Deprecate certbot-auto on Debian systems (#8354)

Fixes #8294. * Deprecate certbot-auto on Debian systems. * Add changelog entry. * Remove le_auto_xenial test. * Update certbot-auto test farm tests. * Add comments explaining expected behavior.
2026-01-26 07:41:33 +03:00 · 2020-10-20 16:25:20 -07:00
parent 88386e8c82
commit cb916a0682
9 changed files with 38 additions and 66 deletions
--- a/.azure-pipelines/templates/jobs/extended-tests-jobs.yml
+++ b/.azure-pipelines/templates/jobs/extended-tests-jobs.yml
@@ -64,8 +64,6 @@ jobs:
          ACME_SERVER: boulder-v2
        nginx-compat:
          TOXENV: nginx_compat
-        le-auto-centos6:
-          TOXENV: le_auto_centos6
        le-auto-oraclelinux6:
          TOXENV: le_auto_oraclelinux6
        docker-dev:
--- a/.azure-pipelines/templates/jobs/standard-tests-jobs.yml
+++ b/.azure-pipelines/templates/jobs/standard-tests-jobs.yml
@@ -58,9 +58,9 @@ jobs:
        apache-compat:
          IMAGE_NAME: ubuntu-18.04
          TOXENV: apache_compat
-        le-auto-xenial:
+        le-auto-centos6:
          IMAGE_NAME: ubuntu-18.04
-          TOXENV: le_auto_xenial
+          TOXENV: le_auto_centos6
        apacheconftest:
          IMAGE_NAME: ubuntu-18.04
          PYTHON_VERSION: 2.7
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@@ -12,7 +12,7 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).

 ### Changed

-*
+* certbot-auto was deprecated on Debian based systems.

 ### Fixed

--- a/letsencrypt-auto-source/Dockerfile.xenial
+++ b/letsencrypt-auto-source/Dockerfile.xenial
@@ -1,36 +0,0 @@
-# For running tests, build a docker image with a passwordless sudo and a trust
-# store we can manipulate.
-
-FROM ubuntu:xenial
-
-# Add an unprivileged user:
-RUN useradd --create-home --home-dir /home/lea --shell /bin/bash --groups sudo --uid 1000 lea
-
-# Install pip, sudo, and openssl:
-RUN apt-get update && \
-    apt-get -q -y install python-pip sudo openssl && \
-    apt-get clean
-
-# Use pipstrap to update to a stable and tested version of pip
-COPY ./pieces/pipstrap.py /opt
-RUN /opt/pipstrap.py
-# Pin pytest version for increased stability
-RUN pip install pytest==3.2.5 six==1.10.0
-
-# Let that user sudo:
-RUN sed -i.bkp -e \
-      's/%sudo\s\+ALL=(ALL\(:ALL\)\?)\s\+ALL/%sudo ALL=NOPASSWD:ALL/g' \
-      /etc/sudoers
-
-RUN mkdir -p /home/lea/certbot
-
-# Install fake testing CA:
-COPY ./tests/certs/ca/my-root-ca.crt.pem /usr/local/share/ca-certificates/
-
-# Copy code:
-COPY . /home/lea/certbot/letsencrypt-auto-source
-
-USER lea
-WORKDIR /home/lea
-
-CMD ["pytest", "-v", "-s", "certbot/letsencrypt-auto-source/tests"]
--- a/letsencrypt-auto-source/letsencrypt-auto
+++ b/letsencrypt-auto-source/letsencrypt-auto
@@ -799,11 +799,7 @@ BootstrapMageiaCommon() {
 # that function. If Bootstrap is set to a function that doesn't install any
 # packages BOOTSTRAP_VERSION is not set.
 if [ -f /etc/debian_version ]; then
-  Bootstrap() {
-    BootstrapMessage "Debian-based OSes"
-    BootstrapDebCommon
-  }
-  BOOTSTRAP_VERSION="BootstrapDebCommon $BOOTSTRAP_DEB_COMMON_VERSION"
+  DEPRECATED_OS=1
 elif [ -f /etc/mageia-release ]; then
  # Mageia has both /etc/mageia-release and /etc/redhat-release
  DEPRECATED_OS=1
--- a/letsencrypt-auto-source/letsencrypt-auto.template
+++ b/letsencrypt-auto-source/letsencrypt-auto.template
@@ -321,11 +321,7 @@ DeterminePythonVersion() {
 # that function. If Bootstrap is set to a function that doesn't install any
 # packages BOOTSTRAP_VERSION is not set.
 if [ -f /etc/debian_version ]; then
-  Bootstrap() {
-    BootstrapMessage "Debian-based OSes"
-    BootstrapDebCommon
-  }
-  BOOTSTRAP_VERSION="BootstrapDebCommon $BOOTSTRAP_DEB_COMMON_VERSION"
+  DEPRECATED_OS=1
 elif [ -f /etc/mageia-release ]; then
  # Mageia has both /etc/mageia-release and /etc/redhat-release
  DEPRECATED_OS=1
--- a/tests/letstest/scripts/test_leauto_upgrades.sh
+++ b/tests/letstest/scripts/test_leauto_upgrades.sh
@@ -105,9 +105,18 @@ if ./letsencrypt-auto -v --debug --version | grep "WARNING: couldn't find Python
    exit 1
 fi

