Ubuntu
python-certbot-nginx package

Merge ~ahasenack/ubuntu/+source/python-certbot-nginx:focal-certbot-nginx-1875471 into ubuntu/+source/python-certbot-nginx:ubuntu/focal

  1. Git
  2. lp:~ahasenack/ubuntu/+source/python-certbot-nginx
  3. focal-certbot-nginx-1875471
  4. Merge into ubuntu/focal
Proposed by Andreas Hasenack
Status: Merged
Approved by: Andreas Hasenack
Approved revision: 723b05582944144e68428246b1d478afa80625cb
Merge reported by: Andreas Hasenack
Merged at revision: 723b05582944144e68428246b1d478afa80625cb
Proposed branch: ~ahasenack/ubuntu/+source/python-certbot-nginx:focal-certbot-nginx-1875471
Merge into: ubuntu/+source/python-certbot-nginx:ubuntu/focal
Diff against target: 214 lines (+71/-20)
13 files modified
PKG-INFO (+1/-1)
certbot_nginx.egg-info/PKG-INFO (+1/-1)
certbot_nginx.egg-info/SOURCES.txt (+1/-2)
certbot_nginx/configurator.py (+1/-1)
certbot_nginx/http_01.py (+4/-4)
certbot_nginx/tests/configurator_test.py (+1/-1)
certbot_nginx/tests/http_01_test.py (+3/-3)
debian/changelog (+11/-0)
debian/patches/fix-tests-with-newer-acme.patch (+45/-0)
debian/patches/series (+1/-0)
debian/rules (+1/-1)
dev/null (+0/-5)
setup.py (+1/-1)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Canonical Server Pending
Review via email: mp+383529@code.launchpad.net

This proposal supersedes a proposal from 2020-05-06.

Description of the change

## NOTE
This MP is against ubuntu/focal, not ubuntu/focal-devel, as focal had a python-certbot-nginx package in focal-proposed when the release was cut and groovy opened. The package in focal-proposed never made it to focal and became part of groovy instead.

The bug has details on what happened, and how it was fixed. The options we had were outlined in https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1875471/comments/12 and upstream suggested a fourth alternative in https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1875471/comments/15 which is what I adopted.

Test PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/certbot-tlssni01-1875471-d

Running all the tests properly needs a specific setup, which I suggest to leave for the SRU verification. I have done those with my test PPA already prior to submitting this.

What can easily be tested is the python error which originated this:

AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'

Just run this, on any host/container (no need to replace the fake domain):

sudo apt install python3-certbot-nginx
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx

The fixed version won't fail with AttributeError, but will try to fetch a certificate for example.org, and that will of course fail and is fine.

The second check to make is to confirm that the build-time tests were run. Search build logs for "dh_auto_test".

To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Read all the bug updates - for how much was going on there the MP doesn't look so bad after all :-)

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

After wondering "hey this is a new version" at first this seems ok.
0.39 -> 0.40 is minimal and fixes the issues we see.

Also I agree not going the full >=1.3.x that is in groovy.

The backport of the test-fix LGTM as well.

The SRU Template is great and should resolve all confusion for anyone looking at the case.

Buildlog and changelog look good as well.
+1

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks, tagging and uploading 723b05582944144e68428246b1d478afa80625cb

$ git push pkg upload/0.40.0-0ubuntu0.1
Enumerating objects: 45, done.
Counting objects: 100% (45/45), done.
Delta compression using up to 4 threads
Compressing objects: 100% (23/23), done.
Writing objects: 100% (29/29), 3.89 KiB | 442.00 KiB/s, done.
Total 29 (delta 20), reused 5 (delta 5)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/python-certbot-nginx
 * [new tag] upload/0.40.0-0ubuntu0.1 -> upload/0.40.0-0ubuntu0.1

