python3-certbot-nginx is incompatible with its dependencies

Bug #1875471 reported by Brad Warren on 2020-04-27
140
This bug affects 28 people
Affects Status Importance Assigned to Milestone
python-certbot-nginx (Ubuntu)
High
Andreas Hasenack
Focal
Undecided
Unassigned

Bug Description

This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.

This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.

[Impact]

Reguesting a certificate via the nginx plugin fails:

AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'

The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.

[Major Changes]

To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support.

It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build.

To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version.

1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project. You can try, though: https://github.com/certbot/certbot/compare/v0.39.0...v0.40.0 and search for "certbot-nginx"
2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1

[Test Plan]

a) See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process. Run https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript (script updated by Brad Warren for this update, thank you!). Sample trailer output in comment #18.

b) Request a registration with nginx (example shown in comment #19):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --nginx

c) Request a registration using apache (example shown in comment #21):
sudo certbot -d <yourdomain> --agree-tos --staging --register-unsafely-without-email --apache

d) Search build logs for "dh_auto_test" and confirm it was called and that the build-time tests were run. In launchpad, you can find these by going to https://launchpad.net/ubuntu/+source/python-certbot-nginx and clicking through the version of this package in focal-proposed and the builds on the right hand side of the screen.

[Regression Potential]

Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.

python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides.

This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release:
- bug #1876933: python-certbot FTBFS due to failing build time tests
- bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8
- bug #1876934: python-certbot-apache FTBFS due to failing build time tests

python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-apache just because of the d/rules error in calling those tests, which is being fixed in this update.

Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug, in particular comment #12 and comment #15, the latter being what was implemented for this SRU.

[Original Description]
This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04.

To reproduce the problem, install python3-certbot-nginx and run a command like:

sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx

This command will fail and the relevant output is:

AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'

The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot-nginx completely unable to obtain certificates.

As the upstream maintainer of this package, I'll suggest two ways to fix this problem:

1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.

2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to:

* certbot_nginx/configurator.py
* certbot_nginx/tests/configurator_test.py

While I have essentially no knowledge of creating .debs myself, please let me know if you have any questions resolving this, want help testing proposed packages, etc.

Related branches

Brad Warren (bradmwarren) wrote :

At the risk of sending the discussion in this issue off topic, I looked into other potential problems with the Certbot packages in Focal/Groovy since they've been being held back. I'm happy to move this discussion somewhere else if people prefer.

In the current state in Focal/Groovy, the tests we include in our packages are broken for at least python-certbot, python-certbot-apache, and python-certbot-nginx. The python-certbot-dns-* packages themselves are working, but I didn't verify whether or not the tests are. I can if people think that's important.

Only python-certbot-nginx is actually broken in Focal from a user perspective though which I described above.

The reason for most of these problems is that these tests/packages were relying on parts of python-acme's API which has been removed in recent versions. A version of python-acme with these changes has already been pushed to Focal/Groovy causing the problem. In one case at https://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#python-certbot though, I saw a different but similar problem with python-certbot where its proposed update had removed components being used by the old, packaged version of python-certbot-apache.

For Groovy, if possible, I'd recommend upgrading all of python-certbot, python-certbot-apache, and python-certbot-nginx together to their latest versions and ignoring failures caused by testing older versions with these new packages. Again, many of the failures being seen are already present in the current packages and none of them will exist when everything is updated to a newer version.

For Focal, while I'd love for all Certbot components to be >=1.0, doing this will cause a number of backwards incompatible changes. From our changelog, those are:

* Certbot's `config_changes` subcommand has been removed
* `certbot.plugins.common.TLSSNI01` has been removed.
* The functions
  `certbot.plugins.common.Installer.view_config_changes`,
  `certbot.reverter.Reverter.view_config_changes`, and
  `certbot.util.get_systemd_os_info` have been removed
* Certbot's `register --update-registration` subcommand has been removed
* When possible, default to automatically configuring the webserver so all requests
  redirect to secure HTTPS access. This is mostly relevant when running Certbot
  in non-interactive mode. Previously, the default was to not redirect all requests.

All of these changes are things warned about in the current version of our packages in Focal and are to minor aspects to our functionality.

