Age | Commit message (Collapse) | Author |
|
|
|
In argparse, type casting is performed on individual arguments, which
may or may not be aggregated into a list depending on other factors,
normally the value given to `nargs`. When `nargs` is one of the values
that causes argparse to return a list, return a wrapping function that
will serialize an iterable, calling `action.type` (or default `str`)
on each element of the iterable as opposed to on the iterable itself.
|
|
If a plugin adds a command line argument with the `nargs` parameter, e.g. `nargs='+'`, this parameter gets filtered from the `HelpfulArgumentParser` created/used in default detection. As a result, this parser does not parse the command line in the expected way, instead using the default value for `nargs`.
Leaving `nargs` in place resolves this issue.
|
|
|
|
Now that yaml/pyyaml#126 is resolved, #6170 can be reverted by bumping the pinned version of PyYAML.
You can see this code passing with full macOS and integration tests at https://travis-ci.org/certbot/certbot/builds/400957729.
* Revert "Allow py37 testing (#6170)"
This reverts commit cad95466b05e6be51c1c29eaa91e6e3b7ea3cefd.
* Bump pyyaml pinning to work on Python 3.7.
|
|
We released josepy 1.1.0 a while ago to work around newer versions of cryptography deprecating some of the functionality we were using. We haven't yet upgraded our pinned josepy version though and since #6169 has landed, we're now seeing these deprecation warnings in our tests. This would be shown to certbot-auto users as well.
This PR removes these warnings by upgrading our pinned version of josepy.
* update pinned josepy version
* build leauto
* update pinned dev version of josepy
|
|
interfaces.GenericUpdater and new enhancement interface updater functions get run on every invocation of Certbot with "renew" verb for every lineage. This causes performance problems for users with large configurations, because of plugin plumbing and preparsing happening in prepare() method of installer plugins. This PR moves the responsibility to call prepare() to the plugin (possibly) implementing a new style enhancement interface.
Fixes: #6153
* Do not call IPlugin.prepare() for updaters when running renew
* Check prepare called in tests
* Refine pydoc and make the function name more informative
* Verify the plugin type
|
|
* Remove apacheconftest packages.
The apacheconftests handle installing Apache dependencies, so let's remove it from the general case.
* We don't need to run dpkg -s in before_install.
* Remove augeas sources.
We only needed it for Ubuntu Precise which is dead and it doesn't work in Ubuntu Xenial.
* Upgrade Python 3.6 tests to 3.7.
Let's continue the approach of testing on the oldest and newest versions of Python 3. We will continue testing on Python 3.6 in the nightly tests.
* Revert "We don't need to run dpkg -s in before_install."
This reverts commit e5d35099a79985ee97a26931e08451620d711522.
* let apacheconftest handle deps
|
|
This allows us to depend on packages like acme>=0.26.0.dev0 during development
and automatically change it to acme>=0.26.0 during the release. We use `git add
-p` to be safe, but if .dev0 is used at all in our released setup.py files,
we're probably doing something wrong.
|
|
* Reorganize packages in tox to allow for py37 tests
certbot-dns-cloudflare doesn't currently work in Python 3.7 because it transitively depends on pyYAML which doesn't yet support Python 3.7. See https://github.com/yaml/pyyaml/issues/126 for more info.
* add py37 tox environment
|
|
This allows certbot-auto and our development setup to work with Python 3.7.
|
|
* Don't use port 1234 in standalone tests.
* rename unused variable
* add back failure case
* Add back probe connection error test.
* fix lint
* remove unused import
* fix test file coverage
* prevent future heisenbug
|
|
|
|
Fixes #6154.
* add symlinking to load flow
* test account reuse on load
|
|
* Use greater than or equal to in requirements.
This changes the existing requirements using strictly greater than to greater
than or equal to so that they're more conventional.
* Use >= for certbot-postfix.
Despite it previously saying 'certbot>0.23.0', certbot-postfix/local-oldest-requirements.txt was pinned to 0.23.0 so let's just use certbot>=0.23.0.
|
|
|
|
|
|
|
|
If either --cert-name or both --key-path and --cert-path (in which case the user requests installation for a certificate not managed by Certbot) are not provided, prompt the user with managed certificates and let them choose.
