From d06c6f27bdfbde31e18d5a5f3fc40c0a85b723e7 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Wed, 16 Dec 2015 14:33:41 -0800 Subject: [PATCH 001/141] Removed duplicate cancel --- letsencrypt/cli.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/letsencrypt/cli.py b/letsencrypt/cli.py index 29519d430..6634b422d 100644 --- a/letsencrypt/cli.py +++ b/letsencrypt/cli.py @@ -276,12 +276,11 @@ def _handle_identical_cert_request(config, cert): elif config.verb == "certonly": keep_opt = "Keep the existing certificate for now" choices = [keep_opt, - "Renew & replace the cert (limit ~5 per 7 days)", - "Cancel this operation and do nothing"] + "Renew & replace the cert (limit ~5 per 7 days)"] display = zope.component.getUtility(interfaces.IDisplay) response = display.menu(question, choices, "OK", "Cancel") - if response[0] == "cancel" or response[1] == 2: + if response[0] == display_util.CANCEL: # TODO: Add notification related to command-line options for # skipping the menu for this case. raise errors.Error( From 177e42e9d67601e860db45df1c0121f4905b536d Mon Sep 17 00:00:00 2001 From: Eugene Kazakov Date: Sun, 20 Dec 2015 12:43:57 +0600 Subject: [PATCH 002/141] Remove warning "Root (sudo) is required" --- letsencrypt/cli.py | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/letsencrypt/cli.py b/letsencrypt/cli.py index 29519d430..f614e13f8 100644 --- a/letsencrypt/cli.py +++ b/letsencrypt/cli.py @@ -1384,17 +1384,6 @@ def main(cli_args=sys.argv[1:]): zope.component.provideUtility(report) atexit.register(report.atexit_print_messages) - if not os.geteuid() == 0: - logger.warning( - "Root (sudo) is required to run most of letsencrypt functionality.") - # check must be done after arg parsing as --help should work - # w/o root; on the other hand, e.g. "letsencrypt run - # --authenticator dns" or "letsencrypt plugins" does not - # require root as well - #return ( - # "{0}Root is required to run letsencrypt. Please use sudo.{0}" - # .format(os.linesep)) - return args.func(args, config, plugins) if __name__ == "__main__": From a04b92eb8e91e6f51b3a851313e16821057c9edf Mon Sep 17 00:00:00 2001 From: asaph Date: Tue, 22 Dec 2015 13:37:36 -0800 Subject: [PATCH 003/141] OSX: check if augeas, dialog are already installed This check avoids the following 2 noisy warnings: Warning: augeas-1.4.0 already installed Warning: dialog-1.2-20150528 already installed --- bootstrap/mac.sh | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/bootstrap/mac.sh b/bootstrap/mac.sh index 4d1fb8208..4b6612336 100755 --- a/bootstrap/mac.sh +++ b/bootstrap/mac.sh @@ -4,8 +4,15 @@ if ! hash brew 2>/dev/null; then ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" fi -brew install augeas -brew install dialog +if [ -z "$(brew list --versions augeas)" ]; then + echo "augeas Not Installed\nInstalling augeas from Homebrew..." + brew install augeas +fi + +if [ -z "$(brew list --versions dialog)" ]; then + echo "dialog Not Installed\nInstalling dialog from Homebrew..." + brew install dialog +fi if ! hash pip 2>/dev/null; then echo "pip Not Installed\nInstalling python from Homebrew..." From bda9a49a6ab8d779e5da86e19b01b8b320650687 Mon Sep 17 00:00:00 2001 From: Philipp Spitzer Date: Wed, 6 Jan 2016 20:42:07 +0100 Subject: [PATCH 004/141] Added apache2 dav and dav_svn modules to debian_apache_2_4 two_vhost_80 test data. Also added symlinks in mods-enabled to the newly added files to include the modules in the test. After doing so, many tests fail with "AttributeError: 'NoneType' object has no attribute 'lower'" in letsencrypt_apache/parser.py", line 311. --- .../apache2/mods-available/authz_svn.load | 5 ++ .../apache2/mods-available/dav.load | 3 + .../apache2/mods-available/dav_svn.conf | 56 +++++++++++++++++++ .../apache2/mods-available/dav_svn.load | 7 +++ .../apache2/mods-enabled/authz_svn.load | 1 + .../apache2/mods-enabled/dav.load | 1 + .../apache2/mods-enabled/dav_svn.conf | 1 + .../apache2/mods-enabled/dav_svn.load | 1 + 8 files changed, 75 insertions(+) create mode 100644 letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/authz_svn.load create mode 100644 letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/dav.load create mode 100644 letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/dav_svn.conf create mode 100644 letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/dav_svn.load create mode 120000 letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/authz_svn.load create mode 120000 letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/dav.load create mode 120000 letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/dav_svn.conf create mode 120000 letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/dav_svn.load diff --git a/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/authz_svn.load b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/authz_svn.load new file mode 100644 index 000000000..c6df2733b --- /dev/null +++ b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/authz_svn.load @@ -0,0 +1,5 @@ +# Depends: dav_svn + + Include mods-enabled/dav_svn.load + +LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so diff --git a/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/dav.load b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/dav.load new file mode 100644 index 000000000..a5867fff3 --- /dev/null +++ b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/dav.load @@ -0,0 +1,3 @@ + + LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so + diff --git a/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/dav_svn.conf b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/dav_svn.conf new file mode 100644 index 000000000..801cbd6bd --- /dev/null +++ b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/dav_svn.conf @@ -0,0 +1,56 @@ +# dav_svn.conf - Example Subversion/Apache configuration +# +# For details and further options see the Apache user manual and +# the Subversion book. +# +# NOTE: for a setup with multiple vhosts, you will want to do this +# configuration in /etc/apache2/sites-available/*, not here. + +# ... +# URL controls how the repository appears to the outside world. +# In this example clients access the repository as http://hostname/svn/ +# Note, a literal /svn should NOT exist in your document root. +# + + # Uncomment this to enable the repository + #DAV svn + + # Set this to the path to your repository + #SVNPath /var/lib/svn + # Alternatively, use SVNParentPath if you have multiple repositories under + # under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...). + # You need either SVNPath and SVNParentPath, but not both. + #SVNParentPath /var/lib/svn + + # Access control is done at 3 levels: (1) Apache authentication, via + # any of several methods. A "Basic Auth" section is commented out + # below. (2) Apache and , also commented out + # below. (3) mod_authz_svn is a svn-specific authorization module + # which offers fine-grained read/write access control for paths + # within a repository. (The first two layers are coarse-grained; you + # can only enable/disable access to an entire repository.) Note that + # mod_authz_svn is noticeably slower than the other two layers, so if + # you don't need the fine-grained control, don't configure it. + + # Basic Authentication is repository-wide. It is not secure unless + # you are using https. See the 'htpasswd' command to create and + # manage the password file - and the documentation for the + # 'auth_basic' and 'authn_file' modules, which you will need for this + # (enable them with 'a2enmod'). + #AuthType Basic + #AuthName "Subversion Repository" + #AuthUserFile /etc/apache2/dav_svn.passwd + + # To enable authorization via mod_authz_svn (enable that module separately): + # + #AuthzSVNAccessFile /etc/apache2/dav_svn.authz + # + + # The following three lines allow anonymous read, but make + # committers authenticate themselves. It requires the 'authz_user' + # module (enable it with 'a2enmod'). + # + #Require valid-user + # + +# diff --git a/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/dav_svn.load b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/dav_svn.load new file mode 100644 index 000000000..e41e1581a --- /dev/null +++ b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-available/dav_svn.load @@ -0,0 +1,7 @@ +# Depends: dav + + + Include mods-enabled/dav.load + + LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so + diff --git a/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/authz_svn.load b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/authz_svn.load new file mode 120000 index 000000000..7ac0725dd --- /dev/null +++ b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/authz_svn.load @@ -0,0 +1 @@ +../mods-available/authz_svn.load \ No newline at end of file diff --git a/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/dav.load b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/dav.load new file mode 120000 index 000000000..9dcfef6da --- /dev/null +++ b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/dav.load @@ -0,0 +1 @@ +../mods-available/dav.load \ No newline at end of file diff --git a/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/dav_svn.conf b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/dav_svn.conf new file mode 120000 index 000000000..964c7bb0b --- /dev/null +++ b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/dav_svn.conf @@ -0,0 +1 @@ +../mods-available/dav_svn.conf \ No newline at end of file diff --git a/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/dav_svn.load b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/dav_svn.load new file mode 120000 index 000000000..4094e4173 --- /dev/null +++ b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/mods-enabled/dav_svn.load @@ -0,0 +1 @@ +../mods-available/dav_svn.load \ No newline at end of file From d3fddc351920ffce2a55c55f08b99899942dbf44 Mon Sep 17 00:00:00 2001 From: osirisinferi Date: Fri, 8 Jan 2016 13:38:57 +0100 Subject: [PATCH 005/141] Prevent recording of deps in world set --- bootstrap/_gentoo_common.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bootstrap/_gentoo_common.sh b/bootstrap/_gentoo_common.sh index f49dc00f0..aa0de650c 100755 --- a/bootstrap/_gentoo_common.sh +++ b/bootstrap/_gentoo_common.sh @@ -12,12 +12,12 @@ PACKAGES=" case "$PACKAGE_MANAGER" in (paludis) - cave resolve --keep-targets if-possible $PACKAGES -x + cave resolve --preserve-world --keep-targets if-possible $PACKAGES -x ;; (pkgcore) - pmerge --noreplace $PACKAGES + pmerge --noreplace --oneshot $PACKAGES ;; (portage|*) - emerge --noreplace $PACKAGES + emerge --noreplace --oneshot $PACKAGES ;; esac From aba11814cb666d7d6e1e55fb641d93cc9dad45e4 Mon Sep 17 00:00:00 2001 From: osirisinferi Date: Fri, 8 Jan 2016 13:47:55 +0100 Subject: [PATCH 006/141] Add Gentoo documentation --- docs/using.rst | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/using.rst b/docs/using.rst index 5da13f02c..78967b90c 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -64,7 +64,7 @@ or for full help, type: ``letsencrypt-auto`` is the recommended method of running the Let's Encrypt client beta releases on systems that don't have a packaged version. Debian, -Arch linux, FreeBSD, and OpenBSD now have native packages, so on those +Arch linux, Gentoo, FreeBSD, and OpenBSD now have native packages, so on those systems you can just install ``letsencrypt`` (and perhaps ``letsencrypt-apache``). If you'd like to run the latest copy from Git, or run your own locally modified copy of the client, follow the instructions in @@ -376,6 +376,23 @@ If you don't want to use the Apache plugin, you can omit the Packages for Debian Jessie are coming in the next few weeks. +**Gentoo** + +.. code-block:: shell + + emerge -av app-crypt/letsencrypt + +Currently, the Apache and nginx plugins are not included in Portage. You can +however use Layman to add the mrueg overlay which does include the plugin +packages: + +.. code-block:: shell + + emerge -av app-portage/layman + layman -S + layman -a mrueg + emerge -av app-crypt/letsencrypt-apache app-crypt/letsencrypt-nginx + **Other Operating Systems** OS packaging is an ongoing effort. If you'd like to package From 31a64a0e9ffe2d5cbbfc0f6eb87329ae8c75f007 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sun, 10 Jan 2016 18:01:58 +0000 Subject: [PATCH 007/141] ACME: default to new_authzr_uri form Directory --- acme/acme/client.py | 21 +++++++++++---------- acme/acme/client_test.py | 32 ++++++++++++++++++++++++-------- 2 files changed, 35 insertions(+), 18 deletions(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index c3e28ef47..b8d30461d 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -181,40 +181,41 @@ class Client(object): # pylint: disable=too-many-instance-attributes raise errors.UnexpectedUpdate(authzr) return authzr - def request_challenges(self, identifier, new_authzr_uri): + def request_challenges(self, identifier, new_authzr_uri=None): """Request challenges. - :param identifier: Identifier to be challenged. - :type identifier: `.messages.Identifier` - - :param str new_authzr_uri: new-authorization URI + :param .messages.Identifier identifier: Identifier to be challenged. + :param str new_authzr_uri: ``new-authorization`` URI. If omitted, + will default to value found in ``directory``. :returns: Authorization Resource. :rtype: `.AuthorizationResource` """ new_authz = messages.NewAuthorization(identifier=identifier) - response = self.net.post(new_authzr_uri, new_authz) + response = self.net.post(self.directory.new_authz + if new_authzr_uri is None else new_authzr_uri, + new_authz) # TODO: handle errors assert response.status_code == http_client.CREATED return self._authzr_from_response(response, identifier) - def request_domain_challenges(self, domain, new_authz_uri): + def request_domain_challenges(self, domain, new_authzr_uri=None): """Request challenges for domain names. This is simply a convenience function that wraps around `request_challenges`, but works with domain names instead of - generic identifiers. + generic identifiers. See ``request_challenges`` for more + documentation. :param str domain: Domain name to be challenged. - :param str new_authzr_uri: new-authorization URI :returns: Authorization Resource. :rtype: `.AuthorizationResource` """ return self.request_challenges(messages.Identifier( - typ=messages.IDENTIFIER_FQDN, value=domain), new_authz_uri) + typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri) def answer_challenge(self, challb, response): """Answer challenge. diff --git a/acme/acme/client_test.py b/acme/acme/client_test.py index 58f55b293..db5dcd6ed 100644 --- a/acme/acme/client_test.py +++ b/acme/acme/client_test.py @@ -36,6 +36,7 @@ class ClientTest(unittest.TestCase): self.directory = messages.Directory({ messages.NewRegistration: 'https://www.letsencrypt-demo.org/acme/new-reg', messages.Revocation: 'https://www.letsencrypt-demo.org/acme/revoke-cert', + messages.NewAuthorization: 'https://www.letsencrypt-demo.org/acme/new-authz', }) from acme.client import Client @@ -133,7 +134,7 @@ class ClientTest(unittest.TestCase): regr = self.client.update_registration.call_args[0][0] self.assertEqual(self.regr.terms_of_service, regr.body.agreement) - def test_request_challenges(self): + def _prepare_response_for_request_challenges(self): self.response.status_code = http_client.CREATED self.response.headers['Location'] = self.authzr.uri self.response.json.return_value = self.authz.to_json() @@ -141,10 +142,20 @@ class ClientTest(unittest.TestCase): 'next': {'url': self.authzr.new_cert_uri}, } - self.client.request_challenges(self.identifier, self.authzr.uri) - # TODO: test POST call arguments + def test_request_challenges(self): + self._prepare_response_for_request_challenges() + self.client.request_challenges(self.identifier) + self.net.post.assert_called_once_with( + self.directory.new_authz, + messages.NewAuthorization(identifier=self.identifier)) - # TODO: split here and separate test + def test_requets_challenges_custom_uri(self): + self._prepare_response_for_request_challenges() + self.client.request_challenges(self.identifier, 'URI') + self.net.post.assert_called_once_with('URI', mock.ANY) + + def test_request_challenges_unexpected_update(self): + self._prepare_response_for_request_challenges() self.response.json.return_value = self.authz.update( identifier=self.identifier.update(value='foo')).to_json() self.assertRaises( @@ -153,15 +164,20 @@ class ClientTest(unittest.TestCase): def test_request_challenges_missing_next(self): self.response.status_code = http_client.CREATED - self.assertRaises( - errors.ClientError, self.client.request_challenges, - self.identifier, self.regr) + self.assertRaises(errors.ClientError, self.client.request_challenges, + self.identifier) def test_request_domain_challenges(self): self.client.request_challenges = mock.MagicMock() self.assertEqual( self.client.request_challenges(self.identifier), - self.client.request_domain_challenges('example.com', self.regr)) + self.client.request_domain_challenges('example.com')) + + def test_request_domain_challenges_custom_uri(self): + self.client.request_challenges = mock.MagicMock() + self.assertEqual( + self.client.request_challenges(self.identifier, 'URI'), + self.client.request_domain_challenges('example.com', 'URI')) def test_answer_challenge(self): self.response.links['up'] = {'url': self.challr.authzr_uri} From 9fb42e21db1e6b53842366e613c23ff0e0e6fda9 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sun, 10 Jan 2016 18:05:30 +0000 Subject: [PATCH 008/141] Enfore PEP8 checking in ACME --- pep8.travis.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pep8.travis.sh b/pep8.travis.sh index ccac0a435..13a727596 100755 --- a/pep8.travis.sh +++ b/pep8.travis.sh @@ -1,7 +1,12 @@ #!/bin/sh + +set -e # Fail fast + +# PEP8 is not ignored in ACME +pep8 acme + pep8 \ setup.py \ - acme \ letsencrypt \ letsencrypt-apache \ letsencrypt-nginx \ From 20ab48820aec5762861867422124d7b4df4ba141 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sun, 10 Jan 2016 18:36:24 +0000 Subject: [PATCH 009/141] Remove unused `setup.py dev` alias --- setup.cfg | 3 --- 1 file changed, 3 deletions(-) diff --git a/setup.cfg b/setup.cfg index ca4c1b1ca..1ea06661e 100644 --- a/setup.cfg +++ b/setup.cfg @@ -1,9 +1,6 @@ [easy_install] zip_ok = false -[aliases] -dev = develop easy_install letsencrypt[dev,docs,testing] - [nosetests] nocapture=1 cover-package=letsencrypt,acme,letsencrypt_apache,letsencrypt_nginx From 86d6d2704511819a2974334ae93313229d3cb7d1 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sun, 10 Jan 2016 18:37:41 +0000 Subject: [PATCH 010/141] Clean up dev/testing extras messup (fixes #2140). --- Dockerfile-dev | 2 +- acme/setup.py | 13 +++++++------ bootstrap/dev/venv.sh | 4 ++-- bootstrap/dev/venv3.sh | 2 +- setup.py | 14 +++++--------- tox.ini | 14 +++++++------- 6 files changed, 23 insertions(+), 26 deletions(-) diff --git a/Dockerfile-dev b/Dockerfile-dev index 3c5b53966..0e9e62486 100644 --- a/Dockerfile-dev +++ b/Dockerfile-dev @@ -58,7 +58,7 @@ RUN virtualenv --no-site-packages -p python2 /opt/letsencrypt/venv && \ -e /opt/letsencrypt/src/letsencrypt-nginx \ -e /opt/letsencrypt/src/letshelp-letsencrypt \ -e /opt/letsencrypt/src/letsencrypt-compatibility-test \ - -e /opt/letsencrypt/src[dev,docs,testing] + -e /opt/letsencrypt/src[dev,docs] # install in editable mode (-e) to save space: it's not possible to # "rm -rf /opt/letsencrypt/src" (it's stays in the underlaying image); diff --git a/acme/setup.py b/acme/setup.py index 372c05b13..e7371e415 100644 --- a/acme/setup.py +++ b/acme/setup.py @@ -36,17 +36,18 @@ if sys.version_info < (2, 7, 9): install_requires.append('ndg-httpsclient') install_requires.append('pyasn1') +dev_extras = [ + 'nose', + 'pep8', + 'tox', +] + docs_extras = [ 'Sphinx>=1.0', # autodoc_member_order = 'bysource', autodoc_default_flags 'sphinx_rtd_theme', 'sphinxcontrib-programoutput', ] -testing_extras = [ - 'nose', - 'tox', -] - setup( name='acme', @@ -76,8 +77,8 @@ setup( include_package_data=True, install_requires=install_requires, extras_require={ + 'dev': dev_extras, 'docs': docs_extras, - 'testing': testing_extras, }, entry_points={ 'console_scripts': [ diff --git a/bootstrap/dev/venv.sh b/bootstrap/dev/venv.sh index 11ab417dd..eea79e846 100755 --- a/bootstrap/dev/venv.sh +++ b/bootstrap/dev/venv.sh @@ -4,8 +4,8 @@ export VENV_ARGS="--python python2" ./bootstrap/dev/_venv_common.sh \ - -e acme[testing] \ - -e .[dev,docs,testing] \ + -e acme[dev] \ + -e .[dev,docs] \ -e letsencrypt-apache \ -e letsencrypt-nginx \ -e letshelp-letsencrypt \ diff --git a/bootstrap/dev/venv3.sh b/bootstrap/dev/venv3.sh index ccffffb83..f1d2b581a 100755 --- a/bootstrap/dev/venv3.sh +++ b/bootstrap/dev/venv3.sh @@ -5,4 +5,4 @@ export VENV_NAME="${VENV_NAME:-venv3}" export VENV_ARGS="--python python3" ./bootstrap/dev/_venv_common.sh \ - -e acme[testing] \ + -e acme[dev] \ diff --git a/setup.py b/setup.py index ad7fb6909..370a9cdb5 100644 --- a/setup.py +++ b/setup.py @@ -64,7 +64,12 @@ else: dev_extras = [ # Pin astroid==1.3.5, pylint==1.4.2 as a workaround for #289 'astroid==1.3.5', + 'coverage', + 'nose', + 'nosexcover', + 'pep8', 'pylint==1.4.2', # upstream #248 + 'tox', 'twine', 'wheel', ] @@ -76,14 +81,6 @@ docs_extras = [ 'sphinxcontrib-programoutput', ] -testing_extras = [ - 'coverage', - 'nose', - 'nosexcover', - 'pep8', - 'tox', -] - setup( name='letsencrypt', version=version, @@ -119,7 +116,6 @@ setup( extras_require={ 'dev': dev_extras, 'docs': docs_extras, - 'testing': testing_extras, }, tests_require=install_requires, diff --git a/tox.ini b/tox.ini index c6cefb764..6b05efabd 100644 --- a/tox.ini +++ b/tox.ini @@ -15,9 +15,9 @@ envlist = py{26,27,33,34,35},py{26,27}-oldest,cover,lint # packages installed separately to ensure that dowstream deps problems # are detected, c.f. #1002 commands = - pip install -e acme[testing] + pip install -e acme[dev] nosetests -v acme - pip install -e .[testing] + pip install -e .[dev] nosetests -v letsencrypt pip install -e letsencrypt-apache nosetests -v letsencrypt_apache @@ -40,23 +40,23 @@ deps = [testenv:py33] commands = - pip install -e acme[testing] + pip install -e acme[dev] nosetests -v acme [testenv:py34] commands = - pip install -e acme[testing] + pip install -e acme[dev] nosetests -v acme [testenv:py35] commands = - pip install -e acme[testing] + pip install -e acme[dev] nosetests -v acme [testenv:cover] basepython = python2.7 commands = - pip install -e acme -e .[testing] -e letsencrypt-apache -e letsencrypt-nginx -e letshelp-letsencrypt + pip install -e acme[dev] -e .[dev] -e letsencrypt-apache -e letsencrypt-nginx -e letshelp-letsencrypt ./tox.cover.sh [testenv:lint] @@ -66,7 +66,7 @@ basepython = python2.7 # duplicate code checking; if one of the commands fails, others will # continue, but tox return code will reflect previous error commands = - pip install -e acme -e .[dev] -e letsencrypt-apache -e letsencrypt-nginx -e letsencrypt-compatibility-test -e letshelp-letsencrypt + pip install -e acme[dev] -e .[dev] -e letsencrypt-apache -e letsencrypt-nginx -e letsencrypt-compatibility-test -e letshelp-letsencrypt ./pep8.travis.sh pylint --rcfile=.pylintrc letsencrypt pylint --rcfile=acme/.pylintrc acme/acme From 15f492946893a6b460ad8ea40cffed323c9de7bd Mon Sep 17 00:00:00 2001 From: osirisinferi Date: Mon, 25 Jan 2016 22:23:30 +0100 Subject: [PATCH 011/141] Update and expansion of Gentoo documentation --- docs/using.rst | 37 +++++++++++++++++++++++++++++++++---- 1 file changed, 33 insertions(+), 4 deletions(-) diff --git a/docs/using.rst b/docs/using.rst index 78967b90c..6370de963 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -378,20 +378,49 @@ Packages for Debian Jessie are coming in the next few weeks. **Gentoo** +The official Let's Encrypt client is available in Gentoo Portage. If you +want to use the Apache plugin, it has to be installed separately: + .. code-block:: shell emerge -av app-crypt/letsencrypt + emerge -av app-crypt/letsencrypt-apache -Currently, the Apache and nginx plugins are not included in Portage. You can -however use Layman to add the mrueg overlay which does include the plugin -packages: +Currently, only the Apache plugin is included in Portage. However, if you +want the nginx plugin, you can use Layman to add the mrueg overlay which +does include the nginx plugin package: .. code-block:: shell emerge -av app-portage/layman layman -S layman -a mrueg - emerge -av app-crypt/letsencrypt-apache app-crypt/letsencrypt-nginx + emerge -av app-crypt/letsencrypt-nginx + +When using the Apache plugin, you will run into a "cannot find a cert or key +directive" error if you're sporting the default Gentoo ``httpd.conf``. +You can fix this by commenting out two lines in ``/etc/apache2/httpd.conf`` +as follows: + +Change + +.. code-block:: shell + + + LoadModule ssl_module modules/mod_ssl.so + + +to + +.. code-block:: shell + + # + LoadModule ssl_module modules/mod_ssl.so + # + +For the time being, this is the only way for the Apache plugin to recognise +the appropriate directives when installing the certificate. +Note: this change is not required for the other plugins. **Other Operating Systems** From e591a7666c84c41f7a67cf62fb15a72fe087f9ed Mon Sep 17 00:00:00 2001 From: Ola Bini Date: Tue, 26 Jan 2016 12:29:49 -0500 Subject: [PATCH 012/141] Guard reverter invocations and wrap in correct exceptions --- .../letsencrypt_nginx/configurator.py | 48 ++++++++++++++----- .../tests/configurator_test.py | 25 ++++++++++ 2 files changed, 62 insertions(+), 11 deletions(-) diff --git a/letsencrypt-nginx/letsencrypt_nginx/configurator.py b/letsencrypt-nginx/letsencrypt_nginx/configurator.py index efa7e08b4..88fa66843 100644 --- a/letsencrypt-nginx/letsencrypt_nginx/configurator.py +++ b/letsencrypt-nginx/letsencrypt_nginx/configurator.py @@ -190,6 +190,12 @@ class NginxConfigurator(common.Plugin): ", ".join(str(addr) for addr in vhost.addrs))) self.save_notes += "\tssl_certificate %s\n" % fullchain_path self.save_notes += "\tssl_certificate_key %s\n" % key_path + if len(stapling_directives) > 0: + self.save_notes += "\tssl_trusted_certificate %s\n" % chain_path + self.save_notes += "\tssl_stapling on\n" + self.save_notes += "\tssl_stapling_verify on\n" + + ####################### # Vhost parsing methods @@ -514,18 +520,26 @@ class NginxConfigurator(common.Plugin): """ save_files = set(self.parser.parsed.keys()) - # Create Checkpoint - if temporary: - self.reverter.add_to_temp_checkpoint( - save_files, self.save_notes) - else: - self.reverter.add_to_checkpoint(save_files, + try: + # Create Checkpoint + if temporary: + self.reverter.add_to_temp_checkpoint( + save_files, self.save_notes) + else: + self.reverter.add_to_checkpoint(save_files, self.save_notes) + except errors.ReverterError as err: + raise errors.PluginError(str(err)) + + self.save_notes = "" # Change 'ext' to something else to not override existing conf files self.parser.filedump(ext='') if title and not temporary: - self.reverter.finalize_checkpoint(title) + try: + self.reverter.finalize_checkpoint(title) + except errors.ReverterError as err: + raise errors.PluginError(str(err)) return True @@ -535,12 +549,18 @@ class NginxConfigurator(common.Plugin): Reverts all modified files that have not been saved as a checkpoint """ - self.reverter.recovery_routine() + try: + self.reverter.recovery_routine() + except errors.ReverterError as err: + raise errors.PluginError(str(err)) self.parser.load() def revert_challenge_config(self): """Used to cleanup challenge configurations.""" - self.reverter.revert_temporary_config() + try: + self.reverter.revert_temporary_config() + except errors.ReverterError as err: + raise errors.PluginError(str(err)) self.parser.load() def rollback_checkpoints(self, rollback=1): @@ -549,12 +569,18 @@ class NginxConfigurator(common.Plugin): :param int rollback: Number of checkpoints to revert """ - self.reverter.rollback_checkpoints(rollback) + try: + self.reverter.rollback_checkpoints(rollback) + except errors.ReverterError as err: + raise errors.PluginError(str(err)) self.parser.load() def view_config_changes(self): """Show all of the configuration changes that have taken place.""" - self.reverter.view_config_changes() + try: + self.reverter.view_config_changes() + except errors.ReverterError as err: + raise errors.PluginError(str(err)) ########################################################################### # Challenges Section for IAuthenticator diff --git a/letsencrypt-nginx/letsencrypt_nginx/tests/configurator_test.py b/letsencrypt-nginx/letsencrypt_nginx/tests/configurator_test.py index 4fce33079..4d15d6a75 100644 --- a/letsencrypt-nginx/letsencrypt_nginx/tests/configurator_test.py +++ b/letsencrypt-nginx/letsencrypt_nginx/tests/configurator_test.py @@ -371,6 +371,31 @@ class NginxConfiguratorTest(util.NginxTest): mock_run_script.side_effect = errors.SubprocessError self.assertRaises(errors.MisconfigurationError, self.config.config_test) + @mock.patch("letsencrypt.reverter.Reverter.recovery_routine") + def test_recovery_routine_throws_error_from_reverter(self, mock_recovery_routine): + mock_recovery_routine.side_effect = errors.ReverterError("foo") + self.assertRaises(errors.PluginError, self.config.recovery_routine) + + @mock.patch("letsencrypt.reverter.Reverter.view_config_changes") + def test_view_config_changes_throws_error_from_reverter(self, mock_view_config_changes): + mock_view_config_changes.side_effect = errors.ReverterError("foo") + self.assertRaises(errors.PluginError, self.config.view_config_changes) + + @mock.patch("letsencrypt.reverter.Reverter.rollback_checkpoints") + def test_rollback_checkpoints_throws_error_from_reverter(self, mock_rollback_checkpoints): + mock_rollback_checkpoints.side_effect = errors.ReverterError("foo") + self.assertRaises(errors.PluginError, self.config.rollback_checkpoints) + + @mock.patch("letsencrypt.reverter.Reverter.revert_temporary_config") + def test_revert_challenge_config_throws_error_from_reverter(self, mock_revert_temporary_config): + mock_revert_temporary_config.side_effect = errors.ReverterError("foo") + self.assertRaises(errors.PluginError, self.config.revert_challenge_config) + + @mock.patch("letsencrypt.reverter.Reverter.add_to_checkpoint") + def test_save_throws_error_from_reverter(self, mock_add_to_checkpoint): + mock_add_to_checkpoint.side_effect = errors.ReverterError("foo") + self.assertRaises(errors.PluginError, self.config.save) + def test_get_snakeoil_paths(self): # pylint: disable=protected-access cert, key = self.config._get_snakeoil_paths() From 15182d5aa487c2843502894cad851a4d31487a00 Mon Sep 17 00:00:00 2001 From: Ola Bini Date: Wed, 27 Jan 2016 09:06:56 -0500 Subject: [PATCH 013/141] Add comments about the exceptions raised --- .../letsencrypt_nginx/configurator.py | 22 +++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/letsencrypt-nginx/letsencrypt_nginx/configurator.py b/letsencrypt-nginx/letsencrypt_nginx/configurator.py index 88fa66843..b0a1e76cd 100644 --- a/letsencrypt-nginx/letsencrypt_nginx/configurator.py +++ b/letsencrypt-nginx/letsencrypt_nginx/configurator.py @@ -517,6 +517,10 @@ class NginxConfigurator(common.Plugin): :param bool temporary: Indicates whether the changes made will be quickly reversed in the future (ie. challenges) + :raises .errors.PluginError: If there was an error in + an attempt to save the configuration, or an error creating a + checkpoint + """ save_files = set(self.parser.parsed.keys()) @@ -548,6 +552,8 @@ class NginxConfigurator(common.Plugin): Reverts all modified files that have not been saved as a checkpoint + :raises .errors.PluginError: If unable to recover the configuration + """ try: self.reverter.recovery_routine() @@ -556,7 +562,11 @@ class NginxConfigurator(common.Plugin): self.parser.load() def revert_challenge_config(self): - """Used to cleanup challenge configurations.""" + """Used to cleanup challenge configurations. + + :raises .errors.PluginError: If unable to revert the challenge config. + + """ try: self.reverter.revert_temporary_config() except errors.ReverterError as err: @@ -568,6 +578,9 @@ class NginxConfigurator(common.Plugin): :param int rollback: Number of checkpoints to revert + :raises .errors.PluginError: If there is a problem with the input or + the function is unable to correctly revert the configuration + """ try: self.reverter.rollback_checkpoints(rollback) @@ -576,7 +589,12 @@ class NginxConfigurator(common.Plugin): self.parser.load() def view_config_changes(self): - """Show all of the configuration changes that have taken place.""" + """Show all of the configuration changes that have taken place. + + :raises .errors.PluginError: If there is a problem while processing + the checkpoints directories. + + """ try: self.reverter.view_config_changes() except errors.ReverterError as err: From 113774746d2d08674c010623a79b95859a0f8dda Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 2 Feb 2016 13:44:44 -0800 Subject: [PATCH 014/141] Ignore venv in letstest dir --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 1becea3b4..341843f98 100644 --- a/.gitignore +++ b/.gitignore @@ -26,3 +26,4 @@ letsencrypt.log # letstest tests/letstest/letest-*/ tests/letstest/*.pem +tests/letstest/venv/ From f9327d553531ae04de0962a30b3ef05f338f41e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roy=20Wellington=20=E2=85=A3?= Date: Sat, 6 Feb 2016 21:43:52 -0800 Subject: [PATCH 015/141] Make this use of urlparse.urlparse Python 3 compatible. --- letsencrypt/configuration.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/letsencrypt/configuration.py b/letsencrypt/configuration.py index 2bbf1b019..c49751a6c 100644 --- a/letsencrypt/configuration.py +++ b/letsencrypt/configuration.py @@ -1,8 +1,8 @@ """Let's Encrypt user-supplied configuration.""" import copy import os -import urlparse +from six.moves.urllib import parse # pylint: disable=import-error import zope.interface from letsencrypt import constants @@ -50,7 +50,7 @@ class NamespaceConfig(object): @property def server_path(self): """File path based on ``server``.""" - parsed = urlparse.urlparse(self.namespace.server) + parsed = parse.urlparse(self.namespace.server) return (parsed.netloc + parsed.path).replace('/', os.path.sep) @property From 2369f1253bcd5eeb8d31ee135a78d59a5a207458 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roy=20Wellington=20=E2=85=A3?= Date: Sun, 7 Feb 2016 12:58:35 -0800 Subject: [PATCH 016/141] Fix import ordering s.t. future versions of pylint won't warn on it. pylint gets more strict about import order in the future, so adjust it now to make upgrading smoother. pylint is following the order from PEP-8: > Imports should be grouped in the following order: > > 1. standard library imports > 2. related third party imports > 3. local application/library specific imports > > You should put a blank line between each group of imports. --- letsencrypt/plugins/common.py | 2 +- letsencrypt/plugins/disco_test.py | 2 +- letsencrypt/tests/storage_test.py | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/letsencrypt/plugins/common.py b/letsencrypt/plugins/common.py index f18b1fb3b..2e9e15b2f 100644 --- a/letsencrypt/plugins/common.py +++ b/letsencrypt/plugins/common.py @@ -1,11 +1,11 @@ """Plugin common functions.""" import os -import pkg_resources import re import shutil import tempfile import OpenSSL +import pkg_resources import zope.interface from acme.jose import util as jose_util diff --git a/letsencrypt/plugins/disco_test.py b/letsencrypt/plugins/disco_test.py index 0df4f88f1..1aeaf81c1 100644 --- a/letsencrypt/plugins/disco_test.py +++ b/letsencrypt/plugins/disco_test.py @@ -1,8 +1,8 @@ """Tests for letsencrypt.plugins.disco.""" -import pkg_resources import unittest import mock +import pkg_resources import zope.interface from letsencrypt import errors diff --git a/letsencrypt/tests/storage_test.py b/letsencrypt/tests/storage_test.py index 9d402089c..5b9f393fe 100644 --- a/letsencrypt/tests/storage_test.py +++ b/letsencrypt/tests/storage_test.py @@ -1,13 +1,13 @@ """Tests for letsencrypt.storage.""" import datetime -import pytz import os -import tempfile import shutil +import tempfile import unittest import configobj import mock +import pytz from letsencrypt import configuration from letsencrypt import errors From ea31db75b7baa1e16e34b24ac8b8d748af29a11c Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 10 Feb 2016 16:35:14 -0800 Subject: [PATCH 017/141] Misc release script fixes --- tools/offline-sigrequest.sh | 2 +- tools/release.sh | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/offline-sigrequest.sh b/tools/offline-sigrequest.sh index 07163dbdb..7706796ef 100755 --- a/tools/offline-sigrequest.sh +++ b/tools/offline-sigrequest.sh @@ -11,7 +11,7 @@ function sayhash { # $1 <-- HASH ; $2 <---SIGFILEBALL while read -p "Press Enter to read the hash aloud or type 'done': " INP && [ "$INP" = "" ] ; do cat $1 | (echo "(Parameter.set 'Duration_Stretch 1.8)"; \ echo -n '(SayText "'; \ - sha1sum | cut -c1-64 | fold -1 | sed 's/^a$/alpha/; s/^b$/bravo/; s/^c$/charlie/; s/^d$/delta/; s/^e$/echo/; s/^f$/foxtrot/'; \ + sha256sum | cut -c1-64 | fold -1 | sed 's/^a$/alpha/; s/^b$/bravo/; s/^c$/charlie/; s/^d$/delta/; s/^e$/echo/; s/^f$/foxtrot/'; \ echo '")' ) | festival done diff --git a/tools/release.sh b/tools/release.sh index 83b57657f..1472f856b 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -171,6 +171,7 @@ while ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \ read -p "Please correctly sign letsencrypt-auto with offline-signrequest.sh" done +gid add letsencrypt-auto-source git diff --cached git commit --gpg-sign="$RELEASE_GPG_KEY" -m "Release $version" git tag --local-user "$RELEASE_GPG_KEY" \ From 24fa435f464adf6fe526b00039ff99bcf98b1e61 Mon Sep 17 00:00:00 2001 From: Minn Soe Date: Thu, 11 Feb 2016 00:38:24 +0000 Subject: [PATCH 018/141] Fix broken reference to script in old bootstrap directory --- tools/venv.sh | 2 +- tools/venv3.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/venv.sh b/tools/venv.sh index 11ab417dd..5a09efb0b 100755 --- a/tools/venv.sh +++ b/tools/venv.sh @@ -3,7 +3,7 @@ export VENV_ARGS="--python python2" -./bootstrap/dev/_venv_common.sh \ +./tools/_venv_common.sh \ -e acme[testing] \ -e .[dev,docs,testing] \ -e letsencrypt-apache \ diff --git a/tools/venv3.sh b/tools/venv3.sh index ccffffb83..158605f72 100755 --- a/tools/venv3.sh +++ b/tools/venv3.sh @@ -4,5 +4,5 @@ export VENV_NAME="${VENV_NAME:-venv3}" export VENV_ARGS="--python python3" -./bootstrap/dev/_venv_common.sh \ +./tools/_venv_common.sh \ -e acme[testing] \ From 4b86cabe5bb336b8926c0f764fb6433987f2cc8c Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 10 Feb 2016 18:33:08 -0800 Subject: [PATCH 019/141] Fix git typo --- tools/release.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tools/release.sh b/tools/release.sh index 1472f856b..6ec83053f 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -171,11 +171,10 @@ while ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \ read -p "Please correctly sign letsencrypt-auto with offline-signrequest.sh" done -gid add letsencrypt-auto-source +git add letsencrypt-auto-source git diff --cached git commit --gpg-sign="$RELEASE_GPG_KEY" -m "Release $version" -git tag --local-user "$RELEASE_GPG_KEY" \ - --sign --message "Release $version" "$tag" +git tag --local-user "$RELEASE_GPG_KEY" --sign --message "Release $version" "$tag" cd .. echo Now in $PWD From 74063851e3330b3a52ce592d1319e0e1f0795728 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 10 Feb 2016 18:48:40 -0800 Subject: [PATCH 020/141] Release 0.4.0 --- acme/setup.py | 2 +- letsencrypt-apache/setup.py | 2 +- letsencrypt-auto-source/letsencrypt-auto | 20 +++++++++--------- letsencrypt-auto-source/letsencrypt-auto.sig | Bin 256 -> 256 bytes .../pieces/letsencrypt-auto-requirements.txt | 18 ++++++++-------- letsencrypt-compatibility-test/setup.py | 2 +- letsencrypt-nginx/setup.py | 2 +- letsencrypt/__init__.py | 2 +- letshelp-letsencrypt/setup.py | 2 +- 9 files changed, 25 insertions(+), 25 deletions(-) diff --git a/acme/setup.py b/acme/setup.py index b5bec3476..9f228f4ed 100644 --- a/acme/setup.py +++ b/acme/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.4.0.dev0' +version = '0.4.0' # Please update tox.ini when modifying dependency version requirements install_requires = [ diff --git a/letsencrypt-apache/setup.py b/letsencrypt-apache/setup.py index a6553d890..922cd0e8e 100644 --- a/letsencrypt-apache/setup.py +++ b/letsencrypt-apache/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.4.0.dev0' +version = '0.4.0' # Please update tox.ini when modifying dependency version requirements install_requires = [ diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 24b62e342..9218bdc52 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -19,7 +19,7 @@ XDG_DATA_HOME=${XDG_DATA_HOME:-~/.local/share} VENV_NAME="letsencrypt" VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"} VENV_BIN=${VENV_PATH}/bin -LE_AUTO_VERSION="0.4.0.dev0" +LE_AUTO_VERSION="0.4.0" # This script takes the same arguments as the main letsencrypt program, but it # additionally responds to --verbose (more output) and --debug (allow support @@ -638,17 +638,17 @@ zope.event==4.1.0 # sha256: sJyMHUezUxxADgGVaX8UFKYyId5u9HhZik8UYPfZo5I zope.interface==4.1.3 -# sha256: QMIkIvGF3mcJhGLAKRX7n5EVIPjOrfLtklN6ePjbJes -# sha256: fNFWiij6VxfG5o7u3oNbtrYKQ4q9vhzOLATfxNlozvQ -acme==0.3.0 +# sha256: ilvjjTWOS86xchl0WBZ0YOAw_0rmqdnjNsxb1hq2RD8 +# sha256: T37KMj0TnsuvHIzCCmoww2fpfpOBTj7cd4NAqucXcpw +acme==0.4.0 -# sha256: qdnzpoRf_44QXKoktNoAKs2RBAxUta2Sr6GS0t_tAKo -# sha256: ELWJaHNvBZIqVPJYkla8yXLtXIuamqAf6f_VAFv16Uk -letsencrypt==0.3.0 +# sha256: 33BQiANlNLGqGpirTfdCEElTF9YbpaKiYpTbK4zeGD8 +# sha256: lwsV1OdEzzlMeb08C_PRxaCXZ2vOk_1AI2755rZHmPM +letsencrypt==0.4.0 -# sha256: EypLpEw3-Tr8unw4aSFsHXgRiU8ZYLrJKOJohP2tC9M -# sha256: HYvP13GzA-DDJYwlfOoaraJO0zuYO48TCSAyTUAGCqA -letsencrypt-apache==0.3.0 +# sha256: D3YDaVFjLsMSEfjI5B5D5tn5FeWUtNHYXCObw3ih2tg +# sha256: VTgvsePYGRmI4IOSAnxoYFHd8KciD73bxIuIHtbVFd8 +letsencrypt-apache==0.4.0 # sha256: uDndLZwRfHAUMMFJlWkYpCOphjtIsJyQ4wpgE-fS9E8 # sha256: j4MIDaoknQNsvM-4rlzG_wB7iNbZN1ITca-r57Gbrbw diff --git a/letsencrypt-auto-source/letsencrypt-auto.sig b/letsencrypt-auto-source/letsencrypt-auto.sig index 4bb5f97ea686dd282f99591ef1d8416dd002942d..532a482073932f4be88c1e25642d18ad947e7e64 100644 GIT binary patch literal 256 zcmV+b0ssC6h;!6XyQogJex_KK=DFx0Q?~h#$ZiK8LqF z9UK0?