release: v2.0.3 - fix Route53 propagation flag, private CA SSL verification

Issue #75 - Route53: unrecognised argument --dns-route53-propagation-seconds
certbot-dns-route53 >= 1.22 removed this flag; the plugin polls Route53 internally.
Added supports_propagation_seconds_flag property to DNSProviderStrategy (base = True).
Route53Strategy overrides it to False. CertificateManager only appends the flag when
the strategy declares it is supported.
Files: modules/core/dns_strategies.py, modules/core/certificates.py

Issue #74 - Private CA ACME endpoint connection test fails with SSL error
The test endpoint was using verify=True (system CA bundle), rejecting self-signed /
private-root certificates even when a CA cert was supplied in the configuration form.
Fix: write the provided CA cert to a temporary PEM file and pass it as verify=<path>
to requests.get(). Temp file cleaned up in a finally block. SSL error messages now
include targeted hints about supplying or correcting the CA certificate.
File: modules/api/resources.py

Issue #56 - Residual Route53 / san_domains failures after v2.0.2
The remaining reported failure mode (--dns-route53-propagation-seconds unrecognised)
is resolved by the Issue #75 fix above.

Test suite: 161 passed, 9 skipped, 0 failed
New tests: TestRoute53PropagationFlag (4), TestAcmeConnectionSSLHandling (2)

Author: fabriziosalmi

RELEASE_NOTES.md

@@ -1,3 +1,67 @@
+# Release v2.0.3
+
+## Bug Fixes
+
+### Issue #75 — AWS Route53 DNS Provider: unrecognised argument `--dns-route53-propagation-seconds`
+
+**Root cause:** certbot-dns-route53 ≥ 1.22 removed the `--dns-route53-propagation-seconds`
+CLI flag. The plugin now polls Route53 internally until the TXT record propagates, making
+the flag redundant. Passing it caused an "unrecognised arguments" error that aborted every
+certificate request using the Route53 provider.
+
+**Fix:**
+- Added `supports_propagation_seconds_flag` property to `DNSProviderStrategy` (base class,
+  defaults to `True`).
+- `Route53Strategy` overrides the property to `False`.
+- `CertificateManager.create_certificate()` now only appends the propagation-seconds flag to
+  the certbot command when the strategy's `supports_propagation_seconds_flag` is `True`.
+
+**Files changed:** `modules/core/dns_strategies.py`, `modules/core/certificates.py`
+
+---
+
+### Issue #74 — Private CA ACME endpoint connection test fails with SSL error
+
+**Root cause:** The "Test Connection" API endpoint used `verify=True` (system CA bundle)
+for all HTTPS requests to private ACME servers. Private CAs with self-signed or
+internal-root certificates are not trusted by the system bundle, causing every connection
+test to report "ACME endpoint is not accessible" even when the endpoint was reachable.
+
+**Fix:**
+- When the user provides a CA certificate in the Private CA configuration form, the
+  certificate is written to a temporary PEM file and passed as `verify=<path>` to
+  `requests.get()`, allowing the self-signed / private-root to be properly validated.
+- The temporary file is always removed in a `finally` block to avoid leaking disk state.
+- SSL error messages now include a targeted hint: whether to supply a CA certificate
+  (if none was given) or verify that the provided certificate is the correct root/intermediate.
+
+**Files changed:** `modules/api/resources.py`
+
+---
+
+### Issue #56 — Residual Route53 failures still reported after v2.0.2
+
+The `san_domains` keyword argument and Cloudflare-hardcoded DNS provider fallback were
+already resolved in v2.0.1 and v2.0.2. The remaining failure mode reported by users
+("unrecognised arguments: --dns-route53-propagation-seconds") is the same bug addressed
+by the Issue #75 fix above. Closing as fully resolved in v2.0.3.
+
+---
+
+## Test Suite
+
+- 4 new unit tests added to `tests/test_san_domains.py`:
+  - `TestRoute53PropagationFlag`: verifies `Route53Strategy.supports_propagation_seconds_flag`
+    is `False`, all other strategies are `True`, and the flag is absent from the constructed
+    certbot command for Route53.
+  - `TestAcmeConnectionSSLHandling`: verifies temp-file CA bundle creation and the
+    no-cert system-bundle fallback.
+
+**Full suite result: 161 passed, 9 skipped, 0 failed** (9 skipped require live credentials
+or a real CA; all automatable tests are green).
+
+---
+
 # Release v1.9.0
 
