From bebd3994885dc26509e047dbde6b33de8efab26c Mon Sep 17 00:00:00 2001 From: alexzorin Date: Fri, 16 Jul 2021 08:50:16 +1000 Subject: [PATCH] acme: deprecate ACMEv1 client classes (#8931) * acme: deprecate ACMEv1 client classes Adds pending deprecations to: - acme.client.Client - acme.client.BackwardsCompatibleClientV2 Adds a warning to Certbot when a v1 server is detected. * move thsi change from 1.17 to 1.18 * revert some whitespace changes --- acme/acme/client.py | 11 +++++++++++ certbot/CHANGELOG.md | 2 ++ certbot/certbot/_internal/client.py | 15 +++++++++++++-- 3 files changed, 26 insertions(+), 2 deletions(-) diff --git a/acme/acme/client.py b/acme/acme/client.py index da34026be..28ed4f5bb 100644 --- a/acme/acme/client.py +++ b/acme/acme/client.py @@ -14,6 +14,7 @@ from typing import List from typing import Set from typing import Text from typing import Union +import warnings import josepy as jose import OpenSSL @@ -224,6 +225,9 @@ class ClientBase: class Client(ClientBase): """ACME client for a v1 API. + .. deprecated:: 1.18.0 + Use :class:`ClientV2` instead. + .. todo:: Clean up raised error types hierarchy, document, and handle (wrap) instances of `.DeserializationError` raised in `from_json()`. @@ -246,6 +250,8 @@ class Client(ClientBase): URI from which the resource will be downloaded. """ + warnings.warn("acme.client.Client (ACMEv1) is deprecated, " + "use acme.client.ClientV2 instead.", PendingDeprecationWarning) self.key = key if net is None: net = ClientNetwork(key, alg=alg, verify_ssl=verify_ssl) @@ -805,6 +811,9 @@ class BackwardsCompatibleClientV2: """ACME client wrapper that tends towards V2-style calls, but supports V1 servers. + .. deprecated:: 1.18.0 + Use :class:`ClientV2` instead. + .. note:: While this class handles the majority of the differences between versions of the ACME protocol, if you need to support an ACME server based on version 3 or older of the IETF ACME draft 
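Review bot: The `warnings.warn(...)` call added to `Client.__init__` (hunk at -246) passes no `stacklevel`, so the warning is attributed to acme/client.py rather than to the code that constructs the client; adding `stacklevel=2` as the last argument would point it at the caller. The same applies to the call added to `BackwardsCompatibleClientV2.__init__` in the hunk at -821. Both calls raise `PendingDeprecationWarning`, which Python's default filters hide outside test runners, while the docstrings added in the hunks at -224 and -805 already read `.. deprecated:: 1.18.0`; one more sentence in those docstrings saying the warning is still pending and must be enabled to be seen (for example with `-W default`) would tell library users how to surface it. Both `__init__` bodies continue outside their hunks.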
@@ -821,6 +830,8 @@ class BackwardsCompatibleClientV2: """ def __init__(self, net, key, server): + warnings.warn("acme.client.BackwardsCompatibleClientV2 is deprecated, use " + "acme.client.ClientV2 instead.", PendingDeprecationWarning) directory = messages.Directory.from_json(net.get(server).json()) self.acme_version = self._acme_version_from_directory(directory) self.client: Union[Client, ClientV2] diff --git a/certbot/CHANGELOG.md b/certbot/CHANGELOG.md index 8dcc5049f..fe7642cda 100644 --- a/certbot/CHANGELOG.md +++ b/certbot/CHANGELOG.md @@ -15,6 +15,8 @@ Certbot adheres to [Semantic Versioning](https://semver.org/). is composed of only ASCII characters. Previously we were relying on the default behavior of the requests library which tries to guess the encoding of the response which was error prone. +* `acme`: the `.client.Client` and `.client.BackwardsCompatibleClientV2` classes + are now deprecated in favor of `.client.ClientV2`. ### Fixed diff --git a/certbot/certbot/_internal/client.py b/certbot/certbot/_internal/client.py index 1ae65aa46..7fcaf91c5 100644 --- a/certbot/certbot/_internal/client.py +++ b/certbot/certbot/_internal/client.py @@ -3,6 +3,7 @@ import datetime import logging import platform from typing import List, Optional, Union +import warnings from cryptography.hazmat.backends import default_backend # See https://github.com/pyca/cryptography/issues/4275 
@@ -32,13 +33,23 @@ from certbot.display import util as display_util logger = logging.getLogger(__name__) - def acme_from_config_key(config, key, regr=None): "Wrangle ACME client construction" # TODO: Allow for other alg types besides RS256 net = acme_client.ClientNetwork(key, account=regr, verify_ssl=(not config.no_verify_ssl), user_agent=determine_user_agent(config)) - return acme_client.BackwardsCompatibleClientV2(net, key, config.server) + + with warnings.catch_warnings(): + # TODO: full removal of ACMEv1 support: https://github.com/certbot/certbot/issues/6844 + warnings.simplefilter("ignore", PendingDeprecationWarning) + + client = acme_client.BackwardsCompatibleClientV2(net, key, config.server) + if client.acme_version == 1: + logger.warning( + "Certbot is configured to use an ACMEv1 server (%s). ACMEv1 support is deprecated" + " and will soon be removed. See https://community.letsencrypt.org/t/143839 for " + "more information.", config.server) + return client def determine_user_agent(config):
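Review bot: The filter installed in `acme_from_config_key`, `warnings.simplefilter("ignore", PendingDeprecationWarning)`, matches on category only, so any pending-deprecation warning raised by a dependency while the constructor fetches and parses the directory is hidden along with the two acme ones. Matching on the message prefix keeps the suppression to those two: `warnings.filterwarnings("ignore", message=r"acme\.client\.", category=PendingDeprecationWarning)`. `warnings.catch_warnings()` also swaps process-global filter state and is documented as not thread-safe, so a short comment next to the existing TODO would help if this function can ever be reached from more than one thread.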