Ubuntu
python-certbot-nginx package

Merge ~ahasenack/ubuntu/+source/python-certbot-nginx:focal-certbot-nginx-1875471 into ubuntu/+source/python-certbot-nginx:ubuntu/focal

  1. Git
  2. lp:~ahasenack/ubuntu/+source/python-certbot-nginx
  3. focal-certbot-nginx-1875471
  4. Merge into ubuntu/focal
Proposed by Andreas Hasenack
Status: Merged
Approved by: Andreas Hasenack
Approved revision: 723b05582944144e68428246b1d478afa80625cb
Merge reported by: Andreas Hasenack
Merged at revision: 723b05582944144e68428246b1d478afa80625cb
Proposed branch: ~ahasenack/ubuntu/+source/python-certbot-nginx:focal-certbot-nginx-1875471
Merge into: ubuntu/+source/python-certbot-nginx:ubuntu/focal
Diff against target: 214 lines (+71/-20)
13 files modified
PKG-INFO (+1/-1)
certbot_nginx.egg-info/PKG-INFO (+1/-1)
certbot_nginx.egg-info/SOURCES.txt (+1/-2)
certbot_nginx/configurator.py (+1/-1)
certbot_nginx/http_01.py (+4/-4)
certbot_nginx/tests/configurator_test.py (+1/-1)
certbot_nginx/tests/http_01_test.py (+3/-3)
debian/changelog (+11/-0)
debian/patches/fix-tests-with-newer-acme.patch (+45/-0)
debian/patches/series (+1/-0)
debian/rules (+1/-1)
dev/null (+0/-5)
setup.py (+1/-1)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Canonical Server Pending
Review via email: mp+383529@code.launchpad.net

This proposal supersedes a proposal from 2020-05-06.

Description of the change

## NOTE
This MP is against ubuntu/focal, not ubuntu/focal-devel, as focal had a python-certbot-nginx package in focal-proposed when the release was cut and groovy opened. The package in focal-proposed never made it to focal and became part of groovy instead.

The bug has details on what happened, and how it was fixed. The options we had were outlined in https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1875471/comments/12 and upstream suggested a fourth alternative in https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1875471/comments/15 which is what I adopted.

Test PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/certbot-tlssni01-1875471-d

Running all the tests properly needs a specific setup, which I suggest to leave for the SRU verification. I have done those with my test PPA already prior to submitting this.

What can easily be tested is the python error which originated this:

AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'

Just run this, on any host/container (no need to replace the fake domain):

sudo apt install python3-certbot-nginx
sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx

The fixed version won't fail with AttributeError, but will try to fetch a certificate for example.org, and that will of course fail and is fine.

The second check to make is to confirm that the build-time tests were run. Search build logs for "dh_auto_test".

To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Read all the bug updates - for how much was going on there the MP doesn't look so bad after all :-)

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

After wondering "hey this is a new version" at first this seems ok.
0.39 -> 0.40 is minimal and fixes the issues we see.

Also I agree not going the full >=1.3.x that is in groovy.

The backport of the test-fix LGTM as well.

The SRU Template is great and should resolve all confusion for anyone looking at the case.

Buildlog and changelog look good as well.
+1

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks, tagging and uploading 723b05582944144e68428246b1d478afa80625cb

$ git push pkg upload/0.40.0-0ubuntu0.1
Enumerating objects: 45, done.
Counting objects: 100% (45/45), done.
Delta compression using up to 4 threads
Compressing objects: 100% (23/23), done.
Writing objects: 100% (29/29), 3.89 KiB | 442.00 KiB/s, done.
Total 29 (delta 20), reused 5 (delta 5)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/python-certbot-nginx
 * [new tag] upload/0.40.0-0ubuntu0.1 -> upload/0.40.0-0ubuntu0.1

