If either --cert-name or both --key-path and --cert-path (in which case the user requests installation for a certificate not managed by Certbot) are not provided, prompt the user with managed certificates and let them choose.
Fixes: #5824
This partially reverts commit 15f1405fff.
A basic tls-alpn-01 implementation is left so we can successfully parse the
challenge so it can be used in boulder's tests.
See https://github.com/certbot/website/pull/348#issuecomment-399257703.
```
$ certbot --help all | grep -C 3 nginx-server-root
nginx:
Nginx Web Server plugin - Alpha
--nginx-server-root NGINX_SERVER_ROOT
Nginx server root directory. (default: /etc/nginx)
--nginx-ctl NGINX_CTL
Path to the 'nginx' binary, used for 'configtest' and
```
```
$ CERTBOT_DOCS=1 certbot --help all | grep -C 3 nginx-server-root
nginx:
Nginx Web Server plugin - Alpha
--nginx-server-root NGINX_SERVER_ROOT
Nginx server root directory. (default: /etc/nginx or
/usr/local/etc/nginx)
--nginx-ctl NGINX_CTL
```
* Show both possible Nginx default server root values in docs
* add test
* check that exactly one server root is in the default
* use default magic
* Reuse accounts made with ACMEv1 when using an ACMEv2 Let's Encrypt server. This commit turns the feature on for the production server; the bulk of the work was done in 8e4303a.
* add upgrade test for production server
Currently, you must read ten paragraphs about writing renewal hooks
before you find that most distributions will automatically renew certs
for you. This is burying the lede in a major way; moving it up to the
header seems a better choice.
This PR adds the functionality to enhance Apache configuration to include HTTP Strict Transport Security header with a low initial max-age value.
The max-age value will get increased on every (scheduled) run of certbot renew regardless of the certificate actually getting renewed, if the last increase took place longer than ten hours ago. The increase steps are visible in constants.AUTOHSTS_STEPS.
Upon the first actual renewal after reaching the maximum increase step, the max-age value will be made "permanent" and will get value of one year.
To achieve accurate VirtualHost discovery on subsequent runs, a comment with unique id string will be added to each enhanced VirtualHost.
* AutoHSTS code rebased on master
* Fixes to match the changes in master
* Make linter happy with metaclass registration
* Address small review comments
* Use new enhancement interfaces
* New style enhancement changes
* Do not allow --hsts and --auto-hsts simultaneuously
* MyPy annotation fixes and added test
* Change oldest requrements to point to local certbot core version
* Enable new style enhancements for run and install verbs
* Test refactor
* New test class for main.install tests
* Move a test to a correct test class
- Finishing refactor of postconf/postfix command-line utilities
- Plugin uses starttls_policy plugin to specify per-domain policies
Cleaning up TLS policy code.
Print warning when setting configuration parameter that is overridden by master.
Update client to use new policy API
Cleanup and test fixes
Documentation fix
smaller fixes
Policy is now an enhancement and reverting works
Added a README, and small documentation fixes throughout
Moving testing infra from starttls repo to certbot-postfix
fixing tests and lint
Changes against new policy API
starttls-everywhere => starttls-policy
testing(postfix): Added more varieties of certificates to test against.
Moar fixes against policy API.
Address comments on README and setup.py
Address small comments on postconf and util
Address comments in installer
Python 3 fixes and Postconf tester extends TempDir test class
Mock out postconf calls from tests and test coverage for master overrides
More various fixes. Everything minus testing done
Remove STARTTLS policy enhancement from this branch.
sphinx quickstart
99% test coverage
some cleanup and testfixing
cleanup leftover files
Remove print statement
testfix for python 3.4
Revert dockerfile change
mypy fix
fix(postfix): brad's comments
test(postfix): coverage to 100
test(postfix): mypy
import mypy types
fix(postfix docs): add .rst files and fix build
fix(postfix): tls_only and server_only params behave nicely together
some cleanup
lint
fix more comments
bump version number
pep8ify
Delint
cover++
test more_info()
Refactor get_config_var
Don't duplicate changes to Postfix config
document instance variables
Always clear save_notes on save
Test deploy_cert and save and add MockPostfix.
