storage: always save key_type to renewal .conf (#9217)

* storage: always save key_type to renewal .conf

* fix typo in comment

Co-authored-by: DasSkelett <dasskelett@gmail.com>

certbot-ci/certbot_integration_tests/certbot_tests/assertions.py

@@ -1,6 +1,7 @@
 """This module contains advanced assertions for the certbot integration tests."""
 import io
 import os
+from typing import Optional
 from typing import Type
 
 from cryptography.hazmat.backends import default_backend
@@ -62,14 +63,26 @@ def assert_hook_execution(probe_path: str, probe_content: str) -> None:
     assert probe_content in lines
 
 
+def assert_saved_lineage_option(config_dir: str, lineage: str,
+                                option: str, value: Optional[str] = None) -> None:
+    """
+    Assert that the option of a lineage has been saved.
+    :param str config_dir: location of the certbot configuration
+    :param str lineage: lineage domain name
+    :param str option: the option key
+    :param value: if desired, the expected option value
+    """
+    with open(os.path.join(config_dir, 'renewal', '{0}.conf'.format(lineage))) as file_h:
+        assert f"{option} = {value if value else ''}" in file_h.read()
+
+
 def assert_saved_renew_hook(config_dir: str, lineage: str) -> None:
     """
     Assert that the renew hook configuration of a lineage has been saved.
     :param str config_dir: location of the certbot configuration
     :param str lineage: lineage domain name
     """
-    with open(os.path.join(config_dir, 'renewal', '{0}.conf'.format(lineage))) as file_h:
-        assert 'renew_hook' in file_h.read()
+    assert_saved_lineage_option(config_dir, lineage, 'renew_hook')
 
 
 def assert_cert_count_for_lineage(config_dir: str, lineage: str, count: int) -> None:

certbot-ci/certbot_integration_tests/certbot_tests/test_main.py

@@ -25,6 +25,7 @@ from certbot_integration_tests.certbot_tests.assertions import assert_equals_gro
 from certbot_integration_tests.certbot_tests.assertions import assert_equals_world_read_permissions
 from certbot_integration_tests.certbot_tests.assertions import assert_hook_execution
 from certbot_integration_tests.certbot_tests.assertions import assert_rsa_key
+from certbot_integration_tests.certbot_tests.assertions import assert_saved_lineage_option
 from certbot_integration_tests.certbot_tests.assertions import assert_saved_renew_hook
 from certbot_integration_tests.certbot_tests.assertions import assert_world_no_permissions
 from certbot_integration_tests.certbot_tests.assertions import assert_world_read_permissions
@@ -102,6 +103,7 @@ def test_http_01(context: IntegrationTestsContext) -> None:
 
     assert_hook_execution(context.hook_probe, 'deploy')
     assert_saved_renew_hook(context.config_dir, certname)
+    assert_saved_lineage_option(context.config_dir, certname, 'key_type', 'rsa')
 
 
 def test_manual_http_auth(context: IntegrationTestsContext) -> None:
@@ -544,6 +546,7 @@ def test_renew_with_ec_keys(context: IntegrationTestsContext) -> None:
     assert 200 < os.stat(key1).st_size < 250  # ec keys of 256 bits are ~225 bytes
     assert_elliptic_key(key1, SECP256R1)
     assert_cert_count_for_lineage(context.config_dir, certname, 1)
+    assert_saved_lineage_option(context.config_dir, certname, 'key_type', 'ecdsa')
 
     context.certbot(['renew', '--elliptic-curve', 'secp384r1'])
     assert_cert_count_for_lineage(context.config_dir, certname, 2)

certbot/certbot/_internal/storage.py

@@ -298,6 +298,11 @@ def relevant_values(all_values: Mapping[str, Any]) -> Dict[str, Any]:
     # and behavioral consistency when versions of Certbot with different
     # server defaults are used.
     rv["server"] = all_values["server"]
+
+    # Save key type to help with forward compatibility on Certbot's transition
+    # from RSA to ECDSA certificates by default.
+    rv["key_type"] = all_values["key_type"]
+
     return rv
 
 

certbot/tests/storage_test.py

@@ -39,7 +39,7 @@ class RelevantValuesTest(unittest.TestCase):
     """Tests for certbot._internal.storage.relevant_values."""
 
     def setUp(self):
-        self.values = {"server": "example.org"}
+        self.values = {"server": "example.org", "key_type": "rsa"}
 
     def _call(self, *args, **kwargs):
         from certbot._internal.storage import relevant_values