* Certbot now stores the Retry-After value given by ACME Renewal Info (ARI)
so the value can be respected across multiple Certbot runs.
* Added uv as a test dependency, and switched most pip invocations to uv pip
for faster installs.
* certbot.ocsp.RevocationChecker.__init__ no longer accepts the parameter
enforce_openssl_binary_usage and always uses the cryptography library
for OCSP checking.
* Python 3.9 support was removed.
* Migrated most functionality from setup.py to pyproject.toml
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=140
* Added --eab-hmac-alg parameter to support custom HMAC algorithm for
External Account Binding.
* Catches and ignores errors during the directory fetch for ARI checking
so that these errors do not hinder the actual certificate issuance.
* Removed the dependency on pytz
* Support for Python 3.9 was deprecated and will be removed in our next
planned release.
* The Certbot snap no longer sets the environment variable PYTHONPATH
stopping it from picking up Python files in the current directory
and polluting the environment for Certbot hooks written in Python.
* Previously, we claimed to set FAILED_DOMAINS and RENEWED_DOMAINS env
variables for use by post-hooks when certificate renewals fail, but
we were not actually setting them. Now, we are.
* Certbot now always uses the server value from the renewal configuration
file for ARI checks instead of the server value from the current
invocation of Certbot. This helps prevent ARI requests from going to the
wrong server if the user changes CAs.
- Make the libalternatives transition conditional
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=138
* Deprecated parameter enforce_openssl_binary_usage from
certbot.ocsp.RevocationChecker.
* The --preferred-profile and --required-profile flags now have their
values stored in the renewal configuration so the same setting will
be used on renewal.
* No longer checks ARI during certbot --dry-run.
* Fixed an unintended change introduced in 4.0.0 where renew_before_expiry
could not be shorter than certbot's default renewal time.
* Switched to src-layout from flat-layout to accommodate PEP 517 pip
editable installs
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=132
- Update to 4.0.0:
* Added
+ The --preferred-profile and --required-profile flags allow requesting
a profile.
* Changed
+ Certificates now renew with 1/3rd of lifetime left (or 1/2 of lifetime
left, if the lifetime is shorter than 10 days).
+ removed acme.crypto_util._pyopenssl_cert_or_req_all_names
+ removed acme.crypto_util._pyopenssl_cert_or_req_san
+ removed acme.crypto_util.dump_pyopenssl_chain
+ removed acme.crypto_util.gen_ss_cert
+ removed certbot.crypto_util.dump_pyopenssl_chain
+ removed certbot.crypto_util.pyopenssl_load_certificate
* Fixed
+ Moved RewriteEngine on directive added during apache http01
authentication to the end of the virtual host, so that it overwrites
any RewriteEngine off directives that already exist and allows
redirection to the challenge URL.
OBS-URL: https://build.opensuse.org/request/show/1271240
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-certbot?expand=0&rev=56
* Added
+ The --preferred-profile and --required-profile flags allow requesting
a profile.
* Changed
+ Certificates now renew with 1/3rd of lifetime left (or 1/2 of lifetime
left, if the lifetime is shorter than 10 days).
+ removed acme.crypto_util._pyopenssl_cert_or_req_all_names
+ removed acme.crypto_util._pyopenssl_cert_or_req_san
+ removed acme.crypto_util.dump_pyopenssl_chain
+ removed acme.crypto_util.gen_ss_cert
+ removed certbot.crypto_util.dump_pyopenssl_chain
+ removed certbot.crypto_util.pyopenssl_load_certificate
* Fixed
+ Moved RewriteEngine on directive added during apache http01
authentication to the end of the virtual host, so that it overwrites
any RewriteEngine off directives that already exist and allows
redirection to the challenge URL.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=130
* The --register-unsafely-without-email flag is no longer needed
in non-interactive mode.
* In interactive mode, pressing Enter at the email prompt will
register without an email.
* deprecated certbot.crypto_util.dump_pyopenssl_chain
* deprecated certbot.crypto_util.pyopenssl_load_certificate
* Fixed a bug introduced in Certbot 3.1.0 where OpenSSL environment
variables needed in our snap configuration were persisted in calls
to external programs like nginx which could cause them to fail to
load OpenSSL.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=128
* certbot-nginx now requires pyparsing>=2.4.7.
* certbot and its acme library now require
cryptography>=43.0.0.
* certbot-nginx and our acme library now require
pyOpenSSL>=25.0.0.
* Deprecated `gen_ss_cert` in `acme.crypto_util` as it uses
deprecated pyOpenSSL API.
