* Added --eab-hmac-alg parameter to support custom HMAC algorithm for
External Account Binding.
* Catches and ignores errors during the directory fetch for ARI checking
so that these errors do not hinder the actual certificate issuance.
* Removed the dependency on pytz
* Support for Python 3.9 was deprecated and will be removed in our next
planned release.
* The Certbot snap no longer sets the environment variable PYTHONPATH
stopping it from picking up Python files in the current directory
and polluting the environment for Certbot hooks written in Python.
* Previously, we claimed to set FAILED_DOMAINS and RENEWED_DOMAINS env
variables for use by post-hooks when certificate renewals fail, but
we were not actually setting them. Now, we are.
* Certbot now always uses the server value from the renewal configuration
file for ARI checks instead of the server value from the current
invocation of Certbot. This helps prevent ARI requests from going to the
wrong server if the user changes CAs.
- Make the libalternatives transition conditional
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=138
* Deprecated parameter enforce_openssl_binary_usage from
certbot.ocsp.RevocationChecker.
* The --preferred-profile and --required-profile flags now have their
values stored in the renewal configuration so the same setting will
be used on renewal.
* No longer checks ARI during certbot --dry-run.
* Fixed an unintended change introduced in 4.0.0 where renew_before_expiry
could not be shorter than certbot's default renewal time.
* Switched to src-layout from flat-layout to accommodate PEP 517 pip
editable installs
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=132
- Update to 4.0.0:
* Added
+ The --preferred-profile and --required-profile flags allow requesting
a profile.
* Changed
+ Certificates now renew with 1/3rd of lifetime left (or 1/2 of lifetime
left, if the lifetime is shorter than 10 days).
+ removed acme.crypto_util._pyopenssl_cert_or_req_all_names
+ removed acme.crypto_util._pyopenssl_cert_or_req_san
+ removed acme.crypto_util.dump_pyopenssl_chain
+ removed acme.crypto_util.gen_ss_cert
+ removed certbot.crypto_util.dump_pyopenssl_chain
+ removed certbot.crypto_util.pyopenssl_load_certificate
* Fixed
+ Moved RewriteEngine on directive added during apache http01
authentication to the end of the virtual host, so that it overwrites
any RewriteEngine off directives that already exist and allows
redirection to the challenge URL.
OBS-URL: https://build.opensuse.org/request/show/1271240
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-certbot?expand=0&rev=56
* Added
+ The --preferred-profile and --required-profile flags allow requesting
a profile.
* Changed
+ Certificates now renew with 1/3rd of lifetime left (or 1/2 of lifetime
left, if the lifetime is shorter than 10 days).
+ removed acme.crypto_util._pyopenssl_cert_or_req_all_names
+ removed acme.crypto_util._pyopenssl_cert_or_req_san
+ removed acme.crypto_util.dump_pyopenssl_chain
+ removed acme.crypto_util.gen_ss_cert
+ removed certbot.crypto_util.dump_pyopenssl_chain
+ removed certbot.crypto_util.pyopenssl_load_certificate
* Fixed
+ Moved RewriteEngine on directive added during apache http01
authentication to the end of the virtual host, so that it overwrites
any RewriteEngine off directives that already exist and allows
redirection to the challenge URL.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=130
* The --register-unsafely-without-email flag is no longer needed
in non-interactive mode.
* In interactive mode, pressing Enter at the email prompt will
register without an email.
* deprecated certbot.crypto_util.dump_pyopenssl_chain
* deprecated certbot.crypto_util.pyopenssl_load_certificate
* Fixed a bug introduced in Certbot 3.1.0 where OpenSSL environment
variables needed in our snap configuration were persisted in calls
to external programs like nginx which could cause them to fail to
load OpenSSL.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=128
* certbot-nginx now requires pyparsing>=2.4.7.
* certbot and its acme library now require
cryptography>=43.0.0.
* certbot-nginx and our acme library now require
pyOpenSSL>=25.0.0.
* Deprecated `gen_ss_cert` in `acme.crypto_util` as it uses
deprecated pyOpenSSL API.
* Add `make_self_signed_cert` to `acme.crypto_util` to replace
`gen_ss_cert.
* Directory hooks are now run on all commands by default, not
just `renew`
* Help output now shows `False` as default when it can be set
via `cli.ini` instead of `None`
* Changed terms of service agreement text to have a newline
after the TOS link
* certbot-cloudflare-dns is now pinned to version 2.19 of
Cloudflare's python library
* Our runtime dependency on setuptools has been dropped from all
* The csr_dir and key_dir attributes on
* Support for Python 3.8 was deprecated and will be removed in our
* Fixed a bug in Certbot where a CSR's SANs did not always follow
the order of the domain names that the user requested interactively.
In some cases, the resulting cert's common name might seem picked
up randomly from the SANs when it should be the first item the user
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:certbot/python-certbot?expand=0&rev=126
- update to 2.9.0:
* Support for Python 3.12 was added.