`*Aq5PynjWNy*-8JZ$G>+S9o<8P@27c@y3`uBda8X`#O+CjMrKVzMiqiCsyS zbqYMkAp~3&FJG3hply|GI7?14!p?ySpSW8X9EZ1FWtJRi4)+#lw>8^eI!3 G_s+-+c7oaf literal 256 zcmV+b0ssEr`(`t5&`>Jt>x>2a9mQS9O6fDHCDL_8lB$tS0lnsR{$ToQQaX9Rhs?!? zX%XvgMxhK&1EB+aICOQ`&uqrPI6(_);_;FS#$BTKNzITO>|85R;}$Z6Pp{SA92rI= zvvxGgNXBR}fB(IGMM=B{V{!z6R{|+^0bk>ltYeHHi|`ZE>5vLZ>vHm!!hF=F#iJxo z0S`3=R_LJTAg+Y6PoDi1aaPX67Osp_7_RB6^A#jZ>bB)#GwK^?2cp8L>3XHP!UlI| zY)FPzE6XOJSbgU_0rnDP8Sw9TYg1Y?Q5$Bb+pxBcip}z$e>44+VYR5nu7$TZnAP{R GaMfnHo`A#v diff --git a/letsencrypt-auto-source/pieces/letsencrypt-auto-requirements.txt b/letsencrypt-auto-source/pieces/letsencrypt-auto-requirements.txt index c83396de2..574e567c3 100644 --- a/letsencrypt-auto-source/pieces/letsencrypt-auto-requirements.txt +++ b/letsencrypt-auto-source/pieces/letsencrypt-auto-requirements.txt @@ -201,17 +201,17 @@ zope.event==4.1.0 # sha256: sJyMHUezUxxADgGVaX8UFKYyId5u9HhZik8UYPfZo5I zope.interface==4.1.3 -# sha256: QMIkIvGF3mcJhGLAKRX7n5EVIPjOrfLtklN6ePjbJes -# sha256: fNFWiij6VxfG5o7u3oNbtrYKQ4q9vhzOLATfxNlozvQ -acme==0.3.0 +# sha256: ilvjjTWOS86xchl0WBZ0YOAw_0rmqdnjNsxb1hq2RD8 +# sha256: T37KMj0TnsuvHIzCCmoww2fpfpOBTj7cd4NAqucXcpw +acme==0.4.0 -# sha256: qdnzpoRf_44QXKoktNoAKs2RBAxUta2Sr6GS0t_tAKo -# sha256: ELWJaHNvBZIqVPJYkla8yXLtXIuamqAf6f_VAFv16Uk -letsencrypt==0.3.0 +# sha256: 33BQiANlNLGqGpirTfdCEElTF9YbpaKiYpTbK4zeGD8 +# sha256: lwsV1OdEzzlMeb08C_PRxaCXZ2vOk_1AI2755rZHmPM +letsencrypt==0.4.0 -# sha256: EypLpEw3-Tr8unw4aSFsHXgRiU8ZYLrJKOJohP2tC9M -# sha256: HYvP13GzA-DDJYwlfOoaraJO0zuYO48TCSAyTUAGCqA -letsencrypt-apache==0.3.0 +# sha256: D3YDaVFjLsMSEfjI5B5D5tn5FeWUtNHYXCObw3ih2tg +# sha256: VTgvsePYGRmI4IOSAnxoYFHd8KciD73bxIuIHtbVFd8 +letsencrypt-apache==0.4.0 # sha256: uDndLZwRfHAUMMFJlWkYpCOphjtIsJyQ4wpgE-fS9E8 # sha256: j4MIDaoknQNsvM-4rlzG_wB7iNbZN1ITca-r57Gbrbw diff --git a/letsencrypt-compatibility-test/setup.py b/letsencrypt-compatibility-test/setup.py index b7f448e83..4af0cffcc 100644 --- a/letsencrypt-compatibility-test/setup.py +++ b/letsencrypt-compatibility-test/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.4.0.dev0' +version = '0.4.0' install_requires = [ 'letsencrypt=={0}'.format(version), diff --git a/letsencrypt-nginx/setup.py b/letsencrypt-nginx/setup.py index c1ff85185..8aab19a57 100644 --- a/letsencrypt-nginx/setup.py +++ b/letsencrypt-nginx/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.4.0.dev0' +version = '0.4.0' # Please update tox.ini when modifying dependency version requirements install_requires = [ diff --git a/letsencrypt/__init__.py b/letsencrypt/__init__.py index 1dd7d7eba..5e937310e 100644 --- a/letsencrypt/__init__.py +++ b/letsencrypt/__init__.py @@ -1,4 +1,4 @@ """Let's Encrypt client.""" # version number like 1.2.3a0, must have at least 2 parts, like 1.2 -__version__ = '0.4.0.dev0' +__version__ = '0.4.0' diff --git a/letshelp-letsencrypt/setup.py b/letshelp-letsencrypt/setup.py index 000f86c31..deaf9c9b5 100644 --- a/letshelp-letsencrypt/setup.py +++ b/letshelp-letsencrypt/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.4.0.dev0' +version = '0.4.0' install_requires = [ 'setuptools', # pkg_resources From 563c1150447217273d4f8b24c22d7556bfe7c408 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 10 Feb 2016 18:49:27 -0800 Subject: [PATCH 021/141] Bump version to 0.5.0 --- acme/setup.py | 2 +- letsencrypt-apache/setup.py | 2 +- letsencrypt-compatibility-test/setup.py | 2 +- letsencrypt-nginx/setup.py | 2 +- letsencrypt/__init__.py | 2 +- letshelp-letsencrypt/setup.py | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/acme/setup.py b/acme/setup.py index 9f228f4ed..8b7b040e5 100644 --- a/acme/setup.py +++ b/acme/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.4.0' +version = '0.5.0.dev0' # Please update tox.ini when modifying dependency version requirements install_requires = [ diff --git a/letsencrypt-apache/setup.py b/letsencrypt-apache/setup.py index 922cd0e8e..a8e010f0e 100644 --- a/letsencrypt-apache/setup.py +++ b/letsencrypt-apache/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.4.0' +version = '0.5.0.dev0' # Please update tox.ini when modifying dependency version requirements install_requires = [ diff --git a/letsencrypt-compatibility-test/setup.py b/letsencrypt-compatibility-test/setup.py index 4af0cffcc..67262ba72 100644 --- a/letsencrypt-compatibility-test/setup.py +++ b/letsencrypt-compatibility-test/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.4.0' +version = '0.5.0.dev0' install_requires = [ 'letsencrypt=={0}'.format(version), diff --git a/letsencrypt-nginx/setup.py b/letsencrypt-nginx/setup.py index 8aab19a57..656d6e04f 100644 --- a/letsencrypt-nginx/setup.py +++ b/letsencrypt-nginx/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.4.0' +version = '0.5.0.dev0' # Please update tox.ini when modifying dependency version requirements install_requires = [ diff --git a/letsencrypt/__init__.py b/letsencrypt/__init__.py index 5e937310e..0dbeb1567 100644 --- a/letsencrypt/__init__.py +++ b/letsencrypt/__init__.py @@ -1,4 +1,4 @@ """Let's Encrypt client.""" # version number like 1.2.3a0, must have at least 2 parts, like 1.2 -__version__ = '0.4.0' +__version__ = '0.5.0.dev0' diff --git a/letshelp-letsencrypt/setup.py b/letshelp-letsencrypt/setup.py index deaf9c9b5..fff8dcfc3 100644 --- a/letshelp-letsencrypt/setup.py +++ b/letshelp-letsencrypt/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.4.0' +version = '0.5.0.dev0' install_requires = [ 'setuptools', # pkg_resources From 1f31cf1a3096cc4f42041f29e1c390831768905e Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 10 Feb 2016 19:09:05 -0800 Subject: [PATCH 022/141] Quick test farm fix --- tests/letstest/multitester.py | 6 +++--- tools/venv.sh | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/letstest/multitester.py b/tests/letstest/multitester.py index 378670071..e27385002 100644 --- a/tests/letstest/multitester.py +++ b/tests/letstest/multitester.py @@ -241,21 +241,21 @@ def local_git_clone(repo_url): "clones master of repo_url" with lcd(LOGDIR): local('if [ -d letsencrypt ]; then rm -rf letsencrypt; fi') - local('git clone %s'% repo_url) + local('git clone %s letsencrypt'% repo_url) local('tar czf le.tar.gz letsencrypt') def local_git_branch(repo_url, branch_name): "clones branch of repo_url" with lcd(LOGDIR): local('if [ -d letsencrypt ]; then rm -rf letsencrypt; fi') - local('git clone %s --branch %s --single-branch'%(repo_url, branch_name)) + local('git clone %s letsencrypt --branch %s --single-branch'%(repo_url, branch_name)) local('tar czf le.tar.gz letsencrypt') def local_git_PR(repo_url, PRnumstr, merge_master=True): "clones specified pull request from repo_url and optionally merges into master" with lcd(LOGDIR): local('if [ -d letsencrypt ]; then rm -rf letsencrypt; fi') - local('git clone %s'% repo_url) + local('git clone %s letsencrypt'% repo_url) local('cd letsencrypt && git fetch origin pull/%s/head:lePRtest'%PRnumstr) local('cd letsencrypt && git co lePRtest') if merge_master: diff --git a/tools/venv.sh b/tools/venv.sh index 11ab417dd..5a09efb0b 100755 --- a/tools/venv.sh +++ b/tools/venv.sh @@ -3,7 +3,7 @@ export VENV_ARGS="--python python2" -./bootstrap/dev/_venv_common.sh \ +./tools/_venv_common.sh \ -e acme[testing] \ -e .[dev,docs,testing] \ -e letsencrypt-apache \ From 29737ab2caf90d23f17cd28a302d151991bc3f78 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 10 Feb 2016 19:24:25 -0800 Subject: [PATCH 023/141] More hacky fixes --- .../scripts/test_letsencrypt_auto_certonly_standalone.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/letstest/scripts/test_letsencrypt_auto_certonly_standalone.sh b/tests/letstest/scripts/test_letsencrypt_auto_certonly_standalone.sh index 10d7c3b5e..ecef9814b 100755 --- a/tests/letstest/scripts/test_letsencrypt_auto_certonly_standalone.sh +++ b/tests/letstest/scripts/test_letsencrypt_auto_certonly_standalone.sh @@ -8,7 +8,8 @@ #private_ip=$(curl -s http://169.254.169.254/2014-11-05/meta-data/local-ipv4) cd letsencrypt -./letsencrypt-auto certonly -v --standalone --debug \ +./letsencrypt-auto --os-packages-only +./letsencrypt-auto certonly --no-self-upgrade -v --standalone --debug \ --text --agree-dev-preview --agree-tos \ --renew-by-default --redirect \ --register-unsafely-without-email \ From e2a6bdf574d05fde3957a9eced067678051ac3b5 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 10 Feb 2016 20:05:34 -0800 Subject: [PATCH 024/141] letstest: work with a local repo, even if it isn't called letsencrypt * allows test farm tests to be run from release branches --- tests/letstest/multitester.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/letstest/multitester.py b/tests/letstest/multitester.py index 378670071..e27385002 100644 --- a/tests/letstest/multitester.py +++ b/tests/letstest/multitester.py @@ -241,21 +241,21 @@ def local_git_clone(repo_url): "clones master of repo_url" with lcd(LOGDIR): local('if [ -d letsencrypt ]; then rm -rf letsencrypt; fi') - local('git clone %s'% repo_url) + local('git clone %s letsencrypt'% repo_url) local('tar czf le.tar.gz letsencrypt') def local_git_branch(repo_url, branch_name): "clones branch of repo_url" with lcd(LOGDIR): local('if [ -d letsencrypt ]; then rm -rf letsencrypt; fi') - local('git clone %s --branch %s --single-branch'%(repo_url, branch_name)) + local('git clone %s letsencrypt --branch %s --single-branch'%(repo_url, branch_name)) local('tar czf le.tar.gz letsencrypt') def local_git_PR(repo_url, PRnumstr, merge_master=True): "clones specified pull request from repo_url and optionally merges into master" with lcd(LOGDIR): local('if [ -d letsencrypt ]; then rm -rf letsencrypt; fi') - local('git clone %s'% repo_url) + local('git clone %s letsencrypt'% repo_url) local('cd letsencrypt && git fetch origin pull/%s/head:lePRtest'%PRnumstr) local('cd letsencrypt && git co lePRtest') if merge_master: From 180117facb62c78cf91c6ae169249602cd817b7d Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Wed, 10 Feb 2016 22:13:27 -0800 Subject: [PATCH 025/141] Some preliminary documentation updates to mention renew verb --- docs/using.rst | 60 +++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 50 insertions(+), 10 deletions(-) diff --git a/docs/using.rst b/docs/using.rst index 9ee16dffd..c2962ea2e 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -71,7 +71,9 @@ Plugin Auth Inst Notes =========== ==== ==== =============================================================== apache_ Y Y Automates obtaining and installing a cert with Apache 2.4 on Debian-based distributions with ``libaugeas0`` 1.0+. -standalone_ Y N Uses a "standalone" webserver to obtain a cert. +standalone_ Y N Uses a "standalone" webserver to obtain a cert. This is useful + on systems with no webserver, or when direct integration with + the local webserver is not supported or not desired. webroot_ Y N Obtains a cert by writing to the webroot directory of an already running webserver. manual_ Y N Helps you obtain a cert by giving you instructions to perform @@ -171,21 +173,59 @@ Renewal days). Make sure you renew the certificates at least once in 3 months. -In order to renew certificates simply call the ``letsencrypt`` (or +The ``letsencrypt`` client now supports a ``renew`` action to check +all installed certificates for impending expiry and attempt to renew +them. The simplest form is simply + +``letsencrypt renew`` + +This will attempt to renew any previously-obtained certificates that +expire in less than 30 days. The same plugin and options that were used +at the time the certificate was originally issued will be used for the +renewal attempt, unless you specify other plugins or options. + +If you're sure that UI doesn't prompt for any details you can add the +command to ``crontab`` (make it less than every 90 days to avoid problems, +say every month); note that the current version provides detailed output +describing either renewal success or failure. + +The ``--force-renew`` flag may be helpful for automating renewal; +it causes the expiration time of the certificate(s) to be ignored when +considering renewal, and attempts to renew each and every installed +certificate regardless of its age. + +Note that options provided to ``letsencrypt renew`` will apply to +*every* certificate for which renewal is attempted; for example, +``letsencrypt renew --rsa-key-size 4096`` would try to replace every +near-expiry certificate with an equivalent certificate using a 4096-bit +RSA public key. If a certificate is successfully renewed using +specified options, those options will be saved and used for future +renewals of that certificate. + + +An alternative form that provides for more fine-grained control over the +renewal process (while renewing specified certificates one at a time), +is ``letsencrypt certonly`` with the complete set of subject domains of +a specific certificate specified via `-d` flags, like + +``letsencrypt certonly -d example.com -d www.example.com`` + +(All of the domains covered by the certificate must be specified in +this case in order to renew and replace the old certificate rather +than obtaining a new one; don't forget any `www.` domains!) The +``certonly`` form attempts to renew one individual certificate. + letsencrypt-auto_) again, and use the same values when prompted. You can automate it slightly by passing necessary flags on the CLI (see `--help -all`), or even further using the :ref:`config-file`. The ``--force-renew`` -flag may be helpful for automating renewal; it causes the expiration time -of the certificate(s) to be ignored when considering renewal. If you're -sure that UI doesn't prompt for any details you can add the command to -``crontab`` (make it less than every 90 days to avoid problems, say -every month). +all`), or even further using the :ref:`config-file`. + Please note that the CA will send notification emails to the address you provide if you do not renew certificates that are about to expire. -Let's Encrypt is working hard on automating the renewal process. Until -the tool is ready, we are sorry for the inconvenience! +Let's Encrypt is working hard on improving the renewal process, and we +apologize for any inconveniences you encounter in integrating these +commands into your individual environment. .. _where-certs: From 104fa3ad55bbf1be312130b3bb18fc704583afc0 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Thu, 11 Feb 2016 09:10:25 -0800 Subject: [PATCH 026/141] Separate error for -d with an IP address --- letsencrypt/le_util.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/letsencrypt/le_util.py b/letsencrypt/le_util.py index 527c9bdae..73d112eca 100644 --- a/letsencrypt/le_util.py +++ b/letsencrypt/le_util.py @@ -6,6 +6,7 @@ import logging import os import platform import re +import socket import stat import subprocess import sys @@ -317,6 +318,15 @@ def enforce_domain_sanity(domain): # Remove trailing dot domain = domain[:-1] if domain.endswith('.') else domain + # Explain separately that IP addresses aren't allowed (apart from not + # being FQDNs) because hope springs eternal on this point + try: + socket.inet_aton(domain) + raise errors.ConfigurationError("Requested name {0} is an IP address. The Let's Encrypt certificate authority will not issue certificates for a bare IP address.".format(domain)) + except socket.error: + # It wasn't an IP address, so that's good + pass + # FQDN checks from # http://www.mkyong.com/regular-expressions/domain-name-regular-expression-example/ # Characters used, domain parts < 63 chars, tld > 1 < 64 chars From a819cdcd9aa8ad6fa92d794fe12a397ae5563900 Mon Sep 17 00:00:00 2001 From: Robert Xiao Date: Thu, 11 Feb 2016 17:09:50 -0500 Subject: [PATCH 027/141] Support system-default Apache on OS X. Tested on Yosemite (10.10). --- .../letsencrypt_apache/constants.py | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/letsencrypt-apache/letsencrypt_apache/constants.py b/letsencrypt-apache/letsencrypt_apache/constants.py index 50156444b..77f71a461 100644 --- a/letsencrypt-apache/letsencrypt_apache/constants.py +++ b/letsencrypt-apache/letsencrypt_apache/constants.py @@ -54,6 +54,23 @@ CLI_DEFAULTS_GENTOO = dict( MOD_SSL_CONF_SRC=pkg_resources.resource_filename( "letsencrypt_apache", "options-ssl-apache.conf") ) +CLI_DEFAULTS_DARWIN = dict( + server_root="/etc/apache2", + vhost_root="/etc/apache2/other", + vhost_files="*.conf", + version_cmd=['/usr/sbin/httpd', '-v'], + define_cmd=['/usr/sbin/httpd', '-t', '-D', 'DUMP_RUN_CFG'], + restart_cmd=['apachectl', 'graceful'], + conftest_cmd=['apachectl', 'configtest'], + enmod=None, + dismod=None, + le_vhost_ext="-le-ssl.conf", + handle_mods=False, + handle_sites=False, + challenge_location="/etc/apache2/other", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + "letsencrypt_apache", "options-ssl-apache.conf") +) CLI_DEFAULTS = { "debian": CLI_DEFAULTS_DEBIAN, "ubuntu": CLI_DEFAULTS_DEBIAN, @@ -61,7 +78,8 @@ CLI_DEFAULTS = { "centos linux": CLI_DEFAULTS_CENTOS, "fedora": CLI_DEFAULTS_CENTOS, "red hat enterprise linux server": CLI_DEFAULTS_CENTOS, - "gentoo base system": CLI_DEFAULTS_GENTOO + "gentoo base system": CLI_DEFAULTS_GENTOO, + "darwin": CLI_DEFAULTS_DARWIN, } """CLI defaults.""" From d791697b93d4e390336b189208e587968bf41d40 Mon Sep 17 00:00:00 2001 From: Erik Rose Date: Thu, 11 Feb 2016 17:13:08 -0500 Subject: [PATCH 028/141] If le-auto's installation fails, delete the venv. Fix #2332. Leaving broken venvs around can, if it got as far as installing the venv/bin/letsencrypt script, wreck future le-auto runs, since the presence of that script means "a working LE is installed" to it. Waiting until a new version of le-auto comes out and running it would recover, but this lets re-running the same version recover as well. --- letsencrypt-auto-source/letsencrypt-auto | 3 ++- letsencrypt-auto-source/letsencrypt-auto.template | 1 + letsencrypt-auto-source/tests/auto_test.py | 8 +++++++- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 9218bdc52..8cc90b64e 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -19,7 +19,7 @@ XDG_DATA_HOME=${XDG_DATA_HOME:-~/.local/share} VENV_NAME="letsencrypt" VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"} VENV_BIN=${VENV_PATH}/bin -LE_AUTO_VERSION="0.4.0" +LE_AUTO_VERSION="0.5.0.dev0" # This script takes the same arguments as the main letsencrypt program, but it # additionally responds to --verbose (more output) and --debug (allow support @@ -1630,6 +1630,7 @@ UNLIKELY_EOF # Report error. (Otherwise, be quiet.) echo "Had a problem while downloading and verifying Python packages:" echo "$PEEP_OUT" + rm -rf "$VENV_PATH" exit 1 fi fi diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index ad8c97a7f..53838280b 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -207,6 +207,7 @@ UNLIKELY_EOF # Report error. (Otherwise, be quiet.) echo "Had a problem while downloading and verifying Python packages:" echo "$PEEP_OUT" + rm -rf "$VENV_PATH" exit 1 fi fi diff --git a/letsencrypt-auto-source/tests/auto_test.py b/letsencrypt-auto-source/tests/auto_test.py index 32d591190..90e09f57f 100644 --- a/letsencrypt-auto-source/tests/auto_test.py +++ b/letsencrypt-auto-source/tests/auto_test.py @@ -5,7 +5,7 @@ from contextlib import contextmanager from functools import partial from json import dumps from os import chmod, environ -from os.path import abspath, dirname, join +from os.path import abspath, dirname, exists, join import re from shutil import copy, rmtree import socket @@ -338,6 +338,12 @@ class AutoTests(TestCase): self.assertIn("THE FOLLOWING PACKAGES DIDN'T MATCH THE " "HASHES SPECIFIED IN THE REQUIREMENTS", exc.output) + ok_(not exists(join(venv_dir, 'letsencrypt')), + msg="The virtualenv was left around, even though " + "installation didn't succeed. We shouldn't do " + "this, as it foils our detection of whether we " + "need to recreate the virtualenv, which hinges " + "on the presence of $VENV_BIN/letsencrypt.") else: self.fail("Peep didn't detect a bad hash and stop the " "installation.") From 6eb2d60166f142d489f70a2e6076d2fe7c3b3769 Mon Sep 17 00:00:00 2001 From: Erik Rose Date: Thu, 11 Feb 2016 18:02:27 -0500 Subject: [PATCH 029/141] Let --no-self-upgrade bootstrap OS packages. Fix #2432. --no-self-upgrade metamorphosed from a private flag to a public one, so add a new private flag, --le-auto-phase2 to take its original role of marking the division between phases. This flag must come first and, consequently, can be stripped off the arg list before calling through to letsencrypt, which means the client doesn't need to know about it. The downside is that anyone still (deprecatedly) running le-auto out of the root of a (recently updated) master checkout will get a "Hey, the current release version le-auto I just self-upgraded to doesn't understand the --le-auto-phase2 flag" error from when we merge this until the next release is made, but that's better than a documented option not working right. Also, remove a needless folder creation from the Dockerfile. --- letsencrypt-auto-source/Dockerfile | 2 +- letsencrypt-auto-source/letsencrypt-auto | 54 ++++++++++--------- .../letsencrypt-auto.template | 52 +++++++++--------- 3 files changed, 58 insertions(+), 50 deletions(-) diff --git a/letsencrypt-auto-source/Dockerfile b/letsencrypt-auto-source/Dockerfile index fd7fe4851..ad2465fda 100644 --- a/letsencrypt-auto-source/Dockerfile +++ b/letsencrypt-auto-source/Dockerfile @@ -17,7 +17,7 @@ RUN apt-get update && \ apt-get clean RUN pip install nose -RUN mkdir -p /home/lea/letsencrypt/letsencrypt +RUN mkdir -p /home/lea/letsencrypt # Install fake testing CA: COPY ./tests/certs/ca/my-root-ca.crt.pem /usr/local/share/ca-certificates/ diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 9218bdc52..16466dd89 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -19,7 +19,7 @@ XDG_DATA_HOME=${XDG_DATA_HOME:-~/.local/share} VENV_NAME="letsencrypt" VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"} VENV_BIN=${VENV_PATH}/bin -LE_AUTO_VERSION="0.4.0" +LE_AUTO_VERSION="0.5.0.dev0" # This script takes the same arguments as the main letsencrypt program, but it # additionally responds to --verbose (more output) and --debug (allow support @@ -412,9 +412,10 @@ TempDir() { -if [ "$NO_SELF_UPGRADE" = 1 ]; then +if [ "$1" = "--le-auto-phase2" ]; then # Phase 2: Create venv, install LE, and run. + shift 1 # the --le-auto-phase2 arg if [ -f "$VENV_BIN/letsencrypt" ]; then INSTALLED_VERSION=$("$VENV_BIN/letsencrypt" --version 2>&1 | cut -d " " -f 2) else @@ -1653,10 +1654,11 @@ else exit 0 fi - echo "Checking for new version..." - TEMP_DIR=$(TempDir) - # --------------------------------------------------------------------------- - cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py" + if [ "$NO_SELF_UPGRADE" != 1 ]; then + echo "Checking for new version..." + TEMP_DIR=$(TempDir) + # --------------------------------------------------------------------------- + cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py" """Do downloading and JSON parsing without additional dependencies. :: # Print latest released version of LE to stdout: @@ -1785,25 +1787,27 @@ if __name__ == '__main__': exit(main()) UNLIKELY_EOF - # --------------------------------------------------------------------------- - DeterminePythonVersion - REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` - if [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then - echo "Upgrading letsencrypt-auto $LE_AUTO_VERSION to $REMOTE_VERSION..." + # --------------------------------------------------------------------------- + DeterminePythonVersion + REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` + if [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then + echo "Upgrading letsencrypt-auto $LE_AUTO_VERSION to $REMOTE_VERSION..." - # Now we drop into Python so we don't have to install even more - # dependencies (curl, etc.), for better flow control, and for the option of - # future Windows compatibility. - "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION" + # Now we drop into Python so we don't have to install even more + # dependencies (curl, etc.), for better flow control, and for the option of + # future Windows compatibility. + "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION" - # Install new copy of letsencrypt-auto. This preserves permissions and - # ownership from the old copy. - # TODO: Deal with quotes in pathnames. - echo "Replacing letsencrypt-auto..." - echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" - $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" - # TODO: Clean up temp dir safely, even if it has quotes in its path. - rm -rf "$TEMP_DIR" - fi # should upgrade - "$0" --no-self-upgrade "$@" + # Install new copy of letsencrypt-auto. This preserves permissions and + # ownership from the old copy. + # TODO: Deal with quotes in pathnames. + echo "Replacing letsencrypt-auto..." + echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + # TODO: Clean up temp dir safely, even if it has quotes in its path. + rm -rf "$TEMP_DIR" + fi # A newer version is available. + fi # Self-upgrading is allowed. + + "$0" --le-auto-phase2 "$@" fi diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index ad8c97a7f..dbb823263 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -168,9 +168,10 @@ TempDir() { -if [ "$NO_SELF_UPGRADE" = 1 ]; then +if [ "$1" = "--le-auto-phase2" ]; then # Phase 2: Create venv, install LE, and run. + shift 1 # the --le-auto-phase2 arg if [ -f "$VENV_BIN/letsencrypt" ]; then INSTALLED_VERSION=$("$VENV_BIN/letsencrypt" --version 2>&1 | cut -d " " -f 2) else @@ -230,31 +231,34 @@ else exit 0 fi - echo "Checking for new version..." - TEMP_DIR=$(TempDir) - # --------------------------------------------------------------------------- - cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py" + if [ "$NO_SELF_UPGRADE" != 1 ]; then + echo "Checking for new version..." + TEMP_DIR=$(TempDir) + # --------------------------------------------------------------------------- + cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py" {{ fetch.py }} UNLIKELY_EOF - # --------------------------------------------------------------------------- - DeterminePythonVersion - REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` - if [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then - echo "Upgrading letsencrypt-auto $LE_AUTO_VERSION to $REMOTE_VERSION..." + # --------------------------------------------------------------------------- + DeterminePythonVersion + REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` + if [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then + echo "Upgrading letsencrypt-auto $LE_AUTO_VERSION to $REMOTE_VERSION..." - # Now we drop into Python so we don't have to install even more - # dependencies (curl, etc.), for better flow control, and for the option of - # future Windows compatibility. - "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION" + # Now we drop into Python so we don't have to install even more + # dependencies (curl, etc.), for better flow control, and for the option of + # future Windows compatibility. + "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION" - # Install new copy of letsencrypt-auto. This preserves permissions and - # ownership from the old copy. - # TODO: Deal with quotes in pathnames. - echo "Replacing letsencrypt-auto..." - echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" - $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" - # TODO: Clean up temp dir safely, even if it has quotes in its path. - rm -rf "$TEMP_DIR" - fi # should upgrade - "$0" --no-self-upgrade "$@" + # Install new copy of letsencrypt-auto. This preserves permissions and + # ownership from the old copy. + # TODO: Deal with quotes in pathnames. + echo "Replacing letsencrypt-auto..." + echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + # TODO: Clean up temp dir safely, even if it has quotes in its path. + rm -rf "$TEMP_DIR" + fi # A newer version is available. + fi # Self-upgrading is allowed. + + "$0" --le-auto-phase2 "$@" fi From a43a21d4e250a8df293b81b73949ae7cf2785d11 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 11 Feb 2016 15:37:17 -0800 Subject: [PATCH 030/141] Use example domains in README --- README.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.rst b/README.rst index 57908e90f..522400a1f 100644 --- a/README.rst +++ b/README.rst @@ -51,11 +51,11 @@ client will guide you through the process of obtaining and installing certs interactively. You can also tell it exactly what you want it to do from the command line. -For instance, if you want to obtain a cert for ``thing.com``, -``www.thing.com``, and ``otherthing.net``, using the Apache plugin to both +For instance, if you want to obtain a cert for ``example.com``, +``www.example.com``, and ``other.example.net``, using the Apache plugin to both obtain and install the certs, you could do this:: - ./letsencrypt-auto --apache -d thing.com -d www.thing.com -d otherthing.net + ./letsencrypt-auto --apache -d example.com -d www.example.com -d other.example.net (The first time you run the command, it will make an account, and ask for an email and agreement to the Let's Encrypt Subscriber Agreement; you can @@ -64,7 +64,7 @@ automate those with ``--email`` and ``--agree-tos``) If you want to use a webserver that doesn't have full plugin support yet, you can still use "standalone" or "webroot" plugins to obtain a certificate:: - ./letsencrypt-auto certonly --standalone --email admin@thing.com -d thing.com -d www.thing.com -d otherthing.net + ./letsencrypt-auto certonly --standalone --email admin@example.com -d example.com -d www.example.com -d other.example.net Understanding the client in more depth From eb4e8bf59ebc13dbb9b92f4f4983b6906c0b506a Mon Sep 17 00:00:00 2001 From: Erik Rose Date: Thu, 11 Feb 2016 18:42:27 -0500 Subject: [PATCH 031/141] Add a "success" message after installation. Fix #1621. Close #2214. --- letsencrypt-auto-source/letsencrypt-auto | 3 ++- letsencrypt-auto-source/letsencrypt-auto.template | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 9218bdc52..30d907690 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -19,7 +19,7 @@ XDG_DATA_HOME=${XDG_DATA_HOME:-~/.local/share} VENV_NAME="letsencrypt" VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"} VENV_BIN=${VENV_PATH}/bin -LE_AUTO_VERSION="0.4.0" +LE_AUTO_VERSION="0.5.0.dev0" # This script takes the same arguments as the main letsencrypt program, but it # additionally responds to --verbose (more output) and --debug (allow support @@ -1632,6 +1632,7 @@ UNLIKELY_EOF echo "$PEEP_OUT" exit 1 fi + echo "Installation succeeded." fi echo "Requesting root privileges to run letsencrypt..." echo " " $SUDO "$VENV_BIN/letsencrypt" "$@" diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index ad8c97a7f..1fa12528f 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -209,6 +209,7 @@ UNLIKELY_EOF echo "$PEEP_OUT" exit 1 fi + echo "Installation succeeded." fi echo "Requesting root privileges to run letsencrypt..." echo " " $SUDO "$VENV_BIN/letsencrypt" "$@" From df383ee6e408f3be4bc3beb59aa33abc8e90f268 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 11 Feb 2016 15:40:31 -0800 Subject: [PATCH 032/141] Remove werkzeug dependency by parsing Retry-After ourselves Fixes #2409 Progress on #1301 --- acme/acme/client.py | 27 ++++++++++++++++++++------- acme/setup.py | 1 - 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index 478536ecc..7c366df90 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -11,13 +11,16 @@ from six.moves import http_client # pylint: disable=import-error import OpenSSL import requests import sys -import werkzeug from acme import errors from acme import jose from acme import jws from acme import messages +try: + from email.utils import parsedate_tz +except ImportError: # pragma: no cover + from email.Utils import parsedate_tz logger = logging.getLogger(__name__) @@ -245,7 +248,8 @@ class Client(object): # pylint: disable=too-many-instance-attributes @classmethod def retry_after(cls, response, default): - """Compute next `poll` time based on response ``Retry-After`` header. + """Compute next `poll` time based on response ``Retry-After`` header, + per https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.37 :param requests.Response response: Response from `poll`. :param int default: Default value (in seconds), used when @@ -256,17 +260,26 @@ class Client(object): # pylint: disable=too-many-instance-attributes """ retry_after = response.headers.get('Retry-After', str(default)) + now = datetime.datetime.now() + year_now = now[0] try: seconds = int(retry_after) except ValueError: # pylint: disable=no-member - decoded = werkzeug.parse_date(retry_after) # RFC1123 - if decoded is None: + t = parsedate_tz(value.strip()) + try: + year = t[0] # raises TypeError if t is None + # Handle two-digit years -- but any webserver that thinks + # "retry after 99" means "come back after 1999" is.. deprecated + if year >= 0 and year < 100: + year += 2000 + t_corrected = datetime(*([year] + t[1:7])) # raises ValueError + tz = t[-1] if t[-1] else 0 + return t_corrected - timedelta(tz) # raises OverflowError + except (TypeError, ValueError, OverflowError): seconds = default - else: - return decoded - return datetime.datetime.now() + datetime.timedelta(seconds=seconds) + return now + datetime.timedelta(seconds=seconds) def poll(self, authzr): """Poll Authorization Resource for status. diff --git a/acme/setup.py b/acme/setup.py index 8b7b040e5..2daf8ad25 100644 --- a/acme/setup.py +++ b/acme/setup.py @@ -20,7 +20,6 @@ install_requires = [ 'requests', 'setuptools', # pkg_resources 'six', - 'werkzeug', ] # env markers in extras_require cause problems with older pip: #517 From 52eee4fbfb3c583a59b9082e368b9b4f87e52f72 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 11 Feb 2016 15:45:26 -0800 Subject: [PATCH 033/141] Use example domains in using.rst --- docs/using.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/using.rst b/docs/using.rst index 9ee16dffd..15c3df869 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -118,11 +118,11 @@ directory of the files served by your webserver. For example, If you're getting a certificate for many domains at once, each domain will use the most recent ``--webroot-path``. So for instance: -``letsencrypt certonly --webroot -w /var/www/example/ -d www.example.com -d example.com -w /var/www/eg -d eg.is -d www.eg.is`` +``letsencrypt certonly --webroot -w /var/www/example/ -d www.example.com -d example.com -w /var/www/other -d other.example.net -d another.other.example.net`` Would obtain a single certificate for all of those names, using the ``/var/www/example`` webroot directory for the first two, and -``/var/www/eg`` for the second two. +``/var/www/other`` for the second two. The webroot plugin works by creating a temporary file for each of your requested domains in ``${webroot-path}/.well-known/acme-challenge``. Then the Let's From 0ecaa8abca893509a8dbc0a3aeb0c265398f8d23 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 11 Feb 2016 15:45:51 -0800 Subject: [PATCH 034/141] rm unused var --- acme/acme/client.py | 1 - 1 file changed, 1 deletion(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index 7c366df90..c545316b1 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -261,7 +261,6 @@ class Client(object): # pylint: disable=too-many-instance-attributes """ retry_after = response.headers.get('Retry-After', str(default)) now = datetime.datetime.now() - year_now = now[0] try: seconds = int(retry_after) except ValueError: From ef404d49857638bb61fa739f18d11ba566ecaf4c Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 11 Feb 2016 16:12:42 -0800 Subject: [PATCH 035/141] slightly simpler / more compact --- acme/acme/client.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index c545316b1..c1407c464 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -265,16 +265,15 @@ class Client(object): # pylint: disable=too-many-instance-attributes seconds = int(retry_after) except ValueError: # pylint: disable=no-member - t = parsedate_tz(value.strip()) + t = list(parsedate_tz(value.strip())) # returns None on fail try: year = t[0] # raises TypeError if t is None # Handle two-digit years -- but any webserver that thinks # "retry after 99" means "come back after 1999" is.. deprecated if year >= 0 and year < 100: - year += 2000 - t_corrected = datetime(*([year] + t[1:7])) # raises ValueError + t[0] = year + 2000 tz = t[-1] if t[-1] else 0 - return t_corrected - timedelta(tz) # raises OverflowError + return datetime(*t) - timedelta(tz) # raises Value/OverflowError except (TypeError, ValueError, OverflowError): seconds = default From a34dc94b1ce67f704b7b93556491b4fdea86d7f0 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 11 Feb 2016 17:28:07 -0800 Subject: [PATCH 036/141] bugfixes & minimalism --- acme/acme/client.py | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index c1407c464..9f583fda4 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -1,10 +1,11 @@ """ACME client API.""" import collections -import datetime import heapq import logging import time +from datetime import datetime, timedelta + import six from six.moves import http_client # pylint: disable=import-error @@ -259,13 +260,12 @@ class Client(object): # pylint: disable=too-many-instance-attributes :rtype: `datetime.datetime` """ - retry_after = response.headers.get('Retry-After', str(default)) - now = datetime.datetime.now() + retry_after = response.headers.get('Retry-After', str(default)).strip() try: seconds = int(retry_after) except ValueError: # pylint: disable=no-member - t = list(parsedate_tz(value.strip())) # returns None on fail + t = list(parsedate_tz(retry_after)) try: year = t[0] # raises TypeError if t is None # Handle two-digit years -- but any webserver that thinks @@ -273,11 +273,12 @@ class Client(object): # pylint: disable=too-many-instance-attributes if year >= 0 and year < 100: t[0] = year + 2000 tz = t[-1] if t[-1] else 0 - return datetime(*t) - timedelta(tz) # raises Value/OverflowError + # raises ValueError/OverflowError + return datetime(*t) - timedelta(tz) except (TypeError, ValueError, OverflowError): seconds = default - return now + datetime.timedelta(seconds=seconds) + return datetime.now() + timedelta(seconds=seconds) def poll(self, authzr): """Poll Authorization Resource for status. @@ -369,7 +370,7 @@ class Client(object): # pylint: disable=too-many-instance-attributes # priority queue with datetime (based on Retry-After) as key, # and original Authorization Resource as value - waiting = [(datetime.datetime.now(), authzr) for authzr in authzrs] + waiting = [(datetime.now(), authzr) for authzr in authzrs] # mapping between original Authorization Resource and the most # recently updated one updated = dict((authzr, authzr) for authzr in authzrs) @@ -377,7 +378,7 @@ class Client(object): # pylint: disable=too-many-instance-attributes while waiting: # find the smallest Retry-After, and sleep if necessary when, authzr = heapq.heappop(waiting) - now = datetime.datetime.now() + now = datetime.now() if when > now: seconds = (when - now).seconds logger.debug('Sleeping for %d seconds', seconds) From e1e52a9d56f684cf2cb289a0661da65c132843c7 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 11 Feb 2016 17:47:15 -0800 Subject: [PATCH 037/141] Verify both symlink and target --- letsencrypt/storage.py | 37 ++++++++++++++++++++----------- letsencrypt/tests/storage_test.py | 4 ++++ 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/letsencrypt/storage.py b/letsencrypt/storage.py index 6f7f54646..6786ac745 100644 --- a/letsencrypt/storage.py +++ b/letsencrypt/storage.py @@ -112,6 +112,21 @@ def update_configuration(lineagename, target, cli_config): return configobj.ConfigObj(config_filename) +def get_link_target(link): + """Get an absolute path to the target of link. + + :param str link: Path to a symbolic link + + :returns: Absolute path to the target of link + :rtype: str + + """ + target = os.readlink(link) + if not os.path.isabs(target): + target = os.path.join(os.path.dirname(link), target) + return os.path.abspath(target) + + class RenewableCert(object): # pylint: disable=too-many-instance-attributes """Renewable certificate. @@ -194,13 +209,15 @@ class RenewableCert(object): # pylint: disable=too-many-instance-attributes def _check_symlinks(self): """Raises an exception if a symlink doesn't exist""" - def check(link): - """Checks if symlink points to a file that exists""" - return os.path.exists(os.path.realpath(link)) for kind in ALL_FOUR: - if not check(getattr(self, kind)): + link = getattr(self, kind) + if not os.path.islink(link): raise errors.CertStorageError( - "link: {0} does not exist".format(getattr(self, kind))) + "expected {0} to be a symlink".format(link)) + target = get_link_target(link) + if not os.path.exists(target): + raise errors.CertStorageError("target {0} of symlink {1} does " + "not exist".format(target, link)) def _consistent(self): """Are the files associated with this lineage self-consistent? @@ -225,10 +242,7 @@ class RenewableCert(object): # pylint: disable=too-many-instance-attributes return False for kind in ALL_FOUR: link = getattr(self, kind) - where = os.path.dirname(link) - target = os.readlink(link) - if not os.path.isabs(target): - target = os.path.join(where, target) + target = get_link_target(link) # Each element's link must point within the cert lineage's # directory within the official archive directory @@ -343,10 +357,7 @@ class RenewableCert(object): # pylint: disable=too-many-instance-attributes logger.debug("Expected symlink %s for %s does not exist.", link, kind) return None - target = os.readlink(link) - if not os.path.isabs(target): - target = os.path.join(os.path.dirname(link), target) - return os.path.abspath(target) + return get_link_target(link) def current_version(self, kind): """Returns numerical version of the specified item. diff --git a/letsencrypt/tests/storage_test.py b/letsencrypt/tests/storage_test.py index 9d402089c..071d6d7bb 100644 --- a/letsencrypt/tests/storage_test.py +++ b/letsencrypt/tests/storage_test.py @@ -687,6 +687,10 @@ class RenewableCertTests(BaseRenewableCertTest): self.assertRaises(errors.CertStorageError, storage.RenewableCert, self.config.filename, self.cli_config) + os.symlink("missing", self.config[ALL_FOUR[0]]) + self.assertRaises(errors.CertStorageError, + storage.RenewableCert, + self.config.filename, self.cli_config) if __name__ == "__main__": From 73b81a35c282e520d7c597877c3443bd6a07485b Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Thu, 11 Feb 2016 17:57:46 -0800 Subject: [PATCH 038/141] More documentation edits; prioritize webroot over standalone --- docs/using.rst | 90 +++++++++++++++++++++++++++++--------------------- 1 file changed, 52 insertions(+), 38 deletions(-) diff --git a/docs/using.rst b/docs/using.rst index c2962ea2e..22e6b5e5e 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -49,7 +49,7 @@ or for full help, type: ``letsencrypt-auto`` is the recommended method of running the Let's Encrypt client beta releases on systems that don't have a packaged version. Debian, -Arch linux, FreeBSD, and OpenBSD now have native packages, so on those +Arch Linux, FreeBSD, and OpenBSD now have native packages, so on those systems you can just install ``letsencrypt`` (and perhaps ``letsencrypt-apache``). If you'd like to run the latest copy from Git, or run your own locally modified copy of the client, follow the instructions in @@ -93,36 +93,27 @@ This automates both obtaining *and* installing certs on an Apache webserver. To specify this plugin on the command line, simply include ``--apache``. -Standalone ----------- - -To obtain a cert using a "standalone" webserver, you can use the -standalone plugin by including ``certonly`` and ``--standalone`` -on the command line. This plugin needs to bind to port 80 or 443 in -order to perform domain validation, so you may need to stop your -existing webserver. To control which port the plugin uses, include -one of the options shown below on the command line. - - * ``--standalone-supported-challenges http-01`` to use port 80 - * ``--standalone-supported-challenges tls-sni-01`` to use port 443 - Webroot ------- -If you're running a webserver that you don't want to stop to use -standalone, you can use the webroot plugin to obtain a cert by -including ``certonly`` and ``--webroot`` on the command line. In -addition, you'll need to specify ``--webroot-path`` or ``-w`` with the root -directory of the files served by your webserver. For example, -``--webroot-path /var/www/html`` or -``--webroot-path /usr/share/nginx/html`` are two common webroot paths. +If you're running a local webserver for which you have the ability +to modify the content being served, and you'd prefer not to stop the +webserver during the certificate issuance process, you can use the webroot +plugin to obtain a cert by including ``certonly`` and ``--webroot`` on +the command line. In addition, you'll need to specify ``--webroot-path`` +or ``-w`` with the top-level directory ("web root") containing the files +served by your webserver. For example, ``--webroot-path /var/www/html`` +or ``--webroot-path /usr/share/nginx/html`` are two common webroot paths. -If you're getting a certificate for many domains at once, each domain will use -the most recent ``--webroot-path``. So for instance: +If you're getting a certificate for many domains at once, the plugin +needs to know where each domain's files are served from, which could +potentially be a separate directory for each domain. When requested a +certificate for multiple domains, each domain will use the most recently +specified ``--webroot-path``. So, for instance, ``letsencrypt certonly --webroot -w /var/www/example/ -d www.example.com -d example.com -w /var/www/eg -d eg.is -d www.eg.is`` -Would obtain a single certificate for all of those names, using the +would obtain a single certificate for all of those names, using the ``/var/www/example`` webroot directory for the first two, and ``/var/www/eg`` for the second two. @@ -137,8 +128,28 @@ made to your web server would look like: 66.133.109.36 - - [05/Jan/2016:20:11:24 -0500] "GET /.well-known/acme-challenge/HGr8U1IeTW4kY_Z6UIyaakzOkyQgPr_7ArlLgtZE8SX HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" Note that to use the webroot plugin, your server must be configured to serve -files from hidden directories. +files from hidden directories. If ``/.well-known`` is treated specially by +your webserver configuration, you might need to modify the configuration +to ensure that files inside ``/.well-known/ache-challenge`` are served by +the webserver. +Standalone +---------- + +To obtain a cert using a "standalone" webserver, you can use the +standalone plugin by including ``certonly`` and ``--standalone`` +on the command line. This plugin needs to bind to port 80 or 443 in +order to perform domain validation, so you may need to stop your +existing webserver. To control which port the plugin uses, include +one of the options shown below on the command line. + + * ``--standalone-supported-challenges http-01`` to use port 80 + * ``--standalone-supported-challenges tls-sni-01`` to use port 443 + +The standalone plugin does not rely on any other server software running +on the machine where you obtain the certificate. It must still be possible +for that machine to accept inbound connections from the Internet on the +specified port using each requested domain name. Manual ------ @@ -148,7 +159,8 @@ other than your target webserver or perform the steps for domain validation yourself, you can use the manual plugin. While hidden from the UI, you can use the plugin to obtain a cert by specifying ``certonly`` and ``--manual`` on the command line. This requires you -to copy and paste commands into another terminal session. +to copy and paste commands into another terminal session, which may +be on a different computer. Nginx ----- @@ -159,7 +171,7 @@ is still experimental, however, and is not installed with letsencrypt-auto_. If installed, you can select this plugin on the command line by including ``--nginx``. -Third party plugins +Third-party plugins ------------------- These plugins are listed at @@ -184,15 +196,19 @@ expire in less than 30 days. The same plugin and options that were used at the time the certificate was originally issued will be used for the renewal attempt, unless you specify other plugins or options. -If you're sure that UI doesn't prompt for any details you can add the -command to ``crontab`` (make it less than every 90 days to avoid problems, -say every month); note that the current version provides detailed output -describing either renewal success or failure. +If you're sure that this command executes successfully without human +intervention, you can add the command to ``crontab`` (since certificates +are only renewed when they're determined to be near expiry, the command +can run on a regular basis, like every week or every day); note that +the current version provides detailed output describing either renewal +success or failure. The ``--force-renew`` flag may be helpful for automating renewal; it causes the expiration time of the certificate(s) to be ignored when considering renewal, and attempts to renew each and every installed -certificate regardless of its age. +certificate regardless of its age. (This form is not appropriate to run +daily because each certificate will be renewed every day, which will +quickly run into the certificate authority rate limit.) Note that options provided to ``letsencrypt renew`` will apply to *every* certificate for which renewal is attempted; for example, @@ -212,12 +228,10 @@ a specific certificate specified via `-d` flags, like (All of the domains covered by the certificate must be specified in this case in order to renew and replace the old certificate rather -than obtaining a new one; don't forget any `www.