chore(deps): update dependency certbot to v4

[ZxBot]

This PR contains the following updates:

Package	Change	Age	Confidence
certbot	2.11.1 → 4.2.0

---

Release Notes

certbot/certbot (certbot)

v4.2.0: Certbot 4.2.0

Compare Source

Added

• Added --eab-hmac-alg parameter to support custom HMAC algorithm for
  External Account Binding.
  (#​10281)

Changed

• Catches and ignores errors during the directory fetch for ARI checking so
  that these errors do not hinder the actual certificate issuance.
  (#​10342)
• Removed the dependency on pytz.
  (#​10350)
• Deprecated acme.crypto_util.probe_sni
  (#​10386)
• Support for Python 3.9 was deprecated and will be removed in our next planned
  release. (#​10390)

Fixed

• The Certbot snap no longer sets the environment variable PYTHONPATH stopping
  it from picking up Python files in the current directory and polluting the
  environment for Certbot hooks written in Python.
  (#​10176,
  #​10257)
• Previously, we claimed to set FAILED_DOMAINS and RENEWED_DOMAINS env
  variables for use by post-hooks when certificate renewals fail, but we were
  not actually setting them. Now, we are.
  (#​10259)
• Certbot now always uses the server value from the renewal configuration file
  for ARI checks instead of the server value from the current invocation of
  Certbot. This helps prevent ARI requests from going to the wrong server if
  the user changes CAs.
  (#​10339)

v4.1.1: Certbot 4.1.1

Compare Source

Fixed

• When a CA fails to issue a certificate after finalization, print the ACME error from the order
• No longer checks ARI during certbot --dry-run, because --dry-run uses staging when used
  with let's encrypt but the cert was issued against the default server. This would emit
  a scary warning, even though the cert would renew successfully.
• Contacting the CA to check ARI is now skipped for certificate lineages that
  have autorenew set to False.

More details about these changes can be found on our GitHub repo.

v4.1.0: Certbot 4.1.0

Compare Source

Added

• ACME Renewal Info (ARI) support. https://datatracker.ietf.org/doc/draft-ietf-acme-ari/
  certbot renew will automatically check ARI when using an ACME server that supports it,
  and may renew early based on the ARI information. For Let's Encrypt certificates this
  will typically cause renewal at around 2/3rds of the certificate's lifetime, even if
  the renew_before_expiry field of a lineage renewal config is set a later date.

Changed

• Switched to src-layout from flat-layout to accommodate PEP 517 pip editable installs
• acme.client.ClientNetwork now makes the "key" parameter optional.
• Deprecated acme.challenges.TLSALPN01Response
• Deprecated acme.challenges.TLSALPN01
• Deprecated parameter alpn_protocols from acme.crypto_util.probe_sni
• Deprecated acme.crypto_util.SSLSocket
• Deprecated acme.standalone.TLSServer
• Deprecated acme.standalone.TLSALPN01Server
• Deprecated parameter enforce_openssl_binary_usage from certbot.ocsp.RevocationChecker.
• Dropped support for Python 3.9.0 and 3.9.1 for compatibility with newer
  versions of the cryptography Python package. Python 3.9.2+ is still
  supported.

Fixed

• Order finalization now catches orderNotReady response, polls until order status is
  ready, and resubmits finalization request before polling for valid to download
  certificate. This conforms to RFC 8555 more accurately and avoids race conditions where
  all authorizations are fulfilled but order has not yet transitioned to ready state on
  the server when the finalization request is sent. It also respects retry-after when
  polling for finalization readiness.
• The --preferred-profile and --required-profile flags now have their values stored in
  the renewal configuration so the same setting will be used on renewal.
• Fixed an unintended change introduced in 4.0.0 where renew_before_expiry could not be
  shorter than certbot's default renewal time. If the server does not provide an ARI
  response, renew_before_expiry will continue to override certbot's default. However,
  an early ARI response will override a later renew_before_expiry time, to account for
  notifications in case of certificate revocation, especially with the impending deprecation
  of OCSP (https://letsencrypt.org/2024/12/05/ending-ocsp/). To force a later date, users
  can replace certbot's default cron job and/or systemd timer with one of their own timing.

More details about these changes can be found on our GitHub repo.

v4.0.0: Certbot 4.0.0

Compare Source

Added

• The --preferred-profile and --required-profile flags allow requesting a profile.
  https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/

Changed

• Certificates now renew with 1/3rd of lifetime left (or 1/2 of lifetime left,
  if the lifetime is shorter than 10 days). This is a change from a hardcoded
  renewal at 30 days before expiration. The config field renew_before_expiry
  still overrides this default.

