(unknown))
-    return validated_kwargs
-
-
-def parsernode_kwargs(kwargs):
-    """
-    Validates keyword arguments for ParserNode. This function modifies the kwargs
-    dictionary, and hence the returned dictionary should be used instead in the
-    caller function instead of the original kwargs.
-
-    If metadata is provided, the otherwise required argument "filepath" may be
-    omitted if the implementation is able to extract its value from the metadata.
-    This usecase is handled within this function. Filepath defaults to None.
-
-    :param dict kwargs: Keyword argument dictionary to validate.
-
-    :returns: Tuple of validated and prepared arguments.
-    """
-
-    # As many values of ParserNode instances can be derived from the metadata,
-    # (ancestor being a common exception here) make sure we permit it here as well.
-    if "metadata" in kwargs:
-        # Filepath can be derived from the metadata in Augeas implementation.
-        # Default is None, as in this case the responsibility of populating this
-        # variable lies on the implementation.
-        kwargs.setdefault("filepath", None)
-
-    kwargs.setdefault("dirty", False)
-    kwargs.setdefault("metadata", {})
-
-    kwargs = validate_kwargs(kwargs, ["ancestor", "dirty", "filepath", "metadata"])
-    return kwargs["ancestor"], kwargs["dirty"], kwargs["filepath"], kwargs["metadata"]
-
-
-def commentnode_kwargs(kwargs):
-    """
-    Validates keyword arguments for CommentNode and sets the default values for
-    optional kwargs. This function modifies the kwargs dictionary, and hence the
-    returned dictionary should be used instead in the caller function instead of
-    the original kwargs.
-
-    If metadata is provided, the otherwise required argument "comment" may be
-    omitted if the implementation is able to extract its value from the metadata.
-    This usecase is handled within this function.
-
-    :param dict kwargs: Keyword argument dictionary to validate.
-
-    :returns: Tuple of validated and prepared arguments and ParserNode kwargs.
-    """
-
-    # As many values of ParserNode instances can be derived from the metadata,
-    # (ancestor being a common exception here) make sure we permit it here as well.
-    if "metadata" in kwargs:
-        kwargs.setdefault("comment", None)
-        # Filepath can be derived from the metadata in Augeas implementation.
-        # Default is None, as in this case the responsibility of populating this
-        # variable lies on the implementation.
-        kwargs.setdefault("filepath", None)
-
-    kwargs.setdefault("dirty", False)
-    kwargs.setdefault("metadata", {})
-
-    kwargs = validate_kwargs(kwargs, ["ancestor", "dirty", "filepath", "comment",
-                                      "metadata"])
-
-    comment = kwargs.pop("comment")
-    return comment, kwargs
-
-
-def directivenode_kwargs(kwargs):
-    """
-    Validates keyword arguments for DirectiveNode and BlockNode and sets the
-    default values for optional kwargs. This function modifies the kwargs
-    dictionary, and hence the returned dictionary should be used instead in the
-    caller function instead of the original kwargs.
-
-    If metadata is provided, the otherwise required argument "name" may be
-    omitted if the implementation is able to extract its value from the metadata.
-    This usecase is handled within this function.
-
-    :param dict kwargs: Keyword argument dictionary to validate.
-
-    :returns: Tuple of validated and prepared arguments and ParserNode kwargs.
-    """
-
-    # As many values of ParserNode instances can be derived from the metadata,
-    # (ancestor being a common exception here) make sure we permit it here as well.
-    if "metadata" in kwargs:
-        kwargs.setdefault("name", None)
-        # Filepath can be derived from the metadata in Augeas implementation.
-        # Default is None, as in this case the responsibility of populating this
-        # variable lies on the implementation.
-        kwargs.setdefault("filepath", None)
-
-    kwargs.setdefault("dirty", False)
-    kwargs.setdefault("enabled", True)
-    kwargs.setdefault("parameters", ())
-    kwargs.setdefault("metadata", {})
-
-    kwargs = validate_kwargs(kwargs, ["ancestor", "dirty", "filepath", "name",
-                                      "parameters", "enabled", "metadata"])
-
-    name = kwargs.pop("name")
-    parameters = kwargs.pop("parameters")
-    enabled = kwargs.pop("enabled")
-    return name, parameters, enabled, kwargs
--- a/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
+++ b/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
@@ -1,19 +0,0 @@
-# This file contains important security parameters. If you modify this file
-# manually, Certbot will be unable to automatically provide future security
-# updates. Instead, Certbot will print and log an error message with a path to
-# the up-to-date file that you will need to refer to when manually updating
-# this file.
-
-SSLEngine on
-
-# Intermediate configuration, tweak to your needs
-SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
-SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-SSLHonorCipherOrder     off
-SSLSessionTickets       off
-
-SSLOptions +StrictRequire
-
-# Add vhost name to log entries:
-LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
-LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
--- a/certbot-apache/certbot_apache/_internal/tls_configs/old-options-ssl-apache.conf
+++ b/certbot-apache/certbot_apache/_internal/tls_configs/old-options-ssl-apache.conf
@@ -1,18 +0,0 @@
-# This file contains important security parameters. If you modify this file
-# manually, Certbot will be unable to automatically provide future security
-# updates. Instead, Certbot will print and log an error message with a path to
-# the up-to-date file that you will need to refer to when manually updating
-# this file.
-
-SSLEngine on
-
-# Intermediate configuration, tweak to your needs
-SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
-SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-SSLHonorCipherOrder     off
-
-SSLOptions +StrictRequire
-
-# Add vhost name to log entries:
-LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
-LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
--- a/certbot-apache/local-oldest-requirements.txt
+++ b/certbot-apache/local-oldest-requirements.txt
@@ -1,3 +1,3 @@
 # Remember to update setup.py to match the package versions below.
 acme[dev]==0.29.0
-certbot[dev]==1.1.0
+certbot[dev]==0.39.0
--- a/certbot-apache/setup.py
+++ b/certbot-apache/setup.py
@@ -1,36 +1,23 @@
-from distutils.version import StrictVersion
+from setuptools import setup
+from setuptools import find_packages
+from setuptools.command.test import test as TestCommand
 import sys

-from setuptools import __version__ as setuptools_version
-from setuptools import find_packages
-from setuptools import setup
-from setuptools.command.test import test as TestCommand

-version = '1.4.0.dev0'
+version = '1.0.0.dev0'

 # Remember to update local-oldest-requirements.txt when changing the minimum
 # acme/certbot version.
 install_requires = [
    'acme>=0.29.0',
-    'certbot>=1.1.0',
+    'certbot>=0.39.0',
+    'mock',
    'python-augeas',
    'setuptools',
    'zope.component',
    'zope.interface',
 ]

-setuptools_known_environment_markers = (StrictVersion(setuptools_version) >= StrictVersion('36.2'))
-if setuptools_known_environment_markers:
-    install_requires.append('mock ; python_version < "3.3"')
-elif 'bdist_wheel' in sys.argv[1:]:
-    raise RuntimeError('Error, you are trying to build certbot wheels using an old version '
-                       'of setuptools. Version 36.2+ of setuptools is required.')
-elif sys.version_info < (3,3):
-    install_requires.append('mock')
-
-dev_extras = [
-    'apacheconfig>=0.3.2',
-]