` domains!) The -``certonly`` form attempts to renew one individual certificate. - -letsencrypt-auto_) again, and use the same values when prompted. You can -automate it slightly by passing necessary flags on the CLI (see `--help -all`), or even further using the :ref:`config-file`. +than obtaining a new one; don't forget any `www.` domains! Specifying +a subset of the domains creates a new, separate certificate containing +only those domains, rather than replacing the original certificate.) +The ``certonly`` form attempts to renew one individual certificate. Please note that the CA will send notification emails to the address From 6f99d9f3d9dbf86cdf4a3a1806fc460ea40ce75e Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 11 Feb 2016 18:22:41 -0800 Subject: [PATCH 039/141] fixen --- acme/acme/client.py | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index 9f583fda4..b07009a11 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -4,7 +4,7 @@ import heapq import logging import time -from datetime import datetime, timedelta +import datetime import six from six.moves import http_client # pylint: disable=import-error @@ -21,7 +21,8 @@ from acme import messages try: from email.utils import parsedate_tz except ImportError: # pragma: no cover - from email.Utils import parsedate_tz + # pylint: disable=import-error,no-name-in-module + from email.Utils import parsedate_tz logger = logging.getLogger(__name__) @@ -257,7 +258,7 @@ class Client(object): # pylint: disable=too-many-instance-attributes ``Retry-After`` header is not present or invalid. :returns: Time point when next `poll` should be performed. - :rtype: `datetime.datetime` + :rtype: `datetime.datetime.datetime` """ retry_after = response.headers.get('Retry-After', str(default)).strip() @@ -265,20 +266,20 @@ class Client(object): # pylint: disable=too-many-instance-attributes seconds = int(retry_after) except ValueError: # pylint: disable=no-member - t = list(parsedate_tz(retry_after)) + when = parsedate_tz(retry_after) try: - year = t[0] # raises TypeError if t is None + year = when[0] # raises TypeError if t is None # Handle two-digit years -- but any webserver that thinks # "retry after 99" means "come back after 1999" is.. deprecated if year >= 0 and year < 100: - t[0] = year + 2000 - tz = t[-1] if t[-1] else 0 + when = [year + 2000] + when[1:] + tzone = when[-1] if when[-1] else 0 # raises ValueError/OverflowError - return datetime(*t) - timedelta(tz) + return datetime.datetime(*when[:7]) - datetime.timedelta(tzone) except (TypeError, ValueError, OverflowError): seconds = default - return datetime.now() + timedelta(seconds=seconds) + return datetime.datetime.now() + datetime.timedelta(seconds=seconds) def poll(self, authzr): """Poll Authorization Resource for status. @@ -368,9 +369,9 @@ class Client(object): # pylint: disable=too-many-instance-attributes attempts = collections.defaultdict(int) exhausted = set() - # priority queue with datetime (based on Retry-After) as key, + # priority queue with datetime.datetime (based on Retry-After) as key, # and original Authorization Resource as value - waiting = [(datetime.now(), authzr) for authzr in authzrs] + waiting = [(datetime.datetime.now(), authzr) for authzr in authzrs] # mapping between original Authorization Resource and the most # recently updated one updated = dict((authzr, authzr) for authzr in authzrs) @@ -378,7 +379,7 @@ class Client(object): # pylint: disable=too-many-instance-attributes while waiting: # find the smallest Retry-After, and sleep if necessary when, authzr = heapq.heappop(waiting) - now = datetime.now() + now = datetime.datetime.now() if when > now: seconds = (when - now).seconds logger.debug('Sleeping for %d seconds', seconds) From c80535b2dfadfb9d700cb03a1d5c8735332567d6 Mon Sep 17 00:00:00 2001 From: freezy Date: Fri, 12 Feb 2016 09:49:17 +0100 Subject: [PATCH 040/141] Fixed typo in Webroot section --- docs/using.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/using.rst b/docs/using.rst index 7263452b5..be877b17e 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -130,7 +130,7 @@ made to your web server would look like: Note that to use the webroot plugin, your server must be configured to serve files from hidden directories. If ``/.well-known`` is treated specially by your webserver configuration, you might need to modify the configuration -to ensure that files inside ``/.well-known/ache-challenge`` are served by +to ensure that files inside ``/.well-known/acme-challenge`` are served by the webserver. Standalone @@ -439,8 +439,8 @@ want to use the Apache plugin, it has to be installed separately: emerge -av app-crypt/letsencrypt emerge -av app-crypt/letsencrypt-apache -Currently, only the Apache plugin is included in Portage. However, if you -want the nginx plugin, you can use Layman to add the mrueg overlay which +Currently, only the Apache plugin is included in Portage. However, if you +want the nginx plugin, you can use Layman to add the mrueg overlay which does include the nginx plugin package: .. code-block:: shell @@ -450,9 +450,9 @@ does include the nginx plugin package: layman -a mrueg emerge -av app-crypt/letsencrypt-nginx -When using the Apache plugin, you will run into a "cannot find a cert or key +When using the Apache plugin, you will run into a "cannot find a cert or key directive" error if you're sporting the default Gentoo ``httpd.conf``. -You can fix this by commenting out two lines in ``/etc/apache2/httpd.conf`` +You can fix this by commenting out two lines in ``/etc/apache2/httpd.conf`` as follows: Change @@ -471,7 +471,7 @@ to LoadModule ssl_module modules/mod_ssl.so # -For the time being, this is the only way for the Apache plugin to recognise +For the time being, this is the only way for the Apache plugin to recognise the appropriate directives when installing the certificate. Note: this change is not required for the other plugins. From caf959997cbe4c10cf37df47efed2518c0e245b6 Mon Sep 17 00:00:00 2001 From: TheNavigat Date: Thu, 14 Jan 2016 03:10:12 +0200 Subject: [PATCH 041/141] Adding boulder integration support to Vagrant --- Vagrantfile | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Vagrantfile b/Vagrantfile index 678abdf72..89b512b8c 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -5,10 +5,20 @@ VAGRANTFILE_API_VERSION = "2" # Setup instructions from docs/contributing.rst +# Script for installing dependencies for tox and boulder integration +# TODO: Check if the GO PATH lines already exist. If they do, don't add them. +# If they don't, add them before the exit line $ubuntu_setup_script = <> ~/.profile +echo "export PATH=\\$GOROOT/bin:\\$PATH" >> ~/.profile +echo "export GOPATH=\\$HOME/go" >> ~/.profile +export DEBIAN_FRONTEND=noninteractive +sudo -E apt-get -q -y install git mysql-server-5.5 libltdl-dev rabbitmq-server make nginx SETUP_SCRIPT Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| From a89b187186aab050cccd04f97f3e034833566e9c Mon Sep 17 00:00:00 2001 From: TheNavigat Date: Tue, 19 Jan 2016 19:15:22 +0200 Subject: [PATCH 042/141] Adding conditions for adding export lines to ~/.profile --- Vagrantfile | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 89b512b8c..7cc3fbece 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -5,18 +5,16 @@ VAGRANTFILE_API_VERSION = "2" # Setup instructions from docs/contributing.rst -# Script for installing dependencies for tox and boulder integration -# TODO: Check if the GO PATH lines already exist. If they do, don't add them. -# If they don't, add them before the exit line +# Script installs dependencies for tox and boulder integration $ubuntu_setup_script = <> ~/.profile -echo "export PATH=\\$GOROOT/bin:\\$PATH" >> ~/.profile -echo "export GOPATH=\\$HOME/go" >> ~/.profile +if ! grep -Fxq "export GOROOT=/usr/local/go" ~/.profile ; then echo "export GOROOT=/usr/local/go" >> ~/.profile; fi +if ! grep -Fxq "export PATH=\\$GOROOT/bin:\\$PATH" ~/.profile ; then echo "export PATH=\\$GOROOT/bin:\\$PATH" >> ~/.profile; fi +if ! grep -Fxq "export GOPATH=\\$HOME/go" ~/.profile ; then echo "export GOPATH=\\$HOME/go" >> ~/.profile; fi export DEBIAN_FRONTEND=noninteractive sudo -E apt-get -q -y install git mysql-server-5.5 libltdl-dev rabbitmq-server make nginx SETUP_SCRIPT From a4f46aa90a063bea5a2457e66e2ff950bb5cd77f Mon Sep 17 00:00:00 2001 From: TheNavigat Date: Sat, 23 Jan 2016 02:31:50 +0200 Subject: [PATCH 043/141] Replacing MySQL with MariaDB and nginx with nginx-light --- Vagrantfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 7cc3fbece..0475761d1 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -16,7 +16,7 @@ if ! grep -Fxq "export GOROOT=/usr/local/go" ~/.profile ; then echo "export GORO if ! grep -Fxq "export PATH=\\$GOROOT/bin:\\$PATH" ~/.profile ; then echo "export PATH=\\$GOROOT/bin:\\$PATH" >> ~/.profile; fi if ! grep -Fxq "export GOPATH=\\$HOME/go" ~/.profile ; then echo "export GOPATH=\\$HOME/go" >> ~/.profile; fi export DEBIAN_FRONTEND=noninteractive -sudo -E apt-get -q -y install git mysql-server-5.5 libltdl-dev rabbitmq-server make nginx +sudo -E apt-get -q -y install git make libltdl-dev mariadb-server rabbitmq-server nginx-light SETUP_SCRIPT Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| From 037cc4e150eff2da9a4830ec27bdd3265e613232 Mon Sep 17 00:00:00 2001 From: TheNavigat Date: Sat, 23 Jan 2016 03:09:49 +0200 Subject: [PATCH 044/141] Adding running boulder-start.sh on boot --- Vagrantfile | 1 + docs/contributing.rst | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/Vagrantfile b/Vagrantfile index 0475761d1..3798085c0 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -15,6 +15,7 @@ sudo tar -C /usr/local -xzf /tmp/go1.5.3.linux-amd64.tar.gz if ! grep -Fxq "export GOROOT=/usr/local/go" ~/.profile ; then echo "export GOROOT=/usr/local/go" >> ~/.profile; fi if ! grep -Fxq "export PATH=\\$GOROOT/bin:\\$PATH" ~/.profile ; then echo "export PATH=\\$GOROOT/bin:\\$PATH" >> ~/.profile; fi if ! grep -Fxq "export GOPATH=\\$HOME/go" ~/.profile ; then echo "export GOPATH=\\$HOME/go" >> ~/.profile; fi +if ! grep -Fxq "cd /vagrant/tests/; ./boulder-start.sh &" /etc/rc.local ; then sed -i -e '$i \cd /vagrant/tests/; ./boulder-start.sh &\n' /etc/rc.local; fi export DEBIAN_FRONTEND=noninteractive sudo -E apt-get -q -y install git make libltdl-dev mariadb-server rabbitmq-server nginx-light SETUP_SCRIPT diff --git a/docs/contributing.rst b/docs/contributing.rst index 36dff01b9..ce4078ea3 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -96,6 +96,14 @@ Integration testing with the boulder CA Generally it is sufficient to open a pull request and let Github and Travis run integration tests for you. +However, if you prefer to run tests, you can use Vagrant, using the Vagrantfile +in Let's Encrypt's repository. To execute the tests on a Vagrant box, the only +command you are required to run is:: + + ./tests/boulder-integration.sh + +Otherwise, please follow the following instructions. + Mac OS X users: Run ``./tests/mac-bootstrap.sh`` instead of ``boulder-start.sh`` to install dependencies, configure the environment, and start boulder. From 14b85c6d6f3e25c5800e8ae4bd19524e835502a0 Mon Sep 17 00:00:00 2001 From: TheNavigat Date: Sat, 23 Jan 2016 03:10:40 +0200 Subject: [PATCH 045/141] Replacing relative ~/.profile paths with absolute /home/vagrant/.profile ones --- Vagrantfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 3798085c0..7c304c227 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -12,9 +12,9 @@ cd /vagrant ./tools/venv.sh wget https://storage.googleapis.com/golang/go1.5.3.linux-amd64.tar.gz -P /tmp/ sudo tar -C /usr/local -xzf /tmp/go1.5.3.linux-amd64.tar.gz -if ! grep -Fxq "export GOROOT=/usr/local/go" ~/.profile ; then echo "export GOROOT=/usr/local/go" >> ~/.profile; fi -if ! grep -Fxq "export PATH=\\$GOROOT/bin:\\$PATH" ~/.profile ; then echo "export PATH=\\$GOROOT/bin:\\$PATH" >> ~/.profile; fi -if ! grep -Fxq "export GOPATH=\\$HOME/go" ~/.profile ; then echo "export GOPATH=\\$HOME/go" >> ~/.profile; fi +if ! grep -Fxq "export GOROOT=/usr/local/go" /home/vagrant/.profile ; then echo "export GOROOT=/usr/local/go" >> /home/vagrant/.profile; fi +if ! grep -Fxq "export PATH=\\$GOROOT/bin:\\$PATH" /home/vagrant/.profile ; then echo "export PATH=\\$GOROOT/bin:\\$PATH" >> /home/vagrant/.profile; fi +if ! grep -Fxq "export GOPATH=\\$HOME/go" /home/vagrant/.profile ; then echo "export GOPATH=\\$HOME/go" >> /home/vagrant/.profile; fi if ! grep -Fxq "cd /vagrant/tests/; ./boulder-start.sh &" /etc/rc.local ; then sed -i -e '$i \cd /vagrant/tests/; ./boulder-start.sh &\n' /etc/rc.local; fi export DEBIAN_FRONTEND=noninteractive sudo -E apt-get -q -y install git make libltdl-dev mariadb-server rabbitmq-server nginx-light From da1542e57f52801f8b02092707b56217a4109c0e Mon Sep 17 00:00:00 2001 From: TheNavigat Date: Fri, 12 Feb 2016 13:52:05 +0200 Subject: [PATCH 046/141] Fixing path from which boulder-start.sh is executed --- Vagrantfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 7c304c227..e5975442f 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -15,7 +15,7 @@ sudo tar -C /usr/local -xzf /tmp/go1.5.3.linux-amd64.tar.gz if ! grep -Fxq "export GOROOT=/usr/local/go" /home/vagrant/.profile ; then echo "export GOROOT=/usr/local/go" >> /home/vagrant/.profile; fi if ! grep -Fxq "export PATH=\\$GOROOT/bin:\\$PATH" /home/vagrant/.profile ; then echo "export PATH=\\$GOROOT/bin:\\$PATH" >> /home/vagrant/.profile; fi if ! grep -Fxq "export GOPATH=\\$HOME/go" /home/vagrant/.profile ; then echo "export GOPATH=\\$HOME/go" >> /home/vagrant/.profile; fi -if ! grep -Fxq "cd /vagrant/tests/; ./boulder-start.sh &" /etc/rc.local ; then sed -i -e '$i \cd /vagrant/tests/; ./boulder-start.sh &\n' /etc/rc.local; fi +if ! grep -Fxq "cd /vagrant/; ./tests/boulder-start.sh &" /etc/rc.local ; then sed -i -e '$i \cd /vagrant/; ./tests/boulder-start.sh &\n' /etc/rc.local; fi export DEBIAN_FRONTEND=noninteractive sudo -E apt-get -q -y install git make libltdl-dev mariadb-server rabbitmq-server nginx-light SETUP_SCRIPT From cedcad137391e277552b9a8a5dbc636b2f081b77 Mon Sep 17 00:00:00 2001 From: Erik Rose Date: Fri, 12 Feb 2016 11:49:01 -0500 Subject: [PATCH 047/141] Use python -V instead of python --version. Fix #2039. Python 2.4 doesn't support --version, and we want to be able to at least complain that it's too old without crashing. Also, bring built le-auto up to date. --- letsencrypt-auto-source/letsencrypt-auto | 8 ++++---- letsencrypt-auto-source/letsencrypt-auto.template | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 30d907690..4ee16af95 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -104,7 +104,7 @@ DeterminePythonVersion() { exit 1 fi - PYVER=`"$LE_PYTHON" --version 2>&1 | cut -d" " -f 2 | cut -d. -f1,2 | sed 's/\.//'` + PYVER=`"$LE_PYTHON" -V 2>&1 | cut -d" " -f 2 | cut -d. -f1,2 | sed 's/\.//'` if [ $PYVER -lt 26 ]; then echo "You have an ancient version of Python entombed in your operating system..." echo "This isn't going to work; you'll need at least version 2.6." @@ -324,13 +324,13 @@ BootstrapGentooCommon() { case "$PACKAGE_MANAGER" in (paludis) - "$SUDO" cave resolve --keep-targets if-possible $PACKAGES -x + "$SUDO" cave resolve --preserve-world --keep-targets if-possible $PACKAGES -x ;; (pkgcore) - "$SUDO" pmerge --noreplace $PACKAGES + "$SUDO" pmerge --noreplace --oneshot $PACKAGES ;; (portage|*) - "$SUDO" emerge --noreplace $PACKAGES + "$SUDO" emerge --noreplace --oneshot $PACKAGES ;; esac } diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index 1fa12528f..b65b55163 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -104,7 +104,7 @@ DeterminePythonVersion() { exit 1 fi - PYVER=`"$LE_PYTHON" --version 2>&1 | cut -d" " -f 2 | cut -d. -f1,2 | sed 's/\.//'` + PYVER=`"$LE_PYTHON" -V 2>&1 | cut -d" " -f 2 | cut -d. -f1,2 | sed 's/\.//'` if [ $PYVER -lt 26 ]; then echo "You have an ancient version of Python entombed in your operating system..." echo "This isn't going to work; you'll need at least version 2.6." From ca7f190efc3b0899439f82cf06e03292e1280582 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 12 Feb 2016 11:29:36 -0800 Subject: [PATCH 048/141] lint & cover --- acme/acme/client.py | 2 +- acme/acme/client_test.py | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index b07009a11..46384cd85 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -22,7 +22,7 @@ try: from email.utils import parsedate_tz except ImportError: # pragma: no cover # pylint: disable=import-error,no-name-in-module - from email.Utils import parsedate_tz + from email.Utils import parsedate_tz logger = logging.getLogger(__name__) diff --git a/acme/acme/client_test.py b/acme/acme/client_test.py index 9abc69c7c..5a43272f2 100644 --- a/acme/acme/client_test.py +++ b/acme/acme/client_test.py @@ -194,6 +194,10 @@ class ClientTest(unittest.TestCase): self.assertEqual( datetime.datetime(1999, 12, 31, 23, 59, 59), self.client.retry_after(response=self.response, default=10)) + self.response.headers['Retry-After'] = 'Fri, 31 Dec 17 23:59:59 GMT' + self.assertEqual( + datetime.datetime(2017, 12, 31, 23, 59, 59), + self.client.retry_after(response=self.response, default=10)) @mock.patch('acme.client.datetime') def test_retry_after_invalid(self, dt_mock): From ae69a7446587794cbaeed2cb522c7e4378dc26aa Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 12 Feb 2016 11:38:26 -0800 Subject: [PATCH 049/141] Tidy --- acme/acme/client.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index 46384cd85..4c02fde94 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -1,11 +1,10 @@ """ACME client API.""" import collections +import datetime import heapq import logging import time -import datetime - import six from six.moves import http_client # pylint: disable=import-error From dc8bdfac565d0fbb6920a550ee758000b39cd8dc Mon Sep 17 00:00:00 2001 From: Erik Rose Date: Fri, 12 Feb 2016 15:07:01 -0500 Subject: [PATCH 050/141] Quote the remaining variable expansions in le-auto. Refs #1899. ...except for $SUDO, which is always either "sudo", "su_sudo", or "", never having a quote-needing char in it. It's unlikely that $PYVER would have a space in it, but it doesn't hurt. --- letsencrypt-auto-source/letsencrypt-auto | 4 ++-- letsencrypt-auto-source/letsencrypt-auto.template | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index ea3f7a4bb..420e6263b 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -18,7 +18,7 @@ set -e # Work even if somebody does "sh thisscript.sh". XDG_DATA_HOME=${XDG_DATA_HOME:-~/.local/share} VENV_NAME="letsencrypt" VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"} -VENV_BIN=${VENV_PATH}/bin +VENV_BIN="$VENV_PATH/bin" LE_AUTO_VERSION="0.5.0.dev0" # This script takes the same arguments as the main letsencrypt program, but it @@ -105,7 +105,7 @@ DeterminePythonVersion() { fi PYVER=`"$LE_PYTHON" -V 2>&1 | cut -d" " -f 2 | cut -d. -f1,2 | sed 's/\.//'` - if [ $PYVER -lt 26 ]; then + if [ "$PYVER" -lt 26 ]; then echo "You have an ancient version of Python entombed in your operating system..." echo "This isn't going to work; you'll need at least version 2.6." exit 1 diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index b65b55163..042a448f5 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -18,7 +18,7 @@ set -e # Work even if somebody does "sh thisscript.sh". XDG_DATA_HOME=${XDG_DATA_HOME:-~/.local/share} VENV_NAME="letsencrypt" VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"} -VENV_BIN=${VENV_PATH}/bin +VENV_BIN="$VENV_PATH/bin" LE_AUTO_VERSION="{{ LE_AUTO_VERSION }}" # This script takes the same arguments as the main letsencrypt program, but it @@ -105,7 +105,7 @@ DeterminePythonVersion() { fi PYVER=`"$LE_PYTHON" -V 2>&1 | cut -d" " -f 2 | cut -d. -f1,2 | sed 's/\.//'` - if [ $PYVER -lt 26 ]; then + if [ "$PYVER" -lt 26 ]; then echo "You have an ancient version of Python entombed in your operating system..." echo "This isn't going to work; you'll need at least version 2.6." exit 1 From 0afb4241734ddaafdbc46b522dc224fef63a2e1a Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 12 Feb 2016 12:29:13 -0800 Subject: [PATCH 051/141] py26 doesn't like adding lists & tuples --- acme/acme/client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index 4c02fde94..c1bdcb69f 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -271,7 +271,7 @@ class Client(object): # pylint: disable=too-many-instance-attributes # Handle two-digit years -- but any webserver that thinks # "retry after 99" means "come back after 1999" is.. deprecated if year >= 0 and year < 100: - when = [year + 2000] + when[1:] + when = [year + 2000] + list(when[1:]) tzone = when[-1] if when[-1] else 0 # raises ValueError/OverflowError return datetime.datetime(*when[:7]) - datetime.timedelta(tzone) From 043273960e2f6351c0493693666d108548a066e6 Mon Sep 17 00:00:00 2001 From: Erik Rose Date: Fri, 12 Feb 2016 15:47:24 -0500 Subject: [PATCH 052/141] Always install the homebrew version of Python. Fix #1437. Otherwise, we sometimes end up using the system Python, for which we'd need to use sudo to install virtualenv. Brew complicates this by yelling at you if you do use sudo. So let's simplify things by always using the homebrew python, which is more up to date anyway. --- letsencrypt-auto-source/letsencrypt-auto | 4 ++-- letsencrypt-auto-source/pieces/bootstrappers/mac.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index ea3f7a4bb..2e12315ff 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -359,8 +359,8 @@ BootstrapMac() { brew install dialog fi - if ! hash pip 2>/dev/null; then - echo "pip not installed.\nInstalling python from Homebrew..." + if [ -z "$(brew list --versions python)" ]; then + echo "python not installed.\nInstalling python from Homebrew..." brew install python fi diff --git a/letsencrypt-auto-source/pieces/bootstrappers/mac.sh b/letsencrypt-auto-source/pieces/bootstrappers/mac.sh index 23c12eec3..4bdf34116 100755 --- a/letsencrypt-auto-source/pieces/bootstrappers/mac.sh +++ b/letsencrypt-auto-source/pieces/bootstrappers/mac.sh @@ -14,8 +14,8 @@ BootstrapMac() { brew install dialog fi - if ! hash pip 2>/dev/null; then - echo "pip not installed.\nInstalling python from Homebrew..." + if [ -z "$(brew list --versions python)" ]; then + echo "python not installed.\nInstalling python from Homebrew..." brew install python fi From f1faedaa72e7833da49e6f33ecb2e3ce6a12cf6d Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 12 Feb 2016 12:48:20 -0800 Subject: [PATCH 053/141] This two digit year case is hard to trigger --- acme/acme/client_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme/acme/client_test.py b/acme/acme/client_test.py index 5a43272f2..dee78910f 100644 --- a/acme/acme/client_test.py +++ b/acme/acme/client_test.py @@ -194,7 +194,7 @@ class ClientTest(unittest.TestCase): self.assertEqual( datetime.datetime(1999, 12, 31, 23, 59, 59), self.client.retry_after(response=self.response, default=10)) - self.response.headers['Retry-After'] = 'Fri, 31 Dec 17 23:59:59 GMT' + self.response.headers['Retry-After'] = 'Fri, 31-Dec-17 23:59:59 GMT' self.assertEqual( datetime.datetime(2017, 12, 31, 23, 59, 59), self.client.retry_after(response=self.response, default=10)) From c3ddb47cfa02d06f347430dd2fb0642845023f9d Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 12 Feb 2016 12:59:53 -0800 Subject: [PATCH 054/141] All this import voodoo is not required for py2.6+ --- acme/acme/client.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index c1bdcb69f..1d1ea406f 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -17,11 +17,7 @@ from acme import jose from acme import jws from acme import messages -try: - from email.utils import parsedate_tz -except ImportError: # pragma: no cover - # pylint: disable=import-error,no-name-in-module - from email.Utils import parsedate_tz +from email.utils import parsedate_tz logger = logging.getLogger(__name__) From 4c2c80dcdaf78ebdd44185762484f9db9ff147b8 Mon Sep 17 00:00:00 2001 From: Erik Rose Date: Fri, 12 Feb 2016 17:23:29 -0500 Subject: [PATCH 055/141] Fix DeterminePythonVersion(). Ported from #1751. * Make sure any Python passed in as $LE_PYTHON actually exists. * Dodge a word-splitting bug: `a='a b'; export a=${a:-c}; echo $a` gives `a` instead of `a b` under shells that respect POSIX.1, like dash. --- letsencrypt-auto-source/letsencrypt-auto | 17 +++++++---------- .../letsencrypt-auto.template | 17 +++++++---------- 2 files changed, 14 insertions(+), 20 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index ea3f7a4bb..bfb41e240 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -91,18 +91,15 @@ ExperimentalBootstrap() { } DeterminePythonVersion() { - if command -v python2.7 > /dev/null ; then - export LE_PYTHON=${LE_PYTHON:-python2.7} - elif command -v python27 > /dev/null ; then - export LE_PYTHON=${LE_PYTHON:-python27} - elif command -v python2 > /dev/null ; then - export LE_PYTHON=${LE_PYTHON:-python2} - elif command -v python > /dev/null ; then - export LE_PYTHON=${LE_PYTHON:-python} - else - echo "Cannot find any Pythons... please install one!" + for LE_PYTHON in "$LE_PYTHON" python2.7 python27 python2 python; do + # Break (while keeping the LE_PYTHON value) if found. + command -v "$LE_PYTHON" > /dev/null && break + done + if [ "$?" != "0" ]; then + echo "Cannot find any Pythons; please install one!" exit 1 fi + export LE_PYTHON PYVER=`"$LE_PYTHON" -V 2>&1 | cut -d" " -f 2 | cut -d. -f1,2 | sed 's/\.//'` if [ $PYVER -lt 26 ]; then diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index b65b55163..2572e13d6 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -91,18 +91,15 @@ ExperimentalBootstrap() { } DeterminePythonVersion() { - if command -v python2.7 > /dev/null ; then - export LE_PYTHON=${LE_PYTHON:-python2.7} - elif command -v python27 > /dev/null ; then - export LE_PYTHON=${LE_PYTHON:-python27} - elif command -v python2 > /dev/null ; then - export LE_PYTHON=${LE_PYTHON:-python2} - elif command -v python > /dev/null ; then - export LE_PYTHON=${LE_PYTHON:-python} - else - echo "Cannot find any Pythons... please install one!" + for LE_PYTHON in "$LE_PYTHON" python2.7 python27 python2 python; do + # Break (while keeping the LE_PYTHON value) if found. + command -v "$LE_PYTHON" > /dev/null && break + done + if [ "$?" != "0" ]; then + echo "Cannot find any Pythons; please install one!" exit 1 fi + export LE_PYTHON PYVER=`"$LE_PYTHON" -V 2>&1 | cut -d" " -f 2 | cut -d. -f1,2 | sed 's/\.//'` if [ $PYVER -lt 26 ]; then From e08aa36a4ea5d4a1d60364f544e733a8e79fe97a Mon Sep 17 00:00:00 2001 From: Erik Rose Date: Fri, 12 Feb 2016 17:36:48 -0500 Subject: [PATCH 056/141] Switch to case statement for arg parsing in le-auto. Ported from #1751. * It's more lines but fewer tokens, less room for quote errors, and more idiomatic (see any init.d script). * Also, fix a bug in which any option containing "-v", e.g. --eat-vertical-pizza, would be construed as --verbose. --- letsencrypt-auto-source/letsencrypt-auto | 30 +++++++++++-------- .../letsencrypt-auto.template | 30 +++++++++++-------- 2 files changed, 36 insertions(+), 24 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index bfb41e240..1837120e8 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -25,18 +25,24 @@ LE_AUTO_VERSION="0.5.0.dev0" # additionally responds to --verbose (more output) and --debug (allow support # for experimental platforms) for arg in "$@" ; do - # This first clause is redundant with the third, but hedging on portability - if [ "$arg" = "-v" ] || [ "$arg" = "--verbose" ] || echo "$arg" | grep -E -- "-v+$" ; then - VERBOSE=1 - elif [ "$arg" = "--no-self-upgrade" ] ; then - # Do not upgrade this script (also prevents client upgrades, because each - # copy of the script pins a hash of the python client) - NO_SELF_UPGRADE=1 - elif [ "$arg" = "--os-packages-only" ] ; then - OS_PACKAGES_ONLY=1 - elif [ "$arg" = "--debug" ]; then - DEBUG=1 - fi + case "$arg" in + --debug) + DEBUG=1;; + --os-packages-only) + OS_PACKAGES_ONLY=1;; + --no-self-upgrade) + # Do not upgrade this script (also prevents client upgrades, because each + # copy of the script pins a hash of the python client) + NO_SELF_UPGRADE=1;; + --verbose) + VERBOSE=1;; + [!-]*|-*[!v]*|-) + # Anything that isn't -v, -vv, etc.: that is, anything that does not + # start with a -, contains anything that's not a v, or is just "-" + ;; + *) # -v+ remains. + VERBOSE=1;; + esac done # letsencrypt-auto needs root access to bootstrap OS dependencies, and diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index 2572e13d6..f0e87cf14 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -25,18 +25,24 @@ LE_AUTO_VERSION="{{ LE_AUTO_VERSION }}" # additionally responds to --verbose (more output) and --debug (allow support # for experimental platforms) for arg in "$@" ; do - # This first clause is redundant with the third, but hedging on portability - if [ "$arg" = "-v" ] || [ "$arg" = "--verbose" ] || echo "$arg" | grep -E -- "-v+$" ; then - VERBOSE=1 - elif [ "$arg" = "--no-self-upgrade" ] ; then - # Do not upgrade this script (also prevents client upgrades, because each - # copy of the script pins a hash of the python client) - NO_SELF_UPGRADE=1 - elif [ "$arg" = "--os-packages-only" ] ; then - OS_PACKAGES_ONLY=1 - elif [ "$arg" = "--debug" ]; then - DEBUG=1 - fi + case "$arg" in + --debug) + DEBUG=1;; + --os-packages-only) + OS_PACKAGES_ONLY=1;; + --no-self-upgrade) + # Do not upgrade this script (also prevents client upgrades, because each + # copy of the script pins a hash of the python client) + NO_SELF_UPGRADE=1;; + --verbose) + VERBOSE=1;; + [!-]*|-*[!v]*|-) + # Anything that isn't -v, -vv, etc.: that is, anything that does not + # start with a -, contains anything that's not a v, or is just "-" + ;; + *) # -v+ remains. + VERBOSE=1;; + esac done # letsencrypt-auto needs root access to bootstrap OS dependencies, and From 42a61537e6f34b40b458aae44e1a138b8e0d555e Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 12 Feb 2016 14:48:14 -0800 Subject: [PATCH 057/141] Remove unecessary check and use constant --- letsencrypt/cli.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt/cli.py b/letsencrypt/cli.py index bfedea15a..fcc6d3bd5 100644 --- a/letsencrypt/cli.py +++ b/letsencrypt/cli.py @@ -323,7 +323,7 @@ def _handle_identical_cert_request(config, cert): display = zope.component.getUtility(interfaces.IDisplay) response = display.menu(question, choices, "OK", "Cancel", default=0) - if response[0] == "cancel" or response[1] == 2: + if response[0] == display_util.CANCEL: # TODO: Add notification related to command-line options for # skipping the menu for this case. raise errors.Error( From 6fd3dba737a8de2c2f2d43d52d932418762762bb Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 12 Feb 2016 15:08:32 -0800 Subject: [PATCH 058/141] Two digit years are used/tested in py26 only --- acme/acme/client.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index 1d1ea406f..a00ff5be4 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -264,10 +264,10 @@ class Client(object): # pylint: disable=too-many-instance-attributes when = parsedate_tz(retry_after) try: year = when[0] # raises TypeError if t is None - # Handle two-digit years -- but any webserver that thinks + # py26: Handle two-digit years -- but any server that thinks # "retry after 99" means "come back after 1999" is.. deprecated if year >= 0 and year < 100: - when = [year + 2000] + list(when[1:]) + when = [year + 2000] + list(when[1:]) # pragma: no cover tzone = when[-1] if when[-1] else 0 # raises ValueError/OverflowError return datetime.datetime(*when[:7]) - datetime.timedelta(tzone) From 462d60def9ead9d7d5005c5242c40ece4c206490 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 12 Feb 2016 15:31:18 -0800 Subject: [PATCH 059/141] Reorder travis matrix by typical runtime Since that makes most efficient use of travis's parallelism --- .travis.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.travis.yml b/.travis.yml index 1d2f7b1db..8b298196f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -38,20 +38,20 @@ matrix: env: TOXENV=py27 BOULDER_INTEGRATION=1 - python: "2.7" env: TOXENV=py27-oldest BOULDER_INTEGRATION=1 - - python: "2.7" - env: TOXENV=cover - python: "2.7" env: TOXENV=lint + - sudo: required + env: TOXENV=le_auto + services: docker + before_install: + - python: "2.7" + env: TOXENV=cover - python: "3.3" env: TOXENV=py33 - python: "3.4" env: TOXENV=py34 - python: "3.5" env: TOXENV=py35 - - sudo: required - env: TOXENV=le_auto - services: docker - before_install: # Only build pushes to the master branch, PRs, and branches beginning with # `test-`. This reduces the number of simultaneous Travis runs, which speeds From 049c1fa114552f074c0206f9ce2a76329bdbeaf5 Mon Sep 17 00:00:00 2001 From: rugk Date: Sun, 14 Feb 2016 14:47:21 +0100 Subject: [PATCH 060/141] Fix typo --- docs/ciphers.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ciphers.rst b/docs/ciphers.rst index c8ff26117..ef644b7a0 100644 --- a/docs/ciphers.rst +++ b/docs/ciphers.rst @@ -139,7 +139,7 @@ client's priorities. The Mozilla security team is likely to have more resources and expertise to bring to bear on evaluating reasons why its recommendations should be updated. -The Let's Encrpyt project will entertain proposals to create a *very* +The Let's Encrypt project will entertain proposals to create a *very* small number of alternative configurations (apart from Modern, Intermediate, and Old) that there's reason to believe would be widely used by sysadmins; this would usually be a preferable course to modifying From e4fb4108ff69d1119ef91cb57f152b92d9a13dc7 Mon Sep 17 00:00:00 2001 From: TheNavigat Date: Sun, 14 Feb 2016 21:50:49 +0200 Subject: [PATCH 061/141] Adding test for client, register_unsafely_without_email=True --- letsencrypt/tests/client_test.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/letsencrypt/tests/client_test.py b/letsencrypt/tests/client_test.py index dbc57565e..f712ea94c 100644 --- a/letsencrypt/tests/client_test.py +++ b/letsencrypt/tests/client_test.py @@ -74,6 +74,15 @@ class RegisterTest(unittest.TestCase): self.config.email = None self.assertRaises(errors.Error, self._call) + @mock.patch("letsencrypt.client.logger") + def test_without_email(self, mock_logger): + with mock.patch("letsencrypt.client.acme_client.Client"): + with mock.patch("letsencrypt.account.report_new_account"): + self.config.email = None + self.config.register_unsafely_without_email = True + self._call() + mock_logger.warn.assert_called_once_with(mock.ANY) + class ClientTest(unittest.TestCase): """Tests for letsencrypt.client.Client.""" From c83517c6f1f635e650319771a98e1643cb8d55fb Mon Sep 17 00:00:00 2001 From: David Date: Mon, 15 Feb 2016 09:29:29 +0100 Subject: [PATCH 062/141] sudo: not found Executed as root git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt/ ./letsencrypt-auto --help failed with message ./letsencrypt-auto: 171: ./letsencrypt-auto: sudo: not found --- letsencrypt-auto-source/letsencrypt-auto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 0630c649a..19d834490 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -168,7 +168,7 @@ BootstrapDebCommon() { /bin/echo '(Backports are only installed if explicitly requested via "apt-get install -t wheezy-backports")' fi - sudo sh -c "echo $BACKPORT_SOURCELINE >> /etc/apt/sources.list.d/$BACKPORT_NAME.list" + $SUDO sh -c "echo $BACKPORT_SOURCELINE >> /etc/apt/sources.list.d/$BACKPORT_NAME.list" $SUDO apt-get update fi fi From 4bbea4e30b8ca1cd144ca40f6323e75ece9a4ab2 Mon Sep 17 00:00:00 2001 From: TheNavigat Date: Wed, 30 Dec 2015 23:19:52 +0200 Subject: [PATCH 063/141] Updating perform method documentation in interfaces.py --- letsencrypt/interfaces.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/letsencrypt/interfaces.py b/letsencrypt/interfaces.py index db5d2c5e8..1921b1e54 100644 --- a/letsencrypt/interfaces.py +++ b/letsencrypt/interfaces.py @@ -169,7 +169,9 @@ class IAuthenticator(IPlugin): Authenticator will never be able to perform (error). :rtype: :class:`list` of - :class:`acme.challenges.ChallengeResponse` + :class:`acme.challenges.ChallengeResponse`, + where responses are required to be returned in + the same order as corresponding input challenges :raises .PluginError: If challenges cannot be performed From 953aa2aa852cac62e864d7b49c83bf02523e3009 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=B4she=20van=20der=20Sterre?= Date: Mon, 15 Feb 2016 17:31:28 +0100 Subject: [PATCH 064/141] Adding required /etc/hosts entries to .travis.yml --- .travis.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 1d2f7b1db..127c6e680 100644 --- a/.travis.yml +++ b/.travis.yml @@ -65,9 +65,14 @@ branches: sudo: false addons: - # make sure simplehttp simple verification works (custom /etc/hosts) + # Custom /etc/hosts required for SimpleHTTP simple verification, + # simple_verify for http01 and tls-sni-01, and letsencrypt_test_nginx hosts: - le.wtf + - le1.wtf + - le2.wtf + - le3.wtf + - nginx.wtf mariadb: "10.0" apt: sources: From 89916e726cc6eb1831ad63411b328ee741bc90a0 Mon Sep 17 00:00:00 2001 From: TheNavigat Date: Sun, 10 Jan 2016 10:40:27 +0200 Subject: [PATCH 065/141] Adding required /etc/hosts entries to docs/contributing.rst --- docs/contributing.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/contributing.rst b/docs/contributing.rst index 36dff01b9..3045c31aa 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -127,9 +127,9 @@ Afterwards, you'd be able to start Boulder_ using the following command:: The script will download, compile and run the executable; please be patient - it will take some time... Once its ready, you will see -``Server running, listening on 127.0.0.1:4000...``. Add an -``/etc/hosts`` entry pointing ``le.wtf`` to 127.0.0.1. You may now -run (in a separate terminal):: +``Server running, listening on 127.0.0.1:4000...``. Add ``/etc/hosts`` +entries pointing ``le.wtf``, ``le1.wtf``, ``le2.wtf``, ``le3.wtf`` +and ``nginx.wtf`` to 127.0.0.1. You may now run (in a separate terminal):: ./tests/boulder-integration.sh && echo OK || echo FAIL From 607c48d0a3d670ddbdf5f7056af7da44e537fc8f Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 15 Feb 2016 12:08:20 -0800 Subject: [PATCH 066/141] [test farm] Fix use of the newleauto in test_letsencrypt_auto_certonly_standalone.sh --- .../scripts/test_letsencrypt_auto_certonly_standalone.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/letstest/scripts/test_letsencrypt_auto_certonly_standalone.sh b/tests/letstest/scripts/test_letsencrypt_auto_certonly_standalone.sh index ecef9814b..f4aef11fe 100755 --- a/tests/letstest/scripts/test_letsencrypt_auto_certonly_standalone.sh +++ b/tests/letstest/scripts/test_letsencrypt_auto_certonly_standalone.sh @@ -8,7 +8,7 @@ #private_ip=$(curl -s http://169.254.169.254/2014-11-05/meta-data/local-ipv4) cd letsencrypt -./letsencrypt-auto --os-packages-only +./letsencrypt-auto --os-packages-only --debug --version ./letsencrypt-auto certonly --no-self-upgrade -v --standalone --debug \ --text --agree-dev-preview --agree-tos \ --renew-by-default --redirect \ From 49aeffdebb03ba6165e93c4486ec7c89b8a5e626 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 15 Feb 2016 12:53:10 -0800 Subject: [PATCH 067/141] Address some review comments --- acme/acme/client.