Commit graph

81 commits

Author SHA1 Message Date
wiz
1e9caac440 *: update email for fhajny 2018-12-15 21:12:18 +00:00
fhajny
da4b10957e py-{acme,certbot}: Update to 0.27.0.
## 0.27.0 - 2018-09-05

### Added

- The Apache plugin now accepts the parameter --apache-ctl which can
  be used to configure the path to the Apache control script.

### Changed

- When using `acme.client.ClientV2` (or
 `acme.client.BackwardsCompatibleClientV2` with an ACME server that
 supports a newer version of the ACME protocol), an
 `acme.errors.ConflictError` will be raised if you try to create
 an ACME account with a key that has already been used. Previously,
 a JSON parsing error was raised in this scenario when using the
 library with Let's Encrypt's ACMEv2 endpoint.

### Fixed

- When Apache is not installed, Certbot's Apache plugin no longer
  prints messages about being unable to find apachectl to the
  terminal when the plugin is not selected.
- If you're using the Apache plugin with the --apache-vhost-root flag
  set to a directory containing a disabled virtual host for the
  domain you're requesting a certificate for, the virtual host will
  now be temporarily enabled if necessary to pass the HTTP challenge.
- The documentation for the Certbot package can now be built using
  Sphinx 1.6+.
- You can now call `query_registration` without having to first call
  `new_account` on `acme.client.ClientV2` objects.
- The requirement of `setuptools>=1.0` has been removed from
  `certbot-dns-ovh`.
- Names in certbot-dns-sakuracloud's tests have been updated to refer
  to Sakura Cloud rather than NS1 whose plugin certbot-dns-sakuracloud
  was based on.

## 0.26.1 - 2018-07-17

### Fixed

- Fix a bug that was triggered when users who had previously manually
  set `--server` to get ACMEv2 certs tried to renew ACMEv1 certs.
2018-09-06 12:25:26 +00:00
triaxx
2bc64cbe9a Add used by comment for py-certbot-dns-rfc2136. 2018-07-24 09:24:11 +00:00
fhajny
50ab0d83fb net/py-{acme,certbot}: Update to 0.26.0.
### Added

- A new security enhancement which we're calling AutoHSTS has been
  added to Certbot's Apache plugin. This enhancement configures your
  webserver to send a HTTP Strict Transport Security header with a low
  max-age value that is slowly increased over time. The max-age value is
  not increased to a large value until you've successfully managed to
  renew your certificate. This enhancement can be requested with the
  --auto-hsts flag.
- New official DNS plugins have been created for Gehirn Infrastracture
  Service, Linode, OVH, and Sakura Cloud. These plugins can be found
  on our Docker Hub page at https://hub.docker.com/u/certbot and on
  PyPI.
- The ability to reuse ACME accounts from Let's Encrypt's ACMEv1
  endpoint on Let's Encrypt's ACMEv2 endpoint has been added.
- Certbot and its components now support Python 3.7.
- Certbot's install subcommand now allows you to interactively choose
  which certificate to install from the list of certificates managed
  by Certbot.
- Certbot now accepts the flag `--no-autorenew` which causes any
  obtained certificates to not be automatically renewed when it
  approaches expiration.
- Support for parsing the TLS-ALPN-01 challenge has been added back to
  the acme library.

### Changed

- Certbot's default ACME server has been changed to Let's Encrypt's
  ACMEv2 endpoint. By default, this server will now be used for both
  new certificate lineages and renewals.
- The Nginx plugin is no longer marked labeled as an "Alpha" version.
- The `prepare` method of Certbot's plugins is no longer called before
  running "Updater" enhancements that are run on every invocation of
  `certbot renew`.
2018-07-17 16:32:16 +00:00
fhajny
c6e88c65f1 security/py-{acme,certbot}: Update to 0.25.0.
### Added

- Support for the ready status type was added to acme. Without this change,
  Certbot and acme users will begin encountering errors when using Let's
  Encrypt's ACMEv2 API starting on June 19th for the staging environment and
  July 5th for production. See
  https://community.letsencrypt.org/t/acmev2-order-ready-status/62866 for more
  information.
- Certbot now accepts the flag --reuse-key which will cause the same key to be
  used in the certificate when the lineage is renewed rather than generating a
  new key.
- You can now add multiple email addresses to your ACME account with Certbot by
  providing a comma separated list of emails to the --email flag.
- Support for Let's Encrypt's upcoming TLS-ALPN-01 challenge was added to acme.
  For more information, see
  https://community.letsencrypt.org/t/tls-alpn-validation-method/63814/1.
- acme now supports specifying the source address to bind to when sending
  outgoing connections. You still cannot specify this address using Certbot.
- If you run Certbot against Let's Encrypt's ACMEv2 staging server but don't
  already have an account registered at that server URL, Certbot will
  automatically reuse your staging account from Let's Encrypt's ACMEv1 endpoint
  if it exists.
- Interfaces were added to Certbot allowing plugins to be called at additional
  points. The `GenericUpdater` interface allows plugins to perform actions
  every time `certbot renew` is run, regardless of whether any certificates are
  due for renewal, and the `RenewDeployer` interface allows plugins to perform
  actions when a certificate is renewed. See `certbot.interfaces` for more
  information.