$ dput ubuntu ../python-certbot-nginx_0.40.0-0ubuntu0.1_source.changes
Checking signature on .changes
gpg: ../python-certbot-nginx_0.40.0-0ubuntu0.1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../python-certbot-nginx_0.40.0-0ubuntu0.1.dsc: Valid signature from AC983EB5BF6BCBA9
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading python-certbot-nginx_0.40.0-0ubuntu0.1.dsc: done.
  Uploading python-certbot-nginx_0.40.0.orig.tar.gz: done.
  Uploading python-certbot-nginx_0.40.0.orig.tar.gz.asc: done.
  Uploading python-certbot-nginx_0.40.0-0ubuntu0.1.debian.tar.xz: done.
  Uploading python-certbot-nginx_0.40.0-0ubuntu0.1_source.buildinfo: done.
  Uploading python-certbot-nginx_0.40.0-0ubuntu0.1_source.changes: done.
Successfully uploaded packages.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This was released already.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/PKG-INFO b/PKG-INFO
index e7aaec3..bbef3c2 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
1Metadata-Version: 2.11Metadata-Version: 2.1
2Name: certbot-nginx2Name: certbot-nginx
3Version: 0.39.03Version: 0.40.0
4Summary: Nginx plugin for Certbot4Summary: Nginx plugin for Certbot
5Home-page: https://github.com/letsencrypt/letsencrypt5Home-page: https://github.com/letsencrypt/letsencrypt
6Author: Certbot Project6Author: Certbot Project
diff --git a/certbot_nginx.egg-info/PKG-INFO b/certbot_nginx.egg-info/PKG-INFO
index e7aaec3..bbef3c2 100644
--- a/certbot_nginx.egg-info/PKG-INFO
+++ b/certbot_nginx.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
1Metadata-Version: 2.11Metadata-Version: 2.1
2Name: certbot-nginx2Name: certbot-nginx
3Version: 0.39.03Version: 0.40.0
4Summary: Nginx plugin for Certbot4Summary: Nginx plugin for Certbot
5Home-page: https://github.com/letsencrypt/letsencrypt5Home-page: https://github.com/letsencrypt/letsencrypt
6Author: Certbot Project6Author: Certbot Project
diff --git a/certbot_nginx.egg-info/SOURCES.txt b/certbot_nginx.egg-info/SOURCES.txt
index 082c212..be61861 100644
--- a/certbot_nginx.egg-info/SOURCES.txt
+++ b/certbot_nginx.egg-info/SOURCES.txt
@@ -72,5 +72,4 @@ docs/_static/.gitignore
72docs/_templates/.gitignore72docs/_templates/.gitignore
73docs/api/nginxparser.rst73docs/api/nginxparser.rst
74docs/api/obj.rst74docs/api/obj.rst
75docs/api/parser.rst
76docs/api/tls_sni_01.rst
77\ No newline at end of file75\ No newline at end of file
76docs/api/parser.rst
78\ No newline at end of file77\ No newline at end of file
diff --git a/certbot_nginx/configurator.py b/certbot_nginx/configurator.py
index 9571591..fe5c7da 100644
--- a/certbot_nginx/configurator.py
+++ b/certbot_nginx/configurator.py
@@ -1107,7 +1107,7 @@ class NginxConfigurator(common.Installer):
1107 ###########################################################################1107 ###########################################################################
1108 def get_chall_pref(self, unused_domain): # pylint: disable=no-self-use1108 def get_chall_pref(self, unused_domain): # pylint: disable=no-self-use
1109 """Return list of challenge preferences."""1109 """Return list of challenge preferences."""
1110 return [challenges.HTTP01, challenges.TLSSNI01]1110 return [challenges.HTTP01]
11111111
1112 # Entry point in main.py for performing challenges1112 # Entry point in main.py for performing challenges
1113 def perform(self, achalls):1113 def perform(self, achalls):
diff --git a/certbot_nginx/http_01.py b/certbot_nginx/http_01.py