* Add `make_self_signed_cert` to `acme.crypto_util` to replace
`gen_ss_cert`.
* Directory hooks are now run on all commands by default, not
just `renew`
* Help output now shows `False` as default when it can be set
via `cli.ini` instead of `None`
* Changed terms of service agreement text to have a newline
after the TOS link
* certbot-cloudflare-dns is now pinned to version 2.19 of
Cloudflare's python library
* Our runtime dependency on setuptools has been dropped from all
* The csr_dir and key_dir attributes on
* Support for Python 3.8 was deprecated and will be removed in our
* Fixed a bug in Certbot where a CSR's SANs did not always follow
the order of the domain names that the user requested interactively.
In some cases, the resulting cert's common name might seem picked
up randomly from the SANs when it should be the first item the user
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=126
- update to 2.9.0:
* Support for Python 3.12 was added.
* Updates `joinpath` syntax to only use one addition per call,
because the multiple inputs version was causing mypy errors
on Python 3.10.
* Makes the `reconfigure` verb actually use the staging server
for the dry run to check the new configuration.
- Add %{?sle15_python_module_pythons}
* The default key type for new certificates is now ECDSA secp256r1 (P-256). It was
* Certbot will now error if a certificate has --reuse-key set and a conflicting --key-type,
--key-size or --elliptic-curve is requested on the CLI. Use --new-key to change the key
* The zope based interfaces in certbot.interfaces have been removed in favor of the abc
* Removed deprecated functions certbot.tests.util.patch_get_utility*. Plugins should now patch
certbot.display.util themselves in their tests or use certbot.tests.util.patch_display_util
* Fixes a bug where the certbot working directory has unusably restrictive permissions on
* Certbot will no longer respect very long challenge polling intervals, which may be suggested
by some ACME servers. Certbot will continue to wait up to 90 seconds by default, or up to
* Allow a user to modify the configuration of a certificate without renewing it using the new
* Certbot will no longer save previous CSRs and certificate private keys to /etc/letsencrypt/csr
* Certbot will now only keep the current and 5 previous certificates in the /etc/letsencrypt/archive
directory for each certificate lineage. Any prior certificates will be automatically deleted upon
* We deprecated support for the update_symlinks command. Support will be removed in a following
* Optionally sign the SOA query for dns-rfc2136, to help resolve problems with split-view DNS setups
* Certbot will no longer try to invoke plugins which do not subclass from the proper certbot.interfaces.{Installer,Authenticator}
* If Certbot exits before setting up its usual log files, the temporary
directory created to save logging information will begin with the name
certbot-log- rather than a generic name. This should not be considered a
* Fixed an incompatibility in the certbot-dns-cloudflare plugin and the
OBS-URL: https://build.opensuse.org/request/show/1145433
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-certbot?expand=0&rev=49
* Support for Python 3.12 was added.
* Updates `joinpath` syntax to only use one addition per call,
because the multiple inputs version was causing mypy errors
on Python 3.10.
* Makes the `reconfigure` verb actually use the staging server
for the dry run to check the new configuration.
* The default key type for new certificates is now ECDSA secp256r1 (P-256). It was
* Certbot will now error if a certificate has --reuse-key set and a conflicting --key-type,
--key-size or --elliptic-curve is requested on the CLI. Use --new-key to change the key
* The zope based interfaces in certbot.interfaces have been removed in favor of the abc
* Removed deprecated functions certbot.tests.util.patch_get_utility*. Plugins should now patch
certbot.display.util themselves in their tests or use certbot.tests.util.patch_display_util
* Fixes a bug where the certbot working directory has unusably restrictive permissions on
* Certbot will no longer respect very long challenge polling intervals, which may be suggested
by some ACME servers. Certbot will continue to wait up to 90 seconds by default, or up to
* Allow a user to modify the configuration of a certificate without renewing it using the new
* Certbot will no longer save previous CSRs and certificate private keys to /etc/letsencrypt/csr
* Certbot will now only keep the current and 5 previous certificates in the /etc/letsencrypt/archive
directory for each certificate lineage. Any prior certificates will be automatically deleted upon
* We deprecated support for the update_symlinks command. Support will be removed in a following
* Optionally sign the SOA query for dns-rfc2136, to help resolve problems with split-view DNS setups
* Certbot will no longer try to invoke plugins which do not subclass from the proper certbot.interfaces.{Installer,Authenticator}
* If Certbot exits before setting up its usual log files, the temporary
directory created to save logging information will begin with the name
certbot-log- rather than a generic name. This should not be considered a
* Fixed an incompatibility in the certbot-dns-cloudflare plugin and the
Cloudflare library which was introduced in the Cloudflare library version
2.10.1. The library would raise an error if a token was specified in the
Certbot --dns-cloudflare-credentials file as well as the cloudflare.cfg
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=115
* Add certbot.util.LooseVersion class. See GH #9489.