 class PyTest(TestCommand):
    user_options = []
@@ -55,7 +42,7 @@ setup(
    author="Certbot Project",
    author_email='client-dev@letsencrypt.org',
    license='Apache License 2.0',
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Environment :: Plugins',
@@ -66,6 +53,7 @@ setup(
        'Programming Language :: Python :: 2',
        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
+        'Programming Language :: Python :: 3.4',
        'Programming Language :: Python :: 3.5',
        'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: 3.7',
@@ -81,9 +69,6 @@ setup(
    packages=find_packages(),
    include_package_data=True,
    install_requires=install_requires,
-    extras_require={
-        'dev': dev_extras,
-    },
    entry_points={
        'certbot.plugins': [
            'apache = certbot_apache._internal.entrypoint:ENTRYPOINT',
--- a/certbot-apache/tests/augeasnode_test.py
+++ b/certbot-apache/tests/augeasnode_test.py
@@ -1,335 +0,0 @@
-"""Tests for AugeasParserNode classes"""
-try:
-    import mock
-except ImportError: # pragma: no cover
-    from unittest import mock # type: ignore
-
-import os
-import util
-
-from certbot import errors
-
-from certbot_apache._internal import assertions
-from certbot_apache._internal import augeasparser
-
-
-def _get_augeasnode_mock(filepath):
-    """ Helper function for mocking out DualNode instance with an AugeasNode """
-    def augeasnode_mock(metadata):
-        return augeasparser.AugeasBlockNode(
-            name=assertions.PASS,
-            ancestor=None,
-            filepath=filepath,
-            metadata=metadata)
-    return augeasnode_mock
-
-class AugeasParserNodeTest(util.ApacheTest):  # pylint: disable=too-many-public-methods
-    """Test AugeasParserNode using available test configurations"""
-
-    def setUp(self):  # pylint: disable=arguments-differ
-        super(AugeasParserNodeTest, self).setUp()
-
-        with mock.patch("certbot_apache._internal.configurator.ApacheConfigurator.get_parsernode_root") as mock_parsernode:
-            mock_parsernode.side_effect = _get_augeasnode_mock(
-                                              os.path.join(self.config_path, "apache2.conf"))
-            self.config = util.get_apache_configurator(
-                self.config_path, self.vhost_path, self.config_dir, self.work_dir, use_parsernode=True)
-        self.vh_truth = util.get_vh_truth(
-            self.temp_dir, "debian_apache_2_4/multiple_vhosts")
-
-    def test_save(self):
-        with mock.patch('certbot_apache._internal.parser.ApacheParser.save') as mock_save:
-            self.config.parser_root.save("A save message")
-        self.assertTrue(mock_save.called)
-        self.assertEqual(mock_save.call_args[0][0], "A save message")
-
-    def test_unsaved_files(self):
-        with mock.patch('certbot_apache._internal.parser.ApacheParser.unsaved_files') as mock_uf:
-            mock_uf.return_value = ["first", "second"]
-            files = self.config.parser_root.unsaved_files()
-        self.assertEqual(files, ["first", "second"])
-
-    def test_get_block_node_name(self):
-        from certbot_apache._internal.augeasparser import AugeasBlockNode
-        block = AugeasBlockNode(
-            name=assertions.PASS,
-            ancestor=None,
-            filepath=assertions.PASS,
-            metadata={"augeasparser": mock.Mock(), "augeaspath": "/files/anything"}
-        )
-        testcases = {
-            "/some/path/FirstNode/SecondNode": "SecondNode",
-            "/some/path/FirstNode/SecondNode/": "SecondNode",
-            "OnlyPathItem": "OnlyPathItem",
-            "/files/etc/apache2/apache2.conf/VirtualHost": "VirtualHost",
-            "/Anything": "Anything",
-        }
-        for test in testcases:
-            self.assertEqual(block._aug_get_name(test), testcases[test])  # pylint: disable=protected-access
-
-    def test_find_blocks(self):
-        blocks = self.config.parser_root.find_blocks("VirtualHost", exclude=False)
-        self.assertEqual(len(blocks), 12)
-
-    def test_find_blocks_case_insensitive(self):
-        vhs = self.config.parser_root.find_blocks("VirtualHost")
-        vhs2 = self.config.parser_root.find_blocks("viRtuAlHoST")
-        self.assertEqual(len(vhs), len(vhs2))
-
-    def test_find_directive_found(self):
-        directives = self.config.parser_root.find_directives("Listen")
-        self.assertEqual(len(directives), 1)
-        self.assertTrue(directives[0].filepath.endswith("/apache2/ports.conf"))
-        self.assertEqual(directives[0].parameters, (u'80',))
-
-    def test_find_directive_notfound(self):
-        directives = self.config.parser_root.find_directives("Nonexistent")
-        self.assertEqual(len(directives), 0)
-
-    def test_find_directive_from_block(self):
-        blocks = self.config.parser_root.find_blocks("virtualhost")
-        found = False
-        for vh in blocks:
-            if vh.filepath.endswith("sites-enabled/certbot.conf"):
-                servername = vh.find_directives("servername")
-                self.assertEqual(servername[0].parameters[0], "certbot.demo")
-                found = True
-        self.assertTrue(found)
-
-    def test_find_comments(self):
-        rootcomment = self.config.parser_root.find_comments(
-            "This is the main Apache server configuration file. "
-        )
-        self.assertEqual(len(rootcomment), 1)
-        self.assertTrue(rootcomment[0].filepath.endswith(
-            "debian_apache_2_4/multiple_vhosts/apache2/apache2.conf"
-        ))
-
-    def test_set_parameters(self):
-        servernames = self.config.parser_root.find_directives("servername")
-        names = []  # type: List[str]
-        for servername in servernames:
-            names += servername.parameters
-        self.assertFalse("going_to_set_this" in names)
-        servernames[0].set_parameters(["something", "going_to_set_this"])
-        servernames = self.config.parser_root.find_directives("servername")
-        names = []
-        for servername in servernames:
-            names += servername.parameters
-        self.assertTrue("going_to_set_this" in names)
-
-    def test_set_parameters_atinit(self):
-        from certbot_apache._internal.augeasparser import AugeasDirectiveNode
-        servernames = self.config.parser_root.find_directives("servername")
-        setparam = "certbot_apache._internal.augeasparser.AugeasDirectiveNode.set_parameters"
-        with mock.patch(setparam) as mock_set:
-            AugeasDirectiveNode(
-                name=servernames[0].name,
-                parameters=["test", "setting", "these"],
-                ancestor=assertions.PASS,
-                metadata=servernames[0].metadata
-            )
-            self.assertTrue(mock_set.called)
-            self.assertEqual(
-                mock_set.call_args_list[0][0][0],
-                ["test", "setting", "these"]
-            )
-
-    def test_set_parameters_delete(self):
-        # Set params
-        servername = self.config.parser_root.find_directives("servername")[0]
-        servername.set_parameters(["thisshouldnotexistpreviously", "another",
-                                   "third"])
-
-        # Delete params
-        servernames = self.config.parser_root.find_directives("servername")
-        found = False
-        for servername in servernames:
-            if "thisshouldnotexistpreviously" in servername.parameters:
-                self.assertEqual(len(servername.parameters), 3)
-                servername.set_parameters(["thisshouldnotexistpreviously"])
-                found = True
-        self.assertTrue(found)
-
-        # Verify params
-        servernames = self.config.parser_root.find_directives("servername")
-        found = False
-        for servername in servernames:
-            if "thisshouldnotexistpreviously" in servername.parameters:
-                self.assertEqual(len(servername.parameters), 1)
-                servername.set_parameters(["thisshouldnotexistpreviously"])
-                found = True
-        self.assertTrue(found)
-
-    def test_add_child_comment(self):
-        newc = self.config.parser_root.add_child_comment("The content")
-        comments = self.config.parser_root.find_comments("The content")
-        self.assertEqual(len(comments), 1)
-        self.assertEqual(
-            newc.metadata["augeaspath"],
-            comments[0].metadata["augeaspath"]
-        )
-        self.assertEqual(newc.comment, comments[0].comment)
-
-    def test_delete_child(self):
-        listens = self.config.parser_root.find_directives("Listen")
-        self.assertEqual(len(listens), 1)
-        self.config.parser_root.delete_child(listens[0])
-
-        listens = self.config.parser_root.find_directives("Listen")
-        self.assertEqual(len(listens), 0)
-
-    def test_delete_child_not_found(self):
-        listen = self.config.parser_root.find_directives("Listen")[0]
-        listen.metadata["augeaspath"] = "/files/something/nonexistent"
-
-        self.assertRaises(
-            errors.PluginError,
-            self.config.parser_root.delete_child,
-            listen
-        )
-
-    def test_add_child_block(self):
-        nb = self.config.parser_root.add_child_block(
-            "NewBlock",
-            ["first", "second"]
-        )
-        rpath, _, directive = nb.metadata["augeaspath"].rpartition("/")
-        self.assertEqual(
-            rpath,
-            self.config.parser_root.metadata["augeaspath"]
-        )
-        self.assertTrue(directive.startswith("NewBlock"))
-
-    def test_add_child_block_beginning(self):
-        self.config.parser_root.add_child_block(
-            "Beginning",
-            position=0
-        )
-        parser = self.config.parser_root.parser
-        root_path = self.config.parser_root.metadata["augeaspath"]
-        # Get first child
-        first = parser.aug.match("{}/*[1]".format(root_path))
-        self.assertTrue(first[0].endswith("Beginning"))
-
-    def test_add_child_block_append(self):
-        self.config.parser_root.add_child_block(
-            "VeryLast",
-        )
-        parser = self.config.parser_root.parser
-        root_path = self.config.parser_root.metadata["augeaspath"]
-        # Get last child
-        last = parser.aug.match("{}/*[last()]".format(root_path))
-        self.assertTrue(last[0].endswith("VeryLast"))
-
-    def test_add_child_block_append_alt(self):
-        self.config.parser_root.add_child_block(
-            "VeryLastAlt",
-            position=99999
-        )
-        parser = self.config.parser_root.parser
-        root_path = self.config.parser_root.metadata["augeaspath"]
-        # Get last child
-        last = parser.aug.match("{}/*[last()]".format(root_path))
-        self.assertTrue(last[0].endswith("VeryLastAlt"))
-
-    def test_add_child_block_middle(self):
-        self.config.parser_root.add_child_block(
-            "Middle",
-            position=5
-        )
-        parser = self.config.parser_root.parser
-        root_path = self.config.parser_root.metadata["augeaspath"]
-        # Augeas indices start at 1 :(
-        middle = parser.aug.match("{}/*[6]".format(root_path))
-        self.assertTrue(middle[0].endswith("Middle"))
-
-    def test_add_child_block_existing_name(self):
-        parser = self.config.parser_root.parser
-        root_path = self.config.parser_root.metadata["augeaspath"]
-        # There already exists a single VirtualHost in the base config
-        new_block = parser.aug.match("{}/VirtualHost[2]".format(root_path))
-        self.assertEqual(len(new_block), 0)
-        vh = self.config.parser_root.add_child_block(
-            "VirtualHost",
-        )
-        new_block = parser.aug.match("{}/VirtualHost[2]".format(root_path))
-        self.assertEqual(len(new_block), 1)
-        self.assertTrue(vh.metadata["augeaspath"].endswith("VirtualHost[2]"))
-
-    def test_node_init_error_bad_augeaspath(self):
-        from certbot_apache._internal.augeasparser import AugeasBlockNode
-        parameters = {
-            "name": assertions.PASS,
-            "ancestor": None,
-            "filepath": assertions.PASS,
-            "metadata": {
-                "augeasparser": mock.Mock(),
-                "augeaspath": "/files/path/endswith/slash/"
-            }
-        }
-        self.assertRaises(
-            errors.PluginError,
-            AugeasBlockNode,
-            **parameters
-        )
-
-    def test_node_init_error_missing_augeaspath(self):
-        from certbot_apache._internal.augeasparser import AugeasBlockNode
-        parameters = {
-            "name": assertions.PASS,
-            "ancestor": None,
-            "filepath": assertions.PASS,
-            "metadata": {
-                "augeasparser": mock.Mock(),
-            }
-        }
-        self.assertRaises(
-            errors.PluginError,
-            AugeasBlockNode,
-            **parameters
-        )
-
-    def test_add_child_directive(self):
-        self.config.parser_root.add_child_directive(
-            "ThisWasAdded",
-            ["with", "parameters"],
-            position=0
-        )
-        dirs = self.config.parser_root.find_directives("ThisWasAdded")
-        self.assertEqual(len(dirs), 1)
-        self.assertEqual(dirs[0].parameters, ("with", "parameters"))
-        # The new directive was added to the very first line of the config
-        self.assertTrue(dirs[0].metadata["augeaspath"].endswith("[1]"))
-
-    def test_add_child_directive_exception(self):
-        self.assertRaises(
-            errors.PluginError,
-            self.config.parser_root.add_child_directive,
-            "ThisRaisesErrorBecauseMissingParameters"
-        )
-
-    def test_parsed_paths(self):
-        paths = self.config.parser_root.parsed_paths()
-        self.assertEqual(len(paths), 6)
-
-    def test_find_ancestors(self):
-        vhsblocks = self.config.parser_root.find_blocks("VirtualHost")
-        macro_test = False
-        nonmacro_test = False
-        for vh in vhsblocks:
-            if "/macro/" in vh.metadata["augeaspath"].lower():
-                ancs = vh.find_ancestors("Macro")
-                self.assertEqual(len(ancs), 1)
-                macro_test = True
-            else:
-                ancs = vh.find_ancestors("Macro")
-                self.assertEqual(len(ancs), 0)
-                nonmacro_test = True
-        self.assertTrue(macro_test)
-        self.assertTrue(nonmacro_test)
-
-    def test_find_ancestors_bad_path(self):
-        self.config.parser_root.metadata["augeaspath"] = ""
-        ancs = self.config.parser_root.find_ancestors("Anything")
-        self.assertEqual(len(ancs), 0)
--- a/certbot-apache/tests/autohsts_test.py
+++ b/certbot-apache/tests/autohsts_test.py
@@ -2,15 +2,13 @@
 """Test for certbot_apache._internal.configurator AutoHSTS functionality"""
 import re
 import unittest
-
-try:
-    import mock
-except ImportError: # pragma: no cover
-    from unittest import mock # type: ignore
-import six  # pylint: disable=unused-import  # six is used in mock.patch()
+import mock
+# six is used in mock.patch()
+import six  # pylint: disable=unused-import

 from certbot import errors
 from certbot_apache._internal import constants
+
 import util