If these changes seem acceptable considering our SRU exception, how new Focal is, and the benefit we'll have of making it easier to update these packages going forward since they'll have made it through our API/UI changes and to Certbot 1.0, I'd recommend updating Groovy and then moving these packages to Focal.

If these changes do not seem acceptable, I'd recommend taking one of the two paths I described in my previous post to fix python-certbot-nginx in Focal.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-certbot-nginx (Ubuntu):
status: New → Confirmed
Changed in python-certbot-nginx (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
importance: Undecided → High
status: Confirmed → In Progress
Andreas Hasenack (ahasenack) wrote :

The groovy packages are being updated, there are just too many packages being handled and the machines are very busy.

For focal, we should take the path of updating the nginx subpackage to 0.40.0. I'll handle that and check the tests.

Andreas Hasenack (ahasenack) wrote :

> In the current state in Focal/Groovy, the tests we include in our packages are broken
> for at least python-certbot, python-certbot-apache, and python-certbot-nginx.
> The python-certbot-dns-* packages themselves are working, but I didn't verify whether
> or not the tests are. I can if people think that's important.

I just saw that, when I fixed the tests to actually run at package build time (a problem still present in the 1.3.0-2 packages):
diff --git a/debian/rules b/debian/rules
index c057a16..154080a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -21,6 +21,6 @@ override_dh_installdocs:
        dh_installdocs -p python3-certbot-nginx

 override_dh_auto_test:
-ifdef (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
        python3 setup.py test
 endif

The 0.40.0 tests fail with:

============================= test session starts ==============================
platform linux -- Python 3.8.2, pytest-4.6.9, py-1.8.1, pluggy-0.13.0
rootdir: /home/ubuntu/git/packages/python-certbot-nginx/python-certbot-nginx
collected 167 items / 1 errors / 166 selected

==================================== ERRORS ====================================
_____________ ERROR collecting certbot_nginx/tests/http_01_test.py _____________
certbot_nginx/tests/http_01_test.py:11: in <module>
    from certbot.plugins import common_test
<frozen importlib._bootstrap>:991: in _find_and_load
    ???
<frozen importlib._bootstrap>:975: in _find_and_load_unlocked
    ???
<frozen importlib._bootstrap>:655: in _load_unlocked
    ???
<frozen importlib._bootstrap>:618: in _load_backward_compatible
    ???
/usr/lib/python3/dist-packages/_pytest/assertion/rewrite.py:304: in load_module
    exec(co, mod.__dict__)
/usr/lib/python3/dist-packages/certbot/plugins/common_test.py:26: in <module>
    challenges.TLSSNI01(token=b'token1'), "pending"),
E AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'

I'll check latest upstream, maybe the diff to fix this test is simple enough to incorporate. I'd like to re-enable the tests at build time if possible.

Andreas Hasenack (ahasenack) wrote :

So python-certbot 0.40.0 still has TLSSNI01, but not acme, and so far only python-certbot-nginx is triggering the error. Probably not worth bumping python-certbot just to be able to run its tests correctly.

Andreas Hasenack (ahasenack) wrote :

Would this commit be correct to apply on top of 0.40.0 to at least match python-acme 1.1.0-1 that is in focal w.r.t. TLSSNI01's removal?

https://github.com/certbot/certbot/commit/4b488614cf7749c8139c11f0983fe4b71e29827f
* Remove tls sni common (#7527)

* fixes #7478

* add changelog entry

If it's hard to check, then never mind. It just feels we could still be open to problems by having python-acme *without* TLSSNI01 but python-certbot *with* it somewhere in the code.

Andreas Hasenack (ahasenack) wrote :

PPA with test packages: https://launchpad.net/~ahasenack/+archive/ubuntu/certbot-tlssni01-1875471

It has python-certbot with TLSSNI01 removed, probably not necessary for this bugfix, but it allowed me to re-introduce the build-time tests for the python-certbot-nginx package.

Will continue tomorrow.

Brad Warren (bradmwarren) wrote :

Thanks a lot for quickly working on this issue Andreas.

Applying that commit to python-certbot 0.40.0-1 in addition to the python-certbot-nginx changes would fix both python-certbot and python-certbot-nginx's tests, however, it would break python-certbot-apache in normal usage outside of tests because it removes certbot.plugins.common.TLSSNI01 which is being used by python-certbot-apache 0.39.0-1 (despite it sending deprecation warnings every time the plugin references the object).