### Changed

- When running Certbot with --dry-run and you don't already have a staging
  account, the created account does not contain an email address even if one
  was provided to avoid expiration emails from Let's Encrypt's staging server.
- certbot-nginx does a better job of automatically detecting the location of
  Nginx's configuration files when run on BSD based systems.
- acme now requires and uses pytest when running tests with setuptools with
  `python setup.py test`.
- `certbot config_changes` no longer waits for user input before exiting.

### Fixed

- Misleading log output that caused users to think that Certbot's standalone
  plugin failed to bind to a port when performing a challenge has been
  corrected.
- An issue where certbot-nginx would fail to enable HSTS if the server block
  already had an `add_header` directive has been resolved.
- certbot-nginx now does a better job detecting the server block to base the
  configuration for TLS-SNI challenges on.
2018-06-12 09:22:35 +00:00
fhajny
6d46b1370a security/py-{acme,certbot}: Update to 0.24.0.
### Added

- certbot now has an enhance subcommand which allows you to configure
  security enhancements like HTTP to HTTPS redirects, OCSP stapling,
  and HSTS without reinstalling a certificate.
- certbot-dns-rfc2136 now allows the user to specify the port to use
  to reach the DNS server in its credentials file.
- acme now parses the wildcard field included in authorizations so it
  can be used by users of the library.

### Changed

- certbot-dns-route53 used to wait for each DNS update to propagate
  before sending the next one, but now it sends all updates before
  waiting which speeds up issuance for multiple domains dramatically.
- We've doubled the time Certbot will spend polling authorizations
  before timing out.
- The level of the message logged when Certbot is being used with
  non-standard paths warning that crontabs for renewal included in
  Certbot packages from OS package managers may not work has been
  reduced. This stops the message from being written to stderr every
  time `certbot renew` runs.

### Fixed

- certbot-auto now works with Python 3.6.
2018-05-16 15:09:42 +00:00
fhajny
35e37afea5 security/py-certbot: Update to 0.23.0.
### Added

- Support for OpenResty was added to the Nginx plugin.

### Changed

- The timestamps in Certbot's logfiles now use the system's local time
  zone rather than UTC.
- Certbot's DNS plugins that use Lexicon now rely on Lexicon>=2.2.1 to
  be able to create and delete multiple TXT records on a single
  domain.
- certbot-dns-google's test suite now works without an internet
  connection.

### Fixed

- Removed a small window that if during which an error occurred,
  Certbot wouldn't clean up performed challenges.
- The parameters `default` and `ipv6only` are now removed from
  `listen` directives when creating a new server block in the Nginx
  plugin.
- `server_name` directives enclosed in quotation marks in Nginx are
  now properly supported.
- Resolved an issue preventing the Apache plugin from starting Apache
  when it's not currently running on RHEL and Gentoo based systems.
2018-04-13 08:14:28 +00:00
fhajny
0e097b55ef security/py-certbot: Update to 0.22.2.
0.22.2
- A type error introduced in 0.22.1 that would occur during challenge
  cleanup when a Certbot plugin raises an exception while trying to
  complete the challenge was fixed.

0.22.1
- The ACME server used with Certbot's --dry-run and --staging flags is
  now Let's Encrypt's ACMEv2 staging server which allows people to
  also test ACMEv2 features with these flags.
- The HTTP Content-Type header is now set to the correct value during
  certificate revocation with new versions of the ACME protocol.
- When using Certbot with Let's Encrypt's ACMEv2 server, it would add
  a blank line to the top of chain.pem and between the certificates in
  fullchain.pem for each lineage. These blank lines have been removed.
- Resolved a bug that caused Certbot's --allow-subset-of-names flag
  not to work.
- Fixed a regression in acme.client.Client that caused the class to
  not work when it was initialized without a ClientNetwork which is
  done by some of the other projects using our ACME library.
2018-03-23 14:37:08 +00:00
fhajny
2887a6fc50 security/py-certbot: Update to 0.22.0
### Added

- Support for obtaining wildcard certificates and a newer version of the ACME
  protocol such as the one implemented by Let's Encrypt's upcoming ACMEv2
  endpoint was added to Certbot and its ACME library. Certbot still works with
  older ACME versions and will automatically change the version of the protocol
  used based on the version the ACME CA implements.
- The Apache and Nginx plugins are now able to automatically install a wildcard
  certificate to multiple virtual hosts that you select from your server
  configuration.
- The `certbot install` command now accepts the `--cert-name` flag for
  selecting a certificate.
- `acme.client.BackwardsCompatibleClientV2` was added to Certbot's ACME library
  which automatically handles most of the differences between new and old ACME
  versions. `acme.client.ClientV2` is also available for people who only want
  to support one version of the protocol or want to handle the differences
  between versions themselves.
- certbot-auto now supports the flag --install-only which has the script
  install Certbot and its dependencies and exit without invoking Certbot.
- Support for issuing a single certificate for a wildcard and base domain was
  added to our Google Cloud DNS plugin. To do this, we now require your API
  credentials have additional permissions, however, your credentials will
  already have these permissions unless you defined a custom role with fewer
  permissions than the standard DNS administrator role provided by Google.
  These permissions are also only needed for the case described above so it
  will continue to work for existing users. For more information about the
  permissions changes, see the documentation in the plugin.