@@ -23,10 +21,10 @@ class AutoHSTSTest(util.ApacheTest):

        self.config = util.get_apache_configurator(
            self.config_path, self.vhost_path, self.config_dir, self.work_dir)
-        self.config.parser.modules["headers_module"] = None
-        self.config.parser.modules["mod_headers.c"] = None
-        self.config.parser.modules["ssl_module"] = None
-        self.config.parser.modules["mod_ssl.c"] = None
+        self.config.parser.modules.add("headers_module")
+        self.config.parser.modules.add("mod_headers.c")
+        self.config.parser.modules.add("ssl_module")
+        self.config.parser.modules.add("mod_ssl.c")

        self.vh_truth = util.get_vh_truth(
            self.temp_dir, "debian_apache_2_4/multiple_vhosts")
@@ -45,8 +43,8 @@ class AutoHSTSTest(util.ApacheTest):
    @mock.patch("certbot_apache._internal.configurator.ApacheConfigurator.restart")
    @mock.patch("certbot_apache._internal.configurator.ApacheConfigurator.enable_mod")
    def test_autohsts_enable_headers_mod(self, mock_enable, _restart):
-        self.config.parser.modules.pop("headers_module", None)
-        self.config.parser.modules.pop("mod_header.c", None)
+        self.config.parser.modules.discard("headers_module")
+        self.config.parser.modules.discard("mod_header.c")
        self.config.enable_autohsts(mock.MagicMock(), ["ocspvhost.com"])
        self.assertTrue(mock_enable.called)

--- a/certbot-apache/tests/centos6_test.py
+++ b/certbot-apache/tests/centos6_test.py
@@ -3,9 +3,11 @@ import unittest

 from certbot.compat import os
 from certbot.errors import MisconfigurationError
+
 from certbot_apache._internal import obj
 from certbot_apache._internal import override_centos
 from certbot_apache._internal import parser
+
 import util


@@ -19,12 +21,12 @@ def get_vh_truth(temp_dir, config_name):
        obj.VirtualHost(
            os.path.join(prefix, "test.example.com.conf"),
            os.path.join(aug_pre, "test.example.com.conf/VirtualHost"),
-            {obj.Addr.fromstring("*:80")},
+            set([obj.Addr.fromstring("*:80")]),
            False, True, "test.example.com"),
        obj.VirtualHost(
            os.path.join(prefix, "ssl.conf"),
            os.path.join(aug_pre, "ssl.conf/VirtualHost"),
-            {obj.Addr.fromstring("_default_:443")},
+            set([obj.Addr.fromstring("_default_:443")]),
            True, True, None)
    ]
    return vh_truth
@@ -104,7 +106,7 @@ class CentOS6Tests(util.ApacheTest):
        pre_loadmods = self.config.parser.find_dir(
            "LoadModule", "ssl_module", exclude=False)
        # LoadModules are not within IfModule blocks
-        self.assertFalse(any("ifmodule" in m.lower() for m in pre_loadmods))
+        self.assertFalse(any(["ifmodule" in m.lower() for m in pre_loadmods]))
        self.config.assoc["test.example.com"] = self.vh_truth[0]
        self.config.deploy_cert(
            "random.demo", "example/cert.pem", "example/key.pem",
--- a/certbot-apache/tests/centos_test.py
+++ b/certbot-apache/tests/centos_test.py
@@ -1,16 +1,15 @@
 """Test for certbot_apache._internal.configurator for Centos overrides"""
 import unittest

-try:
-    import mock
-except ImportError: # pragma: no cover
-    from unittest import mock # type: ignore
+import mock

 from certbot import errors
 from certbot.compat import filesystem
 from certbot.compat import os
+
 from certbot_apache._internal import obj
 from certbot_apache._internal import override_centos
+
 import util


@@ -24,12 +23,12 @@ def get_vh_truth(temp_dir, config_name):
        obj.VirtualHost(
            os.path.join(prefix, "centos.example.com.conf"),
            os.path.join(aug_pre, "centos.example.com.conf/VirtualHost"),
-            {obj.Addr.fromstring("*:80")},
+            set([obj.Addr.fromstring("*:80")]),
            False, True, "centos.example.com"),
        obj.VirtualHost(
            os.path.join(prefix, "ssl.conf"),
            os.path.join(aug_pre, "ssl.conf/VirtualHost"),
-            {obj.Addr.fromstring("_default_:443")},
+            set([obj.Addr.fromstring("_default_:443")]),
            True, True, None)
    ]
    return vh_truth
@@ -109,7 +108,7 @@ class MultipleVhostsTestCentOS(util.ApacheTest):
    def test_get_parser(self):
        self.assertIsInstance(self.config.parser, override_centos.CentOSParser)

-    @mock.patch("certbot_apache._internal.apache_util._get_runtime_cfg")
+    @mock.patch("certbot_apache._internal.parser.ApacheParser._get_runtime_cfg")
    def test_opportunistic_httpd_runtime_parsing(self, mock_get):
        define_val = (
            'Define: TEST1\n'
@@ -129,7 +128,7 @@ class MultipleVhostsTestCentOS(util.ApacheTest):
                return mod_val
            return ""
        mock_get.side_effect = mock_get_cfg
-        self.config.parser.modules = {}
+        self.config.parser.modules = set()
        self.config.parser.variables = {}

        with mock.patch("certbot.util.get_os_info") as mock_osi:
@@ -158,7 +157,7 @@ class MultipleVhostsTestCentOS(util.ApacheTest):
                raise Exception("Missed: %s" % vhost)  # pragma: no cover
        self.assertEqual(found, 2)

-    @mock.patch("certbot_apache._internal.apache_util._get_runtime_cfg")
+    @mock.patch("certbot_apache._internal.parser.ApacheParser._get_runtime_cfg")
    def test_get_sysconfig_vars(self, mock_cfg):
        """Make sure we read the sysconfig OPTIONS variable correctly"""
        # Return nothing for the process calls
--- a/certbot-apache/tests/complex_parsing_test.py
+++ b/certbot-apache/tests/complex_parsing_test.py
@@ -4,6 +4,7 @@ import unittest

 from certbot import errors
 from certbot.compat import os
+
 import util


--- a/certbot-apache/tests/configurator_reverter_test.py
+++ b/certbot-apache/tests/configurator_reverter_test.py
@@ -2,12 +2,10 @@
 import shutil
 import unittest

-try:
-    import mock
-except ImportError: # pragma: no cover
-    from unittest import mock # type: ignore
+import mock

 from certbot import errors
+
 import util


--- a/certbot-apache/tests/configurator_test.py
+++ b/certbot-apache/tests/configurator_test.py
@@ -6,24 +6,25 @@ import socket
 import tempfile
 import unittest

-try:
-    import mock
-except ImportError: # pragma: no cover
-    from unittest import mock # type: ignore
-import six  # pylint: disable=unused-import  # six is used in mock.patch()
+import mock
+# six is used in mock.patch()
+import six  # pylint: disable=unused-import

 from acme import challenges
+
 from certbot import achallenges
 from certbot import crypto_util
 from certbot import errors
-from certbot.compat import filesystem
 from certbot.compat import os
+from certbot.compat import filesystem
 from certbot.tests import acme_util
 from certbot.tests import util as certbot_util
+
 from certbot_apache._internal import apache_util
 from certbot_apache._internal import constants
 from certbot_apache._internal import obj
 from certbot_apache._internal import parser
+
 import util


@@ -78,8 +79,7 @@ class MultipleVhostsTest(util.ApacheTest):

    @mock.patch("certbot_apache._internal.parser.ApacheParser")
    @mock.patch("certbot_apache._internal.configurator.util.exe_exists")
-    @mock.patch("certbot_apache._internal.configurator.ApacheConfigurator.get_parsernode_root")
-    def _test_prepare_locked(self, _node, _exists, _parser):
+    def _test_prepare_locked(self, unused_parser, unused_exe_exists):
        try:
            self.config.prepare()
        except errors.PluginError as err:
@@ -102,7 +102,7 @@ class MultipleVhostsTest(util.ApacheTest):
        parserargs = ["server_root", "enmod", "dismod", "le_vhost_ext",
                      "vhost_root", "logs_root", "challenge_location",
                      "handle_modules", "handle_sites", "ctl"]
-        exp = {}
+        exp = dict()

        for k in ApacheConfigurator.OS_DEFAULTS:
            if k in parserargs:
@@ -143,9 +143,11 @@ class MultipleVhostsTest(util.ApacheTest):
        mock_utility = mock_getutility()
        mock_utility.notification = mock.MagicMock(return_value=True)
        names = self.config.get_all_names()
-        self.assertEqual(names, {"certbot.demo", "ocspvhost.com", "encryption-example.demo",
+        self.assertEqual(names, set(
+            ["certbot.demo", "ocspvhost.com", "encryption-example.demo",
             "nonsym.link", "vhost.in.rootconf", "www.certbot.demo",
-             "duplicate.example.com"})
+             "duplicate.example.com"]
+        ))

    @certbot_util.patch_get_utility()
    @mock.patch("certbot_apache._internal.configurator.socket.gethostbyaddr")
@@ -155,9 +157,9 @@ class MultipleVhostsTest(util.ApacheTest):
        mock_utility.notification.return_value = True
        vhost = obj.VirtualHost(
            "fp", "ap",
-            {obj.Addr(("8.8.8.8", "443")),
+            set([obj.Addr(("8.8.8.8", "443")),
                 obj.Addr(("zombo.com",)),
-                 obj.Addr(("192.168.1.2"))},
+                 obj.Addr(("192.168.1.2"))]),
            True, False)

        self.config.vhosts.append(vhost)
@@ -186,7 +188,7 @@ class MultipleVhostsTest(util.ApacheTest):

    def test_bad_servername_alias(self):
        ssl_vh1 = obj.VirtualHost(
-            "fp1", "ap1", {obj.Addr(("*", "443"))},
+            "fp1", "ap1", set([obj.Addr(("*", "443"))]),
            True, False)
        # pylint: disable=protected-access
        self.config._add_servernames(ssl_vh1)
@@ -199,7 +201,7 @@ class MultipleVhostsTest(util.ApacheTest):
        # pylint: disable=protected-access
        self.config._add_servernames(self.vh_truth[2])
        self.assertEqual(
-            self.vh_truth[2].get_names(), {"*.le.co", "ip-172-30-0-17"})
+            self.vh_truth[2].get_names(), set(["*.le.co", "ip-172-30-0-17"]))

    def test_get_virtual_hosts(self):
        """Make sure all vhosts are being properly found."""
@@ -270,7 +272,7 @@ class MultipleVhostsTest(util.ApacheTest):
    def test_choose_vhost_select_vhost_conflicting_non_ssl(self, mock_select):
        mock_select.return_value = self.vh_truth[3]
        conflicting_vhost = obj.VirtualHost(
-            "path", "aug_path", {obj.Addr.fromstring("*:443")},
+            "path", "aug_path", set([obj.Addr.fromstring("*:443")]),
            True, True)
        self.config.vhosts.append(conflicting_vhost)