-EXPECTED_VERSION=$(grep -m1 LE_AUTO_VERSION certbot-auto | cut -d\" -f2)
+# On systems like Debian where certbot-auto is deprecated, we expect it to
+# leave existing Certbot installations unmodified so we check for the same
+# version that was initially installed below.  Once certbot-auto is deprecated
+# on RHEL systems, we can unconditionally check for INITIAL_VERSION.
+if [ -f /etc/debian_version ]; then
+    EXPECTED_VERSION="$INITIAL_VERSION"
+else
+    EXPECTED_VERSION=$(grep -m1 LE_AUTO_VERSION certbot-auto | cut -d\" -f2)
+fi
+
 if ! /opt/eff.org/certbot/venv/bin/letsencrypt --version 2>&1 | tail -n1 | grep "^certbot $EXPECTED_VERSION$" ; then
-    echo upgrade appeared to fail
+    echo unexpected certbot version found
    exit 1
 fi

--- a/tests/letstest/scripts/test_letsencrypt_auto_certonly_standalone.sh
+++ b/tests/letstest/scripts/test_letsencrypt_auto_certonly_standalone.sh
@@ -16,6 +16,24 @@ sudo chown root "$LE_AUTO_PATH"
 sudo chmod 0755 "$LE_AUTO_PATH"
 export PATH="$LE_AUTO_DIR:$PATH"

+# On systems like Debian where certbot-auto is deprecated, we expect
+# certbot-auto to error and refuse to install Certbot.  Once certbot-auto is
+# deprecated on RHEL systems, we can unconditionally run this code.
+if [ -f /etc/debian_version ]; then
+    set +o pipefail
+    if ! letsencrypt-auto --debug --version | grep "Certbot cannot be installed."; then
+        echo "letsencrypt-auto didn't report being uninstallable."
+        exit 1
+    fi
+    if [ ${PIPESTATUS[0]} != 1 ]; then
+        echo "letsencrypt-auto didn't exit with status 1 as expected"
+        exit 1
+    fi
+    # letsencrypt-auto is deprecated and cannot be installed on this system so
+    # we cannot run the rest of this test.
+    exit 0
+fi
+
 letsencrypt-auto --os-packages-only --debug --version

 # This script sets the environment variables PYTHON_NAME, VENV_PATH, and
--- a/tox.ini
+++ b/tox.ini
@@ -188,11 +188,12 @@ whitelist_externals =
 passenv =
    DOCKER_*

-[testenv:le_auto_xenial]
-# At the moment, this tests under Python 2.7 only.
+[testenv:le_auto_centos6]
+# At the moment, this tests under Python 2.6 only, as only that version is
+# readily available on the CentOS 6 Docker image.
 commands =
    python {toxinidir}/tests/modification-check.py
-    docker build -f letsencrypt-auto-source/Dockerfile.xenial -t lea letsencrypt-auto-source
+    docker build -f letsencrypt-auto-source/Dockerfile.redhat6 --build-arg REDHAT_DIST_FLAVOR=centos -t lea letsencrypt-auto-source
    docker run --rm -t lea
 whitelist_externals =
    docker
@@ -200,16 +201,6 @@ passenv =
    DOCKER_*
    TARGET_BRANCH

-[testenv:le_auto_centos6]
-# At the moment, this tests under Python 2.6 only, as only that version is
-# readily available on the CentOS 6 Docker image.
-commands =
-    docker build -f letsencrypt-auto-source/Dockerfile.redhat6 --build-arg REDHAT_DIST_FLAVOR=centos -t lea letsencrypt-auto-source
-    docker run --rm -t lea
-whitelist_externals =
-    docker
-passenv = DOCKER_*
-
 [testenv:le_auto_oraclelinux6]
 # At the moment, this tests under Python 2.6 only, as only that version is
 # readily available on the Oracle Linux 6 Docker image.