Commit graph

1486 commits

Author SHA1 Message Date
Daniel McCarney
a5a28d2e7f Add /directory to example NewClient caDirURL. (#471)
The `acme.NewClient` function's `caDirURL` argument is expected to be
the full path to the ACME server's directory endpoint. In the README
example of using Lego programmatically against a Boulder instance only
the hostname & port are provided but not the directory path:

   `"http://192.168.99.100:4000"`

This produces an error like:

```
2018/01/15 14:34:06 get directory at 'http://192.168.99.100:4000': invalid
character '<' looking for beginning of value
```

When used verbatim with a Boulder container since the `/directory` is
missing and "What is an ACME server" HTML index page is returned.

This commit updates the example to use:

 `"http://192.168.99.100:4000/directory"`

Which allows the example code to work with Boulder as-intended.
2018-01-15 22:05:27 +01:00
Yoan Blanc
62e0f1096f exoscale: update to latest egoscale version (#468)
Signed-off-by: Yoan Blanc <yoan.blanc@exoscale.ch>
2018-01-15 21:58:24 +01:00
Simon Menke
b929aa5aab Fix zone detection for cross-zone cnames (#449)
* Fix zone detection for cross-zone cnames

CNAMEs cannot co-exist with SOA records so responses with
a CNAME should be skipped.

The `cross-zone-example.assets.sh.` is currently hosted by
me (@fd) and will continue to exist for as long as the assets.sh
domain exists. (The assets.sh domain is used as a CDN and is unlikely
to go away.)

See #330

* Extracted CNAME checking to simplify the FindZoneByFqdn control flow.
2017-11-15 11:03:00 +01:00
Amrit Bera
922235d33e Added missing environment variable in the comments (#450) 2017-11-14 01:14:38 +01:00
Davor Kapsa
084a073f13 travis: update go versions (#448) 2017-11-14 00:59:57 +01:00
Simon Merschjohann
aa94fb4696 Support for DNS Provider: GoDaddy (#416)
* Support for DNS Provider: godaddy

* GoDaddy DNS provider PUTs list instead of PATCH
2017-10-25 21:55:29 +02:00
LeSuisse
a80b046ca8 Users of an effective top-level domain can use the DNS challenge (#436)
They will not get anymore an error message saying
"Could not find the start of authority".

Finding the zone cut of a FQDN now only rely on the presence
of a SOA record. Indeed, in the context of an eTLD the
authority will be the eTLD itself so you need to continue
to recurse until you get an answer instead of cutting the search
when you find the public suffix of a domain.

Fixes #434
2017-10-25 21:47:54 +02:00
xenolf
2c41b2f40d Fix tested go versions in travis 2017-10-25 21:34:07 +02:00
Ian Bishop
b63985c974 renew/revoke - don't panic on wrong account (#446) 2017-10-25 21:31:30 +02:00
Oleg Stepura
5a2fd5039f Dockerfile broken with old alpine version with old go (#409)
* Dockerfile broken with old alpine version with old go

3.4 no longer works with error
```
package context: unrecognized import path "context" (import path does not begin with hostname)
```

3.5 with no changes did not work with error
```
# runtime/cgo
/tmp/go-build671992352/runtime/cgo/_obj/_cgo_export.c:2:20: fatal error: stdlib.h: No such file or directory
 #include <stdlib.h>
                    ^
compilation terminated.
```

3.6 with no changes did not work with error:
```
# github.com/xenolf/lego
/usr/lib/go/pkg/tool/linux_amd64/link: running gcc failed: exit status 1
/usr/lib/gcc/x86_64-alpine-linux-musl/6.3.0/../../../../x86_64-alpine-linux-musl/bin/ld: cannot find Scrt1.o: No such file or directory
/usr/lib/gcc/x86_64-alpine-linux-musl/6.3.0/../../../../x86_64-alpine-linux-musl/bin/ld: cannot find crti.o: No such file or directory
/usr/lib/gcc/x86_64-alpine-linux-musl/6.3.0/../../../../x86_64-alpine-linux-musl/bin/ld: cannot find -lpthread
/usr/lib/gcc/x86_64-alpine-linux-musl/6.3.0/../../../../x86_64-alpine-linux-musl/bin/ld: cannot find -lssp_nonshared
collect2: error: ld returned 1 exit status
```

* Fix git tag to freeze successfully builded image.