@@ -279,14 +281,14 @@ class MultipleVhostsTest(util.ApacheTest):

    def test_find_best_http_vhost_default(self):
        vh = obj.VirtualHost(
-            "fp", "ap", {obj.Addr.fromstring("_default_:80")}, False, True)
+            "fp", "ap", set([obj.Addr.fromstring("_default_:80")]), False, True)
        self.config.vhosts = [vh]
        self.assertEqual(self.config.find_best_http_vhost("foo.bar", False), vh)

    def test_find_best_http_vhost_port(self):
        port = "8080"
        vh = obj.VirtualHost(
-            "fp", "ap", {obj.Addr.fromstring("*:" + port)},
+            "fp", "ap", set([obj.Addr.fromstring("*:" + port)]),
            False, True, "encryption-example.demo")
        self.config.vhosts.append(vh)
        self.assertEqual(self.config.find_best_http_vhost("foo.bar", False, port), vh)
@@ -314,8 +316,8 @@ class MultipleVhostsTest(util.ApacheTest):
    def test_find_best_vhost_variety(self):
        # pylint: disable=protected-access
        ssl_vh = obj.VirtualHost(
-            "fp", "ap", {obj.Addr(("*", "443")),
-                             obj.Addr(("zombo.com",))},
+            "fp", "ap", set([obj.Addr(("*", "443")),
+                             obj.Addr(("zombo.com",))]),
            True, False)
        self.config.vhosts.append(ssl_vh)
        self.assertEqual(self.config._find_best_vhost("zombo.com"), ssl_vh)
@@ -342,9 +344,9 @@ class MultipleVhostsTest(util.ApacheTest):
    def test_deploy_cert_enable_new_vhost(self):
        # Create
        ssl_vhost = self.config.make_vhost_ssl(self.vh_truth[0])
-        self.config.parser.modules["ssl_module"] = None
-        self.config.parser.modules["mod_ssl.c"] = None
-        self.config.parser.modules["socache_shmcb_module"] = None
+        self.config.parser.modules.add("ssl_module")
+        self.config.parser.modules.add("mod_ssl.c")
+        self.config.parser.modules.add("socache_shmcb_module")

        self.assertFalse(ssl_vhost.enabled)
        self.config.deploy_cert(
@@ -378,9 +380,9 @@ class MultipleVhostsTest(util.ApacheTest):
                    # pragma: no cover

    def test_deploy_cert(self):
-        self.config.parser.modules["ssl_module"] = None
-        self.config.parser.modules["mod_ssl.c"] = None
-        self.config.parser.modules["socache_shmcb_module"] = None
+        self.config.parser.modules.add("ssl_module")
+        self.config.parser.modules.add("mod_ssl.c")
+        self.config.parser.modules.add("socache_shmcb_module")
        # Patch _add_dummy_ssl_directives to make sure we write them correctly
        # pylint: disable=protected-access
        orig_add_dummy = self.config._add_dummy_ssl_directives
@@ -460,9 +462,9 @@ class MultipleVhostsTest(util.ApacheTest):
        method is called with an invalid vhost parameter. Currently this tests
        that a PluginError is appropriately raised when important directives
        are missing in an SSL module."""
-        self.config.parser.modules["ssl_module"] = None
-        self.config.parser.modules["mod_ssl.c"] = None
-        self.config.parser.modules["socache_shmcb_module"] = None
+        self.config.parser.modules.add("ssl_module")
+        self.config.parser.modules.add("mod_ssl.c")
+        self.config.parser.modules.add("socache_shmcb_module")

        def side_effect(*args):
            """Mocks case where an SSLCertificateFile directive can be found
@@ -545,8 +547,7 @@ class MultipleVhostsTest(util.ApacheTest):
                call_found = True
        self.assertTrue(call_found)

-    @mock.patch("certbot_apache._internal.parser.ApacheParser.reset_modules")
-    def test_prepare_server_https(self, mock_reset):
+    def test_prepare_server_https(self):
        mock_enable = mock.Mock()
        self.config.enable_mod = mock_enable

@@ -572,8 +573,7 @@ class MultipleVhostsTest(util.ApacheTest):

        self.assertEqual(mock_add_dir.call_count, 2)

-    @mock.patch("certbot_apache._internal.parser.ApacheParser.reset_modules")
-    def test_prepare_server_https_named_listen(self, mock_reset):
+    def test_prepare_server_https_named_listen(self):
        mock_find = mock.Mock()
        mock_find.return_value = ["test1", "test2", "test3"]
        mock_get = mock.Mock()
@@ -611,8 +611,7 @@ class MultipleVhostsTest(util.ApacheTest):
        # self.config.prepare_server_https("8080", temp=True)
        # self.assertEqual(self.listens, 0)

-    @mock.patch("certbot_apache._internal.parser.ApacheParser.reset_modules")
-    def test_prepare_server_https_needed_listen(self, mock_reset):
+    def test_prepare_server_https_needed_listen(self):
        mock_find = mock.Mock()
        mock_find.return_value = ["test1", "test2"]
        mock_get = mock.Mock()
@@ -628,8 +627,8 @@ class MultipleVhostsTest(util.ApacheTest):
        self.config.prepare_server_https("443")
        self.assertEqual(mock_add_dir.call_count, 1)

-    @mock.patch("certbot_apache._internal.parser.ApacheParser.reset_modules")
-    def test_prepare_server_https_mixed_listen(self, mock_reset):
+    def test_prepare_server_https_mixed_listen(self):
+
        mock_find = mock.Mock()
        mock_find.return_value = ["test1", "test2"]
        mock_get = mock.Mock()
@@ -686,7 +685,7 @@ class MultipleVhostsTest(util.ApacheTest):
        self.assertEqual(ssl_vhost.path,
                         "/files" + ssl_vhost.filep + "/IfModule/Virtualhost")
        self.assertEqual(len(ssl_vhost.addrs), 1)
-        self.assertEqual({obj.Addr.fromstring("*:443")}, ssl_vhost.addrs)
+        self.assertEqual(set([obj.Addr.fromstring("*:443")]), ssl_vhost.addrs)
        self.assertEqual(ssl_vhost.name, "encryption-example.demo")
        self.assertTrue(ssl_vhost.ssl)
        self.assertFalse(ssl_vhost.enabled)
@@ -804,7 +803,7 @@ class MultipleVhostsTest(util.ApacheTest):
        self.assertEqual(mock_restart.call_count, 1)

    @mock.patch("certbot_apache._internal.configurator.ApacheConfigurator.restart")
-    @mock.patch("certbot_apache._internal.apache_util._get_runtime_cfg")
+    @mock.patch("certbot_apache._internal.parser.ApacheParser._get_runtime_cfg")
    def test_cleanup(self, mock_cfg, mock_restart):
        mock_cfg.return_value = ""
        _, achalls = self.get_key_and_achalls()
@@ -820,7 +819,7 @@ class MultipleVhostsTest(util.ApacheTest):
                self.assertFalse(mock_restart.called)

    @mock.patch("certbot_apache._internal.configurator.ApacheConfigurator.restart")
-    @mock.patch("certbot_apache._internal.apache_util._get_runtime_cfg")
+    @mock.patch("certbot_apache._internal.parser.ApacheParser._get_runtime_cfg")
    def test_cleanup_no_errors(self, mock_cfg, mock_restart):
        mock_cfg.return_value = ""
        _, achalls = self.get_key_and_achalls()
@@ -908,10 +907,10 @@ class MultipleVhostsTest(util.ApacheTest):
    @mock.patch("certbot_apache._internal.display_ops.select_vhost")
    @mock.patch("certbot.util.exe_exists")
    def test_enhance_unknown_vhost(self, mock_exe, mock_sel_vhost, mock_get):
-        self.config.parser.modules["rewrite_module"] = None
+        self.config.parser.modules.add("rewrite_module")
        mock_exe.return_value = True
        ssl_vh1 = obj.VirtualHost(
-            "fp1", "ap1", {obj.Addr(("*", "443"))},
+            "fp1", "ap1", set([obj.Addr(("*", "443"))]),
            True, False)
        ssl_vh1.name = "satoshi.com"
        self.config.vhosts.append(ssl_vh1)
@@ -946,8 +945,8 @@ class MultipleVhostsTest(util.ApacheTest):
    @mock.patch("certbot.util.exe_exists")
    def test_ocsp_stapling(self, mock_exe):
        self.config.parser.update_runtime_variables = mock.Mock()
-        self.config.parser.modules["mod_ssl.c"] = None
-        self.config.parser.modules["socache_shmcb_module"] = None
+        self.config.parser.modules.add("mod_ssl.c")
+        self.config.parser.modules.add("socache_shmcb_module")
        self.config.get_version = mock.Mock(return_value=(2, 4, 7))
        mock_exe.return_value = True

@@ -973,8 +972,8 @@ class MultipleVhostsTest(util.ApacheTest):
    @mock.patch("certbot.util.exe_exists")
    def test_ocsp_stapling_twice(self, mock_exe):
        self.config.parser.update_runtime_variables = mock.Mock()
-        self.config.parser.modules["mod_ssl.c"] = None
-        self.config.parser.modules["socache_shmcb_module"] = None
+        self.config.parser.modules.add("mod_ssl.c")
+        self.config.parser.modules.add("socache_shmcb_module")
        self.config.get_version = mock.Mock(return_value=(2, 4, 7))
        mock_exe.return_value = True

@@ -1001,8 +1000,8 @@ class MultipleVhostsTest(util.ApacheTest):
    def test_ocsp_unsupported_apache_version(self, mock_exe):
        mock_exe.return_value = True
        self.config.parser.update_runtime_variables = mock.Mock()
-        self.config.parser.modules["mod_ssl.c"] = None
-        self.config.parser.modules["socache_shmcb_module"] = None
+        self.config.parser.modules.add("mod_ssl.c")
+        self.config.parser.modules.add("socache_shmcb_module")
        self.config.get_version = mock.Mock(return_value=(2, 2, 0))
        self.config.choose_vhost("certbot.demo")

@@ -1012,7 +1011,7 @@ class MultipleVhostsTest(util.ApacheTest):

    def test_get_http_vhost_third_filter(self):
        ssl_vh = obj.VirtualHost(
-            "fp", "ap", {obj.Addr(("*", "443"))},
+            "fp", "ap", set([obj.Addr(("*", "443"))]),
            True, False)
        ssl_vh.name = "satoshi.com"
        self.config.vhosts.append(ssl_vh)
@@ -1025,8 +1024,8 @@ class MultipleVhostsTest(util.ApacheTest):
    @mock.patch("certbot.util.exe_exists")
    def test_http_header_hsts(self, mock_exe, _):
        self.config.parser.update_runtime_variables = mock.Mock()
-        self.config.parser.modules["mod_ssl.c"] = None
-        self.config.parser.modules["headers_module"] = None
+        self.config.parser.modules.add("mod_ssl.c")
+        self.config.parser.modules.add("headers_module")
        mock_exe.return_value = True