### Changed

- We have broken lockstep between our ACME library, Certbot, and its plugins.
  This means that the different components do not need to be the same version
  to work together like they did previously. This makes packaging easier
  because not every piece of Certbot needs to be repackaged to ship a change to
  a subset of its components.
- Support for Python 2.6 and Python 3.3 has been removed from ACME, Certbot,
  Certbot's plugins, and certbot-auto. If you are using certbot-auto on a RHEL
  6 based system, it will walk you through the process of installing Certbot
  with Python 3 and refuse to upgrade to a newer version of Certbot until you
  have done so.
- Certbot's components now work with older versions of setuptools to simplify
  packaging for EPEL 7.

### Fixed

- Issues caused by Certbot's Nginx plugin adding multiple ipv6only directives
  has been resolved.
- A problem where Certbot's Apache plugin would add redundant include
  directives for the TLS configuration managed by Certbot has been fixed.
- Certbot's webroot plugin now properly deletes any directories it creates.
2018-03-13 10:08:51 +00:00
fhajny
cbd3d9e306 Update security/py-{acme,certbot} to 0.21.1.
- When creating an HTTP to HTTPS redirect in Nginx, we now ensure the
  Host header of the request is set to an expected value before
  redirecting users to the domain found in the header. The previous way
  Certbot configured Nginx redirects was a potential security issue
- Fixed a problem where Certbot's Apache plugin could fail HTTP-01
  challenges if basic authentication is configured for the domain you
  request a certificate for.
- certbot-auto --no-bootstrap now properly tries to use Python 3.4 on
  RHEL 6 based systems rather than Python 2.6.
2018-02-02 15:36:08 +00:00
fhajny
74add85d4c Update security/py-{acme,certbot} to 0.21.0.
### Added

- Support for the HTTP-01 challenge type was added to our Apache and Nginx
  plugins.
- IPv6 support was added to the Nginx plugin.
- Support for automatically creating server blocks based on the default server
  block was added to the Nginx plugin.
- The flags --delete-after-revoke and --no-delete-after-revoke were added
  allowing users to control whether the revoke subcommand also deletes the
  certificates it is revoking.

### Changed

- We deprecated support for Python 2.6 and Python 3.3 in Certbot and its ACME
  library.
- We split our implementation of JOSE (Javascript Object Signing and
  Encryption) out of our ACME library and into a separate package named josepy.
- We updated the ciphersuites used in Apache to the new values recommended by
  Mozilla

### Fixed

- An issue with our Apache plugin on Gentoo due to differences in their
  apache2ctl command have been resolved.
2018-01-22 13:37:25 +00:00
fhajny
f3aa8b64a1 Update security/py-{acme,certbot} to 0.20.0.
0.20.0 - 2017-12-06

- Certbot's ACME library now recognizes URL fields in challenge
  objects in preparation for Let's Encrypt's new ACME endpoint.
- The Apache plugin now parses some distro specific Apache
  configuration files on non-Debian systems allowing it to get a
  clearer picture on the running configuration.
- Certbot better reports network failures by removing information
  about connection retries from the error output.
- An unnecessary question when using Certbot's webroot plugin
  interactively has been removed.
- Certbot's NGINX plugin no longer sometimes incorrectly reports that
  it was unable to deploy a HTTP->HTTPS redirect when requesting
  Certbot to enable a redirect for multiple domains.
- Problems where the Apache plugin was failing to find directives and
  duplicating existing directives on openSUSE have been resolved.
- An issue running the test shipped with Certbot and some our DNS
  plugins with older versions of mock have been resolved.
- On some systems, users reported strangely interleaved output
  depending on when stdout and stderr were flushed.

