diff -Nru python-certbot-nginx-0.35.1/certbot_nginx/configurator.py python-certbot-nginx-0.36.0/certbot_nginx/configurator.py --- python-certbot-nginx-0.35.1/certbot_nginx/configurator.py 2019-06-10 22:02:09.000000000 +0000 +++ python-certbot-nginx-0.36.0/certbot_nginx/configurator.py 2019-07-11 19:12:24.000000000 +0000 @@ -6,6 +6,8 @@ import tempfile import time +import pkg_resources + import OpenSSL import zope.interface @@ -121,6 +123,14 @@ self.reverter.recovery_routine() @property + def mod_ssl_conf_src(self): + """Full absolute path to SSL configuration file source.""" + config_filename = "options-ssl-nginx.conf" + if self.version < (1, 5, 9): + config_filename = "options-ssl-nginx-old.conf" + return pkg_resources.resource_filename("certbot_nginx", config_filename) + + @property def mod_ssl_conf(self): """Full absolute path to SSL configuration file.""" return os.path.join(self.config.config_dir, constants.MOD_SSL_CONF_DEST) @@ -130,6 +140,11 @@ """Full absolute path to digest of updated SSL configuration file.""" return os.path.join(self.config.config_dir, constants.UPDATED_MOD_SSL_CONF_DIGEST) + def install_ssl_options_conf(self, options_ssl, options_ssl_digest): + """Copy Certbot's SSL options file into the system's config dir if required.""" + return common.install_version_controlled_file(options_ssl, options_ssl_digest, + self.mod_ssl_conf_src, constants.ALL_SSL_OPTIONS_HASHES) + # This is called in determine_authenticator and determine_installer def prepare(self): """Prepare the authenticator/installer. 
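Review bot: `mod_ssl_conf_src` compares `self.version` against a tuple, but `version` is still `None` until `prepare()` calls `get_version()` (see the `@@ -148` hunk), so reading the property earlier raises TypeError on Python 3, while on Python 2 `None < (1, 5, 9)` is True and the legacy file without `ssl_session_tickets off;` would be selected silently. Because this property decides which TLS parameters get installed, the undetermined case should be explicit rather than left to comparison semantics: `if self.version is None: raise errors.PluginError("nginx version not determined; cannot select SSL options file")` before the comparison (assuming this module imports `errors` from certbot, as the test file does). The docstring could also state the rule, e.g. `"""Path to the bundled SSL options file; the legacy variant is used for nginx < 1.5.9, which cannot parse the ssl_session_tickets directive the main file relies on."""`.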
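Review bot: the module-level `install_ssl_options_conf` that this method replaces is deleted outright in the `@@ -1131` hunk with no alias left behind, so any code importing `certbot_nginx.configurator.install_ssl_options_conf` (as this package's own test did before this change) now fails with ImportError. A compatible wrapper is not really possible because the source path now depends on the configurator's detected nginx version, so the removal should at least be called out in the release notes. The new method's docstring should also say that the source file is chosen per nginx version, e.g. `"""Copy the bundled SSL options file for this nginx version (see mod_ssl_conf_src) into the config dir if required."""`.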
@@ -148,14 +163,14 @@ self.parser = parser.NginxParser(self.conf('server-root')) - install_ssl_options_conf(self.mod_ssl_conf, self.updated_mod_ssl_conf_digest) - - self.install_ssl_dhparams() - # Set Version if self.version is None: self.version = self.get_version() + self.install_ssl_options_conf(self.mod_ssl_conf, self.updated_mod_ssl_conf_digest) + + self.install_ssl_dhparams() + # Prevent two Nginx plugins from modifying a config at once try: util.lock_dir_until_exit(self.conf('server-root')) @@ -1131,12 +1146,6 @@ time.sleep(1) -def install_ssl_options_conf(options_ssl, options_ssl_digest): - """Copy Certbot's SSL options file into the system's config dir if required.""" - return common.install_version_controlled_file(options_ssl, options_ssl_digest, - constants.MOD_SSL_CONF_SRC, constants.ALL_SSL_OPTIONS_HASHES) - - def _determine_default_server_root(): if os.environ.get("CERTBOT_DOCS") == "1": default_server_root = "%s or %s" % (constants.LINUX_SERVER_ROOT, diff -Nru python-certbot-nginx-0.35.1/certbot_nginx/constants.py python-certbot-nginx-0.36.0/certbot_nginx/constants.py --- python-certbot-nginx-0.35.1/certbot_nginx/constants.py 2019-06-10 22:02:09.000000000 +0000 +++ python-certbot-nginx-0.36.0/certbot_nginx/constants.py 2019-07-11 19:12:24.000000000 +0000 @@ -1,8 +1,6 @@ """nginx plugin constants.""" import platform -import pkg_resources - FREEBSD_DARWIN_SERVER_ROOT = "/usr/local/etc/nginx" LINUX_SERVER_ROOT = "/etc/nginx" 
@@ -21,14 +19,14 @@ MOD_SSL_CONF_DEST = "options-ssl-nginx.conf" """Name of the mod_ssl config file as saved in `IConfig.config_dir`.""" -MOD_SSL_CONF_SRC = pkg_resources.resource_filename( - "certbot_nginx", "options-ssl-nginx.conf") -"""Path to the nginx mod_ssl config file found in the Certbot -distribution.""" - UPDATED_MOD_SSL_CONF_DIGEST = ".updated-options-ssl-nginx-conf-digest.txt" """Name of the hash of the updated or informed mod_ssl_conf as saved in `IConfig.config_dir`.""" +SSL_OPTIONS_HASHES_NEW = [ + '63e2bddebb174a05c9d8a7cf2adf72f7af04349ba59a1a925fe447f73b2f1abf', + '2901debc7ecbc10917edd9084c05464c9c5930b463677571eaf8c94bffd11ae2', +] +"""SHA256 hashes of the contents of versions of MOD_SSL_CONF_SRC for nginx >= 1.5.9""" ALL_SSL_OPTIONS_HASHES = [ '0f81093a1465e3d4eaa8b0c14e77b2a2e93568b0fc1351c2b87893a95f0de87c', @@ -37,7 +35,8 @@ '7f95624dd95cf5afc708b9f967ee83a24b8025dc7c8d9df2b556bbc64256b3ff', '394732f2bbe3e5e637c3fb5c6e980a1f1b90b01e2e8d6b7cff41dde16e2a756d', '4b16fec2bcbcd8a2f3296d886f17f9953ffdcc0af54582452ca1e52f5f776f16', -] + 'c052ffff0ad683f43bffe105f7c606b339536163490930e2632a335c8d191cc4', +] + SSL_OPTIONS_HASHES_NEW """SHA256 hashes of the contents of all versions of MOD_SSL_CONF_SRC""" def os_constant(key): diff -Nru python-certbot-nginx-0.35.1/certbot_nginx/options-ssl-nginx.conf python-certbot-nginx-0.36.0/certbot_nginx/options-ssl-nginx.conf --- python-certbot-nginx-0.35.1/certbot_nginx/options-ssl-nginx.conf 2019-06-10 22:02:09.000000000 +0000 +++ python-certbot-nginx-0.36.0/certbot_nginx/options-ssl-nginx.conf 2019-07-11 19:12:24.000000000 +0000 
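Review bot: the new docstring `"""SHA256 hashes of the contents of versions of MOD_SSL_CONF_SRC for nginx >= 1.5.9"""` refers to `MOD_SSL_CONF_SRC`, which this same hunk deletes; the `@@ -37` hunk's docstring on `ALL_SSL_OPTIONS_HASHES` carries the same dangling name. Point both at the replacement, e.g. `"""SHA256 hashes of every shipped version of options-ssl-nginx.conf (nginx >= 1.5.9); see the mod_ssl_conf_src property in configurator.py."""`. Since these lists are what lets the installer distinguish a Certbot-managed file from a manually modified one, a one-line comment stating that the current hash of both `options-ssl-nginx.conf` and `options-ssl-nginx-old.conf` must appear in `ALL_SSL_OPTIONS_HASHES` would save the next editor from shipping a file the updater refuses to replace.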
@@ -4,8 +4,9 @@ # the up-to-date file that you will need to refer to when manually updating # this file. -ssl_session_cache shared:le_nginx_SSL:1m; +ssl_session_cache shared:le_nginx_SSL:10m; ssl_session_timeout 1440m; +ssl_session_tickets off; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; diff -Nru python-certbot-nginx-0.35.1/certbot_nginx/options-ssl-nginx-old.conf python-certbot-nginx-0.36.0/certbot_nginx/options-ssl-nginx-old.conf --- python-certbot-nginx-0.35.1/certbot_nginx/options-ssl-nginx-old.conf 1970-01-01 00:00:00.000000000 +0000 +++ python-certbot-nginx-0.36.0/certbot_nginx/options-ssl-nginx-old.conf 2019-07-11 19:12:24.000000000 +0000 
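Review bot: `ssl_session_tickets off;` is added without a comment, yet it is the reason this commit must ship a second file for nginx < 1.5.9, and an operator reading the installed file cannot tell it was deliberate (nginx encrypts tickets with a key it does not rotate unless one is configured, so leaving tickets on weakens forward secrecy of resumed sessions). Consider `# Disabled: without key rotation, ticket keys outlive the sessions they protect (directive requires nginx >= 1.5.9)` directly above the directive. Any added comment line changes the file's SHA256, so `SSL_OPTIONS_HASHES_NEW` in constants.py has to be updated in the same commit or the installer's hash check will no longer recognize the shipped file.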
@@ -0,0 +1,13 @@ +# This file contains important security parameters. If you modify this file +# manually, Certbot will be unable to automatically provide future security +# updates. Instead, Certbot will print and log an error message with a path to +# the up-to-date file that you will need to refer to when manually updating +# this file. + +ssl_session_cache shared:le_nginx_SSL:10m; +ssl_session_timeout 1440m; + +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_prefer_server_ciphers on; + +ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"; diff -Nru python-certbot-nginx-0.35.1/certbot_nginx/tests/configurator_test.py python-certbot-nginx-0.36.0/certbot_nginx/tests/configurator_test.py --- python-certbot-nginx-0.35.1/certbot_nginx/tests/configurator_test.py 2019-06-10 22:02:09.000000000 +0000 +++ python-certbot-nginx-0.36.0/certbot_nginx/tests/configurator_test.py 2019-07-11 19:12:24.000000000 +0000 @@ -13,7 +13,6 @@ from certbot.compat import os from certbot.tests import util as certbot_test_util -from certbot_nginx import constants from certbot_nginx import obj from certbot_nginx import parser from certbot_nginx.configurator import _redirect_block_for_domain 
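Review bot: the new legacy file is a verbatim copy of options-ssl-nginx.conf minus `ssl_session_tickets off;`, but nothing in either file says so, so a future cipher or protocol tightening in the main file can easily miss this one and leave nginx < 1.5.9 users on stale parameters while their installed file still hash-validates as current. Add a header comment such as `# Variant of options-ssl-nginx.conf for nginx < 1.5.9 (no ssl_session_tickets directive); keep both files in sync and add both hashes to ALL_SSL_OPTIONS_HASHES.` Note that this file inherits `TLSv1 TLSv1.1` and the `DES-CBC3-SHA` suites from the main file, so any later decision to drop them applies here too, and any comment added changes the hash that constants.py must carry.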
@@ -428,11 +427,6 @@ mock_recovery_routine.side_effect = errors.ReverterError("foo") self.assertRaises(errors.PluginError, self.config.recovery_routine) - @mock.patch("certbot.reverter.Reverter.view_config_changes") - def test_view_config_changes_throws_error_from_reverter(self, mock_view_config_changes): - mock_view_config_changes.side_effect = errors.ReverterError("foo") - self.assertRaises(errors.PluginError, self.config.view_config_changes) - @mock.patch("certbot.reverter.Reverter.rollback_checkpoints") def test_rollback_checkpoints_throws_error_from_reverter(self, mock_rollback_checkpoints): mock_rollback_checkpoints.side_effect = errors.ReverterError("foo") @@ -883,12 +877,11 @@ self.config_path, self.config_dir, self.work_dir, self.logs_dir) def _call(self): - from certbot_nginx.configurator import install_ssl_options_conf - install_ssl_options_conf(self.config.mod_ssl_conf, self.config.updated_mod_ssl_conf_digest) + self.config.install_ssl_options_conf(self.config.mod_ssl_conf, + self.config.updated_mod_ssl_conf_digest) def _current_ssl_options_hash(self): - from certbot_nginx.constants import MOD_SSL_CONF_SRC - return crypto_util.sha256sum(MOD_SSL_CONF_SRC) + return crypto_util.sha256sum(self.config.mod_ssl_conf_src) def _assert_current_file(self): self.assertTrue(os.path.isfile(self.config.mod_ssl_conf)) 
@@ -908,12 +901,32 @@ self._call() self._assert_current_file() + def _mock_hash_except_ssl_conf_src(self, fake_hash): + # Write a bad file in place so that update tests fail if no update occurs. + # We're going to pretend this file (the currently installed conf file) + # actually hashes to `fake_hash` for the update tests. + with open(self.config.mod_ssl_conf, "w") as f: + f.write("bogus") + sha256 = crypto_util.sha256sum + def _hash(filename): + return sha256(filename) if filename == self.config.mod_ssl_conf_src else fake_hash + return _hash + def test_prev_file_updates_to_current(self): from certbot_nginx.constants import ALL_SSL_OPTIONS_HASHES - with mock.patch('certbot.crypto_util.sha256sum') as mock_sha256: - mock_sha256.return_value = ALL_SSL_OPTIONS_HASHES[0] + with mock.patch('certbot.crypto_util.sha256sum', + new=self._mock_hash_except_ssl_conf_src(ALL_SSL_OPTIONS_HASHES[0])): + self._call() + self._assert_current_file() + + def test_prev_file_updates_to_current_old_nginx(self): + from certbot_nginx.constants import ALL_SSL_OPTIONS_HASHES, SSL_OPTIONS_HASHES_NEW + self.config.version = (1, 5, 8) + with mock.patch('certbot.crypto_util.sha256sum', + new=self._mock_hash_except_ssl_conf_src(ALL_SSL_OPTIONS_HASHES[0])): self._call() self._assert_current_file() + self.assertTrue(self._current_ssl_options_hash() not in SSL_OPTIONS_HASHES_NEW) def test_manually_modified_current_file_does_not_update(self): with open(self.config.mod_ssl_conf, "a") as mod_ssl_conf: @@ -922,7 +935,7 @@ self._call() self.assertFalse(mock_logger.warning.called) self.assertTrue(os.path.isfile(self.config.mod_ssl_conf)) - self.assertEqual(crypto_util.sha256sum(constants.MOD_SSL_CONF_SRC), + self.assertEqual(crypto_util.sha256sum(self.config.mod_ssl_conf_src), self._current_ssl_options_hash()) self.assertNotEqual(crypto_util.sha256sum(self.config.mod_ssl_conf), self._current_ssl_options_hash()) 
@@ -937,7 +950,7 @@ self.assertEqual(mock_logger.warning.call_args[0][0], "%s has been manually modified; updated file " "saved to %s. We recommend updating %s for security purposes.") - self.assertEqual(crypto_util.sha256sum(constants.MOD_SSL_CONF_SRC), + self.assertEqual(crypto_util.sha256sum(self.config.mod_ssl_conf_src), self._current_ssl_options_hash()) # only print warning once with mock.patch("certbot.plugins.common.logger") as mock_logger: @@ -950,6 +963,16 @@ "Constants.ALL_SSL_OPTIONS_HASHES must be appended" " with the sha256 hash of self.config.mod_ssl_conf when it is updated.") + def test_old_nginx_version_uses_old_config(self): + self.config.version = (1, 5, 8) + self.assertEqual(os.path.basename(self.config.mod_ssl_conf_src), + "options-ssl-nginx-old.conf") + self._call() + self._assert_current_file() + self.config.version = (1, 5, 9) + self.assertEqual(os.path.basename(self.config.mod_ssl_conf_src), + "options-ssl-nginx.conf") + class DetermineDefaultServerRootTest(certbot_test_util.ConfigTestCase): """Tests for certbot_nginx.configurator._determine_default_server_root.""" diff -Nru python-certbot-nginx-0.35.1/certbot_nginx.egg-info/PKG-INFO python-certbot-nginx-0.36.0/certbot_nginx.egg-info/PKG-INFO --- python-certbot-nginx-0.35.1/certbot_nginx.egg-info/PKG-INFO 2019-06-10 22:02:21.000000000 +0000 +++ python-certbot-nginx-0.36.0/certbot_nginx.egg-info/PKG-INFO 2019-07-11 19:12:35.000000000 +0000 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: certbot-nginx -Version: 0.35.1 +Version: 0.36.0 Summary: Nginx plugin for Certbot Home-page: https://github.com/letsencrypt/letsencrypt Author: Certbot Project diff -Nru python-certbot-nginx-0.35.1/certbot_nginx.egg-info/requires.txt python-certbot-nginx-0.36.0/certbot_nginx.egg-info/requires.txt --- python-certbot-nginx-0.35.1/certbot_nginx.egg-info/requires.txt 2019-06-10 22:02:21.000000000 +0000 +++ python-certbot-nginx-0.36.0/certbot_nginx.egg-info/requires.txt 2019-07-11 19:12:35.000000000 +0000 
@@ -1,5 +1,5 @@ acme>=0.29.0 -certbot>=0.34.0 +certbot>=0.35.0 mock PyOpenSSL pyparsing>=1.5.5 diff -Nru python-certbot-nginx-0.35.1/certbot_nginx.egg-info/SOURCES.txt python-certbot-nginx-0.36.0/certbot_nginx.egg-info/SOURCES.txt --- python-certbot-nginx-0.35.1/certbot_nginx.egg-info/SOURCES.txt 2019-06-10 22:02:21.000000000 +0000 +++ python-certbot-nginx-0.36.0/certbot_nginx.egg-info/SOURCES.txt 2019-07-11 19:12:35.000000000 +0000 @@ -10,6 +10,7 @@ certbot_nginx/http_01.py certbot_nginx/nginxparser.py certbot_nginx/obj.py +certbot_nginx/options-ssl-nginx-old.conf certbot_nginx/options-ssl-nginx.conf certbot_nginx/parser.py certbot_nginx/parser_obj.py diff -Nru python-certbot-nginx-0.35.1/debian/changelog python-certbot-nginx-0.36.0/debian/changelog --- python-certbot-nginx-0.35.1/debian/changelog 2019-07-09 23:06:04.000000000 +0000 +++ python-certbot-nginx-0.36.0/debian/changelog 2019-07-11 21:26:16.000000000 +0000 @@ -1,3 +1,12 @@ +python-certbot-nginx (0.36.0-1) unstable; urgency=medium + + * New upstream version 0.36.0 + * Bump dep on certbot to 0.35. + * Bump S-V to 4.4.0; no changes needed. + * Bump compat, dh to 12. + + -- Harlan Lieberman-Berg Thu, 11 Jul 2019 17:26:16 -0400 + python-certbot-nginx (0.35.1-1) unstable; urgency=medium * New upstream version 0.35.1 diff -Nru python-certbot-nginx-0.35.1/debian/compat python-certbot-nginx-0.36.0/debian/compat --- python-certbot-nginx-0.35.1/debian/compat 2019-02-10 00:52:59.000000000 +0000 +++ python-certbot-nginx-0.36.0/debian/compat 2019-07-11 21:23:50.000000000 +0000 @@ -1 +1 @@ -11 +12 diff -Nru python-certbot-nginx-0.35.1/debian/control python-certbot-nginx-0.36.0/debian/control --- python-certbot-nginx-0.35.1/debian/control 2019-07-09 23:05:18.000000000 +0000 +++ python-certbot-nginx-0.36.0/debian/control 2019-07-11 21:23:46.000000000 +0000 
@@ -4,11 +4,11 @@ Maintainer: Debian Let's Encrypt Uploaders: Harlan Lieberman-Berg , Francois Marier -Build-Depends: debhelper (>= 11~), +Build-Depends: debhelper (>= 12~), dh-python, python3, python3-acme (>= 0.29.0~), - python3-certbot (>= 0.34.0~), + python3-certbot (>= 0.35.0~), python3-configargparse (>= 0.10.0), python3-mock, python3-openssl (>= 0.13), @@ -24,7 +24,7 @@ python3-tz, python3-zope.component, python3-zope.interface -Standards-Version: 4.3.0 +Standards-Version: 4.4.0 Homepage: https://letsencrypt.org/ Vcs-Git: https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx.git Vcs-Browser: https://salsa.debian.org/letsencrypt-team/certbot/certbot-nginx @@ -33,7 +33,7 @@ Package: python3-certbot-nginx Architecture: all Depends: nginx, - certbot (>= 0.34.0~), + certbot (>= 0.35.0~), ${misc:Depends}, ${python3:Depends} Breaks: python-certbot-nginx (<< 0.20.0~) diff -Nru python-certbot-nginx-0.35.1/MANIFEST.in python-certbot-nginx-0.36.0/MANIFEST.in --- python-certbot-nginx-0.35.1/MANIFEST.in 2019-06-10 22:02:09.000000000 +0000 +++ python-certbot-nginx-0.36.0/MANIFEST.in 2019-07-11 19:12:24.000000000 +0000 @@ -3,3 +3,4 @@ recursive-include docs * recursive-include certbot_nginx/tests/testdata * include certbot_nginx/options-ssl-nginx.conf +include certbot_nginx/options-ssl-nginx-old.conf diff -Nru python-certbot-nginx-0.35.1/PKG-INFO python-certbot-nginx-0.36.0/PKG-INFO --- python-certbot-nginx-0.35.1/PKG-INFO 2019-06-10 22:02:21.000000000 +0000 +++ python-certbot-nginx-0.36.0/PKG-INFO 2019-07-11 19:12:35.000000000 +0000 
@@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: certbot-nginx -Version: 0.35.1 +Version: 0.36.0 Summary: Nginx plugin for Certbot Home-page: https://github.com/letsencrypt/letsencrypt Author: Certbot Project diff -Nru python-certbot-nginx-0.35.1/setup.py python-certbot-nginx-0.36.0/setup.py --- python-certbot-nginx-0.35.1/setup.py 2019-06-10 22:02:10.000000000 +0000 +++ python-certbot-nginx-0.36.0/setup.py 2019-07-11 19:12:25.000000000 +0000 @@ -4,13 +4,13 @@ import sys -version = '0.35.1' +version = '0.36.0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. install_requires = [ 'acme>=0.29.0', - 'certbot>=0.34.0', + 'certbot>=0.35.0', 'mock', 'PyOpenSSL', 'pyparsing>=1.5.5', # Python3 support; perhaps unnecessary?