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index a00ff5be4..6a4457430 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -245,15 +245,17 @@ class Client(object): # pylint: disable=too-many-instance-attributes @classmethod def retry_after(cls, response, default): - """Compute next `poll` time based on response ``Retry-After`` header, - per https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.37 + """Compute next `poll` time based on response ``Retry-After`` header. + + Handles integers and various datestring formats per + https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.37 :param requests.Response response: Response from `poll`. :param int default: Default value (in seconds), used when ``Retry-After`` header is not present or invalid. :returns: Time point when next `poll` should be performed. - :rtype: `datetime.datetime.datetime` + :rtype: `datetime.datetime` """ retry_after = response.headers.get('Retry-After', str(default)).strip() From 69e1c6285989bda8dbb88d23e1b37085e51210f4 Mon Sep 17 00:00:00 2001 From: Filip Ochnik Date: Tue, 16 Feb 2016 20:33:22 +0800 Subject: [PATCH 068/141] Add test for cleaning up acme-challenge --- letsencrypt/plugins/webroot_test.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/letsencrypt/plugins/webroot_test.py b/letsencrypt/plugins/webroot_test.py index e3f926c7f..4899c94e6 100644 --- a/letsencrypt/plugins/webroot_test.py +++ b/letsencrypt/plugins/webroot_test.py @@ -30,8 +30,10 @@ class AuthenticatorTest(unittest.TestCase): def setUp(self): from letsencrypt.plugins.webroot import Authenticator self.path = tempfile.mkdtemp() + self.root_challenge_path = os.path.join( + self.path, ".well-known", "acme-challenge") self.validation_path = os.path.join( - self.path, ".well-known", "acme-challenge", + self.root_challenge_path, "ZXZhR3hmQURzNnBTUmIyTEF2OUlaZjE3RHQzanV4R0orUEN0OTJ3citvQQ") self.config = mock.MagicMock(webroot_path=self.path, webroot_map={"thing.com": self.path}) @@ -137,6 +139,7 @@ class AuthenticatorTest(unittest.TestCase): self.auth.cleanup([self.achall]) self.assertFalse(os.path.exists(self.validation_path)) + self.assertFalse(os.path.exists(self.root_challenge_path)) if __name__ == "__main__": From 780c9ce2aedef97e85135c86816e8ccb093f4dc4 Mon Sep 17 00:00:00 2001 From: Filip Ochnik Date: Tue, 16 Feb 2016 20:36:46 +0800 Subject: [PATCH 069/141] Refactor path logic in webroot plugin --- letsencrypt/plugins/webroot.py | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/letsencrypt/plugins/webroot.py b/letsencrypt/plugins/webroot.py index 3f5bc6d28..82a6e20a7 100644 --- a/letsencrypt/plugins/webroot.py +++ b/letsencrypt/plugins/webroot.py @@ -97,7 +97,7 @@ to serve all files under specified web root ({0}).""" assert self.full_roots, "Webroot plugin appears to be missing webroot map" return [self._perform_single(achall) for achall in achalls] - def _path_for_achall(self, achall): + def _get_root_path(self, achall): try: path = self.full_roots[achall.domain] except KeyError: @@ -106,19 +106,23 @@ to serve all files under specified web root ({0}).""" if not os.path.exists(path): raise errors.PluginError("Mysteriously missing path {0} for domain: {1}" .format(path, achall.domain)) - return os.path.join(path, achall.chall.encode("token")) + return path + + def _get_validation_path(self, root_path, achall): + return os.path.join(root_path, achall.chall.encode("token")) def _perform_single(self, achall): response, validation = achall.response_and_validation() - path = self._path_for_achall(achall) - logger.debug("Attempting to save validation to %s", path) + root_path = self._get_root_path(achall) + validation_path = self._get_validation_path(root_path, achall) + logger.debug("Attempting to save validation to %s", validation_path) # Change permissions to be world-readable, owner-writable (GH #1795) old_umask = os.umask(0o022) try: - with open(path, "w") as validation_file: + with open(validation_path, "w") as validation_file: validation_file.write(validation.encode()) finally: os.umask(old_umask) @@ -127,6 +131,7 @@ to serve all files under specified web root ({0}).""" def cleanup(self, achalls): # pylint: disable=missing-docstring for achall in achalls: - path = self._path_for_achall(achall) - logger.debug("Removing %s", path) - os.remove(path) + root_path = self._get_root_path(achall) + validation_path = self._get_validation_path(root_path, achall) + logger.debug("Removing %s", validation_path) + os.remove(validation_path) From 9b5ff7bcd725592b97fcd86521f99bb5b46eb97f Mon Sep 17 00:00:00 2001 From: Filip Ochnik Date: Tue, 16 Feb 2016 20:46:42 +0800 Subject: [PATCH 070/141] Remove acme-challenge after cleaning up all challenges --- letsencrypt/plugins/webroot.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/letsencrypt/plugins/webroot.py b/letsencrypt/plugins/webroot.py index 82a6e20a7..b774a39ed 100644 --- a/letsencrypt/plugins/webroot.py +++ b/letsencrypt/plugins/webroot.py @@ -2,8 +2,10 @@ import errno import logging import os +from collections import defaultdict import zope.interface +import six from acme import challenges @@ -44,6 +46,7 @@ to serve all files under specified web root ({0}).""" def __init__(self, *args, **kwargs): super(Authenticator, self).__init__(*args, **kwargs) self.full_roots = {} + self.performed = defaultdict(set) def prepare(self): # pylint: disable=missing-docstring path_map = self.conf("map") @@ -127,6 +130,8 @@ to serve all files under specified web root ({0}).""" finally: os.umask(old_umask) + self.performed[root_path].add(achall) + return response def cleanup(self, achalls): # pylint: disable=missing-docstring @@ -135,3 +140,10 @@ to serve all files under specified web root ({0}).""" validation_path = self._get_validation_path(root_path, achall) logger.debug("Removing %s", validation_path) os.remove(validation_path) + self.performed[root_path].remove(achall) + + for root_path, achalls in six.iteritems(self.performed): + if not achalls: + logger.debug("All challenges cleaned up, removing %s", + root_path) + os.rmdir(root_path) From d6b213d1e36b20a102b594f0a6772f6fcef2fdbd Mon Sep 17 00:00:00 2001 From: Paul Feitzinger Date: Tue, 16 Feb 2016 12:00:11 -0500 Subject: [PATCH 071/141] wrap csr in ComparableX509 --- acme/examples/example_client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme/examples/example_client.py b/acme/examples/example_client.py index f6b0329f5..261b37603 100644 --- a/acme/examples/example_client.py +++ b/acme/examples/example_client.py @@ -42,7 +42,7 @@ csr = OpenSSL.crypto.load_certificate_request( OpenSSL.crypto.FILETYPE_ASN1, pkg_resources.resource_string( 'acme', os.path.join('testdata', 'csr.der'))) try: - acme.request_issuance(csr, (authzr,)) + acme.request_issuance(jose.util.ComparableX509(csr), (authzr,)) except messages.Error as error: print ("This script is doomed to fail as no authorization " "challenges are ever solved. Error from server: {0}".format(error)) From 7c8638f108552647c468f176e1ba6e4bcd3fc36e Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 16 Feb 2016 11:04:52 -0800 Subject: [PATCH 072/141] Life is simpler if we don't support HTTP/1.0 ACME servers (Though in practice with py27+ we still support them) --- acme/acme/client.py | 19 +++++++------------ acme/acme/client_test.py | 4 ---- 2 files changed, 7 insertions(+), 16 deletions(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index 6a4457430..470ffc41f 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -262,19 +262,14 @@ class Client(object): # pylint: disable=too-many-instance-attributes try: seconds = int(retry_after) except ValueError: - # pylint: disable=no-member when = parsedate_tz(retry_after) - try: - year = when[0] # raises TypeError if t is None - # py26: Handle two-digit years -- but any server that thinks - # "retry after 99" means "come back after 1999" is.. deprecated - if year >= 0 and year < 100: - when = [year + 2000] + list(when[1:]) # pragma: no cover - tzone = when[-1] if when[-1] else 0 - # raises ValueError/OverflowError - return datetime.datetime(*when[:7]) - datetime.timedelta(tzone) - except (TypeError, ValueError, OverflowError): - seconds = default + if when is not None: + try: + tz_secs = datetime.timedelta(when[-1] if when[-1] else 0) + return datetime.datetime(*when[:7]) - tz_secs + except (ValueError, OverflowError): + pass + seconds = default return datetime.datetime.now() + datetime.timedelta(seconds=seconds) diff --git a/acme/acme/client_test.py b/acme/acme/client_test.py index dee78910f..9abc69c7c 100644 --- a/acme/acme/client_test.py +++ b/acme/acme/client_test.py @@ -194,10 +194,6 @@ class ClientTest(unittest.TestCase): self.assertEqual( datetime.datetime(1999, 12, 31, 23, 59, 59), self.client.retry_after(response=self.response, default=10)) - self.response.headers['Retry-After'] = 'Fri, 31-Dec-17 23:59:59 GMT' - self.assertEqual( - datetime.datetime(2017, 12, 31, 23, 59, 59), - self.client.retry_after(response=self.response, default=10)) @mock.patch('acme.client.datetime') def test_retry_after_invalid(self, dt_mock): From 7f2ca5d065cffa83645d84aa13e8a4a56cd28d95 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 16 Feb 2016 11:13:10 -0800 Subject: [PATCH 073/141] Document use of email.utils parser --- acme/acme/client.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/acme/acme/client.py b/acme/acme/client.py index 470ffc41f..0f4286def 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -262,6 +262,8 @@ class Client(object): # pylint: disable=too-many-instance-attributes try: seconds = int(retry_after) except ValueError: + # The RFC 2822 parser handles all of RFC 2616's cases in modern + # environments (primarily HTTP 1.1+ but also py27+) when = parsedate_tz(retry_after) if when is not None: try: From a9780c2ddcee8aee7d9ed33205e512a23c3c4a49 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 16 Feb 2016 11:13:25 -0800 Subject: [PATCH 074/141] Test trailing whitespace in headers --- acme/acme/client_test.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/acme/acme/client_test.py b/acme/acme/client_test.py index 9abc69c7c..00fb1c73c 100644 --- a/acme/acme/client_test.py +++ b/acme/acme/client_test.py @@ -205,6 +205,11 @@ class ClientTest(unittest.TestCase): datetime.datetime(2015, 3, 27, 0, 0, 10), self.client.retry_after(response=self.response, default=10)) + self.response.headers['Retry-After'] = '20 ' + self.assertEqual( + datetime.datetime(2015, 3, 27, 0, 0, 20), + self.client.retry_after(response=self.response, default=10)) + @mock.patch('acme.client.datetime') def test_retry_after_seconds(self, dt_mock): dt_mock.datetime.now.return_value = datetime.datetime(2015, 3, 27) From 9fc723f3166131bcd583df9ed63fc66450228f8d Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 16 Feb 2016 11:52:48 -0800 Subject: [PATCH 075/141] Exceptional coverage --- acme/acme/client_test.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/acme/acme/client_test.py b/acme/acme/client_test.py index 00fb1c73c..79000190d 100644 --- a/acme/acme/client_test.py +++ b/acme/acme/client_test.py @@ -210,6 +210,13 @@ class ClientTest(unittest.TestCase): datetime.datetime(2015, 3, 27, 0, 0, 20), self.client.retry_after(response=self.response, default=10)) + # wrong date -> ValueError + dt_mock.datetime.side_effect = datetime.datetime + self.response.headers['Retry-After'] = "Tue, 116 Feb 2016 11:50:00 MST" + self.assertEqual( + datetime.datetime(2015, 3, 27, 0, 0, 10), + self.client.retry_after(response=self.response, default=10)) + @mock.patch('acme.client.datetime') def test_retry_after_seconds(self, dt_mock): dt_mock.datetime.now.return_value = datetime.datetime(2015, 3, 27) From beeb65d2f24f10a19a31b3bcf97322f7d11ce8bf Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Tue, 16 Feb 2016 12:24:29 -0800 Subject: [PATCH 076/141] Add test --- letsencrypt/tests/cli_test.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/letsencrypt/tests/cli_test.py b/letsencrypt/tests/cli_test.py index 8184a557e..77a4b5892 100644 --- a/letsencrypt/tests/cli_test.py +++ b/letsencrypt/tests/cli_test.py @@ -351,6 +351,11 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods self._call, ['-d', '*.wildcard.tld']) + # Bare IP address (this is actually a different error message now) + self.assertRaises(errors.ConfigurationError, + self._call, + ['-d', '204.11.231.35']) + def _get_argument_parser(self): plugins = disco.PluginsRegistry.find_all() return functools.partial(cli.prepare_and_parse_args, plugins) From 16761bc8367497d2a00221d5165de1f11dcaaea0 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Tue, 16 Feb 2016 13:00:08 -0800 Subject: [PATCH 077/141] Fix lint line-too-long complaint --- letsencrypt/le_util.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/letsencrypt/le_util.py b/letsencrypt/le_util.py index 73d112eca..1178d1968 100644 --- a/letsencrypt/le_util.py +++ b/letsencrypt/le_util.py @@ -322,7 +322,10 @@ def enforce_domain_sanity(domain): # being FQDNs) because hope springs eternal on this point try: socket.inet_aton(domain) - raise errors.ConfigurationError("Requested name {0} is an IP address. The Let's Encrypt certificate authority will not issue certificates for a bare IP address.".format(domain)) + raise errors.ConfigurationError( + "Requested name {0} is an IP address. The Let's Encrypt " + "certificate authority will not issue certificates for a " + "bare IP address.".format(domain)) except socket.error: # It wasn't an IP address, so that's good pass From 95efab93b7616a8bd7d836b0f59334b678ecfd78 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 16 Feb 2016 13:59:28 -0800 Subject: [PATCH 078/141] Remove quotes around $SUDO --- letsencrypt-auto-source/letsencrypt-auto | 4 ++-- letsencrypt-auto-source/pieces/bootstrappers/arch_common.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 0630c649a..255ba2793 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -307,10 +307,10 @@ BootstrapArchCommon() { pkg-config " - missing=$("$SUDO" pacman -T $deps) + missing=$($SUDO pacman -T $deps) if [ "$missing" ]; then - "$SUDO" pacman -S --needed $missing + $SUDO pacman -S --needed $missing fi } diff --git a/letsencrypt-auto-source/pieces/bootstrappers/arch_common.sh b/letsencrypt-auto-source/pieces/bootstrappers/arch_common.sh index 90a9d43c4..2e11e0ae9 100755 --- a/letsencrypt-auto-source/pieces/bootstrappers/arch_common.sh +++ b/letsencrypt-auto-source/pieces/bootstrappers/arch_common.sh @@ -18,9 +18,9 @@ BootstrapArchCommon() { pkg-config " - missing=$("$SUDO" pacman -T $deps) + missing=$($SUDO pacman -T $deps) if [ "$missing" ]; then - "$SUDO" pacman -S --needed $missing + $SUDO pacman -S --needed $missing fi } From 4b25d6543fe6df6d33d610637c49f5594a17463c Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 16 Feb 2016 14:19:27 -0800 Subject: [PATCH 079/141] Don't exit without installing packages --- letsencrypt-auto-source/letsencrypt-auto | 3 ++- letsencrypt-auto-source/pieces/bootstrappers/arch_common.sh | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 255ba2793..59767a4d0 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -307,7 +307,8 @@ BootstrapArchCommon() { pkg-config " - missing=$($SUDO pacman -T $deps) + # pacman -T exits with 127 if there are missing dependencies + missing=$($SUDO pacman -T $deps) || true if [ "$missing" ]; then $SUDO pacman -S --needed $missing diff --git a/letsencrypt-auto-source/pieces/bootstrappers/arch_common.sh b/letsencrypt-auto-source/pieces/bootstrappers/arch_common.sh index 2e11e0ae9..b2fc01a14 100755 --- a/letsencrypt-auto-source/pieces/bootstrappers/arch_common.sh +++ b/letsencrypt-auto-source/pieces/bootstrappers/arch_common.sh @@ -18,7 +18,8 @@ BootstrapArchCommon() { pkg-config " - missing=$($SUDO pacman -T $deps) + # pacman -T exits with 127 if there are missing dependencies + missing=$($SUDO pacman -T $deps) || true if [ "$missing" ]; then $SUDO pacman -S --needed $missing From 55228e2df4a98a5b2214c77fbd04c4d8d878815b Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 16 Feb 2016 14:30:35 -0800 Subject: [PATCH 080/141] Remove quotes around SUDO in other bootstrap scripts --- letsencrypt-auto-source/letsencrypt-auto | 8 ++++---- letsencrypt-auto-source/pieces/bootstrappers/free_bsd.sh | 2 +- .../pieces/bootstrappers/gentoo_common.sh | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 59767a4d0..58534ee32 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -328,19 +328,19 @@ BootstrapGentooCommon() { case "$PACKAGE_MANAGER" in (paludis) - "$SUDO" cave resolve --preserve-world --keep-targets if-possible $PACKAGES -x + $SUDO cave resolve --preserve-world --keep-targets if-possible $PACKAGES -x ;; (pkgcore) - "$SUDO" pmerge --noreplace --oneshot $PACKAGES + $SUDO pmerge --noreplace --oneshot $PACKAGES ;; (portage|*) - "$SUDO" emerge --noreplace --oneshot $PACKAGES + $SUDO emerge --noreplace --oneshot $PACKAGES ;; esac } BootstrapFreeBsd() { - "$SUDO" pkg install -Ay \ + $SUDO pkg install -Ay \ python \ py27-virtualenv \ augeas \ diff --git a/letsencrypt-auto-source/pieces/bootstrappers/free_bsd.sh b/letsencrypt-auto-source/pieces/bootstrappers/free_bsd.sh index c9abd22eb..deb2e2115 100755 --- a/letsencrypt-auto-source/pieces/bootstrappers/free_bsd.sh +++ b/letsencrypt-auto-source/pieces/bootstrappers/free_bsd.sh @@ -1,5 +1,5 @@ BootstrapFreeBsd() { - "$SUDO" pkg install -Ay \ + $SUDO pkg install -Ay \ python \ py27-virtualenv \ augeas \ diff --git a/letsencrypt-auto-source/pieces/bootstrappers/gentoo_common.sh b/letsencrypt-auto-source/pieces/bootstrappers/gentoo_common.sh index 1d8211df4..580b69a0d 100755 --- a/letsencrypt-auto-source/pieces/bootstrappers/gentoo_common.sh +++ b/letsencrypt-auto-source/pieces/bootstrappers/gentoo_common.sh @@ -11,13 +11,13 @@ BootstrapGentooCommon() { case "$PACKAGE_MANAGER" in (paludis) - "$SUDO" cave resolve --preserve-world --keep-targets if-possible $PACKAGES -x + $SUDO cave resolve --preserve-world --keep-targets if-possible $PACKAGES -x ;; (pkgcore) - "$SUDO" pmerge --noreplace --oneshot $PACKAGES + $SUDO pmerge --noreplace --oneshot $PACKAGES ;; (portage|*) - "$SUDO" emerge --noreplace --oneshot $PACKAGES + $SUDO emerge --noreplace --oneshot $PACKAGES ;; esac } From 31a27f675ae00a7762170bee1b8ad683a3a8e9ac Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Tue, 16 Feb 2016 14:41:02 -0800 Subject: [PATCH 081/141] Trivial change to re-run tests after spurious integration test failure --- letsencrypt/le_util.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt/le_util.py b/letsencrypt/le_util.py index 1178d1968..c8a9d24c2 100644 --- a/letsencrypt/le_util.py +++ b/letsencrypt/le_util.py @@ -319,7 +319,7 @@ def enforce_domain_sanity(domain): domain = domain[:-1] if domain.endswith('.') else domain # Explain separately that IP addresses aren't allowed (apart from not - # being FQDNs) because hope springs eternal on this point + # being FQDNs) because hope springs eternal concerning this point try: socket.inet_aton(domain) raise errors.ConfigurationError( From c71fa444569da3ffefefe3396306b9fe52b9c94c Mon Sep 17 00:00:00 2001 From: Erik Rose Date: Tue, 16 Feb 2016 17:51:08 -0500 Subject: [PATCH 082/141] Upgrade peep to 3.1.1. Fix bad LE experience reported at https://github.com/erikrose/peep/issues/119. --- letsencrypt-auto-source/letsencrypt-auto | 23 ++++++++++++++++------- letsencrypt-auto-source/pieces/peep.py | 23 ++++++++++++++++------- 2 files changed, 32 insertions(+), 14 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 743770f35..08390c0c4 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -756,6 +756,7 @@ except ImportError: from pip.util import url_to_path # 0.7.0 except ImportError: from pip.util import url_to_filename as url_to_path # 0.6.2 +from pip.exceptions import InstallationError from pip.index import PackageFinder, Link try: from pip.log import logger @@ -774,7 +775,7 @@ except ImportError: DownloadProgressBar = DownloadProgressSpinner = NullProgressBar -__version__ = 3, 0, 0 +__version__ = 3, 1, 1 try: from pip.index import FormatControl # noqa @@ -792,6 +793,7 @@ ITS_FINE_ITS_FINE = 0 SOMETHING_WENT_WRONG = 1 # "Traditional" for command-line errors according to optparse docs: COMMAND_LINE_ERROR = 2 +UNHANDLED_EXCEPTION = 3 ARCHIVE_EXTENSIONS = ('.tar.bz2', '.tar.gz', '.tgz', '.tar', '.zip') @@ -1554,7 +1556,7 @@ def peep_install(argv): first_every_last(buckets[SatisfiedReq], *printers) return ITS_FINE_ITS_FINE - except (UnsupportedRequirementError, DownloadError) as exc: + except (UnsupportedRequirementError, InstallationError, DownloadError) as exc: out(str(exc)) return SOMETHING_WENT_WRONG finally: @@ -1574,16 +1576,23 @@ def peep_port(paths): print('Please specify one or more requirements files so I have ' 'something to port.\n') return COMMAND_LINE_ERROR + + comes_from = None for req in chain.from_iterable( _parse_requirements(path, package_finder(argv)) for path in paths): + req_path, req_line = path_and_line(req) hashes = [hexlify(urlsafe_b64decode((hash + '=').encode('ascii'))).decode('ascii') - for hash in hashes_above(*path_and_line(req))] + for hash in hashes_above(req_path, req_line)] + if req_path != comes_from: + print() + print('# from %s' % req_path) + print() + comes_from = req_path + if not hashes: print(req.req) - elif len(hashes) == 1: - print('%s --hash=sha256:%s' % (req.req, hashes[0])) else: - print('%s' % req.req, end='') + print('%s' % (req.link if getattr(req, 'link', None) else req.req), end='') for hash in hashes: print(' \\') print(' --hash=sha256:%s' % hash, end='') @@ -1628,7 +1637,7 @@ if __name__ == '__main__': exit(main()) except Exception: exception_handler(*sys.exc_info()) - exit(SOMETHING_WENT_WRONG) + exit(UNHANDLED_EXCEPTION) UNLIKELY_EOF # ------------------------------------------------------------------------- diff --git a/letsencrypt-auto-source/pieces/peep.py b/letsencrypt-auto-source/pieces/peep.py index c4e51f483..eee823ff2 100755 --- a/letsencrypt-auto-source/pieces/peep.py +++ b/letsencrypt-auto-source/pieces/peep.py @@ -86,6 +86,7 @@ except ImportError: from pip.util import url_to_path # 0.7.0 except ImportError: from pip.util import url_to_filename as url_to_path # 0.6.2 +from pip.exceptions import InstallationError from pip.index import PackageFinder, Link try: from pip.log import logger @@ -104,7 +105,7 @@ except ImportError: DownloadProgressBar = DownloadProgressSpinner = NullProgressBar -__version__ = 3, 0, 0 +__version__ = 3, 1, 1 try: from pip.index import FormatControl # noqa @@ -122,6 +123,7 @@ ITS_FINE_ITS_FINE = 0 SOMETHING_WENT_WRONG = 1 # "Traditional" for command-line errors according to optparse docs: COMMAND_LINE_ERROR = 2 +UNHANDLED_EXCEPTION = 3 ARCHIVE_EXTENSIONS = ('.tar.bz2', '.tar.gz', '.tgz', '.tar', '.zip') @@ -884,7 +886,7 @@ def peep_install(argv): first_every_last(buckets[SatisfiedReq], *printers) return ITS_FINE_ITS_FINE - except (UnsupportedRequirementError, DownloadError) as exc: + except (UnsupportedRequirementError, InstallationError, DownloadError) as exc: out(str(exc)) return SOMETHING_WENT_WRONG finally: @@ -904,16 +906,23 @@ def peep_port(paths): print('Please specify one or more requirements files so I have ' 'something to port.\n') return COMMAND_LINE_ERROR + + comes_from = None for req in chain.from_iterable( _parse_requirements(path, package_finder(argv)) for path in paths): + req_path, req_line = path_and_line(req) hashes = [hexlify(urlsafe_b64decode((hash + '=').encode('ascii'))).decode('ascii') - for hash in hashes_above(*path_and_line(req))] + for hash in hashes_above(req_path, req_line)] + if req_path != comes_from: + print() + print('# from %s' % req_path) + print() + comes_from = req_path + if not hashes: print(req.req) - elif len(hashes) == 1: - print('%s --hash=sha256:%s' % (req.req, hashes[0])) else: - print('%s' % req.req, end='') + print('%s' % (req.link if getattr(req, 'link', None) else req.req), end='') for hash in hashes: print(' \\') print(' --hash=sha256:%s' % hash, end='') @@ -958,4 +967,4 @@ if __name__ == '__main__': exit(main()) except Exception: exception_handler(*sys.exc_info()) - exit(SOMETHING_WENT_WRONG) + exit(UNHANDLED_EXCEPTION) From 36c6f734a8fe2ffb2337062cf52edda8086b9560 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 16 Feb 2016 14:56:26 -0800 Subject: [PATCH 083/141] fix #2470 --- letsencrypt-apache/letsencrypt_apache/configurator.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index cbc451ac9..b2d143f26 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -895,9 +895,10 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): for addr in vhost.addrs: # In Apache 2.2, when a NameVirtualHost directive is not # set, "*" and "_default_" will conflict when sharing a port + addrs = set((addr,)) if addr.get_addr() in ("*", "_default_"): - addrs = [obj.Addr((a, addr.get_port(),)) - for a in ("*", "_default_")] + addrs.update(obj.Addr((a, addr.get_port(),)) + for a in ("*", "_default_")) for test_vh in self.vhosts: if (vhost.filep != test_vh.filep and From 3964357eb3417b4bb3e3c61b611852983f8f08d4 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Tue, 16 Feb 2016 15:48:36 -0800 Subject: [PATCH 084/141] rewrite generic files --- .../letsencrypt_apache/configurator.py | 7 +++++++ letsencrypt-apache/letsencrypt_apache/obj.py | 17 +++++++++++------ 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index cbc451ac9..694767f2a 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -1074,6 +1074,9 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): if not self._is_rewrite_engine_on(general_vh): self.parser.add_dir(general_vh.path, "RewriteEngine", "on") + for name in ssl_vhost.get_names(): + self.parser.add_dir(general_vh.path, "RewriteCond", + ["%{SERVER_NAME}", "={0}".format(name), "[OR]"] if self.get_version() >= (2, 3, 9): self.parser.add_dir(general_vh.path, "RewriteRule", constants.REWRITE_HTTPS_ARGS_WITH_END) @@ -1243,6 +1246,10 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): for http_vh in candidate_http_vhs: if http_vh.same_server(ssl_vhost): return http_vh + # Third filter - if none with same names, return generic + for http_vh in candidate_http_vhs: + if http_vh.same_server(ssl_vhost, generic=True): + return http_vh return None diff --git a/letsencrypt-apache/letsencrypt_apache/obj.py b/letsencrypt-apache/letsencrypt_apache/obj.py index 175ce3f92..c98ca4b99 100644 --- a/letsencrypt-apache/letsencrypt_apache/obj.py +++ b/letsencrypt-apache/letsencrypt_apache/obj.py @@ -189,7 +189,7 @@ class VirtualHost(object): # pylint: disable=too-few-public-methods return True return False - def same_server(self, vhost): + def same_server(self, vhost, generic=False): """Determines if the vhost is the same 'server'. Used in redirection - indicates whether or not the two virtual hosts @@ -199,12 +199,17 @@ class VirtualHost(object): # pylint: disable=too-few-public-methods """ - if vhost.get_names() != self.get_names(): - return False + if not generic: + if vhost.get_names() != self.get_names(): + return False - # If equal and set is not empty... assume same server - if self.name is not None or self.aliases: - return True + # If equal and set is not empty... assume same server + if self.name is not None or self.aliases: + return True + # If we're looking for a generic vhost, don't return one with a ServerName + else: + if self.name: + return False # Both sets of names are empty. From bf30e54a32f91178d8d84305e2db4fb11592bb70 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Tue, 16 Feb 2016 15:58:53 -0800 Subject: [PATCH 085/141] fix syntax and don't have unneeded ors --- letsencrypt-apache/letsencrypt_apache/configurator.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index 694767f2a..2198cbdfb 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -1073,10 +1073,13 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): # even with save() and load() if not self._is_rewrite_engine_on(general_vh): self.parser.add_dir(general_vh.path, "RewriteEngine", "on") - - for name in ssl_vhost.get_names(): + cond = "[OR]" + names = ssl_vhost.get_names() + for idx, name in enumerate(names): + if idx == len(names) - 1: + cond = "" self.parser.add_dir(general_vh.path, "RewriteCond", - ["%{SERVER_NAME}", "={0}".format(name), "[OR]"] + ["%{SERVER_NAME}", "={0}".format(name), cond]) if self.get_version() >= (2, 3, 9): self.parser.add_dir(general_vh.path, "RewriteRule", constants.REWRITE_HTTPS_ARGS_WITH_END) From 109d6caf6525e1673e4d126bd1a73530645be9bf Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Tue, 16 Feb 2016 16:07:03 -0800 Subject: [PATCH 086/141] fix how OR is added --- letsencrypt-apache/letsencrypt_apache/configurator.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index 2198cbdfb..9cff002f1 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -1073,13 +1073,12 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): # even with save() and load() if not self._is_rewrite_engine_on(general_vh): self.parser.add_dir(general_vh.path, "RewriteEngine", "on") - cond = "[OR]" names = ssl_vhost.get_names() for idx, name in enumerate(names): + args = ["%{SERVER_NAME}", "={0}".format(name), "[OR]"] if idx == len(names) - 1: - cond = "" - self.parser.add_dir(general_vh.path, "RewriteCond", - ["%{SERVER_NAME}", "={0}".format(name), cond]) + args.pop() + self.parser.add_dir(general_vh.path, "RewriteCond", args) if self.get_version() >= (2, 3, 9): self.parser.add_dir(general_vh.path, "RewriteRule", constants.REWRITE_HTTPS_ARGS_WITH_END) From c8a9da844294829d8f7c3f5a882f7d9ce5f2a4e1 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Tue, 16 Feb 2016 16:47:29 -0800 Subject: [PATCH 087/141] update test to hit new line in configurator --- .../letsencrypt_apache/tests/configurator_test.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py b/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py index 5b15a20d1..58ec3fe21 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py +++ b/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py @@ -746,9 +746,9 @@ class TwoVhost80Test(util.ApacheTest): self.config.parser.modules.add("rewrite_module") mock_exe.return_value = True ssl_vh = obj.VirtualHost( - "fp", "ap", set([obj.Addr(("*", "443")), - obj.Addr(("satoshi.com",))]), + "fp", "ap", set([obj.Addr(("*", "443"))]), True, False) + ssl_vh.name = "satoshi.com" self.config.vhosts.append(ssl_vh) self.assertRaises( errors.PluginError, From dbc81490e5257ee3dbdb82b85140144ce85ef4bf Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 16 Feb 2016 17:10:59 -0800 Subject: [PATCH 088/141] Revert "Let --no-self-upgrade bootstrap OS packages. Fix #2432." This reverts commit 6eb2d60166f142d489f70a2e6076d2fe7c3b3769. --- letsencrypt-auto-source/Dockerfile | 2 +- letsencrypt-auto-source/letsencrypt-auto | 52 +++++++++---------- .../letsencrypt-auto.template | 52 +++++++++---------- 3 files changed, 49 insertions(+), 57 deletions(-) diff --git a/letsencrypt-auto-source/Dockerfile b/letsencrypt-auto-source/Dockerfile index ad2465fda..fd7fe4851 100644 --- a/letsencrypt-auto-source/Dockerfile +++ b/letsencrypt-auto-source/Dockerfile @@ -17,7 +17,7 @@ RUN apt-get update && \ apt-get clean RUN pip install nose -RUN mkdir -p /home/lea/letsencrypt +RUN mkdir -p /home/lea/letsencrypt/letsencrypt # Install fake testing CA: COPY ./tests/certs/ca/my-root-ca.crt.pem /usr/local/share/ca-certificates/ diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 743770f35..b542c8d3e 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -422,10 +422,9 @@ TempDir() { -if [ "$1" = "--le-auto-phase2" ]; then +if [ "$NO_SELF_UPGRADE" = 1 ]; then # Phase 2: Create venv, install LE, and run. - shift 1 # the --le-auto-phase2 arg if [ -f "$VENV_BIN/letsencrypt" ]; then INSTALLED_VERSION=$("$VENV_BIN/letsencrypt" --version 2>&1 | cut -d " " -f 2) else @@ -1666,11 +1665,10 @@ else exit 0 fi - if [ "$NO_SELF_UPGRADE" != 1 ]; then - echo "Checking for new version..." - TEMP_DIR=$(TempDir) - # --------------------------------------------------------------------------- - cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py" + echo "Checking for new version..." + TEMP_DIR=$(TempDir) + # --------------------------------------------------------------------------- + cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py" """Do downloading and JSON parsing without additional dependencies. :: # Print latest released version of LE to stdout: @@ -1799,27 +1797,25 @@ if __name__ == '__main__': exit(main()) UNLIKELY_EOF - # --------------------------------------------------------------------------- - DeterminePythonVersion - REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` - if [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then - echo "Upgrading letsencrypt-auto $LE_AUTO_VERSION to $REMOTE_VERSION..." + # --------------------------------------------------------------------------- + DeterminePythonVersion + REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` + if [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then + echo "Upgrading letsencrypt-auto $LE_AUTO_VERSION to $REMOTE_VERSION..." - # Now we drop into Python so we don't have to install even more - # dependencies (curl, etc.), for better flow control, and for the option of - # future Windows compatibility. - "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION" + # Now we drop into Python so we don't have to install even more + # dependencies (curl, etc.), for better flow control, and for the option of + # future Windows compatibility. + "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION" - # Install new copy of letsencrypt-auto. This preserves permissions and - # ownership from the old copy. - # TODO: Deal with quotes in pathnames. - echo "Replacing letsencrypt-auto..." - echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" - $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" - # TODO: Clean up temp dir safely, even if it has quotes in its path. - rm -rf "$TEMP_DIR" - fi # A newer version is available. - fi # Self-upgrading is allowed. - - "$0" --le-auto-phase2 "$@" + # Install new copy of letsencrypt-auto. This preserves permissions and + # ownership from the old copy. + # TODO: Deal with quotes in pathnames. + echo "Replacing letsencrypt-auto..." + echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + # TODO: Clean up temp dir safely, even if it has quotes in its path. + rm -rf "$TEMP_DIR" + fi # should upgrade + "$0" --no-self-upgrade "$@" fi diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index 204813daf..bccd9e2c9 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -171,10 +171,9 @@ TempDir() { -if [ "$1" = "--le-auto-phase2" ]; then +if [ "$NO_SELF_UPGRADE" = 1 ]; then # Phase 2: Create venv, install LE, and run. - shift 1 # the --le-auto-phase2 arg if [ -f "$VENV_BIN/letsencrypt" ]; then INSTALLED_VERSION=$("$VENV_BIN/letsencrypt" --version 2>&1 | cut -d " " -f 2) else @@ -236,34 +235,31 @@ else exit 0 fi - if [ "$NO_SELF_UPGRADE" != 1 ]; then - echo "Checking for new version..." - TEMP_DIR=$(TempDir) - # --------------------------------------------------------------------------- - cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py" + echo "Checking for new version..." + TEMP_DIR=$(TempDir) + # --------------------------------------------------------------------------- + cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py" {{ fetch.py }} UNLIKELY_EOF - # --------------------------------------------------------------------------- - DeterminePythonVersion - REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` - if [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then - echo "Upgrading letsencrypt-auto $LE_AUTO_VERSION to $REMOTE_VERSION..." + # --------------------------------------------------------------------------- + DeterminePythonVersion + REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` + if [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then + echo "Upgrading letsencrypt-auto $LE_AUTO_VERSION to $REMOTE_VERSION..." - # Now we drop into Python so we don't have to install even more - # dependencies (curl, etc.), for better flow control, and for the option of - # future Windows compatibility. - "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION" + # Now we drop into Python so we don't have to install even more + # dependencies (curl, etc.), for better flow control, and for the option of + # future Windows compatibility. + "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION" - # Install new copy of letsencrypt-auto. This preserves permissions and - # ownership from the old copy. - # TODO: Deal with quotes in pathnames. - echo "Replacing letsencrypt-auto..." - echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" - $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" - # TODO: Clean up temp dir safely, even if it has quotes in its path. - rm -rf "$TEMP_DIR" - fi # A newer version is available. - fi # Self-upgrading is allowed. - - "$0" --le-auto-phase2 "$@" + # Install new copy of letsencrypt-auto. This preserves permissions and + # ownership from the old copy. + # TODO: Deal with quotes in pathnames. + echo "Replacing letsencrypt-auto..." + echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + # TODO: Clean up temp dir safely, even if it has quotes in its path. + rm -rf "$TEMP_DIR" + fi # should upgrade + "$0" --no-self-upgrade "$@" fi From fe1ab15f4b5f69fb7a773f37512c8eb7f18d03d0 Mon Sep 17 00:00:00 2001 From: TheNavigat Date: Wed, 17 Feb 2016 05:33:00 +0200 Subject: [PATCH 089/141] Adding test for unsupported MX error --- letsencrypt/tests/client_test.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/letsencrypt/tests/client_test.py b/letsencrypt/tests/client_test.py index f712ea94c..1f53fdc35 100644 --- a/letsencrypt/tests/client_test.py +++ b/letsencrypt/tests/client_test.py @@ -83,6 +83,14 @@ class RegisterTest(unittest.TestCase): self._call() mock_logger.warn.assert_called_once_with(mock.ANY) + def test_unsupported_error(self): + from acme import messages + msg = "Test" + mx_err = messages.Error(detail=msg, typ="malformed", title="title") + with mock.patch("letsencrypt.client.acme_client.Client") as mock_client: + mock_client().register.side_effect = [mx_err, mock.MagicMock()] + self.assertRaises(messages.Error, self._call) + class ClientTest(unittest.TestCase): """Tests for letsencrypt.client.Client.""" From 8b7f72b5bc2db2bd8dd922b27048383e89e1e2d9 Mon Sep 17 00:00:00 2001 From: TheNavigat Date: Wed, 17 Feb 2016 06:22:50 +0200 Subject: [PATCH 090/141] Adding test for obtain_certificate_from_csr with auth_handler set to None --- letsencrypt/tests/client_test.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/letsencrypt/tests/client_test.py b/letsencrypt/tests/client_test.py index 1f53fdc35..14f4340f0 100644 --- a/letsencrypt/tests/client_test.py +++ b/letsencrypt/tests/client_test.py @@ -127,8 +127,9 @@ class ClientTest(unittest.TestCase): self.acme.fetch_chain.assert_called_once_with(mock.sentinel.certr) # FIXME move parts of this to test_cli.py... + @mock.patch("letsencrypt.client.logger") @mock.patch("letsencrypt.cli._process_domain") - def test_obtain_certificate_from_csr(self, mock_process_domain): + def test_obtain_certificate_from_csr(self, mock_process_domain, mock_logger): self._mock_obtain_certificate() from letsencrypt import cli test_csr = le_util.CSR(form="der", file=None, data=CSR_SAN) @@ -153,6 +154,14 @@ class ClientTest(unittest.TestCase): # and that the cert was obtained correctly self._check_obtain_certificate() + # Test for no auth_handler + self.client.auth_handler = None + self.assertRaises( + errors.Error, + self.client.obtain_certificate_from_csr, + self.eg_domains, + test_csr) + mock_logger.warning.assert_called_once_with(mock.ANY) @mock.patch("letsencrypt.client.crypto_util") def test_obtain_certificate(self, mock_crypto_util): From 560ad7152da5e4a521d5a77837ea52f19aa6ad0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=B4she=20van=20der=20Sterre?= Date: Wed, 17 Feb 2016 06:38:07 +0100 Subject: [PATCH 091/141] Removed a mention of SimpleHTTP from comments --- .travis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index e253081d9..0e4c8c0f6 100644 --- a/.travis.yml +++ b/.travis.yml @@ -65,8 +65,8 @@ branches: sudo: false addons: - # Custom /etc/hosts required for SimpleHTTP simple verification, - # simple_verify for http01 and tls-sni-01, and letsencrypt_test_nginx + # Custom /etc/hosts required for simple verification of http-01 + # and tls-sni-01, and for letsencrypt_test_nginx hosts: - le.wtf - le1.wtf From 4d9f487e893de6c40136078dbdae0d56c2cbb264 Mon Sep 17 00:00:00 2001 From: Filip Ochnik Date: Wed, 17 Feb 2016 17:04:10 +0800 Subject: [PATCH 092/141] Handle rmdir failure --- letsencrypt/plugins/webroot.py | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/letsencrypt/plugins/webroot.py b/letsencrypt/plugins/webroot.py index b774a39ed..49f779bb8 100644 --- a/letsencrypt/plugins/webroot.py +++ b/letsencrypt/plugins/webroot.py @@ -144,6 +144,13 @@ to serve all files under specified web root ({0}).""" for root_path, achalls in six.iteritems(self.performed): if not achalls: - logger.debug("All challenges cleaned up, removing %s", - root_path) - os.rmdir(root_path) + try: + os.rmdir(root_path) + logger.debug("All challenges cleaned up, removing %s", + root_path) + except OSError as exc: + if exc.errno == errno.ENOTEMPTY: + logger.debug("Challenges cleaned up but %s not empty", + root_path) + else: + raise From 0554163ff974b2b2385dd82e57892d1119a3e7fa Mon Sep 17 00:00:00 2001 From: Filip Ochnik Date: Wed, 17 Feb 2016 17:21:25 +0800 Subject: [PATCH 093/141] Additional tests for webroot cleanup --- letsencrypt/plugins/webroot_test.py | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/letsencrypt/plugins/webroot_test.py b/letsencrypt/plugins/webroot_test.py index 4899c94e6..7a34b3fcc 100644 --- a/letsencrypt/plugins/webroot_test.py +++ b/letsencrypt/plugins/webroot_test.py @@ -141,6 +141,32 @@ class AuthenticatorTest(unittest.TestCase): self.assertFalse(os.path.exists(self.validation_path)) self.assertFalse(os.path.exists(self.root_challenge_path)) + def test_cleanup_leftovers(self): + self.auth.prepare() + self.auth.perform([self.achall]) + + leftover_path = os.path.join(self.root_challenge_path, 'leftover') + os.mkdir(leftover_path) + + self.auth.cleanup([self.achall]) + self.assertFalse(os.path.exists(self.validation_path)) + self.assertTrue(os.path.exists(self.root_challenge_path)) + + os.rmdir(leftover_path) + + @mock.patch('os.rmdir') + def test_cleanup_oserror(self, mock_rmdir): + self.auth.prepare() + self.auth.perform([self.achall]) + + os_error = OSError() + os_error.errno = errno.EACCES + mock_rmdir.side_effect = os_error + + self.assertRaises(OSError, self.auth.cleanup, [self.achall]) + self.assertFalse(os.path.exists(self.validation_path)) + self.assertTrue(os.path.exists(self.root_challenge_path)) + if __name__ == "__main__": unittest.main() # pragma: no cover From f72bcb5ea40b3aaa9f94ce4ddded6032c5bed448 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Wed, 17 Feb 2016 15:57:14 -0800 Subject: [PATCH 094/141] print only challenge changes to configs --- letsencrypt-apache/letsencrypt_apache/configurator.py | 1 - letsencrypt-apache/letsencrypt_apache/tls_sni_01.py | 4 +++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index cbc451ac9..b2dc2e974 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -1429,7 +1429,6 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): """ self.config_test() - logger.debug(self.reverter.view_config_changes(for_logging=True)) self._reload() def _reload(self): diff --git a/letsencrypt-apache/letsencrypt_apache/tls_sni_01.py b/letsencrypt-apache/letsencrypt_apache/tls_sni_01.py index cc1d749a0..d78910149 100644 --- a/letsencrypt-apache/letsencrypt_apache/tls_sni_01.py +++ b/letsencrypt-apache/letsencrypt_apache/tls_sni_01.py @@ -108,7 +108,7 @@ class ApacheTlsSni01(common.TLSSNI01): self.configurator.reverter.register_file_creation( True, self.challenge_conf) - logger.debug("writing a config file with text: %s", config_text) + logger.debug("writing a config file with text:\n %s", config_text) with open(self.challenge_conf, "w") as new_conf: new_conf.write(config_text) @@ -144,6 +144,8 @@ class ApacheTlsSni01(common.TLSSNI01): if len(self.configurator.parser.find_dir( parser.case_i("Include"), self.challenge_conf)) == 0: # print "Including challenge virtual host(s)" + logger.debug("Adding Include {0} to {1}".format( + self.challenge_conf, parser.get_aug_path(main_config))) self.configurator.parser.add_dir( parser.get_aug_path(main_config), "Include", self.challenge_conf) From 8d61c86c8c4934539ca74dc31661c07e3b3b17ee Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 17 Feb 2016 16:11:50 -0800 Subject: [PATCH 095/141] Well actually We don't need stripping after all. --- acme/acme/client.py | 2 +- acme/acme/client_test.py | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index 0f4286def..eaca6dc7d 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -258,7 +258,7 @@ class Client(object): # pylint: disable=too-many-instance-attributes :rtype: `datetime.datetime` """ - retry_after = response.headers.get('Retry-After', str(default)).strip() + retry_after = response.headers.get('Retry-After', str(default)) try: seconds = int(retry_after) except ValueError: diff --git a/acme/acme/client_test.py b/acme/acme/client_test.py index 79000190d..29f60c25d 100644 --- a/acme/acme/client_test.py +++ b/acme/acme/client_test.py @@ -205,11 +205,6 @@ class ClientTest(unittest.TestCase): datetime.datetime(2015, 3, 27, 0, 0, 10), self.client.retry_after(response=self.response, default=10)) - self.response.headers['Retry-After'] = '20 ' - self.assertEqual( - datetime.datetime(2015, 3, 27, 0, 0, 20), - self.client.retry_after(response=self.response, default=10)) - # wrong date -> ValueError dt_mock.datetime.side_effect = datetime.datetime self.response.headers['Retry-After'] = "Tue, 116 Feb 2016 11:50:00 MST" From 812d6e7ae99e55c35854d551748f7540982ab165 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Wed, 17 Feb 2016 16:30:55 -0800 Subject: [PATCH 096/141] fix linting --- letsencrypt-apache/letsencrypt_apache/tls_sni_01.