0.19.0 - 2017-10-04

- Certbot now has renewal hook directories where executable files can
  be placed for Certbot to run with the renew subcommand.
- After revoking a certificate with the revoke subcommand, Certbot
  will offer to delete the lineage associated with the certificate.
- When using Certbot's Google Cloud DNS plugin on Google Compute
  Engine, you no longer have to provide a credential file to Certbot
  if you have configured sufficient permissions for the instance which
  Certbot can automatically obtain using Google's metadata service.
- When deleting certificates interactively using the delete
  subcommand, Certbot will now allow you to select multiple lineages
  to be deleted at once.
- Certbot's Apache plugin no longer always parses Apache's
  sites-available on Debian based systems and instead only parses
  virtual hosts included in your Apache configuration.
- The plugins subcommand can now be run without root access.
- certbot-auto now includes a timeout when updating itself so it no
  longer hangs indefinitely when it is unable to connect to the
  external server.
- An issue where Certbot's Apache plugin would sometimes fail to
  deploy a certificate on Debian based systems if mod_ssl wasn't
  already enabled has been resolved.
- A bug in our Docker image where the certificates subcommand could
  not report if certificates maintained by Certbot had been revoked
  has been fixed.
- Certbot's RFC 2136 DNS plugin (for use with software like BIND) now
  properly performs DNS challenges when the domain being verified
  contains a CNAME record.
2017-12-09 16:39:03 +00:00
fhajny
7bbd7861a0 Update security/py-certbot to 0.18.2.
- An issue where Certbot's ACME module would raise an AttributeError
  trying to create self-signed certificates when used with pyOpenSSL
  17.3.0 has been resolved. For Certbot users with this version of
  pyOpenSSL, this caused Certbot to crash when performing a TLS SNI
  challenge or when the Nginx plugin tried to create an SSL server
  block.
2017-09-27 12:44:39 +00:00
fhajny
5a99b35667 Update security/py-certbot to 0.18.1.
- The Nginx plugin now configures Nginx to use 2048-bit Diffie-Hellman
  parameters.
- certbot-auto now installs Certbot in directories under /opt/eff.org.
- The Nginx plugin can now be selected in Certbot's interactive output.
- Output verbosity of renewal failures when running with --quiet has
  been reduced.
- The default revocation reason shown in Certbot help output now is a
  human readable string instead of a numerical code.
- Plugin selection is now included in normal terminal output.
- A newer version of ConfigArgParse is now installed when using
  certbot-auto causing values set to false in a Certbot INI
  configuration file to be handled intuitively.
- New naming conventions preventing certbot-auto from installing OS
  dependencies on Fedora 26 have been resolved.
2017-09-13 10:28:42 +00:00
fhajny
5985dc54b2 Update security/py-certbot to 0.18.0.
### Added
- The Nginx plugin now configures Nginx to use 2048-bit Diffie-Hellman
  parameters.

### Changed
- certbot-auto now installs Certbot in directories under `/opt/eff.org`.
- The Nginx plugin can now be selected in Certbot's interactive output.
- Output verbosity of renewal failures when running with `--quiet` has
  been reduced.
- The default revocation reason shown in Certbot help output now is a
  human readable string instead of a numerical code.
- Plugin selection is now included in normal terminal output.

### Fixed
- A newer version of ConfigArgParse is now installed when using
  certbot-auto causing values set to false in a Certbot INI
  configuration file to be handled intuitively.
- New naming conventions preventing certbot-auto from installing OS
  dependencies on Fedora 26 have been resolved.
2017-09-07 09:12:23 +00:00
fhajny
3f6d57d41a Update security/py-certbot and security/py-acme to 0.17.0.
### Added

- Support in our nginx plugin for modifying SSL server blocks that do
  not contain certificate or key directives.
- A `--max-log-backups` flag to allow users to configure or even completely
  disable Certbot's built in log rotation.
- A `--user-agent-comment` flag to allow people who build tools around Certbot
  to differentiate their user agent string by adding a comment to its default
  value.

### Changed

- Due to some awesome work by cryptography project, compilation can now be
  avoided on most systems when using certbot-auto.
- The `--renew-hook` flag has been hidden in favor of `--deploy-hook`.
- We have started printing deprecation warnings in certbot-auto for
  experimentally supported systems with OS packages available.
- A certificate lineage's name is included in error messages during renewal.

### Fixed

- Encoding errors that could occur when parsing error messages from the ACME
  server containing Unicode have been resolved.
- certbot-auto no longer prints misleading messages about there being a newer
  pip version available when installation fails.
- Certbot's ACME library now properly extracts domains from critical SAN
  extensions.
2017-08-03 22:12:17 +00:00
fhajny
f366845ccb Update security/py-certbot to 0.16.0.
Added
- A plugin for performing DNS challenges using dynamic DNS updates as
  defined in RFC 2316 (available separately).
- Plugins for performing DNS challenges for the providers DNS Made
  Easy and LuaDNS (available separately).
- Support for performing TLS-SNI-01 challenges when using the manual
  plugin.
- Automatic detection of Arch Linux in the Apache plugin providing
  better default settings for the plugin.

Changed
- The text of the interactive question about whether a redirect from
  HTTP to HTTPS should be added by Certbot has been rewritten to
  better explain the choices to the user.
- Simplified HTTP challenge instructions in the manual plugin.

Fixed
- Problems performing a dry run when using the Nginx plugin have been
  fixed.
- Resolved an issue where certbot-dns-digitalocean's test suite would
  sometimes fail when ran using Python 3.
- On some systems, previous versions of certbot-auto would error out
  with a message about a missing hash for setuptools.
- A bug where Certbot would sometimes not print a space at the end of
  an interactive prompt has been resolved.
- Nonfatal tracebacks are no longer shown in rare cases where Certbot
  encounters an exception trying to close its TCP connection with the
  ACME server.
2017-08-02 20:31:29 +00:00
fhajny
33ec4cb832 Update security/py-certbot and security/py-acme to 0.15.0
Added
- Plugins for performing DNS challenges for popular providers
- IPv6 support in the standalone plugin.
- A mechanism for keeping your Apache and Nginx SSL/TLS configuration
  up to date.
- --http-01-address and --tls-sni-01-address flags for controlling the
  address Certbot listens on when using the standalone plugin.
- The command certbot certificates that lists certificates managed by
  Certbot now performs additional validity checks to notify you if
  your files have become corrupted.

