Revert "update libs"

This reverts commit 03ff3b8.

lib/charms/observability_libs/v1/cert_handler.py

@@ -32,7 +32,6 @@
 Since this library uses [Juju Secrets](https://juju.is/docs/juju/secret) it requires Juju >= 3.0.3.
 """
 import abc
-import hashlib
 import ipaddress
 import json
 import socket
@@ -68,7 +67,7 @@
 
 LIBID = "b5cd5cd580f3428fa5f59a8876dcbe6a"
 LIBAPI = 1
-LIBPATCH = 14
+LIBPATCH = 13
 
 VAULT_SECRET_LABEL = "cert-handler-private-vault"
 
@@ -302,11 +301,14 @@ def __init__(
                 Must match metadata.yaml.
             cert_subject: Custom subject. Name collisions are under the caller's responsibility.
             sans: DNS names. If none are given, use FQDN.
-            refresh_events: [DEPRECATED].
+            refresh_events: an optional list of bound events which
+                will be observed to replace the current CSR with a new one
+                if there are changes in the CSR's DNS SANs or IP SANs.
+                Then, subsequently, replace its corresponding certificate with a new one.
         """
         super().__init__(charm, key)
         # use StoredState to store the hash of the CSR
-        # to potentially trigger a CSR renewal
+        # to potentially trigger a CSR renewal on `refresh_events`
         self._stored.set_default(
             csr_hash=None,
         )
@@ -318,9 +320,8 @@ def __init__(
 
         # Use fqdn only if no SANs were given, and drop empty/duplicate SANs
         sans = list(set(filter(None, (sans or [socket.getfqdn()]))))
-        # sort SANS lists to avoid unnecessary csr renewals during reconciliation
-        self.sans_ip = sorted(filter(is_ip_address, sans))
-        self.sans_dns = sorted(filterfalse(is_ip_address, sans))
+        self.sans_ip = list(filter(is_ip_address, sans))
+        self.sans_dns = list(filterfalse(is_ip_address, sans))
 
         if self._check_juju_supports_secrets():
             vault_backend = _SecretVaultBackend(charm, secret_label=VAULT_SECRET_LABEL)
@@ -366,15 +367,13 @@ def __init__(
         )
 
         if refresh_events:
-            logger.warn(
-                "DEPRECATION WARNING. `refresh_events` is now deprecated. CertHandler will automatically refresh the CSR when necessary."
-            )
-
-        self._reconcile()
+            for ev in refresh_events:
+                self.framework.observe(ev, self._on_refresh_event)
 
-    def _reconcile(self):
-        """Run all logic that is independent of what event we're processing."""
-        self._refresh_csr_if_needed()
+    def _on_refresh_event(self, _):
+        """Replace the latest current CSR with a new one if there are any SANs changes."""
+        if self._stored.csr_hash != self._csr_hash:
+            self._generate_csr(renew=True)
 
     def _on_upgrade_charm(self, _):
         has_privkey = self.vault.get_value("private-key")
@@ -389,11 +388,6 @@ def _on_upgrade_charm(self, _):
             # this will call `self.private_key` which will generate a new privkey.
             self._generate_csr(renew=True)
 
-    def _refresh_csr_if_needed(self):
-        """Refresh the current CSR with a new one if there are any SANs changes."""
-        if self._stored.csr_hash is not None and self._stored.csr_hash != self._csr_hash:
-            self._generate_csr(renew=True)
-
     def _migrate_vault(self):
         peer_backend = _RelationVaultBackend(self.charm, relation_name="peers")
 
@@ -446,17 +440,13 @@ def enabled(self) -> bool:
         return True
 
     @property
-    def _csr_hash(self) -> str:
+    def _csr_hash(self) -> int:
         """A hash of the config that constructs the CSR.
 
         Only include here the config options that, should they change, should trigger a renewal of
         the CSR.
         """
-
-        def _stable_hash(data):
-            return hashlib.sha256(str(data).encode()).hexdigest()
-
-        return _stable_hash(
+        return hash(
             (
                 tuple(self.sans_dns),
                 tuple(self.sans_ip),