⬆️ Update certbot-dns-cloudflare to v2 #428

Merged
merged 1 commit into from
Oct 15, 2023

renovate[bot]
Contributor

@renovate renovate bot commented Mar 26, 2023

This PR contains the following updates:

| Package | Change |
|---|---|
| certbot-dns-cloudflare | ==1.32.0 -> ==2.7.1 |

Release Notes

certbot/certbot (certbot-dns-cloudflare)

v2.7.1: Certbot 2.7.1

Fixed
  • Fixed a bug that broke the DNS plugin for DNSimple that was introduced in
    version 2.7.0 of the plugin.
  • Correctly specified the new minimum version of the ConfigArgParse package
    that Certbot requires which is 1.5.3.

More details about these changes can be found on our GitHub repo.

v2.7.0: Certbot 2.7.0

Added
  • Add certbot.util.LooseVersion class. See GH #9489.
  • Add a new base class certbot.plugins.dns_common_lexicon.LexiconDNSAuthenticator to implement a DNS
    authenticator plugin backed by Lexicon to communicate with the provider DNS API. This approach relies
    heavily on conventions to reduce the implementation complexity of a new plugin.
  • Add a new test base class certbot.plugins.dns_test_common_lexicon.BaseLexiconDNSAuthenticatorTest to
    help testing DNS plugins implemented on top of LexiconDNSAuthenticator.
Changed
  • NamespaceConfig now tracks how its arguments were set via a dictionary, allowing us to remove a bunch
    of global state previously needed to inspect whether a user set an argument or not.
  • Support for Python 3.7 was deprecated and will be removed in our next planned release.
  • Added RENEWED_DOMAINS and FAILED_DOMAINS environment variables for consumption by post renewal hooks.
  • Deprecates LexiconClient base class and build_lexicon_config function in
    certbot.plugins.dns_common_lexicon module in favor of LexiconDNSAuthenticator.
  • Deprecates BaseLexiconAuthenticatorTest and BaseLexiconClientTest test base classes of
    certbot.plugins.dns_test_common_lexicon module in favor of BaseLexiconDNSAuthenticatorTest.
Fixed
  • Do not call deprecated datetime.utcnow() and datetime.utcfromtimestamp()
  • Filter zones in certbot-dns-google to avoid usage of private DNS zones to create records

v2.6.0: Certbot 2.6.0

Added
  • --dns-google-project optionally allows for specifying the project that the DNS zone(s) reside in,
    which allows for Certbot usage in scenarios where the auth credentials reside in a different
    project to the zone(s) that are being managed.
  • There is now a new Other annotated challenge object to allow plugins to support entirely novel challenges.
Changed
  • Optionally sign the SOA query for dns-rfc2136, to help resolve problems with split-view
    DNS setups and hidden primary setups.
    • Certbot versions prior to v1.32.0 did not sign queries with the specified TSIG key
      resulting in difficulty with split-horizon implementations.
    • Certbot v1.32.0 through v2.5.0 signed queries by default, potentially causing
      incompatibility with hidden primary setups with allow-update-forwarding enabled
      if the secondary did not also have the TSIG key within its config.
    • Certbot v2.6.0 and later no longer signs queries by default, but allows
      the user to optionally sign these queries by explicit configuration using the
      dns_rfc2136_sign_query option in the credentials .ini file.
  • Lineage name validity is performed for new lineages. --cert-name may no longer contain
    filepath separators (i.e. / or \, depending on the platform).
  • certbot-dns-google now loads credentials using the standard Application Default Credentials strategy,
    rather than explicitly requiring the Google Compute metadata server to be present if a service account
    is not provided using --dns-google-credentials.
  • --dns-google-credentials now supports additional types of file-based credential, such as
    External Account Credentials created by Workload Identity
    Federation. All file-based credentials implemented by the Google Auth library are supported.
Fixed
  • certbot-dns-google no longer requires deprecated oauth2client library.
  • Certbot will no longer try to invoke plugins which do not subclass from the proper
    certbot.interfaces.{Installer,Authenticator} interface (e.g. certbot -i standalone
    will now be ignored). See GH-9664.