Fix git tag to freeze successfully builded image (prevents issues with newer versions in the future, plus uses stable release)

* Update Dockerfile according to PR comments

* Forgot /go in rm

* Bump lego version
2017-09-26 21:57:02 +02:00
Unknown
67c86d860a lego version 0.4.1 2017-09-26 16:13:47 +02:00
Unknown
3304583724 Improve --domains documentation
Closes #432
2017-09-25 22:29:52 +02:00
Andy Wiens
addee401b0 added authorization to dns zones client (#428) 2017-09-25 21:57:58 +02:00
Sean Brandt
49b9503635 handle move of egoscale to exoscale (#430) 2017-09-13 15:40:58 -06:00
Edward Betts
e370f2a4c5 correct spelling mistake (#424) 2017-09-01 11:46:15 -06:00
Shawn Smith
92ed209099 fix typo (#419) 2017-08-10 11:47:37 -06:00
Christian Groschupp
4dde48a9b9 Add DNS Provider for otc (#398)
* Add otc provider.

* Added tests for provider otc.

* Format dns_providers

* fix getZoneId

* Add for tests for provider otc.

* Add proxy to transport in otc provider.

* Use DefaultTransport in otc provider.

* Make loginRequest private in provider otc.

* better error handling in provider otc.

* add more tests for provider otc.
2017-07-20 00:54:35 +02:00
Unknown
68261a8b20 Add button to readme 2017-07-17 22:54:51 +02:00
jraby
a5eaf85c89 RFC2136_TIMEOUT: tuneable DNS propagation timeout (#386)
Useful for slower DNS environment.

Time string is parsed with time.ParseDuration, so units are mandatory
(eg. RFC2136_TIMEOUT=10m)
2017-07-17 22:05:47 +02:00
Janez Troha
147b326cb0 acme/http: saner http client timeouts (#377)
LE is becoming quite popular and it was observed that response time can be around 15s. I've increased this to 30s and added changes recomended here https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/
2017-07-17 21:57:01 +02:00
James Nugent
b2aab0377c dns/route53: Allow specifying hosted zone ID (#345)
* dns/route53: Allow specifying hosted zone ID

This commit adds support for specifying hosted zone ID via the
environment variable AWS_HOSTED_ZONE_ID. If this is not specified, the
previous discovery process is used.

This is useful in environments where multiple hosted zones for the same
domain name are present in an account.

* dns/route53: Fix up getHostedZoneID method params

Now that getHostedZoneID is a method on the DNSProvider struct, there is
no reason for it to take the Route53 client as a parameter - we can
simply use the reference stored in the struct.
2017-07-17 21:50:53 +02:00
Dan Lüdtke
dd74b99f8d RFC: providers/dns: add Service Account authorization option to gcloud (#408)
* providers/dns: add Service Account authorization option to gcloud

* providers/dns: use os.LookupEnv() for local ENV var
2017-07-17 21:40:57 +02:00
xenolf
192334c448 Lego version 0.4.0 2017-07-13 03:17:00 +02:00
Christian Groschupp
28ead50ff1 delete go version 1.6.3 from travis ci and add 1.8. (#402) 2017-06-18 11:58:28 -06:00
Wilk
aaa8e70aec CLI example with --days (#388) 2017-05-05 16:12:59 +02:00
theshamuel
25dd6b8fd7 Update azure.go (#391) 2017-05-03 16:53:59 +02:00
Unknown
eb711d3665 Merge branch 'authz-cleanup' 2017-05-03 16:13:45 +02:00
Unknown
f3fc555a98 Add explicit calls to disable authz on errors 2017-04-27 01:46:52 +02:00
jraby
b1fd84c6ff Add description for RFC2136 env vars (#385) 2017-04-25 20:01:22 -06:00
Makis Otman
5dfe609afb Update DNSimple instructions to use new env key (#374)
The help documentation still points to the old environment variable
(DNSIMPLE_API_KEY) so attempts that use that fail with: `DNSimple OAuth token is missing`.
This updates it with the correct key `DNSIMPLE_OAUTH_TOKEN`.
2017-04-05 12:28:06 -06:00
Luca Guidi
7668fe9274 Update error messages for DNSimple provider (#373) 2017-04-04 01:41:49 +02:00
Unknown
1293a4a35b Fix breaking change in azure SDK
Fixes #372
2017-04-04 00:33:46 +02:00
Manuel Valls Fernández
a111d61d85 Move nonce retry from jws to http (#367)
* Move nonce retry from jws to http

The error raised by an "invalid nonce" response never appeared
inside jws.go, but instead it was handled at http.go, so it makes
sense to move the retry logic to that file. The previous code from
jws.go had no effect and did not solve issues related to invalid
nonces.

