Comment 8 for bug 1875471

Brad Warren (bradmwarren) wrote :

Thanks a lot for quickly working on this issue, Andreas.

Applying that commit to python-certbot 0.40.0-1 in addition to the python-certbot-nginx changes would fix both python-certbot and python-certbot-nginx's tests; however, it would break python-certbot-apache in normal usage outside of tests because it removes certbot.plugins.common.TLSSNI01, which is being used by python-certbot-apache 0.39.0-1 (despite it sending deprecation warnings every time the plugin references the object).

This class in Certbot is meant to help plugins handle ACME TLSSNI01 objects; however, its implementation doesn't reference them itself. The problem occurs in the tests for this class in certbot/plugins/common_test.py, where these ACME TLSSNI01 objects are created, and this testing code is reused in python-certbot-nginx to help it test itself.

Because of this, I don't really suspect there to be any future problems with certbot.plugins.common.TLSSNI01; however, the TLSSNI test failures in all of python-certbot, python-certbot-apache, and python-certbot-nginx may continue to be annoying in the future.

To fix this, I think we have a few options.

If we just wanted to fix python-certbot-nginx's tests and leave python-certbot and python-certbot-apache's untouched with broken tests, you could just apply the changes to certbot-nginx from https://github.com/certbot/certbot/commit/4abd81e2186eddc67551d61a8260440bd177d18d. That's a massive commit; however, the relevant changes to nginx are quite small and only to certbot-nginx/certbot_nginx/tests/http_01_test.py.

If we want to try to fix python-certbot's tests now, you could skip these additional python-certbot-nginx changes described in my last paragraph and instead just take the test changes from the commit you found of https://github.com/certbot/certbot/commit/4b488614cf7749c8139c11f0983fe4b71e29827f. I have mixed feelings about this because while it solves some immediate problems, it removes all tests of certbot.plugins.common.TLSSNI01 while keeping the code, which is needed unless you want to also update python-certbot-apache.

If you are also hesitant to leave certbot.plugins.common.TLSSNI01 around without tests and would like to remove it and apply the full commit, you'd need to apply the changes to certbot-apache from https://github.com/certbot/certbot/commit/de6b56bec02881d5a63173aedb670b24d847f72d.

If you want to fix python-certbot-apache's tests now, you could apply the changes to python-certbot-apache's tests from https://github.com/certbot/certbot/commit/63d673a3e04de4a64d18483a2f0df55c6a6c4198.

This is all a lot of backports, many of which require us to apply a subset of the changes from different commits, but things are honestly kind of a mess right now with the mix of 0.x and 1.x components. Again, a final option here would be to update all of these packages to any 1.x version and, if the package's dependencies are satisfied, it should all just work; however, that'd come with the backwards incompatible changes I described in my previous post.