This class in Certbot is meant to help plugins handle ACME TLSSNI01 objects, however, its implementation doesn't reference them itself. The problem occurs in the tests for this class in certbot/plugins/common_test.py where these ACME TLSSNI01 objects are created and this testing code is reused in python-certbot-nginx to help it test itself.

Because of this, I don't really suspect there to be any future problems with certbot.plugins.common.TLSSNI01, however, the TLSSNI test failures in all of python-certbot, python-certbot-apache, and python-certbot-nginx may continue to be annoying in the future.

To fix this, I think we have a few options.

If we just wanted to fix python-certbot-nginx's tests and leave python-certbot and python-certbot-apache's untouched with broken tests, you could just apply the changes to certbot-nginx from https://github.com/certbot/certbot/commit/4abd81e2186eddc67551d61a8260440bd177d18d. That's a massive commit, however, the relevant changes to nginx are quite small and only to certbot-nginx/certbot_nginx/tests/http_01_test.py.

If we want to try to fix python-certbot's tests now, you could skip these additional python-certbot-nginx changes described in my last paragraph and instead just take the test changes from the commit you found of https://github.com/certbot/certbot/commit/4b488614cf7749c8139c11f0983fe4b71e29827f. I have mixed feelings about this because while it solves some immediate problems, it removes all tests of certbot.plugins.common.TLSSNI01 while keeping the code which is needed to do unless you want to also update python-certbot-apache.

If you are also hesitant to leave certbot.plugins.common.TLSSNI01 around without tests and would like to remove it and apply the full commit, you'd need to apply the changes to certbot-apache from https://github.com/certbot/certbot/commit/de6b56bec02881d5a63173aedb670b24d847f72d.

If you want to fix python-certbot-apache's tests now, you could apply the changes to python-certbot-apache's tests from https://github.com/certbot/certbot/commit/63d673a3e04de4a64d18483a2f0df55c6a6c4198.

This is all a lot backports, many of which require us to apply a subset of the changes from different commits, but things are honestly kind of a mess right now with the mix of 0.x and 1.x components. Again, a final option here would be to update all of these packages to any 1.x version and if the package's dependencies are satisfied, it should all just work, however, that'd come with the backwards incompatible changes I described in my previous post.

Andreas Hasenack (ahasenack) wrote :

Sorry for having gone radio silent in the past few days. I'm back on this tomorrow.

Andreas Hasenack (ahasenack) wrote :

Quick update on the current focal situation regarding some of these packages:

These are currently an FTBFS in focal:
- python-certbot 0.40.0-1 (build-time tests fail)
- python-acme 1.1.0-1 (build-dep python3-idna <<2.8 not satisfied. When it was last built in focal, python3-idna was at 2.6)
- python-certbot-apache 0.39.0-1 (build-time tests fail)

python-certbot-nginx 0.39.0-1 builds, but just because the tests are incorrectly skipped in d/rules. If they run, they fail, and that would FTBFS this package as well.

If I change python-acme to accept python3-idna 2.8 as a build-dep (changing d/control do python3-idna << 2.9), then it builds. I don't know if this change is acceptable. Upstream python-idna made a 2.9 release in February 17th 2020, which we have in groovy and debian unstable.

Will continue tomorrow.

Brad Warren (bradmwarren) wrote :

I think changing the build-dep to python3-idna << 2.9 is acceptable. It looks like we hit a similar problem with the last SRU and I described the problem and how to fix the specific issue at the time at https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/1836823/comments/23.

In this case, allowing python3-idna 2.8 should be fine because Focal has python3-requests 2.22.0 and the constraints that version of requests puts on idna are "idna>=2.5,<2.9" which can be seen at https://github.com/psf/requests/blob/v2.22.0/setup.py#L46.

Andreas Hasenack (ahasenack) wrote :

Ok, I filed bugs for the FTBFS issues, but per policy, we won't do an update just to fix failed-to-build-from-source bugs: these should be updated together with something else.

Thanks for all the options you outlined in comment #8, and for the check in comment #11.