 ## Docker First-Run UX

app.py

@@ -2,7 +2,7 @@
 CertMate - Modular SSL Certificate Management Application
 Main application entry point with modular architecture
 """
-__version__ = '2.0.2'
+__version__ = '2.0.3'
 import os
 import sys
 import tempfile

modules/api/resources.py

@@ -939,17 +939,34 @@ def post(self):
                         try:
                             import requests
                             import ssl
+                            import tempfile
                             from urllib.parse import urljoin
 
                             # Test if the ACME directory is accessible
                             timeout = 10
 
-                            # For HTTPS URLs, we might need to handle custom CA certificates
-                            verify_ssl = True
+                            # Build SSL verification argument.
+                            # If the user supplied a custom CA certificate (typical for private CAs
+                            # with self-signed roots), write it to a temp file and pass it as the
+                            # `verify` argument so requests can validate the server certificate.
+                            # Without this, requests falls back to the system CA bundle and will
+                            # reject self-signed / private-root certificates.
+                            _ca_bundle_tmp = None
                             if ca_cert:
-                                # If a custom CA cert is provided, we should use it for verification
-                                # For now, we'll warn but still allow the connection
-                                logger.info("Custom CA certificate provided for Private CA")
+                                try:
+                                    _ca_bundle_tmp = tempfile.NamedTemporaryFile(
+                                        mode='w', suffix='.pem', delete=False
+                                    )
+                                    _ca_bundle_tmp.write(ca_cert.strip())
+                                    _ca_bundle_tmp.flush()
+                                    _ca_bundle_tmp.close()
+                                    verify_ssl = _ca_bundle_tmp.name
+                                    logger.info("Using provided CA certificate for ACME endpoint SSL verification")
+                                except Exception as tmp_err:
+                                    logger.warning(f"Could not write CA cert to temp file: {tmp_err}")
+                                    verify_ssl = True
+                            else:
+                                verify_ssl = True
 
                             response = requests.get(acme_url, timeout=timeout, verify=verify_ssl, allow_redirects=False)
 
@@ -994,22 +1011,36 @@ def post(self):
                         except requests.exceptions.ConnectionError:
                             return {
                                 'success': False,
-                                'message': 'Connection failed - ACME endpoint is not accessible',
+                                'message': 'Connection failed - ACME endpoint is not accessible. '
+                                           'Ensure the CertMate server can reach the ACME host on the required port.',
                                 'ca_provider': ca_provider
                             }
                         except requests.exceptions.SSLError as ssl_error:
+                            hint = (
+                                ' Provide the private CA certificate in the "CA Certificate" field so it can be used for verification.'
+                                if not ca_cert else
+                                ' The provided CA certificate could not verify the server. Ensure it is the correct root/intermediate PEM.'
+                            )
                             return {
                                 'success': False,
-                                'message': 'SSL verification failed',
+                                'message': f'SSL verification failed.{hint}',
                                 'ca_provider': ca_provider
                             }
                         except Exception as conn_error:
                             logger.error(f"CA provider connection test failed: {conn_error}")
                             return {
                                 'success': False,
-                                'message': 'Connection test failed',
+                                'message': f'Connection test failed: {conn_error}',
                                 'ca_provider': ca_provider
                             }
+                        finally:
+                            # Always remove the temporary CA bundle file if we created one
+                            try:
+                                if _ca_bundle_tmp is not None:
+                                    import os as _os
+                                    _os.unlink(_ca_bundle_tmp.name)
+                            except (NameError, OSError):
+                                pass
 
                     else:
                         return {'error': 'Invalid CA provider type'}, 400

modules/core/certificates.py

@@ -347,7 +347,10 @@ def create_certificate(self, domain, email, dns_provider=None, dns_config=None,
                 # Ensure propagation time is within reasonable bounds (1 second to 1 hour)
                 propagation_time = max(1, min(3600, propagation_time))
 
