python3-certbot-nginx is incompatible with its dependencies
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-certbot-nginx (Ubuntu) | Fix Released | High | Andreas Hasenack |
Focal | Fix Released | Undecided | Unassigned |
Bug Description
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception defined at https:/
[Impact]
Requesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-
[Major Changes]
To fix the problem, python-
It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build.
To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project. You can try, though: https:/
2. https:/
[Test Plan]
a) See https:/
b) Request a registration with nginx (example shown in comment #19):
sudo certbot -d <yourdomain> --agree-tos --staging --register-
c) Request a registration using apache (example shown in comment #21):
sudo certbot -d <yourdomain> --agree-tos --staging --register-
d) Search build logs for "dh_auto_test" and confirm it was called and that the build-time tests were run. In launchpad, you can find these by going to https:/
[Regression Potential]
Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. Problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also caused some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-
python-
Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug, in particular comment #12 and comment #15, the latter being what was implemented for this SRU.
[Original Description]
This issue only affects version 0.39.0-1 of the python-
To reproduce the problem, install python3-
sudo certbot -d example.org --agree-tos --staging --register-
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-
As the upstream maintainer of this package, I'll suggest two ways to fix this problem:
1. Update python-
2. You can manually backport minimal fixes. The only changes that should be required from the above gist are the changes to:
* certbot_
* certbot_
While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc.
Related branches
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Diff: 214 lines (+71/-20), 13 files modified
PKG-INFO (+1/-1)
certbot_nginx.egg-info/PKG-INFO (+1/-1)
certbot_nginx.egg-info/SOURCES.txt (+1/-2)
certbot_nginx/configurator.py (+1/-1)
certbot_nginx/http_01.py (+4/-4)
certbot_nginx/tests/configurator_test.py (+1/-1)
certbot_nginx/tests/http_01_test.py (+3/-3)
debian/changelog (+11/-0)
debian/patches/fix-tests-with-newer-acme.patch (+45/-0)
debian/patches/series (+1/-0)
debian/rules (+1/-1)
dev/null (+0/-5)
setup.py (+1/-1)
- Canonical Server MOTU reviewers: Pending requested
- Canonical Server: Pending requested
- Diff: 220 lines (+131/-2) (has conflicts), 8 files modified
PKG-INFO (+4/-0)
certbot_nginx.egg-info/PKG-INFO (+4/-0)
certbot_nginx.egg-info/SOURCES.txt (+59/-1)
debian/changelog (+13/-0)
debian/patches/fix-tests-with-newer-acme.patch (+45/-0)
debian/patches/series (+1/-0)
debian/rules (+1/-1)
setup.py (+4/-0)
Changed in python-certbot-nginx (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
importance: Undecided → High
status: Confirmed → In Progress
description: updated
tags: added: focal regression-release
At the risk of sending the discussion in this issue off topic, I looked into other potential problems with the Certbot packages in Focal/Groovy since they've been being held back. I'm happy to move this discussion somewhere else if people prefer.
In the current state in Focal/Groovy, the tests we include in our packages are broken for at least python-certbot, python-certbot-apache, and python-certbot-nginx. The python-certbot-dns-* packages themselves are working, but I didn't verify whether or not the tests are. I can if people think that's important.
Only python-certbot-nginx is actually broken in Focal from a user perspective though which I described above.
The reason for most of these problems is that these tests/packages were relying on parts of python-acme's API which have been removed in recent versions. A version of python-acme with these changes has already been pushed to Focal/Groovy causing the problem. In one case at https://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#python-certbot though, I saw a different but similar problem with python-certbot where its proposed update had removed components being used by the old, packaged version of python-certbot-apache.
For Groovy, if possible, I'd recommend upgrading all of python-certbot, python-certbot-apache, and python-certbot-nginx together to their latest versions and ignoring failures caused by testing older versions with these new packages. Again, many of the failures being seen are already present in the current packages and none of them will exist when everything is updated to a newer version.
For Focal, while I'd love for all Certbot components to be >=1.0, doing this will cause a number of backwards incompatible changes. From our changelog, those are:
* Certbot's `config_changes` subcommand has been removed
* `certbot.plugins.common.TLSSNI01` has been removed.
* The functions
`certbot.plugins.common.Installer.view_config_changes`,
`certbot.reverter.Reverter.view_config_changes`, and
`certbot.util.get_systemd_os_info` have been removed
* Certbot's `register --update-registration` subcommand has been removed
* When possible, default to automatically configuring the webserver so all requests
redirect to secure HTTPS access. This is mostly relevant when running Certbot
in non-interactive mode. Previously, the default was to not redirect all requests.
All of these changes are things warned about in the current version of our packages in Focal and are to minor aspects of our functionality.
If these changes seem acceptable considering our SRU exception, how new Focal is, and the benefit we'll have of making it easier to update these packages going forward since they'll have made it through our API/UI changes and to Certbot 1.0, I'd recommend updating Groovy and then moving these packages to Focal.
If these changes do not seem acceptable, I'd recommend taking one of the two paths I described in my previous post to fix python-certbot-nginx in Focal.
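
The failure described in the bug report and in the comment above (a plugin referencing a name that a newer python-acme no longer exports, surfacing only at run time as `AttributeError`) can be caught statically before a package migrates. The following is an added example, not code from Certbot or from the Ubuntu packaging; the sample plugin source and the stand-in module objects are constructed, and `referenced_attrs`, `missing_attrs` and `fake_challenges` are hypothetical helper names.

```python
import ast
import types

# Constructed stand-in for a plugin source file; not the real certbot_nginx code.
SAMPLE_PLUGIN_SOURCE = '''
from acme import challenges

class Configurator:
    def get_chall_pref(self, domain):
        return [challenges.HTTP01, challenges.TLSSNI01]
'''

def referenced_attrs(source, module_alias):
    """Return {attribute: lowest line number} for every `<alias>.<attr>` access."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Attribute)
                and isinstance(node.value, ast.Name)
                and node.value.id == module_alias):
            found[node.attr] = min(found.get(node.attr, node.lineno), node.lineno)
    return found

def missing_attrs(source, module_alias, module):
    """List (name, line) pairs the source uses but the module object lacks."""
    refs = referenced_attrs(source, module_alias)
    return sorted((name, line) for name, line in refs.items()
                  if not hasattr(module, name))

def fake_challenges(*names):
    """Build a constructed module object exposing only the given names."""
    mod = types.ModuleType("acme.challenges")
    for name in names:
        setattr(mod, name, type(name, (), {}))
    return mod

if __name__ == "__main__":
    # Constructed API surfaces: one that still has TLSSNI01, one that dropped it.
    old_api = fake_challenges("HTTP01", "DNS01", "TLSSNI01")
    new_api = fake_challenges("HTTP01", "DNS01")
    print("against old API:", missing_attrs(SAMPLE_PLUGIN_SOURCE, "challenges", old_api))
    print("against new API:", missing_attrs(SAMPLE_PLUGIN_SOURCE, "challenges", new_api))
```

On a real system the third argument would be the installed module, e.g. `importlib.import_module("acme.challenges")`, and the source would be read from the packaged plugin files.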