
acme: deprecate ACMEv1 client classes (#8931)

* acme: deprecate ACMEv1 client classes

Adds pending deprecations to:
- acme.client.Client
- acme.client.BackwardsCompatibleClientV2

Adds a warning to Certbot when a v1 server is detected.

* move this change from 1.17 to 1.18

* revert some whitespace changes
alexzorin
2021-07-16 08:50:16 +10:00
committed by GitHub
parent a105b587ac
commit bebd399488
3 changed files with 26 additions and 2 deletions


@@ -14,6 +14,7 @@ from typing import List
from typing import Set
from typing import Text
from typing import Union
import warnings
import josepy as jose
import OpenSSL
@@ -224,6 +225,9 @@ class ClientBase:
class Client(ClientBase):
"""ACME client for a v1 API.
.. deprecated:: 1.18.0
Use :class:`ClientV2` instead.
.. todo::
Clean up raised error types hierarchy, document, and handle (wrap)
instances of `.DeserializationError` raised in `from_json()`.
@@ -246,6 +250,8 @@ class Client(ClientBase):
URI from which the resource will be downloaded.
"""
warnings.warn("acme.client.Client (ACMEv1) is deprecated, "
"use acme.client.ClientV2 instead.", PendingDeprecationWarning)
self.key = key
if net is None:
net = ClientNetwork(key, alg=alg, verify_ssl=verify_ssl)
@@ -805,6 +811,9 @@ class BackwardsCompatibleClientV2:
"""ACME client wrapper that tends towards V2-style calls, but
supports V1 servers.
.. deprecated:: 1.18.0
Use :class:`ClientV2` instead.
.. note:: While this class handles the majority of the differences
between versions of the ACME protocol, if you need to support an
ACME server based on version 3 or older of the IETF ACME draft
@@ -821,6 +830,8 @@ class BackwardsCompatibleClientV2:
"""
def __init__(self, net, key, server):
warnings.warn("acme.client.BackwardsCompatibleClientV2 is deprecated, use "
"acme.client.ClientV2 instead.", PendingDeprecationWarning)
directory = messages.Directory.from_json(net.get(server).json())
self.acme_version = self._acme_version_from_directory(directory)
self.client: Union[Client, ClientV2]
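Review bot: Both new `warnings.warn(...)` calls, in `Client.__init__` and in `BackwardsCompatibleClientV2.__init__`, omit `stacklevel`, so the warning is attributed to the `warnings.warn` line inside `acme.client` rather than to the code that instantiated the deprecated class. Passing `stacklevel=2`, e.g. `"use acme.client.ClientV2 instead.", PendingDeprecationWarning, stacklevel=2)`, lets an integrator find the call site that still depends on ACMEv1. `PendingDeprecationWarning` is also ignored by Python's default filters, so the `.. deprecated:: 1.18.0` docstring notes could say that the warning only appears when warnings are enabled (for example `-W default`). The `Union[Client, ClientV2]` annotation suggests the wrapper may construct `Client` itself for v1 servers, which would presumably emit a second warning from library code. Both `__init__` bodies continue outside the hunks, so this last point needs checking against the full file.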


@@ -15,6 +15,8 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
is composed of only ASCII characters. Previously we were relying on the
default behavior of the requests library which tries to guess the encoding of
the response which was error prone.
* `acme`: the `.client.Client` and `.client.BackwardsCompatibleClientV2` classes
are now deprecated in favor of `.client.ClientV2`.
### Fixed


@@ -3,6 +3,7 @@ import datetime
import logging
import platform
from typing import List, Optional, Union
import warnings
from cryptography.hazmat.backends import default_backend
# See https://github.com/pyca/cryptography/issues/4275
@@ -32,13 +33,23 @@ from certbot.display import util as display_util
logger = logging.getLogger(__name__)
def acme_from_config_key(config, key, regr=None):
"Wrangle ACME client construction"
# TODO: Allow for other alg types besides RS256
net = acme_client.ClientNetwork(key, account=regr, verify_ssl=(not config.no_verify_ssl),
user_agent=determine_user_agent(config))
return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
with warnings.catch_warnings():
# TODO: full removal of ACMEv1 support: https://github.com/certbot/certbot/issues/6844
warnings.simplefilter("ignore", PendingDeprecationWarning)
client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
if client.acme_version == 1:
logger.warning(
"Certbot is configured to use an ACMEv1 server (%s). ACMEv1 support is deprecated"
" and will soon be removed. See https://community.letsencrypt.org/t/143839 for "
"more information.", config.server)
return client
def determine_user_agent(config):
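Review bot: The `warnings.simplefilter("ignore", PendingDeprecationWarning)` in `acme_from_config_key` suppresses every `PendingDeprecationWarning` raised while the client is constructed, not just the two ACMEv1 ones this commit adds. According to the `acme.client` hunk, that constructor also fetches the server directory (`net.get(server)`), so any unrelated pending deprecation raised by a dependency during that request is hidden as well. Narrowing the filter to the known messages keeps the rest visible: `warnings.filterwarnings("ignore", message=r"acme\.client\.", category=PendingDeprecationWarning)`. A short comment would also help, noting that `warnings.catch_warnings()` temporarily changes process-wide filter state and is not thread-safe, in case this helper is ever called off the main thread.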