* Updates `joinpath` syntax to only use one addition per call,
because the multiple inputs version was causing mypy errors
on Python 3.10.
* Makes the `reconfigure` verb actually use the staging server
for the dry run to check the new configuration.
- Add %{?sle15_python_module_pythons}
* The default key type for new certificates is now ECDSA secp256r1 (P-256). It was
* Certbot will now error if a certificate has --reuse-key set and a conflicting --key-type,
--key-size or --elliptic-curve is requested on the CLI. Use --new-key to change the key
* The zope based interfaces in certbot.interfaces have been removed in favor of the abc
* Removed deprecated functions certbot.tests.util.patch_get_utility*. Plugins should now patch
certbot.display.util themselves in their tests or use certbot.tests.util.patch_display_util
* Fixes a bug where the certbot working directory has unusably restrictive permissions on
* Certbot will no longer respect very long challenge polling intervals, which may be suggested
by some ACME servers. Certbot will continue to wait up to 90 seconds by default, or up to
* Allow a user to modify the configuration of a certificate without renewing it using the new
* Certbot will no longer save previous CSRs and certificate private keys to /etc/letsencrypt/csr
* Certbot will now only keep the current and 5 previous certificates in the /etc/letsencrypt/archive
directory for each certificate lineage. Any prior certificates will be automatically deleted upon
* We deprecated support for the update_symlinks command. Support will be removed in a following
* Optionally sign the SOA query for dns-rfc2136, to help resolve problems with split-view DNS setups
* Certbot will no longer try to invoke plugins which do not subclass from the proper certbot.interfaces.{Installer,Authenticator}
* If Certbot exits before setting up its usual log files, the temporary
directory created to save logging information will begin with the name
certbot-log- rather than a generic name. This should not be considered a
* Fixed an incompatibility in the certbot-dns-cloudflare plugin and the
OBS-URL: https://build.opensuse.org/request/show/1145433
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-certbot?expand=0&rev=49
- update to 1.29.0:
* --allow-subset-of-names will now additionally retry in cases where domains
are rejected while creating or finalizing orders. This requires subproblem
support from the ACME server
* The show_account subcommand now uses the "newAccount" ACME endpoint to
fetch the account data, so it doesn't rely on the locally stored account URL.
This fixes situations where Certbot
would use old ACMEv1 registration info with non-functional account URLs.
* The generated Certificate Signing Requests are now generated as version 1
instead of version 3. This resolves situations in where strict enforcement
of PKCS#10 meant that CSRs that were generated as version 3 were rejected
OBS-URL: https://build.opensuse.org/request/show/988433
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-certbot?expand=0&rev=43
- update to version 1.0.0 (boo#1160066)
* certbot-auto has deprecated support for systems using OpenSSL 1.0.1
that are not running on x86-64.
* Certbot's config_changes subcommand has been removed
* certbot.plugins.common.TLSSNI01 has been removed.
* The functions certbot.client.view_config_changes,
certbot.main.config_changes,
certbot.plugins.common.Installer.view_config_changes,
certbot.reverter.Reverter.view_config_changes, and
certbot.util.get_systemd_os_info have been removed
* Certbot's register --update-registration subcommand has been removed
* When possible, default to automatically configuring the webserver so all requests
redirect to secure HTTPS access. This is mostly relevant when running Certbot
in non-interactive mode. Previously, the default was to not redirect all requests.
OBS-URL: https://build.opensuse.org/request/show/760673
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-certbot?expand=0&rev=21
- Update to 0.30.2:
* Update the version of setuptools pinned in certbot-auto to 40.6.3 to
solve installation problems on newer OSes.
* Always download the pinned version of pip in pipstrap to address breakages
* Rename old,default.conf to old-and-default.conf to address commas in filenames
breaking recent versions of pip.
* Add VIRTUALENV_NO_DOWNLOAD=1 to all calls to virtualenv to address breakages
from venv downloading the latest pip
* Added the `update_account` subcommand for account management commands.
OBS-URL: https://build.opensuse.org/request/show/669788
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-certbot?expand=0&rev=7
- update to 0.29.1:
* The default work and log directories have been changed back
to /var/lib/letsencrypt and /var/log/letsencrypt respectively.
* Noninteractive renewals with `certbot renew` (those not started
from a terminal) now randomly sleep 1-480 seconds before beginning
work in order to spread out load spikes on the server side.
* Added External Account Binding support in cli and acme library.
Command line arguments --eab-kid and --eab-hmac-key added.
* Private key permissioning changes: Renewal preserves existing group mode
& gid of previous private key material. Private keys for new
lineages (i.e. new certs, not renewed) default to 0o600.
* Update code and dependencies to clean up Resource and Deprecation Warnings.
* Only depend on imgconverter extension for Sphinx >= 1.6
- update URL
OBS-URL: https://build.opensuse.org/request/show/658302
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-certbot?expand=0&rev=6
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