v2.5.0: Certbot 2.5.0

Added
  • acme.messages.OrderResource now supports being round-tripped
    through JSON
  • acme.client.ClientV2 now provides separate begin_finalization
    and poll_finalization methods, in addition to the existing
    finalize_order method.
Changed
  • --dns-route53-propagation-seconds is now deprecated. The Route53 plugin relies on the GetChange API
    to determine if a DNS update is complete. The flag has never had any effect and will be
    removed in a future version of Certbot.
  • Packaged tests for all Certbot components besides josepy were moved inside
    the _internal/tests module.
Fixed
  • Fixed renew sometimes not preserving the key type of RSA certificates.
    • Users who upgraded from Certbot <v1.25.0 to Certbot >=v2.0.0 may
      have had their RSA certificates inadvertently changed to ECDSA certificates. If desired,
      the key type may be changed back to RSA. See the User Guide.
  • Deprecated flags were inadvertently not printing warnings since v1.16.0. This is now fixed.

v2.4.0: Certbot 2.4.0

Added
  • We deprecated support for the update_symlinks command. Support will be removed in a following
    version of Certbot.
Changed
  • Docker build and deploy scripts now generate multiarch manifests for non-architecture-specific tags, instead of defaulting to amd64 images.
Fixed
  • Reverted #9475 due to a performance regression in large nginx deployments.

v2.3.0: Certbot 2.3.0

Added
  • Allow a user to modify the configuration of a certificate without renewing it using the new reconfigure subcommand. See certbot help reconfigure for details.
  • certbot show_account now displays the ACME Account Thumbprint.
Changed
  • Certbot will no longer save previous CSRs and certificate private keys to /etc/letsencrypt/csr and /etc/letsencrypt/keys, respectively. These directories may be safely deleted.
  • Certbot will now only keep the current and 5 previous certificates in the /etc/letsencrypt/archive directory for each certificate lineage. Any prior certificates will be automatically deleted upon renewal. This number may be further lowered in future releases.
    • As always, users should only reference the certificate files within /etc/letsencrypt/live and never use /etc/letsencrypt/archive directly. See Where are my certificates? in the Certbot User Guide.
  • certbot.configuration.NamespaceConfig.key_dir and .csr_dir are now deprecated.
  • All Certbot components now require pytest to run tests.
Fixed
  • Fixed a crash when registering an account with BuyPass' ACME server.
  • Fixed a bug where Certbot would crash with AttributeError: can't set attribute on ACME server errors in Python 3.11. See GH #9539.

v2.2.0: Certbot 2.2.0

Added
Changed
  • Certbot will no longer respect very long challenge polling intervals, which may be suggested
    by some ACME servers. Certbot will continue to wait up to 90 seconds by default, or up to a
    total of 30 minutes if requested by the server via Retry-After.
Fixed

v2.1.0: Certbot 2.1.0

Added
Changed
Fixed
  • Interfaces which plugins register themselves as implementing without inheriting from them now show up in certbot plugins output.
  • IPluginFactory, IPlugin, IAuthenticator and IInstaller have been re-added to
    certbot.interfaces.
    • This is to fix compatibility with a number of third-party DNS plugins which may
      have started erroring with AttributeError in Certbot v2.0.0.
    • Plugin authors can find more information about Certbot 2.x compatibility here.
  • A bug causing our certbot-apache tests to crash on some systems has been resolved.

