M/e0f *dZddlZddlZddlZddlZddlZddlZddlZddlm Z ddlm Z ddlm Z ddlm Z ddlm Z ddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlm Z ddlm!Z!ddlm"Z"ddlm#Z#ddl$m%Z&ddl'm(Z)ddl*m+Z+ddl,mZ-ej\e/Z0gdZ1ddgZ2gdZ3e4ejje3e2e1d Z6d!ejnd"e8d#ee"jrfd$Z:d!ejnd%e e8e fd#dfd&Z;d!ejnd%e e8e fd#dfd'Zd*e8d+ee e8e8fd#e e8fd,Z?d-e8d+e8d#e@fd.ZAd-e8d+e8d#eBfd/ZCd-e8d+e8d#ee8fd0ZDd!ejnd1e"jrd#e@fd2ZEd!ejnd1e"jrd3e8d#dfd4ZFd!ejnd1e"jrd#dfd5ZGd!ejnd6ee e8d7ejd1e"jrd#df d8ZId9e e8d:e8d#e8fd;ZJd!ejnde e8d?e e8d#df d@ZKd!ejnd#eeLeLffdAZMdBe8d!ejnd#dfdCZNy)DzGFunctionality for autorenewal and associated juggling of configurationsN)Any)Dict)Iterable)List)Mapping)Optional)Tuple)Union)default_backend)ec)rsa)load_pem_private_key) configuration) crypto_util)errors)util)cli)client) constants)hooks)storage)updater)obj)disco)os) config_dirlogs_dirwork_dir user_agentserveraccount authenticator installer renew_hookpre_hook post_hookhttp01_addresspreferred_chainkey_typeelliptic_curve rsa_key_size http01_port) must_stapleallow_subset_of_names reuse_key autorenew) pref_challsconfig full_pathreturnc  tj||}d|jvrt j d|y|jd}d|vrt j d|y|jd d |d <t|} t||t|| |j%Dcgc]}t'j(|c}|_|S#tjtf$rg}t j d|t j dt|t jdtjYd}~yd}~wwxYw#t tj"f$rR}t j d |t|t jdtjYd}~yd}~wwxYwcc}w#tj,$r!}t j d ||Yd}~yd}~wwxYw) aTry to instantiate a RenewableCert, updating config with relevant items. This is specifically for use in renewal and enforces several checks and policies to ensure that we can try to proceed with the renewal request. The config argument is modified by including relevant options read from the renewal configuration file. :param configuration.NamespaceConfig config: configuration for the current lineage :param str full_path: Absolute path to the configuration file that defines this lineage :returns: the RenewableCert object or None if a fatal error occurred :rtype: `storage.RenewableCert` or NoneType z(Renewal configuration file %s is broken.zThe error was: %s Skipping.Traceback was: %sN renewalparamsz%33ODMm+ 56? A!. 1 1*e DM*7}EM(? 6#4#:#:#<>44Q7> Y  # #W - ?K 3SZ@ )9+?+?+AB 8  %  !"+SZ 9  )9+?+?+AB >  $ $ ,-6 ? s[CE!G3G GE2AEEG5AGG GH"G>>Hr7cd|vr|jds |d|_d|vr2|jds |d}t|tr|g}||_yyy)z webroot_map is, uniquely, a dict, and the general-purpose configuration restoring logic is not able to correctly parse it from the serialized form. webroot_map webroot_pathN) set_by_userrP isinstancer=rQ)r2r7wps rM_restore_webroot_configrU|si %f.@.@.O*=9&v/A/A./Q > * b# B  0R&c g}|ddk(r t||n|j|d|jd|j|dt|D]}|j dd}|j D]o\}}|j |dzs|j|r-|dvrt||t|Htj|}t||||qy)aSets plugin specific values in config from renewalparams :param configuration.NamespaceConfig config: configuration for the current lineage :param configobj.Section renewalparams: Parameters from the renewal configuration file that defines this lineage r"webrootr#N-_)NoneTrueFalse) rUappendrAsetreplaceitems startswithrRsetattrevalr argparse_type)r2r7plugin_prefixes plugin_prefix config_item config_valuecasts rMrDrDs("$O_%2 6}_=>%1}[9:_- E %--c37 )6)<)<)> E %K%%mc&9:6CUCUVaCb #<<FKl1CD,,[9DFKl1CD E ErVc i}tjdtfftttj t tttj ttttj t}|D]-\}}||vs |j|r||||}|||</|jD]\}}t|||y)aSets non-plugin specific values in config from renewalparams :param configuration.NamespaceConfig config: configuration for the current lineage :param configobj.Section renewalparams: parameters from the renewal configuration file that defines this lineage r1N) itertoolschain_restore_pref_challszipBOOL_CONFIG_ITEMSrepeat _restore_boolINT_CONFIG_ITEMS _restore_intSTR_CONFIG_ITEMS _restore_strrRrarc)r2r7updated_valuesrequired_items item_name restore_funcvaluekeys rMrCrCsN__ - .0 y// >? i..|<= i..|<= ?N $2. <  %f.@.@.K M),DEE(-N9 %.%**,$ UU#$rVcz|jDcic]\}}|tjvr||c}}Scc}}w)zRemoves deprecated config options from the parsed renewalparams. :param dict renewalparams: list of parsed renewalparams :returns: list of renewalparams with deprecated config options removed :rtype: dict )rarDEPRECATED_OPTIONS)r7 option_namevs rMrBrBsD4A3F3F3H 6/ Q c44 4 N 66 6s7 unused_namer{cVt|tr|gn|}tj|S)aRestores preferred challenges from a renewal config file. If value is a `str`, it should be a single challenge type. :param str unused_name: option name :param value: option value :type value: `list` of `str` or `str` :returns: converted option value to be stored in the runtime config :rtype: `list` of `str` :raises errors.Error: if value can't be converted to a bool )rSr=rparse_preferred_challenges)rr{s rMrnrns'$"%-UG5E  ) )% 00rVnamecj|j}|dvrtjd|d||dk(S)a#Restores a boolean key-value pair from a renewal config file. :param str name: option name :param str value: option value :returns: converted option value to be stored in the runtime config :rtype: bool :raises errors.Error: if value can't be converted to a bool )truefalsezExpected True or False for z but found r)lowerrrF)rr{lowercase_values rMrrrrs@kkmO//ll8k%QRR f $$rVc|dk(r/|dk(r*tjdtjdS t |S#t $rt jd|wxYw)a#Restores an integer key-value pair from a renewal config file. :param str name: option name :param str value: option value :returns: converted option value to be stored in the runtime config :rtype: int :raises errors.Error: if value can't be converted to an int r,r[z!updating legacy http01_port valuezExpected a numeric value for )r;infor flag_defaultintrErrFrr{s rMrtrtsh }& 78 ..C5z Cll:4&ABBCs A"A#c|dk(rN|tjk(r;tjdtjd|tjdS|dk(rdS|S)zRestores a string key-value pair from a renewal config file. :param str name: option name :param str value: option value :returns: converted option value to be stored in the runtime config :rtype: str or None r z$Using server %s instead of legacy %sr[N)rV1_URIr;r CLI_DEFAULTSrs rMrvrvsZ" xEY%5%55 :**84e =%%h//F?4--rVlineagec|jrtjdy|jrtj dy|j rtj dyt jdy)zDReturn true if any of the circumstances for automatic renewal apply.z+Auto-renewal forced with --force-renewal...Tz0Certificate is due for renewal, auto-renewing...zCCertificate not due for renewal, but simulating renewal for dry runz#Certificate not yet due for renewalF)renew_by_defaultr;r>should_autorenewrdry_run display_utilnotify)r2rs rM should_renewr7s`  BC! FG ~~ YZ=> rVoriginal_serverctj|jr[tj|sE|js8dj |j }t jd|dyyy)z9Do not renew a valid cert with one from a staging server!z, z^You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: z@). We will not do that unless you use the --break-my-certs flag!N)r is_stagingr break_my_certsjoinrGrrF)r2rrrGs rM_avoid_invalidating_lineagerFsu v}}%/(( '--/2ll4497;@@AA)0&rVcRjdr jsyjs jsyjryjj dfdfdfdfdfdfg}|D](}|d st j d |d d y) zDon't allow combining --reuse-key with any flags that would conflict with key reuse (--key-type, --rsa-key-size, --elliptic-curve), unless --new-key is also set. r/Nz --key-typec>jjk7SN)private_key_typer)ktrsrMz,_avoid_reuse_key_conflicts..nsw//5577rVz--rsa-key-sizecDdk(xrjjk7S)Nr )r+r2rrsrMrz,_avoid_reuse_key_conflicts..ps!uL!4!48L8L!LrVz--elliptic-curvecdk(xrCjxr5jjjjk7S)Necdsa)r*rrsrMrz,_avoid_reuse_key_conflicts..rsHwQ7#9#9Q&&,,.'2H2H2N2N2PPrVzUnable to change the rz of this certificate because --reuse-key is set. To stop reusing the private key, specify --no-reuse-key. To change the private key this one time and then reuse it in future, add --new-key.)rRr/new_keyr)rrrF)r2rpotential_conflictsconflictrs`` @rM_avoid_reuse_key_conflictsrSs+&v/?/?   V%5%5~~    B  7 9  L N  Q R (" 8A;=,,' }5!!" ""rVrI le_clientc"|jd}|jdtjd}t |||t |||s|j }|jrB|js6tjj|j}t||nd}|j||\}}}} |jr>t j#dtjj%|j&n^|j)} |j+| ||j,|||j/|j)|j1t3j4|||j6y)zRenew a certificate lineage.r7r Nz(Dry run: skipping updating lineage at %s)rrArrrrrGr/rrpathnormpathprivkey_update_renewal_params_from_keyobtain_certificaterr;r>dirnamecertlatest_common_versionsave_successorpemupdate_all_links_totruncaterr$live_dir) r2rIrrrenewal_paramsrrnew_cert new_chainrZ prior_versions rM renew_certrs6**?;N$((33C3CH3MNOAvw/ --/''""7??3'8&/&B&B7G&T#Hi! ~~ ?QXQ]Q]A^_557 }h YPVW##G$A$A$CD VWg&6&67rVmsgscategorycBfd|D}ddj|zS)z:Format a results report for a category of renewal outcomesc3.K|] }|ddyw)z ()N).0mrs rM zreport..s 51!X & 5sz z )r)rrliness ` rMreportrs! 5 5E &++e$ $$rVrenew_successesrenew_failures renew_skippedparse_failuresctj}tj}|dtj |j rdnd}|r|d|t|d|s;|s9|d|d|j|j |j|d n|r!|s|d |d |t|d n`|r|s|d ||t|dn@|r>|r<|d|d|t|d dz|d||t|d|r|d|t|d|tj y)a Print a report to the terminal about the results of the renewal process. :param configuration.NamespaceConfiguration config: Configuration :param list renew_successes: list of fullchain paths which were renewed :param list renew_failures: list of fullchain paths which failed to be renewed :param list renew_skipped: list of messages to print about skipped certificates :param list parse_failures: list of renewal parameter paths which had errors  zsimulated renewalrenewalz7The following certificates are not due for renewal yet:skippedzNo zs were attempted.NzNo hooks were run.zCongratulations, all z s succeeded: successz@All %ss failed. The following certificates could not be renewed:failurezThe following z s succeeded:zThe following %ss failed:zB Additionally, the following renewal configurations were invalid: parsefail) rrr;r< display_obj SIDE_FRAMErrr%r$r&)r2rrrrr notify_error renewal_nouns rM_renew_describe_resultsrsS F<\N"345 OO '!!-1A1A1M ' ( &|nMBCvoy12 !". 0VNI67 O ~\:;voy1D890,?VNI67  !vnk23 ; ! !"rVctfdjDrtjdjr"t j jg}nt j}g}g}g}g}g}g}tjj xr j}|D]} tjd| zdtj} t j | } t#| | } | s|j1| nL| j3d d lm}t8j:j=}t?| | r|rCtAjBd d }t&jEd |tGjH|d}|jK| || |j1| jL|jO| jQnbtSjT| jWd| jY}|j1| jLd|j[dt]j^| | |ta|||||s|r-tjtc|dtc|dt&j+d||fS#t$$r\} t&j)d| | | t&j+dt-j.|j1| Yd} ~ sd} ~ wwxYw#t$$r} t&j)d| | t&j+dt-j.| r:|j1| jL|jO| jQYd} ~ d} ~ wwxYw)z5Examine each lineage; renew if due and report resultsc3:K|]}|jvywr)rP)rdomainr2s rMrz)handle_renewal_request..s I6++ + IsafCurrently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.z Processing F)pausezTRenewal configuration file %s (cert: %s) produced an unexpected error: %s. Skipping.r6Nr)mainriz3Non-interactive renewal: random delay of %s secondsrz expires on z%Y-%m-%dz-Failed to renew certificate %s with error: %sz renew failure(s), z parse failure(s)zno renewal failures)2anyrIrrFcertnamerrenewal_file_for_certnamerenewal_conf_filessysstdinisattyrandom_sleep_on_renewr notificationcopydeepcopylineagename_for_filenamerN Exceptionr;r<r>r?r@r^ensure_deployedcertbot._internalr plugins_discoPluginsRegistryfind_allrrandomuniformrtimesleepr fullchainextendrGrnotAfterversionrstrftimerrun_generic_updatersrlen)r2 conf_filesrrrrrenewed_domainsfailed_domainsapply_random_sleep renewal_filelineage_config lineagenamerKerplugins sleep_timeexpirys` rMhandle_renewal_requestr s\ I&.. IIllPQ Q77PQ //7 ONMNON!YY--//PF4P4P"<A !!-,">eLv.66|D   ,^\ J + A$%%l3!1132'77@@B0AB)%+^^Av%>  $Y$.0 :.-2*OONG=NO#**+<+F+FG#**+<+B+B+DE(112C2K2K 1 G G I3KLF!((?P?Z?Z)/)D*FG,,^=N-46a<A~FO^)>;ll>"##6s>7J6KK\ ]_ _  LL&' ^ ,,C  LLI'a 9 LL-y/C/C/E F  ! !, /   T A LL?Q  LL-y/C/C/E F %%&7&A&AB%%&7&=&=&?@ As3< K E!L. L+AL&&L+. N=7A;N88N=key_pathct|d5}t|jdt}dddt t j rd|_|j|_ yt |tjr#d|_|jj|_ytj d|dt#|d#1swYxYw)Nrb)passwordbackendr rzKey at z is of an unsupported type: .)openrreadr rSr RSAPrivateKeyr)key_sizer+r EllipticCurvePrivateKeycurverr*rrFtype)r r2file_hr|s rMrrBs h \"6;;=4IZ[\#s(()!ll C33 4! # llWXJ.J4PS9+UVWXX\\s %CC)O__doc__rrlloggingrrrr?typingrrrrrrr r cryptography.hazmat.backendsr )cryptography.hazmat.primitives.asymmetricr r ,cryptography.hazmat.primitives.serializationrcertbotrrrrrrrrrrrcertbot._internal.displayrrcertbot._internal.pluginsrrcertbot.compatrcertbot.displayr getLogger__name__r;rursrpr_rm CONFIG_ITEMSNamespaceConfigr=r8rNrUrDrCrBrnboolrrrrtrvrrrClientrrrlistr rrrVrMr,sM  889M!!$'#%%8<0   8 $ E#M2"?9??')9;KMN @66@ @%-g.C.C%D@F!M$A$A!+238+<!AE!$)EM$A$A)E+238+<)EAE)EX$]-J-J$4;CH4E$JN$2 6gc3h6G 6DQTVYQYN 61c1%S 32G1DQTI1,%%C%D%$CsC3C3C,.s.3.8C=.2 66 AVAV [_  A (E(E A)0)>)> AQT AY] A)"}'D'D)"(/(=(=)"BF)"X8}448xS ?R8 --8292G2G8LP8:%#%#%#% -#M$A$A-#TXY\T]-#,0I-#FJ3i-#,0I-#:>-#`m-=#@#@m-U4QU:EVm-` Yc Y=;X;X Y]a YrV