M/eFeUdZddlZddlZddlZddlZddlmZddlmZddlmZddlm Z ddl Z ddl m Z ddl mZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlm Z ddlm!Z!ddlm"Z"ddlm#Z#ddlm$Z$ddlm%Z%ddlm&Z&ddlm'Z'dd lm(Z(dd!lm)Z)dd"l*m+Z+dd#l,m-Z-dd$l.m/Z/dd%l0m1Z1dd&l2m3Z3dd'l4m5Z5dd(l4m6Z6dd)l7m8Z9ddl:m;cmdd*l?m@Z@ejeBZCdaDee-eEd+<d,e9jd-eeGd.e fd/ZHd0ed.e fd1ZIy)2z2Certbot command line argument & config processing.N)Any)List)Optional)Type)NamespaceConfig) constants)ARGPARSE_PARAMS_TO_REMOVE) cli_command)COMMAND_OVERVIEW)DEPRECATED_OPTIONS) EXIT_ACTIONS)HELP_AND_VERSION_USAGE) SHORT_USAGE) VAR_MODIFIERS)ZERO_ARG_ACTIONS)_DeployHookAction)_DomainsAction)_EncodeReasonAction)_PrefChallAction)_RenewHookAction)_user_agent_comment_type) add_domains)CaseInsensitiveList) config_help)CustomHelpFormatter) flag_default)HelpfulArgumentGroup)nonnegative_int)parse_preferred_challenges) read_file)set_test_server_options)_add_all_groups)HelpfulArgumentParser) _paths_parser)_plugins_parsing)_create_subparsers) VERB_HELP) VERB_HELP_MAP)disco) enhancementshelpful_parserpluginsargsreturnc t||}t||jdddddtdd|jddd td tj |jdd d d dtd tj |jddt tdd|jddddtdtj |jgddddddtdd|jgdtjdtdd|jgdd d!d"d#d$ttd#d%& |jgd'd(d)d*d+,|jgd'd-d.d/d0,|jgd1d2d3d4td3d56|jgd7d8dd9td9d:;|jgd<d=dd>td>d?;|jd@dAgdBdtdCdD|jgdEdFdGtdHtdHI|jgdJdKdtdLdLdMN|jgdJdOdPtdLdLdQN|jgdRdSdTdUdVdtdVdW|jdAdXdtdYdZ|jdAd[d\d]jtjd^_|jdAd`gdadbdcdtdcdd|jdAdedfdtdfdg|jdAdhdidtdidj|jdAdkdidPtdidl|jdAdmdndtdndo|jgdpdqdtdrds|jdAdtdudtdudv|jdwdAgdxdytdzd{||jdAd}d~dtd~d|jgdddddtdd|jgdddddtddtjz|jdddtdd|jgdddtdd|jdddtdtd|jgddtdtdtd|jddgddtdtd |jddgdttdtd|jdddtdd|jddtdtdtd|jddddgt tdtd|jddt gddtdtd|jddddtdtd;|jddgdddtdd;|jdddPdtdd;|jddgdddtdd;|jdddPdtdtj ;|jddgdddtdd;|jdddPdtdtj ;|jddddtdd¬;|jdddPdtdtj ;|jdddtdūdƬ|jgdǢddtdɫtdɫ |jgdʢddt"td̫dͬ|jgddt dtdϫtdϫ|jd`dgddҬӫ|jd`dgddլӫ|jd`dgdt$tj ׫|jd`ddPtd٫dtj N|jd`dgdt&d۬׫|jd`ddPdtdݫdެ;|jd`ddPtdddN|jd`ddtdddN|jd`ddPtdddN|j)dd|j)dd|j)dd|j)ddt+j,|jt/|t1|t3|||a|j7S)aReturns parsed command line arguments. :param .PluginsRegistry plugins: available plugins :param list args: command line arguments with the program name removed :returns: parsed command line arguments :rtype: configuration.NamespaceConfig Nz-vz --verbose verbose_countcountzbThis flag can be used multiple times to incrementally increase the verbosity of output, e.g. -vvv.)destactiondefaulthelpz--verbose-level verbose_level)r2r4r5z-tz--text text_mode store_truez--max-log-backupsmax_log_backupszSpecifies the maximum number of backup logs that should be kept by Certbot's built in log rotation. Setting this flag to 0 disables log rotation entirely, causing Certbot to always append to the same log file.)typer4r5z--preconfigured-renewalpreconfigured_renewal)N automationruncertonlyenhancez-nz--non-interactivez--noninteractivenoninteractive_modezRun without ever asking for user input. This may require additional command line flags; the client will try to explain which ones are required if it finds one missing)Nregisterr=r>r?force_interactivezForce Certbot to be interactive even if it detects it's not being run in a terminal. This flag cannot be used with the renew subcommand.)r3r4r5)Nr=r> certificatesr?z-dz --domainsz--domaindomainsDOMAINaDomain names to include. For multiple domains you can use multiple -d flags or enter a comma separated list of domains as a parameter. All domains will be included as Subject Alternative Names on the certificate. The first domain will be used as the certificate name, unless otherwise specified or if you already have a certificate with the same name. In the case of a name conflict, a number like -0001 will be appended to the certificate name. (default: Ask))r2metavarr3r4r5)Nr=r>rAz --eab-kideab_kidEAB_KIDz+Key Identifier for External Account Binding)r2rFr5z--eab-hmac-key eab_hmac_key EAB_HMAC_KEYz%HMAC key for External Account Binding) Nr=r>managedeleterCrenewr? reconfigurez --cert-namecertnameCERTNAMEaCertificate name to apply. This name is used by Certbot for housekeeping and in file paths; it doesn't affect the content of the certificate itself. Certificate name cannot contain filepath separators (i.e. '/' or '\', depending on the platform). To see certificate names, run 'certbot certificates'. When creating a new certificate, specifies the new certificate's name. (default: the first provided domain or the name of an existing certificate on your system for the same domains))r2rFr4r5)NtestingrMr>z --dry-rundry_runaPerform a test run against the Let's Encrypt staging server, obtaining test (invalid) certificates but not saving them to disk. This can only be used with the 'certonly' and 'renew' subcommands. It may trigger webserver reloads to temporarily modify & roll back configuration files. --pre-hook and --post-hook commands run by default. --deploy-hook commands do not run, unless enabled by --run-deploy-hooks. The test server may be overridden with --server.)r3r2r4r5)rQrMr>rNz--run-deploy-hooksrun_deploy_hooksaWhen performing a test run using `--dry-run` or `reconfigure`, run any applicable deploy hooks. This includes hooks set on the command line, saved in the certificate's renewal configuration file, or present in the renewal-hooks directory. To exclude directory hooks, use --no-directory-hooks. The hook(s) will only be run if the dry run succeeds, and will use the current active certificate, not the temporary test certificate acquired during the dry run. This flag is recommended when modifying the deploy hook using `reconfigure`.rAr<z!--register-unsafely-without-emailregister_unsafely_without_emaila"Specifying this flag enables registering an account with no email address. This is strongly discouraged, because you will be unable to receive notice about impending expiration or revocation of your certificates or problems with your Certbot installation that will lead to failure to renew.)rAupdate_account unregisterr<z-mz--emailemail)r4r5)rArUr<z --eff-email eff_emailz"Share your e-mail address with EFF)r3r4r2r5z--no-eff-email store_falsez(Don't share your e-mail address with EFF)r<r>r=z--keep-until-expiringz--keepz --reinstall reinstallzIf the requested certificate matches an existing certificate, always keep the existing one until it is due for renewal (for the 'run' subcommand this means reinstall the existing certificate). (default: Ask)z--expandexpandzIf an existing certificate is a strict subset of the requested names, always expand and replace it with the additional names. (default: Ask)z --versionversionz %(prog)s {0}z&show program's version number and exit)r3r\r5rMz--force-renewalz--renew-by-defaultrenew_by_defaultzIf a certificate already exists for the requested domains, renew it now, regardless of whether it is near expiry. (Often --keep-until-expiring is more appropriate). Also implies --expand.z--renew-with-new-domainsrenew_with_new_domainszIf a certificate already exists for the requested certificate name but does not match the requested domains, renew it now, regardless of whether it is near expiry.z --reuse-key reuse_keyzDWhen renewing, use the same private key as the existing certificate.z--no-reuse-keyzWhen renewing, do not use the same private key as the existing certificate. Not reusing private keys is the default behavior of Certbot. This option may be used to unset --reuse-key on an