Table of Contents
- Getting Started
- Code components and layout
- Writing your own plugin
- Coding style
- Submitting a pull request
- Updating certbot-auto and letsencrypt-auto
- Updating the documentation
- Other methods for running the client
- Notes on OS dependencies
Running the client in developer mode from your local tree is a little
different than running
certbot-auto. To get set up, do these things
git clone https://github.com/certbot/certbot cd certbot ./letsencrypt-auto-source/letsencrypt-auto --os-packages-only ./tools/venv.sh
Then in each shell where you’re working on the client, do:
After that, your shell will be using the virtual environment, and you run the client by typing:
Activating a shell in this way makes it easier to run unit tests
tox and integration tests, as described below. To reverse this, you
deactivate. More information can be found in the virtualenv docs.
You can find the open issues in the github issue tracker. Comparatively easy ones are marked Good Volunteer Task. If you’re starting work on something, post a comment to let others know and seek feedback on your plan where appropriate.
Once you’ve got a working branch, you can open a pull request. All changes in your pull request must have thorough unit test coverage, pass our tests, and be compliant with the coding style.
When you are working in a file
foo.py, there should also be a file
either in the same directory as
foo.py or in the
(if there isn’t, make one). While you are working on your code and tests, run
python foo_test.py to run the relevant tests.
For debugging, we recommend running
pip install ipdb and putting
import ipdb; ipdb.set_trace() statements inside the source
code. Alternatively, you can use Python’s standard library
but you won’t get TAB completion.
Once you are done with your code changes, and the tests in
run all of the unittests for Certbot with
tox -e py27 (this uses Python
Once all the unittests pass, check for sufficient test coverage using
tox -e cover, and then check for code style with
tox -e lint (all files)
pylint --rcfile=.pylintrc path/to/file.py (single file at a time).
Once all of the above is successful, you may run the full test suite,
including integration tests, using
tox. We recommend running the
commands above first, because running all tests with
tox is very
slow, and the large amount of
tox output can make it hard to find
specific failures when they happen. Also note that the full test suite
will attempt to modify your system’s Apache config if your user has sudo
permissions, so it should not be run on a production Apache server.
If you have trouble getting the full
tox suite to run locally, it is
generally sufficient to open a pull request and let Github and Travis run
integration tests for you.
To run integration tests locally, you need Docker and docker-compose installed and working. Fetch and start Boulder using:
If you have problems with Docker, you may want to try removing all containers and volumes and making sure you have at least 1GB of memory.
Run the integration tests using:
- contains all protocol specific code
- main client code
- certbot-apache and certbot-nginx
- client code to configure specific web servers
- configuration for packaging Certbot
Certbot has a plugin architecture to facilitate support for different webservers, other TLS servers, and operating systems. The interfaces available for plugins to implement are defined in interfaces.py and plugins/common.py.
There are also
which implement bindings to alternative UI libraries.
Authenticators are plugins designed to prove that this client deserves a
certificate for some domain name by solving challenges received from
the ACME server. From the protocol, there are essentially two
different types of challenges. Challenges that must be solved by
individual plugins in order to satisfy domain validation (subclasses
DNS) and continuity specific
challenges (subclasses of
ProofOfPossession). Continuity challenges are
always handled by the
ContinuityAuthenticator, while plugins are
expected to handle
Right now, we have two authenticator plugins, the
StandaloneAuthenticator. The Standalone and Apache
authenticators only solve the
TLSSNI01 challenge currently.
(You can set which challenges your authenticator can handle through the
(FYI: We also have a partial implementation for a
in a separate branch).
Installers plugins exist to actually setup the certificate in a server,
possibly tweak the security configuration to make it more correct and secure
(Fix some mixed content problems, turn on HSTS, redirect to HTTPS, etc).
Installer plugins tell the main client about their abilities to do the latter
supported_enhancements() call. We currently
have two Installers in the tree, the
ApacheConfigurator. and the
NginxConfigurator. External projects have made some progress toward
support for IIS, Icecast and Plesk.
