Ubuntu
python-certbot-nginx package

Bug #1875471
Comment #13

Comment 13 for bug 1875471

Revision history for this message

Harlan Lieberman-Berg (hlieberman) wrote on 2020-05-05: Re: [Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies

#13

If you want to do a more extensive test, I just added end-to-end nginx
certbot testing in Debian sid. You should be able to pull it out of
the source package and run it by hand just by invoking the script from
the extracted source tarball, as long as you have pebble and the nginx
plugin installed.

On Tue, May 5, 2020 at 11:11 AM Andreas Hasenack <email address hidden> wrote:
>
> Ok, I filed bugs for the FTBFS issues, but per policy, we won't do an
> update just to fix failed-to-build-from-source bugs: these should be
> updated together with something else.
>
> Thanks for all the options you outlined in comment #8, and for the check
> in comment #11.
>
> So to keep things simple:
>
> a) update just python-certbot-nginx to 0.40.0, and gloss over the fact
> that the build-time tests are being skipped;
>
> b) fix the build-time tests call in python-certbot-nginx, which will require these other changes:
> - bump python-certbot-apache to 0.40.0
> - drop TLSSNI01 from python-certbot 0.40.0
> - preferably fix python-acme's idna build-deps and update it together, as that would also run tests with the current idna in focal
> I didn't check if the version bumps have the commits you mentioned, but the tests and a minimal run worked. If this looks feasable, the next step would be to run the full test suite, and also try this on a live server with proper DNS setup.
>
> c) bump everything to what we have in groovy, so that the versions match
> expectations and we don't have this big mismatch we are seeing in focal
> right now
>
> There is a feeling we should go with (a) to fix the immediate problem,
> and (b) can be done over time, or even (c).
>
> I have the (b) scenario done in my ppa at
> https://launchpad.net/~ahasenack/+archive/ubuntu/certbot-
> tlssni01-1875471
>
> --
> You received this bug notification because you are subscribed to python-
> certbot-nginx in Ubuntu.
> https://bugs.launchpad.net/bugs/1875471
>
> Title:
> python3-certbot-nginx is incompatible with its dependencies
>
> Status in python-certbot-nginx package in Ubuntu:
> In Progress
>
> Bug description:
> This issue only affects version 0.39.0-1 of the python-certbot-nginx
> package in Ubuntu 20.04.
>
> To reproduce the problem, install python3-certbot-nginx and run a
> command like:
>
> sudo certbot -d example.org --agree-tos --staging --register-unsafely-
> without-email --nginx
>
> This command will fail and the relevant output is:
>
> AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
>
> The problem here is python-certbot-nginx contains references to code
> in python-acme that has been removed. This problem makes python-
> certbot-nginx completely unable to obtain certificates.
>
> As the upstream maintainer of this package, I'll suggest two ways to
> fix this problem:
>
> 1. Update python-certbot-nginx to our 0.40.0 release. The benefit of
> this is it sticks to well tested versions of our software rather than
> making potentially error prone backports. Certbot has an SRU exception
> which can be seen at
> https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of
> code upstream between 0.39.0 and 0.40.0 if you all want to take this
> route can be see at
> https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
>
> 2. You can manually backport minimal fixes. The only changes that
> should required from the above gist are the changes to:
>
> * certbot_nginx/configurator.py
> * certbot_nginx/tests/configurator_test.py
>
> While I have essentially no knowledge of creating .debs myself, please
> let me know if you have any questions resolving this, want help
> testing proposed packages, etc.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1875471/+subscriptions

--
Harlan Lieberman-Berg
~hlieberman

If you want to do a more extensive test, I just added end-to-end nginx
certbot testing in Debian sid.  You should be able to pull it out of
the source package and run it by hand just by invoking the script from
the extracted source tarball, as long as you have pebble and the nginx
plugin installed.

On Tue, May 5, 2020 at 11:11 AM Andreas Hasenack <andreas@canonical.com> wrote:
>
> Ok, I filed bugs for the FTBFS issues, but per policy, we won't do an
> update just to fix failed-to-build-from-source bugs: these should be
> updated together with something else.
>
> Thanks for all the options you outlined in comment #8, and for the check
> in comment #11.
>
> So to keep things simple:
>
> a) update just python-certbot-nginx to 0.40.0, and gloss over the fact
> that the build-time tests are being skipped;
>
> b) fix the build-time tests call in python-certbot-nginx, which will require these other changes:
> - bump python-certbot-apache to 0.40.0
> - drop TLSSNI01 from python-certbot 0.40.0
> - preferably fix python-acme's idna build-deps and update it together, as that would also run tests with the current idna in focal
> I didn't check if the version bumps have the commits you mentioned, but the tests and a minimal run worked. If this looks feasable, the next step would be to run the full test suite, and also try this on a live server with proper DNS setup.
>
> c) bump everything to what we have in groovy, so that the versions match
> expectations and we don't have this big mismatch we are seeing in focal
> right now
>
> There is a feeling we should go with (a) to fix the immediate problem,
> and (b) can be done over time, or even (c).
>
> I have the (b) scenario done in my ppa at
> https://launchpad.net/~ahasenack/+archive/ubuntu/certbot-
> tlssni01-1875471
>
> --
> You received this bug notification because you are subscribed to python-
> certbot-nginx in Ubuntu.
> https://bugs.launchpad.net/bugs/1875471
>
> Title:
>   python3-certbot-nginx is incompatible with its dependencies
>
> Status in python-certbot-nginx package in Ubuntu:
>   In Progress
>
> Bug description:
>   This issue only affects version 0.39.0-1 of the python-certbot-nginx
>   package in Ubuntu 20.04.
>
>   To reproduce the problem, install python3-certbot-nginx and run a
>   command like:
>
>   sudo certbot -d example.org --agree-tos --staging --register-unsafely-
>   without-email --nginx
>
>   This command will fail and the relevant output is:
>
>   AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
>
>   The problem here is python-certbot-nginx contains references to code
>   in python-acme that has been removed. This problem makes python-
>   certbot-nginx completely unable to obtain certificates.
>
>   As the upstream maintainer of this package, I'll suggest two ways to
>   fix this problem:
>
>   1. Update python-certbot-nginx to our 0.40.0 release. The benefit of
>   this is it sticks to well tested versions of our software rather than
>   making potentially error prone backports. Certbot has an SRU exception
>   which can be seen at
>   https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of
>   code upstream between 0.39.0 and 0.40.0 if you all want to take this
>   route can be see at
>   https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
>
>   2. You can manually backport minimal fixes. The only changes that
>   should required from the above gist are the changes to:
>
>   * certbot_nginx/configurator.py
>   * certbot_nginx/tests/configurator_test.py
>
>   While I have essentially no knowledge of creating .debs myself, please
>   let me know if you have any questions resolving this, want help
>   testing proposed packages, etc.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1875471/+subscriptions

-- 
Harlan Lieberman-Berg
~hlieberman

Ubuntupython-certbot-nginx package

Comment 13 for bug 1875471

Ubuntu
python-certbot-nginx package