* NamespaceConfig now tracks how its arguments were set via a dictionary, allowing us to remove a bunch
of global state previously needed to inspect whether a user set an argument or not.
* Support for Python 3.7 was deprecated and will be removed in our next planned release.
* Added RENEWED_DOMAINS and FAILED_DOMAINS environment variables for consumption by post renewal hooks.
* Do not call deprecated datetime.utcnow() and datetime.utcfromtimestamp()
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=104
- Update to 2.6.0
* Support for Python 3.11 was added to Certbot and all of its components.
* The default key type for new certificates is now ECDSA secp256r1 (P-256). It was
previously RSA 2048-bit. Existing certificates are not affected.
* acme and Certbot no longer support versions of ACME from before the RFC 8555 standard.
* acme and Certbot no longer support the old urn:acme:error: ACME error prefix.
* Removed the deprecated certbot-dns-cloudxns plugin.
* Certbot will now error if a certificate has --reuse-key set and a conflicting --key-type,
--key-size or --elliptic-curve is requested on the CLI. Use --new-key to change the key
while preserving --reuse-key.
* The zope based interfaces in certbot.interfaces have been removed in favor of the abc
based interfaces found in the same module.
* Certbot no longer depends on zope.
* Removed some deprecated functions and attributes from certbot(.display)?.(crypto_)?util
* Removed deprecated functions certbot.tests.util.patch_get_utility*. Plugins should now patch
certbot.display.util themselves in their tests or use certbot.tests.util.patch_display_util
as a temporary workaround.
* Fixes a bug where the certbot working directory has unusably restrictive permissions on
systems with stricter default umasks.
* Requests to subscribe to the EFF mailing list now time out after 60 seconds.
* Certbot will no longer respect very long challenge polling intervals, which may be suggested
by some ACME servers. Certbot will continue to wait up to 90 seconds by default, or up to
a total of 30 minutes if requested by the server via Retry-After.
* Allow a user to modify the configuration of a certificate without renewing it using the new
reconfigure subcommand. See certbot help reconfigure for details.
* certbot show_account now displays the ACME Account Thumbprint.
* Certbot will no longer save previous CSRs and certificate private keys to /etc/letsencrypt/csr
and /etc/letsencrypt/keys, respectively. These directories may be safely deleted.
* Certbot will now only keep the current and 5 previous certificates in the /etc/letsencrypt/archive
directory for each certificate lineage. Any prior certificates will be automatically deleted upon
OBS-URL: https://build.opensuse.org/request/show/1091312
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=102
- update to 1.29.0:
* --allow-subset-of-names will now additionally retry in cases where domains
are rejected while creating or finalizing orders. This requires subproblem
support from the ACME server
* The show_account subcommand now uses the "newAccount" ACME endpoint to
fetch the account data, so it doesn't rely on the locally stored account URL.
This fixes situations where Certbot
would use old ACMEv1 registration info with non-functional account URLs.
* The generated Certificate Signing Requests are now generated as version 1
instead of version 3. This resolves situations where strict enforcement
of PKCS#10 meant that CSRs that were generated as version 3 were rejected
OBS-URL: https://build.opensuse.org/request/show/988433
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-certbot?expand=0&rev=43
* --allow-subset-of-names will now additionally retry in cases where domains
are rejected while creating or finalizing orders. This requires subproblem
support from the ACME server
* The show_account subcommand now uses the "newAccount" ACME endpoint to
fetch the account data, so it doesn't rely on the locally stored account URL.
This fixes situations where Certbot
would use old ACMEv1 registration info with non-functional account URLs.
* The generated Certificate Signing Requests are now generated as version 1
instead of version 3. This resolves situations where strict enforcement
of PKCS#10 meant that CSRs that were generated as version 3 were rejected
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=95
* Updated Apache/NGINX TLS configs to document contents are based on ssl-config.mozilla.org
* A change to order finalization has been made to the `acme` module and Certbot:
- An order's `certificate` field will only be processed if the order's `status` is `valid`.
- An order's `error` field will only be processed if the order's `status` is `invalid`.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=93