existing certificate.z --new-keynew_keyzWhen renewing or replacing a certificate, generate a new private key, even if --reuse-key is set on the existing certificate. Combining --new-key and --reuse-key will result in the private key being replaced and then reused in future renewals.)r<rMr>z--allow-subset-of-namesallow_subset_of_namesa8When performing domain validation, do not consider it a failure if authorizations can not be obtained for a strict subset of the requested domains. This may be useful for allowing renewals for multiple domains to succeed even if some domains no longer point at this system. This option cannot be used with --csr.z --agree-tostosz5Agree to the ACME Subscriber Agreement (default: Ask)rVz --account ACCOUNT_IDaccountzAccount ID to use)rFr4r5z --duplicate duplicatezdAllow making a certificate lineage that duplicates an existing one (both can be renewed in parallel))r<rMr>r=z-qz--quietquietz\Silence all output except errors. Useful for automation via cron. Implies --non-interactive.)rQrevoker=z --test-certz --stagingstagingzmUse the Let's Encrypt staging server to obtain or revoke test (invalid) certificates; equivalent to --server rQz--debugdebugz!Show tracebacks in case of errors)Nr>r=z--debug-challengesdebug_challengeszAfter setting up challenges, wait for user input before submitting to CA. When used in combination with the `-v` option, the challenge URLs or FQDNs and their expected return values are shown.z--no-verify-ssl no_verify_ssl)r3r5r4)rQ standalonemanualz--http-01-port http01_port)r:r2r4r5rlz--http-01-addresshttp01_addressnginxz --https-port https_portz--break-my-certsbreak_my_certsz]Be willing to replace or renew valid certificates with invalid (testing/staging) certificatessecurityz--rsa-key-sizeN rsa_key_size)r:rFr4r5z --key-typersaecdsakey_type)choicesr:r4r5z--elliptic-curve) secp256r1 secp384r1 secp521r1elliptic_curve)r:ryrFr4r5z --must-staple must_stapler?z --redirectredirectzAutomatically redirect all HTTP traffic to HTTPS for the newly authenticated vhost. (default: redirect enabled for install and run, disabled for enhance)z --no-redirectzDo not automatically redirect all HTTP traffic to HTTPS for the newly authenticated vhost. (default: redirect enabled for install and run, disabled for enhance)z--hstshstszAdd the Strict-Transport-Security header to every HTTP response. Forcing browser to always use SSL for the domain. Defends against SSL Stripping.z --no-hstsz--uiruirzAdd the "Content-Security-Policy: upgrade-insecure-requests" header to every HTTP response. Forcing the browser to use https:// for every http:// resource.z--no-uirz --staple-ocspstaplezmEnables OCSP Stapling. A valid OCSP response is stapled to the certificate that the server offers during TLS.z--no-staple-ocspz--strict-permissionsstrict_permissionsz}Require that all configuration files are owned by the current user; only needed if your config is somewhere unsafe like /tmp/)Nr>rMr=z--preferred-chainpreferred_chain)rmrlr>rMz--preferred-challenges pref_challsaA sorted, comma delimited list of the preferred challenge to use during authorization with the most preferred challenge listed first (Eg, "dns" or "http,dns"). Not all plugins support all challenges. See https://certbot.eff.org/docs/using.html#plugins for details. ACME Challenges are versioned, but if you pick "http" rather than "http-01", Certbot will select the latest version automatically.z--issuance-timeoutissuance_timeoutrNz --pre-hookuCommand to be run in a shell before obtaining any certificates. Unless --disable-hook-validation is used, the command’s first word must be the absolute pathname of an