-                certbot_cmd.extend([f'--{strategy.plugin_name}-propagation-seconds', str(propagation_time)])
+                # Some plugins (e.g. certbot-dns-route53 ≥ 1.22) do not accept a
+                # --{plugin}-propagation-seconds flag and handle propagation internally.
+                if strategy.supports_propagation_seconds_flag:
+                    certbot_cmd.extend([f'--{strategy.plugin_name}-propagation-seconds', str(propagation_time)])
 
             logger.info(f"Running certbot command for {domain} with {dns_provider}")
             # Redact sensitive arguments before logging

modules/core/dns_strategies.py

@@ -37,6 +37,16 @@ def default_propagation_seconds(self) -> int:
         """Return default propagation time in seconds"""
         return 120
 
+    @property
+    def supports_propagation_seconds_flag(self) -> bool:
+        """Whether this provider's certbot plugin accepts a --{plugin}-propagation-seconds flag.
+
+        Most plugins support this flag, but some (e.g. certbot-dns-route53 ≥ 1.22)
+        removed it because propagation is handled internally.  Override and return
+        ``False`` in subclasses where the flag is not accepted.
+        """
+        return True
+
     def configure_certbot_arguments(self, cmd: list, credentials_file: Optional[Path], domain_alias: Optional[str] = None) -> None:
         """Add provider-specific arguments to the certbot command
         
@@ -87,7 +97,13 @@ def create_config_file(self, config_data: Dict[str, Any]) -> Optional[Path]:
     @property
     def plugin_name(self) -> str:
         return 'dns-route53'
-        
+
+    @property
+    def supports_propagation_seconds_flag(self) -> bool:
+        # certbot-dns-route53 ≥ 1.22 removed --dns-route53-propagation-seconds.
+        # The plugin polls Route53 internally until the record propagates.
+        return False
+
     @property
     def default_propagation_seconds(self) -> int:
         return 60

modules/core/file_operations.py

@@ -140,7 +140,7 @@ def create_unified_backup(self, settings_data, backup_reason="manual"):
                 "backup_id": backup_id,
                 "timestamp": datetime.now().isoformat(),
                 "backup_reason": backup_reason,
-                "version": "2.0.2",  # New unified format
+                "version": "2.0.3",  # New unified format
                 "type": "unified",
                 "domains": domains,
                 "settings_domains": [d.get('domain') if isinstance(d, dict) else d for d in settings_data.get('domains', [])],

modules/core/settings.py

@@ -594,7 +594,7 @@ def _ensure_certificate_metadata(self):
                             "domain": domain,
                             "dns_provider": dns_provider,
                             "created_at": "unknown",
-                            "version": "2.0.2",
+                            "version": "2.0.3",
                             "migrated": True
                         }
 

package.json

@@ -1,7 +1,7 @@
 {
   "private": true,
   "name": "certmate",
-  "version": "2.0.2",
+  "version": "2.0.3",
   "description": "CertMate SSL Certificate Manager - frontend assets",
   "scripts": {
     "css:build": "npx tailwindcss -i static/css/input.css -o static/css/tailwind.min.css --minify",