        # This will create an ssl vhost for certbot.demo
@@ -1046,9 +1045,9 @@ class MultipleVhostsTest(util.ApacheTest):
        self.assertEqual(len(hsts_header), 4)

    def test_http_header_hsts_twice(self):
-        self.config.parser.modules["mod_ssl.c"] = None
+        self.config.parser.modules.add("mod_ssl.c")
        # skip the enable mod
-        self.config.parser.modules["headers_module"] = None
+        self.config.parser.modules.add("headers_module")

        # This will create an ssl vhost for encryption-example.demo
        self.config.choose_vhost("encryption-example.demo")
@@ -1064,8 +1063,8 @@ class MultipleVhostsTest(util.ApacheTest):
    @mock.patch("certbot.util.exe_exists")
    def test_http_header_uir(self, mock_exe, _):
        self.config.parser.update_runtime_variables = mock.Mock()
-        self.config.parser.modules["mod_ssl.c"] = None
-        self.config.parser.modules["headers_module"] = None
+        self.config.parser.modules.add("mod_ssl.c")
+        self.config.parser.modules.add("headers_module")

        mock_exe.return_value = True

@@ -1088,9 +1087,9 @@ class MultipleVhostsTest(util.ApacheTest):
        self.assertEqual(len(uir_header), 4)

    def test_http_header_uir_twice(self):
-        self.config.parser.modules["mod_ssl.c"] = None
+        self.config.parser.modules.add("mod_ssl.c")
        # skip the enable mod
-        self.config.parser.modules["headers_module"] = None
+        self.config.parser.modules.add("headers_module")

        # This will create an ssl vhost for encryption-example.demo
        self.config.choose_vhost("encryption-example.demo")
@@ -1105,7 +1104,7 @@ class MultipleVhostsTest(util.ApacheTest):
    @mock.patch("certbot.util.run_script")
    @mock.patch("certbot.util.exe_exists")
    def test_redirect_well_formed_http(self, mock_exe, _):
-        self.config.parser.modules["rewrite_module"] = None
+        self.config.parser.modules.add("rewrite_module")
        self.config.parser.update_runtime_variables = mock.Mock()
        mock_exe.return_value = True
        self.config.get_version = mock.Mock(return_value=(2, 2))
@@ -1131,7 +1130,7 @@ class MultipleVhostsTest(util.ApacheTest):

    def test_rewrite_rule_exists(self):
        # Skip the enable mod
-        self.config.parser.modules["rewrite_module"] = None
+        self.config.parser.modules.add("rewrite_module")
        self.config.get_version = mock.Mock(return_value=(2, 3, 9))
        self.config.parser.add_dir(
            self.vh_truth[3].path, "RewriteRule", ["Unknown"])
@@ -1140,7 +1139,7 @@ class MultipleVhostsTest(util.ApacheTest):

    def test_rewrite_engine_exists(self):
        # Skip the enable mod
-        self.config.parser.modules["rewrite_module"] = None
+        self.config.parser.modules.add("rewrite_module")
        self.config.get_version = mock.Mock(return_value=(2, 3, 9))
        self.config.parser.add_dir(
            self.vh_truth[3].path, "RewriteEngine", "on")
@@ -1150,7 +1149,7 @@ class MultipleVhostsTest(util.ApacheTest):
    @mock.patch("certbot.util.run_script")
    @mock.patch("certbot.util.exe_exists")
    def test_redirect_with_existing_rewrite(self, mock_exe, _):
-        self.config.parser.modules["rewrite_module"] = None
+        self.config.parser.modules.add("rewrite_module")
        self.config.parser.update_runtime_variables = mock.Mock()
        mock_exe.return_value = True
        self.config.get_version = mock.Mock(return_value=(2, 2, 0))
@@ -1184,7 +1183,7 @@ class MultipleVhostsTest(util.ApacheTest):
    @mock.patch("certbot.util.run_script")
    @mock.patch("certbot.util.exe_exists")
    def test_redirect_with_old_https_redirection(self, mock_exe, _):
-        self.config.parser.modules["rewrite_module"] = None
+        self.config.parser.modules.add("rewrite_module")
        self.config.parser.update_runtime_variables = mock.Mock()
        mock_exe.return_value = True
        self.config.get_version = mock.Mock(return_value=(2, 2, 0))
@@ -1213,10 +1212,10 @@ class MultipleVhostsTest(util.ApacheTest):


    def test_redirect_with_conflict(self):
-        self.config.parser.modules["rewrite_module"] = None
+        self.config.parser.modules.add("rewrite_module")
        ssl_vh = obj.VirtualHost(
-            "fp", "ap", {obj.Addr(("*", "443")),
-                             obj.Addr(("zombo.com",))},
+            "fp", "ap", set([obj.Addr(("*", "443")),
+                             obj.Addr(("zombo.com",))]),
            True, False)
        # No names ^ this guy should conflict.

@@ -1226,7 +1225,7 @@ class MultipleVhostsTest(util.ApacheTest):

    def test_redirect_two_domains_one_vhost(self):
        # Skip the enable mod
-        self.config.parser.modules["rewrite_module"] = None
+        self.config.parser.modules.add("rewrite_module")
        self.config.get_version = mock.Mock(return_value=(2, 3, 9))

        # Creates ssl vhost for the domain
@@ -1241,7 +1240,7 @@ class MultipleVhostsTest(util.ApacheTest):

    def test_redirect_from_previous_run(self):
        # Skip the enable mod
-        self.config.parser.modules["rewrite_module"] = None
+        self.config.parser.modules.add("rewrite_module")
        self.config.get_version = mock.Mock(return_value=(2, 3, 9))
        self.config.choose_vhost("red.blue.purple.com")
        self.config.enhance("red.blue.purple.com", "redirect")
@@ -1254,22 +1253,22 @@ class MultipleVhostsTest(util.ApacheTest):
            self.config.enhance, "green.blue.purple.com", "redirect")

    def test_create_own_redirect(self):
-        self.config.parser.modules["rewrite_module"] = None
+        self.config.parser.modules.add("rewrite_module")
        self.config.get_version = mock.Mock(return_value=(2, 3, 9))
        # For full testing... give names...
        self.vh_truth[1].name = "default.com"
-        self.vh_truth[1].aliases = {"yes.default.com"}
+        self.vh_truth[1].aliases = set(["yes.default.com"])

        # pylint: disable=protected-access
        self.config._enable_redirect(self.vh_truth[1], "")
        self.assertEqual(len(self.config.vhosts), 13)

    def test_create_own_redirect_for_old_apache_version(self):
-        self.config.parser.modules["rewrite_module"] = None
+        self.config.parser.modules.add("rewrite_module")
        self.config.get_version = mock.Mock(return_value=(2, 2))
        # For full testing... give names...
        self.vh_truth[1].name = "default.com"
-        self.vh_truth[1].aliases = {"yes.default.com"}
+        self.vh_truth[1].aliases = set(["yes.default.com"])

        # pylint: disable=protected-access
        self.config._enable_redirect(self.vh_truth[1], "")
@@ -1330,9 +1329,9 @@ class MultipleVhostsTest(util.ApacheTest):
    def test_deploy_cert_not_parsed_path(self):
        # Make sure that we add include to root config for vhosts when
        # handle-sites is false
-        self.config.parser.modules["ssl_module"] = None
-        self.config.parser.modules["mod_ssl.c"] = None
-        self.config.parser.modules["socache_shmcb_module"] = None
+        self.config.parser.modules.add("ssl_module")
+        self.config.parser.modules.add("mod_ssl.c")
+        self.config.parser.modules.add("socache_shmcb_module")
        tmp_path = filesystem.realpath(tempfile.mkdtemp("vhostroot"))
        filesystem.chmod(tmp_path, 0o755)
        mock_p = "certbot_apache._internal.configurator.ApacheConfigurator._get_ssl_vhost_path"
@@ -1445,8 +1444,8 @@ class MultipleVhostsTest(util.ApacheTest):
    @mock.patch("certbot_apache._internal.configurator.ApacheConfigurator._choose_vhosts_wildcard")
    def test_enhance_wildcard_after_install(self, mock_choose):
        # pylint: disable=protected-access
-        self.config.parser.modules["mod_ssl.c"] = None
-        self.config.parser.modules["headers_module"] = None
+        self.config.parser.modules.add("mod_ssl.c")
+        self.config.parser.modules.add("headers_module")
        self.vh_truth[3].ssl = True
        self.config._wildcard_vhosts["*.certbot.demo"] = [self.vh_truth[3]]
        self.config.enhance("*.certbot.demo", "ensure-http-header",
@@ -1457,8 +1456,8 @@ class MultipleVhostsTest(util.ApacheTest):
    def test_enhance_wildcard_no_install(self, mock_choose):
        self.vh_truth[3].ssl = True
        mock_choose.return_value = [self.vh_truth[3]]
-        self.config.parser.modules["mod_ssl.c"] = None
-        self.config.parser.modules["headers_module"] = None
+        self.config.parser.modules.add("mod_ssl.c")
+        self.config.parser.modules.add("headers_module")
        self.config.enhance("*.certbot.demo", "ensure-http-header",
                            "Upgrade-Insecure-Requests")
        self.assertTrue(mock_choose.called)
@@ -1610,7 +1609,7 @@ class MultiVhostsTest(util.ApacheTest):
        self.assertEqual(ssl_vhost.path,
                         "/files" + ssl_vhost.filep + "/IfModule/VirtualHost")
        self.assertEqual(len(ssl_vhost.addrs), 1)
-        self.assertEqual({obj.Addr.fromstring("*:443")}, ssl_vhost.addrs)
+        self.assertEqual(set([obj.Addr.fromstring("*:443")]), ssl_vhost.addrs)
        self.assertEqual(ssl_vhost.name, "banana.vomit.com")
        self.assertTrue(ssl_vhost.ssl)
        self.assertFalse(ssl_vhost.enabled)
@@ -1642,7 +1641,7 @@ class MultiVhostsTest(util.ApacheTest):

    @certbot_util.patch_get_utility()
    def test_make_vhost_ssl_with_existing_rewrite_rule(self, mock_get_utility):
-        self.config.parser.modules["rewrite_module"] = None
+        self.config.parser.modules.add("rewrite_module")

        ssl_vhost = self.config.make_vhost_ssl(self.vh_truth[4])

@@ -1662,7 +1661,7 @@ class MultiVhostsTest(util.ApacheTest):

    @certbot_util.patch_get_utility()
    def test_make_vhost_ssl_with_existing_rewrite_conds(self, mock_get_utility):
-        self.config.parser.modules["rewrite_module"] = None
+        self.config.parser.modules.add("rewrite_module")

        ssl_vhost = self.config.make_vhost_ssl(self.vh_truth[3])

