Certbot
Revision 1 as of 2017-07-18 18:20:13 (comment: Initial draft)
This document describes the policy for updating the Certbot-related packages (currently the source packages python-acme, python-certbot, python-certbot-apache and python-certbot-nginx) to new upstream versions in a stable, supported distro (including LTS releases). This is an exception to the standard SRU process and includes new features under the SRU "new features for LTS" exception.
The primary purpose of certbot is to automatically obtain and configure SSL certificates. Certificates are obtained using the ACME protocol, which involves a validation step to "prove" ownership of a configured domain, for example by configuring a web server to respond with a correct token when queried using the domain requested. Once obtained, certbot then configures the web server with the issued certificate.
Certbot is under active development upstream. Feature work generally involves better integration with the platform (e.g. web server daemons). For example, a recent update enhanced certbot to correctly configure web server daemons when multiple virtual domains are configured. As Ubuntu Server LTS is one of the most commonly used platforms for serving websites, and we want to promote the "HTTPS everywhere" initiative, it makes sense for the LTS to be updated with these types of enhancements.
Requesting the SRU
The SRU should be done with a single process bug, instead of individual bug reports for individual bug fixes. The one bug should have the following:
- The SRU should be requested per the StableReleaseUpdates documented process.
- The template at the end of this document should be used and all ‘TODO’ filled out.
- Major changes should be called out in the SRU template, especially where changed behavior is not backwards compatible.
QA Process
Upstream carries out extensive testing:
- Nosetest unit tests with coverage for each module between 97% and 100%; *test.py in the relevant tree.
- Integration tests that run Certbot against the current copy of Let's Encrypt's server-side boulder codebase. These require Docker and are a little more involved to run. See tests/boulder_integration.sh for instructions.
- "Compatibility tests" that run the Apache and Nginx plugins against corpora of configuration files for those web servers; these live in certbot-compatibility-test/.
- Test farm tests, which upstream uses to check that its releases run correctly on a wide range of platforms. These spin up Amazon EC2 instances for numerous OSes and run various tests on them. They live in tests/letstest.
Packaging includes a dep8 smoke test.
SRU Verification Process
The following must be verified before a proposed update is marked verification-done:
- TBC
- Verify that dep8 has passed by checking http://people.canonical.com/~ubuntu-archive/pending-sru.html
- Comment in the bug detailing that these checks have been performed and list the package versions verified.
SRU Template
This bug tracks an update for the Certbot family of packages, version TODO.
This update includes [TODO: remove one] bugfixes only/new features following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/Certbot.
[Impact]
[Test Plan]
See https://wiki.ubuntu.com/StableReleaseUpdates/Certbot#SRU_Verification_Process
[Regression Potential]
StableReleaseUpdates/Certbot (last edited 2025-06-25 19:20:16 by ahasenack)