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/tls_sni_01.py b/letsencrypt-apache/letsencrypt_apache/tls_sni_01.py index d78910149..671686433 100644 --- a/letsencrypt-apache/letsencrypt_apache/tls_sni_01.py +++ b/letsencrypt-apache/letsencrypt_apache/tls_sni_01.py @@ -144,8 +144,8 @@ class ApacheTlsSni01(common.TLSSNI01): if len(self.configurator.parser.find_dir( parser.case_i("Include"), self.challenge_conf)) == 0: # print "Including challenge virtual host(s)" - logger.debug("Adding Include {0} to {1}".format( - self.challenge_conf, parser.get_aug_path(main_config))) + logger.debug("Adding Include %s to %s", + self.challenge_conf, parser.get_aug_path(main_config)) self.configurator.parser.add_dir( parser.get_aug_path(main_config), "Include", self.challenge_conf) From 6135ba7a59e2b361669bbcfeb04da31c7355a521 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Wed, 17 Feb 2016 17:24:57 -0800 Subject: [PATCH 097/141] break --- letsencrypt-apache/letsencrypt_apache/configurator.py | 1 + 1 file changed, 1 insertion(+) diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index b2d143f26..f4a407974 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -908,6 +908,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): self.add_name_vhost(addr) logger.info("Enabling NameVirtualHosts on %s", addr) need_to_save = True + break if need_to_save: self.save() From eec6287d12ce70410abbe5f77de960c723af7651 Mon Sep 17 00:00:00 2001 From: dave-cz Date: Thu, 18 Feb 2016 09:57:06 +0100 Subject: [PATCH 098/141] change in the source file --- letsencrypt-auto-source/pieces/bootstrappers/deb_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt-auto-source/pieces/bootstrappers/deb_common.sh b/letsencrypt-auto-source/pieces/bootstrappers/deb_common.sh index b45e43ba9..bbafb39d7 100644 --- a/letsencrypt-auto-source/pieces/bootstrappers/deb_common.sh +++ b/letsencrypt-auto-source/pieces/bootstrappers/deb_common.sh @@ -51,7 +51,7 @@ BootstrapDebCommon() { /bin/echo '(Backports are only installed if explicitly requested via "apt-get install -t wheezy-backports")' fi - sudo sh -c "echo $BACKPORT_SOURCELINE >> /etc/apt/sources.list.d/$BACKPORT_NAME.list" + $SUDO sh -c "echo $BACKPORT_SOURCELINE >> /etc/apt/sources.list.d/$BACKPORT_NAME.list" $SUDO apt-get update fi fi From 1de66b3d7d2f8b7681a28d4cd7ed60ad30a2c3f9 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Thu, 18 Feb 2016 16:02:07 -0800 Subject: [PATCH 099/141] Explicit error message for #2206 --- letsencrypt/cli.py | 5 +++++ letsencrypt/tests/cli_test.py | 9 +++++++++ 2 files changed, 14 insertions(+) diff --git a/letsencrypt/cli.py b/letsencrypt/cli.py index 855c7a467..d245f096d 100644 --- a/letsencrypt/cli.py +++ b/letsencrypt/cli.py @@ -649,6 +649,11 @@ def record_chosen_plugins(config, plugins, auth, inst): # Possible difficulties: config.csr was hacked into auth def run(config, plugins): # pylint: disable=too-many-branches,too-many-locals """Obtain a certificate and install.""" + if config.csr is not None: + raise errors.Error("Currently, the default 'run' verb cannot be used " + "when specifying a CSR file. Please try the " + "certonly command instead.") + try: installer, authenticator = choose_configurator_plugins(config, plugins, "run") except errors.PluginSelectionError as e: diff --git a/letsencrypt/tests/cli_test.py b/letsencrypt/tests/cli_test.py index 77a4b5892..60fa3ebec 100644 --- a/letsencrypt/tests/cli_test.py +++ b/letsencrypt/tests/cli_test.py @@ -356,6 +356,15 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods self._call, ['-d', '204.11.231.35']) + def test_run_with_csr(self): + # This is an error because you can only use --csr with certonly + try: + self._call(['--csr', CSR]) + except errors.Error as e: + assert "Please try the certonly" in e.message + return + assert False, "Expected supplying --csr to fail with default verb" + def _get_argument_parser(self): plugins = disco.PluginsRegistry.find_all() return functools.partial(cli.prepare_and_parse_args, plugins) From 5eba011f8e57487b35cfab6fcc36a85233aee29a Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Thu, 18 Feb 2016 18:35:45 -0800 Subject: [PATCH 100/141] Generalize and move check inside handle_csr --- letsencrypt/cli.py | 15 ++++++--------- letsencrypt/tests/client_test.py | 3 +++ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/letsencrypt/cli.py b/letsencrypt/cli.py index d245f096d..74084692d 100644 --- a/letsencrypt/cli.py +++ b/letsencrypt/cli.py @@ -649,11 +649,6 @@ def record_chosen_plugins(config, plugins, auth, inst): # Possible difficulties: config.csr was hacked into auth def run(config, plugins): # pylint: disable=too-many-branches,too-many-locals """Obtain a certificate and install.""" - if config.csr is not None: - raise errors.Error("Currently, the default 'run' verb cannot be used " - "when specifying a CSR file. Please try the " - "certonly command instead.") - try: installer, authenticator = choose_configurator_plugins(config, plugins, "run") except errors.PluginSelectionError as e: @@ -988,10 +983,6 @@ def renew(config, unused_plugins): "renew specific certificates, use the certonly " "command. The renew verb may provide other options " "for selecting certificates to renew in the future.") - if config.csr is not None: - raise errors.Error("Currently, the renew verb cannot be used when " - "specifying a CSR file. Please try the certonly " - "command instead.") renewer_config = configuration.RenewerConfiguration(config) renew_successes = [] renew_failures = [] @@ -1249,6 +1240,12 @@ class HelpfulArgumentParser(object): Process a --csr flag. This needs to happen early enough that the webroot plugin can know about the calls to _process_domain """ + if parsed_args.verb != "certonly": + raise errors.Error("Currently, a CSR file may only be specified " + "when obtaining a new or replacement " + "via the certonly command. Please try the " + "certonly command instead.") + try: csr = le_util.CSR(file=parsed_args.csr[0], data=parsed_args.csr[1], form="der") typ = OpenSSL.crypto.FILETYPE_ASN1 diff --git a/letsencrypt/tests/client_test.py b/letsencrypt/tests/client_test.py index f712ea94c..daaea4f97 100644 --- a/letsencrypt/tests/client_test.py +++ b/letsencrypt/tests/client_test.py @@ -125,6 +125,9 @@ class ClientTest(unittest.TestCase): from letsencrypt import cli test_csr = le_util.CSR(form="der", file=None, data=CSR_SAN) mock_parsed_args = mock.MagicMock() + # The CLI should believe that this is a certonly request, because + # a CSR would not be allowed with other kinds of requests! + mock_parsed_args.verb = "certonly" with mock.patch("letsencrypt.client.le_util.CSR") as mock_CSR: mock_CSR.return_value = test_csr mock_parsed_args.domains = self.eg_domains[:] From 0e12b1fd86027cc026134d3c4ae975d3a68b0989 Mon Sep 17 00:00:00 2001 From: TheNavigat Date: Fri, 19 Feb 2016 05:00:47 +0200 Subject: [PATCH 101/141] Enabling apache-conf-test in Travis --- .travis.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index e253081d9..2dd7a1b30 100644 --- a/.travis.yml +++ b/.travis.yml @@ -30,10 +30,9 @@ matrix: env: TOXENV=py26 BOULDER_INTEGRATION=1 - python: "2.6" env: TOXENV=py26-oldest BOULDER_INTEGRATION=1 -# Disabled for now due to requiring sudo -> causing more boulder integration -# DNS timeouts :( -# - python: "2.7" -# env: TOXENV=apacheconftest + - python: "2.7" + env: TOXENV=apacheconftest + sudo: required - python: "2.7" env: TOXENV=py27 BOULDER_INTEGRATION=1 - python: "2.7" From 4ce926315dd6461f8910aee3bdfe23f3a80c3401 Mon Sep 17 00:00:00 2001 From: Nikos Roussos Date: Fri, 19 Feb 2016 12:15:26 +0200 Subject: [PATCH 102/141] Add Fedora package installation on docs --- docs/using.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/using.rst b/docs/using.rst index 37fca2c57..fd736c2f9 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -429,6 +429,12 @@ If you don't want to use the Apache plugin, you can omit the Packages for Debian Jessie are coming in the next few weeks. +**Fedora** + +.. code-block:: shell + + sudo dnf install letsencrypt + **Gentoo** The official Let's Encrypt client is available in Gentoo Portage. If you From b95a01a15cb20cfd5249180d3a1e9e7da2110d36 Mon Sep 17 00:00:00 2001 From: Erik Rose Date: Fri, 19 Feb 2016 12:36:11 -0500 Subject: [PATCH 103/141] Turn the root-level letsencrypt-auto symlink into a regular file. Close #2501. It will always be a copy of the latest release version, 0.4 in this case. (Modify the release script to make that so.) This way, people using the old method of running le-auto from a git checkout will not end up using a bleeding-edge version, letting us work on the tip-of-tree version more freely. --- letsencrypt-auto | 1810 +++++++++++++++++++++++++++++++++++++++++++++- tools/release.sh | 5 +- 2 files changed, 1813 insertions(+), 2 deletions(-) mode change 120000 => 100755 letsencrypt-auto diff --git a/letsencrypt-auto b/letsencrypt-auto deleted file mode 120000 index af7e83a70..000000000 --- a/letsencrypt-auto +++ /dev/null @@ -1 +0,0 @@ -letsencrypt-auto-source/letsencrypt-auto \ No newline at end of file diff --git a/letsencrypt-auto b/letsencrypt-auto new file mode 100755 index 000000000..9218bdc52 --- /dev/null +++ b/letsencrypt-auto @@ -0,0 +1,1809 @@ +#!/bin/sh +# +# Download and run the latest release version of the Let's Encrypt client. +# +# NOTE: THIS SCRIPT IS AUTO-GENERATED AND SELF-UPDATING +# +# IF YOU WANT TO EDIT IT LOCALLY, *ALWAYS* RUN YOUR COPY WITH THE +# "--no-self-upgrade" FLAG +# +# IF YOU WANT TO SEND PULL REQUESTS, THE REAL SOURCE FOR THIS FILE IS +# letsencrypt-auto-source/letsencrypt-auto.template AND +# letsencrypt-auto-source/pieces/bootstrappers/* + +set -e # Work even if somebody does "sh thisscript.sh". + +# Note: you can set XDG_DATA_HOME or VENV_PATH before running this script, +# if you want to change where the virtual environment will be installed +XDG_DATA_HOME=${XDG_DATA_HOME:-~/.local/share} +VENV_NAME="letsencrypt" +VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"} +VENV_BIN=${VENV_PATH}/bin +LE_AUTO_VERSION="0.4.0" + +# This script takes the same arguments as the main letsencrypt program, but it +# additionally responds to --verbose (more output) and --debug (allow support +# for experimental platforms) +for arg in "$@" ; do + # This first clause is redundant with the third, but hedging on portability + if [ "$arg" = "-v" ] || [ "$arg" = "--verbose" ] || echo "$arg" | grep -E -- "-v+$" ; then + VERBOSE=1 + elif [ "$arg" = "--no-self-upgrade" ] ; then + # Do not upgrade this script (also prevents client upgrades, because each + # copy of the script pins a hash of the python client) + NO_SELF_UPGRADE=1 + elif [ "$arg" = "--os-packages-only" ] ; then + OS_PACKAGES_ONLY=1 + elif [ "$arg" = "--debug" ]; then + DEBUG=1 + fi +done + +# letsencrypt-auto needs root access to bootstrap OS dependencies, and +# letsencrypt itself needs root access for almost all modes of operation +# The "normal" case is that sudo is used for the steps that need root, but +# this script *can* be run as root (not recommended), or fall back to using +# `su` +if test "`id -u`" -ne "0" ; then + if command -v sudo 1>/dev/null 2>&1; then + SUDO=sudo + else + echo \"sudo\" is not available, will use \"su\" for installation steps... + # Because the parameters in `su -c` has to be a string, + # we need properly escape it + su_sudo() { + args="" + # This `while` loop iterates over all parameters given to this function. + # For each parameter, all `'` will be replace by `'"'"'`, and the escaped string + # will be wrapped in a pair of `'`, then appended to `$args` string + # For example, `echo "It's only 1\$\!"` will be escaped to: + # 'echo' 'It'"'"'s only 1$!' + # │ │└┼┘│ + # │ │ │ └── `'s only 1$!'` the literal string + # │ │ └── `\"'\"` is a single quote (as a string) + # │ └── `'It'`, to be concatenated with the strings following it + # └── `echo` wrapped in a pair of `'`, it's totally fine for the shell command itself + while [ $# -ne 0 ]; do + args="$args'$(printf "%s" "$1" | sed -e "s/'/'\"'\"'/g")' " + shift + done + su root -c "$args" + } + SUDO=su_sudo + fi +else + SUDO= +fi + +ExperimentalBootstrap() { + # Arguments: Platform name, bootstrap function name + if [ "$DEBUG" = 1 ]; then + if [ "$2" != "" ]; then + echo "Bootstrapping dependencies via $1..." + $2 + fi + else + echo "WARNING: $1 support is very experimental at present..." + echo "if you would like to work on improving it, please ensure you have backups" + echo "and then run this script again with the --debug flag!" + exit 1 + fi +} + +DeterminePythonVersion() { + if command -v python2.7 > /dev/null ; then + export LE_PYTHON=${LE_PYTHON:-python2.7} + elif command -v python27 > /dev/null ; then + export LE_PYTHON=${LE_PYTHON:-python27} + elif command -v python2 > /dev/null ; then + export LE_PYTHON=${LE_PYTHON:-python2} + elif command -v python > /dev/null ; then + export LE_PYTHON=${LE_PYTHON:-python} + else + echo "Cannot find any Pythons... please install one!" + exit 1 + fi + + PYVER=`"$LE_PYTHON" --version 2>&1 | cut -d" " -f 2 | cut -d. -f1,2 | sed 's/\.//'` + if [ $PYVER -lt 26 ]; then + echo "You have an ancient version of Python entombed in your operating system..." + echo "This isn't going to work; you'll need at least version 2.6." + exit 1 + fi +} + +BootstrapDebCommon() { + # Current version tested with: + # + # - Ubuntu + # - 14.04 (x64) + # - 15.04 (x64) + # - Debian + # - 7.9 "wheezy" (x64) + # - sid (2015-10-21) (x64) + + # Past versions tested with: + # + # - Debian 8.0 "jessie" (x64) + # - Raspbian 7.8 (armhf) + + # Believed not to work: + # + # - Debian 6.0.10 "squeeze" (x64) + + $SUDO apt-get update || echo apt-get update hit problems but continuing anyway... + + # virtualenv binary can be found in different packages depending on + # distro version (#346) + + virtualenv= + if apt-cache show virtualenv > /dev/null 2>&1; then + virtualenv="virtualenv" + fi + + if apt-cache show python-virtualenv > /dev/null 2>&1; then + virtualenv="$virtualenv python-virtualenv" + fi + + augeas_pkg="libaugeas0 augeas-lenses" + AUGVERSION=`apt-cache show --no-all-versions libaugeas0 | grep ^Version: | cut -d" " -f2` + + AddBackportRepo() { + # ARGS: + BACKPORT_NAME="$1" + BACKPORT_SOURCELINE="$2" + if ! grep -v -e ' *#' /etc/apt/sources.list | grep -q "$BACKPORT_NAME" ; then + # This can theoretically error if sources.list.d is empty, but in that case we don't care. + if ! grep -v -e ' *#' /etc/apt/sources.list.d/* 2>/dev/null | grep -q "$BACKPORT_NAME"; then + /bin/echo -n "Installing augeas from $BACKPORT_NAME in 3 seconds..." + sleep 1s + /bin/echo -ne "\e[0K\rInstalling augeas from $BACKPORT_NAME in 2 seconds..." + sleep 1s + /bin/echo -e "\e[0K\rInstalling augeas from $BACKPORT_NAME in 1 second ..." + sleep 1s + if echo $BACKPORT_NAME | grep -q wheezy ; then + /bin/echo '(Backports are only installed if explicitly requested via "apt-get install -t wheezy-backports")' + fi + + sudo sh -c "echo $BACKPORT_SOURCELINE >> /etc/apt/sources.list.d/$BACKPORT_NAME.list" + $SUDO apt-get update + fi + fi + $SUDO apt-get install -y --no-install-recommends -t "$BACKPORT_NAME" $augeas_pkg + augeas_pkg= + + } + + + if dpkg --compare-versions 1.0 gt "$AUGVERSION" ; then + if lsb_release -a | grep -q wheezy ; then + AddBackportRepo wheezy-backports "deb http://http.debian.net/debian wheezy-backports main" + elif lsb_release -a | grep -q precise ; then + # XXX add ARM case + AddBackportRepo precise-backports "deb http://archive.ubuntu.com/ubuntu precise-backports main restricted universe multiverse" + else + echo "No libaugeas0 version is available that's new enough to run the" + echo "Let's Encrypt apache plugin..." + fi + # XXX add a case for ubuntu PPAs + fi + + $SUDO apt-get install -y --no-install-recommends \ + python \ + python-dev \ + $virtualenv \ + gcc \ + dialog \ + $augeas_pkg \ + libssl-dev \ + libffi-dev \ + ca-certificates \ + + + + if ! command -v virtualenv > /dev/null ; then + echo Failed to install a working \"virtualenv\" command, exiting + exit 1 + fi +} + +BootstrapRpmCommon() { + # Tested with: + # - Fedora 22, 23 (x64) + # - Centos 7 (x64: on DigitalOcean droplet) + # - CentOS 7 Minimal install in a Hyper-V VM + + if type dnf 2>/dev/null + then + tool=dnf + elif type yum 2>/dev/null + then + tool=yum + + else + echo "Neither yum nor dnf found. Aborting bootstrap!" + exit 1 + fi + + # Some distros and older versions of current distros use a "python27" + # instead of "python" naming convention. Try both conventions. + if ! $SUDO $tool install -y \ + python \ + python-devel \ + python-virtualenv \ + python-tools \ + python-pip + then + if ! $SUDO $tool install -y \ + python27 \ + python27-devel \ + python27-virtualenv \ + python27-tools \ + python27-pip + then + echo "Could not install Python dependencies. Aborting bootstrap!" + exit 1 + fi + fi + + if ! $SUDO $tool install -y \ + gcc \ + dialog \ + augeas-libs \ + openssl \ + openssl-devel \ + libffi-devel \ + redhat-rpm-config \ + ca-certificates + then + echo "Could not install additional dependencies. Aborting bootstrap!" + exit 1 + fi + + + if $SUDO $tool list installed "httpd" >/dev/null 2>&1; then + if ! $SUDO $tool install -y mod_ssl + then + echo "Apache found, but mod_ssl could not be installed." + fi + fi +} + +BootstrapSuseCommon() { + # SLE12 don't have python-virtualenv + + $SUDO zypper -nq in -l \ + python \ + python-devel \ + python-virtualenv \ + gcc \ + dialog \ + augeas-lenses \ + libopenssl-devel \ + libffi-devel \ + ca-certificates +} + +BootstrapArchCommon() { + # Tested with: + # - ArchLinux (x86_64) + # + # "python-virtualenv" is Python3, but "python2-virtualenv" provides + # only "virtualenv2" binary, not "virtualenv" necessary in + # ./tools/_venv_common.sh + + deps=" + python2 + python-virtualenv + gcc + dialog + augeas + openssl + libffi + ca-certificates + pkg-config + " + + missing=$("$SUDO" pacman -T $deps) + + if [ "$missing" ]; then + "$SUDO" pacman -S --needed $missing + fi +} + +BootstrapGentooCommon() { + PACKAGES=" + dev-lang/python:2.7 + dev-python/virtualenv + dev-util/dialog + app-admin/augeas + dev-libs/openssl + dev-libs/libffi + app-misc/ca-certificates + virtual/pkgconfig" + + case "$PACKAGE_MANAGER" in + (paludis) + "$SUDO" cave resolve --keep-targets if-possible $PACKAGES -x + ;; + (pkgcore) + "$SUDO" pmerge --noreplace $PACKAGES + ;; + (portage|*) + "$SUDO" emerge --noreplace $PACKAGES + ;; + esac +} + +BootstrapFreeBsd() { + "$SUDO" pkg install -Ay \ + python \ + py27-virtualenv \ + augeas \ + libffi +} + +BootstrapMac() { + if ! hash brew 2>/dev/null; then + echo "Homebrew Not Installed\nDownloading..." + ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" + fi + + brew install augeas + brew install dialog + + if ! hash pip 2>/dev/null; then + echo "pip Not Installed\nInstalling python from Homebrew..." + brew install python + fi + + if ! hash virtualenv 2>/dev/null; then + echo "virtualenv Not Installed\nInstalling with pip" + pip install virtualenv + fi +} + + +# Install required OS packages: +Bootstrap() { + if [ -f /etc/debian_version ]; then + echo "Bootstrapping dependencies for Debian-based OSes..." + BootstrapDebCommon + elif [ -f /etc/redhat-release ]; then + echo "Bootstrapping dependencies for RedHat-based OSes..." + BootstrapRpmCommon + elif [ -f /etc/os-release ] && `grep -q openSUSE /etc/os-release` ; then + echo "Bootstrapping dependencies for openSUSE-based OSes..." + BootstrapSuseCommon + elif [ -f /etc/arch-release ]; then + if [ "$DEBUG" = 1 ]; then + echo "Bootstrapping dependencies for Archlinux..." + BootstrapArchCommon + else + echo "Please use pacman to install letsencrypt packages:" + echo "# pacman -S letsencrypt letsencrypt-apache" + echo + echo "If you would like to use the virtualenv way, please run the script again with the" + echo "--debug flag." + exit 1 + fi + elif [ -f /etc/manjaro-release ]; then + ExperimentalBootstrap "Manjaro Linux" BootstrapArchCommon + elif [ -f /etc/gentoo-release ]; then + ExperimentalBootstrap "Gentoo" BootstrapGentooCommon + elif uname | grep -iq FreeBSD ; then + ExperimentalBootstrap "FreeBSD" BootstrapFreeBsd + elif uname | grep -iq Darwin ; then + ExperimentalBootstrap "Mac OS X" BootstrapMac + elif grep -iq "Amazon Linux" /etc/issue ; then + ExperimentalBootstrap "Amazon Linux" BootstrapRpmCommon + else + echo "Sorry, I don't know how to bootstrap Let's Encrypt on your operating system!" + echo + echo "You will need to bootstrap, configure virtualenv, and run a peep install manually." + echo "Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites" + echo "for more info." + fi +} + +TempDir() { + mktemp -d 2>/dev/null || mktemp -d -t 'le' # Linux || OS X +} + + + +if [ "$NO_SELF_UPGRADE" = 1 ]; then + # Phase 2: Create venv, install LE, and run. + + if [ -f "$VENV_BIN/letsencrypt" ]; then + INSTALLED_VERSION=$("$VENV_BIN/letsencrypt" --version 2>&1 | cut -d " " -f 2) + else + INSTALLED_VERSION="none" + fi + if [ "$LE_AUTO_VERSION" != "$INSTALLED_VERSION" ]; then + echo "Creating virtual environment..." + DeterminePythonVersion + rm -rf "$VENV_PATH" + if [ "$VERBOSE" = 1 ]; then + virtualenv --no-site-packages --python "$LE_PYTHON" "$VENV_PATH" + else + virtualenv --no-site-packages --python "$LE_PYTHON" "$VENV_PATH" > /dev/null + fi + + echo "Installing Python packages..." + TEMP_DIR=$(TempDir) + # There is no $ interpolation due to quotes on starting heredoc delimiter. + # ------------------------------------------------------------------------- + cat << "UNLIKELY_EOF" > "$TEMP_DIR/letsencrypt-auto-requirements.txt" +# This is the flattened list of packages letsencrypt-auto installs. To generate +# this, do `pip install --no-cache-dir -e acme -e . -e letsencrypt-apache`, and +# then use `hashin` or a more secure method to gather the hashes. + +# sha256: wxZH7baf09RlqEfqMVfTe-0flfGXYLEaR6qRwEtmYxQ +# sha256: YrCJpVvh2JSc0rx-DfC9254Cj678jDIDjMhIYq791uQ +argparse==1.4.0 + +# sha256: U8HJ3bMEMVE-t_PN7wo-BrDxJSGIqqd0SvD1pM1F268 +# sha256: pWj0nfyhKo2fNwGHJX78WKOBCeHu5xTZKFYdegGKZPg +# sha256: gJxsqM-8ruv71DK0V2ABtA04_yRjdzy1dXfXXhoCC8M +# sha256: hs3KLNnLpBQiIwOQ3xff6qnzRKkR45dci-naV7NVSOk +# sha256: JLE9uErsOFyiPHuN7YPvi7QXe8GB0UdY-fl1vl0CDYY +# sha256: lprv_XwOCX9r4e_WgsFWriJlkaB5OpS2wtXkKT9MjU4 +# sha256: AA81jUsPokn-qrnBzn1bL-fgLnvfaAbCZBhQX8aF4mg +# sha256: qdhvRgu9g1ii1ROtd54_P8h447k6ALUAL66_YW_-a5w +# sha256: MSezqzPrI8ysBx-aCAJ0jlz3xcvNAkgrsGPjW0HbsLA +# sha256: 4rLUIjZGmkAiTTnntsYFdfOIsvQj81TH7pClt_WMgGU +# sha256: jC3Mr-6JsbQksL7GrS3ZYiyUnSAk6Sn12h7YAerHXx0 +# sha256: pN56TRGu1Ii6tPsU9JiFh6gpvs5aIEM_eA1uM7CAg8s +# sha256: XKj-MEJSZaSSdOSwITobyY9LE0Sa5elvmEdx5dg-WME +# sha256: pP04gC9Z5xTrqBoCT2LbcQsn2-J6fqEukRU3MnqoTTA +# sha256: hs1pErvIPpQF1Kc81_S07oNTZS0tvHyCAQbtW00bqzo +# sha256: jx0XfTZOo1kAQVriTKPkcb49UzTtBBkpQGjEn0WROZg +cffi==1.4.2 + +# sha256: O1CoPdWBSd_O6Yy2VlJl0QtT6cCivKfu73-19VJIkKc +ConfigArgParse==0.10.0 + +# sha256: ovVlB3DhyH-zNa8Zqbfrc_wFzPIhROto230AzSvLCQI +configobj==5.0.6 + +# sha256: 1U_hszrB4J8cEj4vl0948z6V1h1PSALdISIKXD6MEX0 +# sha256: B1X2aE4RhSAFs2MTdh7ctbqEOmTNAizhrC3L1JqTYG0 +# sha256: zjhNo4lZlluh90VKJfVp737yqxRd8ueiml4pS3TgRnc +# sha256: GvQDkV3LmWHDB2iuZRr6tpKC0dpaut-mN1IhrBGHdQM +# sha256: ag08d91PH-W8ZfJ--3fsjQSjiNpesl66DiBAwJgZ30o +# sha256: KdelgcO6_wTh--IAaltHjZ7cfPmib8ijWUkkf09lA3k +# sha256: IPAWEKpAh_bVadjMIMR4uB8DhIYnWqqx3Dx12VAsZ-A +# sha256: l9hGUIulDVomml82OK4cFmWbNTFaH0B_oVF2cH2j0Jc +# sha256: djfqRMLL1NsvLKccsmtmPRczORqnafi8g2xZVilbd5g +# sha256: gR-eqJVbPquzLgQGU0XDB4Ui5rPuPZLz0n08fNcWpjM +# sha256: DXCMjYz97Qm4fCoLqHY856ZjWG4EPmrEL9eDHpKQHLY +# sha256: Efnq11YqPgATWGytM5o_em9Yg8zhw7S5jhrGnft3p_Y +# sha256: dNhnm55-0ePs-wq1NNyTUruxz3PTYsmQkJTAlyivqJY +# sha256: z1Hd-123eBaiB1OKZgEUuC4w4IAD_uhJmwILi4SA2sU +# sha256: 47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU +# sha256: dITvgYGUFB3_eUdf-74vd6-FHiw7v-Lk1ZEjEi-KTjM +# sha256: 7gLB6J7l7pUBV6VK1YTXN8Ec83putMCFPozz8n6WLcA +# sha256: pfGPaxhQpVVKV9v2YsrSUSpGBW5paHJqmFjngN1bnQo +# sha256: 26GA8xrb5xi6qdbPirY0hJSwlLK4GAL_8zvVDSfRPnM +# sha256: 5RinlLjzjoOC9_B3kUGBPOtIE6z9MRVBwNsOGJ69eN4 +# sha256: f1FFn4TWcERCdeYVg59FQsk1R6Euk4oKSQba_l994VM +cryptography==1.1.2 + +# sha256: JHXX_N31lR6S_1RpcnWIAt5SYL9Akxmp8ZNOa7yLHcc +# sha256: NZB977D5krdat3iPZf7cHPIP-iJojg5vbxKvwGs-pQE +enum34==1.1.2 + +# sha256: _1rZ4vjZ5dHou_vPR3IqtSfPDVHK7u2dptD0B5k4P94 +# sha256: 2Dzm3wsOpmGHAP4ds1NSY5Goo62ht6ulL-16Ydp3IDM +funcsigs==0.4 + +# sha256: my_FC9PEujBrllG2lBHvIgJtTYM1uTr8IhTO8SRs5wc +# sha256: FhmarZOLKQ9b4QV8Dh78ZUYik5HCPOphypQMEV99PTs +idna==2.0 + +# sha256: k1cSgAzkdgcB2JrWd2Zs1SaR_S9vCzQMi0I5o8F5iKU +# sha256: WjGCsyKnBlJcRigspvBk0noCz_vUSfn0dBbx3JaqcbA +ipaddress==1.0.16 + +# sha256: 54vpwKDfy6xxL-BPv5K5bN2ugLG4QvJCSCFMhJbwBu8 +# sha256: Syb_TnEQ23butvWntkqCYjg51ZXCA47tpmLyott46Xw +linecache2==1.0.0 + +# sha256: 6MFV_evZxLywgQtO0BrhmHVUse4DTddTLXuP2uOKYnQ +ndg-httpsclient==0.4.0 + +# sha256: HDW0rCBs7y0kgWyJ-Jzyid09OM98RJuz-re_bUPwGx8 +ordereddict==1.1 + +# sha256: OnTxAPkNZZGDFf5kkHca0gi8PxOv0y01_P5OjQs7gSs +# sha256: Paa-K-UG9ZzOMuGeMOIBBT4btNB-JWaJGOAPikmtQKs +parsedatetime==1.5 + +# sha256: Rsjbda51oFa9HMB_ohc0_i5gPRGgeDPswe63TDXHLgw +# sha256: 4hJ2JqkebIhduJZol22zECDwry2nKJJLVkgPx8zwlkk +pbr==1.8.1 + +# sha256: WE8LKfzF1SO0M8uJGLL8dNZ-MO4LRKlbrwMVKPQkYZ8 +# sha256: KMoLbp2Zqo3Chuh0ekRxNitpgSolKR3im2qNcKFUWg0 +# sha256: FnrV__UqZyxN3BwaCyUUbWgT67CKmqsKOsRfiltmnDs +# sha256: 5t6mFzqYhye7Ij00lzSa1c3vXAsoLv8tg-X5BlxT-F8 +# sha256: KvXgpKrWYEmVXQc0qk49yMqhep6vi0waJ6Xx7m5A9vw +# sha256: 2YhNwNwuVeJEjklXeNyYmcHIvzeusvQ0wb6nSvk8JoM +# sha256: 4nwv5t_Mhzi-PSxaAi94XrcpcQV-Gp4eNPunO86KcaY +# sha256: Za_W_syPOu0J7kvmNYO8jrRy8GzqpP4kxNHVoaPA4T8 +# sha256: uhxVj7_N-UUVwjlLEVXB3FbivCqcF9MDSYJ8ntimfkY +# sha256: upXqACLctk028MEzXAYF-uNb3z4P6o2S9dD2RWo15Vs +# sha256: QhtlkdFrUJqqjYwVgh1mu5TLSo3EOFytXFG4XUoJbYU +# sha256: MmswXL22-U2vv-LCaxHaiLCrB7igf4GIq511_wxuhBo +# sha256: mu3lsrb-RrN0jqjlIURDiQ0WNAJ77z0zt9rRZVaDAng +# sha256: c77R24lNGqnDx-YR0wLN6reuig3A7q92cnh42xrFzYc +# sha256: k1td1tVYr1EvQlAafAj0HXr_E5rxuzlZ2qOruFkjTWw +# sha256: TKARHPFX3MDy9poyPFtUeHGNaNRfyUNdhL4OwPGGIVs +# sha256: tvE8lTmKP88CJsTc-kSFYLpYZSWc2W7CgQZYZR6TIYk +# sha256: 7mvjDRY1u96kxDJdUH3IoNu95-HBmL1i3bn0MZi54hQ +# sha256: 36eGhYwmjX-74bYXXgAewCc418-uCnzne_m2Ua9nZyk +# sha256: qnf53nKvnBbMKIzUokz1iCQ4j1fXqB5ADEYWRXYphw4 +# sha256: 9QAJM1fQTagUDYeTLKwuVO9ZKlTKinQ6uyhQ9gwsIus +psutil==3.3.0 + +# sha256: YfnZnjzvZf6xv-Oi7vepPrk4GdNFv1S81C9OY9UgTa4 +# sha256: GAKm3TIEXkcqQZ2xRBrsq0adM-DSdJ4ZKr3sUhAXJK8 +# sha256: NQJc2UIsllBJEvBOLxX-eTkKhZe0MMLKXQU0z5MJ_6A +# sha256: L5btWgwynKFiMLMmyhK3Rh7I9l4L4-T5l1FvNr-Co0U +# sha256: KP7kQheZHPrZ5qC59-PyYEHiHryWYp6U5YXM0F1J-mU +# sha256: Mm56hUoX-rB2kSBHR2lfj2ktZ0WIo1XEQfsU9mC_Tmg +# sha256: zaWpBIVwnKZ5XIYFbD5f5yZgKLBeU_HVJ_35OmNlprg +# sha256: DLKhR0K1Q_3Wj5MaFM44KRhu0rGyJnoGeHOIyWst2b4 +# sha256: UZH_a5Em0sA53Yf4_wJb7SdLrwf6eK-kb1VrGtcmXW4 +# sha256: gyPgNjey0HLMcEEwC6xuxEjDwolQq0A3YDZ4jpoa9ik +# sha256: hTys2W0fcB3dZ6oD7MBfUYkBNbcmLpInEBEvEqLtKn8 +pyasn1==0.1.9 + +# sha256: eVm0p0q9wnsxL-0cIebK-TCc4LKeqGtZH9Lpns3yf3M +pycparser==2.14 + +# sha256: iORea7Jd_tJyoe8ucoRh1EtjTCzWiemJtuVqNJxaOuU +# sha256: 8KJgcNbbCIHei8x4RpNLfDyTDY-cedRYg-5ImEvA1nI +pyOpenSSL==0.15.1 + +# sha256: 7qMYNcVuIJavQ2OldFp4SHimHQQ-JH06bWoKMql0H1Y +# sha256: jfvGxFi42rocDzYgqMeACLMjomiye3NZ6SpK5BMl9TU +pyRFC3339==1.0 + +# sha256: Z9WdZs26jWJOA4m4eyqDoXbyHxaodVO1D1cDsj8pusI +python-augeas==0.5.0 + +# sha256: BOk_JJlcQ92Q8zjV2GXKcs4_taU1jU2qSWVXHbNfw-w +# sha256: Pm9ZP-rZj4pSa8PjBpM1MyNuM3KfVS9SiW6lBPVTE_o +python2-pythondialog==3.3.0 + +# sha256: Or5qbT_C-75MYBRCEfRdou2-MYKm9lEa9ru6BZix-ZI +# sha256: k575weEiTZgEBWial__PeCjFbRUXsx1zRkNWwfK3dp4 +# sha256: 6tSu-nAHJJ4F5RsBCVcZ1ajdlXYAifVzCqxWmLGTKRg +# sha256: PMoN8IvQ7ZhDI5BJTOPe0AP15mGqRgvnpzS__jWYNgU +# sha256: Pt5HDT0XujwHY436DRBFK8G25a0yYSemW6d-aq6xG-w +# sha256: aMR5ZPcYbuwwaxNilidyK5B5zURH7Z5eyuzU6shMpzQ +# sha256: 3V05kZUKrkCmyB3hV4lC5z1imAjO_FHRLNFXmA5s_Bg +# sha256: p3xSBiwH63x7MFRdvHPjKZW34Rfup1Axe1y1x6RhjxQ +# sha256: ga-a7EvJYKmgEnxIjxh3La5GNGiSM_BvZUQ-exHr61E +# sha256: 4Hmx2txcBiRswbtv4bI6ULHRFz8u3VEE79QLtzoo9AY +# sha256: -9JnRncsJMuTyLl8va1cueRshrvbG52KdD7gDi-x_F0 +# sha256: mSZu8wo35Dky3uwrfKc-g8jbw7n_cD7HPsprHa5r7-o +# sha256: i2zhyZOQl4O8luC0806iI7_3pN8skL25xODxrJKGieM +pytz==2015.7 + +# sha256: ET-7pVManjSUW302szoIToul0GZLcDyBp8Vy2RkZpbg +# sha256: xXeBXdAPE5QgP8ROuXlySwmPiCZKnviY7kW45enPWH8 +requests==2.9.1 + +# sha256: D_eMQD2bzPWkJabTGhKqa0fxwhyk3CVzp-LzKpczXrE +# sha256: EF-NaGFvgkjiS_DpNy7wTTzBAQTxmA9U1Xss5zpa1Wo +six==1.10.0 + +# sha256: glPOvsSxkJTWfMXtWvmb8duhKFKSIm6Yoxkp-HpdayM +# sha256: BazGegmYDC7P7dNCP3rgEEg57MtV_GRXc-HKoJUcMDA +traceback2==1.4.0 + +# sha256: E_d9CHXbbZtDXh1PQedK1MwutuHVyCSZYJKzQw8Ii7g +# sha256: IogqDkGMKE4fcYqCKzsCKUTVPS2QjhaQsxmp0-ssBXk +unittest2==1.1.0 + +# sha256: aUkbUwUVfDxuDwSnAZhNaud_1yn8HJrNJQd_HfOFMms +# sha256: 619wCpv8lkILBVY1r5AC02YuQ9gMP_0x8iTCW8DV9GI +Werkzeug==0.11.3 + +# sha256: KCwRK1XdjjyGmjVx-GdnwVCrEoSprOK97CJsWSrK-Bo +zope.component==4.2.2 + +# sha256: 3HpZov2Rcw03kxMaXSYbKek-xOKpfxvEh86N7-4v54Y +zope.event==4.1.0 + +# sha256: 8HtjH3pgHNjL0zMtVPQxQscIioMpn4WTVvCNHU1CWbM +# sha256: 3lzKCDuUOdgAL7drvmtJmMWlpyH6sluEKYln8ALfTJQ +# sha256: Z4hBb36n9bipe-lIJTd6ol6L3HNGPge6r5hYsp5zcHc +# sha256: bzIw9yVFGCAeWjcIy7LemMhIME8G497Yv7OeWCXLouE +# sha256: X6V1pSQPBCAMMIhCfQ1Le3N_bpAYgYpR2ND5J6aiUXo +# sha256: UiGUrWpUVzXt11yKg_SNZdGvBk5DKn0yDWT1a6_BLpk +# sha256: 6Mey1AlD9xyZFIyX9myqf1E0FH9XQj-NtbSCUJnOmgk +# sha256: J5Ak8CCGAcPKqQfFOHbjetiGJffq8cs4QtvjYLIocBc +# sha256: LiIanux8zFiImieOoT3P7V75OdgLB4Gamos8scaBSE8 +# sha256: aRGJZUEOyG1E3GuQF-4929WC4MCr7vYrOhnb9sitEys +# sha256: 0E34aG7IZNDK3ozxmff4OuzUFhCaIINNVo-DEN7RLeo +# sha256: 51qUfhXul-fnHgLqMC_rL8YtOiu0Zov5377UOlBqx-c +# sha256: TkXSL7iDIipaufKCoRb-xe4ujRpWjM_2otdbvQ62vPw +# sha256: vOkzm7PHpV4IA7Y9IcWDno5Hm8hcSt9CrkFbcvlPrLI +# sha256: koE4NlJFoOiGmlmZ-8wqRUdaCm7VKklNYNvcVAM1_t0 +# sha256: DYQbobuEDuoOZIncXsr6YSVVSXH1O1rLh3ZEQeYbzro +# sha256: sJyMHUezUxxADgGVaX8UFKYyId5u9HhZik8UYPfZo5I +zope.interface==4.1.3 + +# sha256: ilvjjTWOS86xchl0WBZ0YOAw_0rmqdnjNsxb1hq2RD8 +# sha256: T37KMj0TnsuvHIzCCmoww2fpfpOBTj7cd4NAqucXcpw +acme==0.4.0 + +# sha256: 33BQiANlNLGqGpirTfdCEElTF9YbpaKiYpTbK4zeGD8 +# sha256: lwsV1OdEzzlMeb08C_PRxaCXZ2vOk_1AI2755rZHmPM +letsencrypt==0.4.0 + +# sha256: D3YDaVFjLsMSEfjI5B5D5tn5FeWUtNHYXCObw3ih2tg +# sha256: VTgvsePYGRmI4IOSAnxoYFHd8KciD73bxIuIHtbVFd8 +letsencrypt-apache==0.4.0 + +# sha256: uDndLZwRfHAUMMFJlWkYpCOphjtIsJyQ4wpgE-fS9E8 +# sha256: j4MIDaoknQNsvM-4rlzG_wB7iNbZN1ITca-r57Gbrbw +mock==1.0.1 + +UNLIKELY_EOF + # ------------------------------------------------------------------------- + cat << "UNLIKELY_EOF" > "$TEMP_DIR/peep.py" +#!/usr/bin/env python +"""peep ("prudently examine every package") verifies that packages conform to a +trusted, locally stored hash and only then installs them:: + + peep install -r requirements.txt + +This makes your deployments verifiably repeatable without having to maintain a +local PyPI mirror or use a vendor lib. Just update the version numbers and +hashes in requirements.txt, and you're all set. + +""" +# This is here so embedded copies of peep.py are MIT-compliant: +# Copyright (c) 2013 Erik Rose +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to +# deal in the Software without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +# sell copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +from __future__ import print_function +try: + xrange = xrange +except NameError: + xrange = range +from base64 import urlsafe_b64encode, urlsafe_b64decode +from binascii import hexlify +import cgi +from collections import defaultdict +from functools import wraps +from hashlib import sha256 +from itertools import chain, islice +import mimetypes +from optparse import OptionParser +from os.path import join, basename, splitext, isdir +from pickle import dumps, loads +import re +import sys +from shutil import rmtree, copy +from sys import argv, exit +from tempfile import mkdtemp +import traceback +try: + from urllib2 import build_opener, HTTPHandler, HTTPSHandler, HTTPError +except ImportError: + from urllib.request import build_opener, HTTPHandler, HTTPSHandler + from urllib.error import HTTPError +try: + from urlparse import urlparse +except ImportError: + from urllib.parse import urlparse # 3.4 +# TODO: Probably use six to make urllib stuff work across 2/3. + +from pkg_resources import require, VersionConflict, DistributionNotFound + +# We don't admit our dependency on pip in setup.py, lest a naive user simply +# say `pip install peep.tar.gz` and thus pull down an untrusted copy of pip +# from PyPI. Instead, we make sure it's installed and new enough here and spit +# out an error message if not: + + +def activate(specifier): + """Make a compatible version of pip importable. Raise a RuntimeError if we + couldn't.""" + try: + for distro in require(specifier): + distro.activate() + except (VersionConflict, DistributionNotFound): + raise RuntimeError('The installed version of pip is too old; peep ' + 'requires ' + specifier) + +# Before 0.6.2, the log module wasn't there, so some +# of our monkeypatching fails. It probably wouldn't be +# much work to support even earlier, though. +activate('pip>=0.6.2') + +import pip +from pip.commands.install import InstallCommand +try: + from pip.download import url_to_path # 1.5.6 +except ImportError: + try: + from pip.util import url_to_path # 0.7.0 + except ImportError: + from pip.util import url_to_filename as url_to_path # 0.6.2 +from pip.index import PackageFinder, Link +try: + from pip.log import logger +except ImportError: + from pip import logger # 6.0 +from pip.req import parse_requirements +try: + from pip.utils.ui import DownloadProgressBar, DownloadProgressSpinner +except ImportError: + class NullProgressBar(object): + def __init__(self, *args, **kwargs): + pass + + def iter(self, ret, *args, **kwargs): + return ret + + DownloadProgressBar = DownloadProgressSpinner = NullProgressBar + +__version__ = 3, 0, 0 + +try: + from pip.index import FormatControl # noqa + FORMAT_CONTROL_ARG = 'format_control' + + # The line-numbering bug will be fixed in pip 8. All 7.x releases had it. + PIP_MAJOR_VERSION = int(pip.__version__.split('.')[0]) + PIP_COUNTS_COMMENTS = PIP_MAJOR_VERSION >= 8 +except ImportError: + FORMAT_CONTROL_ARG = 'use_wheel' # pre-7 + PIP_COUNTS_COMMENTS = True + + +ITS_FINE_ITS_FINE = 0 +SOMETHING_WENT_WRONG = 1 +# "Traditional" for command-line errors according to optparse docs: +COMMAND_LINE_ERROR = 2 + +ARCHIVE_EXTENSIONS = ('.tar.bz2', '.tar.gz', '.tgz', '.tar', '.zip') + +MARKER = object() + + +class PipException(Exception): + """When I delegated to pip, it exited with an error.""" + + def __init__(self, error_code): + self.error_code = error_code + + +class UnsupportedRequirementError(Exception): + """An unsupported line was encountered in a requirements file.""" + + +class DownloadError(Exception): + def __init__(self, link, exc): + self.link = link + self.reason = str(exc) + + def __str__(self): + return 'Downloading %s failed: %s' % (self.link, self.reason) + + +def encoded_hash(sha): + """Return a short, 7-bit-safe representation of a hash. + + If you pass a sha256, this results in the hash algorithm that the Wheel + format (PEP 427) uses, except here it's intended to be run across the + downloaded archive before unpacking. + + """ + return urlsafe_b64encode(sha.digest()).decode('ascii').rstrip('=') + + +def path_and_line(req): + """Return the path and line number of the file from which an + InstallRequirement came. + + """ + path, line = (re.match(r'-r (.*) \(line (\d+)\)$', + req.comes_from).groups()) + return path, int(line) + + +def hashes_above(path, line_number): + """Yield hashes from contiguous comment lines before line ``line_number``. + + """ + def hash_lists(path): + """Yield lists of hashes appearing between non-comment lines. + + The lists will be in order of appearance and, for each non-empty + list, their place in the results will coincide with that of the + line number of the corresponding result from `parse_requirements` + (which changed in pip 7.0 to not count comments). + + """ + hashes = [] + with open(path) as file: + for lineno, line in enumerate(file, 1): + match = HASH_COMMENT_RE.match(line) + if match: # Accumulate this hash. + hashes.append(match.groupdict()['hash']) + if not IGNORED_LINE_RE.match(line): + yield hashes # Report hashes seen so far. + hashes = [] + elif PIP_COUNTS_COMMENTS: + # Comment: count as normal req but have no hashes. + yield [] + + return next(islice(hash_lists(path), line_number - 1, None)) + + +def run_pip(initial_args): + """Delegate to pip the given args (starting with the subcommand), and raise + ``PipException`` if something goes wrong.""" + status_code = pip.main(initial_args) + + # Clear out the registrations in the pip "logger" singleton. Otherwise, + # loggers keep getting appended to it with every run. Pip assumes only one + # command invocation will happen per interpreter lifetime. + logger.consumers = [] + + if status_code: + raise PipException(status_code) + + +def hash_of_file(path): + """Return the hash of a downloaded file.""" + with open(path, 'rb') as archive: + sha = sha256() + while True: + data = archive.read(2 ** 20) + if not data: + break + sha.update(data) + return encoded_hash(sha) + + +def is_git_sha(text): + """Return whether this is probably a git sha""" + # Handle both the full sha as well as the 7-character abbreviation + if len(text) in (40, 7): + try: + int(text, 16) + return True + except ValueError: + pass + return False + + +def filename_from_url(url): + parsed = urlparse(url) + path = parsed.path + return path.split('/')[-1] + + +def requirement_args(argv, want_paths=False, want_other=False): + """Return an iterable of filtered arguments. + + :arg argv: Arguments, starting after the subcommand + :arg want_paths: If True, the returned iterable includes the paths to any + requirements files following a ``-r`` or ``--requirement`` option. + :arg want_other: If True, the returned iterable includes the args that are + not a requirement-file path or a ``-r`` or ``--requirement`` flag. + + """ + was_r = False + for arg in argv: + # Allow for requirements files named "-r", don't freak out if there's a + # trailing "-r", etc. + if was_r: + if want_paths: + yield arg + was_r = False + elif arg in ['-r', '--requirement']: + was_r = True + else: + if want_other: + yield arg + +# any line that is a comment or just whitespace +IGNORED_LINE_RE = re.compile(r'^(\s*#.*)?\s*$') + +HASH_COMMENT_RE = re.compile( + r""" + \s*\#\s+ # Lines that start with a '#' + (?Psha256):\s+ # Hash type is hardcoded to be sha256 for now. + (?P[^\s]+) # Hashes can be anything except '#' or spaces. + \s* # Suck up whitespace before the comment or + # just trailing whitespace if there is no + # comment. Also strip trailing newlines. + (?:\#(?P.*))? # Comments can be anything after a whitespace+# + # and are optional. + $""", re.X) + + +def peep_hash(argv): + """Return the peep hash of one or more files, returning a shell status code + or raising a PipException. + + :arg argv: The commandline args, starting after the subcommand + + """ + parser = OptionParser( + usage='usage: %prog hash file [file ...]', + description='Print a peep hash line for one or more files: for ' + 'example, "# sha256: ' + 'oz42dZy6Gowxw8AelDtO4gRgTW_xPdooH484k7I5EOY".') + _, paths = parser.parse_args(args=argv) + if paths: + for path in paths: + print('# sha256:', hash_of_file(path)) + return ITS_FINE_ITS_FINE + else: + parser.print_usage() + return COMMAND_LINE_ERROR + + +class EmptyOptions(object): + """Fake optparse options for compatibility with pip<1.2 + + pip<1.2 had a bug in parse_requirements() in which the ``options`` kwarg + was required. We work around that by passing it a mock object. + + """ + default_vcs = None + skip_requirements_regex = None + isolated_mode = False + + +def memoize(func): + """Memoize a method that should return the same result every time on a + given instance. + + """ + @wraps(func) + def memoizer(self): + if not hasattr(self, '_cache'): + self._cache = {} + if func.__name__ not in self._cache: + self._cache[func.__name__] = func(self) + return self._cache[func.__name__] + return memoizer + + +def package_finder(argv): + """Return a PackageFinder respecting command-line options. + + :arg argv: Everything after the subcommand + + """ + # We instantiate an InstallCommand and then use some of its private + # machinery--its arg parser--for our own purposes, like a virus. This + # approach is portable across many pip versions, where more fine-grained + # ones are not. Ignoring options that don't exist on the parser (for + # instance, --use-wheel) gives us a straightforward method of backward + # compatibility. + try: + command = InstallCommand() + except TypeError: + # This is likely pip 1.3.0's "__init__() takes exactly 2 arguments (1 + # given)" error. In that version, InstallCommand takes a top=level + # parser passed in from outside. + from pip.baseparser import create_main_parser + command = InstallCommand(create_main_parser()) + # The downside is that it essentially ruins the InstallCommand class for + # further use. Calling out to pip.main() within the same interpreter, for + # example, would result in arguments parsed this time turning up there. + # Thus, we deepcopy the arg parser so we don't trash its singletons. Of + # course, deepcopy doesn't work on these objects, because they contain + # uncopyable regex patterns, so we pickle and unpickle instead. Fun! + options, _ = loads(dumps(command.parser)).parse_args(argv) + + # Carry over PackageFinder kwargs that have [about] the same names as + # options attr names: + possible_options = [ + 'find_links', + FORMAT_CONTROL_ARG, + ('allow_all_prereleases', 'pre'), + 'process_dependency_links' + ] + kwargs = {} + for option in possible_options: + kw, attr = option if isinstance(option, tuple) else (option, option) + value = getattr(options, attr, MARKER) + if value is not MARKER: + kwargs[kw] = value + + # Figure out index_urls: + index_urls = [options.index_url] + options.extra_index_urls + if options.no_index: + index_urls = [] + index_urls += getattr(options, 'mirrors', []) + + # If pip is new enough to have a PipSession, initialize one, since + # PackageFinder requires it: + if hasattr(command, '_build_session'): + kwargs['session'] = command._build_session(options) + + return PackageFinder(index_urls=index_urls, **kwargs) + + +class DownloadedReq(object): + """A wrapper around InstallRequirement which offers additional information + based on downloading and examining a corresponding package archive + + These are conceptually immutable, so we can get away with memoizing + expensive things. + + """ + def __init__(self, req, argv, finder): + """Download a requirement, compare its hashes, and return a subclass + of DownloadedReq depending on its state. + + :arg req: The InstallRequirement I am based on + :arg argv: The args, starting after the subcommand + + """ + self._req = req + self._argv = argv + self._finder = finder + + # We use a separate temp dir for each requirement so requirements + # (from different indices) that happen to have the same archive names + # don't overwrite each other, leading to a security hole in which the + # latter is a hash mismatch, the former has already passed the + # comparison, and the latter gets installed. + self._temp_path = mkdtemp(prefix='peep-') + # Think of DownloadedReq as a one-shot state machine. It's an abstract + # class that ratchets forward to being one of its own subclasses, + # depending on its package status. Then it doesn't move again. + self.