@@ -1704,7 +1703,7 @@ class InstallSslOptionsConfTest(util.ApacheTest):
                                             self.config.updated_mod_ssl_conf_digest)

    def _current_ssl_options_hash(self):
-        return crypto_util.sha256sum(self.config.pick_apache_config())
+        return crypto_util.sha256sum(self.config.option("MOD_SSL_CONF_SRC"))

    def _assert_current_file(self):
        self.assertTrue(os.path.isfile(self.config.mod_ssl_conf))
@@ -1740,7 +1739,7 @@ class InstallSslOptionsConfTest(util.ApacheTest):
            self.assertFalse(mock_logger.warning.called)
        self.assertTrue(os.path.isfile(self.config.mod_ssl_conf))
        self.assertEqual(crypto_util.sha256sum(
-            self.config.pick_apache_config()),
+            self.config.option("MOD_SSL_CONF_SRC")),
            self._current_ssl_options_hash())
        self.assertNotEqual(crypto_util.sha256sum(self.config.mod_ssl_conf),
            self._current_ssl_options_hash())
@@ -1756,99 +1755,19 @@ class InstallSslOptionsConfTest(util.ApacheTest):
                "%s has been manually modified; updated file "
                "saved to %s. We recommend updating %s for security purposes.")
        self.assertEqual(crypto_util.sha256sum(
-            self.config.pick_apache_config()),
+            self.config.option("MOD_SSL_CONF_SRC")),
            self._current_ssl_options_hash())
        # only print warning once
        with mock.patch("certbot.plugins.common.logger") as mock_logger:
            self._call()
            self.assertFalse(mock_logger.warning.called)

-    def test_ssl_config_files_hash_in_all_hashes(self):
-        """
-        It is really critical that all TLS Apache config files have their SHA256 hash registered in
-        constants.ALL_SSL_OPTIONS_HASHES. Otherwise Certbot will mistakenly assume that the config
-        file has been manually edited by the user, and will refuse to update it.
-        This test ensures that all necessary hashes are present.
-        """
+    def test_current_file_hash_in_all_hashes(self):
        from certbot_apache._internal.constants import ALL_SSL_OPTIONS_HASHES
-        import pkg_resources
+        self.assertTrue(self._current_ssl_options_hash() in ALL_SSL_OPTIONS_HASHES,
+            "Constants.ALL_SSL_OPTIONS_HASHES must be appended"
+            " with the sha256 hash of self.config.mod_ssl_conf when it is updated.")

-        tls_configs_dir = pkg_resources.resource_filename(
-            "certbot_apache", os.path.join("_internal", "tls_configs"))
-        all_files = [os.path.join(tls_configs_dir, name) for name in os.listdir(tls_configs_dir)
-                     if name.endswith('options-ssl-apache.conf')]
-        self.assertTrue(all_files)
-        for one_file in all_files:
-            file_hash = crypto_util.sha256sum(one_file)
-            self.assertTrue(file_hash in ALL_SSL_OPTIONS_HASHES,
-                            "Constants.ALL_SSL_OPTIONS_HASHES must be appended with the sha256 "
-                            "hash of {0} when it is updated.".format(one_file))
-
-    def test_openssl_version(self):
-        self.config._openssl_version = None
-        some_string_contents = b"""
-            SSLOpenSSLConfCmd
-            OpenSSL configuration command
-            SSLv3 not supported by this version of OpenSSL
-            '%s': invalid OpenSSL configuration command
-            OpenSSL 1.0.2g  1 Mar 2016
-            OpenSSL
-            AH02407: "SSLOpenSSLConfCmd %s %s" failed for %s
-            AH02556: "SSLOpenSSLConfCmd %s %s" applied to %s
-            OpenSSL 1.0.2g  1 Mar 2016
-            """
-        self.config.parser.modules['ssl_module'] = '/fake/path'
-        with mock.patch("certbot_apache._internal.configurator."
-            "ApacheConfigurator._open_module_file") as mock_omf:
-            mock_omf.return_value = some_string_contents
-            self.assertEqual(self.config.openssl_version(), "1.0.2g")
-
-    def test_current_version(self):
-        self.config.version = (2, 4, 10)
-        self.config._openssl_version = '1.0.2m'
-        self.assertTrue('old' in self.config.pick_apache_config())
-
-        self.config.version = (2, 4, 11)
-        self.config._openssl_version = '1.0.2m'
-        self.assertTrue('current' in self.config.pick_apache_config())
-
-        self.config._openssl_version = '1.0.2a'
-        self.assertTrue('old' in self.config.pick_apache_config())
-
-    def test_openssl_version_warns(self):
-        self.config._openssl_version = '1.0.2a'
-        self.assertEqual(self.config.openssl_version(), '1.0.2a')
-
-        self.config._openssl_version = None
-        with mock.patch("certbot_apache._internal.configurator.logger.warning") as mock_log:
-            self.assertEqual(self.config.openssl_version(), None)
-            self.assertTrue("Could not find ssl_module" in mock_log.call_args[0][0])
-
-        self.config._openssl_version = None
-        self.config.parser.modules['ssl_module'] = None
-        with mock.patch("certbot_apache._internal.configurator.logger.warning") as mock_log:
-            self.assertEqual(self.config.openssl_version(), None)
-            self.assertTrue("Could not find ssl_module" in mock_log.call_args[0][0])
-
-        self.config.parser.modules['ssl_module'] = "/fake/path"
-        with mock.patch("certbot_apache._internal.configurator.logger.warning") as mock_log:
-            # Check that correct logger.warning was printed
-            self.assertEqual(self.config.openssl_version(), None)
-            self.assertTrue("Unable to read" in mock_log.call_args[0][0])
-
-        contents_missing_openssl = b"these contents won't match the regex"
-        with mock.patch("certbot_apache._internal.configurator."
-            "ApacheConfigurator._open_module_file") as mock_omf:
-            mock_omf.return_value = contents_missing_openssl
-            with mock.patch("certbot_apache._internal.configurator.logger.warning") as mock_log:
-                # Check that correct logger.warning was printed
-                self.assertEqual(self.config.openssl_version(), None)
-                self.assertTrue("Could not find OpenSSL" in mock_log.call_args[0][0])
-
-    def test_open_module_file(self):
-        mock_open = mock.mock_open(read_data="testing 12 3")
-        with mock.patch("six.moves.builtins.open", mock_open):
-            self.assertEqual(self.config._open_module_file("/nonsense/"), "testing 12 3")

 if __name__ == "__main__":
    unittest.main()  # pragma: no cover
--- a/certbot-apache/tests/debian_test.py
+++ b/certbot-apache/tests/debian_test.py
@@ -2,15 +2,14 @@
 import shutil
 import unittest

-try:
-    import mock
-except ImportError: # pragma: no cover
-    from unittest import mock # type: ignore
+import mock

 from certbot import errors
 from certbot.compat import os
+
 from certbot_apache._internal import apache_util
 from certbot_apache._internal import obj
+
 import util


@@ -49,7 +48,7 @@ class MultipleVhostsTestDebian(util.ApacheTest):

    @mock.patch("certbot.util.run_script")
    @mock.patch("certbot.util.exe_exists")
-    @mock.patch("certbot_apache._internal.apache_util.subprocess.Popen")
+    @mock.patch("certbot_apache._internal.parser.subprocess.Popen")
    def test_enable_mod(self, mock_popen, mock_exe_exists, mock_run_script):
        mock_popen().communicate.return_value = ("Define: DUMP_RUN_CFG", "")
        mock_popen().returncode = 0
@@ -64,8 +63,8 @@ class MultipleVhostsTestDebian(util.ApacheTest):
    def test_deploy_cert_enable_new_vhost(self):
        # Create
        ssl_vhost = self.config.make_vhost_ssl(self.vh_truth[0])
-        self.config.parser.modules["ssl_module"] = None
-        self.config.parser.modules["mod_ssl.c"] = None
+        self.config.parser.modules.add("ssl_module")
+        self.config.parser.modules.add("mod_ssl.c")
        self.assertFalse(ssl_vhost.enabled)
        self.config.deploy_cert(
            "encryption-example.demo", "example/cert.pem", "example/key.pem",
@@ -95,8 +94,8 @@ class MultipleVhostsTestDebian(util.ApacheTest):
            self.config_path, self.vhost_path, self.config_dir,
            self.work_dir, version=(2, 4, 16))
        self.config = self.mock_deploy_cert(self.config)
-        self.config.parser.modules["ssl_module"] = None
-        self.config.parser.modules["mod_ssl.c"] = None
+        self.config.parser.modules.add("ssl_module")
+        self.config.parser.modules.add("mod_ssl.c")

        # Get the default 443 vhost
        self.config.assoc["random.demo"] = self.vh_truth[1]
@@ -131,8 +130,8 @@ class MultipleVhostsTestDebian(util.ApacheTest):
            self.config_path, self.vhost_path, self.config_dir,
            self.work_dir, version=(2, 4, 16))
        self.config = self.mock_deploy_cert(self.config)
-        self.config.parser.modules["ssl_module"] = None
-        self.config.parser.modules["mod_ssl.c"] = None
+        self.config.parser.modules.add("ssl_module")
+        self.config.parser.modules.add("mod_ssl.c")

        # Get the default 443 vhost
        self.config.assoc["random.demo"] = self.vh_truth[1]
@@ -146,8 +145,8 @@ class MultipleVhostsTestDebian(util.ApacheTest):
            self.config_path, self.vhost_path, self.config_dir,
            self.work_dir, version=(2, 4, 7))
        self.config = self.mock_deploy_cert(self.config)
-        self.config.parser.modules["ssl_module"] = None
-        self.config.parser.modules["mod_ssl.c"] = None
+        self.config.parser.modules.add("ssl_module")
+        self.config.parser.modules.add("mod_ssl.c")

        # Get the default 443 vhost
        self.config.assoc["random.demo"] = self.vh_truth[1]
@@ -160,7 +159,7 @@ class MultipleVhostsTestDebian(util.ApacheTest):
    @mock.patch("certbot.util.exe_exists")
    def test_ocsp_stapling_enable_mod(self, mock_exe, _):
        self.config.parser.update_runtime_variables = mock.Mock()
-        self.config.parser.modules["mod_ssl.c"] = None
+        self.config.parser.modules.add("mod_ssl.c")
        self.config.get_version = mock.Mock(return_value=(2, 4, 7))
        mock_exe.return_value = True
        # This will create an ssl vhost for certbot.demo
@@ -172,7 +171,7 @@ class MultipleVhostsTestDebian(util.ApacheTest):
    @mock.patch("certbot.util.exe_exists")
    def test_ensure_http_header_enable_mod(self, mock_exe, _):
        self.config.parser.update_runtime_variables = mock.Mock()
-        self.config.parser.modules["mod_ssl.c"] = None
+        self.config.parser.modules.add("mod_ssl.c")
        mock_exe.return_value = True

        # This will create an ssl vhost for certbot.demo
--- a/certbot-apache/tests/display_ops_test.py
+++ b/certbot-apache/tests/display_ops_test.py
@@ -1,16 +1,18 @@
 """Test certbot_apache._internal.display_ops."""
 import unittest