Fixes: #5824
|
|
|
|
server (#5894)" (#6144)
This partially reverts commit 15f1405fff7083bf5d4f599a58c54a43be499740.
A basic tls-alpn-01 implementation is left so we can successfully parse the
challenge so it can be used in boulder's tests.
|
|
See https://github.com/certbot/website/pull/348#issuecomment-399257703.
```
$ certbot --help all | grep -C 3 nginx-server-root
nginx:
Nginx Web Server plugin - Alpha
--nginx-server-root NGINX_SERVER_ROOT
Nginx server root directory. (default: /etc/nginx)
--nginx-ctl NGINX_CTL
Path to the 'nginx' binary, used for 'configtest' and
```
```
$ CERTBOT_DOCS=1 certbot --help all | grep -C 3 nginx-server-root
nginx:
Nginx Web Server plugin - Alpha
--nginx-server-root NGINX_SERVER_ROOT
Nginx server root directory. (default: /etc/nginx or
/usr/local/etc/nginx)
--nginx-ctl NGINX_CTL
```
* Show both possible Nginx default server root values in docs
* add test
* check that exactly one server root is in the default
* use default magic
|
|
Addresses issue #5005.
|
|
fixes #6131
* doc(postfix): install instructions
* address brad's comments
|
|
* Use less informative UA values in docs.
* set CERTBOT_DOCS during release
|
|
* Reuse accounts made with ACMEv1 when using an ACMEv2 Let's Encrypt server. This commit turns the feature on for the production server; the bulk of the work was done in 8e4303a.
* add upgrade test for production server
|
|
Currently, you must read ten paragraphs about writing renewal hooks
before you find that most distributions will automatically renew certs
for you. This is burying the lede in a major way; moving it up to the
header seems a better choice.
|
|
This PR adds the functionality to enhance Apache configuration to include HTTP Strict Transport Security header with a low initial max-age value.
The max-age value will get increased on every (scheduled) run of certbot renew regardless of the certificate actually getting renewed, if the last increase took place longer than ten hours ago. The increase steps are visible in constants.AUTOHSTS_STEPS.
Upon the first actual renewal after reaching the maximum increase step, the max-age value will be made "permanent" and will get value of one year.
To achieve accurate VirtualHost discovery on subsequent runs, a comment with unique id string will be added to each enhanced VirtualHost.
* AutoHSTS code rebased on master
* Fixes to match the changes in master
* Make linter happy with metaclass registration
* Address small review comments
* Use new enhancement interfaces
* New style enhancement changes
* Do not allow --hsts and --auto-hsts simultaneuously
* MyPy annotation fixes and added test
* Change oldest requrements to point to local certbot core version
* Enable new style enhancements for run and install verbs
* Test refactor
* New test class for main.install tests
* Move a test to a correct test class
|
|
Postfix plugin
|
|
|
|
- Finishing refactor of postconf/postfix command-line utilities
- Plugin uses starttls_policy plugin to specify per-domain policies
Cleaning up TLS policy code.
Print warning when setting configuration parameter that is overridden by master.
Update client to use new policy API
Cleanup and test fixes
Documentation fix
smaller fixes
Policy is now an enhancement and reverting works
Added a README, and small documentation fixes throughout
Moving testing infra from starttls repo to certbot-postfix
fixing tests and lint
Changes against new policy API
starttls-everywhere => starttls-policy
testing(postfix): Added more varieties of certificates to test against.
Moar fixes against policy API.
Address comments on README and setup.py
Address small comments on postconf and util
Address comments in installer
Python 3 fixes and Postconf tester extends TempDir test class
Mock out postconf calls from tests and test coverage for master overrides
More various fixes. Everything minus testing done
Remove STARTTLS policy enhancement from this branch.
sphinx quickstart
99% test coverage
some cleanup and testfixing
cleanup leftover files
Remove print statement
testfix for python 3.4
Revert dockerfile change
mypy fix
fix(postfix): brad's comments
test(postfix): coverage to 100
test(postfix): mypy
import mypy types
fix(postfix docs): add .rst files and fix build
fix(postfix): tls_only and server_only params behave nicely together
some cleanup
lint
fix more comments
bump version number
|
|
pep8ify
Delint
cover++
test more_info()
Refactor get_config_var
Don't duplicate changes to Postfix config
document instance variables
Always clear save_notes on save
Test deploy_cert and save and add MockPostfix.