__class__ = self._class() + + def dispose(self): + """Delete temp files and dirs I've made. Render myself useless. + + Do not call further methods on me after calling dispose(). + + """ + rmtree(self._temp_path) + + def _version(self): + """Deduce the version number of the downloaded package from its filename.""" + # TODO: Can we delete this method and just print the line from the + # reqs file verbatim instead? + def version_of_archive(filename, package_name): + # Since we know the project_name, we can strip that off the left, strip + # any archive extensions off the right, and take the rest as the + # version. + for ext in ARCHIVE_EXTENSIONS: + if filename.endswith(ext): + filename = filename[:-len(ext)] + break + # Handle github sha tarball downloads. + if is_git_sha(filename): + filename = package_name + '-' + filename + if not filename.lower().replace('_', '-').startswith(package_name.lower()): + # TODO: Should we replace runs of [^a-zA-Z0-9.], not just _, with -? + give_up(filename, package_name) + return filename[len(package_name) + 1:] # Strip off '-' before version. + + def version_of_wheel(filename, package_name): + # For Wheel files (http://legacy.python.org/dev/peps/pep-0427/#file- + # name-convention) we know the format bits are '-' separated. + whl_package_name, version, _rest = filename.split('-', 2) + # Do the alteration to package_name from PEP 427: + our_package_name = re.sub(r'[^\w\d.]+', '_', package_name, re.UNICODE) + if whl_package_name != our_package_name: + give_up(filename, whl_package_name) + return version + + def give_up(filename, package_name): + raise RuntimeError("The archive '%s' didn't start with the package name " + "'%s', so I couldn't figure out the version number. " + "My bad; improve me." % + (filename, package_name)) + + get_version = (version_of_wheel + if self._downloaded_filename().endswith('.whl') + else version_of_archive) + return get_version(self._downloaded_filename(), self._project_name()) + + def _is_always_unsatisfied(self): + """Returns whether this requirement is always unsatisfied + + This would happen in cases where we can't determine the version + from the filename. + + """ + # If this is a github sha tarball, then it is always unsatisfied + # because the url has a commit sha in it and not the version + # number. + url = self._url() + if url: + filename = filename_from_url(url) + if filename.endswith(ARCHIVE_EXTENSIONS): + filename, ext = splitext(filename) + if is_git_sha(filename): + return True + return False + + @memoize # Avoid hitting the file[cache] over and over. + def _expected_hashes(self): + """Return a list of known-good hashes for this package.""" + return hashes_above(*path_and_line(self._req)) + + def _download(self, link): + """Download a file, and return its name within my temp dir. + + This does no verification of HTTPS certs, but our checking hashes + makes that largely unimportant. It would be nice to be able to use the + requests lib, which can verify certs, but it is guaranteed to be + available only in pip >= 1.5. + + This also drops support for proxies and basic auth, though those could + be added back in. + + """ + # Based on pip 1.4.1's URLOpener but with cert verification removed + def opener(is_https): + if is_https: + opener = build_opener(HTTPSHandler()) + # Strip out HTTPHandler to prevent MITM spoof: + for handler in opener.handlers: + if isinstance(handler, HTTPHandler): + opener.handlers.remove(handler) + else: + opener = build_opener() + return opener + + # Descended from unpack_http_url() in pip 1.4.1 + def best_filename(link, response): + """Return the most informative possible filename for a download, + ideally with a proper extension. + + """ + content_type = response.info().get('content-type', '') + filename = link.filename # fallback + # Have a look at the Content-Disposition header for a better guess: + content_disposition = response.info().get('content-disposition') + if content_disposition: + type, params = cgi.parse_header(content_disposition) + # We use ``or`` here because we don't want to use an "empty" value + # from the filename param: + filename = params.get('filename') or filename + ext = splitext(filename)[1] + if not ext: + ext = mimetypes.guess_extension(content_type) + if ext: + filename += ext + if not ext and link.url != response.geturl(): + ext = splitext(response.geturl())[1] + if ext: + filename += ext + return filename + + # Descended from _download_url() in pip 1.4.1 + def pipe_to_file(response, path, size=0): + """Pull the data off an HTTP response, shove it in a new file, and + show progress. + + :arg response: A file-like object to read from + :arg path: The path of the new file + :arg size: The expected size, in bytes, of the download. 0 for + unknown or to suppress progress indication (as for cached + downloads) + + """ + def response_chunks(chunk_size): + while True: + chunk = response.read(chunk_size) + if not chunk: + break + yield chunk + + print('Downloading %s%s...' % ( + self._req.req, + (' (%sK)' % (size / 1000)) if size > 1000 else '')) + progress_indicator = (DownloadProgressBar(max=size).iter if size + else DownloadProgressSpinner().iter) + with open(path, 'wb') as file: + for chunk in progress_indicator(response_chunks(4096), 4096): + file.write(chunk) + + url = link.url.split('#', 1)[0] + try: + response = opener(urlparse(url).scheme != 'http').open(url) + except (HTTPError, IOError) as exc: + raise DownloadError(link, exc) + filename = best_filename(link, response) + try: + size = int(response.headers['content-length']) + except (ValueError, KeyError, TypeError): + size = 0 + pipe_to_file(response, join(self._temp_path, filename), size=size) + return filename + + # Based on req_set.prepare_files() in pip bb2a8428d4aebc8d313d05d590f386fa3f0bbd0f + @memoize # Avoid re-downloading. + def _downloaded_filename(self): + """Download the package's archive if necessary, and return its + filename. + + --no-deps is implied, as we have reimplemented the bits that would + ordinarily do dependency resolution. + + """ + # Peep doesn't support requirements that don't come down as a single + # file, because it can't hash them. Thus, it doesn't support editable + # requirements, because pip itself doesn't support editable + # requirements except for "local projects or a VCS url". Nor does it + # support VCS requirements yet, because we haven't yet come up with a + # portable, deterministic way to hash them. In summary, all we support + # is == requirements and tarballs/zips/etc. + + # TODO: Stop on reqs that are editable or aren't ==. + + # If the requirement isn't already specified as a URL, get a URL + # from an index: + link = self._link() or self._finder.find_requirement(self._req, upgrade=False) + + if link: + lower_scheme = link.scheme.lower() # pip lower()s it for some reason. + if lower_scheme == 'http' or lower_scheme == 'https': + file_path = self._download(link) + return basename(file_path) + elif lower_scheme == 'file': + # The following is inspired by pip's unpack_file_url(): + link_path = url_to_path(link.url_without_fragment) + if isdir(link_path): + raise UnsupportedRequirementError( + "%s: %s is a directory. So that it can compute " + "a hash, peep supports only filesystem paths which " + "point to files" % + (self._req, link.url_without_fragment)) + else: + copy(link_path, self._temp_path) + return basename(link_path) + else: + raise UnsupportedRequirementError( + "%s: The download link, %s, would not result in a file " + "that can be hashed. Peep supports only == requirements, " + "file:// URLs pointing to files (not folders), and " + "http:// and https:// URLs pointing to tarballs, zips, " + "etc." % (self._req, link.url)) + else: + raise UnsupportedRequirementError( + "%s: couldn't determine where to download this requirement from." + % (self._req,)) + + def install(self): + """Install the package I represent, without dependencies. + + Obey typical pip-install options passed in on the command line. + + """ + other_args = list(requirement_args(self._argv, want_other=True)) + archive_path = join(self._temp_path, self._downloaded_filename()) + # -U so it installs whether pip deems the requirement "satisfied" or + # not. This is necessary for GitHub-sourced zips, which change without + # their version numbers changing. + run_pip(['install'] + other_args + ['--no-deps', '-U', archive_path]) + + @memoize + def _actual_hash(self): + """Download the package's archive if necessary, and return its hash.""" + return hash_of_file(join(self._temp_path, self._downloaded_filename())) + + def _project_name(self): + """Return the inner Requirement's "unsafe name". + + Raise ValueError if there is no name. + + """ + name = getattr(self._req.req, 'project_name', '') + if name: + return name + raise ValueError('Requirement has no project_name.') + + def _name(self): + return self._req.name + + def _link(self): + try: + return self._req.link + except AttributeError: + # The link attribute isn't available prior to pip 6.1.0, so fall + # back to the now deprecated 'url' attribute. + return Link(self._req.url) if self._req.url else None + + def _url(self): + link = self._link() + return link.url if link else None + + @memoize # Avoid re-running expensive check_if_exists(). + def _is_satisfied(self): + self._req.check_if_exists() + return (self._req.satisfied_by and + not self._is_always_unsatisfied()) + + def _class(self): + """Return the class I should be, spanning a continuum of goodness.""" + try: + self._project_name() + except ValueError: + return MalformedReq + if self._is_satisfied(): + return SatisfiedReq + if not self._expected_hashes(): + return MissingReq + if self._actual_hash() not in self._expected_hashes(): + return MismatchedReq + return InstallableReq + + @classmethod + def foot(cls): + """Return the text to be printed once, after all of the errors from + classes of my type are printed. + + """ + return '' + + +class MalformedReq(DownloadedReq): + """A requirement whose package name could not be determined""" + + @classmethod + def head(cls): + return 'The following requirements could not be processed:\n' + + def error(self): + return '* Unable to determine package name from URL %s; add #egg=' % self._url() + + +class MissingReq(DownloadedReq): + """A requirement for which no hashes were specified in the requirements file""" + + @classmethod + def head(cls): + return ('The following packages had no hashes specified in the requirements file, which\n' + 'leaves them open to tampering. Vet these packages to your satisfaction, then\n' + 'add these "sha256" lines like so:\n\n') + + def error(self): + if self._url(): + # _url() always contains an #egg= part, or this would be a + # MalformedRequest. + line = self._url() + else: + line = '%s==%s' % (self._name(), self._version()) + return '# sha256: %s\n%s\n' % (self._actual_hash(), line) + + +class MismatchedReq(DownloadedReq): + """A requirement for which the downloaded file didn't match any of my hashes.""" + @classmethod + def head(cls): + return ("THE FOLLOWING PACKAGES DIDN'T MATCH THE HASHES SPECIFIED IN THE REQUIREMENTS\n" + "FILE. If you have updated the package versions, update the hashes. If not,\n" + "freak out, because someone has tampered with the packages.\n\n") + + def error(self): + preamble = ' %s: expected' % self._project_name() + if len(self._expected_hashes()) > 1: + preamble += ' one of' + padding = '\n' + ' ' * (len(preamble) + 1) + return '%s %s\n%s got %s' % (preamble, + padding.join(self._expected_hashes()), + ' ' * (len(preamble) - 4), + self._actual_hash()) + + @classmethod + def foot(cls): + return '\n' + + +class SatisfiedReq(DownloadedReq): + """A requirement which turned out to be already installed""" + + @classmethod + def head(cls): + return ("These packages were already installed, so we didn't need to download or build\n" + "them again. If you installed them with peep in the first place, you should be\n" + "safe. If not, uninstall them, then re-attempt your install with peep.\n") + + def error(self): + return ' %s' % (self._req,) + + +class InstallableReq(DownloadedReq): + """A requirement whose hash matched and can be safely installed""" + + +# DownloadedReq subclasses that indicate an error that should keep us from +# going forward with installation, in the order in which their errors should +# be reported: +ERROR_CLASSES = [MismatchedReq, MissingReq, MalformedReq] + + +def bucket(things, key): + """Return a map of key -> list of things.""" + ret = defaultdict(list) + for thing in things: + ret[key(thing)].append(thing) + return ret + + +def first_every_last(iterable, first, every, last): + """Execute something before the first item of iter, something else for each + item, and a third thing after the last. + + If there are no items in the iterable, don't execute anything. + + """ + did_first = False + for item in iterable: + if not did_first: + did_first = True + first(item) + every(item) + if did_first: + last(item) + + +def _parse_requirements(path, finder): + try: + # list() so the generator that is parse_requirements() actually runs + # far enough to report a TypeError + return list(parse_requirements( + path, options=EmptyOptions(), finder=finder)) + except TypeError: + # session is a required kwarg as of pip 6.0 and will raise + # a TypeError if missing. It needs to be a PipSession instance, + # but in older versions we can't import it from pip.download + # (nor do we need it at all) so we only import it in this except block + from pip.download import PipSession + return list(parse_requirements( + path, options=EmptyOptions(), session=PipSession(), finder=finder)) + + +def downloaded_reqs_from_path(path, argv): + """Return a list of DownloadedReqs representing the requirements parsed + out of a given requirements file. + + :arg path: The path to the requirements file + :arg argv: The commandline args, starting after the subcommand + + """ + finder = package_finder(argv) + return [DownloadedReq(req, argv, finder) for req in + _parse_requirements(path, finder)] + + +def peep_install(argv): + """Perform the ``peep install`` subcommand, returning a shell status code + or raising a PipException. + + :arg argv: The commandline args, starting after the subcommand + + """ + output = [] + out = output.append + reqs = [] + try: + req_paths = list(requirement_args(argv, want_paths=True)) + if not req_paths: + out("You have to specify one or more requirements files with the -r option, because\n" + "otherwise there's nowhere for peep to look up the hashes.\n") + return COMMAND_LINE_ERROR + + # We're a "peep install" command, and we have some requirement paths. + reqs = list(chain.from_iterable( + downloaded_reqs_from_path(path, argv) + for path in req_paths)) + buckets = bucket(reqs, lambda r: r.__class__) + + # Skip a line after pip's "Cleaning up..." so the important stuff + # stands out: + if any(buckets[b] for b in ERROR_CLASSES): + out('\n') + + printers = (lambda r: out(r.head()), + lambda r: out(r.error() + '\n'), + lambda r: out(r.foot())) + for c in ERROR_CLASSES: + first_every_last(buckets[c], *printers) + + if any(buckets[b] for b in ERROR_CLASSES): + out('-------------------------------\n' + 'Not proceeding to installation.\n') + return SOMETHING_WENT_WRONG + else: + for req in buckets[InstallableReq]: + req.install() + + first_every_last(buckets[SatisfiedReq], *printers) + + return ITS_FINE_ITS_FINE + except (UnsupportedRequirementError, DownloadError) as exc: + out(str(exc)) + return SOMETHING_WENT_WRONG + finally: + for req in reqs: + req.dispose() + print(''.join(output)) + + +def peep_port(paths): + """Convert a peep requirements file to one compatble with pip-8 hashing. + + Loses comments and tromps on URLs, so the result will need a little manual + massaging, but the hard part--the hash conversion--is done for you. + + """ + if not paths: + print('Please specify one or more requirements files so I have ' + 'something to port.\n') + return COMMAND_LINE_ERROR + for req in chain.from_iterable( + _parse_requirements(path, package_finder(argv)) for path in paths): + hashes = [hexlify(urlsafe_b64decode((hash + '=').encode('ascii'))).decode('ascii') + for hash in hashes_above(*path_and_line(req))] + if not hashes: + print(req.req) + elif len(hashes) == 1: + print('%s --hash=sha256:%s' % (req.req, hashes[0])) + else: + print('%s' % req.req, end='') + for hash in hashes: + print(' \\') + print(' --hash=sha256:%s' % hash, end='') + print() + + +def main(): + """Be the top-level entrypoint. Return a shell status code.""" + commands = {'hash': peep_hash, + 'install': peep_install, + 'port': peep_port} + try: + if len(argv) >= 2 and argv[1] in commands: + return commands[argv[1]](argv[2:]) + else: + # Fall through to top-level pip main() for everything else: + return pip.main() + except PipException as exc: + return exc.error_code + + +def exception_handler(exc_type, exc_value, exc_tb): + print('Oh no! Peep had a problem while trying to do stuff. Please write up a bug report') + print('with the specifics so we can fix it:') + print() + print('https://github.com/erikrose/peep/issues/new') + print() + print('Here are some particulars you can copy and paste into the bug report:') + print() + print('---') + print('peep:', repr(__version__)) + print('python:', repr(sys.version)) + print('pip:', repr(getattr(pip, '__version__', 'no __version__ attr'))) + print('Command line: ', repr(sys.argv)) + print( + ''.join(traceback.format_exception(exc_type, exc_value, exc_tb))) + print('---') + + +if __name__ == '__main__': + try: + exit(main()) + except Exception: + exception_handler(*sys.exc_info()) + exit(SOMETHING_WENT_WRONG) + +UNLIKELY_EOF + # ------------------------------------------------------------------------- + set +e + PEEP_OUT=`"$VENV_BIN/python" "$TEMP_DIR/peep.py" install -r "$TEMP_DIR/letsencrypt-auto-requirements.txt"` + PEEP_STATUS=$? + set -e + rm -rf "$TEMP_DIR" + if [ "$PEEP_STATUS" != 0 ]; then + # Report error. (Otherwise, be quiet.) + echo "Had a problem while downloading and verifying Python packages:" + echo "$PEEP_OUT" + exit 1 + fi + fi + echo "Requesting root privileges to run letsencrypt..." + echo " " $SUDO "$VENV_BIN/letsencrypt" "$@" + $SUDO "$VENV_BIN/letsencrypt" "$@" +else + # Phase 1: Upgrade letsencrypt-auto if neceesary, then self-invoke. + # + # Each phase checks the version of only the thing it is responsible for + # upgrading. Phase 1 checks the version of the latest release of + # letsencrypt-auto (which is always the same as that of the letsencrypt + # package). Phase 2 checks the version of the locally installed letsencrypt. + + if [ ! -f "$VENV_BIN/letsencrypt" ]; then + # If it looks like we've never bootstrapped before, bootstrap: + Bootstrap + fi + if [ "$OS_PACKAGES_ONLY" = 1 ]; then + echo "OS packages installed." + exit 0 + fi + + echo "Checking for new version..." + TEMP_DIR=$(TempDir) + # --------------------------------------------------------------------------- + cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py" +"""Do downloading and JSON parsing without additional dependencies. :: + + # Print latest released version of LE to stdout: + python fetch.py --latest-version + + # Download letsencrypt-auto script from git tag v1.2.3 into the folder I'm + # in, and make sure its signature verifies: + python fetch.py --le-auto-script v1.2.3 + +On failure, return non-zero. + +""" +from distutils.version import LooseVersion +from json import loads +from os import devnull, environ +from os.path import dirname, join +import re +from subprocess import check_call, CalledProcessError +from sys import argv, exit +from urllib2 import build_opener, HTTPHandler, HTTPSHandler, HTTPError + +PUBLIC_KEY = environ.get('LE_AUTO_PUBLIC_KEY', """-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbq +OzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18 +xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp +9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiij +n9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XH +cXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+ +CQIDAQAB +-----END PUBLIC KEY----- +""") + +class ExpectedError(Exception): + """A novice-readable exception that also carries the original exception for + debugging""" + + +class HttpsGetter(object): + def __init__(self): + """Build an HTTPS opener.""" + # Based on pip 1.4.1's URLOpener + # This verifies certs on only Python >=2.7.9. + self._opener = build_opener(HTTPSHandler()) + # Strip out HTTPHandler to prevent MITM spoof: + for handler in self._opener.handlers: + if isinstance(handler, HTTPHandler): + self._opener.handlers.remove(handler) + + def get(self, url): + """Return the document contents pointed to by an HTTPS URL. + + If something goes wrong (404, timeout, etc.), raise ExpectedError. + + """ + try: + return self._opener.open(url).read() + except (HTTPError, IOError) as exc: + raise ExpectedError("Couldn't download %s." % url, exc) + + +def write(contents, dir, filename): + """Write something to a file in a certain directory.""" + with open(join(dir, filename), 'w') as file: + file.write(contents) + + +def latest_stable_version(get): + """Return the latest stable release of letsencrypt.""" + metadata = loads(get( + environ.get('LE_AUTO_JSON_URL', + 'https://pypi.python.org/pypi/letsencrypt/json'))) + # metadata['info']['version'] actually returns the latest of any kind of + # release release, contrary to https://wiki.python.org/moin/PyPIJSON. + # The regex is a sufficient regex for picking out prereleases for most + # packages, LE included. + return str(max(LooseVersion(r) for r + in metadata['releases'].iterkeys() + if re.match('^[0-9.]+$', r))) + + +def verified_new_le_auto(get, tag, temp_dir): + """Return the path to a verified, up-to-date letsencrypt-auto script. + + If the download's signature does not verify or something else goes wrong + with the verification process, raise ExpectedError. + + """ + le_auto_dir = environ.get( + 'LE_AUTO_DIR_TEMPLATE', + 'https://raw.githubusercontent.com/letsencrypt/letsencrypt/%s/' + 'letsencrypt-auto-source/') % tag + write(get(le_auto_dir + 'letsencrypt-auto'), temp_dir, 'letsencrypt-auto') + write(get(le_auto_dir + 'letsencrypt-auto.sig'), temp_dir, 'letsencrypt-auto.sig') + write(PUBLIC_KEY, temp_dir, 'public_key.pem') + try: + with open(devnull, 'w') as dev_null: + check_call(['openssl', 'dgst', '-sha256', '-verify', + join(temp_dir, 'public_key.pem'), + '-signature', + join(temp_dir, 'letsencrypt-auto.sig'), + join(temp_dir, 'letsencrypt-auto')], + stdout=dev_null, + stderr=dev_null) + except CalledProcessError as exc: + raise ExpectedError("Couldn't verify signature of downloaded " + "letsencrypt-auto.", exc) + + +def main(): + get = HttpsGetter().get + flag = argv[1] + try: + if flag == '--latest-version': + print latest_stable_version(get) + elif flag == '--le-auto-script': + tag = argv[2] + verified_new_le_auto(get, tag, dirname(argv[0])) + except ExpectedError as exc: + print exc.args[0], exc.args[1] + return 1 + else: + return 0 + + +if __name__ == '__main__': + exit(main()) + +UNLIKELY_EOF + # --------------------------------------------------------------------------- + DeterminePythonVersion + REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` + if [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then + echo "Upgrading letsencrypt-auto $LE_AUTO_VERSION to $REMOTE_VERSION..." + + # Now we drop into Python so we don't have to install even more + # dependencies (curl, etc.), for better flow control, and for the option of + # future Windows compatibility. + "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION" + + # Install new copy of letsencrypt-auto. This preserves permissions and + # ownership from the old copy. + # TODO: Deal with quotes in pathnames. + echo "Replacing letsencrypt-auto..." + echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + # TODO: Clean up temp dir safely, even if it has quotes in its path. + rm -rf "$TEMP_DIR" + fi # should upgrade + "$0" --no-self-upgrade "$@" +fi diff --git a/tools/release.sh b/tools/release.sh index 6ec83053f..02e3d00b8 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -171,7 +171,10 @@ while ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \ read -p "Please correctly sign letsencrypt-auto with offline-signrequest.sh" done -git add letsencrypt-auto-source +# copy leauto to the root, overwriting the previous release version +cp -p letsencrypt-auto-source/letsencrypt-auto letsencrypt-auto + +git add letsencrypt-auto letsencrypt-auto-source git diff --cached git commit --gpg-sign="$RELEASE_GPG_KEY" -m "Release $version" git tag --local-user "$RELEASE_GPG_KEY" --sign --message "Release $version" "$tag" From 0062678f7d4c5e7ced4c0c1e9e18c3b155bf7208 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 19 Feb 2016 12:20:32 -0800 Subject: [PATCH 104/141] A temporary save is a good save --- letsencrypt-apache/letsencrypt_apache/tls_sni_01.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt-apache/letsencrypt_apache/tls_sni_01.py b/letsencrypt-apache/letsencrypt_apache/tls_sni_01.py index cc1d749a0..30a3d3ef5 100644 --- a/letsencrypt-apache/letsencrypt_apache/tls_sni_01.py +++ b/letsencrypt-apache/letsencrypt_apache/tls_sni_01.py @@ -62,7 +62,7 @@ class ApacheTlsSni01(common.TLSSNI01): return [] # Save any changes to the configuration as a precaution # About to make temporary changes to the config - self.configurator.save() + self.configurator.save("Changes before challenge setup", True) # Prepare the server for HTTPS self.configurator.prepare_server_https( From 2d2c98aa9df307844328de4cd5c9b22e71d24ceb Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Fri, 19 Feb 2016 13:47:10 -0800 Subject: [PATCH 105/141] add a check for wildcards --- .../letsencrypt_apache/configurator.py | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index cbc451ac9..6cb7c12d4 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -342,6 +342,14 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): self.assoc[target_name] = vhost return vhost + def included_in_wildcard(self, names, target_name): + """Helper function to see if alias is covered by wildcard""" + wildcards = [domain for domain in names if domain.startswith("*")] + for wildcard in wildcards: + if wildcard.split(".")[1] == target_name.split(".")[1]: + return True + return False + def _find_best_vhost(self, target_name): """Finds the best vhost for a target_name. @@ -360,7 +368,10 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): for vhost in self.vhosts: if vhost.modmacro is True: continue - if target_name in vhost.get_names(): + names = vhost.get_names() + if target_name in names: + points = 3 + elif self.included_in_wildcard(names, target_name): points = 2 elif any(addr.get_addr() == target_name for addr in vhost.addrs): points = 1 From f9a3abeeae43e286cdf94f3198c709a594f9171f Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 19 Feb 2016 17:58:37 -0800 Subject: [PATCH 106/141] fixes #2247 --- letsencrypt-apache/letsencrypt_apache/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt-apache/letsencrypt_apache/parser.py b/letsencrypt-apache/letsencrypt_apache/parser.py index 3c13aae5f..f49ac0acc 100644 --- a/letsencrypt-apache/letsencrypt_apache/parser.py +++ b/letsencrypt-apache/letsencrypt_apache/parser.py @@ -477,7 +477,7 @@ class ApacheParser(object): # Note: This works for augeas globs, ie. *.conf if use_new: inc_test = self.aug.match( - "/augeas/load/Httpd/incl [. ='%s']" % filepath) + "/augeas/load/Httpd['%s' =~ glob(incl)]" % filepath) if not inc_test: # Load up files # This doesn't seem to work on TravisCI From b6142c13d65e45c9b7e624fd8c416d604dc95c06 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roy=20Wellington=20=E2=85=A3?= Date: Fri, 19 Feb 2016 22:08:40 -0800 Subject: [PATCH 107/141] Change zope's implements to be a class decorator. When attempting to import any module that uses zope.interface.implements in Python 3, a TypeError is raised; it reads: TypeError: Class advice impossible in Python3. Use the @implementer class decorator instead. Following the listed advice seems to function in Python 3. --- examples/plugins/letsencrypt_example_plugins.py | 4 ++-- letsencrypt-apache/letsencrypt_apache/configurator.py | 2 +- .../configurators/apache/apache24.py | 3 +-- .../configurators/apache/common.py | 3 +-- .../letsencrypt_compatibility_test/validator.py | 2 +- letsencrypt-nginx/letsencrypt_nginx/configurator.py | 2 +- letsencrypt/configuration.py | 2 +- letsencrypt/continuity_auth.py | 2 +- letsencrypt/display/util.py | 9 +++------ letsencrypt/plugins/common.py | 2 +- letsencrypt/plugins/manual.py | 2 +- letsencrypt/plugins/null.py | 2 +- letsencrypt/plugins/standalone.py | 2 +- letsencrypt/plugins/webroot.py | 2 +- letsencrypt/reporter.py | 2 +- 15 files changed, 18 insertions(+), 23 deletions(-) diff --git a/examples/plugins/letsencrypt_example_plugins.py b/examples/plugins/letsencrypt_example_plugins.py index 2810d0d40..990d7787c 100644 --- a/examples/plugins/letsencrypt_example_plugins.py +++ b/examples/plugins/letsencrypt_example_plugins.py @@ -9,9 +9,9 @@ from letsencrypt import interfaces from letsencrypt.plugins import common +@zope.interface.implementer(interfaces.IAuthenticator) class Authenticator(common.Plugin): """Example Authenticator.""" - zope.interface.implements(interfaces.IAuthenticator) zope.interface.classProvides(interfaces.IPluginFactory) description = "Example Authenticator plugin" @@ -20,9 +20,9 @@ class Authenticator(common.Plugin): # "self" as first argument, e.g. def prepare(self)... +@zope.interface.implementer(interfaces.IInstaller) class Installer(common.Plugin): """Example Installer.""" - zope.interface.implements(interfaces.IInstaller) zope.interface.classProvides(interfaces.IPluginFactory) description = "Example Installer plugin" diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index f4a407974..20e73eb1e 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -60,6 +60,7 @@ logger = logging.getLogger(__name__) # sites-available doesn't allow immediate find_dir search even with save() # and load() +@zope.interface.implementer(interfaces.IAuthenticator, interfaces.IInstaller) class ApacheConfigurator(augeas_configurator.AugeasConfigurator): # pylint: disable=too-many-instance-attributes,too-many-public-methods """Apache configurator. @@ -80,7 +81,6 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): :ivar dict assoc: Mapping between domains and vhosts """ - zope.interface.implements(interfaces.IAuthenticator, interfaces.IInstaller) zope.interface.classProvides(interfaces.IPluginFactory) description = "Apache Web Server - Alpha" diff --git a/letsencrypt-compatibility-test/letsencrypt_compatibility_test/configurators/apache/apache24.py b/letsencrypt-compatibility-test/letsencrypt_compatibility_test/configurators/apache/apache24.py index 3cc6fdf8e..a68f53689 100644 --- a/letsencrypt-compatibility-test/letsencrypt_compatibility_test/configurators/apache/apache24.py +++ b/letsencrypt-compatibility-test/letsencrypt_compatibility_test/configurators/apache/apache24.py @@ -34,11 +34,10 @@ SHARED_MODULES = { "vhost_alias"} +@zope.interface.implementer(interfaces.IConfiguratorProxy) class Proxy(apache_common.Proxy): """Wraps the ApacheConfigurator for Apache 2.4 tests""" - zope.interface.implements(interfaces.IConfiguratorProxy) - def __init__(self, args): """Initializes the plugin with the given command line args""" super(Proxy, self).__init__(args) diff --git a/letsencrypt-compatibility-test/letsencrypt_compatibility_test/configurators/apache/common.py b/letsencrypt-compatibility-test/letsencrypt_compatibility_test/configurators/apache/common.py index 5fef8c47f..d383963a3 100644 --- a/letsencrypt-compatibility-test/letsencrypt_compatibility_test/configurators/apache/common.py +++ b/letsencrypt-compatibility-test/letsencrypt_compatibility_test/configurators/apache/common.py @@ -19,12 +19,11 @@ APACHE_VERSION_REGEX = re.compile(r"Apache/([0-9\.]*)", re.IGNORECASE) APACHE_COMMANDS = ["apachectl", "a2enmod", "a2dismod"] +@zope.interface.implementer(interfaces.IConfiguratorProxy) class Proxy(configurators_common.Proxy): # pylint: disable=too-many-instance-attributes """A common base for Apache test configurators""" - zope.interface.implements(interfaces.IConfiguratorProxy) - def __init__(self, args): """Initializes the plugin with the given command line args""" super(Proxy, self).__init__(args) diff --git a/letsencrypt-compatibility-test/letsencrypt_compatibility_test/validator.py b/letsencrypt-compatibility-test/letsencrypt_compatibility_test/validator.py index e5386f290..90ce108c0 100644 --- a/letsencrypt-compatibility-test/letsencrypt_compatibility_test/validator.py +++ b/letsencrypt-compatibility-test/letsencrypt_compatibility_test/validator.py @@ -12,10 +12,10 @@ from letsencrypt import interfaces logger = logging.getLogger(__name__) +@zope.interface.implementer(interfaces.IValidator) class Validator(object): # pylint: disable=no-self-use """Collection of functions to test a live webserver's configuration""" - zope.interface.implements(interfaces.IValidator) def certificate(self, cert, name, alt_host=None, port=443): """Verifies the certificate presented at name is cert""" diff --git a/letsencrypt-nginx/letsencrypt_nginx/configurator.py b/letsencrypt-nginx/letsencrypt_nginx/configurator.py index d2f45a8c2..876d843f5 100644 --- a/letsencrypt-nginx/letsencrypt_nginx/configurator.py +++ b/letsencrypt-nginx/letsencrypt_nginx/configurator.py @@ -31,6 +31,7 @@ from letsencrypt_nginx import parser logger = logging.getLogger(__name__) +@zope.interface.implementer(interfaces.IAuthenticator, interfaces.IInstaller) class NginxConfigurator(common.Plugin): # pylint: disable=too-many-instance-attributes,too-many-public-methods """Nginx configurator. @@ -52,7 +53,6 @@ class NginxConfigurator(common.Plugin): :ivar tup version: version of Nginx """ - zope.interface.implements(interfaces.IAuthenticator, interfaces.IInstaller) zope.interface.classProvides(interfaces.IPluginFactory) description = "Nginx Web Server - currently doesn't work" diff --git a/letsencrypt/configuration.py b/letsencrypt/configuration.py index c49751a6c..062722346 100644 --- a/letsencrypt/configuration.py +++ b/letsencrypt/configuration.py @@ -11,6 +11,7 @@ from letsencrypt import interfaces from letsencrypt import le_util +@zope.interface.implementer(interfaces.IConfig) class NamespaceConfig(object): """Configuration wrapper around :class:`argparse.Namespace`. @@ -32,7 +33,6 @@ class NamespaceConfig(object): :type namespace: :class:`argparse.Namespace` """ - zope.interface.implements(interfaces.IConfig) def __init__(self, namespace): self.namespace = namespace diff --git a/letsencrypt/continuity_auth.py b/letsencrypt/continuity_auth.py index 52d0cee8e..28612bb17 100644 --- a/letsencrypt/continuity_auth.py +++ b/letsencrypt/continuity_auth.py @@ -9,6 +9,7 @@ from letsencrypt import interfaces from letsencrypt import proof_of_possession +@zope.interface.implementer(interfaces.IAuthenticator) class ContinuityAuthenticator(object): """IAuthenticator for :const:`~acme.challenges.ContinuityChallenge` class challenges. @@ -18,7 +19,6 @@ class ContinuityAuthenticator(object): :class:`letsencrypt.proof_of_possession.Proof_of_Possession` """ - zope.interface.implements(interfaces.IAuthenticator) # This will have an installer soon for get_key/cert purposes def __init__(self, config, installer): # pylint: disable=unused-argument diff --git a/letsencrypt/display/util.py b/letsencrypt/display/util.py index 976a2afdf..84049c47c 100644 --- a/letsencrypt/display/util.py +++ b/letsencrypt/display/util.py @@ -36,11 +36,10 @@ def _wrap_lines(msg): fixed_l.append(textwrap.fill(line, 80)) return os.linesep.join(fixed_l) +@zope.interface.implementer(interfaces.IDisplay) class NcursesDisplay(object): """Ncurses-based display.""" - zope.interface.implements(interfaces.IDisplay) - def __init__(self, width=WIDTH, height=HEIGHT): super(NcursesDisplay, self).__init__() self.dialog = dialog.Dialog() @@ -176,11 +175,10 @@ class NcursesDisplay(object): message, width=self.width, height=self.height, choices=choices) +@zope.interface.implementer(interfaces.IDisplay) class FileDisplay(object): """File-based display.""" - zope.interface.implements(interfaces.IDisplay) - def __init__(self, outfile): super(FileDisplay, self).__init__() self.outfile = outfile @@ -411,11 +409,10 @@ class FileDisplay(object): return OK, selection +@zope.interface.implementer(interfaces.IDisplay) class NoninteractiveDisplay(object): """An iDisplay implementation that never asks for interactive user input""" - zope.interface.implements(interfaces.IDisplay) - def __init__(self, outfile): super(NoninteractiveDisplay, self).__init__() self.outfile = outfile diff --git a/letsencrypt/plugins/common.py b/letsencrypt/plugins/common.py index 37738f5c0..2a32df96e 100644 --- a/letsencrypt/plugins/common.py +++ b/letsencrypt/plugins/common.py @@ -31,9 +31,9 @@ hostname_regex = re.compile( r"^(([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*[a-z]+$", re.IGNORECASE) +@zope.interface.implementer(interfaces.IPlugin) class Plugin(object): """Generic plugin.""" - zope.interface.implements(interfaces.IPlugin) # classProvides is not inherited, subclasses must define it on their own #zope.interface.classProvides(interfaces.IPluginFactory) diff --git a/letsencrypt/plugins/manual.py b/letsencrypt/plugins/manual.py index 0e516b5b0..248b4ca58 100644 --- a/letsencrypt/plugins/manual.py +++ b/letsencrypt/plugins/manual.py @@ -23,6 +23,7 @@ from letsencrypt.plugins import common logger = logging.getLogger(__name__) +@zope.interface.implementer(interfaces.IAuthenticator) class Authenticator(common.Plugin): """Manual Authenticator. @@ -34,7 +35,6 @@ class Authenticator(common.Plugin): .. todo:: Support for `~.challenges.TLSSNI01`. """ - zope.interface.implements(interfaces.IAuthenticator) zope.interface.classProvides(interfaces.IPluginFactory) hidden = True diff --git a/letsencrypt/plugins/null.py b/letsencrypt/plugins/null.py index cdb96a116..55734a16d 100644 --- a/letsencrypt/plugins/null.py +++ b/letsencrypt/plugins/null.py @@ -11,9 +11,9 @@ from letsencrypt.plugins import common logger = logging.getLogger(__name__) +@zope.interface.implementer(interfaces.IInstaller) class Installer(common.Plugin): """Null installer.""" - zope.interface.implements(interfaces.IInstaller) zope.interface.classProvides(interfaces.IPluginFactory) description = "Null Installer" diff --git a/letsencrypt/plugins/standalone.py b/letsencrypt/plugins/standalone.py index a27b9f5c8..1bb7da658 100644 --- a/letsencrypt/plugins/standalone.py +++ b/letsencrypt/plugins/standalone.py @@ -135,6 +135,7 @@ def supported_challenges_validator(data): return data +@zope.interface.implementer(interfaces.IAuthenticator) class Authenticator(common.Plugin): """Standalone Authenticator. @@ -143,7 +144,6 @@ class Authenticator(common.Plugin): challenges from the certificate authority. Therefore, it does not rely on any existing server program. """ - zope.interface.implements(interfaces.IAuthenticator) zope.interface.classProvides(interfaces.IPluginFactory) description = "Automatically use a temporary webserver" diff --git a/letsencrypt/plugins/webroot.py b/letsencrypt/plugins/webroot.py index 49f779bb8..67dd36686 100644 --- a/letsencrypt/plugins/webroot.py +++ b/letsencrypt/plugins/webroot.py @@ -17,9 +17,9 @@ from letsencrypt.plugins import common logger = logging.getLogger(__name__) +@zope.interface.implementer(interfaces.IAuthenticator) class Authenticator(common.Plugin): """Webroot Authenticator.""" - zope.interface.implements(interfaces.IAuthenticator) zope.interface.classProvides(interfaces.IPluginFactory) description = "Webroot Authenticator" diff --git a/letsencrypt/reporter.py b/letsencrypt/reporter.py index c0c7856a7..81106be34 100644 --- a/letsencrypt/reporter.py +++ b/letsencrypt/reporter.py @@ -17,6 +17,7 @@ from letsencrypt import le_util logger = logging.getLogger(__name__) +@zope.interface.implementer(interfaces.IReporter) class Reporter(object): """Collects and displays information to the user. @@ -24,7 +25,6 @@ class Reporter(object): the user. """ - zope.interface.implements(interfaces.IReporter) HIGH_PRIORITY = 0 """High priority constant. See `add_message`.""" From e9d981acebd0c0d4ba4b5e504fc4687dbc6610e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roy=20Wellington=20=E2=85=A3?