-try:
-    import mock
-except ImportError: # pragma: no cover
-    from unittest import mock # type: ignore
+import mock

 from certbot import errors
+
 from certbot.display import util as display_util
+
 from certbot.tests import util as certbot_util
+
 from certbot_apache._internal import obj
+
 from certbot_apache._internal.display_ops import select_vhost_multiple
+
 import util


@@ -96,9 +98,9 @@ class SelectVhostTest(unittest.TestCase):

        self.vhosts.append(
            obj.VirtualHost(
-                "path", "aug_path", {obj.Addr.fromstring("*:80")},
+                "path", "aug_path", set([obj.Addr.fromstring("*:80")]),
                False, False,
-                "wildcard.com", {"*.wildcard.com"}))
+                "wildcard.com", set(["*.wildcard.com"])))

        self.assertEqual(self.vhosts[5], self._call(self.vhosts))

--- a/certbot-apache/tests/dualnode_test.py
+++ b/certbot-apache/tests/dualnode_test.py
@@ -1,445 +0,0 @@
-"""Tests for DualParserNode implementation"""
-import unittest
-
-try:
-    import mock
-except ImportError: # pragma: no cover
-    from unittest import mock # type: ignore
-
-from certbot_apache._internal import assertions
-from certbot_apache._internal import augeasparser
-from certbot_apache._internal import dualparser
-
-
-class DualParserNodeTest(unittest.TestCase):  # pylint: disable=too-many-public-methods
-    """DualParserNode tests"""
-
-    def setUp(self):  # pylint: disable=arguments-differ
-        parser_mock = mock.MagicMock()
-        parser_mock.aug.match.return_value = []
-        parser_mock.get_arg.return_value = []
-        self.metadata = {"augeasparser": parser_mock, "augeaspath": "/invalid", "ac_ast": None}
-        self.block = dualparser.DualBlockNode(name="block",
-                                              ancestor=None,
-                                              filepath="/tmp/something",
-                                              metadata=self.metadata)
-        self.block_two = dualparser.DualBlockNode(name="block",
-                                                  ancestor=self.block,
-                                                  filepath="/tmp/something",
-                                                  metadata=self.metadata)
-        self.directive = dualparser.DualDirectiveNode(name="directive",
-                                                      ancestor=self.block,
-                                                      filepath="/tmp/something",
-                                                      metadata=self.metadata)
-        self.comment = dualparser.DualCommentNode(comment="comment",
-                                                  ancestor=self.block,
-                                                  filepath="/tmp/something",
-                                                  metadata=self.metadata)
-
-    def test_create_with_precreated(self):
-        cnode = dualparser.DualCommentNode(comment="comment",
-                                           ancestor=self.block,
-                                           filepath="/tmp/something",
-                                           primary=self.comment.secondary,
-                                           secondary=self.comment.primary)
-        dnode = dualparser.DualDirectiveNode(name="directive",
-                                             ancestor=self.block,
-                                             filepath="/tmp/something",
-                                             primary=self.directive.secondary,
-                                             secondary=self.directive.primary)
-        bnode = dualparser.DualBlockNode(name="block",
-                                         ancestor=self.block,
-                                         filepath="/tmp/something",
-                                         primary=self.block.secondary,
-                                         secondary=self.block.primary)
-        # Switched around
-        self.assertTrue(cnode.primary is self.comment.secondary)
-        self.assertTrue(cnode.secondary is self.comment.primary)
-        self.assertTrue(dnode.primary is self.directive.secondary)
-        self.assertTrue(dnode.secondary is self.directive.primary)
-        self.assertTrue(bnode.primary is self.block.secondary)
-        self.assertTrue(bnode.secondary is self.block.primary)
-
-    def test_set_params(self):
-        params = ("first", "second")
-        self.directive.primary.set_parameters = mock.Mock()
-        self.directive.secondary.set_parameters = mock.Mock()
-        self.directive.set_parameters(params)
-        self.assertTrue(self.directive.primary.set_parameters.called)
-        self.assertTrue(self.directive.secondary.set_parameters.called)
-
-    def test_set_parameters(self):
-        pparams = mock.MagicMock()
-        sparams = mock.MagicMock()
-        pparams.parameters = ("a", "b")
-        sparams.parameters = ("a", "b")
-        self.directive.primary.set_parameters = pparams
-        self.directive.secondary.set_parameters = sparams
-        self.directive.set_parameters(("param", "seq"))
-        self.assertTrue(pparams.called)
-        self.assertTrue(sparams.called)
-
-    def test_delete_child(self):
-        pdel = mock.MagicMock()
-        sdel = mock.MagicMock()
-        self.block.primary.delete_child = pdel
-        self.block.secondary.delete_child = sdel
-        self.block.delete_child(self.comment)
-        self.assertTrue(pdel.called)
-        self.assertTrue(sdel.called)
-
-    def test_unsaved_files(self):
-        puns = mock.MagicMock()
-        suns = mock.MagicMock()
-        puns.return_value = assertions.PASS
-        suns.return_value = assertions.PASS
-        self.block.primary.unsaved_files = puns
-        self.block.secondary.unsaved_files = suns
-        self.block.unsaved_files()
-        self.assertTrue(puns.called)
-        self.assertTrue(suns.called)
-
-    def test_getattr_equality(self):
-        self.directive.primary.variableexception = "value"
-        self.directive.secondary.variableexception = "not_value"
-        with self.assertRaises(AssertionError):
-            _ = self.directive.variableexception
-
-        self.directive.primary.variable = "value"
-        self.directive.secondary.variable = "value"
-        try:
-            self.directive.variable
-        except AssertionError: # pragma: no cover
-            self.fail("getattr check raised an AssertionError where it shouldn't have")
-
-    def test_parsernode_dirty_assert(self):
-        # disable assertion pass
-        self.comment.primary.comment = "value"
-        self.comment.secondary.comment = "value"
-        self.comment.primary.filepath = "x"
-        self.comment.secondary.filepath = "x"
-
-        self.comment.primary.dirty = False
-        self.comment.secondary.dirty = True
-        with self.assertRaises(AssertionError):
-            assertions.assertEqual(self.comment.primary, self.comment.secondary)
-
-    def test_parsernode_filepath_assert(self):
-        # disable assertion pass
-        self.comment.primary.comment = "value"
-        self.comment.secondary.comment = "value"
-
-        self.comment.primary.filepath = "first"
-        self.comment.secondary.filepath = "second"
-        with self.assertRaises(AssertionError):
-            assertions.assertEqual(self.comment.primary, self.comment.secondary)
-
-    def test_add_child_block(self):
-        mock_first = mock.MagicMock(return_value=self.block.primary)
-        mock_second = mock.MagicMock(return_value=self.block.secondary)
-        self.block.primary.add_child_block = mock_first
-        self.block.secondary.add_child_block = mock_second
-        self.block.add_child_block("Block")
-        self.assertTrue(mock_first.called)
-        self.assertTrue(mock_second.called)
-
-    def test_add_child_directive(self):
-        mock_first = mock.MagicMock(return_value=self.directive.primary)
-        mock_second = mock.MagicMock(return_value=self.directive.secondary)
-        self.block.primary.add_child_directive = mock_first
-        self.block.secondary.add_child_directive = mock_second
-        self.block.add_child_directive("Directive")
-        self.assertTrue(mock_first.called)
-        self.assertTrue(mock_second.called)
-
-    def test_add_child_comment(self):
-        mock_first = mock.MagicMock(return_value=self.comment.primary)
-        mock_second = mock.MagicMock(return_value=self.comment.secondary)
-        self.block.primary.add_child_comment = mock_first
-        self.block.secondary.add_child_comment = mock_second
-        self.block.add_child_comment("Comment")
-        self.assertTrue(mock_first.called)
-        self.assertTrue(mock_second.called)
-
-    def test_find_comments(self):
-        pri_comments = [augeasparser.AugeasCommentNode(comment="some comment",
-                                                       ancestor=self.block,
-                                                       filepath="/path/to/whatever",
-                                                       metadata=self.metadata)]
-        sec_comments = [augeasparser.AugeasCommentNode(comment=assertions.PASS,
-                                                       ancestor=self.block,
-                                                       filepath=assertions.PASS,
-                                                       metadata=self.metadata)]
-        find_coms_primary = mock.MagicMock(return_value=pri_comments)
-        find_coms_secondary = mock.MagicMock(return_value=sec_comments)
-        self.block.primary.find_comments = find_coms_primary
-        self.block.secondary.find_comments = find_coms_secondary
-
-        dcoms = self.block.find_comments("comment")
-        p_dcoms = [d.primary for d in dcoms]
-        s_dcoms = [d.secondary for d in dcoms]
-        p_coms = self.block.primary.find_comments("comment")
-        s_coms = self.block.secondary.find_comments("comment")
-        # Check that every comment response is represented in the list of
-        # DualParserNode instances.
-        for p in p_dcoms:
-            self.assertTrue(p in p_coms)
-        for s in s_dcoms:
-            self.assertTrue(s in s_coms)
-
-    def test_find_blocks_first_passing(self):
-        youshallnotpass = [augeasparser.AugeasBlockNode(name="notpassing",
-                                                        ancestor=self.block,
-                                                        filepath="/path/to/whatever",
-                                                        metadata=self.metadata)]
-        youshallpass = [augeasparser.AugeasBlockNode(name=assertions.PASS,
-                                                     ancestor=self.block,
-                                                     filepath=assertions.PASS,
-                                                     metadata=self.metadata)]
-        find_blocks_primary = mock.MagicMock(return_value=youshallpass)
-        find_blocks_secondary = mock.MagicMock(return_value=youshallnotpass)
-        self.block.primary.find_blocks = find_blocks_primary
-        self.block.secondary.find_blocks = find_blocks_secondary
-
-        blocks = self.block.find_blocks("something")
-        for block in blocks:
-            try:
-                assertions.assertEqual(block.primary, block.secondary)
-            except AssertionError: # pragma: no cover
-                self.fail("Assertion should have passed")
-            self.assertTrue(assertions.isPassDirective(block.primary))
-            self.assertFalse(assertions.isPassDirective(block.secondary))
-
-    def test_find_blocks_second_passing(self):
-        youshallnotpass = [augeasparser.AugeasBlockNode(name="notpassing",
-                                                        ancestor=self.block,
-                                                        filepath="/path/to/whatever",
-                                                        metadata=self.metadata)]
-        youshallpass = [augeasparser.AugeasBlockNode(name=assertions.PASS,
-                                                     ancestor=self.block,
-                                                     filepath=assertions.PASS,
-                                                     metadata=self.metadata)]
-        find_blocks_primary = mock.MagicMock(return_value=youshallnotpass)
-        find_blocks_secondary = mock.MagicMock(return_value=youshallpass)
-        self.block.primary.find_blocks = find_blocks_primary
-        self.block.secondary.find_blocks = find_blocks_secondary
-
-        blocks = self.block.find_blocks("something")
-        for block in blocks:
-            try:
-                assertions.assertEqual(block.primary, block.secondary)
-            except AssertionError: # pragma: no cover
-                self.fail("Assertion should have passed")
-            self.assertFalse(assertions.isPassDirective(block.primary))
