** Description changed:

- This issue only affects version 0.39.0-1 of the python-certbot-nginx
- package in Ubuntu 20.04.
+ This bug tracks an update for python-certbot from 0.39.0 to 0.40.0.
+ 
+ This update includes bugfixes only following the SRU policy exception
+ defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
+ 
+ [Impact]
+ 
+ Not directly applicable; see the exception policy document at
+ https://wiki.ubuntu.com/StableReleaseUpdates/Certbot
+ 
+ Reguesting a certificate via the nginx plugin fails:
+ 
+ AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
+ 
+ The problem here is python-certbot-nginx contains references to code in
+ python-acme that has been removed. This problem makes python-certbot-
+ nginx completely unable to obtain certificates.
+ 
+ [Major Changes]
+ 
+ To fix the problem, python-certbot-nginx is being updated from 0.39.0 to
+ 0.40.0. The diff[1] is small and is about removing TLSSNI01 support.
+ 
+ It was also noticed that the build-time tests were never run due to a
+ bug in how they were called in d/rules. This has been fixed, and turns
+ out the current version in focal release (0.39.0-1) is already an FTBFS
+ when tests are properly run during build.
+ 
+ To have the tests run at build time (as was the original intention), the
+ conditional in d/rules was fixed and a patch from upstream was added. I
+ also submitted the d/rules fix to Debian via [2]. Once that is merged,
+ groovy will have the fix as well via a standard sync. Note the extra
+ patch isn't needed in that version.
+ 
+ 
+ 1. see the linked MP. Getting a diff from github just for the nginx plugin is 
hard because it is a subdirectory of the bigger certbot project.
+ 2. 
https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx/-/merge_requests/1
+ 
+ [Test Plan]
+ 
+ See
+ https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
+ 
+ TODO: add testscript.sh run results
+ TODO: add manual registration results with nginx and apache against staging
+ 
+ [Regression Potential]
+ 
+ Upstream performs extensive testing before release, giving us a high
+ degree of confidence in the general case. There problems are most likely
+ to manifest in Ubuntu-specific integrations, such as in relation to the
+ versions of dependencies available and other packaging-specific matters.
+ 
+ python-acme 1.x which removed TLSSNI01 (among other changes) shouldn't
+ have migrated to the release pocket without also migrating a newer 1.x
+ version of python-certbot-*. This was fixed in the development release
+ and in Debian via an ABI provides.
+ 
+ This situation of having a more recent python-acme in focal but not 
accompanying python-certbot-* version bumps to the same series also made some 
related packages to become FTBFS in focal release:
+ - bug #1876933: python-certbot FTBFS due to failing build time tests
+ - bug #1876929: python-acme FTBFS due to unsatisfied dependency on 
python3-idna << 2.8
+ - bug #1876934: python-certbot-apache FTBFS due to failing build time tests
+ 
+ python-certbot-nginx 0.39.0 didn't become an FTBFS like python-certbot-
+ apache just because of the d/rules error in calling those tests, which
+ is being fixed in this update.
+ 
+ Fixing those FTBFS issues in the other packages is not in scope for this
+ SRU. It is expected that certbot in general will get more updates in the
+ future during the lifecycle of Ubuntu Focal, and updating the packages
+ at that time will fix the build problem. At the moment, they don't
+ impact the functionality of the system. See the discussion further down
+ here in this bug.
+ 
+ [Original Description]
+ This issue only affects version 0.39.0-1 of the python-certbot-nginx package 
in Ubuntu 20.04.
  
  To reproduce the problem, install python3-certbot-nginx and run a
  command like:
  
  sudo certbot -d example.org --agree-tos --staging --register-unsafely-
  without-email --nginx
  
  This command will fail and the relevant output is:
  
  AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'
  
  The problem here is python-certbot-nginx contains references to code in
  python-acme that has been removed. This problem makes python-certbot-
  nginx completely unable to obtain certificates.
  
  As the upstream maintainer of this package, I'll suggest two ways to fix
  this problem:
  
  1. Update python-certbot-nginx to our 0.40.0 release. The benefit of
  this is it sticks to well tested versions of our software rather than
  making potentially error prone backports. Certbot has an SRU exception
  which can be seen at
  https://wiki.ubuntu.com/StableReleaseUpdates/Certbot. The diff of  code
  upstream between 0.39.0 and 0.40.0 if you all want to take this route
  can be see at
  https://gist.github.com/bmw/a88429687f4aed13e300fafdad85ce30.
  
  2. You can manually backport minimal fixes. The only changes that should
  required from the above gist are the changes to:
  
  * certbot_nginx/configurator.py
  * certbot_nginx/tests/configurator_test.py
  
  While I have essentially no knowledge of creating .debs myself, please
  let me know if you have any questions resolving this, want help testing
  proposed packages, etc.
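
Review bot: the added [Test Plan] section still ends in two TODO lines ("add testscript.sh run results" and "add manual registration results with nginx and apache against staging"), so the new description carries no verification results yet; replace both with the actual run output once available. In the added footnotes, item 1 says only "see the linked MP" with no link, while item 2 gives a full URL; putting the MP URL in item 1 would make the 0.39.0 to 0.40.0 diff reachable from the description itself. The added [Impact] section also opens with "Not directly applicable" and then states that the nginx plugin is completely unable to obtain certificates, so the first sentence should be dropped or qualified.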

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1875471

Title:
  python3-certbot-nginx is incompatible with its dependencies

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-certbot-nginx/+bug/1875471/+subscriptions
