[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Andreas Hasenack
andreas at canonical.com
Wed May 6 18:12:16 UTC 2020
Successful run with apache:
ubuntu@certbot-test:~$ sudo certbot -d certbot-test.justgohome.co.uk --agree-tos --staging --register-unsafely-without-email --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://certbot-test.justgohome.co.uk
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=certbot-test.justgohome.co.uk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/certbot-test.justgohome.co.uk/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/certbot-test.justgohome.co.uk/privkey.pem
Your cert will expire on 2020-08-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
** Description changed:
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception
defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
Not directly applicable; see the exception policy document at
https://wiki.ubuntu.com/StableReleaseUpdates/Certbot
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in
python-acme that has been removed. This problem makes python-certbot-
nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to
0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a
bug in how they were called in d/rules. This has been fixed, and turns
out the current version in focal release (0.39.0-1) is already an FTBFS
when tests are properly run during build.
To have the tests run at build time (as was the original intention), the
conditional in d/rules was fixed and a patch from upstream was added. I
also submitted the d/rules fix to Debian via [2]. Once that is merged,
groovy will have the fix as well via a standard sync. Note the extra
patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project.
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
- See
+ a) See
https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
+
+ b) Request a registration with nginx:
+ sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --nginx
+
+ c) Request a registration using apache:
+ sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --apache
+
+ Comment #19 shows a successful manual registration using nginx and
+ packages from a test PPA
TODO: add testscript.sh run results
TODO: add manual registration results with nginx and apache against staging
[Regression Potential]
Upstream performs extensive testing before release, giving us a high
degree of confidence in the general case. There problems are most likely
to manifest in Ubuntu-specific integrations, such as in relation to the
versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't
have migrated to the release pocket without also migrating a newer 1.x
version of python-certbot-*. This was fixed in the development release
and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-
apache just because of the d/rules error in calling those tests, which
is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this
SRU. It is expected that certbot in general will get more updates in the
future during the lifecycle of Ubuntu Focal, and updating the packages
at that time will fix the build problem. At the moment, they don't
impact the functionality of the system. See the discussion further down
here in this bug, in particular comment #12 and comment #15, the latter
being what was implemented for this SRU.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a
command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-
without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in
python-acme that has been removed. This problem makes python-certbot-
nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix
this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of
this is it sticks to well tested versions of our software rather than
making potentially error prone backports. Certbot has an SRU exception
which can be seen at
https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code
upstream between 0.39.0 and 0.40.0 if you all want to take this route
can be see at
https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should
required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please
let me know if you have any questions resolving this, want help testing
proposed packages, etc.
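Review bot: In [Test Plan], the added sentence "Comment #19 shows a successful manual registration using nginx" covers only step b), yet the unchanged line "TODO: add manual registration results with nginx and apache against staging" still lists nginx as outstanding. Narrow that TODO to apache, and put the comment reference on step b) itself so each step points at its own evidence.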
** Description changed:
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception
defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
Not directly applicable; see the exception policy document at
https://wiki.ubuntu.com/StableReleaseUpdates/Certbot
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in
python-acme that has been removed. This problem makes python-certbot-
nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to
0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a
bug in how they were called in d/rules. This has been fixed, and turns
out the current version in focal release (0.39.0-1) is already an FTBFS
when tests are properly run during build.
To have the tests run at build time (as was the original intention), the
conditional in d/rules was fixed and a patch from upstream was added. I
also submitted the d/rules fix to Debian via [2]. Once that is merged,
groovy will have the fix as well via a standard sync. Note the extra
patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project.
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
a) See
- https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
+ https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process.
+ Run https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript
+ (script updated by Brad Warren for this update, thank you!). Sample
+ trailer output in comment #18.
- b) Request a registration with nginx:
+ b) Request a registration with nginx (example shown in comment #19):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --nginx
- c) Request a registration using apache:
+ c) Request a registration using apache (example shown in comment #21):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --apache
- Comment #19 shows a successful manual registration using nginx and
- packages from a test PPA
-
TODO: add testscript.sh run results
- TODO: add manual registration results with nginx and apache against staging
[Regression Potential]
Upstream performs extensive testing before release, giving us a high
degree of confidence in the general case. There problems are most likely
to manifest in Ubuntu-specific integrations, such as in relation to the
versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't
have migrated to the release pocket without also migrating a newer 1.x
version of python-certbot-*. This was fixed in the development release
and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-
apache just because of the d/rules error in calling those tests, which
is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this
SRU. It is expected that certbot in general will get more updates in the
future during the lifecycle of Ubuntu Focal, and updating the packages
at that time will fix the build problem. At the moment, they don't
impact the functionality of the system. See the discussion further down
here in this bug, in particular comment #12 and comment #15, the latter
being what was implemented for this SRU.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a
command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-
without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in
python-acme that has been removed. This problem makes python-certbot-
nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix
this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of
this is it sticks to well tested versions of our software rather than
making potentially error prone backports. Certbot has an SRU exception
which can be seen at
https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code
upstream between 0.39.0 and 0.40.0 if you all want to take this route
can be see at
https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should
required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please
let me know if you have any questions resolving this, want help testing
proposed packages, etc.
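Review bot: In [Test Plan], step a) now points to sample trailer output in comment #18, but "TODO: add testscript.sh run results" is left in place, so it is unclear whether the TestScript verification is done. Either drop the TODO or say what is still missing beyond the comment #18 output.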
** Description changed:
This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
This update includes bugfixes only following the SRU policy exception
defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
-
- Not directly applicable; see the exception policy document at
- https://wiki.ubuntu.com/StableReleaseUpdates/Certbot
Reguesting a certificate via the nginx plugin fails:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in
python-acme that has been removed. This problem makes python-certbot-
nginx completely unable to obtain certificates.
[Major Changes]
To fix the problem, python-certbot-nginx is being updated from 0.39.0 to
0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
It was also noticed that the build-time tests were never run due to a
bug in how they were called in d/rules. This has been fixed, and turns
out the current version in focal release (0.39.0-1) is already an FTBFS
when tests are properly run during build.
To have the tests run at build time (as was the original intention), the
conditional in d/rules was fixed and a patch from upstream was added. I
also submitted the d/rules fix to Debian via [2]. Once that is merged,
groovy will have the fix as well via a standard sync. Note the extra
patch isn't needed in that version.
1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project.
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
[Test Plan]
a) See
https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process.
Run https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript
(script updated by Brad Warren for this update, thank you!). Sample
trailer output in comment #18.
b) Request a registration with nginx (example shown in comment #19):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --nginx
c) Request a registration using apache (example shown in comment #21):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --apache
TODO: add testscript.sh run results
[Regression Potential]
Upstream performs extensive testing before release, giving us a high
degree of confidence in the general case. There problems are most likely
to manifest in Ubuntu-specific integrations, such as in relation to the
versions of dependencies available and other packaging-specific matters.
python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't
have migrated to the release pocket without also migrating a newer 1.x
version of python-certbot-*. This was fixed in the development release
and in Debian via an ABI provides.
This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests
python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-
apache just because of the d/rules error in calling those tests, which
is being fixed in this update.
Fixing those FTBFS issues in the other packages is not in scope for this
SRU. It is expected that certbot in general will get more updates in the
future during the lifecycle of Ubuntu Focal, and updating the packages
at that time will fix the build problem. At the moment, they don't
impact the functionality of the system. See the discussion further down
here in this bug, in particular comment #12 and comment #15, the latter
being what was implemented for this SRU.
[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.
To reproduce the problem, install python3-certbot-nginx and run a
command like:
sudo certbot -d example.org --agree-tos --staging --register-unsafely-
without-email --nginx
This command will fail and the relevant output is:
AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
The problem here is python-certbot-nginx contains references to code in
python-acme that has been removed. This problem makes python-certbot-
nginx completely unable to obtain certificates.
As the upstream maintainer of this package, I'll suggest two ways to fix
this problem:
1. Update python-certbot-nginx to our 0.40.0 release. The benefit of
this is it sticks to well tested versions of our software rather than
making potentially error prone backports. Certbot has an SRU exception
which can be seen at
https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code
upstream between 0.39.0 and 0.40.0 if you all want to take this route
can be see at
https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
2. You can manually backport minimal fixes. The only changes that should
required from the above gist are the changes to:
* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py
While I have essentially no knowledge of creating .debs myself, please
let me know if you have any questions resolving this, want help testing
proposed packages, etc.
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1875471
Title:
python3-certbot-nginx is incompatible with its dependencies
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1875471/+subscriptions
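The failure in this bug, a plugin that still references `acme.challenges.TLSSNI01` after the dependency removed it, can be caught before runtime by comparing the attribute references in a package's source with what the installed dependency actually provides. The following is an added example, not code from certbot or from the Ubuntu packaging; the `acme_standin` module, the plugin snippet and the function names are constructed for illustration.

```python
import ast
import importlib
import sys
import types


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def missing_attributes(source, module_name):
    """List names that `source` reads from `module_name` but the module lacks."""
    module = importlib.import_module(module_name)
    parent, _, leaf = module_name.rpartition(".")
    tree = ast.parse(source)
    bound = set()  # local names (or dotted paths) that refer to the module
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == parent:
            bound.update(a.asname or a.name for a in node.names if a.name == leaf)
        elif isinstance(node, ast.Import):
            bound.update(a.asname or a.name for a in node.names if a.name == module_name)
    missing = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Attribute) and _dotted(node.value) in bound
                and not hasattr(module, node.attr)):
            missing.add(node.attr)
    return sorted(missing)


def install_standin():
    """Constructed stand-in for a dependency whose TLSSNI01 class was removed."""
    pkg = types.ModuleType("acme_standin")
    challenges = types.ModuleType("acme_standin.challenges")
    challenges.HTTP01 = type("HTTP01", (), {})  # still provided
    pkg.challenges = challenges
    sys.modules["acme_standin"] = pkg
    sys.modules["acme_standin.challenges"] = challenges


# Constructed plugin source, shaped like the stale reference in this bug.
PLUGIN_SOURCE = '''
from acme_standin import challenges

def get_chall_pref(domain):
    return [challenges.HTTP01, challenges.TLSSNI01]
'''

install_standin()

if __name__ == "__main__":
    for name in missing_attributes(PLUGIN_SOURCE, "acme_standin.challenges"):
        print("acme_standin.challenges has no attribute", name)
```

Run against real packages, the same function takes the plugin's source text and the name of the installed dependency module; it only sees direct `module.attr` reads, so `getattr` calls with computed names are out of its reach.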