Changed
- Messages custom hooks print to stdout are now displayed by Certbot
  when not running in --quiet mode.
- jwk and alg fields in JWS objects have been moved into the protected
  header causing Certbot to more closely follow the latest version of
  the ACME spec.

Fixed
- Permissions on renewal configuration files are now properly
  preserved when they are updated.
- A bug causing Certbot to display strange defaults in its help output
  when using Python <= 2.7.4 has been fixed.
- Certbot now properly handles mixed case domain names found in custom
  CSRs.
- A number of poorly worded prompts and error messages.

Removed
- Support for OpenSSL 1.0.0 in certbot-auto has been removed as we now
  pin a newer version of cryptography which dropped support for this
  version.
2017-06-14 13:16:08 +00:00
fhajny
d076b75d28 Update security/py-certbot to 0.14.2.
0.14.2
- Certbot 0.14.0 included a bug where Certbot would create a temporary
  log file (usually in /tmp) if the program exited during argument parsing.

0.14.1
- Certbot now works with configargparse 0.12.0.
- Issues with the Apache plugin and Augeas 1.7+ have been resolved.
- A problem where the Nginx plugin would fail to install certificates on
  systems that had the plugin's SSL/TLS options file from 7+ months ago
  has been fixed.
2017-05-30 14:28:52 +00:00
fhajny
ac4dcecfdf Update py-certbot and py-acme to 0.14.0.
Use ALTERNATIVES to handle different Python versions better.

0.14.0 - 2017-05-04

Added

- Python 3.3+ support for all Certbot packages. certbot-auto still
  currently only supports Python 2, but the acme, certbot,
  certbot-apache, and certbot-nginx packages on PyPI now fully support
  Python 2.6, 2.7, and 3.3+.
- Certbot's Apache plugin now handles multiple virtual hosts per file.
- Lockfiles to prevent multiple versions of Certbot running
  simultaneously.

Changed

- When converting an HTTP virtual host to HTTPS in Apache, Certbot
  only copies the virtual host rather than the entire contents of the
  file it's contained in.
- The Nginx plugin now includes SSL/TLS directives in a separate file
  located in Certbot's configuration directory rather than copying the
  contents of the file into every modified server block.

Fixed

- Ensure logging is configured before parts of Certbot attempt to log
  any messages.
- Support for the --quiet flag in certbot-auto.
- Reverted a change made in a previous release to make the acme and
  certbot packages always depend on argparse. This dependency is
  conditional again on the user's Python version.
- Small bugs in the Nginx plugin such as properly handling empty
  server blocks and setting server_names_hash_bucket_size during
  challenges.
2017-05-11 08:23:35 +00:00
fhajny
14073b64fe Fix stale and missing dependencies in py-acme and py-certbot. PKGREVISION++ 2017-04-10 10:29:38 +00:00
fhajny
9eca35ebf0 Update security/py-certbot and security/py-acme to 0.13.0.
0.13.0 - 2017-04-06

Added
- --debug-challenges pauses Certbot after setting up challenges for
  debugging.
- The Nginx parser can handle all valid directives in configuration
  files.
- Nginx ciphersuites changed to Mozilla Intermediate.
- certbot-auto --no-bootstrap won't install OS dependencies.

Fixed
- --register-unsafely-without-email respects --quiet.
- Hyphenated renewalparams are now saved in renewal config files.
- --dry-run no longer persists keys and csrs.
- No longer hangs when trying to start Nginx in Arch Linux.
- Apache rewrite rules no longer double-encode characters.

0.12.0 - 2017-03-02

Added
- Allow non-camelcase Apache VirtualHost names
- Allow more log messages to be silenced

Fixed
- Fix a regression around using --cert-name when getting new
  certificates
2017-04-06 19:51:15 +00:00
wiz
5195101c51 Updated py-certbot to 0.11.1.
No concise changelog found. ~30 bugs/issues fixed.
2017-02-07 14:03:58 +00:00
wiz
a8e0b68b5f Update py-acme and py-certbot to 0.10.1.
All py-certbot self tests pass.
39 self test failures in py-acme (running py.test), one core dump
in openssl (running make test).

