certbot / certbot

Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

Certbot 2.0 beta announcement text

alexzorin opened this issue · comments

To be posted on the community forums.

Questions:

  • Duration 1 month?
  • What happens to people who upgrade to the 2.0 beta and forget to go back to stable after the beta is over? Can we publish a final beta snap that has a scary logger.warning in the entrypoint to tell people to get off the beta release?
    • Both logging and auto transition to stable
  • What of DNS plugins? We have published beta versions of them, but we'd have to get users to refresh all their DNS plugins. I don't think it's technically necessary, is it? We didn't break anything in the plugins interface, other than zope removal. The 1.31.0 plugins seem to work against 2.0.0.dev0 Certbot
    • Don't worry about DNS plugins.

The Certbot 2.0 beta is now available from the snap beta channel.

As a reminder, Certbot will default to issuing ECDSA certificates from this release. Read more about this and other changes here.

We intend to run this beta for at least one month to provide the opportunity for feedback and bug reporting.

To opt in to the Certbot beta program:

sudo snap install --classic --beta certbot

To opt in to the Certbot beta program if you already have the Certbot snap installed:

sudo snap refresh --beta certbot

Please remember to opt out of the beta program once 2.0 is released, or you will automatically be opted in to future beta releases. To opt out:

sudo snap refresh --stable certbot

Switching between versions should not cause any compatibility issues.

If you would like to test Certbot 2.0 without using the snap beta program, install from source via the 2.0.x branch.

Please provide any feedback on this release via the issue tracker or these forums.

Based on the snapcraft documentation, we are unsure what exactly will happen to our
Certbot 2.0 beta users when we close the beta channel and then re-open it in future
(e.g. for Certbot 3.0).

To test this, I have created a channel-refresh-test snap. Initially, I have published:

  • 0.19.0-4-g5d52c15 to the stable channel
  • 0.33.0.beta to the beta channel.

From here I can install stable and then upgrade to the beta ✅:

# snap install channel-refresh-test --stable
channel-refresh-test 0.19.0-4-g5d52c15 from Alex Zorin (i-alez-o) installed
# snap refresh --beta channel-refresh-test
channel-refresh-test (beta) 0.33.0.beta from Alex Zorin (i-alez-o) refreshed

If I close the beta channel:

and refresh, it refreshes to the stable channel ✅:

# snap refresh
channel-refresh-test 0.19.0-4-g5d52c15 from Alex Zorin (i-alez-o) refreshed
Channel latest/beta for channel-refresh-test is closed; temporarily forwarding to latest/stable.

If I then publish an even newer release to the beta channel:

and refresh, it goes back to the beta again ❌:

# snap refresh
channel-refresh-test (beta) 0.66.0.beta from Alex Zorin (i-alez-o) refreshed

Sad face. It seems that this may be by design:

People wouldn’t be able to follow a beta channel permanently, although they explicitly requested that

Given that the few users who will enroll into the beta are those who read the forum posts, what if we were just very explicit in the communication above and also in the 2.0 stable CHANGELOG, that you must remember to refresh back to the stable channel? The risk doesn't seem terribly high from that perspective.

I agree with the solution of being very explicit in the communication. Additionally, we could reframe it as "opting into our beta program" rather than "opting into the 2.0 beta" -- this way, the same set of users would also get potential 3.0 updates.

Since you have the testing already set up -- what happens if after we close the beta channel, users then manually switch to stable (even though they're already now on it in practice)? Hopefully at least then those users won't be flipped to a future beta.

what happens if after we close the beta channel, users then manually switch to stable (even though they're already now on it in practice)?

Thankfully, it stays on stable.

It looks like snap refresh --[beta,stable] persistently changes which channel is being tracked, regardless of what channel is currently being tracked.

Additionally, we could reframe it as "opting into our beta program" rather than "opting into the 2.0 beta"

Good idea. I've updated the original post.

If anybody wants to 👍 the updated wording, I'm happy to make the post, or anybody else can feel free since it'll be Saturday for me.

This plan and the updated wording sound good to me! I propose we wait until the beginning of next week though so we're not making a significant announcement on a Friday and other people have a chance to chime in on the wording if they like.

When the post is made on the community forum, I think we should pin it to increase visibility.

I was just writing final warnings to 4 third-party DNS plugins available via snap that still reference the old zope interfaces:

# certbot plugins
An unexpected error occurred:
AttributeError: module 'certbot.interfaces' has no attribute 'IAuthenticator'

... and realized that the DNS plugins won't automatically change to the beta channel. I've added another question to the original post for discussion.

Good question. I think we're OK. There aren't any breaking changes in our DNS plugins for our 2.0 release that we want to test and our DNS plugins from the stable channel should work with the Certbot 2.0 beta snap.

All good to post?

Posting has a +1 from me. I think you should feel free to post it if you want.

Done, globally pinned until next Monday.
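
The channel-tracking behaviour tested in this thread can be audited on a host by reading the Tracking column of `snap list`. The following is an added example, not part of the issue thread or of Certbot's code; the function names and the sample rows (revisions, publisher) are constructed, and the column order Name, Version, Rev, Tracking, Publisher, Notes is assumed.

```shell
#!/bin/sh
# Added example: list certbot snaps (core and DNS plugins) whose tracked
# channel is not a stable one. Input is `snap list` output on stdin.
# The Tracking column, not the installed Version, decides where the next
# `snap refresh` goes, so that is the column inspected here.

nonstable_certbot_snaps() {
    awk '
        NR == 1 { next }                                   # header row
        $1 != "certbot" && $1 !~ /^certbot-/ { next }      # unrelated snaps
        {
            # Tracking looks like "latest/beta" (track/risk) or just "beta".
            # "-" (no channel, e.g. a local install) is reported as well.
            risk = "unknown"
            n = split($4, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] ~ /^(stable|candidate|beta|edge)$/) {
                    risk = part[i]
                    break
                }
            if (risk != "stable")
                print $1 " " $4
        }
    '
}

# Constructed sample: core snap opted in to beta, DNS plugin left on stable,
# which is the combination discussed in the thread.
sample_snap_list() {
    cat <<'EOF'
Name                    Version     Rev   Tracking       Publisher    Notes
certbot                 2.0.0.dev0  2400  latest/beta    certbot-eff  classic
certbot-dns-cloudflare  1.31.0      1900  latest/stable  certbot-eff  -
core20                  20220826    1623  latest/stable  canonical    base
EOF
}

# On a real host: snap list | nonstable_certbot_snaps
sample_snap_list | nonstable_certbot_snaps
```

Any snap it reports can be moved back with the command from the announcement, `sudo snap refresh --stable certbot`.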