feat: take out CNAME support from experimental features (#1718)

This commit is contained in:
Ludovic Fernandez 2022-09-19 11:21:35 +02:00 committed by GitHub
parent 0d7ee5e750
commit af37b94b38
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 60 additions and 26 deletions


@ -125,7 +125,10 @@
text = "(tlsFeatureExtensionOID|ocspMustStapleFeature) is a global variable" text = "(tlsFeatureExtensionOID|ocspMustStapleFeature) is a global variable"
[[issues.exclude-rules]] [[issues.exclude-rules]]
path = "challenge/dns01/nameserver.go" path = "challenge/dns01/nameserver.go"
text = "(defaultNameservers|recursiveNameservers|dnsTimeout|fqdnSoaCache|muFqdnSoaCache) is a global variable" text = "(defaultNameservers|recursiveNameservers|fqdnSoaCache|muFqdnSoaCache) is a global variable"
[[issues.exclude-rules]]
path = "challenge/dns01/nameserver_.+.go"
text = "dnsTimeout is a global variable"
[[issues.exclude-rules]] [[issues.exclude-rules]]
path = "challenge/dns01/nameserver_test.go" path = "challenge/dns01/nameserver_test.go"
text = "findXByFqdnTestCases is a global variable" text = "findXByFqdnTestCases is a global variable"


@ -176,22 +176,33 @@ func GetRecord(domain, keyAuth string) (fqdn, value string) {
keyAuthShaBytes := sha256.Sum256([]byte(keyAuth)) keyAuthShaBytes := sha256.Sum256([]byte(keyAuth))
// base64URL encoding without padding // base64URL encoding without padding
value = base64.RawURLEncoding.EncodeToString(keyAuthShaBytes[:sha256.Size]) value = base64.RawURLEncoding.EncodeToString(keyAuthShaBytes[:sha256.Size])
fqdn = fmt.Sprintf("_acme-challenge.%s.", domain)
if ok, _ := strconv.ParseBool(os.Getenv("LEGO_EXPERIMENTAL_CNAME_SUPPORT")); ok { fqdn = getChallengeFqdn(domain)
return
}
func getChallengeFqdn(domain string) string {
fqdn := fmt.Sprintf("_acme-challenge.%s.", domain)
if ok, _ := strconv.ParseBool(os.Getenv("LEGO_DISABLE_CNAME_SUPPORT")); ok {
return fqdn
}
// recursion counter so it doesn't spin out of control // recursion counter so it doesn't spin out of control
for limit := 0; limit < 50; limit++ { for limit := 0; limit < 50; limit++ {
// Keep following CNAMEs // Keep following CNAMEs
r, err := dnsQuery(fqdn, dns.TypeCNAME, recursiveNameservers, true) r, err := dnsQuery(fqdn, dns.TypeCNAME, recursiveNameservers, true)
// Check if the domain has CNAME then use that // Check if the domain has CNAME then use that
if err == nil && r.Rcode == dns.RcodeSuccess { if err == nil && r.Rcode == dns.RcodeSuccess {
fqdn = updateDomainWithCName(r, fqdn) fqdn = updateDomainWithCName(r, fqdn)
} else { continue
// No more CNAME records to follow, exit
return
}
}
} }
return // No more CNAME records to follow, exit
break
}
return fqdn
} }
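Review bot: The CNAME-following loop in getChallengeFqdn treats every RcodeSuccess reply as progress and `continue`s, so an answer that succeeds but carries no CNAME record (NODATA) presumably leaves fqdn unchanged and the function re-issues the identical query up to 50 times before returning — I can't see updateDomainWithCName here, so this hinges on it returning the input unchanged in that case. Stopping when the name stops changing, `if next := updateDomainWithCName(r, fqdn); next != fqdn { fqdn = next; continue }` followed by `break`, keeps the 50-hop bound as a safety net rather than the normal exit path. Since CNAME following is now on by default with an environment-variable opt-out, getChallengeFqdn deserves a doc comment such as `// getChallengeFqdn returns the _acme-challenge name for domain, following CNAMEs (at most 50 hops) unless LEGO_DISABLE_CNAME_SUPPORT parses as true.` The documentation hunk in this commit only removes the experimental section and does not mention LEGO_DISABLE_CNAME_SUPPORT anywhere visible. GetRecord's body begins outside this hunk.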


@ -13,9 +13,6 @@ import (
const defaultResolvConf = "/etc/resolv.conf" const defaultResolvConf = "/etc/resolv.conf"
// dnsTimeout is used to override the default DNS timeout of 10 seconds.
var dnsTimeout = 10 * time.Second
var ( var (
fqdnSoaCache = map[string]*soaCacheEntry{} fqdnSoaCache = map[string]*soaCacheEntry{}
muFqdnSoaCache sync.Mutex muFqdnSoaCache sync.Mutex


@ -0,0 +1,8 @@
//go:build !windows
package dns01
import "time"
// dnsTimeout is used to override the default DNS timeout of 10 seconds.
var dnsTimeout = 10 * time.Second


@ -0,0 +1,8 @@
//go:build windows
package dns01
import "time"
// dnsTimeout is used to override the default DNS timeout of 20 seconds.
var dnsTimeout = 20 * time.Second
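Review bot: The comment on dnsTimeout in the windows file is the unix comment with the number changed and does not say why Windows gets twice the budget, so whoever tunes this later has no rationale to check. Something like `// dnsTimeout bounds each DNS query. Windows gets a longer budget than other platforms (nameserver_unix.go uses 10s); presumably resolution is slower there — confirm and record the reason.` would carry the intent, or better the actual reason if the PR discussion has one. "used to override the default" is also misleading in both files now that this variable is the default for its platform.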


@ -45,11 +45,6 @@ $ CLOUDFLARE_EMAIL_FILE=/the/path/to/my/email \
lego --dns cloudflare --domains www.example.com --email you@example.com run lego --dns cloudflare --domains www.example.com --email you@example.com run
``` ```
## Experimental Features
To resolve CNAME when creating dns-01 challenge:
set `LEGO_EXPERIMENTAL_CNAME_SUPPORT` to `true`.
## DNS Providers ## DNS Providers
{{% tableofdnsproviders %}} {{% tableofdnsproviders %}}


@ -18,7 +18,7 @@ var (
const ( const (
// Fixed test data for unit tests. // Fixed test data for unit tests.
egDomain = "threeletter.agency" egDomain = "example.com"
egFQDN = "_acme-challenge." + egDomain + "." egFQDN = "_acme-challenge." + egDomain + "."
egKeyAuth = "⚷" egKeyAuth = "⚷"
) )


@ -2,6 +2,7 @@ package versio
import ( import (
"fmt" "fmt"
"io"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"testing" "testing"
@ -231,7 +232,10 @@ func muxSuccess() *http.ServeMux {
}) })
mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
log.Printf("Not Found for Request: (%+v)\n\n", r) log.Printf("unexpected request: %+v\n\n", r)
data, _ := io.ReadAll(r.Body)
defer func() { _ = r.Body.Close() }()
log.Println(string(data))
http.NotFound(w, r) http.NotFound(w, r)
}) })
@ -267,6 +271,14 @@ func muxFailToCreateTXT() *http.ServeMux {
w.WriteHeader(http.StatusBadRequest) w.WriteHeader(http.StatusBadRequest)
}) })
mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
log.Printf("unexpected request: %+v\n\n", r)
data, _ := io.ReadAll(r.Body)
defer func() { _ = r.Body.Close() }()
log.Println(string(data))
http.NotFound(w, r)
})
return mux return mux
} }
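Review bot: The catch-all `/` handler added to muxFailToCreateTXT duplicates the one in muxSuccess line for line, and both discard the io.ReadAll error, so a failed body read is logged as an empty body with no signal that the read itself failed. Extracting a shared handler keeps the two in step and lets the error be reported once; the explicit Close can go, since net/http documents that the Server closes the request body after ServeHTTP returns.
```go
// logUnexpected answers 404 to any request a test did not expect, logging
// the request and its body so the failing expectation is easy to locate.
func logUnexpected(w http.ResponseWriter, r *http.Request) {
	log.Printf("unexpected request: %+v\n\n", r)
	data, err := io.ReadAll(r.Body)
	if err != nil {
		log.Printf("reading unexpected request body: %v", err)
	}
	log.Println(string(data))
	http.NotFound(w, r)
}

// … unchanged: other routes in muxSuccess / muxFailToCreateTXT …
mux.HandleFunc("/", logUnexpected)
```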