index 70147a4..4dcc532 100644
--- a/certbot_nginx/http_01.py
+++ b/certbot_nginx/http_01.py
@@ -29,10 +29,10 @@ class NginxHttp01(common.ChallengePerformer):
29 :param list indices: Meant to hold indices of challenges in a29 :param list indices: Meant to hold indices of challenges in a
30 larger array. NginxHttp01 is capable of solving many challenges30 larger array. NginxHttp01 is capable of solving many challenges
31 at once which causes an indexing issue within NginxConfigurator31 at once which causes an indexing issue within NginxConfigurator
32 who must return all responses in order. Imagine NginxConfigurator32 who must return all responses in order. Imagine
33 maintaining state about where all of the http-01 Challenges,33 NginxConfigurator maintaining state about where all of the
34 TLS-SNI-01 Challenges belong in the response array. This is an34 challenges, possibly of different types, belong in the response
35 optional utility.35 array. This is an optional utility.
3636
37 """37 """
3838
diff --git a/certbot_nginx/tests/configurator_test.py b/certbot_nginx/tests/configurator_test.py
index 19624a7..237e22d 100644
--- a/certbot_nginx/tests/configurator_test.py
+++ b/certbot_nginx/tests/configurator_test.py
@@ -97,7 +97,7 @@ class NginxConfiguratorTest(util.NginxTest):
97 errors.PluginError, self.config.enhance, 'myhost', 'unknown_enhancement')97 errors.PluginError, self.config.enhance, 'myhost', 'unknown_enhancement')
9898
99 def test_get_chall_pref(self):99 def test_get_chall_pref(self):
100 self.assertEqual([challenges.HTTP01, challenges.TLSSNI01],100 self.assertEqual([challenges.HTTP01],
101 self.config.get_chall_pref('myhost'))101 self.config.get_chall_pref('myhost'))
102102
103 def test_save(self):103 def test_save(self):
diff --git a/certbot_nginx/tests/http_01_test.py b/certbot_nginx/tests/http_01_test.py
index 41c4b95..c6d35b8 100644
--- a/certbot_nginx/tests/http_01_test.py
+++ b/certbot_nginx/tests/http_01_test.py
@@ -73,11 +73,11 @@ class HttpPerformTest(util.NginxTest):
73 self.http01.add_chall(achall)73 self.http01.add_chall(achall)
74 acme_responses.append(achall.response(self.account_key))74 acme_responses.append(achall.response(self.account_key))
7575
76 sni_responses = self.http01.perform()76 http_responses = self.http01.perform()
7777
78 self.assertEqual(len(sni_responses), 4)78 self.assertEqual(len(http_responses), 4)
79 for i in six.moves.range(4):79 for i in six.moves.range(4):
80 self.assertEqual(sni_responses[i], acme_responses[i])80 self.assertEqual(http_responses[i], acme_responses[i])
8181
82 def test_mod_config(self):82 def test_mod_config(self):
83 self.http01.add_chall(self.achalls[0])83 self.http01.add_chall(self.achalls[0])
diff --git a/debian/changelog b/debian/changelog
index cc87eaa..0b4f53c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
1python-certbot-nginx (0.40.0-0ubuntu0.1) focal; urgency=medium
2
3 * Cope with newer python-acme that dropped TLSSNI01 (LP: #1875471):
4 - new upstream version: 0.40.0
5 - d/rules: actually run the tests by fixing the expression that looks
6 for nocheck in DEB_BUILD_OPTIONS
7 - d/p/fix-tests-with-newer-acme.patch: fix tests with newer python-acme
8 that has no TLSSNI01. Thanks to Brad Warren <bmw@eff.org>
9
10 -- Andreas Hasenack <andreas@canonical.com> Tue, 05 May 2020 15:39:00 -0300
11
1python-certbot-nginx (0.39.0-1) unstable; urgency=medium12python-certbot-nginx (0.39.0-1) unstable; urgency=medium
213