* Rename retry response variable name for clarity
2017-03-30 02:25:34 +02:00
Unknown
ee0018c855 Remove conditional around rate limiting
Always limit LE requests to ~18 per second, no matter how many domains are being validated.
2017-03-30 02:06:43 +02:00
Mahmoud Abdelsalam
0e2937900b Add error checking for the jws httpPost (#360)
https://github.com/xenolf/lego/issues/359
2017-03-17 19:58:44 +01:00
Luca Guidi
e526fb5a1a Use DNSimple official Go client (#363) 2017-03-17 19:40:51 +01:00
Etienne
45beff7ed3 Add workaround for new-authz rate limits (#357) 2017-03-13 22:41:19 +01:00
Emilien Devos
6cac0ea7d8 Add lego installation via package manager for ArchLinux (#344) 2017-02-19 05:51:39 +01:00
xenolf
66d8acbf89 Add some better error messages to http and jws 2017-02-19 05:50:21 +01:00
Pavel Forkert
0c0d57a545 Log authorization urls (#350)
https://letsencrypt.org/docs/rate-limits/ says:
> The pending authorization objects are represented by URLs of the form https://acme-v01.api.letsencrypt.org/acme/authz/XYZ, and should show up in your client logs.
2017-02-19 05:30:33 +01:00
Pavel Forkert
661e5e690c Do not get stuck when server accidentally starts responding with bad data (#349)
If `links["next"] == ""` the early return does not send neither success, nor failure to outer code,
which leads to whole `getChallenges` method being stuck forever, cause it waits for either `resc` or `errc` to receive message.
2017-02-19 05:17:22 +01:00
xenolf
9f94aabbd2 Fix nonce error (#354)
* Adding a NonceError type to detect nonce errors

* Implement a one off retry on a nonce error.
2017-02-19 05:12:14 +01:00
Pavel Forkert
09d8a49bf2 Reduce nonce locking (#340)
* [reduce-locking] Prepare for change

* [reduce-locking] Do not lock on http request

* [reduce-locking] Move getNonce and getNonceFromResponse from jws struct cause they do not need access to it

* [reduce-locking] Extract nonceManager

* [reduce-locking] Add test that tries to show locking on http requests problem
2017-02-19 04:48:45 +01:00
Simone Carletti
be23e242c1 Fix invalid package name (#342) 2017-02-10 23:53:49 -07:00
Matt Holt
f5d538caab Close response body in error case and close first one (#341)
* Close response body in error case

* Ensure the body of both responses is closed when polling for cert

Also make a new const of maxBodySize, and cap the number of polls
to a maximum of 1000.

* More correct placement for polling limit

* Move const to the top
2017-01-15 16:54:49 +01:00
Fabio Berchtold
ce8fb060cb fix Vultr API calls (#335)
* fix Vultr API calls

Signed-off-by: Fabio Berchtold <jamesclonk@jamesclonk.ch>

* rename Vultr DNS structs

Signed-off-by: Fabio Berchtold <jamesclonk@jamesclonk.ch>
2016-12-27 00:46:13 +01:00
Jacob Hoffman-Andrews
ca19ea1c19 Fix example call to ObtainCertificate (#333)
The previous example left out the MustStaple argument.
2016-12-27 00:41:19 +01:00
Joe Shaw
e9c3078492 add issuer certificate to CertificateResource (#325)
* add issuer certificate to CertificateResource

Also write it out to the file system when running "lego run"

Removed caching of the issuer certificate inside the acme client, since
it didn't appear to be used.

* only append issuerCert to issuedCert in case of success

Effectively a no-op since issuerCert will be nil on error, but it seems
more correct to only do it if fetching the issuer succeeds.
2016-12-14 00:22:48 +01:00
Pavel Forkert
d149f14b6b Properly lock jws.nonces (#319)
Before read access to `nonces` field in jws structure (in `Nonces` method) was not synchronized and we were still able
to get `slice bounds out of range` panic when trying to "pop" value in `Nonces` method.

The race can be actually observed by running `Nonce` method multiple times in separate goroutines with th precondition is `len(jws.nonces) == 1`.
2016-12-13 09:49:37 +01:00
xenolf
cbd5d04c89 Fix OCSP must staple.
Fixes #327
2016-12-06 08:41:28 +01:00