= Date: Fri, 19 Feb 2016 22:08:40 -0800 Subject: [PATCH 108/141] Change zope's classProvides to be a class decorator. When attempting to import any module that uses zope.interface.classProvides in Python 3, a TypeError is raised; it reads: TypeError: Class advice impossible in Python3. Use the @provider class decorator instead. Following the listed advice seems to function in Python 3. --- examples/plugins/letsencrypt_example_plugins.py | 4 ++-- letsencrypt-apache/letsencrypt_apache/configurator.py | 2 +- letsencrypt-nginx/letsencrypt_nginx/configurator.py | 2 +- letsencrypt/plugins/common.py | 4 ++-- letsencrypt/plugins/manual.py | 2 +- letsencrypt/plugins/null.py | 2 +- letsencrypt/plugins/standalone.py | 2 +- letsencrypt/plugins/webroot.py | 2 +- 8 files changed, 10 insertions(+), 10 deletions(-) diff --git a/examples/plugins/letsencrypt_example_plugins.py b/examples/plugins/letsencrypt_example_plugins.py index 990d7787c..5c22ca7ff 100644 --- a/examples/plugins/letsencrypt_example_plugins.py +++ b/examples/plugins/letsencrypt_example_plugins.py @@ -10,9 +10,9 @@ from letsencrypt.plugins import common @zope.interface.implementer(interfaces.IAuthenticator) +@zope.interface.provider(interfaces.IPluginFactory) class Authenticator(common.Plugin): """Example Authenticator.""" - zope.interface.classProvides(interfaces.IPluginFactory) description = "Example Authenticator plugin" @@ -21,9 +21,9 @@ class Authenticator(common.Plugin): @zope.interface.implementer(interfaces.IInstaller) +@zope.interface.provider(interfaces.IPluginFactory) class Installer(common.Plugin): """Example Installer.""" - zope.interface.classProvides(interfaces.IPluginFactory) description = "Example Installer plugin" diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index 20e73eb1e..6f03ce4ee 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -61,6 +61,7 @@ logger = logging.getLogger(__name__) # and load() @zope.interface.implementer(interfaces.IAuthenticator, interfaces.IInstaller) +@zope.interface.provider(interfaces.IPluginFactory) class ApacheConfigurator(augeas_configurator.AugeasConfigurator): # pylint: disable=too-many-instance-attributes,too-many-public-methods """Apache configurator. @@ -81,7 +82,6 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): :ivar dict assoc: Mapping between domains and vhosts """ - zope.interface.classProvides(interfaces.IPluginFactory) description = "Apache Web Server - Alpha" diff --git a/letsencrypt-nginx/letsencrypt_nginx/configurator.py b/letsencrypt-nginx/letsencrypt_nginx/configurator.py index 876d843f5..3a45a2e0e 100644 --- a/letsencrypt-nginx/letsencrypt_nginx/configurator.py +++ b/letsencrypt-nginx/letsencrypt_nginx/configurator.py @@ -32,6 +32,7 @@ logger = logging.getLogger(__name__) @zope.interface.implementer(interfaces.IAuthenticator, interfaces.IInstaller) +@zope.interface.provider(interfaces.IPluginFactory) class NginxConfigurator(common.Plugin): # pylint: disable=too-many-instance-attributes,too-many-public-methods """Nginx configurator. @@ -53,7 +54,6 @@ class NginxConfigurator(common.Plugin): :ivar tup version: version of Nginx """ - zope.interface.classProvides(interfaces.IPluginFactory) description = "Nginx Web Server - currently doesn't work" diff --git a/letsencrypt/plugins/common.py b/letsencrypt/plugins/common.py index 2a32df96e..319692344 100644 --- a/letsencrypt/plugins/common.py +++ b/letsencrypt/plugins/common.py @@ -34,8 +34,8 @@ hostname_regex = re.compile( @zope.interface.implementer(interfaces.IPlugin) class Plugin(object): """Generic plugin.""" - # classProvides is not inherited, subclasses must define it on their own - #zope.interface.classProvides(interfaces.IPluginFactory) + # provider is not inherited, subclasses must define it on their own + # @zope.interface.provider(interfaces.IPluginFactory) def __init__(self, config, name): self.config = config diff --git a/letsencrypt/plugins/manual.py b/letsencrypt/plugins/manual.py index 248b4ca58..47c8ff6e4 100644 --- a/letsencrypt/plugins/manual.py +++ b/letsencrypt/plugins/manual.py @@ -24,6 +24,7 @@ logger = logging.getLogger(__name__) @zope.interface.implementer(interfaces.IAuthenticator) +@zope.interface.provider(interfaces.IPluginFactory) class Authenticator(common.Plugin): """Manual Authenticator. @@ -35,7 +36,6 @@ class Authenticator(common.Plugin): .. todo:: Support for `~.challenges.TLSSNI01`. """ - zope.interface.classProvides(interfaces.IPluginFactory) hidden = True description = "Manually configure an HTTP server" diff --git a/letsencrypt/plugins/null.py b/letsencrypt/plugins/null.py index 55734a16d..2c643d495 100644 --- a/letsencrypt/plugins/null.py +++ b/letsencrypt/plugins/null.py @@ -12,9 +12,9 @@ logger = logging.getLogger(__name__) @zope.interface.implementer(interfaces.IInstaller) +@zope.interface.provider(interfaces.IPluginFactory) class Installer(common.Plugin): """Null installer.""" - zope.interface.classProvides(interfaces.IPluginFactory) description = "Null Installer" hidden = True diff --git a/letsencrypt/plugins/standalone.py b/letsencrypt/plugins/standalone.py index 1bb7da658..acc253bca 100644 --- a/letsencrypt/plugins/standalone.py +++ b/letsencrypt/plugins/standalone.py @@ -136,6 +136,7 @@ def supported_challenges_validator(data): @zope.interface.implementer(interfaces.IAuthenticator) +@zope.interface.provider(interfaces.IPluginFactory) class Authenticator(common.Plugin): """Standalone Authenticator. @@ -144,7 +145,6 @@ class Authenticator(common.Plugin): challenges from the certificate authority. Therefore, it does not rely on any existing server program. """ - zope.interface.classProvides(interfaces.IPluginFactory) description = "Automatically use a temporary webserver" diff --git a/letsencrypt/plugins/webroot.py b/letsencrypt/plugins/webroot.py index 67dd36686..0e3ebe1a7 100644 --- a/letsencrypt/plugins/webroot.py +++ b/letsencrypt/plugins/webroot.py @@ -18,9 +18,9 @@ logger = logging.getLogger(__name__) @zope.interface.implementer(interfaces.IAuthenticator) +@zope.interface.provider(interfaces.IPluginFactory) class Authenticator(common.Plugin): """Webroot Authenticator.""" - zope.interface.classProvides(interfaces.IPluginFactory) description = "Webroot Authenticator" From 9f372bfa38d9594ea924042a10379b47818fb130 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roy=20Wellington=20=E2=85=A3?= Date: Sat, 20 Feb 2016 01:38:45 -0800 Subject: [PATCH 109/141] Don't mix tabs & spaces in Python. It's a bit silly, and might cause someone a lot of grief to debug. --- .../letsencrypt_nginx/tests/parser_test.py | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/letsencrypt-nginx/letsencrypt_nginx/tests/parser_test.py b/letsencrypt-nginx/letsencrypt_nginx/tests/parser_test.py index b64f1dee3..b597fcad5 100644 --- a/letsencrypt-nginx/letsencrypt_nginx/tests/parser_test.py +++ b/letsencrypt-nginx/letsencrypt_nginx/tests/parser_test.py @@ -230,23 +230,23 @@ class NginxParserTest(util.NginxTest): def test_parse_server_ssl(self): server = parser.parse_server([ - ['listen', '443'] - ]) + ['listen', '443'] + ]) self.assertFalse(server['ssl']) server = parser.parse_server([ - ['listen', '443 ssl'] - ]) + ['listen', '443 ssl'] + ]) self.assertTrue(server['ssl']) server = parser.parse_server([ - ['listen', '443'], ['ssl', 'off'] - ]) + ['listen', '443'], ['ssl', 'off'] + ]) self.assertFalse(server['ssl']) server = parser.parse_server([ - ['listen', '443'], ['ssl', 'on'] - ]) + ['listen', '443'], ['ssl', 'on'] + ]) self.assertTrue(server['ssl']) if __name__ == "__main__": From 29d16b027eea4c831e5cc1f593da3432eec1c465 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sat, 20 Feb 2016 11:01:10 +0000 Subject: [PATCH 110/141] Separate pep8 config for acme. --- acme/.pep8 | 4 ++++ pep8.travis.sh | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 acme/.pep8 diff --git a/acme/.pep8 b/acme/.pep8 new file mode 100644 index 000000000..22045d3d3 --- /dev/null +++ b/acme/.pep8 @@ -0,0 +1,4 @@ +[pep8] +# E265 block comment should start with '# ' +# E501 line too long (X > 79 characters) +ignore = E265,E501 diff --git a/pep8.travis.sh b/pep8.travis.sh index 13a727596..91124bdbd 100755 --- a/pep8.travis.sh +++ b/pep8.travis.sh @@ -3,7 +3,7 @@ set -e # Fail fast # PEP8 is not ignored in ACME -pep8 acme +pep8 --config=acme/.pep8 acme pep8 \ setup.py \ From db4135a3ec50800371ca0562cd85191e35c6a676 Mon Sep 17 00:00:00 2001 From: bmw Date: Mon, 22 Feb 2016 11:21:04 -0800 Subject: [PATCH 111/141] Revert "Revert "Let --no-self-upgrade bootstrap OS packages. Fix #2432."" --- letsencrypt-auto-source/Dockerfile | 2 +- letsencrypt-auto-source/letsencrypt-auto | 52 ++++++++++--------- .../letsencrypt-auto.template | 52 ++++++++++--------- 3 files changed, 57 insertions(+), 49 deletions(-) diff --git a/letsencrypt-auto-source/Dockerfile b/letsencrypt-auto-source/Dockerfile index fd7fe4851..ad2465fda 100644 --- a/letsencrypt-auto-source/Dockerfile +++ b/letsencrypt-auto-source/Dockerfile @@ -17,7 +17,7 @@ RUN apt-get update && \ apt-get clean RUN pip install nose -RUN mkdir -p /home/lea/letsencrypt/letsencrypt +RUN mkdir -p /home/lea/letsencrypt # Install fake testing CA: COPY ./tests/certs/ca/my-root-ca.crt.pem /usr/local/share/ca-certificates/ diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index b542c8d3e..743770f35 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -422,9 +422,10 @@ TempDir() { -if [ "$NO_SELF_UPGRADE" = 1 ]; then +if [ "$1" = "--le-auto-phase2" ]; then # Phase 2: Create venv, install LE, and run. + shift 1 # the --le-auto-phase2 arg if [ -f "$VENV_BIN/letsencrypt" ]; then INSTALLED_VERSION=$("$VENV_BIN/letsencrypt" --version 2>&1 | cut -d " " -f 2) else @@ -1665,10 +1666,11 @@ else exit 0 fi - echo "Checking for new version..." - TEMP_DIR=$(TempDir) - # --------------------------------------------------------------------------- - cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py" + if [ "$NO_SELF_UPGRADE" != 1 ]; then + echo "Checking for new version..." + TEMP_DIR=$(TempDir) + # --------------------------------------------------------------------------- + cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py" """Do downloading and JSON parsing without additional dependencies. :: # Print latest released version of LE to stdout: @@ -1797,25 +1799,27 @@ if __name__ == '__main__': exit(main()) UNLIKELY_EOF - # --------------------------------------------------------------------------- - DeterminePythonVersion - REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` - if [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then - echo "Upgrading letsencrypt-auto $LE_AUTO_VERSION to $REMOTE_VERSION..." + # --------------------------------------------------------------------------- + DeterminePythonVersion + REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` + if [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then + echo "Upgrading letsencrypt-auto $LE_AUTO_VERSION to $REMOTE_VERSION..." - # Now we drop into Python so we don't have to install even more - # dependencies (curl, etc.), for better flow control, and for the option of - # future Windows compatibility. - "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION" + # Now we drop into Python so we don't have to install even more + # dependencies (curl, etc.), for better flow control, and for the option of + # future Windows compatibility. + "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION" - # Install new copy of letsencrypt-auto. This preserves permissions and - # ownership from the old copy. - # TODO: Deal with quotes in pathnames. - echo "Replacing letsencrypt-auto..." - echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" - $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" - # TODO: Clean up temp dir safely, even if it has quotes in its path. - rm -rf "$TEMP_DIR" - fi # should upgrade - "$0" --no-self-upgrade "$@" + # Install new copy of letsencrypt-auto. This preserves permissions and + # ownership from the old copy. + # TODO: Deal with quotes in pathnames. + echo "Replacing letsencrypt-auto..." + echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + # TODO: Clean up temp dir safely, even if it has quotes in its path. + rm -rf "$TEMP_DIR" + fi # A newer version is available. + fi # Self-upgrading is allowed. + + "$0" --le-auto-phase2 "$@" fi diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index bccd9e2c9..204813daf 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -171,9 +171,10 @@ TempDir() { -if [ "$NO_SELF_UPGRADE" = 1 ]; then +if [ "$1" = "--le-auto-phase2" ]; then # Phase 2: Create venv, install LE, and run. + shift 1 # the --le-auto-phase2 arg if [ -f "$VENV_BIN/letsencrypt" ]; then INSTALLED_VERSION=$("$VENV_BIN/letsencrypt" --version 2>&1 | cut -d " " -f 2) else @@ -235,31 +236,34 @@ else exit 0 fi - echo "Checking for new version..." - TEMP_DIR=$(TempDir) - # --------------------------------------------------------------------------- - cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py" + if [ "$NO_SELF_UPGRADE" != 1 ]; then + echo "Checking for new version..." + TEMP_DIR=$(TempDir) + # --------------------------------------------------------------------------- + cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py" {{ fetch.py }} UNLIKELY_EOF - # --------------------------------------------------------------------------- - DeterminePythonVersion - REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` - if [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then - echo "Upgrading letsencrypt-auto $LE_AUTO_VERSION to $REMOTE_VERSION..." + # --------------------------------------------------------------------------- + DeterminePythonVersion + REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` + if [ "$LE_AUTO_VERSION" != "$REMOTE_VERSION" ]; then + echo "Upgrading letsencrypt-auto $LE_AUTO_VERSION to $REMOTE_VERSION..." - # Now we drop into Python so we don't have to install even more - # dependencies (curl, etc.), for better flow control, and for the option of - # future Windows compatibility. - "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION" + # Now we drop into Python so we don't have to install even more + # dependencies (curl, etc.), for better flow control, and for the option of + # future Windows compatibility. + "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION" - # Install new copy of letsencrypt-auto. This preserves permissions and - # ownership from the old copy. - # TODO: Deal with quotes in pathnames. - echo "Replacing letsencrypt-auto..." - echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" - $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" - # TODO: Clean up temp dir safely, even if it has quotes in its path. - rm -rf "$TEMP_DIR" - fi # should upgrade - "$0" --no-self-upgrade "$@" + # Install new copy of letsencrypt-auto. This preserves permissions and + # ownership from the old copy. + # TODO: Deal with quotes in pathnames. + echo "Replacing letsencrypt-auto..." + echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + # TODO: Clean up temp dir safely, even if it has quotes in its path. + rm -rf "$TEMP_DIR" + fi # A newer version is available. + fi # Self-upgrading is allowed. + + "$0" --le-auto-phase2 "$@" fi From 9a36439e1b738c7ead76752572b091cc413c560d Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 22 Feb 2016 17:26:55 -0800 Subject: [PATCH 112/141] Tweaks per review --- acme/acme/client.py | 2 +- acme/acme/client_test.py | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index eaca6dc7d..79d7c5df4 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -4,6 +4,7 @@ import datetime import heapq import logging import time +from email.utils import parsedate_tz import six from six.moves import http_client # pylint: disable=import-error @@ -17,7 +18,6 @@ from acme import jose from acme import jws from acme import messages -from email.utils import parsedate_tz logger = logging.getLogger(__name__) diff --git a/acme/acme/client_test.py b/acme/acme/client_test.py index 29f60c25d..93c86862d 100644 --- a/acme/acme/client_test.py +++ b/acme/acme/client_test.py @@ -205,8 +205,12 @@ class ClientTest(unittest.TestCase): datetime.datetime(2015, 3, 27, 0, 0, 10), self.client.retry_after(response=self.response, default=10)) - # wrong date -> ValueError + @mock.patch('acme.client.datetime') + def test_retry_after_overflow(self, dt_mock): + dt_mock.datetime.now.return_value = datetime.datetime(2015, 3, 27) + dt_mock.timedelta = datetime.timedelta dt_mock.datetime.side_effect = datetime.datetime + self.response.headers['Retry-After'] = "Tue, 116 Feb 2016 11:50:00 MST" self.assertEqual( datetime.datetime(2015, 3, 27, 0, 0, 10), From b81079be3b373bb49304b7a61c04f0ab8835433b Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Mon, 22 Feb 2016 18:08:06 -0800 Subject: [PATCH 113/141] brad nits --- letsencrypt-apache/letsencrypt_apache/obj.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/obj.py b/letsencrypt-apache/letsencrypt_apache/obj.py index c98ca4b99..b2a21ef5d 100644 --- a/letsencrypt-apache/letsencrypt_apache/obj.py +++ b/letsencrypt-apache/letsencrypt_apache/obj.py @@ -194,6 +194,8 @@ class VirtualHost(object): # pylint: disable=too-few-public-methods Used in redirection - indicates whether or not the two virtual hosts serve on the exact same IP combinations, but different ports. + The generic flag indicates that that we're trying to match to a + default or generic vhost .. todo:: Handle _default_ @@ -207,8 +209,7 @@ class VirtualHost(object): # pylint: disable=too-few-public-methods if self.name is not None or self.aliases: return True # If we're looking for a generic vhost, don't return one with a ServerName - else: - if self.name: + elif self.name: return False # Both sets of names are empty. From 7aa5edb2121da9280ee3a6f979c7802459fea2b7 Mon Sep 17 00:00:00 2001 From: Roland Shoemaker Date: Mon, 22 Feb 2016 21:31:14 -0800 Subject: [PATCH 114/141] Set CSR version in make_csr --- letsencrypt/crypto_util.py | 1 + 1 file changed, 1 insertion(+) diff --git a/letsencrypt/crypto_util.py b/letsencrypt/crypto_util.py index 76265a739..5fdcba843 100644 --- a/letsencrypt/crypto_util.py +++ b/letsencrypt/crypto_util.py @@ -118,6 +118,7 @@ def make_csr(key_str, domains): value=", ".join("DNS:%s" % d for d in domains) ), ]) + req.set_version(2) req.set_pubkey(pkey) req.sign(pkey, "sha256") return tuple(OpenSSL.crypto.dump_certificate_request(method, req) From 6d1b0298acf0a433c5e29b21958fc808fcf3e5f4 Mon Sep 17 00:00:00 2001 From: Dominic Cleal Date: Tue, 23 Feb 2016 09:35:29 +0000 Subject: [PATCH 115/141] Add failing test from ticket #2525 Augeas fails to parse the last new line/continuation between an IP in a VirtualHost block and the closing `>` of the section. --- .../failing/section-continuations-2525.conf | 284 ++++++++++++++++++ 1 file changed, 284 insertions(+) create mode 100644 letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/failing/section-continuations-2525.conf diff --git a/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/failing/section-continuations-2525.conf b/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/failing/section-continuations-2525.conf new file mode 100644 index 000000000..6840b71d6 --- /dev/null +++ b/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/failing/section-continuations-2525.conf @@ -0,0 +1,284 @@ + +NameVirtualHost 0.0.0.0:7080 +NameVirtualHost [00000:000:000:000::0]:7080 +NameVirtualHost 0.0.0.0:7080 + +NameVirtualHost 127.0.0.1:7080 +NameVirtualHost 0.0.0.0:7081 +NameVirtualHost [0000:000:000:000::2]:7081 +NameVirtualHost 0.0.0.0:7081 + +NameVirtualHost 127.0.0.1:7081 + +ServerName "example.com" +ServerAdmin "srv@example.com" + +DocumentRoot "/var/www/vhosts/default/htdocs" + + + LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" plesklog + + + LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" plesklog + + +TraceEnable off + +ServerTokens ProductOnly + + + AllowOverride "All" + Options SymLinksIfOwnerMatch + Order allow,deny + Allow from all + + + php_admin_flag engine off + + + + php_admin_flag engine off + + + + + + AllowOverride "All" + Options SymLinksIfOwnerMatch + Order allow,deny + Allow from all + + php_admin_flag engine off + + + php_admin_flag engine off + + + + + Header add X-Powered-By PleskLin + + + + SecRuleEngine DetectionOnly + SecRequestBodyAccess On + SecRequestBodyLimit 134217728 + SecResponseBodyAccess Off + SecResponseBodyLimit 524288 + SecAuditEngine On + SecAuditLog "/var/log/modsec_audit.log" + SecAuditLogType serial + + +Include "/etc/httpd/conf/plesk.conf.d/ip_default/*.conf" + + + ServerName "default" + UseCanonicalName Off + DocumentRoot "/var/www/vhosts/default/htdocs" + ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" + + + SSLEngine off + + + + AllowOverride None + Options None + Order allow,deny + Allow from all + + + + + + php_admin_flag engine on + + + + php_admin_flag engine on + + + + + + + + + + ServerName "default-0_0_0_0" + UseCanonicalName Off + DocumentRoot "/var/www/vhosts/default/htdocs" + ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" + + SSLEngine on + SSLVerifyClient none + SSLCertificateFile "/usr/local/psa/var/certificates/certGXCBZ4r" + + + AllowOverride None + Options None + Order allow,deny + Allow from all + + + + + + php_admin_flag engine on + + + + php_admin_flag engine on + + + + + + + ServerName "default-0000_000_000_00000__2" + UseCanonicalName Off + DocumentRoot "/var/www/vhosts/default/htdocs" + ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" + + SSLEngine on + SSLVerifyClient none + SSLCertificateFile "/usr/local/psa/var/certificates/certGXCBZ4r" + + + AllowOverride None + Options None + Order allow,deny + Allow from all + + + + + + php_admin_flag engine on + + + + php_admin_flag engine on + + + + + + + ServerName "default-0_0_0_0" + UseCanonicalName Off + DocumentRoot "/var/www/vhosts/default/htdocs" + ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" + + SSLEngine on + SSLVerifyClient none + SSLCertificateFile "/usr/local/psa/var/certificates/cert-Nv4Tz5" + + SSLCACertificateFile "/usr/local/psa/var/certificates/cert-nLy6Z1" + + + AllowOverride None + Options None + Order allow,deny + Allow from all + + + + + + php_admin_flag engine on + + + + php_admin_flag engine on + + + + + + + + + + DocumentRoot "/var/www/vhosts/default/htdocs" + ServerName lists + ServerAlias lists.* + UseCanonicalName Off + + ScriptAlias "/mailman/" "/usr/lib/mailman/cgi-bin/" + + Alias "/icons/" "/var/www/icons/" + Alias "/pipermail/" "/var/lib/mailman/archives/public/" + + + SSLEngine off + + + + Options FollowSymLinks + Order allow,deny + Allow from all + + + + + + + DocumentRoot "/var/www/vhosts/default/htdocs" + ServerName lists + ServerAlias lists.* + UseCanonicalName Off + + ScriptAlias "/mailman/" "/usr/lib/mailman/cgi-bin/" + + Alias "/icons/" "/var/www/icons/" + Alias "/pipermail/" "/var/lib/mailman/archives/public/" + + SSLEngine on + SSLVerifyClient none + SSLCertificateFile "/usr/local/psa/var/certificates/cert-Nv4Tz5" + + + Options FollowSymLinks + Order allow,deny + Allow from all + + + + + + + RPAFproxy_ips 0.0.0.0 [00000:000:000:00000::2] 0.0.0.0 + + + RPAFproxy_ips 0.0.0.0 [0000:000:000:0000::2] 0.0.0.0 + + + RemoteIPInternalProxy 0.0.0.0 [0000:000:000:0000::2] 0.0.0.0 + RemoteIPHeader X-Forwarded-For + \ No newline at end of file From 40bca477a5bafb94bd667ebdc4fd3c745ce1dabd Mon Sep 17 00:00:00 2001 From: Dominic Cleal Date: Tue, 23 Feb 2016 09:37:35 +0000 Subject: [PATCH 116/141] Merge Augeas lens fix for continuations in section headings From https://github.com/hercules-team/augeas/commit/0b22176535809f6e8aba3191a809f122e08bc7d0 Closes: #2525 --- .../letsencrypt_apache/augeas_lens/httpd.aug | 7 +++---- .../{failing => passing}/section-continuations-2525.conf | 0 2 files changed, 3 insertions(+), 4 deletions(-) rename letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/{failing => passing}/section-continuations-2525.conf (100%) diff --git a/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug b/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug index edaca3fef..f3e688e05 100644 --- a/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug +++ b/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug @@ -45,9 +45,8 @@ autoload xfm let dels (s:string) = del s s (* deal with continuation lines *) -let sep_spc = del /([ \t]+|[ \t]*\\\\\r?\n[ \t]*)/ " " - -let sep_osp = Sep.opt_space +let sep_spc = del /([ \t]+|[ \t]*\\\\\r?\n[ \t]*)/ " " +let sep_osp = del /([ \t]*|[ \t]*\\\\\r?\n[ \t]*)/ "" let sep_eq = del /[ \t]*=[ \t]*/ "=" let nmtoken = /[a-zA-Z:_][a-zA-Z0-9:_.-]*/ @@ -60,7 +59,7 @@ let indent = Util.indent (* borrowed from shellvars.aug *) let char_arg_dir = /([^\\ '"{\t\r\n]|[^ '"{\t\r\n]+[^\\ \t\r\n])|\\\\"|\\\\'/ -let char_arg_sec = /[^ '"\t\r\n>]|\\\\"|\\\\'/ +let char_arg_sec = /[^\\ '"\t\r\n>]|\\\\"|\\\\'/ let char_arg_wl = /([^\\ '"},\t\r\n]|[^ '"},\t\r\n]+[^\\ '"},\t\r\n])/ let cdot = /\\\\./ diff --git a/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/failing/section-continuations-2525.conf b/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf similarity index 100% rename from letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/failing/section-continuations-2525.conf rename to letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf From f4c33656a2131923dba8b678b0701674041aeb31 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 23 Feb 2016 12:08:01 -0800 Subject: [PATCH 117/141] Try to finally prevent dangling AWS volumes --- tests/letstest/multitester.py | 228 ++++++++++++++++++---------------- 1 file changed, 119 insertions(+), 109 deletions(-) diff --git a/tests/letstest/multitester.py b/tests/letstest/multitester.py index e27385002..876b7807f 100644 --- a/tests/letstest/multitester.py +++ b/tests/letstest/multitester.py @@ -333,6 +333,55 @@ def create_client_instances(targetlist): print() return instances + +def test_client_process(inqueue, outqueue): + cur_proc = mp.current_process() + for inreq in iter(inqueue.get, SENTINEL): + ii, target = inreq + + #save all stdout to log file + sys.stdout = open(LOGDIR+'/'+'%d_%s.log'%(ii,target['name']), 'w') + + print("[%s : client %d %s %s]" % (cur_proc.name, ii, target['ami'], target['name'])) + instances[ii] = block_until_instance_ready(instances[ii]) + print("server %s at %s"%(instances[ii], instances[ii].public_ip_address)) + env.host_string = "%s@%s"%(target['user'], instances[ii].public_ip_address) + print(env.host_string) + + try: + install_and_launch_letsencrypt(instances[ii], boulder_url, target) + outqueue.put((ii, target, 'pass')) + print("%s - %s SUCCESS"%(target['ami'], target['name'])) + except: + outqueue.put((ii, target, 'fail')) + print("%s - %s FAIL"%(target['ami'], target['name'])) + pass + + # append server letsencrypt.log to each per-machine output log + print("\n\nletsencrypt.log\n" + "-"*80 + "\n") + try: + execute(grab_letsencrypt_log) + except: + print("log fail\n") + pass + + +def cleanup(cl_args, instances, targetlist): + print('Logs in ', LOGDIR) + if not cl_args.saveinstances: + print('Terminating EC2 Instances and Cleaning Dangling EBS Volumes') + if cl_args.killboulder: + boulder_server.terminate() + terminate_and_clean(instances) + else: + # print login information for the boxes for debugging + for ii, target in enumerate(targetlist): + print(target['name'], + target['ami'], + "%s@%s"%(target['user'], instances[ii].public_ip_address)) + + + #------------------------------------------------------------------------------- # SCRIPT BEGINS #------------------------------------------------------------------------------- @@ -413,124 +462,85 @@ else: #machine_type='t2.medium', security_groups=['letsencrypt_test']) -if not cl_args.boulderonly: - instances = create_client_instances(targetlist) +try: + if not cl_args.boulderonly: + instances = create_client_instances(targetlist) -# Configure and launch boulder server -#------------------------------------------------------------------------------- -print("Waiting on Boulder Server") -boulder_server = block_until_instance_ready(boulder_server) -print(" server %s"%boulder_server) + # Configure and launch boulder server + #------------------------------------------------------------------------------- + print("Waiting on Boulder Server") + boulder_server = block_until_instance_ready(boulder_server) + print(" server %s"%boulder_server) -# env.host_string defines the ssh user and host for connection -env.host_string = "ubuntu@%s"%boulder_server.public_ip_address -print("Boulder Server at (SSH):", env.host_string) -if not boulder_preexists: - print("Configuring and Launching Boulder") - config_and_launch_boulder(boulder_server) - # blocking often unnecessary, but cheap EC2 VMs can get very slow - block_until_http_ready('http://%s:4000'%boulder_server.public_ip_address, - wait_time=10, timeout=500) + # env.host_string defines the ssh user and host for connection + env.host_string = "ubuntu@%s"%boulder_server.public_ip_address + print("Boulder Server at (SSH):", env.host_string) + if not boulder_preexists: + print("Configuring and Launching Boulder") + config_and_launch_boulder(boulder_server) + # blocking often unnecessary, but cheap EC2 VMs can get very slow + block_until_http_ready('http://%s:4000'%boulder_server.public_ip_address, + wait_time=10, timeout=500) -boulder_url = "http://%s:4000/directory"%boulder_server.private_ip_address -print("Boulder Server at (public ip): http://%s:4000/directory"%boulder_server.public_ip_address) -print("Boulder Server at (EC2 private ip): %s"%boulder_url) + boulder_url = "http://%s:4000/directory"%boulder_server.private_ip_address + print("Boulder Server at (public ip): http://%s:4000/directory"%boulder_server.public_ip_address) + print("Boulder Server at (EC2 private ip): %s"%boulder_url) -if cl_args.boulderonly: - sys.exit(0) + if cl_args.boulderonly: + sys.exit(0) -# Install and launch client scripts in parallel -#------------------------------------------------------------------------------- -print("Uploading and running test script in parallel: %s"%cl_args.test_script) -print("Output routed to log files in %s"%LOGDIR) -# (Advice: always use Manager.Queue, never regular multiprocessing.Queue -# the latter has implementation flaws that deadlock it in some circumstances) -manager = Manager() -outqueue = manager.Queue() -inqueue = manager.Queue() -SENTINEL = None #queue kill signal + # Install and launch client scripts in parallel + #------------------------------------------------------------------------------- + print("Uploading and running test script in parallel: %s"%cl_args.test_script) + print("Output routed to log files in %s"%LOGDIR) + # (Advice: always use Manager.Queue, never regular multiprocessing.Queue + # the latter has implementation flaws that deadlock it in some circumstances) + manager = Manager() + outqueue = manager.Queue() + inqueue = manager.Queue() + SENTINEL = None #queue kill signal -# launch as many processes as clients to test -num_processes = len(targetlist) -jobs = [] #keep a reference to current procs + # launch as many processes as clients to test + num_processes = len(targetlist) + jobs = [] #keep a reference to current procs -def test_client_process(inqueue, outqueue): - cur_proc = mp.current_process() - for inreq in iter(inqueue.get, SENTINEL): - ii, target = inreq - #save all stdout to log file - sys.stdout = open(LOGDIR+'/'+'%d_%s.log'%(ii,target['name']), 'w') + # initiate process execution + for i in range(num_processes): + p = mp.Process(target=test_client_process, args=(inqueue, outqueue)) + jobs.append(p) + p.daemon = True # kills subprocesses if parent is killed + p.start() - print("[%s : client %d %s %s]" % (cur_proc.name, ii, target['ami'], target['name'])) - instances[ii] = block_until_instance_ready(instances[ii]) - print("server %s at %s"%(instances[ii], instances[ii].public_ip_address)) - env.host_string = "%s@%s"%(target['user'], instances[ii].public_ip_address) - print(env.host_string) - - try: - install_and_launch_letsencrypt(instances[ii], boulder_url, target) - outqueue.put((ii, target, 'pass')) - print("%s - %s SUCCESS"%(target['ami'], target['name'])) - except: - outqueue.put((ii, target, 'fail')) - print("%s - %s FAIL"%(target['ami'], target['name'])) - pass - - # append server letsencrypt.log to each per-machine output log - print("\n\nletsencrypt.log\n" + "-"*80 + "\n") - try: - execute(grab_letsencrypt_log) - except: - print("log fail\n") - pass - -# initiate process execution -for i in range(num_processes): - p = mp.Process(target=test_client_process, args=(inqueue, outqueue)) - jobs.append(p) - p.daemon = True # kills subprocesses if parent is killed - p.start() - -# fill up work queue -for ii, target in enumerate(targetlist): - inqueue.put((ii, target)) - -# add SENTINELs to end client processes -for i in range(num_processes): - inqueue.put(SENTINEL) -# wait on termination of client processes -for p in jobs: - p.join() -# add SENTINEL to output queue -outqueue.put(SENTINEL) - -# clean up -execute(local_repo_clean) - -# print and save summary results -results_file = open(LOGDIR+'/results', 'w') -outputs = [outq for outq in iter(outqueue.get, SENTINEL)] -outputs.sort(key=lambda x: x[0]) -for outq in outputs: - ii, target, status = outq - print('%d %s %s'%(ii, target['name'], status)) - results_file.write('%d %s %s\n'%(ii, target['name'], status)) -results_file.close() - -if not cl_args.saveinstances: - print('Logs in ', LOGDIR) - print('Terminating EC2 Instances and Cleaning Dangling EBS Volumes') - if cl_args.killboulder: - boulder_server.terminate() - terminate_and_clean(instances) -else: - # print login information for the boxes for debugging + # fill up work queue for ii, target in enumerate(targetlist): - print(target['name'], - target['ami'], - "%s@%s"%(target['user'], instances[ii].public_ip_address)) + inqueue.put((ii, target)) -# kill any connections -fabric.network.disconnect_all() + # add SENTINELs to end client processes + for i in range(num_processes): + inqueue.put(SENTINEL) + # wait on termination of client processes + for p in jobs: + p.join() + # add SENTINEL to output queue + outqueue.put(SENTINEL) + + # clean up + execute(local_repo_clean) + + # print and save summary results + results_file = open(LOGDIR+'/results', 'w') + outputs = [outq for outq in iter(outqueue.get, SENTINEL)] + outputs.sort(key=lambda x: x[0]) + for outq in outputs: + ii, target, status = outq + print('%d %s %s'%(ii, target['name'], status)) + results_file.write('%d %s %s\n'%(ii, target['name'], status)) + results_file.close() + +finally: + cleanup(cl_args, instances, targetlist) + + # kill any connections + fabric.network.disconnect_all() From c86b602edeae8e1fbfc36bd4d34784cddc88a862 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 23 Feb 2016 12:46:18 -0800 Subject: [PATCH 118/141] Return an error code if any renewals fail --- letsencrypt/cli.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/letsencrypt/cli.py b/letsencrypt/cli.py index 855c7a467..3fc5c4829 100644 --- a/letsencrypt/cli.py +++ b/letsencrypt/cli.py @@ -1030,6 +1030,12 @@ def renew(config, unused_plugins): _renew_describe_results(config, renew_successes, renew_failures, renew_skipped, parse_failures) + if renew_failures or parse_failures: + raise errors.Error("{0} renew failure(s), {1} parse failure(s)".format( + len(renew_failures), len(parse_failures))) + else: + logger.debug("no renewal failures") + def revoke(config, unused_plugins): # TODO: coop with renewal config """Revoke a previously obtained certificate.""" From bf0e20bfa6dc5521a43cf09db9293259d12fa3de Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 23 Feb 2016 12:47:21 -0800 Subject: [PATCH 119/141] Test renewal erroring For the new case and a lot of previous ones... --- letsencrypt/tests/cli_test.py | 66 +++++++++++++++++++++++------------ 1 file changed, 43 insertions(+), 23 deletions(-) diff --git a/letsencrypt/tests/cli_test.py b/letsencrypt/tests/cli_test.py index 77a4b5892..d47815de5 100644 --- a/letsencrypt/tests/cli_test.py +++ b/letsencrypt/tests/cli_test.py @@ -540,7 +540,7 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods self._certonly_new_request_common, mock_client) def _test_renewal_common(self, due_for_renewal, extra_args, log_out=None, - args=None, renew=True): + args=None, renew=True, error_expected=False): # pylint: disable=too-many-locals cert_path = 'letsencrypt/tests/testdata/cert.pem' chain_path = '/etc/letsencrypt/live/foo.bar/fullchain.pem' @@ -567,11 +567,14 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods args = ['-d', 'isnot.org', '-a', 'standalone', 'certonly'] if extra_args: args += extra_args - self._call(args) - - if log_out: - with open(os.path.join(self.logs_dir, "letsencrypt.log")) as lf: - self.assertTrue(log_out in lf.read()) + try: + ret, _, _, _ = self._call(args) + if ret: + print "Returned", ret + raise AssertionError(ret) + assert not error_expected, "renewal should have errored" + except: + assert error_expected, "renewal should not have errored" + traceback.format_exc() if renew: mock_client.obtain_certificate.assert_called_once_with(['isnot.org']) @@ -580,6 +583,10 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods except: self._dump_log() raise + finally: + if log_out: + with open(os.path.join(self.logs_dir, "letsencrypt.log")) as lf: + self.assertTrue(log_out in lf.read()) return mock_lineage, mock_get_utility @@ -624,12 +631,25 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods args = ["renew", "--dry-run", "-tvv"] self._test_renewal_common(True, [], args=args, renew=True) + def test_renew_verb_empty_config(self): - renewer_configs_dir = os.path.join(self.config_dir, 'renewal') - os.makedirs(renewer_configs_dir) - with open(os.path.join(renewer_configs_dir, 'empty.conf'), 'w'): + rd = os.path.join(self.config_dir, 'renewal') + if not os.path.exists(rd): + os.makedirs(rd) + with open(os.path.join(rd, 'empty.conf'), 'w'): pass # leave the file empty - self.test_renew_verb() + args = ["renew", "--dry-run", "-tvv"] + self._test_renewal_common(False, [], args=args, renew=False, error_expected=True) + + def _unused_test(self): + with open(rc, "w") as dest: + dest.write("BLOBOFRANDOM\nJUNK") + + args = ["renew", "--dry-run", "-tvv"] + self._test_renewal_common(True, [], args=args, renew=True, + log_out="1 parse failure", error_expected=True) + + assert False, "Failed to raise SystemExit" def _make_dummy_renewal_config(self): renewer_configs_dir = os.path.join(self.config_dir, 'renewal') @@ -637,7 +657,7 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods with open(os.path.join(renewer_configs_dir, 'test.conf'), 'w') as f: f.write("My contents don't matter") - def _test_renew_common(self, renewalparams=None, + def _test_renew_common(self, renewalparams=None, error_expected=False, names=None, assert_oc_called=None): self._make_dummy_renewal_config() with mock.patch('letsencrypt.storage.RenewableCert') as mock_rc: @@ -649,7 +669,7 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods mock_lineage.names.return_value = names mock_rc.return_value = mock_lineage with mock.patch('letsencrypt.cli.obtain_cert') as mock_obtain_cert: - self._test_renewal_common(True, None, + self._test_renewal_common(True, None, error_expected=error_expected, args=['renew'], renew=False) if assert_oc_called is not None: if assert_oc_called: @@ -658,21 +678,22 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods self.assertFalse(mock_obtain_cert.called) def test_renew_no_renewalparams(self): - self._test_renew_common(assert_oc_called=False) + self._test_renew_common(assert_oc_called=False, error_expected=True) def test_renew_no_authenticator(self): - self._test_renew_common(renewalparams={}, assert_oc_called=False) + self._test_renew_common(renewalparams={}, assert_oc_called=False, + error_expected=True) def test_renew_with_bad_int(self): renewalparams = {'authenticator': 'webroot', 'rsa_key_size': 'over 9000'} - self._test_renew_common(renewalparams=renewalparams, + self._test_renew_common(renewalparams=renewalparams, error_expected=True, assert_oc_called=False) def test_renew_with_bad_domain(self): renewalparams = {'authenticator': 'webroot'} names = ['*.example.com'] - self._test_renew_common(renewalparams=renewalparams, + self._test_renew_common(renewalparams=renewalparams, error_expected=True, names=names, assert_oc_called=False) def test_renew_plugin_config_restoration(self): @@ -686,7 +707,7 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods # pylint: disable=protected-access with mock.patch('letsencrypt.cli._reconstitute') as mock_reconstitute: mock_reconstitute.side_effect = Exception - self._test_renew_common(assert_oc_called=False) + self._test_renew_common(assert_oc_called=False, error_expected=True) def test_renew_obtain_cert_error(self): self._make_dummy_renewal_config() @@ -698,15 +719,14 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods 'renewalparams': {'authenticator': 'webroot'}} with mock.patch('letsencrypt.cli.obtain_cert') as mock_obtain_cert: mock_obtain_cert.side_effect = Exception - self._test_renewal_common(True, None, + self._test_renewal_common(True, None, error_expected=True, args=['renew'], renew=False) def test_renew_with_bad_cli_args(self): - self.assertRaises(errors.Error, self._test_renewal_common, True, None, - args='renew -d example.com'.split(), renew=False) - self.assertRaises(errors.Error, self._test_renewal_common, True, None, - args='renew --csr {0}'.format(CSR).split(), - renew=False) + self._test_renewal_common(True, None, args='renew -d example.com'.split(), + renew=False, error_expected=True) + self._test_renewal_common(True, None, args='renew --csr {0}'.format(CSR).split(), + renew=False, error_expected=True) @mock.patch('letsencrypt.cli.zope.component.getUtility') @mock.patch('letsencrypt.cli._treat_as_renewal') From ba88ea1b310a7960f7611ebb81c465e69d9469af Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 23 Feb 2016 12:53:31 -0800 Subject: [PATCH 120/141] Cleanup & lint --- letsencrypt/tests/cli_test.py | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/letsencrypt/tests/cli_test.py b/letsencrypt/tests/cli_test.py index d47815de5..b3119e2fa 100644 --- a/letsencrypt/tests/cli_test.py +++ b/letsencrypt/tests/cli_test.py @@ -541,7 +541,7 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods def _test_renewal_common(self, due_for_renewal, extra_args, log_out=None, args=None, renew=True, error_expected=False): - # pylint: disable=too-many-locals + # pylint: disable=too-many-locals,too-many-arguments cert_path = 'letsencrypt/tests/testdata/cert.pem' chain_path = '/etc/letsencrypt/live/foo.bar/fullchain.pem' mock_lineage = mock.MagicMock(cert=cert_path, fullchain=chain_path) @@ -573,8 +573,11 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods print "Returned", ret raise AssertionError(ret) assert not error_expected, "renewal should have errored" - except: - assert error_expected, "renewal should not have errored" + traceback.format_exc() + except: # pylint: disable=bare-except + if not error_expected: + raise AssertionError( + "Unexpected renewal error:\n" + + traceback.format_exc()) if renew: mock_client.obtain_certificate.assert_called_once_with(['isnot.org']) @@ -631,7 +634,6 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods args = ["renew", "--dry-run", "-tvv"] self._test_renewal_common(True, [], args=args, renew=True) - def test_renew_verb_empty_config(self): rd = os.path.join(self.config_dir, 'renewal') if not os.path.exists(rd): @@ -641,16 +643,6 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods args = ["renew", "--dry-run", "-tvv"] self._test_renewal_common(False, [], args=args, renew=False, error_expected=True) - def _unused_test(self): - with open(rc, "w") as dest: - dest.write("BLOBOFRANDOM\nJUNK") - - args = ["renew", "--dry-run", "-tvv"] - self._test_renewal_common(True, [], args=args, renew=True, - log_out="1 parse failure", error_expected=True) - - assert False, "Failed to raise SystemExit" - def _make_dummy_renewal_config(self): renewer_configs_dir = os.path.join(self.config_dir, 'renewal') os.makedirs(renewer_configs_dir) From ca56a31132b46a4fe36eef58909ac0d4f1e049b1 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Tue, 23 Feb 2016 15:27:30 -0800 Subject: [PATCH 121/141] reverse domain matching for wildcards --- .../letsencrypt_apache/configurator.py | 21 +++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index 6cb7c12d4..47f2ef382 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -344,9 +344,16 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): def included_in_wildcard(self, names, target_name): """Helper function to see if alias is covered by wildcard""" - wildcards = [domain for domain in names if domain.startswith("*")] + target_name = target_name.split(".")[::-1] + wildcards = [domain.split(".")[1:] for domain in names if domain.startswith("*")] for wildcard in wildcards: - if wildcard.split(".")[1] == target_name.split(".")[1]: + if len(wildcard) > len(target_name): + continue + for idx, segment in enumerate(wildcard[::-1]): + if segment != target_name[idx]: + break + else: + # https://docs.python.org/2/tutorial/controlflow.html#break-and-continue-statements-and-else-clauses-on-loops return True return False @@ -359,9 +366,11 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): :returns: VHost or None """ - # Points 4 - Servername SSL - # Points 3 - Address name with SSL - # Points 2 - Servername no SSL + # Points 6 - Servername SSL + # Points 5 - Wildcard SSL + # Points 4 - Address name with SSL + # Points 3 - Servername no SSL + # Points 2 - Wildcard no SSL # Points 1 - Address name with no SSL best_candidate = None best_points = 0 @@ -381,7 +390,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): continue # pragma: no cover if vhost.ssl: - points += 2 + points += 3 if points > best_points: best_points = points From 34685a855869f2d6eafc8b7f9f8983c1176a81e5 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 23 Feb 2016 15:53:56 -0800 Subject: [PATCH 122/141] Fix indendation --- letsencrypt-apache/letsencrypt_apache/obj.