Commit graph

920 commits

Author SHA1 Message Date
xenolf
416a63120e Introduce --agree-tos switch. Fixes #128 2016-02-15 03:51:59 +01:00
xenolf
9fef872cac Merge pull request #138 from xi2/improve-cli-error-messages
CLI: Give helpful error message if --http/--tls is given without colon
2016-02-20 01:43:04 +01:00
Michael Cross
c3abd54dc7 CLI: Give helpful error message if --http/--tls is given without colon
Fixes #134
2016-02-20 00:35:47 +00:00
xenolf
7dcfb4a92b Merge pull request #136 from xi2/fix-handling-of-cnames
DNS Challenge: Fix handling of CNAMEs
2016-02-20 01:24:12 +01:00
Michael Cross
06b3802346 DNS Challenge: Fix handling of CNAMEs
Prior to this commit, the checkDNSPropagation function was exiting
early if the TXT record could not be found on the recursive
nameserver, and thus the authoritative nameservers were not being
queried until after the record showed up on the recursive nameserver
causing a delay.

This commit changes that behaviour so that the authoritative
nameservers are queried on each execution of checkDNSPropagation when
possible.
2016-02-19 21:44:35 +00:00
xenolf
d17982745f Merge pull request #137 from xi2/fix-TestCheckAuthoritativeNss-failure-report
Fix TestCheckAuthoritativeNss failure report
2016-02-19 18:25:45 +01:00
xenolf
dea896da28 Merge pull request #132 from janeczku/cloudflare-newlib
Refactor CloudFlare DNS provider to have no 3rd party dependencies
2016-02-19 18:18:51 +01:00
Michael Cross
fc64f8b99d DNS Challenge: Fix TestCheckAuthoritativeNss failure report 2016-02-19 10:24:39 +00:00
Jan Broer
453a3d6b3f Declare own HTTP client 2016-02-18 20:41:27 +01:00
Jan Broer
93cfae053a Use custom lego user-agent in requests 2016-02-16 18:38:51 +01:00
Jan Broer
d03fb496c0 Refactor CloudFlare provider to have no 3rd party dependencies 2016-02-16 15:50:24 +01:00
xenolf
9900bf675a Merge pull request #131 from xi2/master
Fix small typos in error messages
2016-02-15 18:00:06 +01:00
Michael Cross
78c36ef846 Fix small typos in error messages 2016-02-15 14:18:31 +00:00
xenolf
f1a1e081c8 Merge pull request #127 from xenolf/tweaks
Add go vet to the CI checks, fix vet errors and set default HTTP timeout to 10 seconds.
2016-02-15 00:02:11 +01:00
Matthew Holt
971541dc0a Use http client with timeout of 10s
This will prevent indefinitely-hanging requests in case some service or middle box is malfunctioning.

Fix vet errors and lint warnings

Add vet to CI check

Only get issuer certificate if it would be used

No need to make a GET request if the OCSP server is not specified in leaf certificate

