- 22 Jan, 2016 3 commits
- Patrick J Cherry authored
- Patrick J Cherry authored
It has to check all the directories in sets/ to pick the next, not just use the next name of the "last" available set.
- Patrick J Cherry authored
The defaults are as follows:
  - If the current set is available
    - If it is due to expire inside the threshold
      - generate a new set if there is no set more recent (unless instructed otherwise)
      - roll over to the new set if one has been generated (unless instructed not to)
    - Otherwise
      - do not generate a new set (unless instructed otherwise)
      - do not roll over (unless instructed to)
  - If the "current" set is missing, but other sets are available
    - If the most recent set is due to expire inside the threshold
      - generate a new set (unless instructed otherwise)
      - roll over to the new set if one has been generated (unless instructed not to)
    - If the most recent set is not due to expire soon
      - do not generate a new set (unless instructed otherwise)
      - roll over to the latest set (unless instructed not to)
  - If there are no certificate sets
    - generate a new one (unless instructed otherwise)
    - roll over to the new set if one has been generated (unless instructed not to)
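The defaults described in that commit message, written out as a small decision function. This is an added example and not the project's own code: the `CertSet` struct, the `plan_rollover` name, the `:new_set` marker for "the set we are about to generate", and the `generate:`/`rollover:` override arguments are all assumptions made for illustration.

```ruby
# Added example, not the project's code: the rollover defaults above as a
# decision function. A certificate set is modelled as a name plus its
# expiry time; `current` is the name of the set currently in use, or nil
# when the "current" set is missing. All names here are constructed.
CertSet = Struct.new(:name, :not_after)

# Returns { generate: true/false, rollover_to: :new_set | set name | nil }.
# `generate:` and `rollover:` are the "unless instructed otherwise"
# overrides: nil means "use the default", true/false forces the choice.
# `threshold` is in seconds.
def plan_rollover(sets, current:, now:, threshold:, generate: nil, rollover: nil)
  expiring = ->(set) { set.not_after - now <= threshold }
  pick = ->(override, default) { override.nil? ? default : override }

  # No certificate sets at all: generate one and roll over to it.
  if sets.empty?
    do_generate = pick.call(generate, true)
    do_rollover = pick.call(rollover, true)
    return { generate: do_generate, rollover_to: (do_generate && do_rollover) ? :new_set : nil }
  end

  latest = sets.max_by(&:not_after)
  cur    = sets.find { |s| s.name == current }

  if cur
    if expiring.call(cur)
      # Generate only if no set is more recent than the current one.
      newer_exists = latest.not_after > cur.not_after
      do_generate = pick.call(generate, !newer_exists)
      do_rollover = pick.call(rollover, true)
      # Assumption: when a newer set already exists we roll over to that one.
      target = if do_generate then :new_set elsif newer_exists then latest.name end
      { generate: do_generate, rollover_to: do_rollover ? target : nil }
    else
      # Current set is healthy: the default is to do nothing.
      do_generate = pick.call(generate, false)
      do_rollover = pick.call(rollover, false)
      { generate: do_generate, rollover_to: (do_generate && do_rollover) ? :new_set : nil }
    end
  else
    # "current" is missing but other sets exist.
    do_generate = pick.call(generate, expiring.call(latest))
    do_rollover = pick.call(rollover, true)
    target = do_generate ? :new_set : latest.name
    { generate: do_generate, rollover_to: do_rollover ? target : nil }
  end
end
```

The overrides are deliberately tri-state (nil, true, false) so that a command-line flag can force either choice without losing the defaults; the one place the text leaves open, what to roll over to when the current set is expiring but a newer set already exists, is marked as an assumption in the code.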
- 21 Jan, 2016 16 commits
- Patrick J Cherry authored
- Patrick J Cherry authored
Apparently the solution is to "retry a reasonable number of times". https://github.com/letsencrypt/boulder/issues/1217 https://community.letsencrypt.org/t/getting-the-client-sent-an-unacceptable-anti-replay-nonce/9172
- Patrick J Cherry authored
- Patrick J Cherry authored
Also fixed up retrying when writing fails. It now retries, and shouts louder if the second attempt fails.
- Patrick J Cherry authored
Just remove duff characters.
- Patrick J Cherry authored
This adds in tests for previous commits too.
- Patrick J Cherry authored
This ensures a good-looking email address is sent to letsencrypt. The regex is taken from our Exim config.
- Patrick J Cherry authored
This will hopefully help debugging. Also the #verify_status is cached between tests, so we don't call it lots of times by accident. The sleep has moved to after the "pending" check, which makes testing (and potentially production) faster.
- Patrick J Cherry authored
Previously it was assumed that the bare domain would be the CN, but when this doesn't verify, then that doesn't make sense.
- Patrick J Cherry authored
This reverts commit 6054612a, reversing changes made to d4d77473.
- Patrick J Cherry authored
- Patrick J Cherry authored
This now uses String#strip to remove any leading/trailing whitespace. Test case added, changelog bumped.
- Steve Kemp authored
Instead merge into previous release.
- Steve Kemp authored
- Steve Kemp authored
We load config from /srv/example.com/config/spf and then encode the first line. However we need to make sure that we cope with the `\r\n` which Windows users might have added. That will manifest itself in SPF records containing things like this:
"v=spf1 +mx +a -all\010"
where \010 corresponds to "\n". Reference RT-ticket #641993
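To make the failure mode concrete, here is an added example (not the project's code) that reads the first line of a constructed SPF config file, encodes it the way a DNS master file presents a TXT record, and shows the `String#strip` fix next to the unstripped version. The function names, the `WINDOWS_SPF_CONFIG` sample and the encoder are all assumptions made for this illustration.

```ruby
# Added example, not the project's code: shows why an unstripped first line
# leaks into the SPF TXT record and the strip that fixes it. The file
# contents below are constructed; the encoder follows the DNS master-file
# convention of writing non-printable bytes as \DDD with DDD in *decimal*
# (RFC 1035 section 5.1), which is why a newline appears as \010.
def txt_encode(str)
  body = str.each_byte.map do |b|
    if b == 0x22 || b == 0x5c         # '"' and '\' must be escaped
      "\\" + b.chr
    elsif b >= 0x20 && b < 0x7f       # printable ASCII passes through
      b.chr
    else                              # anything else as decimal \DDD
      format('\\%03d', b)
    end
  end.join
  "\"#{body}\""
end

# Before the fix: encode the first line exactly as read from the file.
def spf_record_naive(config)
  txt_encode(config.lines.first.to_s)
end

# After the fix: String#strip drops the trailing "\n" or "\r\n" (and any
# other leading/trailing whitespace) before encoding.
def spf_record(config)
  txt_encode(config.lines.first.to_s.strip)
end

# Constructed config file contents, as a Windows editor might have saved it.
WINDOWS_SPF_CONFIG = "v=spf1 +mx +a -all\r\n"
```

Run against the Windows-style input, the naive version produces a record ending in `\013\010` (carriage return then newline), the Unix-style input produces the `\010` seen in the ticket, and the stripped version produces a clean `"v=spf1 +mx +a -all"`.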
- Patrick J Cherry authored
- 19 Jan, 2016 2 commits
- Patrick J Cherry authored
- Patrick J Cherry authored
This fixes the "!! Failed: Error creating new authz :: DNS name was empty" errors seen by people.
- 15 Jan, 2016 1 commit
- Patrick J Cherry authored
Fixes: #12453
- 14 Jan, 2016 15 commits
- Patrick J Cherry authored
A bad pattern was copied all over the place, calling the wrong method. The method has now been renamed (and an alias inserted for the old name).
- Patrick J Cherry authored
This should shorten the retry loops for domains that have gone away.
- Patrick J Cherry authored
- Patrick J Cherry authored
- Patrick J Cherry authored
- Patrick J Cherry authored
- Patrick J Cherry authored
- Patrick J Cherry authored
- Patrick J Cherry authored
- Patrick J Cherry authored
Because the script would almost always be called as root.
- Patrick J Cherry authored
- Patrick J Cherry authored
The old code would have failed if the hostname didn't match the selector regex, as $2 would have been nil.
- Patrick J Cherry authored
This did not match what the DKIM record generator in the common package was producing for the selector.
- Patrick J Cherry authored
The author had not realised that spaces were needed between DMARC fields. This has now been put in place. Additionally, the default policy is more relaxed than it was, namely:
v=DMARC1; p=quarantine; sp=none
which means that anything that fails SPF or DKIM checks should be regarded suspiciously, and that subdomains should be treated separately.
- Patrick J Cherry authored
This reverts commit 61ef3fff. I'll recommence this work in a feature branch.
- 13 Jan, 2016 1 commit
- Patrick J Cherry authored
- 12 Jan, 2016 2 commits
- Patrick J Cherry authored
- Patrick J Cherry authored
The write method no longer uses a temporary directory to create the certificates, but writes them out directly to the new set directory. This directory should be owned by the domain's uid, and the ssl-cert gid, and mode 0750. Programs that need access to the SSL cert should be members of the ssl-cert group. If any part of this gid changing fails, we revert back to the domain's gid, and mode 0755, allowing anyone to read the files.
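The ownership and fallback rules in that message, as an added Ruby example that is not the project's own code. It creates the set directory, tries the restricted ownership first, and falls back exactly as described; the function name, the return symbols and the `cert_group:` parameter (which lets the fallback path be exercised without root or an `ssl-cert` group) are assumptions made here.

```ruby
require 'etc'
require 'fileutils'
require 'tmpdir'

# Added example, not the project's code: create a new certificate set
# directory with the ownership described above (domain uid, ssl-cert gid,
# mode 0750) and fall back to the domain's own gid and mode 0755 if the
# group change cannot be made. Returns :restricted or :fallback so the
# caller can log which outcome it got.
def make_cert_set_dir(path, uid:, gid:, cert_group: 'ssl-cert')
  FileUtils.mkdir_p(path)
  begin
    cert_gid = Etc.getgrnam(cert_group).gid   # ArgumentError if the group does not exist
    File.chown(uid, cert_gid, path)            # EPERM unless root or a member of the group
    File.chmod(0750, path)                     # owner rwx, group rx, others nothing
    :restricted
  rescue ArgumentError, SystemCallError
    # Could not hand the directory to the ssl-cert group: keep it under the
    # domain's own gid and world-readable so dependent services still work.
    File.chown(uid, gid, path)
    File.chmod(0755, path)
    :fallback
  end
end

# Permission bits only, for checking the outcome.
def dir_mode(path)
  File.stat(path).mode & 0777
end
```

The trade-off the fallback makes is visible in the mode bits: 0750 keeps the private key readable only by the owner and the ssl-cert group, while 0755 lets any local user read the directory, which is why the caller should log which branch was taken.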