Move mock and call to InstallerTest
Add getters and setters
Use postfix getters and setters
protect get_config_var
bump cover to 100%
bump required coverage to 100
s/config_dir/config_utility
Decrease minimum version to Postfix 2.6.
This is the minimum version that allows us to set ciphers to be used with
opportunistic TLS and is the oldest version packaged in any major distro.
Use tls_security_level instead of use_tls.
smtpd_tls_security_level should be used instead according to Postfix documentation.
Test smtpd_tls_security_level conditional
make dunder method an under method
refactor postconf usage
add check_all_output
test check_all_output
Add and test verify_exe_exists
Add PostfixUtilBase
Add ReadOnlyMainMap
Use _get_output instead of _call
Fix split strip typo
|
|
* fix(display): alternate spaces and dashes
* add comment
|
|
* check coverage separately
* Add coverage minimums for integration tests.
|
|
|
|
|
|
* Add autorenew option to `renew` subcommand.
* Change default value for 'autorenew' cli option.
* Update certbot.cli.prepare_and_parse_args (autorenew)
Set `default` for --autorenew and --no-autorenew.
* Update certbot.storage.RenewableCert.should_autorenew.
- Remove `interactive` argument in RenewableCert.should_autorenew.
- Update certbot.renewal.should_renew.
* Move autorenew enable/disable check to certbot.storage.
- Remove autorenew enable/disable check in
`certbot.renewal.handle_renewal_request`.
- Fix RenewableCert.autorenewal_is_enabled; autorenew is stored in
'renewalparams'.
- Add autorenew enable/disable check in
`RenewableCert.should_autorenew`.
- Update tests test_time_interval_judgments,
test_autorenewal_is_enabled, test_should_autorenew tests in
storage_test.py
* certbot: Update RenewableCert.should_autorenew
Remove block that sets autorenew option in the renewal configuration
file.
* certbot: Update prepare_and_parse_args.
Remove --autorenew option.
* certbot: Update CLI_DEFAULTS.
Set default of `autorenew` to True.
* Remove unused imports in certbot.storage.
|
|
|
|
* Release 0.25.1
(cherry picked from commit 21b5e4eadb445d0a3dcd8cebb709a9fd15e18278)
* Bump version to 0.26.0
|
|
The value of norecusedirs is the default in newer versions of pytest which is
listed at
https://docs.pytest.org/en/3.0.0/customize.html#confval-norecursedirs.
|
|
|
|
* Wrap TLS-ALPN extension with ASN.1
* Fix test
|
|
Update certbot-auto and version numbers
|
|
* Revert "Revert "switch signature verification to use pure cryptography (#6000)" (#6074)"
This reverts commit 3cffe1449c4e9166b65eaed75022d73b7ad79328.
* Fixes #6073.
This silences the deprecation warnings from cryptography. I looked into only
silencing the cryptography warning specifically in the function, however,
CryptographyDeprecationWarning doesn't seem to be publicly documented, so we
probably shouldn't depend on it.
|
|
For the past couple of releases, twine has errored while trying to upload
packages and this is fixed by upgrading to a newer version of twine. This
commit updates our pinned version installed when using tools/venv.sh to the
latest available version. pkginfo had to be upgraded as well to support the
latest version of twine.
|
|
Festival isn't available via Homebrew and is only needed to read the hash
aloud, so let's not make it a strict requirement that it's installed. You can
simply read the hash from the terminal instead.
|
|
Debian Wheezy is no longer supported (see https://wiki.debian.org/LTS) and
Amazon shut down their Debian 7 mirrors so let's stop trying to use Debian 7
during testing.
|
|
|
|
|
|
|