Update certbot to v4.1.0 #58

Merged
renovate-bot merged 1 commits from renovate/certbot into master 2025-06-18 01:00:13 +00:00
Collaborator

This PR contains the following updates:

| Package | Update | Change | Pending |
|---|---|---|---|
| certbot | minor | ==4.0.0 -> ==4.1.0 | 4.1.1 |
| certbot-dns-cloudflare | minor | ==4.0.0 -> ==4.1.0 | 4.1.1 |

Release Notes

certbot/certbot (certbot)

v4.1.0: Certbot 4.1.0

Added
  • ACME Renewal Info (ARI) support. https://datatracker.ietf.org/doc/draft-ietf-acme-ari/
    certbot renew will automatically check ARI when using an ACME server that supports it,
    and may renew early based on the ARI information. For Let's Encrypt certificates this
    will typically cause renewal at around 2/3rds of the certificate's lifetime, even if
    the renew_before_expiry field of a lineage renewal config is set to a later date.
Changed
  • Switched to src-layout from flat-layout to accommodate PEP 517 pip editable installs
  • acme.client.ClientNetwork now makes the "key" parameter optional.
  • Deprecated acme.challenges.TLSALPN01Response
  • Deprecated acme.challenges.TLSALPN01
  • Deprecated parameter alpn_protocols from acme.crypto_util.probe_sni
  • Deprecated acme.crypto_util.SSLSocket
  • Deprecated acme.standalone.TLSServer
  • Deprecated acme.standalone.TLSALPN01Server
  • Deprecated parameter enforce_openssl_binary_usage from certbot.ocsp.RevocationChecker.
  • Dropped support for Python 3.9.0 and 3.9.1 for compatibility with newer
    versions of the cryptography Python package. Python 3.9.2+ is still
    supported.
Fixed
  • Order finalization now catches orderNotReady response, polls until order status is
    ready, and resubmits finalization request before polling for valid to download
    certificate. This conforms to RFC 8555 more accurately and avoids race conditions where
    all authorizations are fulfilled but order has not yet transitioned to ready state on
    the server when the finalization request is sent. It also respects retry-after when
    polling for finalization readiness.
  • The --preferred-profile and --required-profile flags now have their values stored in
    the renewal configuration so the same setting will be used on renewal.
  • Fixed an unintended change introduced in 4.0.0 where renew_before_expiry could not be
    shorter than certbot's default renewal time. If the server does not provide an ARI
    response, renew_before_expiry will continue to override certbot's default. However,
    an early ARI response will override a later renew_before_expiry time, to account for
    notifications in case of certificate revocation, especially with the impending deprecation
    of OCSP (https://letsencrypt.org/2024/12/05/ending-ocsp/). To force a later date, users
    can replace certbot's default cron job and/or systemd timer with one of their own timing.

More details about these changes can be found on our GitHub repo.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

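The renewal precedence described in the 4.1.0 notes, modelled as an added example; this is not certbot's code and not part of the PR. The function names, the 30-day default and the sample ARI body are constructed assumptions; `suggestedWindow` with `start` and `end` is the field defined in the ARI draft. Renewing at the local time when the ARI time falls later is also an assumption, since the notes only cover the early-ARI case.

```python
import json
import random
from datetime import datetime, timedelta


def parse_rfc3339(ts):
    """Parse an RFC 3339 UTC timestamp such as 2025-08-30T00:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def ari_renewal_time(ari_body, rng):
    """Pick a uniformly random instant inside the ARI suggestedWindow."""
    window = json.loads(ari_body)["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    return start + (end - start) * rng.random()


def renewal_decision(now, not_after, default_before,
                     renew_before_expiry=None, ari_time=None):
    """Return (should_renew, reason) following the precedence in the notes."""
    # An ARI time that has already passed wins, even when the operator's
    # renew_before_expiry would have renewed later (revocation-driven renewal).
    if ari_time is not None and ari_time <= now:
        return True, "ari"
    # Without an early ARI time, renew_before_expiry overrides the default
    # in either direction (the behaviour 4.1.0 restored).
    if renew_before_expiry is not None:
        before, reason = renew_before_expiry, "renew_before_expiry"
    else:
        before, reason = default_before, "default"
    if now >= not_after - before:
        return True, reason
    return False, "not due"


# Constructed sample: a 90-day certificate with an ARI window near day 60.
NOT_AFTER = parse_rfc3339("2025-08-30T00:00:00Z")
ARI_BODY = ('{"suggestedWindow": {"start": "2025-07-30T00:00:00Z",'
            ' "end": "2025-08-01T00:00:00Z"}}')
DEFAULT_BEFORE = timedelta(days=30)  # assumed value, not taken from the page

if __name__ == "__main__":
    now = parse_rfc3339("2025-08-05T00:00:00Z")
    ari = ari_renewal_time(ARI_BODY, random.Random(0))
    week = timedelta(days=7)
    print(renewal_decision(now, NOT_AFTER, DEFAULT_BEFORE, week, ari))
    print(renewal_decision(now, NOT_AFTER, DEFAULT_BEFORE, week))
```

With a 7-day `renew_before_expiry`, the certificate in the sample renews on 5 August when the server supplies ARI and would otherwise wait until 23 August, which is the shift an operator should expect after this update.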
renovate-bot added 1 commit 2025-06-18 00:00:19 +00:00
Update certbot to v4.1.0
All checks were successful
renovate/stability-days Updates have met minimum release age requirement
Test Pull Request / Build Image (pull_request) Successful in 5m49s
Test Pull Request / Notify (pull_request) Successful in 3s
Build Image / Validate Image (push) Successful in 2m36s
Build Image / Publish Image (push) Successful in 5m42s
Build Image / Notify (push) Successful in 3s
f7476bc8e7
renovate-bot merged commit f7476bc8e7 into master 2025-06-18 01:00:13 +00:00
Reference: MrMeeb/certbot-cron-docker#58