Changes:
Test bug fixes
2017-01-25 12:34:07 +00:00
fhajny
29322c0209 Update security/py-{acme,certbot} to 0.10.0.
No changelog released, commits closed for 0.10.0:
- Stop IDisplay AssertionErrors
- Add update_symlinks to "--help manage"
- Hide rename command for 0.10.0
- Disable rename command for 0.10.0
- Break on failure to deploy cert
- Incorrect success condition in nginx
- certbot delete and rename evoke IDisplay
- Put update_symlinks in certbot --help manage
- Fix Error Message for invalid FQDNs
- pyopenssl inject workaround
- pyparsing.restOfLine is not a function, don't call it
- Add information on updating [certbot|letsencrypt]-auto
- Remove quotes so tilde is expanded
- Correctly report when we skip hooks during renewal
- Add line number to Augeas syntax error message
- Mention line in (Apache) conf file in case of Augeas parse/syntax
  error
- Fixes #3954 and adds a test to prevent regressions
- Further OCSP improvements
- `-n` doesn't like `force_interactive`?
- Save allow_subset_of_names in renewal conf files
- I promise checklists are OK (fixes #3934)
- Return domains for _find_domains_or_certname
- --cert-name causes explosions when trying to use "run" as an installer
- Interactivity glitch in git master
- Document some particularities of the revoke subcommand
- test using os.path.sep not hardcoded /
- Save --pre and --post hooks in renewal conf files, and run them in a
  sophisticated way
- Don't add ServerAlias directives when the domain is already covered by
  a wildcard
- Mitigate problems for people who run without -n
- Use relative paths for livedir symlinks
- Implement delete command
- Use isatty checks before asking new questions
- Ensure apt-cache is always running in English if we're going to grep
- Sort the names by domain (then subdomain) before showing them
- Merge the manual and script plugins
- --allow-subset-of-names should probably be a renewalparam
- Fix certbox-nginx address equality check
- Implement our fancy new --help output
- Make renew command respect the --cert-name flag
- Error when using non-english locale on Debian
- Document defaults
- Improve simple --help output
- Add pyasn1 back to le-auto
- Mark Nginx vhosts as ssl when any vhost is on ssl at that address
- Fully check for Nginx address equality
- Preserve --must-staple in configuration for renewal (#3844)
- Git master certbot is making executable renewal conf files?
- Improve the "certbot certificates" output
- Renewal: Preserve 'OCSP Must Staple' (option --must-staple)
- Security enhancement cleanup
- Parallalelise nosetests from tox
- "certbot certificates" is API-like, so make it future-proof
- Fix LE_AUTO_SUDO usage
- Remove the sphinxcontrib.programout [docs]dependency
- No more relative path connection from live-crt to archive-crt files
- Ensure tests pass with openssl 1.1
- Output success message for revoke command
- acme module fails tests with openssl 1.1
- Pin pyopenssl 16.2.0 in certbot-auto
- Fixed output of `certbot-auto --version`(#3637).
- Take advantage of urllib3 pyopenssl rewrite
- Busybox support
- Fix --http-01-port typo at source
- Implement the --cert-name flag to select a lineage by its name.
- Fix reinstall message
- Changed plugin interface return types (#3748).
- Remove letshelp-letsencrypt
- Bump pyopenssl version
- Bump python-cryptography to 1.5.3
- Remove get_all_certs_keys() from Apache and Nginx
- Further merge --script-* with --*-hook
- Certbot opens curses sessions for informational notices, breaking
  automation
- Fix writing pem files with Python3
- Strange reinstallation errors
- Don't re-add redirects if one exists
- Use subprocess.Popen.terminate instead of os.killpg
- Generalize return types for plugin interfaces
- Don't re-append Nginx redirect directive
- Cli help is sometimes wrong about what the default for something is
- [certbot-auto] Bump cryptography version to 1.5.2
- python-cryptography build failure on sid
- Remove sphinxcontrib-programoutput dependency?
- Allow notification interface to not wrap text
- Fix non-ASCII domain check.
- Add renew_hook to options stored in the renewal config, #3394
- Where oh where has sphinxcontrib-programoutput gone?
- Remove some domain name checks.
- Allowing modification check to run using "tox"
- How to modify *-auto
- Don't crash when U-label IDN provided on command line
- Add README file to each live directory explaining its contents.
- Allow user to select all domains by typing empty string at checklist
- Fix issue with suggest_unsafe undeclared
- Update docs/contributing.rst to match display behavior during release.
- Referencing unbound variable in certbot.display.ops.get_email
- Add list-certs command
- Remove the curses dialog, thereby deprecating the --help and --dialog
  command line options
- Remove the curses dialog, thereby deprecating the --help and --dialog
  command line options
- Specify archive directory in renewal configuration file
- 0.9.1 fails in non-interactive use (pythondialog, error opening
  terminal)
- Allow certbot to get a cert for default_servers
- [nginx] Cert for two domains in one virtaulhost fails
- [nginx] --hsts and --uir flags not working?
- `certbot-auto --version` still says `letsencrypt 0.9.3` (should say
  `certbot 0.9.3`?)
- Add a cli option for "all domains my installer sees"
- Stop rejecting punycode domain names
- Standalone vs. Apache for available ports
- nginx-compatibility-weirdness
- Support requesting IDNA2008 Punycode domains
- Cert Management Improvement Project (C-MIP)
- Add --lineage command line option for nicer SAN management.
- Fix requirements.txt surgery in response to shipping certbot-nginx
- Use correct Content-Types in headers.
- Missing Content-Type 'application/json' in POST requests
- Script plugin
- Inconsistent error placement
- Server alias [revision requested]
- When getopts is called multiple time we need to reset OPTIND.
- certbot-auto: Print link to doc on debugging pip install error
  [revision requested]
- Update ACME error namespace to match the new draft.
- Update errors to match latest ACME version.
- Testing the output of build.py against lea-source/lea
- Make return type of certbot.interfaces.IInstaller.get_all_keys_certs()
  an iterator
- Fix requirements file surgery for 0.10.0 release
- Update Where Are My Certs section.
- Hooks do not get stored in renewal config file
- Multiple vhosts
- Bind to IPv6, fix the problem of ipv6 site cannot generate / renew
  certificate [revision requested]
- Warning message for low memory servers
- Run simple certbot-auto tests with `tox`
- letsencrypt-auto-source/letsencrypt-auto should be the output of
  build.py
- DialogError should come with --text instructions
- Support correct error namespace
- Verification URL after successful certificate configuration can't be
  opened from terminal
- Use appropriate caution when handling configurations that have complex
  rewrite logic
- `revoke` doesn't output any status
- adding -delete option to remove the cert files
- Stop using simple_verify in manual plugin
- Ways of specifying what to renew
- Allow removing SAN from multidomain certificate when renewing
- Dialog is sometimes ugly
- Allow user to override sudo as root authorization method [minor
  revision requested]
- Add a README file to each live directory explaining its contents
- ExecutableNotFound
2017-01-12 16:02:43 +00:00
wiz
7f17c422cb Update py-certbot and py-acme to 0.9.3.
Changelog not found.
2016-10-19 13:45:54 +00:00
fhajny
40b116f20b Update py-certbot and py-acme to 0.9.1.
No changelog available, issues closed since 0.8.1:

certbot 0.9.1
- Make --quiet reduce the logging level

certbot 0.9.0
- Allow tests to pass without dnspython
- Remove psutil dep
- Renew symlink safety
- Update Nginx redirect enhancement process to modify appropriate
  blocks
- If lineages are in an inconsistent (non-deployed) state, deploy
  them
- Restructure how Nginx parser re-finds vhosts, and disable
  creating new server blocks.
- Remove pointless question
- Tie Nginx OCSP stapling to enhancements system
- Nginx server block selection: Handle non-80/443 ports
- Include log retention count to 1000.
- Make parser.py: add_server_directives documentation consistent
  with functionality
- Fix Nginx prompt
- Make Nginx error out if no matching server block is found
- Only suggest names LE will accept
- Implement Nginx server block selection
- should_autorenew ignores symlinks
- Fixes cffi errors in Travis during oldest tests
- DNS challenge support in the manual plugin and general purpose
  --preferred-challenges flag
- Fixed hash_bucket_size detection for nginx
- Support both invalidEmail and invalidContact errors
- Removes duplication between README.rst and resources.rst
- Psutil tests
- Allow tests to run when psutil isn't available
- Tests fail on Certbot package due to missing psutil dependency
- Hide the Nginx plugin
- Add the Nginx plugin to certbot-auto
- OCSP stapling in Nginx
- Nginx plugin selection
- Add certbot-nginx to certbot-auto
- Missing links in README
- clarify invalid email error in non-interactive
- Replace '-' with '_' before filtering plugin settings
- Fix extra or lack of spacing between words in help for renew
  flags
- Fix Travis tests
- Avoid importing conflicting security policy directives
- Change log rotation scheme
- Plugins with hyphens do not receive their args during renewal
- Handle dns01 challenge into the manual plugin [see #3466]
- Enable unit tests of certbot core on Python 3
- Add os-release ID_LIKE parsing if original distribution mapping
  not found in constants
- Fix README typo
- Nginx plugin domain selection
- Fix spacing of nginx redirect blocks
- Rationalise challenge and port selection flags
- Remove psutil from requirements.txt
- prevent Github commits from modifying certbot-auto and
  letsencrypt-auto
- Gradually remove psutil dependency, bugfix [URGENT]
- psutil fails to install because hash is missing when running
  certbot-auto
- Failure to start Nginx after configuring redirect
- Prepare docs to turn off the wiki
- Certbot apache plugin fails with TypeError: 'NoneType' object
  has no attribute '__getitem__'
- Change fatal warning to a fatal message
- Fatal warnings
- Apache default default
- Deprecation fixes
- New docs structure and introduction
- Nginx charset_map and ${VARIABLE_SUBSTITUTION} parsing
- Unclear error about invalid email in non-interactive mode
- Use simple socket test for port availability if psutil not found
- Python 3 support for certonly
- Set dialog widgets to use autowidgetsize
- Errors when run without root
- Apache plugin PATH fallback
- Automatically enable EPEL after prompting users
- Multi-topic help listings
- Installer error
- Explain why Apache [appears] not to be installed
- ErrorHandler causing errors
- Update FreeBSD package name
- Comment out corresponding RewriteConds for filtered RewriteRule
- Permissive parsing of nginx map blocks
- add nginx round-trip tests to tox/travis
- Fix Unix signal handling in certbot.error_handler.ErrorHandler
- Resuming error handling functions after a signal
- Only write nginx config files if they've been modified
- If the user picks "cancel" from the Apache vhost selection menu,
  Certbot doesn't exit
- certbot removes http->https rules corrupts ruleset
- Fix typo
- Better document plugins and reversion
- Nginx parser apparently can't parse "map"
- Nginx plugin shouldn't write files it hasn't changed
- Fix Nginx reversion
- Merge Augeas fix for comment line continuations
- Remove warning about nginx options file
- Explain the most likely cause of a missing replay nonce error
- Bump pyca package versions
- Don't add wildcard listen if user has more specific
  configuration
- Remove unused nosexcover dependency
- Cleanup dev setup
- Nginx space preservation
- Set dialog widgets to use autowidgetsize
- Printing pip output to terminal when -v is used
- Log new cert and cert renewal
- Log whether renewing or obtaining a new certificate
- Added the argument --quiet and -q so then when used with a
  regular user there is no output to the screen.
- certbot-auto not quiet when used with regular user
- Adding sensible UI logging for typical user
- Replace psutils dependency
- Display DialogError details correctly
- -v implies --text
- Fix FQDN checks, closes #3057 and #3056
- Bug in FQDN detection: installer wrongly interprets _
- Installer thinks bare TLD is not a valid FQDN
- Limiting tox envlist to really needed tests
- trouble with Listen directives in CentOS 7 / ssl.conf
- Remove dangling footnote
- certbot-apache fails to parse files with comma in the filename
- pip and verbosity
- Dialog error messages
- NcursesDisplay.menu: treat ESC as cancel
- More useful error when running as non-root?
- -v should imply --text
- Update tox/instructions
- Error that results when run without root is unclear
- Enable EPEL in RPM bootstrapper
- Add dns-01 challenge support to the ACME client
- Apache plugin fails to parse OWASP's ModSecurity ruleset
- Audit nginx plugin for guaranteed config reversion in case of
  error
- NoInstallationError() from Apache plugin within renewal cron
  jobs due to /usr/sbin not being in the PATH
- nginx http redirect
- "No installers" error message not clear
- HelpfulArgumentParser should know about flags that are relevant
  to several topics
- Nginx configurator should preserve whitespace on output
- server blocks added to nginx.conf
- Nginx fails if ssl_session_cache already defined
- nginx leaves dirty/modified config files
- Sensible UI logging for typical user
- nginx plugin issue with server block containing multiple
  servernames
2016-10-11 09:23:35 +00:00
fhajny
55a3ce7b60 Fix forgotten change, ride previous revision 2016-06-15 20:03:05 +00:00
fhajny
fc65a7fb21 Update security/py-certbot (and security/py-acme) to 0.8.1.
No changelog provided, Github issues touched:

- Update the autos in response to 0.8.1 release
- Fix default detection
- Provide nonroot guidance when logging gets EACCES.
- Add additional warning with actual exception message during
  renewal
- Interactive webroot values not stored in renewal config file
- Preserve common name during renewal
- Mageia Bootstrap
- Initialize Augeas in a different method to be able to react to
  ImportError
- Renew changes common name
- Update letsencrypt-auto in response to Arch package rename
- On Mac OSX: "ValueError: Invalid header value"
- Strip "\n" from end of OS version string for OS X.
- Revert "Use --force-reinstall to fix bad virtualenv package"
- Exit if cannot bootstrap in certbot-auto
- Add --disable-hook-validation
- --post-hook validation too strict
- letsencrypt-auto gives "sudo" is not available
- mageia bootstrap [needs revision]
- Install/compile fails of letsencrypt-auto on Smartos/Illumos
2016-06-15 19:59:43 +00:00
fhajny
1b00af5bcf Update security/py-certbot to 0.8.0.
Changes in 0.8.0

- The main new feature in this release is the register subcommand
  which can be used to register an account with the Let's Encrypt
  CA. Additionally, you can run certbot register
  --update-registration to change the e-mail address associated
  with your registration.

Full commit log since 0.7.0:

  https://github.com/certbot/certbot/compare/v0.7.0...v0.8.0

Changes in 0.7.0:
- --must-staple to request certificates from Let's Encrypt with the
  OCSP must staple extension
- automatic configuration of OSCP stapling for Apache
- requesting certificates for domains found in the common name
  of a custom CSR
- a number of bug fixes

Full commit log since 0.6.0

  https://github.com/certbot/certbot/compare/v0.6.0...v0.7.0
2016-06-03 11:30:14 +00:00
fhajny
9b1019e53d Import certbot 0.6.0 as security/py-certbot.
Certbot, previously the Let's Encrypt Client, is EFF's tool to
obtain certs from Let's Encrypt, and (optionally) autoenable HTTPS
on your server. It can also act as a client for any other CA that
uses the ACME protocol.
2016-05-25 18:18:16 +00:00