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt-apache/letsencrypt_apache/obj.py b/letsencrypt-apache/letsencrypt_apache/obj.py index b2a21ef5d..80a49b6a6 100644 --- a/letsencrypt-apache/letsencrypt_apache/obj.py +++ b/letsencrypt-apache/letsencrypt_apache/obj.py @@ -210,7 +210,7 @@ class VirtualHost(object): # pylint: disable=too-few-public-methods return True # If we're looking for a generic vhost, don't return one with a ServerName elif self.name: - return False + return False # Both sets of names are empty. From b7a53541c5911c3619b851a5d57db4fdc8ee4161 Mon Sep 17 00:00:00 2001 From: bmw Date: Tue, 23 Feb 2016 16:51:11 -0800 Subject: [PATCH 123/141] Revert "Merge Augeas lens fix for continuations in section headings" --- .../letsencrypt_apache/augeas_lens/httpd.aug | 7 +- .../passing/section-continuations-2525.conf | 284 ------------------ 2 files changed, 4 insertions(+), 287 deletions(-) delete mode 100644 letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf diff --git a/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug b/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug index f3e688e05..edaca3fef 100644 --- a/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug +++ b/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug @@ -45,8 +45,9 @@ autoload xfm let dels (s:string) = del s s (* deal with continuation lines *) -let sep_spc = del /([ \t]+|[ \t]*\\\\\r?\n[ \t]*)/ " " -let sep_osp = del /([ \t]*|[ \t]*\\\\\r?\n[ \t]*)/ "" +let sep_spc = del /([ \t]+|[ \t]*\\\\\r?\n[ \t]*)/ " " + +let sep_osp = Sep.opt_space let sep_eq = del /[ \t]*=[ \t]*/ "=" let nmtoken = /[a-zA-Z:_][a-zA-Z0-9:_.-]*/ @@ -59,7 +60,7 @@ let indent = Util.indent (* borrowed from shellvars.aug *) let char_arg_dir = /([^\\ '"{\t\r\n]|[^ '"{\t\r\n]+[^\\ \t\r\n])|\\\\"|\\\\'/ -let char_arg_sec = /[^\\ '"\t\r\n>]|\\\\"|\\\\'/ +let char_arg_sec = /[^ '"\t\r\n>]|\\\\"|\\\\'/ let char_arg_wl = /([^\\ '"},\t\r\n]|[^ '"},\t\r\n]+[^\\ '"},\t\r\n])/ let cdot = /\\\\./ diff --git a/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf b/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf deleted file mode 100644 index 6840b71d6..000000000 --- a/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf +++ /dev/null @@ -1,284 +0,0 @@ - -NameVirtualHost 0.0.0.0:7080 -NameVirtualHost [00000:000:000:000::0]:7080 -NameVirtualHost 0.0.0.0:7080 - -NameVirtualHost 127.0.0.1:7080 -NameVirtualHost 0.0.0.0:7081 -NameVirtualHost [0000:000:000:000::2]:7081 -NameVirtualHost 0.0.0.0:7081 - -NameVirtualHost 127.0.0.1:7081 - -ServerName "example.com" -ServerAdmin "srv@example.com" - -DocumentRoot "/var/www/vhosts/default/htdocs" - - - LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" plesklog - - - LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" plesklog - - -TraceEnable off - -ServerTokens ProductOnly - - - AllowOverride "All" - Options SymLinksIfOwnerMatch - Order allow,deny - Allow from all - - - php_admin_flag engine off - - - - php_admin_flag engine off - - - - - - AllowOverride "All" - Options SymLinksIfOwnerMatch - Order allow,deny - Allow from all - - php_admin_flag engine off - - - php_admin_flag engine off - - - - - Header add X-Powered-By PleskLin - - - - SecRuleEngine DetectionOnly - SecRequestBodyAccess On - SecRequestBodyLimit 134217728 - SecResponseBodyAccess Off - SecResponseBodyLimit 524288 - SecAuditEngine On - SecAuditLog "/var/log/modsec_audit.log" - SecAuditLogType serial - - -Include "/etc/httpd/conf/plesk.conf.d/ip_default/*.conf" - - - ServerName "default" - UseCanonicalName Off - DocumentRoot "/var/www/vhosts/default/htdocs" - ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" - - - SSLEngine off - - - - AllowOverride None - Options None - Order allow,deny - Allow from all - - - - - - php_admin_flag engine on - - - - php_admin_flag engine on - - - - - - - - - - ServerName "default-0_0_0_0" - UseCanonicalName Off - DocumentRoot "/var/www/vhosts/default/htdocs" - ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" - - SSLEngine on - SSLVerifyClient none - SSLCertificateFile "/usr/local/psa/var/certificates/certGXCBZ4r" - - - AllowOverride None - Options None - Order allow,deny - Allow from all - - - - - - php_admin_flag engine on - - - - php_admin_flag engine on - - - - - - - ServerName "default-0000_000_000_00000__2" - UseCanonicalName Off - DocumentRoot "/var/www/vhosts/default/htdocs" - ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" - - SSLEngine on - SSLVerifyClient none - SSLCertificateFile "/usr/local/psa/var/certificates/certGXCBZ4r" - - - AllowOverride None - Options None - Order allow,deny - Allow from all - - - - - - php_admin_flag engine on - - - - php_admin_flag engine on - - - - - - - ServerName "default-0_0_0_0" - UseCanonicalName Off - DocumentRoot "/var/www/vhosts/default/htdocs" - ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" - - SSLEngine on - SSLVerifyClient none - SSLCertificateFile "/usr/local/psa/var/certificates/cert-Nv4Tz5" - - SSLCACertificateFile "/usr/local/psa/var/certificates/cert-nLy6Z1" - - - AllowOverride None - Options None - Order allow,deny - Allow from all - - - - - - php_admin_flag engine on - - - - php_admin_flag engine on - - - - - - - - - - DocumentRoot "/var/www/vhosts/default/htdocs" - ServerName lists - ServerAlias lists.* - UseCanonicalName Off - - ScriptAlias "/mailman/" "/usr/lib/mailman/cgi-bin/" - - Alias "/icons/" "/var/www/icons/" - Alias "/pipermail/" "/var/lib/mailman/archives/public/" - - - SSLEngine off - - - - Options FollowSymLinks - Order allow,deny - Allow from all - - - - - - - DocumentRoot "/var/www/vhosts/default/htdocs" - ServerName lists - ServerAlias lists.* - UseCanonicalName Off - - ScriptAlias "/mailman/" "/usr/lib/mailman/cgi-bin/" - - Alias "/icons/" "/var/www/icons/" - Alias "/pipermail/" "/var/lib/mailman/archives/public/" - - SSLEngine on - SSLVerifyClient none - SSLCertificateFile "/usr/local/psa/var/certificates/cert-Nv4Tz5" - - - Options FollowSymLinks - Order allow,deny - Allow from all - - - - - - - RPAFproxy_ips 0.0.0.0 [00000:000:000:00000::2] 0.0.0.0 - - - RPAFproxy_ips 0.0.0.0 [0000:000:000:0000::2] 0.0.0.0 - - - RemoteIPInternalProxy 0.0.0.0 [0000:000:000:0000::2] 0.0.0.0 - RemoteIPHeader X-Forwarded-For - \ No newline at end of file From e46ce3028f6a633cfd3d66c5755211ff279446c7 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Tue, 23 Feb 2016 17:31:41 -0800 Subject: [PATCH 124/141] coverage --- .../tests/configurator_test.py | 33 ++++++++++++++----- .../apache2/sites-available/wildcard.conf | 13 ++++++++ .../letsencrypt_apache/tests/util.py | 7 +++- 3 files changed, 43 insertions(+), 10 deletions(-) create mode 100644 letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/sites-available/wildcard.conf diff --git a/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py b/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py index 5b15a20d1..ef2c1b0b6 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py +++ b/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py @@ -85,7 +85,7 @@ class TwoVhost80Test(util.ApacheTest): mock_getutility.notification = mock.MagicMock(return_value=True) names = self.config.get_all_names() self.assertEqual(names, set( - ["letsencrypt.demo", "encryption-example.demo", "ip-172-30-0-17"])) + ["letsencrypt.demo", "encryption-example.demo", "ip-172-30-0-17", "*.blue.purple.com"])) @mock.patch("zope.component.getUtility") @mock.patch("letsencrypt_apache.configurator.socket.gethostbyaddr") @@ -103,7 +103,7 @@ class TwoVhost80Test(util.ApacheTest): self.config.vhosts.append(vhost) names = self.config.get_all_names() - self.assertEqual(len(names), 5) + self.assertEqual(len(names), 6) self.assertTrue("zombo.com" in names) self.assertTrue("google.com" in names) self.assertTrue("letsencrypt.demo" in names) @@ -124,7 +124,7 @@ class TwoVhost80Test(util.ApacheTest): """ vhs = self.config.get_virtual_hosts() - self.assertEqual(len(vhs), 6) + self.assertEqual(len(vhs), 7) found = 0 for vhost in vhs: @@ -135,7 +135,7 @@ class TwoVhost80Test(util.ApacheTest): else: raise Exception("Missed: %s" % vhost) # pragma: no cover - self.assertEqual(found, 6) + self.assertEqual(found, 7) # Handle case of non-debian layout get_virtual_hosts with mock.patch( @@ -143,7 +143,7 @@ class TwoVhost80Test(util.ApacheTest): ) as mock_conf: mock_conf.return_value = False vhs = self.config.get_virtual_hosts() - self.assertEqual(len(vhs), 6) + self.assertEqual(len(vhs), 7) @mock.patch("letsencrypt_apache.display_ops.select_vhost") def test_choose_vhost_none_avail(self, mock_select): @@ -186,6 +186,20 @@ class TwoVhost80Test(util.ApacheTest): self.assertRaises( errors.PluginError, self.config.choose_vhost, "none.com") + def test_choosevhost_select_vhost_with_wildcard(self): + chosen_vhost = self.config.choose_vhost("blue.purple.com", temp=True) + self.assertEqual(self.vh_truth[6], chosen_vhost) + + def test_findbest_continues_on_short_domain(self): + # pylint: disable=protected-access + chosen_vhost = self.config._find_best_vhost("purple.com") + self.assertEqual(None, chosen_vhost) + + def test_findbest_continues_on_long_domain(self): + # pylint: disable=protected-access + chosen_vhost = self.config._find_best_vhost("green.red.purple.com") + self.assertEqual(None, chosen_vhost) + def test_find_best_vhost(self): # pylint: disable=protected-access self.assertEqual( @@ -211,6 +225,7 @@ class TwoVhost80Test(util.ApacheTest): self.config.vhosts = [ vh for vh in self.config.vhosts if vh.name not in ["letsencrypt.demo", "encryption-example.demo"] + and "*.blue.purple.com" not in vh.aliases ] self.assertEqual( @@ -218,7 +233,7 @@ class TwoVhost80Test(util.ApacheTest): def test_non_default_vhosts(self): # pylint: disable=protected-access - self.assertEqual(len(self.config._non_default_vhosts()), 4) + self.assertEqual(len(self.config._non_default_vhosts()), 5) def test_is_site_enabled(self): """Test if site is enabled. @@ -524,7 +539,7 @@ class TwoVhost80Test(util.ApacheTest): self.assertEqual(self.config.is_name_vhost(self.vh_truth[0]), self.config.is_name_vhost(ssl_vhost)) - self.assertEqual(len(self.config.vhosts), 7) + self.assertEqual(len(self.config.vhosts), 8) def test_clean_vhost_ssl(self): # pylint: disable=protected-access @@ -942,7 +957,7 @@ class TwoVhost80Test(util.ApacheTest): # pylint: disable=protected-access self.config._enable_redirect(self.vh_truth[1], "") - self.assertEqual(len(self.config.vhosts), 7) + self.assertEqual(len(self.config.vhosts), 8) def test_create_own_redirect_for_old_apache_version(self): self.config.parser.modules.add("rewrite_module") @@ -953,7 +968,7 @@ class TwoVhost80Test(util.ApacheTest): # pylint: disable=protected-access self.config._enable_redirect(self.vh_truth[1], "") - self.assertEqual(len(self.config.vhosts), 7) + self.assertEqual(len(self.config.vhosts), 8) def test_sift_line(self): # pylint: disable=protected-access diff --git a/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/sites-available/wildcard.conf b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/sites-available/wildcard.conf new file mode 100644 index 000000000..33e30a63b --- /dev/null +++ b/letsencrypt-apache/letsencrypt_apache/tests/testdata/debian_apache_2_4/two_vhost_80/apache2/sites-available/wildcard.conf @@ -0,0 +1,13 @@ + + + ServerName ip-172-30-0-17 + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + ServerAlias *.blue.purple.com + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/letsencrypt-apache/letsencrypt_apache/tests/util.py b/letsencrypt-apache/letsencrypt_apache/tests/util.py index 97a11e851..fb1e1442d 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/util.py +++ b/letsencrypt-apache/letsencrypt_apache/tests/util.py @@ -150,7 +150,12 @@ def get_vh_truth(temp_dir, config_name): os.path.join(prefix, "default-ssl-port-only.conf"), os.path.join(aug_pre, ("default-ssl-port-only.conf/" "IfModule/VirtualHost")), - set([obj.Addr.fromstring("_default_:443")]), True, False) + set([obj.Addr.fromstring("_default_:443")]), True, False), + obj.VirtualHost( + os.path.join(prefix, "wildcard.conf"), + os.path.join(aug_pre, "wildcard.conf/VirtualHost"), + set([obj.Addr.fromstring("*:80")]), False, False, + "ip-172-30-0-17", aliases=["*.blue.purple.com"]) ] return vh_truth From d9534cefb503be0254360e3072bceff35f7e7b3a Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 23 Feb 2016 17:38:33 -0800 Subject: [PATCH 125/141] Revert "Revert "Merge Augeas lens fix for continuations in section headings"" This reverts commit b7a53541c5911c3619b851a5d57db4fdc8ee4161. --- .../letsencrypt_apache/augeas_lens/httpd.aug | 7 +- .../passing/section-continuations-2525.conf | 284 ++++++++++++++++++ 2 files changed, 287 insertions(+), 4 deletions(-) create mode 100644 letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf diff --git a/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug b/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug index edaca3fef..f3e688e05 100644 --- a/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug +++ b/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug @@ -45,9 +45,8 @@ autoload xfm let dels (s:string) = del s s (* deal with continuation lines *) -let sep_spc = del /([ \t]+|[ \t]*\\\\\r?\n[ \t]*)/ " " - -let sep_osp = Sep.opt_space +let sep_spc = del /([ \t]+|[ \t]*\\\\\r?\n[ \t]*)/ " " +let sep_osp = del /([ \t]*|[ \t]*\\\\\r?\n[ \t]*)/ "" let sep_eq = del /[ \t]*=[ \t]*/ "=" let nmtoken = /[a-zA-Z:_][a-zA-Z0-9:_.-]*/ @@ -60,7 +59,7 @@ let indent = Util.indent (* borrowed from shellvars.aug *) let char_arg_dir = /([^\\ '"{\t\r\n]|[^ '"{\t\r\n]+[^\\ \t\r\n])|\\\\"|\\\\'/ -let char_arg_sec = /[^ '"\t\r\n>]|\\\\"|\\\\'/ +let char_arg_sec = /[^\\ '"\t\r\n>]|\\\\"|\\\\'/ let char_arg_wl = /([^\\ '"},\t\r\n]|[^ '"},\t\r\n]+[^\\ '"},\t\r\n])/ let cdot = /\\\\./ diff --git a/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf b/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf new file mode 100644 index 000000000..6840b71d6 --- /dev/null +++ b/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf @@ -0,0 +1,284 @@ + +NameVirtualHost 0.0.0.0:7080 +NameVirtualHost [00000:000:000:000::0]:7080 +NameVirtualHost 0.0.0.0:7080 + +NameVirtualHost 127.0.0.1:7080 +NameVirtualHost 0.0.0.0:7081 +NameVirtualHost [0000:000:000:000::2]:7081 +NameVirtualHost 0.0.0.0:7081 + +NameVirtualHost 127.0.0.1:7081 + +ServerName "example.com" +ServerAdmin "srv@example.com" + +DocumentRoot "/var/www/vhosts/default/htdocs" + + + LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" plesklog + + + LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" plesklog + + +TraceEnable off + +ServerTokens ProductOnly + + + AllowOverride "All" + Options SymLinksIfOwnerMatch + Order allow,deny + Allow from all + + + php_admin_flag engine off + + + + php_admin_flag engine off + + + + + + AllowOverride "All" + Options SymLinksIfOwnerMatch + Order allow,deny + Allow from all + + php_admin_flag engine off + + + php_admin_flag engine off + + + + + Header add X-Powered-By PleskLin + + + + SecRuleEngine DetectionOnly + SecRequestBodyAccess On + SecRequestBodyLimit 134217728 + SecResponseBodyAccess Off + SecResponseBodyLimit 524288 + SecAuditEngine On + SecAuditLog "/var/log/modsec_audit.log" + SecAuditLogType serial + + +Include "/etc/httpd/conf/plesk.conf.d/ip_default/*.conf" + + + ServerName "default" + UseCanonicalName Off + DocumentRoot "/var/www/vhosts/default/htdocs" + ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" + + + SSLEngine off + + + + AllowOverride None + Options None + Order allow,deny + Allow from all + + + + + + php_admin_flag engine on + + + + php_admin_flag engine on + + + + + + + + + + ServerName "default-0_0_0_0" + UseCanonicalName Off + DocumentRoot "/var/www/vhosts/default/htdocs" + ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" + + SSLEngine on + SSLVerifyClient none + SSLCertificateFile "/usr/local/psa/var/certificates/certGXCBZ4r" + + + AllowOverride None + Options None + Order allow,deny + Allow from all + + + + + + php_admin_flag engine on + + + + php_admin_flag engine on + + + + + + + ServerName "default-0000_000_000_00000__2" + UseCanonicalName Off + DocumentRoot "/var/www/vhosts/default/htdocs" + ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" + + SSLEngine on + SSLVerifyClient none + SSLCertificateFile "/usr/local/psa/var/certificates/certGXCBZ4r" + + + AllowOverride None + Options None + Order allow,deny + Allow from all + + + + + + php_admin_flag engine on + + + + php_admin_flag engine on + + + + + + + ServerName "default-0_0_0_0" + UseCanonicalName Off + DocumentRoot "/var/www/vhosts/default/htdocs" + ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" + + SSLEngine on + SSLVerifyClient none + SSLCertificateFile "/usr/local/psa/var/certificates/cert-Nv4Tz5" + + SSLCACertificateFile "/usr/local/psa/var/certificates/cert-nLy6Z1" + + + AllowOverride None + Options None + Order allow,deny + Allow from all + + + + + + php_admin_flag engine on + + + + php_admin_flag engine on + + + + + + + + + + DocumentRoot "/var/www/vhosts/default/htdocs" + ServerName lists + ServerAlias lists.* + UseCanonicalName Off + + ScriptAlias "/mailman/" "/usr/lib/mailman/cgi-bin/" + + Alias "/icons/" "/var/www/icons/" + Alias "/pipermail/" "/var/lib/mailman/archives/public/" + + + SSLEngine off + + + + Options FollowSymLinks + Order allow,deny + Allow from all + + + + + + + DocumentRoot "/var/www/vhosts/default/htdocs" + ServerName lists + ServerAlias lists.* + UseCanonicalName Off + + ScriptAlias "/mailman/" "/usr/lib/mailman/cgi-bin/" + + Alias "/icons/" "/var/www/icons/" + Alias "/pipermail/" "/var/lib/mailman/archives/public/" + + SSLEngine on + SSLVerifyClient none + SSLCertificateFile "/usr/local/psa/var/certificates/cert-Nv4Tz5" + + + Options FollowSymLinks + Order allow,deny + Allow from all + + + + + + + RPAFproxy_ips 0.0.0.0 [00000:000:000:00000::2] 0.0.0.0 + + + RPAFproxy_ips 0.0.0.0 [0000:000:000:0000::2] 0.0.0.0 + + + RemoteIPInternalProxy 0.0.0.0 [0000:000:000:0000::2] 0.0.0.0 + RemoteIPHeader X-Forwarded-For + \ No newline at end of file From d4804fd9e6f361433d3192b74718920e754a6d38 Mon Sep 17 00:00:00 2001 From: Erik Rose Date: Thu, 25 Feb 2016 00:08:20 -0500 Subject: [PATCH 126/141] Use a new file for the updated le-auto script. Fix #2456. I prefer to err toward simplicity here. Yes, there's an assumption necessary for this to work--that the shell doesn't do multiple open() calls to the script path throughout the life of the interpreter--but I think it's reasonable. The alternative of exec-ing out to a dedicated update script which then execs back to le-auto has more moving parts (like extra files that we have to clean up) and is longer. --- letsencrypt-auto-source/letsencrypt-auto | 17 +++++++++++++---- .../letsencrypt-auto.template | 17 +++++++++++++---- 2 files changed, 26 insertions(+), 8 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 23a9d93f0..85e05cae6 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -1818,12 +1818,21 @@ UNLIKELY_EOF # future Windows compatibility. "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION" - # Install new copy of letsencrypt-auto. This preserves permissions and - # ownership from the old copy. + # Install new copy of letsencrypt-auto. # TODO: Deal with quotes in pathnames. echo "Replacing letsencrypt-auto..." - echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" - $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + # Clone permissions with cp. chmod and chown don't have a --reference + # option on OS X or BSD, and stat -c on Linux is stat -f on OS X and BSD: + echo " " $SUDO cp -p "$0" "$TEMP_DIR/letsencrypt-auto.permission-clone" + $SUDO cp -p "$0" "$TEMP_DIR/letsencrypt-auto.permission-clone" + echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$TEMP_DIR/letsencrypt-auto.permission-clone" + $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$TEMP_DIR/letsencrypt-auto.permission-clone" + # Using mv rather than cp leaves the old file descriptor pointing to the + # original copy so the shell can continue to read it unmolested. mv across + # filesystems is non-atomic, doing `rm dest, cp src dest, rm src`, but the + # cp is unlikely to fail (esp. under sudo) if the rm doesn't. + echo " " $SUDO mv -f "$TEMP_DIR/letsencrypt-auto.permission-clone" "$0" + $SUDO mv -f "$TEMP_DIR/letsencrypt-auto.permission-clone" "$0" # TODO: Clean up temp dir safely, even if it has quotes in its path. rm -rf "$TEMP_DIR" fi # should upgrade diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index bccd9e2c9..353fd2129 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -252,12 +252,21 @@ UNLIKELY_EOF # future Windows compatibility. "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION" - # Install new copy of letsencrypt-auto. This preserves permissions and - # ownership from the old copy. + # Install new copy of letsencrypt-auto. # TODO: Deal with quotes in pathnames. echo "Replacing letsencrypt-auto..." - echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" - $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$0" + # Clone permissions with cp. chmod and chown don't have a --reference + # option on OS X or BSD, and stat -c on Linux is stat -f on OS X and BSD: + echo " " $SUDO cp -p "$0" "$TEMP_DIR/letsencrypt-auto.permission-clone" + $SUDO cp -p "$0" "$TEMP_DIR/letsencrypt-auto.permission-clone" + echo " " $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$TEMP_DIR/letsencrypt-auto.permission-clone" + $SUDO cp "$TEMP_DIR/letsencrypt-auto" "$TEMP_DIR/letsencrypt-auto.permission-clone" + # Using mv rather than cp leaves the old file descriptor pointing to the + # original copy so the shell can continue to read it unmolested. mv across + # filesystems is non-atomic, doing `rm dest, cp src dest, rm src`, but the + # cp is unlikely to fail (esp. under sudo) if the rm doesn't. + echo " " $SUDO mv -f "$TEMP_DIR/letsencrypt-auto.permission-clone" "$0" + $SUDO mv -f "$TEMP_DIR/letsencrypt-auto.permission-clone" "$0" # TODO: Clean up temp dir safely, even if it has quotes in its path. rm -rf "$TEMP_DIR" fi # should upgrade From ac26a931472c621bde6ea4524c5963d66d7b6d54 Mon Sep 17 00:00:00 2001 From: Dominic Cleal Date: Thu, 25 Feb 2016 14:44:19 +0000 Subject: [PATCH 127/141] Merge Augeas lens fix for backslashes in section headings From https://github.com/hercules-team/augeas/commit/1cd33e52110e7c85befc00d93c867ec89cc12628 --- letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug b/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug index f3e688e05..697d5de89 100644 --- a/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug +++ b/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug @@ -59,7 +59,7 @@ let indent = Util.indent (* borrowed from shellvars.aug *) let char_arg_dir = /([^\\ '"{\t\r\n]|[^ '"{\t\r\n]+[^\\ \t\r\n])|\\\\"|\\\\'/ -let char_arg_sec = /[^\\ '"\t\r\n>]|\\\\"|\\\\'/ +let char_arg_sec = /([^\\ '"\t\r\n>]|[^ '"\t\r\n>]+[^\\ \t\r\n>])|\\\\"|\\\\'/ let char_arg_wl = /([^\\ '"},\t\r\n]|[^ '"},\t\r\n]+[^\\ '"},\t\r\n])/ let cdot = /\\\\./ From 5828bf7eda5f3ff9ad691814740ffa1170f87144 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 25 Feb 2016 11:58:18 -0800 Subject: [PATCH 128/141] Cast webroot-path from str to [str] if needed - for compatibility with pre-public-beta renewal conf files - fixes #2542 --- letsencrypt/cli.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/letsencrypt/cli.py b/letsencrypt/cli.py index e8675a169..2258e29c3 100644 --- a/letsencrypt/cli.py +++ b/letsencrypt/cli.py @@ -871,8 +871,11 @@ def _restore_webroot_config(config, renewalparams): if not (_set_by_cli("webroot_map") or _set_by_cli("webroot_path")): setattr(config.namespace, "webroot_map", renewalparams["webroot_map"]) elif "webroot_path" in renewalparams: + wp = renewalparams["webroot_path"] + if isinstance(wp, str): + wp = [wp] logger.info("Ancient renewal conf file without webroot-map, restoring webroot-path") - setattr(config.namespace, "webroot_path", renewalparams["webroot_path"]) + setattr(config.namespace, "webroot_path", wp) def _reconstitute(config, full_path): From 66e09fbf2fd1647565b2271f58a5a72c077f1637 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 25 Feb 2016 12:11:38 -0800 Subject: [PATCH 129/141] Fix path problems in section-continuations-2525.conf --- .../passing/section-continuations-2525.conf | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf b/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf index 6840b71d6..e1bfeee27 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf +++ b/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf @@ -13,7 +13,7 @@ NameVirtualHost 127.0.0.1:7081 ServerName "example.com" ServerAdmin "srv@example.com" -DocumentRoot "/var/www/vhosts/default/htdocs" +DocumentRoot "/var/www/html" LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" plesklog @@ -70,7 +70,7 @@ ServerTokens ProductOnly SecAuditLogType serial -Include "/etc/httpd/conf/plesk.conf.d/ip_default/*.conf" +#Include "/etc/httpd/conf/plesk.conf.d/ip_default/*.conf" ServerName "default" UseCanonicalName Off - DocumentRoot "/var/www/vhosts/default/htdocs" + DocumentRoot "/var/www/html" ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" @@ -116,12 +116,12 @@ Include "/etc/httpd/conf/plesk.conf.d/ip_default/*.conf" > ServerName "default-0_0_0_0" UseCanonicalName Off - DocumentRoot "/var/www/vhosts/default/htdocs" + DocumentRoot "/var/www/html" ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" SSLEngine on SSLVerifyClient none - SSLCertificateFile "/usr/local/psa/var/certificates/certGXCBZ4r" + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem AllowOverride None @@ -149,12 +149,12 @@ Include "/etc/httpd/conf/plesk.conf.d/ip_default/*.conf" > ServerName "default-0000_000_000_00000__2" UseCanonicalName Off - DocumentRoot "/var/www/vhosts/default/htdocs" + DocumentRoot "/var/www/html" ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" SSLEngine on SSLVerifyClient none - SSLCertificateFile "/usr/local/psa/var/certificates/certGXCBZ4r" + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem AllowOverride None @@ -182,14 +182,14 @@ Include "/etc/httpd/conf/plesk.conf.d/ip_default/*.conf" > ServerName "default-0_0_0_0" UseCanonicalName Off - DocumentRoot "/var/www/vhosts/default/htdocs" + DocumentRoot "/var/www/html" ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" SSLEngine on SSLVerifyClient none - SSLCertificateFile "/usr/local/psa/var/certificates/cert-Nv4Tz5" + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem - SSLCACertificateFile "/usr/local/psa/var/certificates/cert-nLy6Z1" + #SSLCACertificateFile "/usr/local/psa/var/certificates/cert-nLy6Z1" AllowOverride None @@ -220,7 +220,7 @@ Include "/etc/httpd/conf/plesk.conf.d/ip_default/*.conf" 0.0.0.0:7080 \ 127.0.0.1:7080 \ > - DocumentRoot "/var/www/vhosts/default/htdocs" + DocumentRoot "/var/www/html" ServerName lists ServerAlias lists.* UseCanonicalName Off @@ -249,7 +249,7 @@ Include "/etc/httpd/conf/plesk.conf.d/ip_default/*.conf" 0.0.0.0:7081 \ 127.0.0.1:7081 \ > - DocumentRoot "/var/www/vhosts/default/htdocs" + DocumentRoot "/var/www/html" ServerName lists ServerAlias lists.* UseCanonicalName Off @@ -261,7 +261,7 @@ Include "/etc/httpd/conf/plesk.conf.d/ip_default/*.conf" SSLEngine on SSLVerifyClient none - SSLCertificateFile "/usr/local/psa/var/certificates/cert-Nv4Tz5" + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem Options FollowSymLinks @@ -281,4 +281,4 @@ Include "/etc/httpd/conf/plesk.conf.d/ip_default/*.conf" RemoteIPInternalProxy 0.0.0.0 [0000:000:000:0000::2] 0.0.0.0 RemoteIPHeader X-Forwarded-For - \ No newline at end of file + From 73870ac9b63b5759486c6c6ebdfa24683d18b7bb Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 25 Feb 2016 12:20:54 -0800 Subject: [PATCH 130/141] tabs + spaces = headaches --- .../passing/section-continuations-2525.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf b/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf index e1bfeee27..035a05c7e 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf +++ b/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf @@ -121,7 +121,7 @@ ServerTokens ProductOnly SSLEngine on SSLVerifyClient none - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem AllowOverride None @@ -154,7 +154,7 @@ ServerTokens ProductOnly SSLEngine on SSLVerifyClient none - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem AllowOverride None @@ -187,7 +187,7 @@ ServerTokens ProductOnly SSLEngine on SSLVerifyClient none - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem #SSLCACertificateFile "/usr/local/psa/var/certificates/cert-nLy6Z1" @@ -261,7 +261,7 @@ ServerTokens ProductOnly SSLEngine on SSLVerifyClient none - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem Options FollowSymLinks From 03ee5a01b7bb3cb83c75d1a86fc9339439a33276 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 25 Feb 2016 12:49:35 -0800 Subject: [PATCH 131/141] Does someone not like quotes? --- .../passing/section-continuations-2525.conf | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf b/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf index 035a05c7e..bc403e4cf 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf +++ b/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf @@ -13,7 +13,7 @@ NameVirtualHost 127.0.0.1:7081 ServerName "example.com" ServerAdmin "srv@example.com" -DocumentRoot "/var/www/html" +DocumentRoot /var/www/html LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" plesklog @@ -80,7 +80,7 @@ ServerTokens ProductOnly > ServerName "default" UseCanonicalName Off - DocumentRoot "/var/www/html" + DocumentRoot /var/www/html ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" @@ -116,7 +116,7 @@ ServerTokens ProductOnly > ServerName "default-0_0_0_0" UseCanonicalName Off - DocumentRoot "/var/www/html" + DocumentRoot /var/www/html ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" SSLEngine on @@ -149,7 +149,7 @@ ServerTokens ProductOnly > ServerName "default-0000_000_000_00000__2" UseCanonicalName Off - DocumentRoot "/var/www/html" + DocumentRoot /var/www/html ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" SSLEngine on @@ -182,7 +182,7 @@ ServerTokens ProductOnly > ServerName "default-0_0_0_0" UseCanonicalName Off - DocumentRoot "/var/www/html" + DocumentRoot /var/www/html ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" SSLEngine on @@ -220,7 +220,7 @@ ServerTokens ProductOnly 0.0.0.0:7080 \ 127.0.0.1:7080 \ > - DocumentRoot "/var/www/html" + DocumentRoot /var/www/html ServerName lists ServerAlias lists.* UseCanonicalName Off @@ -249,7 +249,7 @@ ServerTokens ProductOnly 0.0.0.0:7081 \ 127.0.0.1:7081 \ > - DocumentRoot "/var/www/html" + DocumentRoot /var/www/html ServerName lists ServerAlias lists.* UseCanonicalName Off From 13a4089ee65e608f49669e282cbfe23af38e0366 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 25 Feb 2016 13:10:43 -0800 Subject: [PATCH 132/141] I promise /tmp is a directory --- .../passing/section-continuations-2525.conf | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf b/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf index bc403e4cf..8f65e4773 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf +++ b/letsencrypt-apache/letsencrypt_apache/tests/apache-conf-files/passing/section-continuations-2525.conf @@ -13,7 +13,7 @@ NameVirtualHost 127.0.0.1:7081 ServerName "example.com" ServerAdmin "srv@example.com" -DocumentRoot /var/www/html +DocumentRoot /tmp LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" plesklog @@ -80,7 +80,7 @@ ServerTokens ProductOnly > ServerName "default" UseCanonicalName Off - DocumentRoot /var/www/html + DocumentRoot /tmp ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" @@ -116,7 +116,7 @@ ServerTokens ProductOnly > ServerName "default-0_0_0_0" UseCanonicalName Off - DocumentRoot /var/www/html + DocumentRoot /tmp ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" SSLEngine on @@ -149,7 +149,7 @@ ServerTokens ProductOnly > ServerName "default-0000_000_000_00000__2" UseCanonicalName Off - DocumentRoot /var/www/html + DocumentRoot /tmp ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" SSLEngine on @@ -182,7 +182,7 @@ ServerTokens ProductOnly > ServerName "default-0_0_0_0" UseCanonicalName Off - DocumentRoot /var/www/html + DocumentRoot /tmp ScriptAlias "/cgi-bin/" "/var/www/vhosts/default/cgi-bin" SSLEngine on @@ -220,7 +220,7 @@ ServerTokens ProductOnly 0.0.0.0:7080 \ 127.0.0.1:7080 \ > - DocumentRoot /var/www/html + DocumentRoot /tmp ServerName lists ServerAlias lists.* UseCanonicalName Off @@ -249,7 +249,7 @@ ServerTokens ProductOnly 0.0.0.0:7081 \ 127.0.0.1:7081 \ > - DocumentRoot /var/www/html + DocumentRoot /tmp ServerName lists ServerAlias lists.* UseCanonicalName Off From 152bfce313c75b0b5cac1d64b553465eea1fc797 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 25 Feb 2016 16:21:13 -0800 Subject: [PATCH 133/141] After much madness, a test case --- letsencrypt/cli.py | 6 +++--- letsencrypt/tests/cli_test.py | 22 ++++++++++++++++++++-- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/letsencrypt/cli.py b/letsencrypt/cli.py index 2258e29c3..3551d5a10 100644 --- a/letsencrypt/cli.py +++ b/letsencrypt/cli.py @@ -871,10 +871,10 @@ def _restore_webroot_config(config, renewalparams): if not (_set_by_cli("webroot_map") or _set_by_cli("webroot_path")): setattr(config.namespace, "webroot_map", renewalparams["webroot_map"]) elif "webroot_path" in renewalparams: - wp = renewalparams["webroot_path"] - if isinstance(wp, str): - wp = [wp] logger.info("Ancient renewal conf file without webroot-map, restoring webroot-path") + wp = renewalparams["webroot_path"] + if isinstance(wp, str): # prior to 0.1.0, webroot_path was a string + wp = [wp] setattr(config.namespace, "webroot_path", wp) diff --git a/letsencrypt/tests/cli_test.py b/letsencrypt/tests/cli_test.py index 2b4e443a8..ffef21c63 100644 --- a/letsencrypt/tests/cli_test.py +++ b/letsencrypt/tests/cli_test.py @@ -20,6 +20,7 @@ from letsencrypt import constants from letsencrypt import crypto_util from letsencrypt import errors from letsencrypt import le_util +from letsencrypt import storage from letsencrypt.plugins import disco from letsencrypt.plugins import manual @@ -630,8 +631,9 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods print "Logs:" print lf.read() - def test_renew_verb(self): - with open(test_util.vector_path('sample-renewal.conf')) as src: + + def _make_test_renewal_conf(self, testfile): + with open(test_util.vector_path(testfile)) as src: # put the correct path for cert.pem, chain.pem etc in the renewal conf renewal_conf = src.read().replace("MAGICDIR", test_util.vector_path()) rd = os.path.join(self.config_dir, "renewal") @@ -640,9 +642,25 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods rc = os.path.join(rd, "sample-renewal.conf") with open(rc, "w") as dest: dest.write(renewal_conf) + return rc + + def test_renew_verb(self): + self._make_test_renewal_conf('sample-renewal.conf') args = ["renew", "--dry-run", "-tvv"] self._test_renewal_common(True, [], args=args, renew=True) + @mock.patch("letsencrypt.cli._set_by_cli") + def test_ancient_webroot(self, mock_set_by_cli): + mock_set_by_cli.return_value = False + rc_path = self._make_test_renewal_conf('sample-renewal-ancient.conf') + args = mock.MagicMock(account=None, email=None, webroot_path=None) + config = configuration.NamespaceConfig(args) + lineage = storage.RenewableCert(rc_path, + configuration.RenewerConfiguration(config)) + renewalparams = lineage.configuration["renewalparams"] + cli._restore_webroot_config(config, renewalparams) + self.assertEqual(config.webroot_path, ["/var/www/"]) + def test_renew_verb_empty_config(self): rd = os.path.join(self.config_dir, 'renewal') if not os.path.exists(rd): From 087271204d6657e77a8a73d1e342669802d9012e Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 25 Feb 2016 16:22:02 -0800 Subject: [PATCH 134/141] And the renewal conf file for the test case... --- .../testdata/sample-renewal-ancient.conf | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100755 letsencrypt/tests/testdata/sample-renewal-ancient.conf diff --git a/letsencrypt/tests/testdata/sample-renewal-ancient.conf b/letsencrypt/tests/testdata/sample-renewal-ancient.conf new file mode 100755 index 000000000..ff246ba7c --- /dev/null +++ b/letsencrypt/tests/testdata/sample-renewal-ancient.conf @@ -0,0 +1,75 @@ +cert = MAGICDIR/live/sample-renewal/cert.pem +privkey = MAGICDIR/live/sample-renewal/privkey.pem +chain = MAGICDIR/live/sample-renewal/chain.pem +fullchain = MAGICDIR/live/sample-renewal/fullchain.pem +renew_before_expiry = 1 year + +# Options and defaults used in the renewal process +[renewalparams] +no_self_upgrade = False +apache_enmod = a2enmod +no_verify_ssl = False +ifaces = None +apache_dismod = a2dismod +register_unsafely_without_email = False +apache_handle_modules = True +uir = None +installer = none +nginx_ctl = nginx +config_dir = MAGICDIR +text_mode = False +func = +staging = True +prepare = False +work_dir = /var/lib/letsencrypt +tos = False +init = False +http01_port = 80 +duplicate = False +noninteractive_mode = True +key_path = None +nginx = False +nginx_server_root = /etc/nginx +fullchain_path = /home/ubuntu/letsencrypt/chain.pem +email = None +csr = None +agree_dev_preview = None +redirect = None +verb = certonly +verbose_count = -3 +config_file = None +renew_by_default = False +hsts = False +apache_handle_sites = True +authenticator = webroot +domains = isnot.org, +rsa_key_size = 2048 +apache_challenge_location = /etc/apache2 +checkpoints = 1 +manual_test_mode = False +apache = False +cert_path = /home/ubuntu/letsencrypt/cert.pem +webroot_path = /var/www/ +reinstall = False +expand = False +strict_permissions = False +apache_server_root = /etc/apache2 +account = None +dry_run = False +manual_public_ip_logging_ok = False +chain_path = /home/ubuntu/letsencrypt/chain.pem +break_my_certs = False +standalone = True +manual = False +server = https://acme-staging.api.letsencrypt.org/directory +standalone_supported_challenges = "tls-sni-01,http-01" +webroot = True +os_packages_only = False +apache_init_script = None +user_agent = None +apache_le_vhost_ext = -le-ssl.conf +debug = False +tls_sni_01_port = 443 +logs_dir = /var/log/letsencrypt +apache_vhost_root = /etc/apache2/sites-available +configurator = None From 6e0457841cafc38da6c3d0354f42a1df14c3a4a2 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 25 Feb 2016 16:41:34 -0800 Subject: [PATCH 135/141] More accurate function name --- letsencrypt/tests/cli_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt/tests/cli_test.py b/letsencrypt/tests/cli_test.py index ffef21c63..e7f4ca2d4 100644 --- a/letsencrypt/tests/cli_test.py +++ b/letsencrypt/tests/cli_test.py @@ -650,7 +650,7 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods self._test_renewal_common(True, [], args=args, renew=True) @mock.patch("letsencrypt.cli._set_by_cli") - def test_ancient_webroot(self, mock_set_by_cli): + def test_ancient_webroot_renewal_conf(self, mock_set_by_cli): mock_set_by_cli.return_value = False rc_path = self._make_test_renewal_conf('sample-renewal-ancient.conf') args = mock.MagicMock(account=None, email=None, webroot_path=None) From 5c6638f60a99f358b118deab48574502c60834e6 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 25 Feb 2016 16:43:05 -0800 Subject: [PATCH 136/141] lint --- letsencrypt/tests/cli_test.py | 1 + 1 file changed, 1 insertion(+) diff --git a/letsencrypt/tests/cli_test.py b/letsencrypt/tests/cli_test.py index e7f4ca2d4..aef3447c3 100644 --- a/letsencrypt/tests/cli_test.py +++ b/letsencrypt/tests/cli_test.py @@ -658,6 +658,7 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods lineage = storage.RenewableCert(rc_path, configuration.RenewerConfiguration(config)) renewalparams = lineage.configuration["renewalparams"] + # pylint: disable=protected-access cli._restore_webroot_config(config, renewalparams) self.assertEqual(config.webroot_path, ["/var/www/"]) From bcb40a890beafe6f7a86c7b2b81d421a51280e19 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 25 Feb 2016 16:52:29 -0800 Subject: [PATCH 137/141] Remove werkzeug from leauto requirements --- .../pieces/letsencrypt-auto-requirements.txt | 4 ---- 1 file changed, 4 deletions(-) diff --git a/letsencrypt-auto-source/pieces/letsencrypt-auto-requirements.txt b/letsencrypt-auto-source/pieces/letsencrypt-auto-requirements.txt index 574e567c3..b258fcfad 100644 --- a/letsencrypt-auto-source/pieces/letsencrypt-auto-requirements.txt +++ b/letsencrypt-auto-source/pieces/letsencrypt-auto-requirements.txt @@ -172,10 +172,6 @@ traceback2==1.4.0 # sha256: IogqDkGMKE4fcYqCKzsCKUTVPS2QjhaQsxmp0-ssBXk unittest2==1.1.0 -# sha256: aUkbUwUVfDxuDwSnAZhNaud_1yn8HJrNJQd_HfOFMms -# sha256: 619wCpv8lkILBVY1r5AC02YuQ9gMP_0x8iTCW8DV9GI -Werkzeug==0.11.3 - # sha256: KCwRK1XdjjyGmjVx-GdnwVCrEoSprOK97CJsWSrK-Bo zope.component==4.2.2 From 593cb3a03855c0ec41479b16d34209ee168ac74d Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 25 Feb 2016 16:58:54 -0800 Subject: [PATCH 138/141] alphabetanit --- acme/acme/client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index 79d7c5df4..e67de35c5 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -1,10 +1,10 @@ """ACME client API.""" import collections import datetime +from email.utils import parsedate_tz import heapq import logging import time -from email.utils import parsedate_tz import six from six.moves import http_client # pylint: disable=import-error From 556e9f2123535f3aaaae751f3e99c646e0b1cd39 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 25 Feb 2016 17:03:48 -0800 Subject: [PATCH 139/141] Rebuild leauto --- letsencrypt-auto-source/letsencrypt-auto | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 9218bdc52..ba0827cf6 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -19,7 +19,7 @@ XDG_DATA_HOME=${XDG_DATA_HOME:-~/.local/share} VENV_NAME="letsencrypt" VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"} VENV_BIN=${VENV_PATH}/bin -LE_AUTO_VERSION="0.4.0" +LE_AUTO_VERSION="0.5.0.dev0" # This script takes the same arguments as the main letsencrypt program, but it # additionally responds to --verbose (more output) and --debug (allow support @@ -609,10 +609,6 @@ traceback2==1.4.0 # sha256: IogqDkGMKE4fcYqCKzsCKUTVPS2QjhaQsxmp0-ssBXk unittest2==1.1.0 -# sha256: aUkbUwUVfDxuDwSnAZhNaud_1yn8HJrNJQd_HfOFMms -# sha256: 619wCpv8lkILBVY1r5AC02YuQ9gMP_0x8iTCW8DV9GI -Werkzeug==0.11.3 - # sha256: KCwRK1XdjjyGmjVx-GdnwVCrEoSprOK97CJsWSrK-Bo zope.component==4.2.2 From 902ab9afdf6306868252fffc9d67be6664c68a0c Mon Sep 17 00:00:00 2001 From: Kane York Date: Mon, 29 Feb 2016 10:58:14 -0800 Subject: [PATCH 140/141] Work around leap day bug in parsedatetime --- tests/boulder-integration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/boulder-integration.sh b/tests/boulder-integration.sh index 32c292e90..77e866b52 100755 --- a/tests/boulder-integration.sh +++ b/tests/boulder-integration.sh @@ -68,7 +68,7 @@ common renew CheckCertCount 2 # This will renew because the expiry is less than 10 years from now -sed -i "4arenew_before_expiry = 10 years" "$root/conf/renewal/le.wtf.conf" +sed -i "4arenew_before_expiry = 4 years" "$root/conf/renewal/le.wtf.conf" common_no_force_renew renew --rsa-key-size 2048 CheckCertCount 3 From 1f254f5330956d6756d740ae237798c5a95ab195 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Mon, 29 Feb 2016 11:34:17 -0800 Subject: [PATCH 141/141] Change renewal period to fix leap year problems --- letsencrypt/tests/testdata/sample-renewal.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt/tests/testdata/sample-renewal.conf b/letsencrypt/tests/testdata/sample-renewal.conf index 16778303a..d6ebbd845 100755 --- a/letsencrypt/tests/testdata/sample-renewal.conf +++ b/letsencrypt/tests/testdata/sample-renewal.conf @@ -2,7 +2,7 @@ cert = MAGICDIR/live/sample-renewal/cert.pem privkey = MAGICDIR/live/sample-renewal/privkey.pem chain = MAGICDIR/live/sample-renewal/chain.pem fullchain = MAGICDIR/live/sample-renewal/fullchain.pem -renew_before_expiry = 1 year +renew_before_expiry = 4 years # Options and defaults used in the renewal process [renewalparams]