[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Thanks again for quickly helping with this issue everyone. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1875471 Title: python3-certbot-nginx is incompatible with its dependencies To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1875471/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
This bug was fixed in the package python-certbot-nginx - 0.40.0-0ubuntu0.1

---
python-certbot-nginx (0.40.0-0ubuntu0.1) focal; urgency=medium

  * Cope with newer python-acme that dropped TLSSNI01 (LP: #1875471):
    - new upstream version: 0.40.0
    - d/rules: actually run the tests by fixing the expression that looks
      for nocheck in DEB_BUILD_OPTIONS
    - d/p/fix-tests-with-newer-acme.patch: fix tests with newer
      python-acme that has no TLSSNI01. Thanks to Brad Warren

 -- Andreas Hasenack Tue, 05 May 2020 15:39:00 -0300

** Changed in: python-certbot-nginx (Ubuntu Focal)
       Status: Fix Committed => Fix Released
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Thank you to everyone for testing. I see no need for the usual ageing period on this SRU, as we're only updating a single package, it has no reverse dependencies, and it shipped in Focal broken. There doesn't appear to be any of the usual things to gain from waiting.
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
autopackage tests are also green: https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#python-certbot-nginx
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
a) Run https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript. Full output attached.

Package from proposed is installed:
 *** 0.40.0-0ubuntu0.1 500
        500 http://br.archive.ubuntu.com/ubuntu focal-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     0.39.0-1 500
        500 http://br.archive.ubuntu.com/ubuntu focal/universe amd64 Packages

Script being run with CERTBOT_PREINSTALLED=1 because not all certbot packages were updated in this SRU

(...)
testing roundcube-1222.conf...passed
testing section-continuations-2525.conf...passed
testing section-empty-continuations-2731.conf...passed
testing semacode-1598.conf...passed
testing two-blocks-one-line-1693.conf...passed
Success!
Package versions tested:
certbot 0.40.0-1
letsencrypt
python3-acme 1.1.0-1
python3-certbot 0.40.0-1
python3-certbot-apache 0.39.0-1
python3-certbot-nginx 0.40.0-0ubuntu0.1
python3-josepy 1.2.0-2

real 4m23.223s

** Attachment added: "sru-1875471-test-a-log.txt"
   https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1875471/+attachment/5371730/+files/sru-1875471-test-a-log.txt
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Checks (a), (b), (c), (d) passed, plus the comments from others who installed the package on their servers or test rigs. Marking the verification as succeeded.

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Focal verification tests (b), (c) and (d) below:

a) Running script from https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript

b) Request a registration with nginx
sudo certbot -d certbot-test.justgohome.co.uk --agree-tos --staging --register-unsafely-without-email --nginx

python3-certbot-nginx from proposed:
  Version table:
 *** 0.40.0-0ubuntu0.1 500
        500 http://ports.ubuntu.com/ubuntu-ports focal-proposed/universe ppc64el Packages
        100 /var/lib/dpkg/status
     0.39.0-1 500
        500 http://ports.ubuntu.com/ubuntu-ports focal/universe ppc64el Packages

ubuntu@certbot-test:~$ sudo certbot -d certbot-test.justgohome.co.uk --agree-tos --staging --register-unsafely-without-email --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Registering without email!
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for certbot-test.justgohome.co.uk
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://certbot-test.justgohome.co.uk

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=certbot-test.justgohome.co.uk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/certbot-test.justgohome.co.uk/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/certbot-test.justgohome.co.uk/privkey.pem
   Your cert will expire on 2020-08-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

c) Request a registration using apache
sudo certbot -d certbot-test.justgohome.co.uk --agree-tos --staging --register-unsafely-without-email --apache

python3-certbot-apache from release:
  Version table:
 *** 0.39.0-1 500
        500 http://ports.ubuntu.com/ubuntu-ports focal/universe ppc64el Packages
        100 /var/lib/dpkg/status

ubuntu@certbot-test:~$ sudo certbot -d certbot-test.justgohome.co.uk --agree-tos --staging --register-unsafely-without-email --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Registering without email!
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for certbot-test.justgohome.co.uk
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
For me, fixed the issue: `AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'` in Ubuntu 20.04

$ dpkg -l python3-certbot-nginx
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                  Version           Architecture Description
+++-=-=--=
ii  python3-certbot-nginx 0.40.0-0ubuntu0.1 all          Nginx plugin for Certbot
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
I tested the proposed package successfully without any issues. I also examined the changes to our upstream files included in the package and they are what I expected. It's our 0.40.0 certbot-nginx package with one test change backported from a newer version.
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
The package I tested was python3-certbot-nginx 0.40.0-0ubuntu0.1.
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
The fixed version works for me.
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
This looks good. Thank you to everyone involved for working through such a complex issue.

In particular, since python-certbot-nginx is believed to be completely broken in Focal at the moment, it is unlikely that we will regress it further and this is a nice minimal fix, so it seems unlikely that we will regret landing this.

The actual upstream changes being adopted - particularly the functional changes (one line!) - seem specific to one issue and minor in scope.

One minor comment:

> -ifdef (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
> +ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))

I see this fix is not yet present in Groovy, but it is fixed in Debian VCS https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/commit/72853775b81f04232d5d63ebeaa683003310dfbe (thank you!) and this won't cause a functional regression for users upgrading to Groovy, so I think this is acceptable for the SRU.

** Also affects: python-certbot-nginx (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: python-certbot-nginx (Ubuntu)
       Status: In Progress => Fix Released

** Changed in: python-certbot-nginx (Ubuntu Focal)
       Status: New => Fix Committed

** Tags added: verification-needed verification-needed-focal
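Review bot: The `-` line in the quoted d/rules hunk failed silently, and nothing in the `+` line guards against that happening again. `ifdef` takes a variable name rather than a comparison, so `ifdef (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))` was never true and whatever it guarded was skipped without any error. The `ifeq (,...)` form on the `+` line is the correct emptiness test. A short comment above the conditional stating that the guarded block must run unless nocheck is set, together with a check of the build log for dh_auto_test, would make the intent verifiable.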
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
** Tags added: focal regression-release
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Uploaded, waiting for SRU team.
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/python-certbot-nginx/+git/python-certbot-nginx/+merge/383529
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/python-certbot-nginx/+git/python-certbot-nginx/+merge/383528
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
** Description changed: This bug tracks an update for python-certbot from 0.39.0 to 0.40.0. This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. [Impact] Reguesting a certificate via the nginx plugin fails: AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01' The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot- nginx completely unable to obtain certificates. [Major Changes] To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support. It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build. To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version. 1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project. You can try, though: https://github.com/certbot/certbot/compare/v0.39.0...v0.40.0 and search for "certbot-nginx" 2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1 [Test Plan] a) See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process. Run https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript (script updated by Brad Warren for this update, thank you!). Sample trailer output in comment #18. 
b) Request a registration with nginx (example shown in comment #19): sudo certbot -d --agree-tos --staging --register-unsafely-without-email --nginx c) Request a registration using apache (example shown in comment #21): sudo certbot -d --agree-tos --staging --register-unsafely-without-email --apache - TODO: add testscript.sh run results + d) Search build logs for "dh_auto_test" and confirm it was called and + that the build-time tests were run. In launchpad, you can find these by + going to https://launchpad.net/ubuntu/+source/python-certbot-nginx and + clicking through the version of this package in focal-proposed and the + builds on the right hand side of the screen. [Regression Potential] Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters. python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides. This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release: - bug #1876933: python-certbot FTBFS due to failing build time tests - bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8 - bug #1876934: python-certbot-apache FTBFS due to failing build time tests python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot- apache just because of the d/rules error in calling those tests, which is being fixed in this update. Fixing those FTBFS issues in the other packages is not in scope for this SRU. 
It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down here in this bug, in particular comment #12 and comment #15, the latter being what was implemented for this SRU. [Original Description] This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04. To reproduce the problem, install python3-certbot-nginx and run a command like: sudo certbot -d example.org --agree-tos --staging --register-unsafely- without-email --nginx This command will fail and the relevant output is: AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01' The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot- nginx completely unabl
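The failure described under [Impact], a plugin that still references a name its dependency no longer exports, can be caught statically before anything is installed. This is an added example, not code from certbot or from the Ubuntu packaging: the stand-in `challenges` module and the plugin snippet are constructed for illustration, and `module_aliases` and `missing_attributes` are hypothetical helper names.

```python
import ast
import types

# Constructed stand-in for the newer python-acme "challenges" module: it still
# exports HTTP01 and DNS01 but has no TLSSNI01, matching the bug description.
fake_challenges = types.ModuleType("challenges")
for _name in ("HTTP01", "DNS01"):
    setattr(fake_challenges, _name, type(_name, (), {}))

# Constructed plugin source (not certbot-nginx's real code) that still refers
# to the removed challenge type in two places.
PLUGIN_SOURCE = '''\
from acme import challenges

def get_chall_pref(domain):
    return [challenges.HTTP01, challenges.TLSSNI01]

def perform(achall):
    if isinstance(achall.chall, challenges.TLSSNI01):
        return "tls-sni"
    return "http"
'''


def module_aliases(tree, package, module):
    """Return the local names that import statements bind to package.module."""
    aliases = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == package:
            for alias in node.names:
                if alias.name == module:
                    aliases.add(alias.asname or alias.name)
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == f"{package}.{module}" and alias.asname:
                    aliases.add(alias.asname)
    return aliases


def missing_attributes(source, dependency, package="acme", module="challenges"):
    """List (line, name) for every alias.name the dependency does not export.

    Only direct attribute access on the imported module is checked; names
    reached through getattr() or re-exports are outside this sketch.
    """
    tree = ast.parse(source)
    aliases = module_aliases(tree, package, module)
    missing = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Attribute)
                and isinstance(node.value, ast.Name)
                and node.value.id in aliases
                and not hasattr(dependency, node.attr)):
            missing.append((node.lineno, node.attr))
    return sorted(missing)


if __name__ == "__main__":
    for lineno, name in missing_attributes(PLUGIN_SOURCE, fake_challenges):
        print(f"line {lineno}: challenges.{name} is not provided by the dependency")
```

Run against the real installed module instead of the stand-in, a non-empty result at build time would flag the incompatibility that otherwise only surfaces as an AttributeError when a certificate is requested.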
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
** Description changed: This bug tracks an update for python-certbot from 0.39.0 to 0.40.0. This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. [Impact] Reguesting a certificate via the nginx plugin fails: AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01' The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot- nginx completely unable to obtain certificates. [Major Changes] To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support. It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build. To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version. - 1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project. + 1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project. You can try, though: https://github.com/certbot/certbot/compare/v0.39.0...v0.40.0 and search for "certbot-nginx" 2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1 [Test Plan] a) See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process. Run https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript (script updated by Brad Warren for this update, thank you!). 
Sample trailer output in comment #18. b) Request a registration with nginx (example shown in comment #19): sudo certbot -d --agree-tos --staging --register-unsafely-without-email --nginx c) Request a registration using apache (example shown in comment #21): sudo certbot -d --agree-tos --staging --register-unsafely-without-email --apache TODO: add testscript.sh run results [Regression Potential] Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters. python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides. This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release: - bug #1876933: python-certbot FTBFS due to failing build time tests - bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8 - bug #1876934: python-certbot-apache FTBFS due to failing build time tests python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot- apache just because of the d/rules error in calling those tests, which is being fixed in this update. Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. 
See the discussion further down here in this bug, in particular comment #12 and comment #15, the latter being what was implemented for this SRU. [Original Description] This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04. To reproduce the problem, install python3-certbot-nginx and run a command like: sudo certbot -d example.org --agree-tos --staging --register-unsafely- without-email --nginx This command will fail and the relevant output is: AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01' The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot- nginx completely unable to obtain certificates. As the upstream maintainer of this package, I'll suggest two ways to fix this problem: 1. Update python-certbot-nginx to our 0.40.0 release. The benefit of
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Successful run with apache:

ubuntu@certbot-test:~$ sudo certbot -d certbot-test.justgohome.co.uk --agree-tos --staging --register-unsafely-without-email --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://certbot-test.justgohome.co.uk

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=certbot-test.justgohome.co.uk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/certbot-test.justgohome.co.uk/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/certbot-test.justgohome.co.uk/privkey.pem
   Your cert will expire on 2020-08-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

** Description changed: This bug tracks an update for python-certbot from 0.39.0 to 0.40.0. This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. [Impact] Not directly applicable; see the exception policy document at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot Reguesting a certificate via the nginx plugin fails: AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01' The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot- nginx completely unable to obtain certificates. [Major Changes] To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support. It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build. To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version. 1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project. 2. 
https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1 [Test Plan] - See + a) See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process + + b) Request a registration with nginx: + sudo certbot -d --agree-tos --staging --register-unsafely-without-email --nginx + + c) Request a registration using apache: + sudo certbot -d --agree-tos --staging --register-unsafely-without-email --apache + + Comment #19 shows a successful manual registration using nginx and + packages from a test PPA TODO: add testscript.sh run results TODO: add manual registration results with nginx and apache against staging [Regression Potential] Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters. python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket witho
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
** Description changed: This bug tracks an update for python-certbot from 0.39.0 to 0.40.0. This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. [Impact] Not directly applicable; see the exception policy document at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot Reguesting a certificate via the nginx plugin fails: AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01' The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot- nginx completely unable to obtain certificates. [Major Changes] To fix the problem, python-certbot-nginx is being updated from 0.39.0 to 0.40.0. The diff[1] is small and is about removing TLSSNI01 support. It was also noticed that the build-time tests were never run due to a bug in how they were called in d/rules. This has been fixed, and turns out the current version in focal release (0.39.0-1) is already an FTBFS when tests are properly run during build. To have the tests run at build time (as was the original intention), the conditional in d/rules was fixed and a patch from upstream was added. I also submitted the d/rules fix to Debian via [2]. Once that is merged, groovy will have the fix as well via a standard sync. Note the extra patch isn't needed in that version. - 1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project. 2. https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1 [Test Plan] See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process TODO: add testscript.sh run results TODO: add manual registration results with nginx and apache against staging [Regression Potential] Upstream performs extensive testing before release, giving us a high degree of confidence in the general case. 
There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters. python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't have migrated to the release pocket without also migrating a newer 1.x version of python-certbot-*. This was fixed in the development release and in Debian via an ABI provides. This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release: - bug #1876933: python-certbot FTBFS due to failing build time tests - bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8 - bug #1876934: python-certbot-apache FTBFS due to failing build time tests python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot- apache just because of the d/rules error in calling those tests, which is being fixed in this update. Fixing those FTBFS issues in the other packages is not in scope for this SRU. It is expected that certbot in general will get more updates in the future during the lifecycle of Ubuntu Focal, and updating the packages at that time will fix the build problem. At the moment, they don't impact the functionality of the system. See the discussion further down - here in this bug. + here in this bug, in particular comment #12 and comment #15, the latter + being what was implemented for this SRU. [Original Description] This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04. 
To reproduce the problem, install python3-certbot-nginx and run a command like: sudo certbot -d example.org --agree-tos --staging --register-unsafely- without-email --nginx This command will fail and the relevant output is: AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01' The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot- nginx completely unable to obtain certificates. As the upstream maintainer of this package, I'll suggest two ways to fix this problem: 1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30. 2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to: * cer
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
** Description changed: - This issue only affects version 0.39.0-1 of the python-certbot-nginx - package in Ubuntu 20.04. + This bug tracks an update for python-certbot from 0.39.0 to 0.40.0. + + This update includes bugfixes only following the SRU policy exception + defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. + + [Impact] + + Not directly applicable; see the exception policy document at + https://wiki.ubuntu.com/StableReleaseUpdates/Certbot + + Reguesting a certificate via the nginx plugin fails: + + AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01' + + The problem here is python-certbot-nginx contains references to code in + python-acme that has been removed. This problem makes python-certbot- + nginx completely unable to obtain certificates. + + [Major Changes] + + To fix the problem, python-certbot-nginx is being updated from 0.39.0 to + 0.40.0. The diff[1] is small and is about removing TLSSNI01 support. + + It was also noticed that the build-time tests were never run due to a + bug in how they were called in d/rules. This has been fixed, and turns + out the current version in focal release (0.39.0-1) is already an FTBFS + when tests are properly run during build. + + To have the tests run at build time (as was the original intention), the + conditional in d/rules was fixed and a patch from upstream was added. I + also submitted the d/rules fix to Debian via [2]. Once that is merged, + groovy will have the fix as well via a standard sync. Note the extra + patch isn't needed in that version. + + + 1. see the linked MP. Getting a diff from github just for the nginx plugin is hard because it is a subdirectory of the bigger certbot project. + 2. 
https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1 + + [Test Plan] + + See + https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process + + TODO: add testscript.sh run results + TODO: add manual registration results with nginx and apache against staging + + [Regression Potential] + + Upstream performs extensive testing before release, giving us a high + degree of confidence in the general case. There problems are most likely + to manifest in Ubuntu-specific integrations, such as in relation to the + versions of dependencies available and other packaging-specific matters. + + python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't + have migrated to the release pocket without also migrating a newer 1.x + version of python-certbot-*. This was fixed in the development release + and in Debian via an ABI provides. + + This situation of having a more recent python-acme in focal but not accompanying python-certbot-* version bumps to the same series also made some related packages to become FTBFS in focal release: + - bug #1876933: python-certbot FTBFS due to failing build time tests + - bug #1876929: python-acme FTBFS due to unsatisfied dependency on python3-idna << 2.8 + - bug #1876934: python-certbot-apache FTBFS due to failing build time tests + + python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot- + apache just because of the d/rules error in calling those tests, which + is being fixed in this update. + + Fixing those FTBFS issues in the other packages is not in scope for this + SRU. It is expected that certbot in general will get more updates in the + future during the lifecycle of Ubuntu Focal, and updating the packages + at that time will fix the build problem. At the moment, they don't + impact the functionality of the system. See the discussion further down + here in this bug. 
+ + [Original Description] + This issue only affects version 0.39.0-1 of the python-certbot-nginx package in Ubuntu 20.04. To reproduce the problem, install python3-certbot-nginx and run a command like: sudo certbot -d example.org --agree-tos --staging --register-unsafely- without-email --nginx This command will fail and the relevant output is: AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01' The problem here is python-certbot-nginx contains references to code in python-acme that has been removed. This problem makes python-certbot- nginx completely unable to obtain certificates. As the upstream maintainer of this package, I'll suggest two ways to fix this problem: 1. Update python-certbot-nginx to our 0.40.0 release. The benefit of this is it sticks to well tested versions of our software rather than making potentially error prone backports. Certbot has an SRU exception which can be seen at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of code upstream between 0.39.0 and 0.40.0 if you all want to take this route can be see at https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30. 2. You can manually backport minimal fixes. The only changes that should required from the above gist are the changes to: * certbot_nginx/configur
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Fantastic! Thanks again Andreas.
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Staging server test worked just fine. I'll prepare the SRU paperwork.

ubuntu@certbot-test:~$ sudo certbot -d certbot-test.justgohome.co.uk --agree-tos --staging --register-unsafely-without-email --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for certbot-test.justgohome.co.uk
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://certbot-test.justgohome.co.uk

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=certbot-test.justgohome.co.uk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/certbot-test.justgohome.co.uk/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/certbot-test.justgohome.co.uk/privkey.pem
   Your cert will expire on 2020-08-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Thanks for the test update, worked great:

(...)
testing section-continuations-2525.conf...passed
testing section-empty-continuations-2731.conf...passed
testing semacode-1598.conf...passed
testing two-blocks-one-line-1693.conf...passed
Success!

Package versions tested:
certbot 0.40.0-1
letsencrypt
python3-acme 1.1.0-1
python3-certbot 0.40.0-1
python3-certbot-apache 0.39.0-1
python3-certbot-nginx 0.40.0-0ubuntu0.1~ppa1
python3-josepy 1.2.0-2

Looks like we can proceed with (d). I'll do a real test with the staging server tomorrow.
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
https://launchpad.net/~ahasenack/+archive/ubuntu/certbot-tlssni01-1875471-d
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
That sounds good, let me prepare a separate ppa for (d)
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
To offer one other option based on my previous comments while trying to keep things simple, I think in the short term you could also go with:

d) Update just python-certbot-nginx to 0.40.0 and apply this patch to python-certbot-nginx's tests: https://gist.github.com/bmw/e4f13e17d1f4647c9d6be730c7ec3512. This change is the only change to the files shipped in the nginx package from https://github.com/certbot/certbot/commit/4abd81e2186eddc67551d61a8260440bd177d18d.

This option would fix the user facing problems in the nginx plugin and its tests without modifying any other packages.

In the long term, I'm personally in favor of updating things as much as we can and doing as little backporting of commits as possible, but I'm fine with any of the approaches in the short term.

I'll start looking into the test failures now.
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
The testscript at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot/TestScript no longer works:

Cloning into '/root/gopath/src/github.com/letsencrypt/boulder'...
remote: Enumerating objects: 2676, done.
remote: Counting objects: 100% (2676/2676), done.
remote: Compressing objects: 100% (2106/2106), done.
remote: Total 2676 (delta 577), reused 1597 (delta 425), pack-reused 0
Receiving objects: 100% (2676/2676), 4.68 MiB | 6.77 MiB/s, done.
Resolving deltas: 100% (577/577), done.
sed: can't read tests/boulder-integration.sh: No such file or directory
Re: [Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
If you want to do a more extensive test, I just added end-to-end nginx certbot testing in Debian sid. You should be able to pull it out of the source package and run it by hand just by invoking the script from the extracted source tarball, as long as you have pebble and the nginx plugin installed.

On Tue, May 5, 2020 at 11:11 AM Andreas Hasenack wrote:
>
> Ok, I filed bugs for the FTBFS issues, but per policy, we won't do an
> update just to fix failed-to-build-from-source bugs: these should be
> updated together with something else.
>
> Thanks for all the options you outlined in comment #8, and for the check
> in comment #11.
>
> So to keep things simple:
>
> a) update just python-certbot-nginx to 0.40.0, and gloss over the fact
> that the build-time tests are being skipped;
>
> b) fix the build-time tests call in python-certbot-nginx, which will require
> these other changes:
> - bump python-certbot-apache to 0.40.0
> - drop TLSSNI01 from python-certbot 0.40.0
> - preferably fix python-acme's idna build-deps and update it together, as
> that would also run tests with the current idna in focal
> I didn't check if the version bumps have the commits you mentioned, but the
> tests and a minimal run worked. If this looks feasible, the next step would
> be to run the full test suite, and also try this on a live server with proper
> DNS setup.
>
> c) bump everything to what we have in groovy, so that the versions match
> expectations and we don't have this big mismatch we are seeing in focal
> right now
>
> There is a feeling we should go with (a) to fix the immediate problem,
> and (b) can be done over time, or even (c).
>
> I have the (b) scenario done in my ppa at
> https://launchpad.net/~ahasenack/+archive/ubuntu/certbot-tlssni01-1875471
>
> --
> You received this bug notification because you are subscribed to
> python-certbot-nginx in Ubuntu.
> https://bugs.launchpad.net/bugs/1875471
>
> Title:
> python3-certbot-nginx is incompatible with its dependencies
>
> Status in python-certbot-nginx package in Ubuntu:
> In Progress
>
> Bug description:
> This issue only affects version 0.39.0-1 of the python-certbot-nginx
> package in Ubuntu 20.04.
>
> To reproduce the problem, install python3-certbot-nginx and run a
> command like:
>
> sudo certbot -d example.org --agree-tos --staging --register-unsafely-without-email --nginx
>
> This command will fail and the relevant output is:
>
> AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
>
> The problem here is python-certbot-nginx contains references to code
> in python-acme that has been removed. This problem makes
> python-certbot-nginx completely unable to obtain certificates.
>
> As the upstream maintainer of this package, I'll suggest two ways to
> fix this problem:
>
> 1. Update python-certbot-nginx to our 0.40.0 release. The benefit of
> this is it sticks to well tested versions of our software rather than
> making potentially error prone backports. Certbot has an SRU exception
> which can be seen at
> https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of
> code upstream between 0.39.0 and 0.40.0 if you all want to take this
> route can be seen at
> https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
>
> 2. You can manually backport minimal fixes. The only changes that
> should be required from the above gist are the changes to:
>
> * certbot_nginx/configurator.py
> * certbot_nginx/tests/configurator_test.py
>
> While I have essentially no knowledge of creating .debs myself, please
> let me know if you have any questions resolving this, want help
> testing proposed packages, etc.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1875471/+subscriptions

--
Harlan Lieberman-Berg
~hlieberman
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Ok, I filed bugs for the FTBFS issues, but per policy, we won't do an update just to fix failed-to-build-from-source bugs: these should be updated together with something else.

Thanks for all the options you outlined in comment #8, and for the check in comment #11.

So to keep things simple:

a) update just python-certbot-nginx to 0.40.0, and gloss over the fact that the build-time tests are being skipped;

b) fix the build-time tests call in python-certbot-nginx, which will require these other changes:
- bump python-certbot-apache to 0.40.0
- drop TLSSNI01 from python-certbot 0.40.0
- preferably fix python-acme's idna build-deps and update it together, as that would also run tests with the current idna in focal
I didn't check if the version bumps have the commits you mentioned, but the tests and a minimal run worked. If this looks feasible, the next step would be to run the full test suite, and also try this on a live server with proper DNS setup.

c) bump everything to what we have in groovy, so that the versions match expectations and we don't have this big mismatch we are seeing in focal right now

There is a feeling we should go with (a) to fix the immediate problem, and (b) can be done over time, or even (c).

I have the (b) scenario done in my ppa at https://launchpad.net/~ahasenack/+archive/ubuntu/certbot-tlssni01-1875471
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
I think changing the build-dep to python3-idna << 2.9 is acceptable. It looks like we hit a similar problem with the last SRU and I described the problem and how to fix the specific issue at the time at https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/1836823/comments/23.

In this case, allowing python3-idna 2.8 should be fine because Focal has python3-requests 2.22.0 and the constraints that version of requests puts on idna are "idna>=2.5,<2.9" which can be seen at https://github.com/psf/requests/blob/v2.22.0/setup.py#L46.
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Quick update on the current focal situation regarding some of these packages:

These are currently an FTBFS in focal:
- python-certbot 0.40.0-1 (build-time tests fail)
- python-acme 1.1.0-1 (build-dep python3-idna <<2.8 not satisfied. When it was last built in focal, python3-idna was at 2.6)
- python-certbot-apache 0.39.0-1 (build-time tests fail)

python-certbot-nginx 0.39.0-1 builds, but just because the tests are incorrectly skipped in d/rules. If they run, they fail, and that would FTBFS this package as well.

If I change python-acme to accept python3-idna 2.8 as a build-dep (changing d/control to python3-idna << 2.9), then it builds. I don't know if this change is acceptable. Upstream python-idna made a 2.9 release on February 17th 2020, which we have in groovy and debian unstable.

Will continue tomorrow.
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Sorry for having gone radio silent in the past few days. I'm back on this tomorrow.
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Thanks a lot for quickly working on this issue Andreas.

Applying that commit to python-certbot 0.40.0-1 in addition to the python-certbot-nginx changes would fix both python-certbot and python-certbot-nginx's tests, however, it would break python-certbot-apache in normal usage outside of tests because it removes certbot.plugins.common.TLSSNI01 which is being used by python-certbot-apache 0.39.0-1 (despite it sending deprecation warnings every time the plugin references the object).

This class in Certbot is meant to help plugins handle ACME TLSSNI01 objects, however, its implementation doesn't reference them itself. The problem occurs in the tests for this class in certbot/plugins/common_test.py where these ACME TLSSNI01 objects are created and this testing code is reused in python-certbot-nginx to help it test itself.

Because of this, I don't really suspect there to be any future problems with certbot.plugins.common.TLSSNI01, however, the TLSSNI test failures in all of python-certbot, python-certbot-apache, and python-certbot-nginx may continue to be annoying in the future. To fix this, I think we have a few options.

If we just wanted to fix python-certbot-nginx's tests and leave python-certbot and python-certbot-apache's untouched with broken tests, you could just apply the changes to certbot-nginx from https://github.com/certbot/certbot/commit/4abd81e2186eddc67551d61a8260440bd177d18d. That's a massive commit, however, the relevant changes to nginx are quite small and only to certbot-nginx/certbot_nginx/tests/http_01_test.py.

If we want to try to fix python-certbot's tests now, you could skip these additional python-certbot-nginx changes described in my last paragraph and instead just take the test changes from the commit you found of https://github.com/certbot/certbot/commit/4b488614cf7749c8139c11f0983fe4b71e29827f. I have mixed feelings about this because while it solves some immediate problems, it removes all tests of certbot.plugins.common.TLSSNI01 while keeping the code which is needed to do unless you want to also update python-certbot-apache.

If you are also hesitant to leave certbot.plugins.common.TLSSNI01 around without tests and would like to remove it and apply the full commit, you'd need to apply the changes to certbot-apache from https://github.com/certbot/certbot/commit/de6b56bec02881d5a63173aedb670b24d847f72d.

If you want to fix python-certbot-apache's tests now, you could apply the changes to python-certbot-apache's tests from https://github.com/certbot/certbot/commit/63d673a3e04de4a64d18483a2f0df55c6a6c4198.

This is all a lot of backports, many of which require us to apply a subset of the changes from different commits, but things are honestly kind of a mess right now with the mix of 0.x and 1.x components.

Again, a final option here would be to update all of these packages to any 1.x version and if the package's dependencies are satisfied, it should all just work, however, that'd come with the backwards incompatible changes I described in my previous post.
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
PPA with test packages: https://launchpad.net/~ahasenack/+archive/ubuntu/certbot-tlssni01-1875471

It has python-certbot with TLSSNI01 removed, probably not necessary for this bugfix, but it allowed me to re-introduce the build-time tests for the python-certbot-nginx package.

Will continue tomorrow.
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Would this commit be correct to apply on top of 0.40.0 to at least match python-acme 1.1.0-1 that is in focal w.r.t. TLSSNI01's removal?

https://github.com/certbot/certbot/commit/4b488614cf7749c8139c11f0983fe4b71e29827f

* Remove tls sni common (#7527)
* fixes #7478
* add changelog entry

If it's hard to check, then never mind. It just feels we could still be open to problems by having python-acme *without* TLSSNI01 but python-certbot *with* it somewhere in the code.
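The concern raised above, a package still referencing TLSSNI01 after python-acme dropped it, can be checked statically before any plugin runs. The following is an added example, not code from this thread or from the certbot project; the stub module, its attribute list and the sample source are constructed for illustration.

```python
import ast
import types


def make_stub_challenges():
    """Constructed stand-in for a newer acme.challenges without TLSSNI01.

    The attribute list is an assumption for this example, not read from
    python-acme; against a real install, pass the imported module instead.
    """
    mod = types.ModuleType("acme.challenges")
    for name in ("HTTP01", "DNS01"):
        setattr(mod, name, type(name, (), {}))
    return mod


# Constructed sample source, modelled on the line quoted in the traceback
# in this thread (challenges.TLSSNI01(token=b'token1')).
SAMPLE_SOURCE = '''\
from acme import challenges
import acme.challenges as ch

ACHALLS = [
    challenges.TLSSNI01(token=b"token1"),
    challenges.HTTP01(token=b"token2"),
]

def supported():
    return [ch.HTTP01, ch.TLSSNI01]
'''


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def module_aliases(tree, module_name):
    """Collect the local names that import statements bind to module_name."""
    parent, _, leaf = module_name.rpartition(".")
    aliases = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == module_name:
                    # 'import a.b' is used as 'a.b.X'; 'import a.b as m' as 'm.X'
                    aliases.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            if parent and node.module == parent:
                for alias in node.names:
                    if alias.name == leaf:
                        aliases.add(alias.asname or alias.name)
    return aliases


def missing_references(source, module, module_name=None):
    """List (line, expression) pairs that read an attribute `module` lacks.

    Only direct attribute access is seen; getattr() with a string and
    'from module import Name' are outside what this check covers.
    """
    module_name = module_name or module.__name__
    tree = ast.parse(source)
    aliases = module_aliases(tree, module_name)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Attribute):
            continue
        base = dotted_name(node.value)
        if base in aliases and not hasattr(module, node.attr):
            findings.append((node.lineno, f"{base}.{node.attr}"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, expr in missing_references(SAMPLE_SOURCE, make_stub_challenges()):
        print(f"line {lineno}: {expr} is not provided by the installed module")
```

Run over a package's source tree with the real module obtained from importlib.import_module, a non-empty result is a reason to fail the build before users hit the AttributeError.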
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
So python-certbot 0.40.0 still has TLSSNI01, but not acme, and so far only python-certbot-nginx is triggering the error. Probably not worth bumping python-certbot just to be able to run its tests correctly.
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
> In the current state in Focal/Groovy, the tests we include in our packages are broken
> for at least python-certbot, python-certbot-apache, and python-certbot-nginx.
> The python-certbot-dns-* packages themselves are working, but I didn't verify whether
> or not the tests are. I can if people think that's important.

I just saw that, when I fixed the tests to actually run at package build time (a problem still present in the 1.3.0-2 packages):

diff --git a/debian/rules b/debian/rules index c057a16..154080a 100755 --- a/debian/rules +++ b/debian/rules
@@ -21,6 +21,6 @@ override_dh_installdocs: dh_installdocs -p python3-certbot-nginx override_dh_auto_test: -ifdef (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) +ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) python3 setup.py test endif

The 0.40.0 tests fail with:

= test session starts ==
platform linux -- Python 3.8.2, pytest-4.6.9, py-1.8.1, pluggy-0.13.0
rootdir: /home/ubuntu/git/packages/python-certbot-nginx/python-certbot-nginx
collected 167 items / 1 errors / 166 selected
ERRORS
_ ERROR collecting certbot_nginx/tests/http_01_test.py _
certbot_nginx/tests/http_01_test.py:11: in
from certbot.plugins import common_test
:991: in _find_and_load
???
:975: in _find_and_load_unlocked
???
:655: in _load_unlocked
???
:618: in _load_backward_compatible
???
/usr/lib/python3/dist-packages/_pytest/assertion/rewrite.py:304: in load_module
exec(co, mod.__dict__)
/usr/lib/python3/dist-packages/certbot/plugins/common_test.py:26: in
challenges.TLSSNI01(token=b'token1'), "pending"),
E AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'

I'll check latest upstream, maybe the diff to fix this test is simple enough to incorporate. I'd like to re-enable the tests at build time if possible.
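Review bot: in override_dh_auto_test, switching to `ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))` means `python3 setup.py test` now really runs, and the session output quoted with this patch shows collection of certbot_nginx/tests/http_01_test.py erroring on `acme.challenges` having no `TLSSNI01`, so this hunk should land together with a fix for that test rather than on its own. The old `ifdef` form asked whether a variable with that expanded name was defined, which is never the case for this expression, so the test step was silently skipped; a one-line comment above the conditional saying why it must be `ifeq` would help keep the mistake from coming back.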
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
The groovy packages are being updated, there are just too many packages being handled and the machines are very busy. For focal, we should take the path of updating the nginx subpackage to 0.40.0. I'll handle that and check the tests.
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
** Changed in: python-certbot-nginx (Ubuntu) Assignee: (unassigned) => Andreas Hasenack (ahasenack)
** Changed in: python-certbot-nginx (Ubuntu) Importance: Undecided => High
** Changed in: python-certbot-nginx (Ubuntu) Status: Confirmed => In Progress
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: python-certbot-nginx (Ubuntu) Status: New => Confirmed
[Bug 1875471] Re: python3-certbot-nginx is incompatible with its dependencies
At the risk of sending the discussion in this issue off topic, I looked into other potential problems with the Certbot packages in Focal/Groovy since they've been being held back. I'm happy to move this discussion somewhere else if people prefer.

In the current state in Focal/Groovy, the tests we include in our packages are broken for at least python-certbot, python-certbot-apache, and python-certbot-nginx. The python-certbot-dns-* packages themselves are working, but I didn't verify whether or not the tests are. I can if people think that's important. Only python-certbot-nginx is actually broken in Focal from a user perspective though which I described above.

The reason for most of these problems is that these tests/packages were relying on parts of python-acme's API which has been removed in recent versions. A version of python-acme with these changes has already been pushed to Focal/Groovy causing the problem. In one case at https://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#python-certbot though, I saw a different but similar problem with python-certbot where its proposed update had removed components being used by the old, packaged version of python-certbot-apache.

For Groovy, if possible, I'd recommend upgrading all of python-certbot, python-certbot-apache, and python-certbot-nginx together to their latest versions and ignoring failures caused by testing older versions with these new packages. Again, many of the failures being seen are already present in the current packages and none of them will exist when everything is updated to a newer version.

For Focal, while I'd love for all Certbot components to be >=1.0, doing this will cause a number of backwards incompatible changes. From our changelog, those are:

* Certbot's `config_changes` subcommand has been removed
* `certbot.plugins.common.TLSSNI01` has been removed.
* The functions `certbot.plugins.common.Installer.view_config_changes`, `certbot.reverter.Reverter.view_config_changes`, and `certbot.util.get_systemd_os_info` have been removed
* Certbot's `register --update-registration` subcommand has been removed
* When possible, default to automatically configuring the webserver so all requests redirect to secure HTTPS access. This is mostly relevant when running Certbot in non-interactive mode. Previously, the default was to not redirect all requests.

All of these changes are things warned about in the current version of our packages in Focal and are to minor aspects of our functionality. If these changes seem acceptable considering our SRU exception, how new Focal is, and the benefit we'll have of making it easier to update these packages going forward since they'll have made it through our API/UI changes and to Certbot 1.0, I'd recommend updating Groovy and then moving these packages to Focal. If these changes do not seem acceptable, I'd recommend taking one of the two paths I described in my previous post to fix python-certbot-nginx in Focal.
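A build-time check for the failure mode described in the message above, where packaged code still references a name that the installed python-acme no longer exports. This is an added example, not code from Certbot or the Ubuntu packaging; `missing_attrs`, the sample source and the two stand-in module objects are constructed for illustration.

```python
import ast
import types

def missing_attrs(source, module_name, module):
    """Return sorted (name, line) pairs that source expects from module_name
    but that the given module object does not provide."""
    tree = ast.parse(source)          # parsed only, never executed
    parent, _, leaf = module_name.rpartition(".")
    aliases, missing = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom):
            for a in node.names:
                if node.module == parent and a.name == leaf:
                    aliases.add(a.asname or a.name)     # from acme import challenges
                elif (node.module == module_name and a.name != "*"
                      and not hasattr(module, a.name)):
                    missing.add((a.name, node.lineno))  # from acme.challenges import X
        elif isinstance(node, ast.Import):
            for a in node.names:
                if a.name == module_name and a.asname:
                    aliases.add(a.asname)               # import acme.challenges as ch
    for node in ast.walk(tree):
        if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                and node.value.id in aliases and not hasattr(module, node.attr)):
            missing.add((node.attr, node.lineno))
    return sorted(missing)

# Constructed sample, modelled on the line quoted in the traceback in this thread.
SAMPLE = '''
from acme import challenges

ACHALLS = [
    challenges.HTTP01(token=b"token0"),
    challenges.TLSSNI01(token=b"token1"),
]
'''

# Constructed stand-ins for two python-acme releases (assumption: only the
# presence or absence of TLSSNI01 matters here). In a real build check, pass
# importlib.import_module("acme.challenges") instead.
OLD_ACME = types.SimpleNamespace(HTTP01=object, DNS01=object, TLSSNI01=object)
NEW_ACME = types.SimpleNamespace(HTTP01=object, DNS01=object)

if __name__ == "__main__":
    for name, line in missing_attrs(SAMPLE, "acme.challenges", NEW_ACME):
        print(f"line {line}: acme.challenges.{name} is not provided")
```

The check is static, so it flags the stale reference even when the test suite that would have hit it is being skipped at build time.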