$ dput ubuntu ../python-certbot-nginx_0.40.0-0ubuntu0.1_source.changes
Checking signature on .changes
gpg: ../python-certbot-nginx_0.40.0-0ubuntu0.1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../python-certbot-nginx_0.40.0-0ubuntu0.1.dsc: Valid signature from AC983EB5BF6BCBA9
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading python-certbot-nginx_0.40.0-0ubuntu0.1.dsc: done.
  Uploading python-certbot-nginx_0.40.0.orig.tar.gz: done.
  Uploading python-certbot-nginx_0.40.0.orig.tar.gz.asc: done.
  Uploading python-certbot-nginx_0.40.0-0ubuntu0.1.debian.tar.xz: done.
  Uploading python-certbot-nginx_0.40.0-0ubuntu0.1_source.buildinfo: done.
  Uploading python-certbot-nginx_0.40.0-0ubuntu0.1_source.changes: done.
Successfully uploaded packages.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This was released already.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/PKG-INFO b/PKG-INFO
2index e7aaec3..bbef3c2 100644
3--- a/PKG-INFO
4+++ b/PKG-INFO
5@@ -1,6 +1,6 @@
6 Metadata-Version: 2.1
7 Name: certbot-nginx
8-Version: 0.39.0
9+Version: 0.40.0
10 Summary: Nginx plugin for Certbot
11 Home-page: https://github.com/letsencrypt/letsencrypt
12 Author: Certbot Project
13diff --git a/certbot_nginx.egg-info/PKG-INFO b/certbot_nginx.egg-info/PKG-INFO
14index e7aaec3..bbef3c2 100644
15--- a/certbot_nginx.egg-info/PKG-INFO
16+++ b/certbot_nginx.egg-info/PKG-INFO
17@@ -1,6 +1,6 @@
18 Metadata-Version: 2.1
19 Name: certbot-nginx
20-Version: 0.39.0
21+Version: 0.40.0
22 Summary: Nginx plugin for Certbot
23 Home-page: https://github.com/letsencrypt/letsencrypt
24 Author: Certbot Project
25diff --git a/certbot_nginx.egg-info/SOURCES.txt b/certbot_nginx.egg-info/SOURCES.txt
26index 082c212..be61861 100644
27--- a/certbot_nginx.egg-info/SOURCES.txt
28+++ b/certbot_nginx.egg-info/SOURCES.txt
29@@ -72,5 +72,4 @@ docs/_static/.gitignore
30 docs/_templates/.gitignore
31 docs/api/nginxparser.rst
32 docs/api/obj.rst
33-docs/api/parser.rst
34-docs/api/tls_sni_01.rst
35\ No newline at end of file
36+docs/api/parser.rst
37\ No newline at end of file
38diff --git a/certbot_nginx/configurator.py b/certbot_nginx/configurator.py
39index 9571591..fe5c7da 100644
40--- a/certbot_nginx/configurator.py
41+++ b/certbot_nginx/configurator.py
42@@ -1107,7 +1107,7 @@ class NginxConfigurator(common.Installer):
43 ###########################################################################
44 def get_chall_pref(self, unused_domain): # pylint: disable=no-self-use
45 """Return list of challenge preferences."""
46- return [challenges.HTTP01, challenges.TLSSNI01]
47+ return [challenges.HTTP01]
48
49 # Entry point in main.py for performing challenges
50 def perform(self, achalls):
51diff --git a/certbot_nginx/http_01.py b/certbot_nginx/http_01.py
52index 70147a4..4dcc532 100644
53--- a/certbot_nginx/http_01.py
54+++ b/certbot_nginx/http_01.py
55@@ -29,10 +29,10 @@ class NginxHttp01(common.ChallengePerformer):
56 :param list indices: Meant to hold indices of challenges in a
57 larger array. NginxHttp01 is capable of solving many challenges
58 at once which causes an indexing issue within NginxConfigurator
59- who must return all responses in order. Imagine NginxConfigurator
60- maintaining state about where all of the http-01 Challenges,
61- TLS-SNI-01 Challenges belong in the response array. This is an
62- optional utility.
63+ who must return all responses in order. Imagine
64+ NginxConfigurator maintaining state about where all of the
65+ challenges, possibly of different types, belong in the response
66+ array. This is an optional utility.
67
68 """
69
70diff --git a/certbot_nginx/tests/configurator_test.py b/certbot_nginx/tests/configurator_test.py
71index 19624a7..237e22d 100644
72--- a/certbot_nginx/tests/configurator_test.py
73+++ b/certbot_nginx/tests/configurator_test.py
74@@ -97,7 +97,7 @@ class NginxConfiguratorTest(util.NginxTest):
75 errors.PluginError, self.config.enhance, 'myhost', 'unknown_enhancement')
76
77 def test_get_chall_pref(self):
78- self.assertEqual([challenges.HTTP01, challenges.TLSSNI01],
79+ self.assertEqual([challenges.HTTP01],
80 self.config.get_chall_pref('myhost'))
81
82 def test_save(self):
83diff --git a/certbot_nginx/tests/http_01_test.py b/certbot_nginx/tests/http_01_test.py
84index 41c4b95..c6d35b8 100644
85--- a/certbot_nginx/tests/http_01_test.py
86+++ b/certbot_nginx/tests/http_01_test.py
87@@ -73,11 +73,11 @@ class HttpPerformTest(util.NginxTest):
88 self.http01.add_chall(achall)
89 acme_responses.append(achall.response(self.account_key))