So to keep things simple:

a) update just python-certbot-nginx to 0.40.0, and gloss over the fact that the build-time tests are being skipped;

b) fix the build-time tests call in python-certbot-nginx, which will require these other changes:
- bump python-certbot-apache to 0.40.0
- drop TLSSNI01 from python-certbot 0.40.0
- preferably fix python-acme's idna build-deps and update it together, as that would also run tests with the current idna in focal
I didn't check if the version bumps have the commits you mentioned, but the tests and a minimal run worked. If this looks feasable, the next step would be to run the full test suite, and also try this on a live server with proper DNS setup.

c) bump everything to what we have in groovy, so that the versions match expectations and we don't have this big mismatch we are seeing in focal right now

There is a feeling we should go with (a) to fix the immediate problem, and (b) can be done over time, or even (c).

I have the (b) scenario done in my ppa at https://launchpad.net/~ahasenack/+archive/ubuntu/certbot-tlssni01-1875471

Download full text (3.8 KiB)

If you want to do a more extensive test, I just added end-to-end nginx
certbot testing in Debian sid. You should be able to pull it out of
the source package and run it by hand just by invoking the script from
the extracted source tarball, as long as you have pebble and the nginx
plugin installed.

On Tue, May 5, 2020 at 11:11 AM Andreas Hasenack <email address hidden> wrote:
>
> Ok, I filed bugs for the FTBFS issues, but per policy, we won't do an
> update just to fix failed-to-build-from-source bugs: these should be
> updated together with something else.
>
> Thanks for all the options you outlined in comment #8, and for the check
> in comment #11.
>
> So to keep things simple:
>
> a) update just python-certbot-nginx to 0.40.0, and gloss over the fact
> that the build-time tests are being skipped;
>
> b) fix the build-time tests call in python-certbot-nginx, which will require these other changes:
> - bump python-certbot-apache to 0.40.0
> - drop TLSSNI01 from python-certbot 0.40.0
> - preferably fix python-acme's idna build-deps and update it together, as that would also run tests with the current idna in focal
> I didn't check if the version bumps have the commits you mentioned, but the tests and a minimal run worked. If this looks feasable, the next step would be to run the full test suite, and also try this on a live server with proper DNS setup.
>
> c) bump everything to what we have in groovy, so that the versions match
> expectations and we don't have this big mismatch we are seeing in focal
> right now
>
> There is a feeling we should go with (a) to fix the immediate problem,
> and (b) can be done over time, or even (c).
>
> I have the (b) scenario done in my ppa at
> https://launchpad.net/~ahasenack/+archive/ubuntu/certbot-
> tlssni01-1875471
>
> --
> You received this bug notification because you are subscribed to python-
> certbot-nginx in Ubuntu.
> https://bugs.launchpad.net/bugs/1875471
>
> Title:
> python3-certbot-nginx is incompatible with its dependencies
>
> Status in python-certbot-nginx package in Ubuntu:
> In Progress
>
> Bug description:
> This issue only affects version 0.39.0-1 of the python-certbot-nginx
> package in Ubuntu 20.04.
>
> To reproduce the problem, install python3-certbot-nginx and run a
> command like:
>
> sudo certbot -d example.org --agree-tos --staging --register-unsafely-
> without-email --nginx
>
> This command will fail and the relevant output is:
>
> AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
>
> The problem here is python-certbot-nginx contains references to code
> in python-acme that has been removed. This problem makes python-
> certbot-nginx completely unable to obtain certificates.
>
> As the upstream maintainer of this package, I'll suggest two ways to
> fix this problem:
>
> 1. Update python-certbot-nginx to our 0.40.0 release. The benefit of
> this is it sticks to well tested versions of our software rather than
> making potentially error prone backports. Certbot has an SRU exception
> which can be seen at
> https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of
> code upstream between 0.39.0 and 0.40.0 if you...

Read more...