Move mock and call to InstallerTest
Add getters and setters
Use postfix getters and setters
protect get_config_var
bump cover to 100%
bump required coverage to 100
s/config_dir/config_utility
Decrease minimum version to Postfix 2.6.
This is the minimum version that allows us to set ciphers to be used with
opportunistic TLS and is the oldest version packaged in any major distro.
Use tls_security_level instead of use_tls.
smtpd_tls_security_level should be used instead according to Postfix documentation.
Test smtpd_tls_security_level conditional
make dunder method an under method
refactor postconf usage
add check_all_output
test check_all_output
Add and test verify_exe_exists
Add PostfixUtilBase
Add ReadOnlyMainMap
Use _get_output instead of _call
Fix split strip typo
* Revert "Revert "switch signature verification to use pure cryptography (#6000)" (#6074)"
This reverts commit 3cffe1449c.
* Fixes#6073.
This silences the deprecation warnings from cryptography. I looked into only
silencing the cryptography warning specifically in the function, however,
CryptographyDeprecationWarning doesn't seem to be publicly documented, so we
probably shouldn't depend on it.
For the past couple of releases, twine has errored while trying to upload
packages and this is fixed by upgrading to a newer version of twine. This
commit updates our pinned version installed when using tools/venv.sh to the
latest available version. pkginfo had to be upgraded as well to support the
latest version of twine.
Festival isn't available via Homebrew and is only needed to read the hash
aloud, so let's not make it a strict requirement that it's installed. You can
simply read the hash from the terminal instead.
Debian Wheezy is no longer supported (see https://wiki.debian.org/LTS) and
Amazon shut down their Debian 7 mirrors so let's stop trying to use Debian 7
during testing.
* automatically select among default vhosts if we have a port preference
* ports should be strings in the nginx plugin
* clarify port vs preferred_port behavior by adding allow_port_mismatch flag
* update all instances of default_vhosts to all_default_vhosts
* require port
* port should never be None in _get_default_vhost
* Reuse ACMEv1 accounts for ACMEv2
* Correct behavior
* add unit tests
* add _find_all_inner to comply with interface
* acme-staging-v01 --> acme-staging
* only create symlink to previous account if there is one there
* recurse on server path
* update tests and change internal use of load to use server_path
* fail gracefully on corrupted account file by returning [] when rmdir fails
* only reuse accounts in staging for now
* Remove unneeded sys import.
Once upon a time we needed this in some of these setup.py files because we were
using sys in the file, but we aren't anymore so let's remove the import.
* use setuptools instead of distutils
The new challenge is described in https://github.com/rolandshoemaker/acme-tls-alpn.
* TLS-ALPN tests
* Implement TLS-ALPN challenge
* Skip TLS-ALPN tests on old pyopenssl
* make _selection methods private.
* Initial work on new version of --reuse-key
* Test for reuse_key
* Make lint happier
* Also test a non-dry-run reuse_key renewal
* Test --reuse-key in boulder integration test
* Better reuse-key integration testing
* Log fact that key was reused
* Test that the certificates themselves are different
* Change "oldkeypath" to "old_keypath"
* Simply appearance of new-key generation logic
* Reorganize new-key logic
* Move awk logic into TotalAndDistinctLines function
* After refactor, there's now explicit None rather than missing param
* Indicate for MyPy that key can be None
* Actually import the Optional type
* magic_typing is too magical for pylint
* Remove --no-reuse-key option
* Correct pylint test disable
When Certbot is run with --dry-run, skip running GenericUpdater and RenewDeployer interface methods.
This PR also makes the parameter order of updater.run_generic_updaters and updater.run_renewal_deployer consistent.
Fixes#5927
* Do not call updaters and deployers when run with --dry-run
* Use ConfigTestCase instead of mocking config objects manually
In order to give more flexibility for plugins using interfaces.GenericUpdater interface, lineage needs to be passed to the updater method instead of individual domains. All of the (present and potential) installers do not work on per domain basis, while the lineage does contain a list of them for installers which do.
This also means that we don't unnecessarily run the updater method multiple times, potentially invoking expensive tooling up to $max_san_amount times.
* Make GenericUpdater use lineage as parameter and get invoked only once per lineage
The value for FAKE_DNS is now always the same because Boulder's
docker-compose hardcodes it, so skip some sed.
Set a time limit on how long we'll wait for boulder to come up.
