From 528a816f704b3d359c423425eadc1c66c4d9f181 Mon Sep 17 00:00:00 2001 From: Marius Gedminas Date: Mon, 2 May 2016 09:30:32 +0300 Subject: [PATCH 01/12] Don't fail authentication when vhost cannot be found Should fix #677 and #2600. --- certbot-apache/certbot_apache/tls_sni_01.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/certbot-apache/certbot_apache/tls_sni_01.py b/certbot-apache/certbot_apache/tls_sni_01.py index 1236c2eb9..a8a931fd6 100644 --- a/certbot-apache/certbot_apache/tls_sni_01.py +++ b/certbot-apache/certbot_apache/tls_sni_01.py @@ -4,6 +4,7 @@ import os import logging from certbot.plugins import common +from certbot.errors import PluginError from certbot_apache import obj from certbot_apache import parser @@ -116,12 +117,21 @@ class ApacheTlsSni01(common.TLSSNI01): def _get_addrs(self, achall): """Return the Apache addresses needed for TLS-SNI-01.""" - vhost = self.configurator.choose_vhost(achall.domain, temp=True) # TODO: Checkout _default_ rules. addrs = set() default_addr = obj.Addr(("*", str( self.configurator.config.tls_sni_01_port))) + try: + vhost = self.configurator.choose_vhost(achall.domain, temp=True) + except PluginError: + # We couldn't find the virtualhost for this domain, possibly + # because it's a new vhost that's not configured yet (GH #677), + # or perhaps because there were multiple sections + # in the config file (GH #1042). See also GH #2600. + addrs.add(default_addr) + return addrs + for addr in vhost.addrs: if "_default_" == addr.get_addr(): addrs.add(default_addr) From 8b4f48556d2f3b1614641ddd87ada36586f99e4a Mon Sep 17 00:00:00 2001 
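Review bot: The new `except PluginError:` branch in `_get_addrs` returns the default address without recording why, so a run that ends up binding the TLS-SNI-01 challenge to the wildcard address `*` on the tls_sni_01_port instead of the domain's vhost leaves no trace in the log, which makes the #677/#2600 failure mode hard to diagnose after the fact. `import logging` is visible in the first hunk; if the module has a module-level logger as is conventional in certbot, add `logger.debug("No vhost found for %s, using default address %s", achall.domain, default_addr)` before `addrs.add(default_addr)`. The in-code comment should also state the consequence rather than only the causes, e.g. `# Fall back to the wildcard address on the TLS-SNI-01 port so the challenge can still be answered.` The body of `_get_addrs` continues past the end of the hunk.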
From: Marius Gedminas Date: Mon, 2 May 2016 09:45:27 +0300 Subject: [PATCH 02/12] Catch the right exception Conrary to the docstring of choose_vhost(), when you run non-interactive certificate renewals and the Apache plugin fails to discover the correct vhost, it raises MissingCommandlineFlag and not PluginError. --- certbot-apache/certbot_apache/tls_sni_01.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/certbot-apache/certbot_apache/tls_sni_01.py b/certbot-apache/certbot_apache/tls_sni_01.py index a8a931fd6..f14f7be0f 100644 --- a/certbot-apache/certbot_apache/tls_sni_01.py +++ b/certbot-apache/certbot_apache/tls_sni_01.py @@ -4,7 +4,7 @@ import os import logging from certbot.plugins import common -from certbot.errors import PluginError +from certbot.errors import PluginError, MissingCommandlineFlag from certbot_apache import obj from certbot_apache import parser @@ -124,7 +124,7 @@ class ApacheTlsSni01(common.TLSSNI01): try: vhost = self.configurator.choose_vhost(achall.domain, temp=True) - except PluginError: + except (PluginError, MissingCommandlineFlag): # We couldn't find the virtualhost for this domain, possibly # because it's a new vhost that's not configured yet (GH #677), # or perhaps because there were multiple sections From d73e2e68ac65a80a4407f83ebd1b2ea1fa25681e Mon Sep 17 00:00:00 2001 From: Marius Gedminas Date: Mon, 2 May 2016 11:45:07 +0300 Subject: [PATCH 03/12] Add a test for #2906 --- .../certbot_apache/tests/tls_sni_01_test.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/certbot-apache/certbot_apache/tests/tls_sni_01_test.py b/certbot-apache/certbot_apache/tests/tls_sni_01_test.py index 17ef92004..aa6a2a09c 100644 --- a/certbot-apache/certbot_apache/tests/tls_sni_01_test.py +++ b/certbot-apache/certbot_apache/tests/tls_sni_01_test.py @@ -4,6 +4,7 @@ import shutil import mock +from certbot import errors from certbot.plugins import common_test from certbot_apache import obj 
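Review bot: Widening the handler to `except (PluginError, MissingCommandlineFlag):` makes the fallback catch a generic non-interactive-mode error rather than a vhost-lookup failure, so any `MissingCommandlineFlag` raised inside `choose_vhost` for another reason is now also turned into the default address silently. The commit message notes that `choose_vhost`'s docstring promises `PluginError`; the narrower fix is to have `choose_vhost` (outside this diff) raise `PluginError` as documented, and until then the in-code comment should record why the second exception is caught, e.g. `# choose_vhost raises MissingCommandlineFlag in non-interactive runs despite its docstring saying PluginError.` `_get_addrs` begins and ends outside the hunk.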
@@ -137,6 +138,16 @@ class TlsSniPerformTest(util.ApacheTest): set([obj.Addr.fromstring("*:443")]), self.sni._get_addrs(self.achalls[0])) + def test_get_addrs_no_vhost_found(self): + self.sni.configurator.choose_vhost = mock.Mock( + side_effect=errors.MissingCommandlineFlag( + "Failed to run Apache plugin non-interactively")) + + # pylint: disable=protected-access + self.assertEqual( + set([obj.Addr.fromstring("*:443")]), + self.sni._get_addrs(self.achalls[0])) + if __name__ == "__main__": unittest.main() # pragma: no cover From 4e19f9eae0c0cdf6def576bd98949fee12e23b7c Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Wed, 4 May 2016 17:28:16 -0700 Subject: [PATCH 04/12] venv is still named letsencrypt --- certbot/cli.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certbot/cli.py b/certbot/cli.py index e2c57595b..97b1a5399 100644 --- a/certbot/cli.py +++ b/certbot/cli.py @@ -37,7 +37,7 @@ helpful_parser = None # should only be used for purposes where inability to detect letsencrypt-auto # fails safely -fragment = os.path.join(".local", "share", "certbot") +fragment = os.path.join(".local", "share", "letsencrypt") cli_command = "letsencrypt-auto" if fragment in sys.argv[0] else "certbot" # Argparse's help formatting has a lot of unhelpful peculiarities, so we want From f3172bcfeed8666c9904bdabfcfbb28fd17c947a Mon Sep 17 00:00:00 2001 From: Jeremy Gillula Date: Thu, 5 May 2016 08:55:49 -0700 Subject: [PATCH 05/12] Changing some "will happen"s to "hopefully will happen"s --- README.rst | 4 ++-- docs/using.rst | 14 +++++++------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/README.rst b/README.rst index 050cde82b..cc4e53bda 100644 --- a/README.rst +++ b/README.rst 
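Review bot: `test_get_addrs_no_vhost_found` only exercises the `MissingCommandlineFlag` side effect, while the code under test also swallows `PluginError`, so a regression that dropped `PluginError` from the except tuple would still pass. Wrap the body in `for exc in (errors.PluginError, errors.MissingCommandlineFlag):` and build the mock with `side_effect=exc("Failed to run Apache plugin non-interactively")`, or add a sibling test for `PluginError`. The expected `*:443` assumes the fixture's tls_sni_01_port is 443, as the preceding test in the file does; that looks intentional but is inherited from the fixture rather than stated here.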
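Review bot: `fragment` is a literal copy of the venv directory that letsencrypt-auto creates, and this commit shows the two drift as soon as one side is renamed; nothing in cli.py says where the value must stay in sync. Add a comment above the assignment such as `# Must match the venv directory created by letsencrypt-auto; change both together.` The existing comment that this detection is only for purposes where a miss fails safely is worth keeping, since `fragment in sys.argv[0]` is a plain substring test on the invoked path.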
@@ -128,8 +128,8 @@ System Requirements =================== The Let's Encrypt Client presently only runs on Unix-ish OSes that include -Python 2.6 or 2.7; Python 3.x support will be added after the Public Beta -launch. The client requires root access in order to write to +Python 2.6 or 2.7; Python 3.x support will hopefully be added after the Public +Beta launch. The client requires root access in order to write to ``/etc/letsencrypt``, ``/var/log/letsencrypt``, ``/var/lib/letsencrypt``; to bind to ports 80 and 443 (if you use the ``standalone`` plugin) and to read and modify webserver configurations (if you use the ``apache`` or ``nginx`` diff --git a/docs/using.rst b/docs/using.rst index 66c5907ae..8f56554ce 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -124,7 +124,7 @@ or ``--webroot-path /usr/share/nginx/html`` are two common webroot paths. If you're getting a certificate for many domains at once, the plugin needs to know where each domain's files are served from, which could -potentially be a separate directory for each domain. When requested a +potentially be a separate directory for each domain. When requesting a certificate for multiple domains, each domain will use the most recently specified ``--webroot-path``. So, for instance, @@ -184,11 +184,11 @@ be on a different computer. Nginx ----- -In the future, if you're running Nginx you can use this plugin to -automatically obtain and install your certificate. The Nginx plugin -is still experimental, however, and is not installed with -letsencrypt-auto_. If installed, you can select this plugin on the -command line by including ``--nginx``. +In the future, if you're running Nginx you will hopefully be able to use this +plugin to automatically obtain and install your certificate. The Nginx plugin is +still experimental, however, and is not installed with letsencrypt-auto_. If +installed, you can select this plugin on the command line by including +``--nginx``. Third-party plugins ------------------- 
@@ -446,7 +446,7 @@ If you run Debian Stretch or Debian Sid, you can install letsencrypt packages. If you don't want to use the Apache plugin, you can omit the ``python-letsencrypt-apache`` package. -Packages for Debian Jessie are coming in the next few weeks. +Packages for Debian Jessie will hopefully be coming in the next few weeks. **Fedora** From 127ba71c43770d233d1604ab8a2b32e574c12e8b Mon Sep 17 00:00:00 2001 From: Jeremy Gillula Date: Thu, 5 May 2016 11:17:47 -0700 Subject: [PATCH 06/12] Adding the fact that we actually have backports for Debian Jessie to the docs --- docs/using.rst | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/using.rst b/docs/using.rst index 8f56554ce..60c074d75 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -446,7 +446,13 @@ If you run Debian Stretch or Debian Sid, you can install letsencrypt packages. If you don't want to use the Apache plugin, you can omit the ``python-letsencrypt-apache`` package. -Packages for Debian Jessie will hopefully be coming in the next few weeks. +Packages exist for Debian Jessie via backports. First you'll have to follow the +instructions at http://backports.debian.org/Instructions/ to enable the Jessie backports +repo, if you have not already done so. Then run: + +.. code-block:: shell + + sudo apt-get install certbot python-certbot-apache -t jessie-backports **Fedora** From fbbbb5b51634d348f82f893e1a02e98c0fcf3606 Mon Sep 17 00:00:00 2001 From: Jeremy Gillula Date: Thu, 5 May 2016 11:31:28 -0700 Subject: [PATCH 07/12] Turns out the public beta is over, but still no Python 3.0 support. We over-promised! --- README.rst | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/README.rst b/README.rst index cc4e53bda..236bdf8f4 100644 --- a/README.rst +++ b/README.rst 
@@ -128,16 +128,15 @@ System Requirements =================== The Let's Encrypt Client presently only runs on Unix-ish OSes that include -Python 2.6 or 2.7; Python 3.x support will hopefully be added after the Public -Beta launch. The client requires root access in order to write to -``/etc/letsencrypt``, ``/var/log/letsencrypt``, ``/var/lib/letsencrypt``; to -bind to ports 80 and 443 (if you use the ``standalone`` plugin) and to read and -modify webserver configurations (if you use the ``apache`` or ``nginx`` -plugins). If none of these apply to you, it is theoretically possible to run -without root privileges, but for most users who want to avoid running an ACME -client as root, either `letsencrypt-nosudo -`_ or `simp_le -`_ are more appropriate choices. +Python 2.6 or 2.7; Python 3.x support will hopefully be added in the future. The +client requires root access in order to write to ``/etc/letsencrypt``, +``/var/log/letsencrypt``, ``/var/lib/letsencrypt``; to bind to ports 80 and 443 +(if you use the ``standalone`` plugin) and to read and modify webserver +configurations (if you use the ``apache`` or ``nginx`` plugins). If none of +these apply to you, it is theoretically possible to run without root privileges, +but for most users who want to avoid running an ACME client as root, either +`letsencrypt-nosudo `_ or +`simp_le `_ are more appropriate choices. The Apache plugin currently requires a Debian-based OS with augeas version 1.0; this includes Ubuntu 12.04+ and Debian 7+. From a65fca486cf65e88cdc8c8881c3e9f0c20db76ed Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 6 May 2016 11:57:12 -0700 Subject: [PATCH 08/12] Specify minimum parsedatetime version --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 67cefdc48..4ee56576b 100644 --- a/setup.py +++ b/setup.py 
@@ -39,7 +39,7 @@ install_requires = [ 'ConfigArgParse>=0.9.3', 'configobj', 'cryptography>=0.7', # load_pem_x509_certificate - 'parsedatetime', + 'parsedatetime>=1.3', # Calendar.parseDT 'psutil>=2.1.0', # net_connections introduced in 2.1.0 'PyOpenSSL', 'pyrfc3339', From 495371a3b8d150f989d92820e3d30abbe26ac96a Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 6 May 2016 12:33:52 -0700 Subject: [PATCH 09/12] Use --force-reinstall to fix bad virtualenv package --- tools/_venv_common.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/_venv_common.sh b/tools/_venv_common.sh index a121af82d..dc6ca3dd2 100755 --- a/tools/_venv_common.sh +++ b/tools/_venv_common.sh @@ -18,7 +18,8 @@ virtualenv --no-site-packages $VENV_NAME $VENV_ARGS # Separately install setuptools and pip to make sure following # invocations use latest pip install -U setuptools -pip install -U pip +# --force-reinstall used to fix broken pip installation on some systems +pip install --force-reinstall -U pip pip install "$@" set +x From 785010fe5001a3c1472bf3ef47e99fb1da32f802 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 6 May 2016 12:45:51 -0700 Subject: [PATCH 10/12] Welcome to Certbot! --- README.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.rst b/README.rst index 236bdf8f4..91a3cfcb5 100644 --- a/README.rst +++ b/README.rst @@ -3,9 +3,9 @@ Disclaimer ========== -The Let's Encrypt Client is **BETA SOFTWARE**. It contains plenty of bugs and -rough edges, and should be tested thoroughly in staging environments before use -on production systems. +Certbot (previously, the Let's Encrypt client) is **BETA SOFTWARE**. It +contains plenty of bugs and rough edges, and should be tested thoroughly in +staging environments before use on production systems. For more information regarding the status of the project, please see https://letsencrypt.org. Be sure to checkout the 
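Review bot: The new comment says `--force-reinstall` works around a "broken pip installation on some systems" while the commit title attributes it to a bad virtualenv package; the comment should name the actual trigger so the workaround can be retired once it no longer applies, e.g. `# --force-reinstall: a bad virtualenv package can seed the venv with a broken pip, so replace it unconditionally`. With `--force-reinstall` pip is reinstalled on every bootstrap even when already current; that is acceptable for a throwaway venv but should be stated as intentional next to the command.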
From 4627971dc68f1cf834eb1e836b8b4ad40e39fb0f Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 6 May 2016 17:30:18 -0700 Subject: [PATCH 11/12] s/--letsencrypt/--certbot --- tests/travis-integration.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/travis-integration.sh b/tests/travis-integration.sh index 1b51f0980..c22c346b1 100755 --- a/tests/travis-integration.sh +++ b/tests/travis-integration.sh @@ -12,8 +12,8 @@ cd $GOPATH/src/github.com/letsencrypt/boulder/ # boulder's integration-test.py has code that knows to start and wait for the # boulder processes to start reliably and then will run the certbot -# boulder-interation.sh on its own. The --letsencrypt flag says to run only the +# boulder-interation.sh on its own. The --certbot flag says to run only the # certbot tests (instead of any other client tests it might run). We're # going to want to define a more robust interaction point between the boulder # and certbot tests, but that will be better built off of this. -python test/integration-test.py --letsencrypt +python test/integration-test.py --certbot From 5c0eabcd76fc73e0fd6240cb62466336ad555593 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 6 May 2016 17:42:25 -0700 Subject: [PATCH 12/12] Rename LETSENCRYPT_PATH to CERTBOT_PATH --- tests/travis-integration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/travis-integration.sh b/tests/travis-integration.sh index c22c346b1..159a2ef80 100755 --- a/tests/travis-integration.sh +++ b/tests/travis-integration.sh @@ -6,7 +6,7 @@ set -o errexit source .tox/$TOXENV/bin/activate -export LETSENCRYPT_PATH=`pwd` +export CERTBOT_PATH=`pwd` cd $GOPATH/src/github.com/letsencrypt/boulder/