Andreas Hasenack (ahasenack) wrote :

The testscript at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript no longer works:

Cloning into '/root/gopath/src/github.com/letsencrypt/boulder'...
remote: Enumerating objects: 2676, done.
remote: Counting objects: 100% (2676/2676), done.
remote: Compressing objects: 100% (2106/2106), done.
remote: Total 2676 (delta 577), reused 1597 (delta 425), pack-reused 0
Receiving objects: 100% (2676/2676), 4.68 MiB | 6.77 MiB/s, done.
Resolving deltas: 100% (577/577), done.
sed: can't read tests/boulder-integration.sh: No such file or directory

Brad Warren (bradmwarren) wrote :

To offer one other option based on my previous comments while trying to keep things simple, I think in the short term you could also go with:

d) Update just python-certbot-nginx to 0.40.0 and apply this patch to python-certbot-nginx's tests: https://gist.github.com/bmw/e4f13e17d1f4647c9d6be730c7ec3512. This change is the only changes to the files shipped in the nginx package from https://github.com/certbot/certbot/commit/4abd81e2186eddc67551d61a8260440bd177d18d.

This option would fix the user facing problems in the nginx plugin and its tests without modifying any other packages.

In the long term, I'm personally in favor of updating things as much as we can and doing as little backporting of commits as possible, but I'm fine with any of the approaches in the short term.

I'll start looking into the test failures now.

Andreas Hasenack (ahasenack) wrote :

That sounds good, let me prepare a separate ppa for (d)

Andreas Hasenack (ahasenack) wrote :

Thanks for the test update, worked great:
(...)
testing section-continuations-2525.conf...passed
testing section-empty-continuations-2731.conf...passed
testing semacode-1598.conf...passed
testing two-blocks-one-line-1693.conf...passed
Success!
Package versions tested:
certbot 0.40.0-1
letsencrypt
python3-acme 1.1.0-1
python3-certbot 0.40.0-1
python3-certbot-apache 0.39.0-1
python3-certbot-nginx 0.40.0-0ubuntu0.1~ppa1
python3-josepy 1.2.0-2

Looks like we can proceed with (d). I'll do a real test with the staging server tomorrow.

Andreas Hasenack (ahasenack) wrote :

Staging server test worked just fine. I'll prepare the SRU paperwork.

ubuntu@certbot-test:~$ sudo certbot -d certbot-test.justgohome.co.uk --agree-tos --staging --register-unsafely-without-email --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for certbot-test.justgohome.co.uk
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://certbot-test.justgohome.co.uk

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=certbot-test.justgohome.co.uk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/certbot-test.justgohome.co.uk/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/certbot-test.justgohome.co.uk/privkey.pem
   Your cert will expire on 2020-08-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

Brad Warren (bradmwarren) wrote :

Fantastic! Thanks again Andreas.

description: updated
description: updated
Andreas Hasenack (ahasenack) wrote :

Successful run with apache:
ubuntu@certbot-test:~$ sudo certbot -d certbot-test.justgohome.co.uk --agree-tos --staging --register-unsafely-without-email --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://certbot-test.justgohome.co.uk

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=certbot-test.justgohome.co.uk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/certbot-test.justgohome.co.uk/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/certbot-test.justgohome.co.uk/privkey.pem
   Your cert will expire on 2020-08-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

description: updated
description: updated
description: updated
description: updated
description: updated
Andreas Hasenack (ahasenack) wrote :

Uploaded, waiting for SRU team.

Robie Basak (racb) on 2020-05-12
tags: added: focal regression-release
Robie Basak (racb) wrote :

This looks good. Thank you to everyone involved for working through such a complex issue. In particular, since python-certbot-nginx is believed to be completely broken in Focal at the moment, it is unlikely that we will regress it further and this is a nice minimal fix, so it seems unlikely that we will regret landing this. The actual upstream changes being adopted - particular the functional changes (one line!) - seem specific to one issue and minor in scope.

One minor comment:

> -ifdef (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
> +ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))

I see this fix is not yet present in Groovy, but it is fixed in Debian VCS https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/commit/72853775b81f04232d5d63ebeaa683003310dfbe (thank you!) and this won't cause a functional regression for users upgrading to Groovy, so I think this is acceptable for the SRU.

Changed in python-certbot-nginx (Ubuntu):
status: In Progress → Fix Released
Changed in python-certbot-nginx (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed verification-needed-focal

Hello Brad, or anyone else affected,

Accepted python-certbot-nginx into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-certbot-nginx/0.40.0-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

savic (savic32323) wrote :

The fixed version works for me.

Brad Warren (bradmwarren) wrote :

I tested the proposed package successfully without any issues.

I also examined the changes to our upstream files included in the package they are what I expected. It's our 0.40.0 certbot-nginx package with one test change backported from a newer version.