v2.0.0: Certbot 2.0.0

Added
  • Support for Python 3.11 was added to Certbot and all of its components.
  • acme.challenges.HTTP01Response.simple_verify now accepts a timeout argument which defaults to 30 that causes the verification request to timeout after that many seconds.
Changed
  • The default key type for new certificates is now ECDSA secp256r1 (P-256). It was previously RSA 2048-bit. Existing certificates are not affected.
  • The Apache plugin no longer supports Apache 2.2.
  • acme and Certbot no longer support versions of ACME from before the RFC 8555 standard.
  • acme and Certbot no longer support the old urn:acme:error: ACME error prefix.
  • Removed the deprecated certbot-dns-cloudxns plugin.
  • Certbot will now error if a certificate has --reuse-key set and a conflicting --key-type, --key-size or --elliptic-curve is requested on the CLI. Use --new-key to change the key while preserving --reuse-key.
  • 3rd party plugins no longer support the dist_name:plugin_name format on the CLI and in configuration files. Use the shorter plugin_name format.
  • acme.client.Client, acme.client.ClientBase, acme.client.BackwardsCompatibleClientV2, acme.mixins, acme.client.DER_CONTENT_TYPE, acme.fields.Resource, acme.fields.resource, acme.magic_typing, acme.messages.OLD_ERROR_PREFIX, acme.messages.Directory.register, acme.messages.Authorization.resolved_combinations, acme.messages.Authorization.combinations have been removed.
  • acme.messages.Directory now only supports lookups by the exact resource name string in the ACME directory (e.g. directory['newOrder']).
  • Removed the deprecated source_address argument for acme.client.ClientNetwork.
  • The zope based interfaces in certbot.interfaces have been removed in favor of the abc based interfaces found in the same module.
  • Certbot no longer depends on zope.
  • Removed deprecated function certbot.util.get_strict_version.
  • Removed deprecated functions certbot.crypto_util.init_save_csr, certbot.crypto_util.init_save_key,
    and certbot.compat.misc.execute_command
  • The attributes FileDisplay, NoninteractiveDisplay, SIDE_FRAME, input_with_timeout, separate_list_input, summarize_domain_list, HELP, and ESC from certbot.display.util have been removed.
  • Removed deprecated functions certbot.tests.util.patch_get_utility*. Plugins should now
    patch certbot.display.util themselves in their tests or use
    certbot.tests.util.patch_display_util as a temporary workaround.
  • Certbot's test API under certbot.tests now uses unittest.mock instead of the 3rd party mock library.
Fixed
  • Fixes a bug where the certbot working directory has unusably restrictive permissions on systems with stricter default umasks.
  • Requests to subscribe to the EFF mailing list now time out after 60 seconds.

We plan to slowly roll out Certbot 2.0 to all of our snap users in the coming months. If you want to use the Certbot 2.0 snap now, please follow the instructions at https://community.letsencrypt.org/t/certbot-2-0-beta-call-for-testing/185945.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added dependencies Upgrade or downgrade of project dependencies. no-stale This issue or PR is exempted from the stable bot. python labels Mar 26, 2023
@renovate renovate bot force-pushed the renovate/certbot-dns-cloudflare-2.x branch 3 times, most recently from 66bf9b4 to 2002729 Compare March 26, 2023 22:34
@github-actions github-actions bot removed the python label Mar 27, 2023
@renovate renovate bot force-pushed the renovate/certbot-dns-cloudflare-2.x branch 9 times, most recently from e6c0b85 to 91854e6 Compare March 31, 2023 14:03
@renovate renovate bot force-pushed the renovate/certbot-dns-cloudflare-2.x branch 2 times, most recently from a8ea3fb to 4e4bed3 Compare April 11, 2023 06:44
@renovate renovate bot force-pushed the renovate/certbot-dns-cloudflare-2.x branch 2 times, most recently from 78a2561 to 00da74d Compare April 16, 2023 12:32
@renovate renovate bot force-pushed the renovate/certbot-dns-cloudflare-2.x branch 3 times, most recently from 7a300c7 to 17660cf Compare April 26, 2023 07:13
@renovate renovate bot force-pushed the renovate/certbot-dns-cloudflare-2.x branch from 17660cf to d3299f8 Compare May 10, 2023 00:45
@renovate renovate bot force-pushed the renovate/certbot-dns-cloudflare-2.x branch from d3299f8 to 792618c Compare September 26, 2023 19:51
@renovate renovate bot force-pushed the renovate/certbot-dns-cloudflare-2.x branch 2 times, most recently from 7755d8b to b3b3467 Compare October 10, 2023 19:07
@renovate renovate bot force-pushed the renovate/certbot-dns-cloudflare-2.x branch from b3b3467 to 6d1c0b6 Compare October 15, 2023 18:28
@frenck frenck merged commit 3970825 into main Oct 15, 2023
11 checks passed
@frenck frenck deleted the renovate/certbot-dns-cloudflare-2.x branch October 15, 2023 18:29
@github-actions github-actions bot locked and limited conversation to collaborators Oct 17, 2023