author | Brad Warren <bmw@eff.org> | 2016-05-19 19:19:22 +0300 |
---|---|---|
committer | Brad Warren <bmw@eff.org> | 2016-05-19 19:19:22 +0300 |
commit | 4897f5ac0b9d348050f16f7f820895a09e44d354 (patch) | |
tree | 6923f4181d29e08ddb802e4f8c3b5cfb0a210364 | |
parent | 3684eabad3945f1ed065effbb9136272024a5489 (diff) | |
parent | e385274cca6814b3e910e82a09574fae349d68e2 (diff) |
Merge branch 'master' into always-save-serveralways-save-server
-rw-r--r-- | Dockerfile | 1 | ||||
-rw-r--r-- | certbot/cli.py | 3 | ||||
-rw-r--r-- | certbot/hooks.py | 7 | ||||
-rw-r--r-- | certbot/main.py | 2 | ||||
-rw-r--r-- | certbot/renewal.py | 5 | ||||
-rw-r--r-- | certbot/tests/cli_test.py | 6 | ||||
-rw-r--r-- | certbot/tests/hook_test.py | 8 | ||||
-rwxr-xr-x | letsencrypt-auto-source/letsencrypt-auto | 32 | ||||
-rwxr-xr-x | letsencrypt-auto-source/letsencrypt-auto.template | 21 | ||||
-rwxr-xr-x | letsencrypt-auto-source/pieces/bootstrappers/mac.sh | 3 | ||||
-rw-r--r-- | letsencrypt-auto-source/pieces/fetch.py | 2 |
11 files changed, 62 insertions, 28 deletions
diff --git a/Dockerfile b/Dockerfile index 3e4c9430e..d42b632d4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,6 +21,7 @@ WORKDIR /opt/certbot # If <dest> doesn't exist, it is created along with all missing # directories in its path. +ENV DEBIAN_FRONTEND=noninteractive COPY letsencrypt-auto-source/letsencrypt-auto /opt/certbot/src/letsencrypt-auto-source/letsencrypt-auto RUN /opt/certbot/src/letsencrypt-auto-source/letsencrypt-auto --os-packages-only && \ diff --git a/certbot/cli.py b/certbot/cli.py index 4109e5816..e15725ece 100644 --- a/certbot/cli.py +++ b/certbot/cli.py @@ -761,7 +761,8 @@ def prepare_and_parse_args(plugins, args, detect_defaults=False): "renew", "--post-hook", help="Command to be run in a shell after attempting to obtain/renew " " certificates. Can be used to deploy renewed certificates, or to restart" - " any servers that were stopped by --pre-hook.") + " any servers that were stopped by --pre-hook. This is only run if" + " an attempt was made to obtain/renew a certificate.") helpful.add( "renew", "--renew-hook", help="Command to be run in a shell once for each successfully renewed certificate." diff --git a/certbot/hooks.py b/certbot/hooks.py index 890021a5f..1a3e4a98e 100644 --- a/certbot/hooks.py +++ b/certbot/hooks.py @@ -39,7 +39,7 @@ def pre_hook(config): if config.pre_hook and not pre_hook.already: logger.info("Running pre-hook command: %s", config.pre_hook) _run_hook(config.pre_hook) - pre_hook.already = True + pre_hook.already = True pre_hook.already = False @@ -50,6 +50,11 @@ def post_hook(config, final=False): we're called with final=True before actually doing anything. """ if config.post_hook: + if not pre_hook.already: + logger.info("No renewals attempted, so not running post-hook") + if config.verb != "renew": + logger.warn("Sanity failure in renewal hooks") + return if final or config.verb != "renew": logger.info("Running post-hook command: %s", config.post_hook) _run_hook(config.post_hook) 
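Review bot: `ENV DEBIAN_FRONTEND=noninteractive` is baked into the image, so every container started from it and every image built on top of it inherits non-interactive package configuration, not just the bootstrap step that follows. If the setting is only needed while `letsencrypt-auto --os-packages-only` installs packages, scope it to the build with `ARG DEBIAN_FRONTEND=noninteractive`, or prefix it on that `RUN` line. The `RUN` instruction continues past the end of the hunk.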
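Review bot: The new guard in `post_hook` logs through `logger.warn`, which is a deprecated alias of `logger.warning` in Python 3, and the helper visible in hook_test.py returns `mock_logger.warning`, so a test asserting on warnings would presumably not see this call. The message "Sanity failure in renewal hooks" also does not tell an operator what happened; `logger.warning("post-hook skipped: pre_hook() was never called (verb=%s)", config.verb)` would. The guard uses the function attribute `pre_hook.already` as the signal that a renewal was attempted, so a caller that reaches `post_hook` without going through `pre_hook` now silently skips a deploy or restart command. A comment next to `pre_hook.already = False` stating that contract would help.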
diff --git a/certbot/main.py b/certbot/main.py index 66804143c..fa5d43b72 100644 --- a/certbot/main.py +++ b/certbot/main.py @@ -94,7 +94,7 @@ def _auth_from_domains(le_client, config, domains, lineage=None): if lineage is False: raise errors.Error("Certificate could not be obtained") finally: - hooks.post_hook(config) + hooks.post_hook(config, final=False) if not config.dry_run and not config.verb == "renew": _report_new_cert(config, lineage.cert, lineage.fullchain) diff --git a/certbot/renewal.py b/certbot/renewal.py index 3682c50d5..b5b982972 100644 --- a/certbot/renewal.py +++ b/certbot/renewal.py @@ -301,7 +301,10 @@ def _renew_describe_results(config, renew_successes, renew_failures, def renew_all_lineages(config): """Examine each lineage; renew if due and report results""" - if config.domains != []: + # This is trivially False if config.domains is empty + if any(domain not in config.webroot_map for domain in config.domains): + # If more plugins start using cli.add_domains, + # we may want to only log a warning here raise errors.Error("Currently, the renew verb is only capable of " "renewing all installed certificates that are due " "to be renewed; individual domains cannot be " diff --git a/certbot/tests/cli_test.py b/certbot/tests/cli_test.py index 31056cafe..d7965a24e 100644 --- a/certbot/tests/cli_test.py +++ b/certbot/tests/cli_test.py @@ -712,6 +712,12 @@ class CLITest(unittest.TestCase): # pylint: disable=too-many-public-methods self._test_renew_common(renewalparams=renewalparams, assert_oc_called=True) + def test_renew_with_webroot_map(self): + renewalparams = {'authenticator': 'webroot'} + self._test_renew_common( + renewalparams=renewalparams, assert_oc_called=True, + args=['renew', '--webroot-map', '{"example.com": "/tmp"}']) + def test_renew_reconstitute_error(self): # pylint: disable=protected-access with mock.patch('certbot.main.renewal._reconstitute') as mock_reconstitute: 
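Review bot: The new condition in `renew_all_lineages` evaluates `domain not in config.webroot_map` for each requested domain, which raises `TypeError` instead of the intended `errors.Error` if `webroot_map` can be `None` when no webroot options are given. The default is not visible here, so confirm it or guard with `webroot_map = config.webroot_map or {}`. The check also lets names through whenever they appear as `--webroot-map` keys (presumably because parsing that option adds them to `config.domains`), although the function still renews every lineage that is due. The comment should say so explicitly, e.g. `# Domains that only came from --webroot-map keys are allowed; renew still processes all lineages`. The function body continues outside the hunk.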
diff --git a/certbot/tests/hook_test.py b/certbot/tests/hook_test.py index ce78b5dc9..be7fb852d 100644 --- a/certbot/tests/hook_test.py +++ b/certbot/tests/hook_test.py @@ -56,14 +56,22 @@ class HookTest(unittest.TestCase): return mock_logger.warning def test_pre_hook(self): + hooks.pre_hook.already = False config = mock.MagicMock(pre_hook="true") self._test_a_hook(config, hooks.pre_hook, 1) config = mock.MagicMock(pre_hook="") self._test_a_hook(config, hooks.pre_hook, 0) def test_post_hook(self): + hooks.pre_hook.already = False + # if pre-hook isn't called, post-hook shouldn't be config = mock.MagicMock(post_hook="true", verb="splonk") + self._test_a_hook(config, hooks.post_hook, 0) + + config = mock.MagicMock(post_hook="true", verb="splonk") + self._test_a_hook(config, hooks.pre_hook, 1) self._test_a_hook(config, hooks.post_hook, 2) + config = mock.MagicMock(post_hook="true", verb="renew") self._test_a_hook(config, hooks.post_hook, 0) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index bbb2cda54..eb5561070 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -68,6 +68,12 @@ for arg in "$@" ; do esac done +if [ $BASENAME = "letsencrypt-auto" ]; then + # letsencrypt-auto does not respect --help or --yes for backwards compatibility + ASSUME_YES=1 + HELP=0 +fi + # certbot-auto needs root access to bootstrap OS dependencies, and # certbot itself needs root access for almost all modes of operation # The "normal" case is that sudo is used for the steps that need root, but @@ -107,12 +113,6 @@ else SUDO= fi -if [ $BASENAME = "letsencrypt-auto" ]; then - # letsencrypt-auto does not respect --help or --yes for backwards compatibility - ASSUME_YES=1 - HELP=0 -fi - ExperimentalBootstrap() { # Arguments: Platform name, bootstrap function name if [ "$DEBUG" = 1 ]; then 
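Review bot: Both tests reset the shared flag by hand with `hooks.pre_hook.already = False` on entry but leave it set on exit, so any test that runs afterwards inherits `already = True` and its outcome depends on execution order. Moving the reset into the fixture keeps that state contained: `def setUp(self): hooks.pre_hook.already = False`, with the same assignment in `tearDown`. The class body starts outside the hunk, so an existing `setUp` may need to be extended rather than added.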
@@ -452,6 +452,11 @@ BootstrapMac() { fi } +BootstrapSmartOS() { + pkgin update + pkgin -y install 'gcc49' 'py27-augeas' 'py27-virtualenv' +} + # Install required OS packages: Bootstrap() { @@ -484,8 +489,10 @@ Bootstrap() { ExperimentalBootstrap "FreeBSD" BootstrapFreeBsd elif uname | grep -iq Darwin ; then ExperimentalBootstrap "Mac OS X" BootstrapMac - elif grep -iq "Amazon Linux" /etc/issue ; then + elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then ExperimentalBootstrap "Amazon Linux" BootstrapRpmCommon + elif [ -f /etc/product ] && grep -q "Joyent Instance" /etc/product ; then + ExperimentalBootstrap "Joyent SmartOS Zone" BootstrapSmartOS else echo "Sorry, I don't know how to bootstrap Certbot on your operating system!" echo @@ -891,14 +898,16 @@ UNLIKELY_EOF fi echo "Installation succeeded." fi - echo "Requesting root privileges to run certbot..." + if [ -n "$SUDO" ]; then + # SUDO is su wrapper or sudo + echo "Requesting root privileges to run certbot..." + echo " $VENV_BIN/letsencrypt" "$@" + fi if [ -z "$SUDO_ENV" ] ; then # SUDO is su wrapper / noop - echo " " $SUDO "$VENV_BIN/letsencrypt" "$@" $SUDO "$VENV_BIN/letsencrypt" "$@" else # sudo - echo " " $SUDO "$SUDO_ENV" "$VENV_BIN/letsencrypt" "$@" $SUDO "$SUDO_ENV" "$VENV_BIN/letsencrypt" "$@" fi @@ -924,7 +933,6 @@ else fi if [ "$NO_SELF_UPGRADE" != 1 ]; then - echo "Checking for new version..." TEMP_DIR=$(TempDir) # --------------------------------------------------------------------------- cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py" @@ -1017,7 +1025,7 @@ def verified_new_le_auto(get, tag, temp_dir): """ le_auto_dir = environ.get( 'LE_AUTO_DIR_TEMPLATE', - 'https://raw.githubusercontent.com/letsencrypt/letsencrypt/%s/' + 'https://raw.githubusercontent.com/certbot/certbot/%s/' 'letsencrypt-auto-source/') % tag write(get(le_auto_dir + 'letsencrypt-auto'), temp_dir, 'letsencrypt-auto') write(get(le_auto_dir + 'letsencrypt-auto.sig'), temp_dir, 'letsencrypt-auto.sig') 
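Review bot: `BootstrapSmartOS` calls `pkgin update` and `pkgin -y install` directly, without the `$SUDO` prefix this script sets up for steps that need root, and it passes `-y` unconditionally rather than honouring `ASSUME_YES`. Started by a non-root user the install presumably fails, and a user who did not ask for unattended operation gets packages installed without a prompt. The other bootstrappers are outside this diff, so compare with how they handle both. `$SUDO pkgin update` and `$SUDO pkgin -y install ...` with `-y` gated on `[ "$ASSUME_YES" = 1 ]` would match the script's own comment about sudo being used for root steps. No matching change under `letsencrypt-auto-source/pieces/` or in `letsencrypt-auto.template` appears in this diff, so if this script is assembled from those files the function may be dropped on the next build.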
diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index 5a4ddee7d..f1ed82c4c 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -68,6 +68,12 @@ for arg in "$@" ; do esac done +if [ $BASENAME = "letsencrypt-auto" ]; then + # letsencrypt-auto does not respect --help or --yes for backwards compatibility + ASSUME_YES=1 + HELP=0 +fi + # certbot-auto needs root access to bootstrap OS dependencies, and # certbot itself needs root access for almost all modes of operation # The "normal" case is that sudo is used for the steps that need root, but @@ -107,12 +113,6 @@ else SUDO= fi -if [ $BASENAME = "letsencrypt-auto" ]; then - # letsencrypt-auto does not respect --help or --yes for backwards compatibility - ASSUME_YES=1 - HELP=0 -fi - ExperimentalBootstrap() { # Arguments: Platform name, bootstrap function name if [ "$DEBUG" = 1 ]; then @@ -255,14 +255,16 @@ UNLIKELY_EOF fi echo "Installation succeeded." fi - echo "Requesting root privileges to run certbot..." + if [ -n "$SUDO" ]; then + # SUDO is su wrapper or sudo + echo "Requesting root privileges to run certbot..." + echo " $VENV_BIN/letsencrypt" "$@" + fi if [ -z "$SUDO_ENV" ] ; then # SUDO is su wrapper / noop - echo " " $SUDO "$VENV_BIN/letsencrypt" "$@" $SUDO "$VENV_BIN/letsencrypt" "$@" else # sudo - echo " " $SUDO "$SUDO_ENV" "$VENV_BIN/letsencrypt" "$@" $SUDO "$SUDO_ENV" "$VENV_BIN/letsencrypt" "$@" fi @@ -288,7 +290,6 @@ else fi if [ "$NO_SELF_UPGRADE" != 1 ]; then - echo "Checking for new version..." TEMP_DIR=$(TempDir) # --------------------------------------------------------------------------- cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py" diff --git a/letsencrypt-auto-source/pieces/bootstrappers/mac.sh b/letsencrypt-auto-source/pieces/bootstrappers/mac.sh index e41db04b1..2b04977c8 100755 --- a/letsencrypt-auto-source/pieces/bootstrappers/mac.sh 
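Review bot: The relocated test `[ $BASENAME = "letsencrypt-auto" ]` expands `$BASENAME` unquoted, so an empty value or a script name containing whitespace makes `[` fail with a syntax error and the compatibility defaults (`ASSUME_YES=1`, `HELP=0`) are silently not applied. Quote it while the block is being moved: `if [ "$BASENAME" = "letsencrypt-auto" ]; then`. The identical hunk in `letsencrypt-auto-source/letsencrypt-auto` (`@@ -68,6 +68,12 @@`) needs the same change.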
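Review bot: The text printed before escalating no longer matches the command that is executed: the new `echo " $VENV_BIN/letsencrypt" "$@"` omits `$SUDO` and `$SUDO_ENV`, which the removed echo lines included. This is what the operator sees just before a root prompt, so printing the full command keeps the escalation auditable, e.g. `echo " " $SUDO $SUDO_ENV "$VENV_BIN/letsencrypt" "$@"` inside the `if [ -n "$SUDO" ]` block. The same hunk is repeated in `letsencrypt-auto-source/letsencrypt-auto` at `@@ -891,14 +898,16 @@`.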
+++ b/letsencrypt-auto-source/pieces/bootstrappers/mac.sh @@ -16,7 +16,8 @@ BootstrapMac() { $pkgcmd augeas $pkgcmd dialog - if [ "$(which python)" = "/System/Library/Frameworks/Python.framework/Versions/2.7/bin/python" ]; then + if [ "$(which python)" = "/System/Library/Frameworks/Python.framework/Versions/2.7/bin/python" \ + -o "$(which python)" = "/usr/bin/python" ]; then # We want to avoid using the system Python because it requires root to use pip. # python.org, MacPorts or HomeBrew Python installations should all be OK. echo "Installing python..." diff --git a/letsencrypt-auto-source/pieces/fetch.py b/letsencrypt-auto-source/pieces/fetch.py index 38f4aa255..ca3e94b80 100644 --- a/letsencrypt-auto-source/pieces/fetch.py +++ b/letsencrypt-auto-source/pieces/fetch.py @@ -87,7 +87,7 @@ def verified_new_le_auto(get, tag, temp_dir): """ le_auto_dir = environ.get( 'LE_AUTO_DIR_TEMPLATE', - 'https://raw.githubusercontent.com/letsencrypt/letsencrypt/%s/' + 'https://raw.githubusercontent.com/certbot/certbot/%s/' 'letsencrypt-auto-source/') % tag write(get(le_auto_dir + 'letsencrypt-auto'), temp_dir, 'letsencrypt-auto') write(get(le_auto_dir + 'letsencrypt-auto.sig'), temp_dir, 'letsencrypt-auto.sig') |
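Review bot: The extended condition joins two comparisons with `-o` inside a single `[ ]`, a form POSIX marks as obsolescent because it can be parsed ambiguously, and it runs `which python` twice. Capturing the path once and using two tests is clearer: `py=$(command -v python)` followed by `if [ "$py" = "/System/Library/Frameworks/Python.framework/Versions/2.7/bin/python" ] || [ "$py" = "/usr/bin/python" ]; then`. `BootstrapMac` starts and ends outside the hunk.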
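Review bot: Nothing near `le_auto_dir` says that this URL, which `LE_AUTO_DIR_TEMPLATE` can override from the environment, is only a download location and not what makes the self-upgrade trustworthy. A short comment above the assignment would make that explicit, for example `# Download location only: authenticity must come from verifying letsencrypt-auto.sig, never from this URL`. The verification step is presumably later in `verified_new_le_auto`, outside this hunk, and should be confirmed to fail closed when the signature is missing or invalid. The same lines are embedded in `letsencrypt-auto-source/letsencrypt-auto` at `@@ -1017,7 +1025,7 @@`.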