Brad Warren (bradmwarren) wrote :

The package I tested was python3-certbot-nginx 0.40.0-0ubuntu0.1.

Hugo Leeney (hugo-leeney) wrote :

For me, fixed the issue:
`AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01' `
in Ubuntu 20.04

$ dpkg -l python3-certbot-nginx
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================-=================-============-=================================
ii python3-certbot-nginx 0.40.0-0ubuntu0.1 all Nginx plugin for Certbot

Andreas Hasenack (ahasenack) wrote :
Download full text (7.9 KiB)

Focal verification tests (b), (c) and (d) below:
a) Running script from https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript

b) Request a registration with nginx
sudo certbot -d certbot-test.justgohome.co.uk --agree-tos --staging --register-unsafely-without-email --nginx

python3-certbot-nginx from proposed:
  Version table:
 *** 0.40.0-0ubuntu0.1 500
        500 http://ports.ubuntu.com/ubuntu-ports focal-proposed/universe ppc64el Packages
        100 /var/lib/dpkg/status
     0.39.0-1 500
        500 http://ports.ubuntu.com/ubuntu-ports focal/universe ppc64el Packages

ubuntu@certbot-test:~$ sudo certbot -d certbot-test.justgohome.co.uk --agree-tos --staging --register-unsafely-without-email --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Registering without email!
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for certbot-test.justgohome.co.uk
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://certbot-test.justgohome.co.uk

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=certbot-test.justgohome.co.uk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/certbot-test.justgohome.co.uk/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/certbot-test.justgohome.co.uk/privkey.pem
   Your cert will expire on 2020-08-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

c) Request a registration using apache
sudo certbot -d certbot-test.justgohome.co.uk --agree-tos --staging --register-unsafely-without-email --apache

python3-certbot-apache from release:
  Version table:
 *** 0.39.0-1 500
        50...

Read more...

Andreas Hasenack (ahasenack) wrote :

a) Run https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript. Full output attached.

Package from proposed is installed:
 *** 0.40.0-0ubuntu0.1 500
        500 http://br.archive.ubuntu.com/ubuntu focal-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     0.39.0-1 500
        500 http://br.archive.ubuntu.com/ubuntu focal/universe amd64 Packages

Script being run with CERTBOT_PREINSTALLED=1 because not all certbot packages were updated in this SRU

(...)
testing roundcube-1222.conf...passed
testing section-continuations-2525.conf...passed
testing section-empty-continuations-2731.conf...passed
testing semacode-1598.conf...passed
testing two-blocks-one-line-1693.conf...passed
Success!
Package versions tested:
certbot 0.40.0-1
letsencrypt
python3-acme 1.1.0-1
python3-certbot 0.40.0-1
python3-certbot-apache 0.39.0-1
python3-certbot-nginx 0.40.0-0ubuntu0.1
python3-josepy 1.2.0-2

real 4m23.223s

Andreas Hasenack (ahasenack) wrote :

Checks (a), (b), (c), (d) passed, plus the comments from others who installed the package on their servers or test rigs. Marking the verification as succeeded.

tags: added: verification-done-focal
removed: verification-needed-focal
Robie Basak (racb) wrote :

Thank you to everyone for testing. I see no need for the usual ageing period on this SRU, as we're only updating a single package, it has no reverse dependencies, and it shipped in Focal broken. There doesn't appear to be any of the usual things to gain from waiting.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-certbot-nginx - 0.40.0-0ubuntu0.1

---------------
python-certbot-nginx (0.40.0-0ubuntu0.1) focal; urgency=medium

  * Cope with newer python-acme that dropped TLSSNI01 (LP: #1875471):
    - new upstream version: 0.40.0
    - d/rules: actually run the tests by fixing the expression that looks
      for nocheck in DEB_BUILD_OPTIONS
    - d/p/fix-tests-with-newer-acme.patch: fix tests with newer python-acme
      that has no TLSSNI01. Thanks to Brad Warren <email address hidden>

 -- Andreas Hasenack <email address hidden> Tue, 05 May 2020 15:39:00 -0300

Changed in python-certbot-nginx (Ubuntu Focal):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for python-certbot-nginx has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Brad Warren (bradmwarren) wrote :

Thanks again for quickly helping with this issue everyone.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers