From 00e06095476700552a00e1200e4551611631b4bf Mon Sep 17 00:00:00 2001 From: Jasmine Schladen Date: Thu, 11 Mar 2021 17:04:28 -0800 Subject: [PATCH 1/8] Doc fix --- docs/administration.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/administration.rst b/docs/administration.rst index af18167e..bad95026 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -875,7 +875,7 @@ account. See :ref:`Using a pre-existing ACME account ` for mor :noindex: This is an optional parameter to indicate the preferred chain to retrieve from ACME when finalizing the order. - This is applicable to Let's Encrypts recent `migration https://letsencrypt.org/certificates/`_ to their + This is applicable to Let's Encrypts recent `migration `_ to their own root, where they provide two distinct certificate chains (fullchain_pem vs. alternative_fullchains_pem); the main chain will be the long chain that is rooted in the expiring DTS root, whereas the alternative chain is rooted in X1 root CA. From 2b7c151426983385306df2134a3f212faf649485 Mon Sep 17 00:00:00 2001 From: Jasmine Schladen Date: Thu, 11 Mar 2021 17:10:13 -0800 Subject: [PATCH 2/8] Add missing dependency --- requirements-docs.in | 1 + requirements-docs.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/requirements-docs.in b/requirements-docs.in index ec12fbea..87663485 100644 --- a/requirements-docs.in +++ b/requirements-docs.in @@ -7,6 +7,7 @@ acme arrow boto3 botocore +certbot certsrv CloudFlare cryptography diff --git a/requirements-docs.txt b/requirements-docs.txt index e3d80774..84357685 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -66,6 +66,7 @@ botocore==1.20.22 # boto3 # moto # s3transfer +certbot==1.13.0 certifi==2020.12.5 # via # -r requirements-tests.txt From 97bdb8a00a2115b58ef6dadccf9d7aa7e5c4a926 Mon Sep 17 00:00:00 2001 
From: Hossein Shafagh Date: Thu, 11 Mar 2021 17:14:51 -0800 Subject: [PATCH 3/8] Change log for 0.8.1 --- CHANGELOG.rst | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 24db16d0..0c850f6a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,36 @@ Changelog ========= +0.8.1 - `2021-03-12` +~~~~~~~~~~~~~~~~~~~~ + +This release includes improvements on many fronts, such as: + +- Notifications: + - Enhanced SNS flow + - Expiration Summary + - CA expiration email +- EC algorithm as the default +- Improved revocation flow +- Localized AWS STS option +- Improved Lemur doc building +- ACME: + - reduced failed attempts to 3x trials + - support for selecting the chain (Let's Encrypt X1 transition) + - revocation + - http01 documentation +- Entrust: + - Support for cross-signed intermediate CA +- Dependency updates and conflict resolutions + +Special thanks to all who contributed to this release, notably: + +- `peschmae `_ +- `atugushev `_ +- `sirferl `_ + + + 0.8.0 - `2020-11-13` ~~~~~~~~~~~~~~~~~~~~ From a630721a3a458b57505dfaf7030a002e1e6ad48a Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Thu, 11 Mar 2021 17:16:03 -0800 Subject: [PATCH 4/8] Update CHANGELOG.rst --- CHANGELOG.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 0c850f6a..a470bdc4 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -21,6 +21,7 @@ This release includes improvements on many fronts, such as: - http01 documentation - Entrust: - Support for cross-signed intermediate CA +- Revised disclosure process - Dependency updates and conflict resolutions Special thanks to all who contributed to this release, notably: From d1c21fa23ae4eeeb80f67283dba270fd20760a02 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Fri, 12 Mar 2021 10:11:47 -0800 Subject: [PATCH 5/8] updating version number --- lemur/__about__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lemur/__about__.py b/lemur/__about__.py index 0926ef33..b0d09167 100644 --- a/lemur/__about__.py +++ b/lemur/__about__.py @@ -15,7 +15,7 @@ __title__ = "lemur" __summary__ = "Certificate management and orchestration service" __uri__ = "https://github.com/Netflix/lemur" -__version__ = "0.8.0" +__version__ = "0.8.1" __author__ = "The Lemur developers" __email__ = "security@netflix.com" From 29b5c554d618a51b9c8a9843251431cd3c13dd32 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Fri, 12 Mar 2021 10:42:59 -0800 Subject: [PATCH 6/8] allow automatic version bumping --- .github/workflows/lemur-publish-release-pypi.yml | 10 ++++++++++ lemur/__about__.py | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/lemur-publish-release-pypi.yml b/.github/workflows/lemur-publish-release-pypi.yml index 26185489..816146d0 100644 --- a/.github/workflows/lemur-publish-release-pypi.yml +++ b/.github/workflows/lemur-publish-release-pypi.yml @@ -18,6 +18,16 @@ jobs: uses: actions/setup-python@v2 with: python-version: '3.x' + - name: Autobump version + run: | + # from refs/tags/v0.8.1 get 0.8.1 + VERSION=$(echo $GITHUB_REF | sed 's#.*/v##') + PLACEHOLDER='__version__ = "develop"' + VERSION_FILE='lemur/__about__.py' + # in case placeholder is missing, exists with code 1 and github actions aborts the build + grep "$PLACEHOLDER" "$VERSION_FILE" + sed -i "s/$PLACEHOLDER/__version__ = \"${VERSION}\"/g" "$VERSION_FILE" + shell: bash - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/lemur/__about__.py b/lemur/__about__.py index b0d09167..2a6db3c1 100644 --- a/lemur/__about__.py +++ b/lemur/__about__.py @@ -15,7 +15,7 @@ __title__ = "lemur" __summary__ = "Certificate management and orchestration service" __uri__ = "https://github.com/Netflix/lemur" -__version__ = "0.8.1" +__version__ = "develop" __author__ = "The Lemur developers" __email__ = "security@netflix.com" 
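Review bot: In the new `Autobump version` step, `VERSION` is derived from the pushed ref and spliced into the `sed` replacement without any check on its shape, so a ref without the `v` prefix, or one containing `/`, `&` or a quote, would either break the `sed` expression or write something other than a version string into `lemur/__about__.py` right before the package is built and published. Quote the ref and reject unexpected values before substituting, e.g. `VERSION=$(echo "$GITHUB_REF" | sed 's#.*/v##')` followed by `[[ "$VERSION" =~ ^[0-9]+(\.[0-9]+)*$ ]] || { echo "unexpected ref: $GITHUB_REF" >&2; exit 1; }` (loosen the pattern if pre-release tags are allowed). `grep "$PLACEHOLDER"` also treats the placeholder as a regular expression; `grep -qF "$PLACEHOLDER" "$VERSION_FILE"` matches it literally and keeps the matched line out of the log. In the comment above that line, "exists with code 1" should read "exits with code 1". The workflow's trigger sits outside the hunk, so which refs can reach this step is assumed rather than visible here.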
From 0d388a85bb2c2350e1dfcf22709b4d40d6eba85b Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 15 Mar 2021 13:49:12 +0000 Subject: [PATCH 7/8] Bump boto3 from 1.17.22 to 1.17.27 Bumps [boto3](https://github.com/boto/boto3) from 1.17.22 to 1.17.27. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.17.22...1.17.27) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 73 +++++++++++++++++++++++++++++++++++++++--- requirements-tests.txt | 61 +++++++++++++++++++++++++++++++++-- requirements.txt | 44 ++++++++++++++++++++++--- 3 files changed, 165 insertions(+), 13 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 84357685..9906a3ea 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -5,7 +5,10 @@ # pip-compile --no-index --output-file=requirements-docs.txt requirements-docs.in # acme==1.13.0 - # via -r requirements-docs.in + # via + # -r requirements-docs.in + # -r requirements-tests.txt + # certbot alabaster==0.7.12 # via sphinx alembic==1.5.5 @@ -48,7 +51,7 @@ blinker==1.4 # flask-mail # flask-principal # raven -boto3==1.17.22 +boto3==1.17.27 # via # -r requirements-docs.in # -r requirements-tests.txt @@ -58,7 +61,7 @@ boto==2.49.0 # via # -r requirements-tests.txt # moto -botocore==1.20.22 +botocore==1.20.27 # via # -r requirements-docs.in # -r requirements-tests.txt @@ -67,6 +70,9 @@ botocore==1.20.22 # moto # s3transfer certbot==1.13.0 + # via + # -r requirements-docs.in + # -r requirements-tests.txt certifi==2020.12.5 # via # -r requirements-tests.txt 
@@ -94,6 +100,14 @@ click==7.1.2 # flask cloudflare==2.8.15 # via -r requirements-docs.in +configargparse==1.4 + # via + # -r requirements-tests.txt + # certbot +configobj==5.0.6 + # via + # -r requirements-tests.txt + # certbot coverage==5.5 # via -r requirements-tests.txt cryptography==3.4.6 @@ -101,6 +115,7 @@ cryptography==3.4.6 # -r requirements-docs.in # -r requirements-tests.txt # acme + # certbot # josepy # moto # paramiko @@ -111,6 +126,10 @@ decorator==4.4.2 # via # -r requirements-tests.txt # networkx +distro==1.5.0 + # via + # -r requirements-tests.txt + # certbot dnspython3==1.15.0 # via -r requirements-docs.in dnspython==1.15.0 @@ -226,7 +245,9 @@ jmespath==0.9.5 josepy==1.7.0 # via # -r requirements-docs.in + # -r requirements-tests.txt # acme + # certbot jsondiff==1.1.2 # via # -r requirements-tests.txt @@ -293,6 +314,10 @@ packaging==20.3 # sphinx paramiko==2.7.2 # via -r requirements-docs.in +parsedatetime==2.6 + # via + # -r requirements-tests.txt + # certbot pathspec==0.8.0 # via # -r requirements-tests.txt @@ -339,6 +364,7 @@ pynacl==1.4.0 pyopenssl==20.0.1 # via # -r requirements-docs.in + # -r requirements-tests.txt # acme # josepy pyparsing==2.4.7 @@ -346,7 +372,10 @@ pyparsing==2.4.7 # -r requirements-tests.txt # packaging pyrfc3339==1.1 - # via acme + # via + # -r requirements-tests.txt + # acme + # certbot pyrsistent==0.16.0 # via # -r requirements-tests.txt @@ -382,6 +411,7 @@ pytz==2019.3 # -r requirements-tests.txt # acme # babel + # certbot # flask-restful # moto # pyrfc3339 @@ -406,7 +436,9 @@ regex==2020.4.4 requests-mock==1.8.0 # via -r requirements-tests.txt requests-toolbelt==0.9.1 - # via acme + # via + # -r requirements-tests.txt + # acme requests==2.25.1 # via # -r requirements-tests.txt @@ -441,6 +473,7 @@ six==1.15.0 # bandit # bcrypt # cfn-lint + # configobj # docker # ecdsa # fakeredis 
@@ -564,6 +597,36 @@ zipp==3.1.0 # -r requirements-tests.txt # importlib-metadata # moto +zope.component==4.6.2 + # via + # -r requirements-tests.txt + # certbot +zope.deferredimport==4.3.1 + # via + # -r requirements-tests.txt + # zope.component +zope.deprecation==4.4.0 + # via + # -r requirements-tests.txt + # zope.component +zope.event==4.5.0 + # via + # -r requirements-tests.txt + # zope.component +zope.hookable==5.0.1 + # via + # -r requirements-tests.txt + # zope.component +zope.interface==5.2.0 + # via + # -r requirements-tests.txt + # certbot + # zope.component + # zope.proxy +zope.proxy==4.3.5 + # via + # -r requirements-tests.txt + # zope.deferredimport # The following packages are considered to be unsafe in a requirements file: # setuptools diff --git a/requirements-tests.txt b/requirements-tests.txt index e0591911..49f56952 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -4,6 +4,8 @@ # # pip-compile --no-index --output-file=requirements-tests.txt requirements-tests.in # +acme==1.13.0 + # via certbot appdirs==1.4.3 # via black attrs==19.3.0 @@ -18,19 +20,20 @@ bandit==1.7.0 # via -r requirements-tests.in black==20.8b1 # via -r requirements-tests.in -boto3==1.17.22 +boto3==1.17.27 # via # aws-sam-translator # moto boto==2.49.0 # via moto -botocore==1.20.22 +botocore==1.20.27 # via # aws-xray-sdk # boto3 # moto # s3transfer certbot==1.13.0 + # via -r requirements-tests.in certifi==2020.12.5 # via requests cffi==1.14.0 @@ -43,15 +46,25 @@ click==7.1.2 # via # black # flask +configargparse==1.4 + # via certbot +configobj==5.0.6 + # via certbot coverage==5.5 # via -r requirements-tests.in cryptography==3.4.6 # via + # acme + # certbot + # josepy # moto + # pyopenssl # python-jose # sshpubkeys decorator==4.4.2 # via networkx +distro==1.5.0 + # via certbot docker==4.2.0 # via moto ecdsa==0.14.1 @@ -95,6 +108,10 @@ jmespath==0.9.5 # via # boto3 # botocore +josepy==1.7.0 + # via + # acme + # certbot jsondiff==1.1.2 # via moto jsonpatch==1.25 
@@ -125,6 +142,8 @@ nose==1.3.7 # via -r requirements-tests.in packaging==20.3 # via pytest +parsedatetime==2.6 + # via certbot pathspec==0.8.0 # via black pbr==5.4.5 @@ -141,8 +160,16 @@ pycparser==2.20 # via cffi pyflakes==2.2.0 # via -r requirements-tests.in +pyopenssl==20.0.1 + # via + # acme + # josepy pyparsing==2.4.7 # via packaging +pyrfc3339==1.1 + # via + # acme + # certbot pyrsistent==0.16.0 # via jsonschema pytest-flask==1.2.0 @@ -163,7 +190,11 @@ python-dateutil==2.8.1 python-jose[cryptography]==3.1.0 # via moto pytz==2019.3 - # via moto + # via + # acme + # certbot + # moto + # pyrfc3339 pyyaml==5.4.1 # via # -r requirements-tests.in @@ -176,11 +207,15 @@ regex==2020.4.4 # via black requests-mock==1.8.0 # via -r requirements-tests.in +requests-toolbelt==0.9.1 + # via acme requests==2.25.1 # via + # acme # docker # moto # requests-mock + # requests-toolbelt # responses responses==0.10.12 # via moto @@ -193,12 +228,15 @@ six==1.15.0 # aws-sam-translator # bandit # cfn-lint + # configobj # docker # ecdsa # fakeredis + # josepy # jsonschema # moto # packaging + # pyopenssl # pyrsistent # python-dateutil # python-jose @@ -243,6 +281,23 @@ zipp==3.1.0 # via # importlib-metadata # moto +zope.component==4.6.2 + # via certbot +zope.deferredimport==4.3.1 + # via zope.component +zope.deprecation==4.4.0 + # via zope.component +zope.event==4.5.0 + # via zope.component +zope.hookable==5.0.1 + # via zope.component +zope.interface==5.2.0 + # via + # certbot + # zope.component + # zope.proxy +zope.proxy==4.3.5 + # via zope.deferredimport # The following packages are considered to be unsafe in a requirements file: # setuptools diff --git a/requirements.txt b/requirements.txt index 586f6a5c..c70b42c9 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -5,7 +5,9 @@ # pip-compile --no-index --output-file=requirements.txt requirements.in # acme==1.13.0 - # via -r requirements.in + # via + # -r requirements.in + # certbot alembic-autogenerate-enums==0.0.2 # via -r requirements.in alembic==1.4.2 @@ -31,9 +33,9 @@ blinker==1.4 # flask-mail # flask-principal # raven -boto3==1.17.22 +boto3==1.17.27 # via -r requirements.in -botocore==1.20.22 +botocore==1.20.27 # via # -r requirements.in # boto3 @@ -41,6 +43,7 @@ botocore==1.20.22 celery[redis]==4.4.2 # via -r requirements.in certbot==1.13.0 + # via -r requirements.in certifi==2020.12.5 # via # -r requirements.in @@ -58,13 +61,20 @@ click==7.1.2 # via flask cloudflare==2.8.15 # via -r requirements.in +configargparse==1.4 + # via certbot +configobj==5.0.6 + # via certbot cryptography==3.4.6 # via # -r requirements.in # acme + # certbot # josepy # paramiko # pyopenssl +distro==1.5.0 + # via certbot dnspython3==1.15.0 # via -r requirements.in dnspython==1.15.0 @@ -126,7 +136,9 @@ jmespath==0.9.5 # boto3 # botocore josepy==1.7.0 - # via acme + # via + # acme + # certbot jsonlines==1.2.0 # via cloudflare kombu==4.6.8 @@ -151,6 +163,8 @@ ndg-httpsclient==0.5.1 # via -r requirements.in paramiko==2.7.2 # via -r requirements.in +parsedatetime==2.6 + # via certbot pem==21.1.0 # via -r requirements.in psycopg2==2.8.6 @@ -182,7 +196,9 @@ pyopenssl==20.0.1 # josepy # ndg-httpsclient pyrfc3339==1.1 - # via acme + # via + # acme + # certbot python-dateutil==2.8.1 # via # alembic @@ -198,6 +214,7 @@ pytz==2019.3 # via # acme # celery + # certbot # flask-restful # pyrfc3339 pyyaml==5.4.1 @@ -228,6 +245,7 @@ six==1.15.0 # via # -r requirements.in # bcrypt + # configobj # flask-cors # flask-restful # hvac 
@@ -264,6 +282,22 @@ werkzeug==1.0.1 # via flask xmltodict==0.12.0 # via -r requirements.in +zope.component==4.6.2 + # via certbot +zope.deferredimport==4.3.1 + # via zope.component +zope.deprecation==4.4.0 + # via zope.component +zope.event==4.5.0 + # via zope.component +zope.hookable==5.0.1 + # via zope.component +zope.interface==5.2.0 + # via + # certbot + # zope.component +zope.proxy==4.3.5 + # via zope.deferredimport # The following packages are considered to be unsafe in a requirements file: # setuptools From d097da685aba578d896b4c4b765d33eb8f1d9232 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 15 Mar 2021 18:06:22 +0000 Subject: [PATCH 8/8] Bump pre-commit from 2.11.0 to 2.11.1 Bumps [pre-commit](https://github.com/pre-commit/pre-commit) from 2.11.0 to 2.11.1. - [Release notes](https://github.com/pre-commit/pre-commit/releases) - [Changelog](https://github.com/pre-commit/pre-commit/blob/master/CHANGELOG.md) - [Commits](https://github.com/pre-commit/pre-commit/compare/v2.11.0...v2.11.1) Signed-off-by: dependabot-preview[bot] --- requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 8bd7fe60..f6ea8caa 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -50,7 +50,7 @@ packaging==20.9 # via bleach pkginfo==1.5.0.1 # via twine -pre-commit==2.11.0 +pre-commit==2.11.1 # via -r requirements-dev.in pycodestyle==2.6.0 # via flake8