90
91- sni_responses = self.http01.perform()
92+ http_responses = self.http01.perform()
93
94- self.assertEqual(len(sni_responses), 4)
95+ self.assertEqual(len(http_responses), 4)
96 for i in six.moves.range(4):
97- self.assertEqual(sni_responses[i], acme_responses[i])
98+ self.assertEqual(http_responses[i], acme_responses[i])
99
100 def test_mod_config(self):
101 self.http01.add_chall(self.achalls[0])
102diff --git a/debian/changelog b/debian/changelog
103index cc87eaa..0b4f53c 100644
104--- a/debian/changelog
105+++ b/debian/changelog
106@@ -1,3 +1,14 @@
107+python-certbot-nginx (0.40.0-0ubuntu0.1) focal; urgency=medium
108+
109+ * Cope with newer python-acme that dropped TLSSNI01 (LP: #1875471):
110+ - new upstream version: 0.40.0
111+ - d/rules: actually run the tests by fixing the expression that looks
112+ for nocheck in DEB_BUILD_OPTIONS
113+ - d/p/fix-tests-with-newer-acme.patch: fix tests with newer python-acme
114+ that has no TLSSNI01. Thanks to Brad Warren <bmw@eff.org>
115+
116+ -- Andreas Hasenack <andreas@canonical.com> Tue, 05 May 2020 15:39:00 -0300
117+
118 python-certbot-nginx (0.39.0-1) unstable; urgency=medium
119
120 * New upstream version 0.39.0
121diff --git a/debian/patches/fix-tests-with-newer-acme.patch b/debian/patches/fix-tests-with-newer-acme.patch
122new file mode 100644
123index 0000000..2cdd71d
124--- /dev/null
125+++ b/debian/patches/fix-tests-with-newer-acme.patch
126@@ -0,0 +1,45 @@
127+Description: fix tests with newer python-acme that has no TLSSNI01
128+ This extracts the minimal pieces from upstream's bigger refactoring
129+ necessary to cope with python-acme's removal of TLSSNI01 in the version shipped
130+ in Focal.
131+Author: Brad Warren <bmw@eff.org>
132+Origin: upstream, https://gist.github.com/bmw/e4f13e17d1f4647c9d6be730c7ec3512
133+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1875471
134+Applied-Upstream: https://github.com/certbot/certbot/commit/4abd81e2186eddc67551d61a8260440bd177d18d
135+Last-Update: 2020-05-05
136+---
137+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
138+diff --git a/certbot-nginx/certbot_nginx/tests/http_01_test.py b/certbot-nginx/certbot_nginx/tests/http_01_test.py
139+index d05370c68..8e0450f6a 100644
140+--- a/certbot_nginx/tests/http_01_test.py
141++++ b/certbot_nginx/tests/http_01_test.py
142+@@ -1,6 +1,7 @@
143+ """Tests for certbot_nginx.http_01"""
144+ import unittest
145+
146++import josepy as jose
147+ import mock
148+ import six
149+
150+@@ -8,17 +9,19 @@ from acme import challenges
151+
152+ from certbot import achallenges
153+
154+-from certbot.plugins import common_test
155+ from certbot.tests import acme_util
156++from certbot.tests import util as test_util
157+
158+ from certbot_nginx.obj import Addr
159+ from certbot_nginx.tests import util
160+
161++AUTH_KEY = jose.JWKRSA.load(test_util.load_vector("rsa512_key.pem"))
162++
163+
164+ class HttpPerformTest(util.NginxTest):
165+ """Test the NginxHttp01 challenge."""
166+
167+- account_key = common_test.AUTH_KEY
168++ account_key = AUTH_KEY
169+ achalls = [
170+ achallenges.KeyAuthorizationAnnotatedChallenge(
171+ challb=acme_util.chall_to_challb(
172diff --git a/debian/patches/series b/debian/patches/series
173new file mode 100644
174index 0000000..86c7057
175--- /dev/null
176+++ b/debian/patches/series
177@@ -0,0 +1 @@
178+fix-tests-with-newer-acme.patch
179diff --git a/debian/rules b/debian/rules
180index c057a16..154080a 100755
181--- a/debian/rules
182+++ b/debian/rules
183@@ -21,6 +21,6 @@ override_dh_installdocs:
184 dh_installdocs -p python3-certbot-nginx
185
186 override_dh_auto_test:
187-ifdef (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
188+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
189 python3 setup.py test
190 endif
191diff --git a/docs/api/tls_sni_01.rst b/docs/api/tls_sni_01.rst
192deleted file mode 100644
193index 5074f63..0000000
194--- a/docs/api/tls_sni_01.rst
195+++ /dev/null
196@@ -1,5 +0,0 @@
197-:mod:`certbot_nginx.tls_sni_01`
198------------------------------------
199-
200-.. automodule:: certbot_nginx.tls_sni_01
201- :members:
202diff --git a/setup.py b/setup.py
203index 9c69a53..b53e166 100644
204--- a/setup.py
205+++ b/setup.py
206@@ -4,7 +4,7 @@ from setuptools.command.test import test as TestCommand
207 import sys
208
209
210-version = '0.39.0'
211+version = '0.40.0'
212
213 # Remember to update local-oldest-requirements.txt when changing the minimum
214 # acme/certbot version.

Subscribers

People subscribed via source and target branches