tests/test_san_domains.py

@@ -132,3 +132,100 @@ def test_domain_config_without_provider_uses_default(self):
         }
         result = self.mgr.get_domain_dns_provider('example.com', settings)
         assert result == 'route53'
+
+
+class TestRoute53PropagationFlag:
+    """Issue #75 — certbot-dns-route53 removed --dns-route53-propagation-seconds.
+
+    The certbot-dns-route53 plugin (≥ 1.22) no longer accepts a
+    ``--dns-route53-propagation-seconds`` argument; it polls Route53
+    internally.  CertMate must NOT pass that flag for Route53.
+    """
+
+    def setup_method(self):
+        from modules.core.dns_strategies import Route53Strategy, CloudflareStrategy, DNSStrategyFactory
+        self.route53 = Route53Strategy()
+        self.cloudflare = CloudflareStrategy()
+        self.factory = DNSStrategyFactory
+
+    def test_route53_does_not_support_propagation_flag(self):
+        """Route53Strategy.supports_propagation_seconds_flag must be False."""
+        assert self.route53.supports_propagation_seconds_flag is False
+
+    def test_other_providers_do_support_propagation_flag(self):
+        """All non-Route53 strategies should still support the propagation flag."""
+        assert self.cloudflare.supports_propagation_seconds_flag is True
+
+    def test_all_non_route53_strategies_support_flag(self):
+        """Every strategy except Route53 should support the propagation flag."""
+        from modules.core.dns_strategies import DNSStrategyFactory
+        for name, strategy_cls in DNSStrategyFactory._strategies.items():
+            strategy = strategy_cls()
+            if name == 'route53':
+                assert strategy.supports_propagation_seconds_flag is False, \
+                    f"Route53 should NOT support propagation-seconds flag"
+            else:
+                assert strategy.supports_propagation_seconds_flag is True, \
+                    f"{name} should support propagation-seconds flag"
+
+    def test_propagation_flag_not_in_certbot_cmd_for_route53(self):
+        """When CertificateManager builds the command for Route53, the
+        --dns-route53-propagation-seconds flag must be absent."""
+        from modules.core.dns_strategies import Route53Strategy
+        strategy = Route53Strategy()
+        cmd = ['certbot', 'certonly', '--dns-route53']
+        # Simulate what certificates.py does
+        if strategy.supports_propagation_seconds_flag:
+            cmd.extend([f'--{strategy.plugin_name}-propagation-seconds', '60'])
+        assert '--dns-route53-propagation-seconds' not in cmd
+
+
+class TestAcmeConnectionSSLHandling:
+    """Issue #74 — ACME endpoint test must use the provided CA cert for SSL
+    verification instead of always falling back to the system CA bundle."""
+
+    def test_ca_cert_written_to_tempfile_for_verification(self, tmp_path):
+        """When a CA cert is supplied the connection test should pass verify=<path>."""
+        import tempfile, os
+
+        fake_cert = (
+            "-----BEGIN CERTIFICATE-----\n"
+            "MIIBIjANBgkq...(fake PEM content)...\n"
+            "-----END CERTIFICATE-----\n"
+        )
+
+        # Simulate the tempfile creation logic used in resources.py
+        _ca_bundle_tmp = None
+        try:
+            _ca_bundle_tmp = tempfile.NamedTemporaryFile(
+                mode='w', suffix='.pem', delete=False
+            )
+            _ca_bundle_tmp.write(fake_cert.strip())
+            _ca_bundle_tmp.flush()
+            _ca_bundle_tmp.close()
+            verify_ssl = _ca_bundle_tmp.name
+
+            assert os.path.isfile(verify_ssl)
+            with open(verify_ssl) as fh:
+                assert 'BEGIN CERTIFICATE' in fh.read()
+        finally:
+            if _ca_bundle_tmp is not None:
+                try:
+                    os.unlink(_ca_bundle_tmp.name)
+                except OSError:
+                    pass
+
+    def test_no_ca_cert_uses_system_bundle(self):
+        """When no CA cert is supplied, verify_ssl should default to True."""
+        ca_cert = None
+        _ca_bundle_tmp = None
+
+        if ca_cert:
+            import tempfile
+            _ca_bundle_tmp = tempfile.NamedTemporaryFile(mode='w', suffix='.pem', delete=False)
+            verify_ssl = _ca_bundle_tmp.name
+        else:
+            verify_ssl = True
+
+        assert verify_ssl is True
+        assert _ca_bundle_tmp is None