• removed acme.crypto_util._pyopenssl_cert_or_req_all_names

• removed acme.crypto_util._pyopenssl_cert_or_req_san

• removed acme.crypto_util.dump_pyopenssl_chain

• removed acme.crypto_util.gen_ss_cert

• removed certbot.crypto_util.dump_pyopenssl_chain

• removed certbot.crypto_util.pyopenssl_load_certificate

Fixed

• Moved RewriteEngine on directive added during apache http01 authentication
  to the end of the virtual host, so that it overwrites any RewriteEngine off
  directives that already exist and allows redirection to the challenge URL.

More details about these changes can be found on our GitHub repo.

v3.3.0: Certbot 3.3.0

Compare Source

Added

Changed

• The --register-unsafely-without-email flag is no longer needed in non-interactive mode.
• In interactive mode, pressing Enter at the email prompt will register without an email.
• deprecated acme.crypto_util.dump_pyopenssl_chain
• deprecated acme.crypto_util._pyopenssl_cert_or_req_all_names
• deprecated acme.crypto_util._pyopenssl_cert_or_req_san
• deprecated certbot.crypto_util.dump_pyopenssl_chain
• deprecated certbot.crypto_util.pyopenssl_load_certificate

Fixed

• Fixed a bug introduced in Certbot 3.1.0 where OpenSSL environment variables
  needed in our snap configuration were persisted in calls to external programs
  like nginx which could cause them to fail to load OpenSSL.

More details about these changes can be found on our GitHub repo.

v3.2.0: Certbot 3.2.0

Compare Source

Added

Changed

• certbot-nginx now requires pyparsing>=2.4.7.
• certbot and its acme library now require cryptography>=43.0.0.
• certbot-nginx and our acme library now require pyOpenSSL>=25.0.0.
• Deprecated gen_ss_cert in acme.crypto_util as it uses deprecated
  pyOpenSSL API.
• Add make_self_signed_cert to acme.crypto_util to replace `gen_ss_cert.
• Directory hooks are now run on all commands by default, not just renew
• Help output now shows False as default when it can be set via cli.ini instead of None
• Changed terms of service agreement text to have a newline after the TOS link
• certbot-cloudflare-dns is now pinned to version 2.19 of Cloudflare's python library
• Removed support for Linode API v3 which was sunset at the end of July 203.

Fixed

• Private keys are now saved in PKCS#8 format instead of PKCS#1. Using PKCS#1
  was a regression introduced in Certbot 3.1.0.
• Allow nginx plugin to parse non-breaking spaces in nginx configuration files.
• Honor --reuse-key when --allow-subset-of-names is set
• Fixed regression in symlink parsing on Windows that was introduced in Certbot
  3.1.0.
• When adding ssl listen directives in nginx server blocks, IP addresses are now
  preserved.
• Nginx configurations can now have the http block in files other than the root (nginx.conf)

More details about these changes can be found on our GitHub repo.

v3.1.0: Certbot 3.1.0

Compare Source

Added

Changed

• Python 3.8 support was removed.
• certbot-dns-rfc2136's minimum required version of dnspython is now 2.6.1.
• Updated our Docker images to be based on Alpine Linux 3.20.
• Our runtime dependency on setuptools has been dropped from all Certbot
  components.
• Certbot's packages no longer depend on library importlib_resources.

Fixed

• Included an OpenSSL library that was missing in our Certbot snap fixing
  crashes affecting 32-bit ARM users.

More details about these changes can be found on our GitHub repo.

v3.0.1: Certbot 3.0.1

Compare Source

Fixed

• Removed a CryptographyDeprecationWarning that was being displayed to users
  when checking OCSP status.

More details about these changes can be found on our GitHub repo.

v3.0.0: Certbot 3.0.0

Compare Source

Added

Changed

• The update_symlinks command was removed.
• The csr_dir and key_dir attributes on
  certbot.configuration.NamespaceConfig were removed.
• The --manual-public-ip-logging-ok command line flag was removed.
• The --dns-route53-propagation-seconds command line flag was removed.
• The certbot_dns_route53.authenticator module has been removed. This should
  not affect any users of the plugin and instead would only affect developers
  trying to develop on top of the old code.
• Support for Python 3.8 was deprecated and will be removed in our next planned
  release.

Fixed

More details about these changes can be found on our GitHub repo.

---

Configuration

📅 Schedule: (in timezone Europe/Rome)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[ZxBot]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.