Commit graph

59 commits

Author SHA1 Message Date
David Cowden
d54f963b81 acme/retry: Update DNS challenge tests 2020-05-20 18:02:58 -07:00
David Cowden
0f63e43b10 acme: Update http-01 challenge tests
Add tests for the starting challenge statuses.
Removed unneeded db write test.
2020-05-19 03:38:04 -07:00
David Cowden
9103880f88 Merge branch 'master' into dcow/challenge-retry 2020-05-18 23:00:25 -07:00
Max
ba91f4ed13
Merge pull request #260 from anxolerd/feat-force-cn-if-empty
[Feature] Force CommonName for certificates from ACME provisioner
2020-05-18 14:40:01 -07:00
David Cowden
d5f95dee57 Merge branch 'master' into dcow/challenge-retry 2020-05-18 04:06:30 -07:00
Oleksandr Kovalchuk
893a53793a
Modify existing tests to accept forceCNOption modifier
Modify existing tests to pass with changes introduced in commit
322200b7db. This is safe to do as
tests assert exact length of modifiers, which has changed.
2020-05-17 20:27:09 +03:00
Oleksandr Kovalchuk
322200b7db
Implement modifier to set CommonName
Implement modifier which sets CommonName to the certificate if
CommonName is empty and forceCN is set in the config. Replace previous
implementation introduced in 0218018cee
with new modifier.

Closes https://github.com/smallstep/certificates/issues/259
Ref: https://github.com/smallstep/certificates/pull/260#issuecomment-628961322
2020-05-17 20:23:13 +03:00
max furman
e1409349f3 Allow relative URL for all links in ACME api ...
* Pass the request context all the way down the ACME stack.
* Save baseURL in context and use when generating ACME urls.
2020-05-14 17:32:54 -07:00
Oleksandr Kovalchuk
0218018cee
Generate Subject if forceCN and Subject is empty
When `forceCN` is set in provisioner configuration and
Subject.CommonName is empty, set Subject.CommonName to the first SAN
from the CSR to follow the letsencrypt's boulder behavior. This is done
in order to support system which require certificate's Subject field to
be non-empty.

N.B. certbot does not send Subject in its certificate request and relies
on similar behavior of letsencrypt.

Closes https://github.com/smallstep/certificates/issues/259
2020-05-14 13:23:42 +03:00
David Cowden
deacbdc358 acme: Don't panic on logic errors
Since it will ultimately 500 anyway, just return an error.
2020-05-13 20:06:50 -07:00
David Cowden
c378e0043a acme: Move ordinal to application
The authority now receives the ordinal in its constructor rather than a
global variable set at package initialization time. The ordinal is
passed via the command line option `--ordinal`.
2020-05-13 19:22:07 -07:00
David Cowden
b8b3ca2ac1 acme/authority: Add descriptive intro to ValidateChallenge 2020-05-13 11:38:40 -07:00
David Cowden
5e5a76c3b5 acme/api: Set Link and Location headers for all 200
On the challenge resource, set "Link" and "Location" headers for all
successful requests to the challenge resource.
2020-05-13 11:10:14 -07:00
David Cowden
5354906b9c acme/api: Add func name to beginning of comment 2020-05-13 10:56:19 -07:00
David Cowden
976c8f82c6 acme/authority: Fix tests
Also, return early from ValidateChallenge if the challenge is already
valid. Interestingly, we aren't actually testing most of the
ValidateChallenge func, just the early error and return conditions. We
should add some more coverage here.
2020-05-13 07:55:38 -07:00
David Cowden
b061d0af34 acme/authority: Fix error message in test
The error message was updated. Make the test should reflect the new
changes.
2020-05-13 07:31:21 -07:00
David Cowden
609e1312da acme/api: Write headers for invalid challenges
Include the "Link" and "Location" headers on invalid challenge
resources. An invalid challenge is still a perfectly acceptable
response.
2020-05-13 07:29:12 -07:00
David Cowden
8ae32f50f2 acme: Fix comment style to appease linter
The linter likes comments on public functions to start with their name,
for some reason...
2020-05-13 05:04:49 -07:00
David Cowden
794725bcc3 acme/api: Remove unused BackoffChallenge func
The mock has an old func that is no longer used. Remove it.
2020-05-13 04:03:47 -07:00
David Cowden
8556d45c3f acme/authority: Move comment onto correct block
The comment appeared too early.
2020-05-13 04:03:01 -07:00
Clive Jevons
639993bd09 Read host and protocol information from request for links
When constructing links we want to read the required host and protocol
information in a dynamic manner from the request for constructing ACME
links such as the directory information. This way, if the server is
running behind a proxy, and we don't know what the exposed URL should
be at runtime, we can construct the required information from the
host, tls and X-Forwarded-Proto fields in the HTTP request.
Inspired by the LetsEncrypt Boulder project (web/relative.go).
2020-05-12 16:58:12 -07:00
David Cowden
84af2ad562 acme: Fix test compile
* Add toACME test for the "processing" state.
2020-05-12 08:33:32 -07:00
David Cowden
2514b58f58 acme/api: Fixup handler_test
Remove superfluous test. Add test checking for the Retry-After header if
the challenge's RetryAfter field is set.
2020-05-12 04:52:44 -07:00
David Cowden
089e3aea4f acme/challenge: Fix error return type on KeyAuthorization
In golang, one should always return error types rather than interfaces
that conform to an error protocol. Why? Because of this:

    https://play.golang.org/p/MVa5vowuNRo

Feels ~~like JavaScript~~ bad, man.
2020-05-11 21:30:50 -07:00
David Cowden
9f18882973 acme/challenge: Copy retry information on clone
When cloning a challenge, deeply clone the retry field if it is not nil.
2020-05-11 21:25:31 -07:00
David Cowden
a857c45847 acme/authority: Polymorph the challenge type
Prior to validation, we must wrap the base challenge in the correct
concrete challenge type so that we dispatch the correct validation
method.
2020-05-11 21:23:55 -07:00
David Cowden
2d0a00c4e1 acme/api: Add missing return
Stop execution when the error happens. This was previously a typo.
2020-05-11 21:22:40 -07:00
max furman
4cb777bdc1 ACME accountUpdate ignore fields not recognized by the server. 2020-05-08 11:52:30 -07:00
David Cowden
bdadea8a37 acme: go fmt 2020-05-07 09:27:16 -07:00
David Cowden
9af4dd3692 acme: Retry challenge validation attempts
Section 8.2 of RFC 8555 explains how retries apply to the validation
process. However, much is left up to the implementer.

Add retries every 12 seconds for 2 minutes after a client requests a
validation. The challenge status remains "processing" indefinitely until
a distinct conclusion is reached. This allows a client to continually
re-request a validation by sending a post-get to the challenge resource
until the process fails or succeeds.

Challenges in the processing state include information about why a
validation did not complete in the error field. The server also includes
a Retry-After header to help clients and servers coordinate.

Retries are inherently stateful because they're part of the public API.
When running step-ca in a highly available setup with replicas, care
must be taken to maintain a persistent identifier for each instance
"slot". In kubernetes, this implies a *stateful set*.
2020-05-06 07:39:13 -07:00
David Cowden
5e6a020da5 acme/authority: Add space around *
Makes the line more readable.
2020-04-30 04:44:36 -07:00
David Cowden
f56c449ea4 handler_test: Add BackoffChallenge
The mock acme authority needs to in order to conform to the updated acme
authority interface.
2020-04-30 04:44:08 -07:00
David Cowden
8fb558da10 handler_test: Remove unused field "Backoffs" 2020-04-30 04:44:08 -07:00
Wesley Graham
8d4356733e Implement standard backoff strategy 2020-04-30 04:44:08 -07:00
Wesley Graham
f9779d0bed Polish retry conditions 2020-04-30 04:44:08 -07:00
Wesley Graham
66b2c4b1a4 Add automated challenge retries, RFC 8555 2020-04-30 04:44:08 -07:00
Wesley Graham
40d7c42e33 Implement acme RFC 8555, challenge retries 2020-04-30 04:44:08 -07:00
Ivan Bertona
cb46a8b741 Small test fixes. 2020-02-11 09:57:28 -05:00
Ivan Bertona
10bc548c6e Remove leftover file. 2020-02-10 14:58:16 -05:00
Ivan Bertona
200cfd2433 Add test for missing TLS certificates in response. 2020-02-10 14:50:13 -05:00
Ivan Bertona
157686e338 Tiny finishes. 2020-02-07 19:57:29 -05:00
Ivan Bertona
6843408d42 Reject obsolete id-pe-acmeIdentifier. 2020-02-07 19:26:18 -05:00
Ivan Bertona
6b5a2b17b5 Add challenge unmarshal test cases. 2020-02-07 15:25:27 -05:00
Ivan Bertona
b8208ec401 Add test case for failed came-tls/1 protocol negotiation. 2020-02-07 15:14:08 -05:00
Ivan Bertona
4b473732d9 Add support for TLS-ALPN-01 challenge. 2020-02-07 14:37:13 -05:00
max furman
c255274572 Should be returning status code 400 for ACME Account Not Found.
Issue #173
2020-02-01 17:35:41 -08:00
Mariano Cano
0a890a5c16 Add the commonName as a DNSName to match RFC.
Normalize names and remove the use of reflection.
2020-01-28 15:34:01 -08:00
max furman
432ed0090f Use _'s in table names. 2020-01-28 13:29:40 -08:00
max furman
967e86a48b Simplify trimming *. prefix of domain in acme dns validation. 2019-12-20 13:32:44 -08:00
Oleksandr Kovalchuk
ec8ff0bced
Add testcase which ensures we pass correct domain to lookupTxt
Make sure we do not pass domains with asterisk (wildcard) in the middle,
like _acme-challenge.*.example.com to lookupTxt function, but preprocess
domain and remove leading wildcard so we lookup for
_acme-challenge.example.com.
2019-12-20 22:54:41 +02:00