-            self.assertTrue(assertions.isPassDirective(block.secondary))
-
-    def test_find_dirs_first_passing(self):
-        notpassing = [augeasparser.AugeasDirectiveNode(name="notpassing",
-                                                       ancestor=self.block,
-                                                       filepath="/path/to/whatever",
-                                                       metadata=self.metadata)]
-        passing = [augeasparser.AugeasDirectiveNode(name=assertions.PASS,
-                                                    ancestor=self.block,
-                                                    filepath=assertions.PASS,
-                                                    metadata=self.metadata)]
-        find_dirs_primary = mock.MagicMock(return_value=passing)
-        find_dirs_secondary = mock.MagicMock(return_value=notpassing)
-        self.block.primary.find_directives = find_dirs_primary
-        self.block.secondary.find_directives = find_dirs_secondary
-
-        directives = self.block.find_directives("something")
-        for directive in directives:
-            try:
-                assertions.assertEqual(directive.primary, directive.secondary)
-            except AssertionError: # pragma: no cover
-                self.fail("Assertion should have passed")
-            self.assertTrue(assertions.isPassDirective(directive.primary))
-            self.assertFalse(assertions.isPassDirective(directive.secondary))
-
-    def test_find_dirs_second_passing(self):
-        notpassing = [augeasparser.AugeasDirectiveNode(name="notpassing",
-                                                       ancestor=self.block,
-                                                       filepath="/path/to/whatever",
-                                                       metadata=self.metadata)]
-        passing = [augeasparser.AugeasDirectiveNode(name=assertions.PASS,
-                                                    ancestor=self.block,
-                                                    filepath=assertions.PASS,
-                                                    metadata=self.metadata)]
-        find_dirs_primary = mock.MagicMock(return_value=notpassing)
-        find_dirs_secondary = mock.MagicMock(return_value=passing)
-        self.block.primary.find_directives = find_dirs_primary
-        self.block.secondary.find_directives = find_dirs_secondary
-
-        directives = self.block.find_directives("something")
-        for directive in directives:
-            try:
-                assertions.assertEqual(directive.primary, directive.secondary)
-            except AssertionError: # pragma: no cover
-                self.fail("Assertion should have passed")
-            self.assertFalse(assertions.isPassDirective(directive.primary))
-            self.assertTrue(assertions.isPassDirective(directive.secondary))
-
-    def test_find_coms_first_passing(self):
-        notpassing = [augeasparser.AugeasCommentNode(comment="notpassing",
-                                                     ancestor=self.block,
-                                                     filepath="/path/to/whatever",
-                                                     metadata=self.metadata)]
-        passing = [augeasparser.AugeasCommentNode(comment=assertions.PASS,
-                                                  ancestor=self.block,
-                                                  filepath=assertions.PASS,
-                                                  metadata=self.metadata)]
-        find_coms_primary = mock.MagicMock(return_value=passing)
-        find_coms_secondary = mock.MagicMock(return_value=notpassing)
-        self.block.primary.find_comments = find_coms_primary
-        self.block.secondary.find_comments = find_coms_secondary
-
-        comments = self.block.find_comments("something")
-        for comment in comments:
-            try:
-                assertions.assertEqual(comment.primary, comment.secondary)
-            except AssertionError: # pragma: no cover
-                self.fail("Assertion should have passed")
-            self.assertTrue(assertions.isPassComment(comment.primary))
-            self.assertFalse(assertions.isPassComment(comment.secondary))
-
-    def test_find_coms_second_passing(self):
-        notpassing = [augeasparser.AugeasCommentNode(comment="notpassing",
-                                                     ancestor=self.block,
-                                                     filepath="/path/to/whatever",
-                                                     metadata=self.metadata)]
-        passing = [augeasparser.AugeasCommentNode(comment=assertions.PASS,
-                                                  ancestor=self.block,
-                                                  filepath=assertions.PASS,
-                                                  metadata=self.metadata)]
-        find_coms_primary = mock.MagicMock(return_value=notpassing)
-        find_coms_secondary = mock.MagicMock(return_value=passing)
-        self.block.primary.find_comments = find_coms_primary
-        self.block.secondary.find_comments = find_coms_secondary
-
-        comments = self.block.find_comments("something")
-        for comment in comments:
-            try:
-                assertions.assertEqual(comment.primary, comment.secondary)
-            except AssertionError: # pragma: no cover
-                self.fail("Assertion should have passed")
-            self.assertFalse(assertions.isPassComment(comment.primary))
-            self.assertTrue(assertions.isPassComment(comment.secondary))
-
-    def test_find_blocks_no_pass_equal(self):
-        notpassing1 = [augeasparser.AugeasBlockNode(name="notpassing",
-                                                    ancestor=self.block,
-                                                    filepath="/path/to/whatever",
-                                                    metadata=self.metadata)]
-        notpassing2 = [augeasparser.AugeasBlockNode(name="notpassing",
-                                                    ancestor=self.block,
-                                                    filepath="/path/to/whatever",
-                                                    metadata=self.metadata)]
-        find_blocks_primary = mock.MagicMock(return_value=notpassing1)
-        find_blocks_secondary = mock.MagicMock(return_value=notpassing2)
-        self.block.primary.find_blocks = find_blocks_primary
-        self.block.secondary.find_blocks = find_blocks_secondary
-
-        blocks = self.block.find_blocks("anything")
-        for block in blocks:
-            self.assertEqual(block.primary, block.secondary)
-            self.assertTrue(block.primary is not block.secondary)
-
-    def test_find_dirs_no_pass_equal(self):
-        notpassing1 = [augeasparser.AugeasDirectiveNode(name="notpassing",
-                                                        ancestor=self.block,
-                                                        filepath="/path/to/whatever",
-                                                        metadata=self.metadata)]
-        notpassing2 = [augeasparser.AugeasDirectiveNode(name="notpassing",
-                                                        ancestor=self.block,
-                                                        filepath="/path/to/whatever",
-                                                        metadata=self.metadata)]
-        find_dirs_primary = mock.MagicMock(return_value=notpassing1)
-        find_dirs_secondary = mock.MagicMock(return_value=notpassing2)
-        self.block.primary.find_directives = find_dirs_primary
-        self.block.secondary.find_directives = find_dirs_secondary
-
-        directives = self.block.find_directives("anything")
-        for directive in directives:
-            self.assertEqual(directive.primary, directive.secondary)
-            self.assertTrue(directive.primary is not directive.secondary)
-
-    def test_find_comments_no_pass_equal(self):
-        notpassing1 = [augeasparser.AugeasCommentNode(comment="notpassing",
-                                                      ancestor=self.block,
-                                                      filepath="/path/to/whatever",
-                                                      metadata=self.metadata)]
-        notpassing2 = [augeasparser.AugeasCommentNode(comment="notpassing",
-                                                      ancestor=self.block,
-                                                      filepath="/path/to/whatever",
-                                                      metadata=self.metadata)]
-        find_coms_primary = mock.MagicMock(return_value=notpassing1)
-        find_coms_secondary = mock.MagicMock(return_value=notpassing2)
-        self.block.primary.find_comments = find_coms_primary
-        self.block.secondary.find_comments = find_coms_secondary
-
-        comments = self.block.find_comments("anything")
-        for comment in comments:
-            self.assertEqual(comment.primary, comment.secondary)
-            self.assertTrue(comment.primary is not comment.secondary)
-
-    def test_find_blocks_no_pass_notequal(self):
-        notpassing1 = [augeasparser.AugeasBlockNode(name="notpassing",
-                                                    ancestor=self.block,
-                                                    filepath="/path/to/whatever",
-                                                    metadata=self.metadata)]
-        notpassing2 = [augeasparser.AugeasBlockNode(name="different",
-                                                    ancestor=self.block,
-                                                    filepath="/path/to/whatever",
-                                                    metadata=self.metadata)]
-        find_blocks_primary = mock.MagicMock(return_value=notpassing1)
-        find_blocks_secondary = mock.MagicMock(return_value=notpassing2)
-        self.block.primary.find_blocks = find_blocks_primary
-        self.block.secondary.find_blocks = find_blocks_secondary
-
-        with self.assertRaises(AssertionError):
-            _ = self.block.find_blocks("anything")
-
-    def test_parsernode_notequal(self):
-        ne_block = augeasparser.AugeasBlockNode(name="different",
-                                                ancestor=self.block,
-                                                filepath="/path/to/whatever",
-                                                metadata=self.metadata)
-        ne_directive = augeasparser.AugeasDirectiveNode(name="different",
-                                                        ancestor=self.block,
-                                                        filepath="/path/to/whatever",
-                                                        metadata=self.metadata)
-        ne_comment = augeasparser.AugeasCommentNode(comment="different",
-                                                    ancestor=self.block,
-                                                    filepath="/path/to/whatever",
-                                                    metadata=self.metadata)
-        self.assertFalse(self.block == ne_block)
-        self.assertFalse(self.directive == ne_directive)
-        self.assertFalse(self.comment == ne_comment)
-
-    def test_parsed_paths(self):
-        mock_p = mock.MagicMock(return_value=['/path/file.conf',
-                                              '/another/path',
-                                              '/path/other.conf'])
-        mock_s = mock.MagicMock(return_value=['/path/*.conf', '/another/path'])
-        self.block.primary.parsed_paths = mock_p
-        self.block.secondary.parsed_paths = mock_s
-        self.block.parsed_paths()
-        self.assertTrue(mock_p.called)
-        self.assertTrue(mock_s.called)
-
-    def test_parsed_paths_error(self):
-        mock_p = mock.MagicMock(return_value=['/path/file.conf'])
-        mock_s = mock.MagicMock(return_value=['/path/*.conf', '/another/path'])
-        self.block.primary.parsed_paths = mock_p
-        self.block.secondary.parsed_paths = mock_s
-        with self.assertRaises(AssertionError):
-            self.block.parsed_paths()
-
-    def test_find_ancestors(self):
-        primarymock = mock.MagicMock(return_value=[])
-        secondarymock = mock.MagicMock(return_value=[])
-        self.block.primary.find_ancestors = primarymock
-        self.block.secondary.find_ancestors = secondarymock
-        self.block.find_ancestors("anything")
-        self.assertTrue(primarymock.called)
-        self.assertTrue(secondarymock.called)
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Erica Portnoy	e3ce28e75e	Change tests path in tox.ini	2019-11-26 18:28:34 -08:00
Erica Portnoy	4147033165	Exclude pycache and .py[cod]	2019-11-26 15:21:12 -08:00
Erica Portnoy	2f0b1aa1aa	Refactor tests out of packaged module for apache plugin	2019-11-26 14:30:28 -08:00