Installers and Authenticators will oftentimes be the same class/object (because for instance both tasks can be performed by a webserver like nginx) though this is not always the case (the standalone plugin is an authenticator that listens on port 443, but it cannot install certs; a postfix plugin would be an installer but not an authenticator).
Installers and Authenticators are kept separate because
it should be possible to use the
StandaloneAuthenticator (it sets
up its own Python server to perform challenges) with a program that
cannot solve challenges itself (Such as MTA installers).
There are a few existing classes that may be beneficial while
developing a new
Installers aimed to reconfigure UNIX servers may use Augeas for
configuration parsing and can inherit from
to handle much of the interface. Installers that are unable to use
Augeas may still find the
Reverter class helpful in handling
configuration checkpoints and rollback.
Certbot client supports dynamic discovery of plugins through the
setuptools entry points. This way you can, for example, create a
custom implementation of
IInstaller without having to merge it
with the core upstream source code. An example is provided in
Please be aware though that as this client is still in a developer-preview stage, the API may undergo a few changes. If you believe the plugin will be beneficial to the community, please consider submitting a pull request to the repo and we will update it with any necessary API changes.
Be consistent with the rest of the code.
def foo(arg): """Short description. :param int arg: Some number. :returns: Argument :rtype: int """ return arg
Remember to use
- Write your code!
- Make sure your environment is set up properly and that you’re in your
virtualenv. You can do this by running
./tools/venv.sh. (this is a very important step)
tox -e lintto check for pylint errors. Fix any errors.
tox --skip-missing-interpretersto run the entire test suite including coverage. The
--skip-missing-interpretersargument ignores missing versions of Python needed for running the tests. Fix any errors.
- If your code touches communication with an ACME server/Boulder, you should run the integration tests, see integration. See `Known Issues`_ for some common failures that have nothing to do with your code.
- Submit the PR.
- Did your tests pass on Travis? If they didn’t, fix any errors.
Developers should not modify the
in the root directory of the repository. Rather, modify the
letsencrypt-auto.template and associated platform-specific shell scripts in
letsencrypt-auto-source/pieces/bootstrappers directory, respectively.
Once changes to any of the aforementioned files have been made, the
letsencrypt-auto-source/letsencrypt-auto script should be updated. In lieu of
manually updating this script, run the build script, which lives at
build.py will update the
script. Note that the
letsencrypt-auto scripts in the root
directory of the repository will remain unchanged after this script is run.
Your changes will be propagated to these files during the next release of
When opening a PR, ensure that the following files are committed:
It might also be a good idea to double check that no changes were
inadvertently made to the
letsencrypt-auto scripts in the
root of the repository. These scripts will be updated by the core developers
during the next release.
In order to generate the Sphinx documentation, run the following commands:
make -C docs clean html man
This should generate documentation in the
If you are a Vagrant user, Certbot comes with a Vagrantfile that
automates setting up a development environment in an Ubuntu 14.04
LTS VM. To set it up, simply run
vagrant up. The repository is
/vagrant, so you can get started with:
vagrant ssh cd /vagrant sudo ./venv/bin/certbot
Support for other Linux distributions coming soon.
Unfortunately, Python distutils and, by extension, setup.py and tox, use hard linking quite extensively. Hard linking is not supported by the default sync filesystem in Vagrant. As a result, all actions with these commands are significantly slower in Vagrant. One potential fix is to use NFS (related issue).
OSX users will probably find it easiest to set up a Docker container for
development. Certbot comes with a Dockerfile (
for doing so. To use Docker on OSX, install and setup docker-machine using the
instructions at https://docs.docker.com/installation/mac/.
To build the development Docker image:
docker build -t certbot -f Dockerfile-dev .
Now run tests inside the Docker image:
docker run -it certbot bash cd src tox -e py27
OS-level dependencies can be installed like so:
sudois required as a suggested way of running privileged process
- Python 2.6/2.7 is required
- Augeas is required for the Python bindings
pipare used for managing other python library dependencies
For squeeze you will need to:
virtualenv --no-site-packages -p pythoninstead of