2025-06-13 08:47:01 by Adam Ciarcinski | Files touched by this commit (22) |  |
Log message:
py-acme py-certbot*: updated to 4.1.1
Certbot 4.1.1
Fixed
When a CA fails to issue a certificate after finalization, print the ACME error
from the order
No longer checks ARI during certbot --dry-run, because --dry-run uses staging
when used with Let's Encrypt but the cert was issued against the default server.
This would emit a scary warning, even though the cert would renew successfully.
Contacting the CA to check ARI is now skipped for certificate lineages that
have autorenew set to False.
Certbot 4.1.0
Added
ACME Renewal Info (ARI) support.
https://datatracker.ietf.org/doc/draft-ietf-acme-ari/
certbot renew will automatically check ARI when using an ACME server that
supports it, and may renew early based on the ARI information. For Let's Encrypt
certificates this will typically cause renewal at around 2/3rds of the
certificate's lifetime, even if the renew_before_expiry field of a lineage
renewal config is set to a later date.
Changed
Switched to src-layout from flat-layout to accommodate PEP 517 pip editable installs
acme.client.ClientNetwork now makes the "key" parameter optional.
Deprecated acme.challenges.TLSALPN01Response
Deprecated acme.challenges.TLSALPN01
Deprecated parameter alpn_protocols from acme.crypto_util.probe_sni
Deprecated acme.crypto_util.SSLSocket
Deprecated acme.standalone.TLSServer
Deprecated acme.standalone.TLSALPN01Server
Deprecated parameter enforce_openssl_binary_usage from certbot.ocsp.RevocationChecker.
Dropped support for Python 3.9.0 and 3.9.1 for compatibility with newer
versions of the cryptography Python package. Python 3.9.2+ is still
supported.
Fixed
Order finalization now catches orderNotReady response, polls until order status is
ready, and resubmits finalization request before polling for valid to download
certificate. This conforms to RFC 8555 more accurately and avoids race conditions
where all authorizations are fulfilled but order has not yet transitioned to ready
state on the server when the finalization request is sent. It also respects
retry-after when polling for finalization readiness.
The --preferred-profile and --required-profile flags now have their values stored in
the renewal configuration so the same setting will be used on renewal.
Fixed an unintended change introduced in 4.0.0 where renew_before_expiry could not be
shorter than certbot's default renewal time. If the server does not provide an ARI
response, renew_before_expiry will continue to override certbot's default. However,
an early ARI response will override a later renew_before_expiry time, to account for
notifications in case of certificate revocation, especially with the impending
deprecation of OCSP (https://letsencrypt.org/2024/12/05/ending-ocsp/). To force a
later date, users can replace certbot's default cron job and/or systemd timer with
one of their own timing.
|
2025-04-28 11:02:35 by Adam Ciarcinski | Files touched by this commit (36) |  |
Log message:
py-acme py-certbot*: updated to 4.0.0
4.0.0
Added
The --preferred-profile and --required-profile flags allow requesting a profile.
https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/
Changed
Certificates now renew with 1/3rd of lifetime left (or 1/2 of lifetime left,
if the lifetime is shorter than 10 days). This is a change from a hardcoded
renewal at 30 days before expiration. The config field renew_before_expiry
still overrides this default.
removed acme.crypto_util._pyopenssl_cert_or_req_all_names
removed acme.crypto_util._pyopenssl_cert_or_req_san
removed acme.crypto_util.dump_pyopenssl_chain
removed acme.crypto_util.gen_ss_cert
removed certbot.crypto_util.dump_pyopenssl_chain
removed certbot.crypto_util.pyopenssl_load_certificate
Fixed
Moved RewriteEngine on directive added during apache http01 authentication
to the end of the virtual host, so that it overwrites any RewriteEngine off
directives that already exist and allows redirection to the challenge URL.
|
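The renewal-timing rules stated in the 4.0.0 and 4.1.x log messages above, combined into one decision function. This is an added example, not Certbot's code and not part of the commit logs: the function names are hypothetical, `ari_time` stands for a single instant already chosen from the server's ARI response, and keeping the configured time when ARI suggests a later one is an assumption the log messages do not settle.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional


def default_renewal_time(not_before: datetime, not_after: datetime) -> datetime:
    """4.0.0 default: renew with 1/3 of the lifetime left, or 1/2 of it
    left when the lifetime is shorter than 10 days."""
    lifetime = not_after - not_before
    divisor = 2 if lifetime < timedelta(days=10) else 3
    return not_after - lifetime / divisor


def renewal_time(not_before: datetime, not_after: datetime,
                 renew_before_expiry: Optional[timedelta] = None,
                 ari_time: Optional[datetime] = None,
                 autorenew: bool = True) -> Optional[datetime]:
    """Return the instant from which a lineage is due, or None if it is
    never renewed automatically."""
    if not autorenew:
        # 4.1.1: ARI is not even checked for lineages with autorenew off.
        return None
    if renew_before_expiry is not None:
        # 4.1.0 fix: the lineage setting overrides the default, even when
        # it is shorter than the default renewal time.
        configured = not_after - renew_before_expiry
    else:
        configured = default_renewal_time(not_before, not_after)
    # 4.1.0: an early ARI time overrides a later configured time.
    # Assumption: a later ARI time leaves the configured time in place.
    if ari_time is not None and ari_time < configured:
        return ari_time
    return configured


# Constructed sample lineage: a 90-day certificate.
NOT_BEFORE = datetime(2025, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2025, 4, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    ari = datetime(2025, 3, 1, tzinfo=timezone.utc)  # constructed ARI instant
    print("default:          ", renewal_time(NOT_BEFORE, NOT_AFTER))
    print("10d before expiry:", renewal_time(NOT_BEFORE, NOT_AFTER, timedelta(days=10)))
    print("10d + early ARI:  ", renewal_time(NOT_BEFORE, NOT_AFTER, timedelta(days=10), ari))
```

A monitoring job can compare the returned instant against the current time to flag lineages that are due but were not renewed.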
2025-04-13 21:06:09 by Thomas Klausner | Files touched by this commit (2) |
Log message:
py-certbot: fix for setuptools>=78
|
2025-04-13 18:11:44 by Thomas Klausner | Files touched by this commit (1) |
Log message:
py-certbot: require newest setuptools (for py-acme)
|
2025-03-14 16:57:52 by Adam Ciarcinski | Files touched by this commit (19) |  |
Log message:
py-acme py-certbot*: updated to 3.3.0
3.3.0
Changed
The --register-unsafely-without-email flag is no longer needed in non-interactive mode.
In interactive mode, pressing Enter at the email prompt will register without an email.
deprecated acme.crypto_util.dump_pyopenssl_chain
deprecated acme.crypto_util._pyopenssl_cert_or_req_all_names
deprecated acme.crypto_util._pyopenssl_cert_or_req_san
deprecated certbot.crypto_util.dump_pyopenssl_chain
deprecated certbot.crypto_util.pyopenssl_load_certificate
Fixed
Fixed a bug introduced in Certbot 3.1.0 where OpenSSL environment variables
needed in our snap configuration were persisted in calls to external programs
like nginx which could cause them to fail to load OpenSSL.
|
2025-02-14 17:25:10 by Adam Ciarcinski | Files touched by this commit (22) |  |
Log message:
py-acme py-certbot*: updated to 3.2.0
3.2.0
Changed
certbot-nginx now requires pyparsing>=2.4.7.
certbot and its acme library now require cryptography>=43.0.0.
certbot-nginx and our acme library now require pyOpenSSL>=25.0.0.
Deprecated gen_ss_cert in acme.crypto_util as it uses deprecated
pyOpenSSL API.
Add make_self_signed_cert to acme.crypto_util to replace gen_ss_cert.
Directory hooks are now run on all commands by default, not just renew
Help output now shows False as default when it can be set via cli.ini instead of None
Changed terms of service agreement text to have a newline after the TOS link
certbot-cloudflare-dns is now pinned to version 2.19 of Cloudflare's python library
Removed support for Linode API v3 which was sunset at the end of July 203.
Fixed
Private keys are now saved in PKCS#8 format instead of PKCS#1. Using PKCS#1
was a regression introduced in Certbot 3.1.0.
Allow nginx plugin to parse non-breaking spaces in nginx configuration files.
Honor --reuse-key when --allow-subset-of-names is set
Fixed regression in symlink parsing on Windows that was introduced in Certbot
3.1.0.
When adding ssl listen directives in nginx server blocks, IP addresses are now
preserved.
Nginx configurations can now have the http block in files other than the root (nginx.conf)
|
2025-01-08 07:33:44 by Adam Ciarcinski | Files touched by this commit (19) |  |
Log message:
py-acme py-certbot*: updated to 3.1.0
Certbot 3.1.0
Changed
Python 3.8 support was removed.
certbot-dns-rfc2136's minimum required version of dnspython is now 2.6.1.
Updated our Docker images to be based on Alpine Linux 3.20.
Our runtime dependency on setuptools has been dropped from all Certbot
components.
Certbot's packages no longer depend on library importlib_resources.
Fixed
Included an OpenSSL library that was missing in our Certbot snap fixing
crashes affecting 32-bit ARM users.
|
2024-11-18 13:16:49 by Adam Ciarcinski | Files touched by this commit (20) |  |
Log message:
py-acme py-certbot*: updated to 3.0.1
Certbot 3.0.1
Fixed
Removed a CryptographyDeprecationWarning that was being displayed to users
when checking OCSP status.
|
2024-11-11 13:10:46 by Adam Ciarcinski | Files touched by this commit (20) |  |
Log message:
py-acme py-certbot*: updated to 3.0.0
Certbot 3.0.0
The update_symlinks command was removed.
The csr_dir and key_dir attributes on
certbot.configuration.NamespaceConfig were removed.
The --manual-public-ip-logging-ok command line flag was removed.
The --dns-route53-propagation-seconds command line flag was removed.
The certbot_dns_route53.authenticator module has been removed. This should
not affect any users of the plugin and instead would only affect developers
trying to develop on top of the old code.
Support for Python 3.8 was deprecated and will be removed in our next planned
release.
|
2024-11-11 08:29:31 by Thomas Klausner | Files touched by this commit (862) |
Log message:
py-*: remove unused tool dependency
py-setuptools includes the py-wheel functionality nowadays
|