Fix CI tests

Make tests verbose
2016-02-14 14:33:54 -07:00
xenolf
a44384f52f Fix tests for new naming. 2016-02-14 22:07:27 +01:00
xenolf
21de29e902 Take the magic out of defaulting to the Server implementations of HTTP-01 and TLS-SNI-01 2016-02-14 16:57:06 +01:00
xenolf
7475e7f9c2 Move the HTTP-01 and TLS-SNI-01 default solvers to a more unified layout.
Made the solvers exported and added New... functions to them.
2016-02-14 16:56:14 +01:00
xenolf
00f13f2da0 Merge pull request #123 from willglynn/dns_provider_implies_dns_challenge
--dns=foo means we specifically intend to fulfill a DNS challenge
2016-02-14 02:01:21 +01:00
Will Glynn
3bceed427a Make the --dns help message more explicit about disabling challenges 2016-02-13 18:42:47 -06:00
Will Glynn
030ba6877a Document that --dns=provider specifically selects the DNS challenge 2016-02-13 18:31:04 -06:00
Will Glynn
fdc05d2942 --dns=foo means we specifically intend to fulfill a DNS challenge 2016-02-13 18:24:52 -06:00
xenolf
48cf387dd5 Run tests with multiple versions of go. 2016-02-14 01:03:40 +01:00
xenolf
bf66ac9e17 Resolve issue where the route53 tests would take 30secs to complete.
The default AWS HTTP client retries three times with a deadline of 10 seconds in order to fetch metadata from EC2. Replaced the default HTTP client with one that does not retry and has a low timeout.
2016-02-14 00:55:03 +01:00
xenolf
01ac49f59a Merge pull request #101 from pkern/master
Allow to customize the TSIG algorithm and allow to omit the DNS port
2016-02-14 00:08:38 +01:00
Philipp Kern
f00f09f19c Allow to specify RFC2136_NAMESERVER without the port.
Append the default DNS port if the nameserver specification does not
contain any.
2016-02-13 18:46:32 +01:00
Philipp Kern
b3d25a9a61 Allow to specify the TSIG algorithm for RFC2136 DNS-01 authentication.
Add a new environment variable RFC2136_TSIG_ALGORITHM that accepts the
TSIG algorithm pseudo-domain name. Let it default to
"hmac-md5.sig-alg.reg.int." if unset.
2016-02-13 18:46:28 +01:00
xenolf
f18ec353f1 Add CONTRIBUTING.md 2016-02-12 18:42:43 +01:00
xenolf
ba64faa4e1 Merge pull request #116 from janeczku/dns-check
Refactor DNS check
2016-02-11 02:50:28 +01:00
Adrien Carbonne
8850ac8bba Minor fix, forgot package name 2016-02-10 17:00:20 +01:00
Jan Broer
b594acbc2a Validation domain may be a CNAME or delegated to another NS 2016-02-10 16:56:50 +01:00
Adrien Carbonne
9a424abdee Using the standard provider way
Other providers should be used with the SetChallengeProvider function
and should supply a New function. In your case this would be
NewHTTPProviderWebroot taking the path as an argument.
2016-02-10 16:55:10 +01:00
Adrien Carbonne
fdf059fbbd Added a --webroot option for HTTP challenge
When using this option, the challenge will be written in a file in
".well-known/acme-challenge/" inside the given webroot folder.
This allows lego to work without binding any port at all.
2016-02-10 12:19:29 +01:00
Jan Broer
c97b5a52a1 Refactor DNS check
* Gets a list of all authoritative nameservers by looking up the NS RRs for the root domain (zone apex)
* Verifies that the expected TXT record exists on all nameservers before sending off the challenge to ACME server
2016-02-09 05:23:58 +01:00
Matt Holt
0dc1b5b7bf Merge pull request #113 from willglynn/mention_staging_endpoint
Mention the Let's Encrypt staging endpoint in the README
2016-02-08 15:04:02 -07:00
Will Glynn
86ba08bb9e Mention the Let's Encrypt staging endpoint in the README 2016-02-08 15:27:06 -06:00
xenolf
614f5ea7ce Merge pull request #108 from xi2/http01-disable-keepalives
http-01 challenge: disable TCP connection reuse
2016-02-08 02:15:30 +01:00
xenolf
da953623bf Add package comments to make the library and CLI more discoverable on godoc.org
Fixes #106
2016-02-08 01:59:03 +01:00
Michael Cross
9350fb4aef http-01 challenge: disable TCP connection reuse
If TCP connection reuse (KeepAlives) are left on then, in a sequence
of challenges arising from a multiple-domain certficate, challenges
after the 1st can fail due to reusing the now defunct tcp connection
used in the first challenge. This has been observed when using the Go
standard library reverse proxy to forward the challenges to Lego.

Fixes #107
2016-02-07 13:40:47 +00:00
xenolf
e4978657b2 Merge pull request #102 from willglynn/aws_authentication
Add support for additional AWS authentication sources
2016-02-07 14:28:57 +01:00
Matt Holt
4efc9abf53 Merge pull request #104 from chrismoos/fix_ocsp
GetOCSPForCert should fail if there are no OCSP servers in the cert.
2016-02-07 05:43:23 -07:00
Chris Moos
7bdc9e26f7 GetOCSPCert should fail if there are no OCSP servers in the cert. 2016-02-06 23:19:32 -07:00
Matt Holt
1bb7d54178 Merge pull request #103 from willglynn/compact_iam_policy
Compact IAM policy
2016-02-06 18:23:21 -07:00
Will Glynn
fa8214b5b8 Reduce IAM policy to a more compact version
`Sid` is optional and can be omitted for brevity.

Both `route53:ListHostedZones` and `route53:GetChange` are allowed for
`*`, so they can be combined into a single statement.

Actions can be combined onto the same line, since it's equivalent JSON.
2016-02-06 19:06:21 -06:00
Will Glynn
13e01e1751 Add support for additional AWS authentication sources
AWS client tools commonly support passing credentials via
`AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY`, but supporting only this is
insufficient. For example, access key IDs provided by STS require passing in
`AWS_SECURITY_TOKEN` as a third value, and EC2 instances are often provided
dynamic credentials at runtime via the EC2 metadata service.

This changeset makes `lego` attempt to find credentials in the same way that
the `aws` CLI tool attempts to find credentials. The result is even less
auth code than before because `goamz` provides all this with `aws.GetAuth()`.
2016-02-06 18:38:40 -06:00
Matt Holt
1198444908 Merge pull request #99 from jehiah/http_head_error_99
Handle HEAD request errors
2016-02-06 13:20:50 -07:00
Jehiah Czebotar
9dc7fa9d52 httpHead: return error before referencying resp.Body 2016-02-06 15:06:42 -05:00
xenolf
3939b9f20b Merge pull request #98 from jimmycuadra/readme-route53
Add full CLI example and IAM policy for Route 53 to the README.
2016-02-06 20:39:49 +01:00
Jimmy Cuadra
e800e75b59 Add full CLI example and IAM policy for Route 53 to the README. [ci
skip]
2016-02-05 02:44:09 -08:00
xenolf
be4e74d1aa Merge pull request #97 from janeczku/route53-raw-string-literals
Route53 provider fixes
2016-02-05 04:05:25 +01:00