executable or one found via the PATH environment variable. Intended primarily for renewal, where it can be used to temporarily shut down a webserver that might conflict with the standalone plugin. This will only be called if a certificate is actually to be obtained/renewed. When renewing several certificates that have identical pre-hooks, only the first will be executed.)r5z --post-hookuCommand to be run in a shell after attempting to obtain/renew certificates. Unless --disable-hook-validation is used, the command’s first word must be the absolute pathname of an executable or one found via the PATH environment variable. Can be used to deploy renewed certificates, or to restart any servers that were stopped by --pre-hook. This is only run if an attempt was made to obtain/renew a certificate. If multiple renewed certificates have identical post-hooks, only one will be run.z --renew-hook)r3r5z--no-random-sleep-on-renewrandom_sleep_on_renewz --deploy-hookuACommand to be run in a shell once for each successfully issued certificate. Unless --disable-hook-validation is used, the command’s first word must be the absolute pathname of an executable or one found via the PATH environment variable. For this command, the shell variable $RENEWED_LINEAGE will point to the config live subdirectory (for example, "/etc/letsencrypt/live/example.com") containing the new certificates and keys; the shell variable $RENEWED_DOMAINS will contain a space-delimited list of renewed certificate domains (for example, "example.com www.example.com")z--disable-hook-validationvalidate_hooksaOrdinarily the commands specified for --pre-hook/--post-hook/--deploy-hook will be checked for validity, to see if the programs being run are in the $PATH, so that mistakes can be caught early, even when the hooks aren't being run just yet. The validation is rather simplistic and fails if you use more advanced shell constructs, so you can use this switch to disable it. (default: False)z--no-directory-hooksdirectory_hooksz`Disable running executables found in Certbot's hook directories during renewal. (default: False)z--disable-renew-updatesdisable_renew_updatesaDisable automatic updates to your server configuration that would otherwise be done by the selected installer plugin, and triggered when the user executes "certbot renew", regardless of if the certificate is renewed. This setting does not apply to important TLS configuration updates.z--no-autorenew autorenewz6Disable auto renewal of certificates. (default: False)z--os-packages-onlyrz--no-self-upgradez--no-bootstrapz--no-permissions-check)r#r"addrargparseSUPPRESSrrFORCE_INTERACTIVE_FLAGrrformatcertbot __version__ STAGING_URIintstrrrradd_deprecated_argumentr* populate_clir&r$r%r+ parse_args)r,r-helpfuls @/usr/lib/python3/dist-packages/certbot/_internal/cli/__init__.pyprepare_and_parse_argsr:sx $D'2GG KK dKog_-5 KK o_-H4E4EG KK dH;|[)0A0AC KK !./>? KK '.E\2I%J     KK: !#5 "<23@ A KK8((01! " KK< k:IY'\  ] KK-) :   KK-~ 4   KK ,-:L$<@  A KK.LyY'A  B KK7\8J/0D  E KK \"$GP\>?@A KKBD)W%  !# KKN$l;.Gk?A KK)= |K7P_ ` KKj|H?UVW KKk)%%g&9&9: 57 KK w/6H\2D%E  KK07O\2J%K89 KKm+\+%>  KK&[l;&?%& KKk |\)5L/0 KK+!,45F G KKm% U# DF KK |$k<Y' " KKm+l[)12  KK2 iglW%+ , KK,m[ |\)5L57@7L7LMN KK9\<;P 02 KK!#7 /0() KK$\  )_-/ KK+-=C ]++m2LN KK L!#6 -.[AQ5RT KK Gn3\*  &( KK%l-../  KK$3^,;~3NP KKL5'*:Z({:/FH KK&S; -.[AQ5R T KKOL L$?  ') KK Y\ Z(% & KKOM Z(%&  KK YFL KK Y 5,u:M56  KKJ}5,W\J]     KKOLxX&>?  KK&}8X&X->->@ KK*<12OP  KK*"3./kBS6T  KK5 }m)D   KK!#7o /0 + , .  KK - ,A B KK - -   KK-(.'h.?.?A KK-m45rs8 1'I;@B<F;=@=:?<<D7?7?8@;F5C=?<B?59<>>(   8 $37./6c M$A$Ac cc /c L CDr