
github.com/certbot/certbot.git - Unnamed repository; edit this file 'description' to name the repository.
authorBrad Warren <bmw@eff.org>2016-05-19 19:19:22 +0300
committerBrad Warren <bmw@eff.org>2016-05-19 19:19:22 +0300
commit4897f5ac0b9d348050f16f7f820895a09e44d354 (patch)
tree6923f4181d29e08ddb802e4f8c3b5cfb0a210364
parent3684eabad3945f1ed065effbb9136272024a5489 (diff)
parente385274cca6814b3e910e82a09574fae349d68e2 (diff)
Merge branch 'master' into always-save-serveralways-save-server
-rw-r--r--Dockerfile1
-rw-r--r--certbot/cli.py3
-rw-r--r--certbot/hooks.py7
-rw-r--r--certbot/main.py2
-rw-r--r--certbot/renewal.py5
-rw-r--r--certbot/tests/cli_test.py6
-rw-r--r--certbot/tests/hook_test.py8
-rwxr-xr-xletsencrypt-auto-source/letsencrypt-auto32
-rwxr-xr-xletsencrypt-auto-source/letsencrypt-auto.template21
-rwxr-xr-xletsencrypt-auto-source/pieces/bootstrappers/mac.sh3
-rw-r--r--letsencrypt-auto-source/pieces/fetch.py2
11 files changed, 62 insertions, 28 deletions
diff --git a/Dockerfile b/Dockerfile
index 3e4c9430e..d42b632d4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,6 +21,7 @@ WORKDIR /opt/certbot
# If <dest> doesn't exist, it is created along with all missing
# directories in its path.
+ENV DEBIAN_FRONTEND=noninteractive
COPY letsencrypt-auto-source/letsencrypt-auto /opt/certbot/src/letsencrypt-auto-source/letsencrypt-auto
RUN /opt/certbot/src/letsencrypt-auto-source/letsencrypt-auto --os-packages-only && \
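Review bot: `ENV DEBIAN_FRONTEND=noninteractive`, added above the COPY, persists into the built image and into every container started from it, not only into the package installation done by the RUN that follows. If the intent is only to keep the build's package steps non-interactive, `ARG DEBIAN_FRONTEND=noninteractive` limits it to build time, or the variable can be set as a prefix on the RUN command itself. The RUN line continues past the end of the hunk, so the rest of that command is not visible here.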
diff --git a/certbot/cli.py b/certbot/cli.py
index 4109e5816..e15725ece 100644
--- a/certbot/cli.py
+++ b/certbot/cli.py
@@ -761,7 +761,8 @@ def prepare_and_parse_args(plugins, args, detect_defaults=False):
"renew", "--post-hook",
help="Command to be run in a shell after attempting to obtain/renew "
" certificates. Can be used to deploy renewed certificates, or to restart"
- " any servers that were stopped by --pre-hook.")
+ " any servers that were stopped by --pre-hook. This is only run if"
+ " an attempt was made to obtain/renew a certificate.")
helpful.add(
"renew", "--renew-hook",
help="Command to be run in a shell once for each successfully renewed certificate."
diff --git a/certbot/hooks.py b/certbot/hooks.py
index 890021a5f..1a3e4a98e 100644
--- a/certbot/hooks.py
+++ b/certbot/hooks.py
@@ -39,7 +39,7 @@ def pre_hook(config):
if config.pre_hook and not pre_hook.already:
logger.info("Running pre-hook command: %s", config.pre_hook)
_run_hook(config.pre_hook)
- pre_hook.already = True
+ pre_hook.already = True
pre_hook.already = False
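Review bot: The `pre_hook.already = True` line is removed and re-added with identical text, so the change is in indentation only, which this page does not preserve. Presumably the assignment now runs even when no pre-hook is configured, because post_hook in the next hunk reads the flag as "a renewal was attempted". If that is the case, the name `already` no longer matches its meaning, and the line deserves a comment such as `# Set even without a configured pre-hook: post_hook uses this to tell whether any renewal was attempted`.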
@@ -50,6 +50,11 @@ def post_hook(config, final=False):
we're called with final=True before actually doing anything.
"""
if config.post_hook:
+ if not pre_hook.already:
+ logger.info("No renewals attempted, so not running post-hook")
+ if config.verb != "renew":
+ logger.warn("Sanity failure in renewal hooks")
+ return
if final or config.verb != "renew":
logger.info("Running post-hook command: %s", config.post_hook)
_run_hook(config.post_hook)
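Review bot: The new early-return branch in post_hook calls `logger.warn(...)`, a deprecated alias; `logger.warning("Sanity failure in renewal hooks")` is the supported spelling. The context line `return mock_logger.warning` in certbot/tests/hook_test.py suggests the tests count `warning` calls, so this path would go unobserved there. The message also gives an operator nothing to act on; including the verb, e.g. `logger.warning("post-hook skipped for verb %s: pre_hook was never reached", config.verb)`, would say what happened. The function starts before this hunk and continues after it.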
diff --git a/certbot/main.py b/certbot/main.py
index 66804143c..fa5d43b72 100644
--- a/certbot/main.py
+++ b/certbot/main.py
@@ -94,7 +94,7 @@ def _auth_from_domains(le_client, config, domains, lineage=None):
if lineage is False:
raise errors.Error("Certificate could not be obtained")
finally:
- hooks.post_hook(config)
+ hooks.post_hook(config, final=False)
if not config.dry_run and not config.verb == "renew":
_report_new_cert(config, lineage.cert, lineage.fullchain)
diff --git a/certbot/renewal.py b/certbot/renewal.py
index 3682c50d5..b5b982972 100644
--- a/certbot/renewal.py
+++ b/certbot/renewal.py
@@ -301,7 +301,10 @@ def _renew_describe_results(config, renew_successes, renew_failures,
def renew_all_lineages(config):
"""Examine each lineage; renew if due and report results"""
- if config.domains != []:
+ # This is trivially False if config.domains is empty
+ if any(domain not in config.webroot_map for domain in config.domains):
+ # If more plugins start using cli.add_domains,
+ # we may want to only log a warning here
raise errors.Error("Currently, the renew verb is only capable of "
"renewing all installed certificates that are due "
"to be renewed; individual domains cannot be "
diff --git a/certbot/tests/cli_test.py b/certbot/tests/cli_test.py
index 31056cafe..d7965a24e 100644
--- a/certbot/tests/cli_test.py
+++ b/certbot/tests/cli_test.py
@@ -712,6 +712,12 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods
self._test_renew_common(renewalparams=renewalparams,
assert_oc_called=True)
+ def test_renew_with_webroot_map(self):
+ renewalparams = {'authenticator': 'webroot'}
+ self._test_renew_common(
+ renewalparams=renewalparams, assert_oc_called=True,
+ args=['renew', '--webroot-map', '{"example.com": "/tmp"}'])
+
def test_renew_reconstitute_error(self):
# pylint: disable=protected-access
with mock.patch('certbot.main.renewal._reconstitute') as mock_reconstitute:
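Review bot: `test_renew_with_webroot_map` covers only the accepting path of the relaxed domain check in certbot/renewal.py; no case is added here for a domain absent from the webroot map, which is the path that must still raise. A companion test with a domain outside the map (constructed example: `args=['renew', '-d', 'other.example', '--webroot-map', '{"example.com": "/tmp"}']`) that asserts the error would pin that boundary. An existing test elsewhere in the file may already cover it; that is not visible in this hunk.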
diff --git a/certbot/tests/hook_test.py b/certbot/tests/hook_test.py
index ce78b5dc9..be7fb852d 100644
--- a/certbot/tests/hook_test.py
+++ b/certbot/tests/hook_test.py
@@ -56,14 +56,22 @@ class HookTest(unittest.TestCase):
return mock_logger.warning
def test_pre_hook(self):
+ hooks.pre_hook.already = False
config = mock.MagicMock(pre_hook="true")
self._test_a_hook(config, hooks.pre_hook, 1)
config = mock.MagicMock(pre_hook="")
self._test_a_hook(config, hooks.pre_hook, 0)
def test_post_hook(self):
+ hooks.pre_hook.already = False
+ # if pre-hook isn't called, post-hook shouldn't be
config = mock.MagicMock(post_hook="true", verb="splonk")
+ self._test_a_hook(config, hooks.post_hook, 0)
+
+ config = mock.MagicMock(post_hook="true", verb="splonk")
+ self._test_a_hook(config, hooks.pre_hook, 1)
self._test_a_hook(config, hooks.post_hook, 2)
+
config = mock.MagicMock(post_hook="true", verb="renew")
self._test_a_hook(config, hooks.post_hook, 0)
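Review bot: Both tests now assign `hooks.pre_hook.already = False` directly, which mutates module-level state and never restores it, so later tests depend on execution order. Moving the reset into `setUp`, or registering `self.addCleanup(setattr, hooks.pre_hook, 'already', False)`, keeps each test isolated. The first post_hook case with `verb="splonk"` also exercises the new "Sanity failure" branch, but the helper appears to return `mock_logger.warning` while hooks.py logs through `logger.warn`, so the expected count of 0 does not check that warning. If hooks.py is switched to `logger.warning`, this expectation will need revisiting.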
diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto
index bbb2cda54..eb5561070 100755
--- a/letsencrypt-auto-source/letsencrypt-auto
+++ b/letsencrypt-auto-source/letsencrypt-auto
@@ -68,6 +68,12 @@ for arg in "$@" ; do
esac
done
+if [ $BASENAME = "letsencrypt-auto" ]; then
+ # letsencrypt-auto does not respect --help or --yes for backwards compatibility
+ ASSUME_YES=1
+ HELP=0
+fi
+
# certbot-auto needs root access to bootstrap OS dependencies, and
# certbot itself needs root access for almost all modes of operation
# The "normal" case is that sudo is used for the steps that need root, but
@@ -107,12 +113,6 @@ else
SUDO=
fi
-if [ $BASENAME = "letsencrypt-auto" ]; then
- # letsencrypt-auto does not respect --help or --yes for backwards compatibility
- ASSUME_YES=1
- HELP=0
-fi
-
ExperimentalBootstrap() {
# Arguments: Platform name, bootstrap function name
if [ "$DEBUG" = 1 ]; then
@@ -452,6 +452,11 @@ BootstrapMac() {
fi
}
+BootstrapSmartOS() {
+ pkgin update
+ pkgin -y install 'gcc49' 'py27-augeas' 'py27-virtualenv'
+}
+
# Install required OS packages:
Bootstrap() {
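Review bot: `BootstrapSmartOS` always passes `-y` to `pkgin install`, so packages are installed without confirmation even when the user has not asked for non-interactive mode, and the result of `pkgin update` is not checked before installing. If `ASSUME_YES` is meant to govern package prompts (how the other bootstrappers treat it is not visible in this hunk), derive the flag from it, and chain the commands as `pkgin update && pkgin -y install 'gcc49' 'py27-augeas' 'py27-virtualenv'` so a failed catalogue refresh stops the bootstrap. The function also calls `pkgin` without `$SUDO`; a comment saying that a SmartOS zone is expected to run this as root would make that intentional. The bootstrapper piece this function is presumably generated from is not part of this diff.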
@@ -484,8 +489,10 @@ Bootstrap() {
ExperimentalBootstrap "FreeBSD" BootstrapFreeBsd
elif uname | grep -iq Darwin ; then
ExperimentalBootstrap "Mac OS X" BootstrapMac
- elif grep -iq "Amazon Linux" /etc/issue ; then
+ elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then
ExperimentalBootstrap "Amazon Linux" BootstrapRpmCommon
+ elif [ -f /etc/product ] && grep -q "Joyent Instance" /etc/product ; then
+ ExperimentalBootstrap "Joyent SmartOS Zone" BootstrapSmartOS
else
echo "Sorry, I don't know how to bootstrap Certbot on your operating system!"
echo
@@ -891,14 +898,16 @@ UNLIKELY_EOF
fi
echo "Installation succeeded."
fi
- echo "Requesting root privileges to run certbot..."
+ if [ -n "$SUDO" ]; then
+ # SUDO is su wrapper or sudo
+ echo "Requesting root privileges to run certbot..."
+ echo " $VENV_BIN/letsencrypt" "$@"
+ fi
if [ -z "$SUDO_ENV" ] ; then
# SUDO is su wrapper / noop
- echo " " $SUDO "$VENV_BIN/letsencrypt" "$@"
$SUDO "$VENV_BIN/letsencrypt" "$@"
else
# sudo
- echo " " $SUDO "$SUDO_ENV" "$VENV_BIN/letsencrypt" "$@"
$SUDO "$SUDO_ENV" "$VENV_BIN/letsencrypt" "$@"
fi
@@ -924,7 +933,6 @@ else
fi
if [ "$NO_SELF_UPGRADE" != 1 ]; then
- echo "Checking for new version..."
TEMP_DIR=$(TempDir)
# ---------------------------------------------------------------------------
cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py"
@@ -1017,7 +1025,7 @@ def verified_new_le_auto(get, tag, temp_dir):
"""
le_auto_dir = environ.get(
'LE_AUTO_DIR_TEMPLATE',
- 'https://raw.githubusercontent.com/letsencrypt/letsencrypt/%s/'
+ 'https://raw.githubusercontent.com/certbot/certbot/%s/'
'letsencrypt-auto-source/') % tag
write(get(le_auto_dir + 'letsencrypt-auto'), temp_dir, 'letsencrypt-auto')
write(get(le_auto_dir + 'letsencrypt-auto.sig'), temp_dir, 'letsencrypt-auto.sig')
diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template
index 5a4ddee7d..f1ed82c4c 100755
--- a/letsencrypt-auto-source/letsencrypt-auto.template
+++ b/letsencrypt-auto-source/letsencrypt-auto.template
@@ -68,6 +68,12 @@ for arg in "$@" ; do
esac
done
+if [ $BASENAME = "letsencrypt-auto" ]; then
+ # letsencrypt-auto does not respect --help or --yes for backwards compatibility
+ ASSUME_YES=1
+ HELP=0
+fi
+
# certbot-auto needs root access to bootstrap OS dependencies, and
# certbot itself needs root access for almost all modes of operation
# The "normal" case is that sudo is used for the steps that need root, but
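Review bot: `$BASENAME` is unquoted in the relocated test `[ $BASENAME = "letsencrypt-auto" ]`, so an empty value or a script name containing whitespace makes `[` fail with a syntax error instead of comparing. Since the block is being moved anyway, write `if [ "$BASENAME" = "letsencrypt-auto" ]; then`. A short comment on why the block must now come before the root-access setup would also help, because the diff does not state the reason for the move. The same lines appear in the matching hunk of letsencrypt-auto-source/letsencrypt-auto, which appears to be built from this template.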
@@ -107,12 +113,6 @@ else
SUDO=
fi
-if [ $BASENAME = "letsencrypt-auto" ]; then
- # letsencrypt-auto does not respect --help or --yes for backwards compatibility
- ASSUME_YES=1
- HELP=0
-fi
-
ExperimentalBootstrap() {
# Arguments: Platform name, bootstrap function name
if [ "$DEBUG" = 1 ]; then
@@ -255,14 +255,16 @@ UNLIKELY_EOF
fi
echo "Installation succeeded."
fi
- echo "Requesting root privileges to run certbot..."
+ if [ -n "$SUDO" ]; then
+ # SUDO is su wrapper or sudo
+ echo "Requesting root privileges to run certbot..."
+ echo " $VENV_BIN/letsencrypt" "$@"
+ fi
if [ -z "$SUDO_ENV" ] ; then
# SUDO is su wrapper / noop
- echo " " $SUDO "$VENV_BIN/letsencrypt" "$@"
$SUDO "$VENV_BIN/letsencrypt" "$@"
else
# sudo
- echo " " $SUDO "$SUDO_ENV" "$VENV_BIN/letsencrypt" "$@"
$SUDO "$SUDO_ENV" "$VENV_BIN/letsencrypt" "$@"
fi
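Review bot: The line printed under "Requesting root privileges" is now `$VENV_BIN/letsencrypt` plus its arguments, without `$SUDO` and `$SUDO_ENV`, so what the user sees before a password prompt is no longer the command that is executed a few lines later. For a step that escalates to root it is worth keeping the display faithful, e.g. `echo " " $SUDO "$VENV_BIN/letsencrypt" "$@"` in the su-wrapper branch and the `$SUDO_ENV` form in the sudo branch, each still guarded by `[ -n "$SUDO" ]`. The comment `# SUDO is su wrapper or sudo` could also state that nothing is printed when `$SUDO` is empty. The same hunk appears in letsencrypt-auto-source/letsencrypt-auto.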
@@ -288,7 +290,6 @@ else
fi
if [ "$NO_SELF_UPGRADE" != 1 ]; then
- echo "Checking for new version..."
TEMP_DIR=$(TempDir)
# ---------------------------------------------------------------------------
cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py"
diff --git a/letsencrypt-auto-source/pieces/bootstrappers/mac.sh b/letsencrypt-auto-source/pieces/bootstrappers/mac.sh
index e41db04b1..2b04977c8 100755
--- a/letsencrypt-auto-source/pieces/bootstrappers/mac.sh
+++ b/letsencrypt-auto-source/pieces/bootstrappers/mac.sh
@@ -16,7 +16,8 @@ BootstrapMac() {
$pkgcmd augeas
$pkgcmd dialog
- if [ "$(which python)" = "/System/Library/Frameworks/Python.framework/Versions/2.7/bin/python" ]; then
+ if [ "$(which python)" = "/System/Library/Frameworks/Python.framework/Versions/2.7/bin/python" \
+ -o "$(which python)" = "/usr/bin/python" ]; then
# We want to avoid using the system Python because it requires root to use pip.
# python.org, MacPorts or HomeBrew Python installations should all be OK.
echo "Installing python..."
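Review bot: The extended condition joins two comparisons with `-o` inside a single `[ ]`, a form POSIX marks obsolescent because the expression can be parsed ambiguously, and it runs `which python` twice. Capturing the path once and using two tests is clearer: `pypath=$(which python)` followed by `if [ "$pypath" = "/System/Library/Frameworks/Python.framework/Versions/2.7/bin/python" ] || [ "$pypath" = "/usr/bin/python" ]; then`. The body of the `if` continues beyond the hunk.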
diff --git a/letsencrypt-auto-source/pieces/fetch.py b/letsencrypt-auto-source/pieces/fetch.py
index 38f4aa255..ca3e94b80 100644
--- a/letsencrypt-auto-source/pieces/fetch.py
+++ b/letsencrypt-auto-source/pieces/fetch.py
@@ -87,7 +87,7 @@ def verified_new_le_auto(get, tag, temp_dir):
"""
le_auto_dir = environ.get(
'LE_AUTO_DIR_TEMPLATE',
- 'https://raw.githubusercontent.com/letsencrypt/letsencrypt/%s/'
+ 'https://raw.githubusercontent.com/certbot/certbot/%s/'
'letsencrypt-auto-source/') % tag
write(get(le_auto_dir + 'letsencrypt-auto'), temp_dir, 'letsencrypt-auto')
write(get(le_auto_dir + 'letsencrypt-auto.sig'), temp_dir, 'letsencrypt-auto.sig')
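Review bot: The default base URL changes here, but `LE_AUTO_DIR_TEMPLATE` from the environment still replaces it entirely, and both `letsencrypt-auto` and `letsencrypt-auto.sig` are fetched from that same location. The integrity of the self-upgrade therefore rests on the signature verification later in `verified_new_le_auto`, which lies outside this hunk. A comment next to the `environ.get` call should say so, e.g. `# The URL is not a trust anchor: the download is only accepted after the signature check below` (and, if the override exists for testing, say that too). The identical change is embedded in the fetch.py heredoc of letsencrypt-auto-source/letsencrypt-auto.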