3 * New upstream version 0.39.014 * New upstream version 0.39.0
diff --git a/debian/patches/fix-tests-with-newer-acme.patch b/debian/patches/fix-tests-with-newer-acme.patch
4new file mode 10064415new file mode 100644
index 0000000..2cdd71d
--- /dev/null
+++ b/debian/patches/fix-tests-with-newer-acme.patch
@@ -0,0 +1,45 @@
1Description: fix tests with newer python-acme that has no TLSSNI01
2 This extracts the minimal pieces from upstream's bigger refactoring
3 necessary to cope with python-acme's removal of TLSSNI01 in the version shipped
4 in Focal.
5Author: Brad Warren <bmw@eff.org>
6Origin: upstream, https://gist.github.com/bmw/e4f13e17d1f4647c9d6be730c7ec3512
7Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1875471
8Applied-Upstream: https://github.com/certbot/certbot/commit/4abd81e2186eddc67551d61a8260440bd177d18d
9Last-Update: 2020-05-05
10---
11This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
12diff --git a/certbot-nginx/certbot_nginx/tests/http_01_test.py b/certbot-nginx/certbot_nginx/tests/http_01_test.py
13index d05370c68..8e0450f6a 100644
14--- a/certbot_nginx/tests/http_01_test.py
15+++ b/certbot_nginx/tests/http_01_test.py
16@@ -1,6 +1,7 @@
17 """Tests for certbot_nginx.http_01"""
18 import unittest
19
20+import josepy as jose
21 import mock
22 import six
23
24@@ -8,17 +9,19 @@ from acme import challenges
25
26 from certbot import achallenges
27
28-from certbot.plugins import common_test
29 from certbot.tests import acme_util
30+from certbot.tests import util as test_util
31
32 from certbot_nginx.obj import Addr
33 from certbot_nginx.tests import util
34
35+AUTH_KEY = jose.JWKRSA.load(test_util.load_vector("rsa512_key.pem"))
36+
37
38 class HttpPerformTest(util.NginxTest):
39 """Test the NginxHttp01 challenge."""
40
41- account_key = common_test.AUTH_KEY
42+ account_key = AUTH_KEY
43 achalls = [
44 achallenges.KeyAuthorizationAnnotatedChallenge(
45 challb=acme_util.chall_to_challb(
diff --git a/debian/patches/series b/debian/patches/series
0new file mode 10064446new file mode 100644
index 0000000..86c7057
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
1fix-tests-with-newer-acme.patch
diff --git a/debian/rules b/debian/rules
index c057a16..154080a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -21,6 +21,6 @@ override_dh_installdocs:
21 dh_installdocs -p python3-certbot-nginx21 dh_installdocs -p python3-certbot-nginx
2222
23override_dh_auto_test:23override_dh_auto_test:
24ifdef (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))24ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
25 python3 setup.py test25 python3 setup.py test
26endif26endif
diff --git a/docs/api/tls_sni_01.rst b/docs/api/tls_sni_01.rst
27deleted file mode 10064427deleted file mode 100644
index 5074f63..0000000
--- a/docs/api/tls_sni_01.rst
+++ /dev/null
@@ -1,5 +0,0 @@
1:mod:`certbot_nginx.tls_sni_01`
2-----------------------------------
3
4.. automodule:: certbot_nginx.tls_sni_01
5 :members:
diff --git a/setup.py b/setup.py
index 9c69a53..b53e166 100644
--- a/setup.py
+++ b/setup.py
@@ -4,7 +4,7 @@ from setuptools.command.test import test as TestCommand
4import sys4import sys
55
66
7version = '0.39.0'7version = '0.40.0'
88
9# Remember to update local-oldest-requirements.txt when changing the minimum9# Remember to update local-oldest-requirements.txt when changing the minimum
10# acme/certbot version.10# acme/certbot version.

Subscribers

People subscribed via source and target branches