From d5ae45a0d0e6f07297c7b26c81fb4b88bfbd6c51 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Tue, 14 Jul 2020 17:35:13 -0700 Subject: [PATCH 01/14] Let's Encrypt has been using a cross-signed intermediate CA by DST Root CA X3, which is included in any older devices' TrustStore. https://letsencrypt.org/certificates/ Let's Encrypt is transitioning to use the intermediate CA issued by their own root (ISRG X1) starting from September 29th 2020. This is in preparation of concluding the initial bootstrapping of their CA, by having it cross-signed by an older CA. https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html This PR allows Lemur to pin to the cross-signed ICA (same public/private key pair as the ICA signed by ISRG X1). This will prolong support for incompatible systems. --- lemur/plugins/lemur_acme/plugin.py | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/lemur/plugins/lemur_acme/plugin.py b/lemur/plugins/lemur_acme/plugin.py index 3fc1df61..16d61a0f 100644 --- a/lemur/plugins/lemur_acme/plugin.py +++ b/lemur/plugins/lemur_acme/plugin.py @@ -205,9 +205,15 @@ class AcmeHandler(object): OpenSSL.crypto.FILETYPE_PEM, orderr.fullchain_pem ), ).decode() - pem_certificate_chain = orderr.fullchain_pem[ - len(pem_certificate) : # noqa - ].lstrip() + + if current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA", False) \ + and datetime.datetime.now() < datetime.datetime.strptime( + current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'): + pem_certificate_chain = current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA") + else: + pem_certificate_chain = orderr.fullchain_pem[ + len(pem_certificate) : # noqa + ].lstrip() current_app.logger.debug( "{0} {1}".format(type(pem_certificate), type(pem_certificate_chain)) From 231796780256b91cf29e78c19909252ea234fe65 Mon Sep 17 00:00:00 2001 
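Review bot: The chain from `IDENTRUST_CROSS_SIGNED_LE_ICA` replaces the ACME-provided chain without any check that the pinned intermediate actually issued `pem_certificate`; the only gate is the calendar comparison, so if the CA starts signing leaves with a different intermediate key before `IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE` passes, Lemur stores and deploys a chain that does not validate. Loading both certificates with the `OpenSSL.crypto` helpers the hunk already uses and comparing the leaf issuer with the pinned subject (a full signature check would be stronger) lets the code fall back to the ACME chain with a warning on mismatch, as sketched below. Two smaller points on the same lines: `datetime.datetime.now()` is naive local time while the expiry is presumably meant in UTC (the docs patch annotates it as GMT), so `utcnow()` is the safer comparison, and a malformed date string raises `ValueError` from `strptime` in the middle of issuance rather than at config load. The enclosing `request_certificate` starts and ends outside the hunk.
```python
pinned_pem = current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA")
pin_until = datetime.datetime.strptime(
    current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"),
    "%d/%m/%y",
)
pem_certificate_chain = None
if pinned_pem and datetime.datetime.utcnow() < pin_until:
    pinned = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, pinned_pem)
    leaf = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, pem_certificate)
    if leaf.get_issuer() == pinned.get_subject():
        pem_certificate_chain = pinned_pem
    else:
        current_app.logger.warning(
            "Pinned cross-signed ICA did not issue the returned certificate; using the ACME chain"
        )
if pem_certificate_chain is None:
    pem_certificate_chain = orderr.fullchain_pem[
        len(pem_certificate) :  # noqa
    ].lstrip()
# … unchanged: debug log of chain types …
```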
From: Hossein Shafagh Date: Wed, 15 Jul 2020 17:04:49 -0700 Subject: [PATCH 02/14] lack of an empty config file was resulting into this error ``` Traceback (most recent call last): File "/home/travis/build/Netflix/lemur/lemur/plugins/lemur_acme/tests/test_acme.py", line 159, in test_request_certificate self.acme.request_certificate(mock_acme, [], mock_order) File "/home/travis/build/Netflix/lemur/lemur/plugins/lemur_acme/plugin.py", line 211, in request_certificate current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'): TypeError: strptime() argument 1 must be str, not MagicMock ``` --- lemur/plugins/lemur_acme/tests/test_acme.py | 1 + 1 file changed, 1 insertion(+) diff --git a/lemur/plugins/lemur_acme/tests/test_acme.py b/lemur/plugins/lemur_acme/tests/test_acme.py index 94949a74..8320a2de 100644 --- a/lemur/plugins/lemur_acme/tests/test_acme.py +++ b/lemur/plugins/lemur_acme/tests/test_acme.py @@ -156,6 +156,7 @@ class TestAcme(unittest.TestCase): mock_acme.fetch_chain = Mock(return_value="mock_chain") mock_crypto.dump_certificate = Mock(return_value=b"chain") mock_order = Mock() + mock_current_app.config = {} self.acme.request_certificate(mock_acme, [], mock_order) def test_setup_acme_client_fail(self): From 0607520f93539a914fbf67e9c09037c21c8dc4ea Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 27 Jul 2020 13:40:35 +0000 Subject: [PATCH 03/14] Bump botocore from 1.17.23 to 1.17.28 Bumps [botocore](https://github.com/boto/botocore) from 1.17.23 to 1.17.28. - [Release notes](https://github.com/boto/botocore/releases) - [Changelog](https://github.com/boto/botocore/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/botocore/compare/1.17.23...1.17.28) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements-tests.txt | 2 +- requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
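Review bot: Setting `mock_current_app.config = {}` only drives `request_certificate` through the fallback branch, so the pinning logic added in the previous patch (config present with a future expiry, and config present with a past expiry) has no coverage and a regression in either branch, or in the `%d/%m/%y` parsing, would go unnoticed. A second test with `mock_current_app.config = {"IDENTRUST_CROSS_SIGNED_LE_ICA": "pinned-chain", "IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE": "01/01/68"}` (2068 under `%y`'s two-digit-year pivot; `01/01/99` would parse as 1999) and a third with `"01/01/01"` would pin both paths. What to assert on depends on what `request_certificate` returns, which is not visible here; `test_request_certificate` starts outside the hunk.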
diff --git a/requirements-docs.txt b/requirements-docs.txt index c37fbb20..aa2e50ee 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -18,7 +18,7 @@ beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven boto3==1.14.23 # via -r requirements.txt -botocore==1.17.23 # via -r requirements.txt, boto3, s3transfer +botocore==1.17.28 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests certsrv==2.1.1 # via -r requirements.txt diff --git a/requirements-tests.txt b/requirements-tests.txt index a3f037e9..bd5eb0e0 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -12,7 +12,7 @@ bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in boto3==1.14.23 # via aws-sam-translator, moto boto==2.49.0 # via moto -botocore==1.17.23 # via aws-xray-sdk, boto3, moto, s3transfer +botocore==1.17.28 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests cffi==1.14.0 # via cryptography cfn-lint==0.29.5 # via moto diff --git a/requirements.txt b/requirements.txt index a42fe3f6..0295a2bf 100644 --- a/requirements.txt +++ b/requirements.txt @@ -16,7 +16,7 @@ beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven boto3==1.14.23 # via -r requirements.in -botocore==1.17.23 # via -r requirements.in, boto3, s3transfer +botocore==1.17.28 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests certsrv==2.1.1 # via -r requirements.in From 276229db4a9cd82b49fd8020ef161268724c91e4 Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 27 Jul 2020 17:32:39 +0000 Subject: [PATCH 04/14] Bump coverage from 5.2 to 5.2.1 Bumps [coverage](https://github.com/nedbat/coveragepy) from 5.2 to 5.2.1. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/coverage-5.2...coverage-5.2.1) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index bd5eb0e0..aa5c6ca0 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -18,7 +18,7 @@ cffi==1.14.0 # via cryptography cfn-lint==0.29.5 # via moto chardet==3.0.4 # via requests click==7.1.1 # via black, flask -coverage==5.2 # via -r requirements-tests.in +coverage==5.2.1 # via -r requirements-tests.in cryptography==2.9.2 # via moto, sshpubkeys decorator==4.4.2 # via networkx docker==4.2.0 # via moto From 560894befb4a6c68c5a955ce76c2e7449117d715 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 27 Jul 2020 17:45:03 +0000 Subject: [PATCH 05/14] Bump hvac from 0.10.4 to 0.10.5 Bumps [hvac](https://github.com/hvac/hvac) from 0.10.4 to 0.10.5. - [Release notes](https://github.com/hvac/hvac/releases) - [Changelog](https://github.com/hvac/hvac/blob/develop/CHANGELOG.md) - [Commits](https://github.com/hvac/hvac/compare/v0.10.4...v0.10.5) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index aa2e50ee..20021b9c 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
@@ -43,7 +43,7 @@ flask-sqlalchemy==2.4.4 # via -r requirements.txt, flask-migrate flask==1.1.2 # via -r requirements.txt, flask-bcrypt, flask-cors, flask-mail, flask-migrate, flask-principal, flask-restful, flask-script, flask-sqlalchemy, raven future==0.18.2 # via -r requirements.txt gunicorn==20.0.4 # via -r requirements.txt -hvac==0.10.4 # via -r requirements.txt +hvac==0.10.5 # via -r requirements.txt idna==2.9 # via -r requirements.txt, requests imagesize==1.2.0 # via sphinx inflection==0.5.0 # via -r requirements.txt diff --git a/requirements.txt b/requirements.txt index 0295a2bf..a142caec 100644 --- a/requirements.txt +++ b/requirements.txt @@ -41,7 +41,7 @@ flask-sqlalchemy==2.4.4 # via -r requirements.in, flask-migrate flask==1.1.2 # via -r requirements.in, flask-bcrypt, flask-cors, flask-mail, flask-migrate, flask-principal, flask-restful, flask-script, flask-sqlalchemy, raven future==0.18.2 # via -r requirements.in gunicorn==20.0.4 # via -r requirements.in -hvac==0.10.4 # via -r requirements.in +hvac==0.10.5 # via -r requirements.in idna==2.9 # via requests inflection==0.5.0 # via -r requirements.in itsdangerous==1.1.0 # via flask From 99628aface0af40cf49f7a0a70a57d7fb0101610 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 27 Jul 2020 17:58:40 +0000 Subject: [PATCH 06/14] Bump arrow from 0.15.7 to 0.15.8 Bumps [arrow](https://github.com/arrow-py/arrow) from 0.15.7 to 0.15.8. - [Release notes](https://github.com/arrow-py/arrow/releases) - [Changelog](https://github.com/arrow-py/arrow/blob/master/CHANGELOG.rst) - [Commits](https://github.com/arrow-py/arrow/compare/0.15.7...0.15.8) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 20021b9c..1abb61d2 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
@@ -10,7 +10,7 @@ alembic-autogenerate-enums==0.0.2 # via -r requirements.txt alembic==1.4.2 # via -r requirements.txt, flask-migrate amqp==2.5.2 # via -r requirements.txt, kombu aniso8601==8.0.0 # via -r requirements.txt, flask-restful -arrow==0.15.7 # via -r requirements.txt +arrow==0.15.8 # via -r requirements.txt asyncpool==1.0 # via -r requirements.txt babel==2.8.0 # via sphinx bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko diff --git a/requirements.txt b/requirements.txt index a142caec..1e98e717 100644 --- a/requirements.txt +++ b/requirements.txt @@ -9,7 +9,7 @@ alembic-autogenerate-enums==0.0.2 # via -r requirements.in alembic==1.4.2 # via flask-migrate amqp==2.5.2 # via kombu aniso8601==8.0.0 # via flask-restful -arrow==0.15.7 # via -r requirements.in +arrow==0.15.8 # via -r requirements.in asyncpool==1.0 # via -r requirements.in bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare From 69bfe48cbe0b21d510873a886dea421669a5a748 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 27 Jul 2020 18:11:16 +0000 Subject: [PATCH 07/14] Bump cloudflare from 2.8.6 to 2.8.8 Bumps [cloudflare](https://github.com/cloudflare/python-cloudflare) from 2.8.6 to 2.8.8. - [Release notes](https://github.com/cloudflare/python-cloudflare/releases) - [Changelog](https://github.com/cloudflare/python-cloudflare/blob/master/CHANGELOG.md) - [Commits](https://github.com/cloudflare/python-cloudflare/compare/2.8.6...2.8.8) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 1abb61d2..2eefbfa5 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
@@ -25,7 +25,7 @@ certsrv==2.1.1 # via -r requirements.txt cffi==1.14.0 # via -r requirements.txt, bcrypt, cryptography, pynacl chardet==3.0.4 # via -r requirements.txt, requests click==7.1.1 # via -r requirements.txt, flask -cloudflare==2.8.6 # via -r requirements.txt +cloudflare==2.8.8 # via -r requirements.txt cryptography==2.9.2 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.txt dnspython==1.15.0 # via -r requirements.txt, dnspython3 diff --git a/requirements.txt b/requirements.txt index 1e98e717..52beb419 100644 --- a/requirements.txt +++ b/requirements.txt @@ -23,7 +23,7 @@ certsrv==2.1.1 # via -r requirements.in cffi==1.14.0 # via bcrypt, cryptography, pynacl chardet==3.0.4 # via requests click==7.1.1 # via flask -cloudflare==2.8.6 # via -r requirements.in +cloudflare==2.8.8 # via -r requirements.in cryptography==2.9.2 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.in dnspython==1.15.0 # via dnspython3 From 1e90bb2d0b4accac83a799b5d73fcaebb3c00546 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 27 Jul 2020 18:26:11 +0000 Subject: [PATCH 08/14] Bump boto3 from 1.14.23 to 1.14.28 Bumps [boto3](https://github.com/boto/boto3) from 1.14.23 to 1.14.28. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.14.23...1.14.28) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements-tests.txt | 2 +- requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 2eefbfa5..32ffc73e 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
@@ -17,7 +17,7 @@ bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven -boto3==1.14.23 # via -r requirements.txt +boto3==1.14.28 # via -r requirements.txt botocore==1.17.28 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests diff --git a/requirements-tests.txt b/requirements-tests.txt index aa5c6ca0..d6e149cc 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -10,7 +10,7 @@ aws-sam-translator==1.22.0 # via cfn-lint aws-xray-sdk==2.5.0 # via moto bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in -boto3==1.14.23 # via aws-sam-translator, moto +boto3==1.14.28 # via aws-sam-translator, moto boto==2.49.0 # via moto botocore==1.17.28 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests diff --git a/requirements.txt b/requirements.txt index 52beb419..afb04ddb 100644 --- a/requirements.txt +++ b/requirements.txt @@ -15,7 +15,7 @@ bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven -boto3==1.14.23 # via -r requirements.in +boto3==1.14.28 # via -r requirements.in botocore==1.17.28 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests From 4752e1047234c99f8334e7a8c2ceaa4efee9fd01 Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 27 Jul 2020 18:40:59 +0000 Subject: [PATCH 09/14] Bump cryptography from 2.9.2 to 3.0 Bumps [cryptography](https://github.com/pyca/cryptography) from 2.9.2 to 3.0. - [Release notes](https://github.com/pyca/cryptography/releases) - [Changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/2.9.2...3.0) Signed-off-by: dependabot-preview[bot] --- requirements-dev.txt | 2 +- requirements-docs.txt | 2 +- requirements-tests.txt | 2 +- requirements.txt | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 6c8df1e4..2299848e 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -11,7 +11,7 @@ cffi==1.14.0 # via cryptography cfgv==3.1.0 # via pre-commit chardet==3.0.4 # via requests colorama==0.4.3 # via twine -cryptography==2.9.2 # via secretstorage +cryptography==3.0 # via secretstorage distlib==0.3.0 # via virtualenv docutils==0.16 # via readme-renderer filelock==3.0.12 # via virtualenv diff --git a/requirements-docs.txt b/requirements-docs.txt index 32ffc73e..4f70314f 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -26,7 +26,7 @@ cffi==1.14.0 # via -r requirements.txt, bcrypt, cryptography, pynac chardet==3.0.4 # via -r requirements.txt, requests click==7.1.1 # via -r requirements.txt, flask cloudflare==2.8.8 # via -r requirements.txt -cryptography==2.9.2 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests +cryptography==3.0 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.txt dnspython==1.15.0 # via -r requirements.txt, dnspython3 docutils==0.15.2 # via -r requirements.txt, botocore, sphinx diff --git a/requirements-tests.txt b/requirements-tests.txt index d6e149cc..cd625630 100644 --- a/requirements-tests.txt 
+++ b/requirements-tests.txt @@ -19,7 +19,7 @@ cfn-lint==0.29.5 # via moto chardet==3.0.4 # via requests click==7.1.1 # via black, flask coverage==5.2.1 # via -r requirements-tests.in -cryptography==2.9.2 # via moto, sshpubkeys +cryptography==3.0 # via moto, sshpubkeys decorator==4.4.2 # via networkx docker==4.2.0 # via moto docutils==0.15.2 # via botocore diff --git a/requirements.txt b/requirements.txt index afb04ddb..a57f6205 100644 --- a/requirements.txt +++ b/requirements.txt @@ -24,7 +24,7 @@ cffi==1.14.0 # via bcrypt, cryptography, pynacl chardet==3.0.4 # via requests click==7.1.1 # via flask cloudflare==2.8.8 # via -r requirements.in -cryptography==2.9.2 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests +cryptography==3.0 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.in dnspython==1.15.0 # via dnspython3 docutils==0.15.2 # via botocore From e7c684724abbb00c072d88a67afb9df6e447765e Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Fri, 31 Jul 2020 17:54:18 -0700 Subject: [PATCH 10/14] fixing Dockerfile, Lemur builds now --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index fc83a034..a7f8c878 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,6 +4,7 @@ RUN apt-get install -y make software-properties-common curl RUN curl -sL https://deb.nodesource.com/setup_7.x | bash - RUN apt-get update RUN apt-get install -y npm libldap2-dev libsasl2-dev libldap2-dev libssl-dev +RUN pip install pip==20.0.2 RUN pip install -U setuptools RUN pip install coveralls bandit WORKDIR /app From 57e06cf1db7aed6d1062fbfffa2bc7435331a3c6 Mon Sep 17 00:00:00 2001 
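Review bot: `RUN pip install pip==20.0.2` pins pip with no record of why, and the commit message ("Lemur builds now") does not name the pip release that broke the build, so the next maintainer cannot tell when the pin is safe to drop; a comment on the line such as `# newer pip releases break the Lemur build; revisit before bumping` would carry that context. The line that follows, `RUN pip install -U setuptools`, and the unpinned `coveralls bandit` install still resolve to whatever is current at build time, so the pin makes only one of the image's Python installs reproducible; pinning those too, or installing them from a hashed requirements file, would complete it.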
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 3 Aug 2020 13:36:46 +0000 Subject: [PATCH 11/14] Bump pytest from 5.4.3 to 6.0.1 Bumps [pytest](https://github.com/pytest-dev/pytest) from 5.4.3 to 6.0.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/5.4.3...6.0.1) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index cd625630..3d5c4318 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -34,6 +34,7 @@ gitdb==4.0.4 # via gitpython gitpython==3.1.1 # via bandit idna==2.8 # via moto, requests importlib-metadata==1.6.0 # via jsonpickle +iniconfig==1.0.1 # via pytest itsdangerous==1.1.0 # via flask jinja2==2.11.2 # via flask, moto jmespath==0.9.5 # via boto3, botocore @@ -52,7 +53,7 @@ packaging==20.3 # via pytest pathspec==0.8.0 # via black pbr==5.4.5 # via stevedore pluggy==0.13.1 # via pytest -py==1.8.1 # via pytest +py==1.9.0 # via pytest pyasn1==0.4.8 # via python-jose, rsa pycparser==2.20 # via cffi pyflakes==2.2.0 # via -r requirements-tests.in @@ -60,7 +61,7 @@ pyparsing==2.4.7 # via packaging pyrsistent==0.16.0 # via jsonschema pytest-flask==1.0.0 # via -r requirements-tests.in pytest-mock==3.2.0 # via -r requirements-tests.in -pytest==5.4.3 # via -r requirements-tests.in, pytest-flask, pytest-mock +pytest==6.0.1 # via -r requirements-tests.in, pytest-flask, pytest-mock python-dateutil==2.8.1 # via botocore, faker, freezegun, moto python-jose==3.1.0 # via moto pytz==2019.3 # via moto 
@@ -78,10 +79,9 @@ sortedcontainers==2.1.0 # via fakeredis sshpubkeys==3.1.0 # via moto stevedore==1.32.0 # via bandit text-unidecode==1.3 # via faker -toml==0.10.0 # via black +toml==0.10.0 # via black, pytest typed-ast==1.4.1 # via black urllib3==1.25.8 # via botocore, requests -wcwidth==0.1.9 # via pytest websocket-client==0.57.0 # via docker werkzeug==1.0.1 # via flask, moto, pytest-flask wrapt==1.12.1 # via aws-xray-sdk From c80a3390e77ed826e8b81c816c2f315c51dca714 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 3 Aug 2020 17:27:26 +0000 Subject: [PATCH 12/14] Bump botocore from 1.17.28 to 1.17.33 Bumps [botocore](https://github.com/boto/botocore) from 1.17.28 to 1.17.33. - [Release notes](https://github.com/boto/botocore/releases) - [Changelog](https://github.com/boto/botocore/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/botocore/compare/1.17.28...1.17.33) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements-tests.txt | 2 +- requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 4f70314f..63af4e4a 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -18,7 +18,7 @@ beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven boto3==1.14.28 # via -r requirements.txt -botocore==1.17.28 # via -r requirements.txt, boto3, s3transfer +botocore==1.17.33 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests certsrv==2.1.1 # via -r requirements.txt diff --git a/requirements-tests.txt b/requirements-tests.txt index 3d5c4318..3212f033 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt 
@@ -12,7 +12,7 @@ bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in boto3==1.14.28 # via aws-sam-translator, moto boto==2.49.0 # via moto -botocore==1.17.28 # via aws-xray-sdk, boto3, moto, s3transfer +botocore==1.17.33 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests cffi==1.14.0 # via cryptography cfn-lint==0.29.5 # via moto diff --git a/requirements.txt b/requirements.txt index a57f6205..eb4be2fd 100644 --- a/requirements.txt +++ b/requirements.txt @@ -16,7 +16,7 @@ beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven boto3==1.14.28 # via -r requirements.in -botocore==1.17.28 # via -r requirements.in, boto3, s3transfer +botocore==1.17.33 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests certsrv==2.1.1 # via -r requirements.in From 117c0bab044db58c74afcf863392d7c2f55fe059 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 3 Aug 2020 17:38:07 +0000 Subject: [PATCH 13/14] Bump boto3 from 1.14.28 to 1.14.33 Bumps [boto3](https://github.com/boto/boto3) from 1.14.28 to 1.14.33. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.14.28...1.14.33) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements-tests.txt | 2 +- requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 63af4e4a..3d1ed54c 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
@@ -17,7 +17,7 @@ bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven -boto3==1.14.28 # via -r requirements.txt +boto3==1.14.33 # via -r requirements.txt botocore==1.17.33 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests diff --git a/requirements-tests.txt b/requirements-tests.txt index 3212f033..7fd13f76 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -10,7 +10,7 @@ aws-sam-translator==1.22.0 # via cfn-lint aws-xray-sdk==2.5.0 # via moto bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in -boto3==1.14.28 # via aws-sam-translator, moto +boto3==1.14.33 # via aws-sam-translator, moto boto==2.49.0 # via moto botocore==1.17.33 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests diff --git a/requirements.txt b/requirements.txt index eb4be2fd..46723b0d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -15,7 +15,7 @@ bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven -boto3==1.14.28 # via -r requirements.in +boto3==1.14.33 # via -r requirements.in botocore==1.17.33 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests From 084f9a14f4177e5576304d83597cc74694a1a0e2 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Mon, 3 Aug 2020 16:14:14 -0700 Subject: [PATCH 14/14] updating documentation for cross-signed ICA --- docs/production/index.rst | 50 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) 
diff --git a/docs/production/index.rst b/docs/production/index.rst index b91ed6bd..67e97dae 100644 --- a/docs/production/index.rst +++ b/docs/production/index.rst 
@@ -451,3 +451,53 @@ LetsEncrypt flow to function. However, Lemur will attempt to automatically deter possible. To enable this functionality, periodically (or through Cron/Celery) run `lemur dns_providers get_all_zones`. This command will traverse all DNS providers, determine which zones they control, and upload this list of zones to Lemur's database (in the dns_providers table). Alternatively, you can manually input this data. + + +LetsEncrypt: pinning to cross-signed ICA +---------------------------------------- + +Let's Encrypt has been using a `cross-signed `_ intermediate CA by DST Root CA X3, +which is included in many older devices' TrustStore. + + +Let's Encrypt is `transitioning `_ to use +the intermediate CA issued by their own root (ISRG X1) starting from September 29th 2020. +This is in preparation of concluding the initial bootstrapping of their CA, by having it cross-signed by an older CA. + + +Lemur can temporarily pin to the cross-signed intermediate CA (same public/private key pair as the ICA signed by ISRG X1). +This will prolong support for incompatible devices. 
+ +The following must be added to the config file to activate the pinning (the pinning will be removed by September 2021):: + + # remove or update after Mar 17 16:40:46 2021 GMT + IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE = "17/03/21" + IDENTRUST_CROSS_SIGNED_LE_ICA = """ + -----BEGIN CERTIFICATE----- + MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ + MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT + DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow + SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT + GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC + AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF + q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 + SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 + Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA + a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj + /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T + AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG + CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv + bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k + c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw + VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC + ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz + MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu + Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF + AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo + uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ + wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu + X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG + PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 + KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== + -----END CERTIFICATE----- + """