Allow to specify the TSIG algorithm for RFC2136 DNS-01 authentication.
Add a new environment variable RFC2136_TSIG_ALGORITHM that accepts the TSIG algorithm pseudo-domain name. Let it default to "hmac-md5.sig-alg.reg.int." if unset.
parent
f18ec353f1
commit
b3d25a9a61
3 changed files with 21 additions and 14 deletions
|
@ -2,30 +2,36 @@ package acme
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"github.com/miekg/dns"
|
||||
"time"
|
||||
|
||||
"github.com/miekg/dns"
|
||||
)
|
||||
|
||||
// DNSProviderRFC2136 is an implementation of the ChallengeProvider interface that
|
||||
// uses dynamic DNS updates (RFC 2136) to create TXT records on a nameserver.
|
||||
type DNSProviderRFC2136 struct {
|
||||
nameserver string
|
||||
zone string
|
||||
tsigKey string
|
||||
tsigSecret string
|
||||
records map[string]string
|
||||
nameserver string
|
||||
zone string
|
||||
tsigAlgorithm string
|
||||
tsigKey string
|
||||
tsigSecret string
|
||||
records map[string]string
|
||||
}
|
||||
|
||||
// NewDNSProviderRFC2136 returns a new DNSProviderRFC2136 instance.
|
||||
// To disable TSIG authentication 'tsigKey' and 'tsigSecret' must be set to the empty string.
|
||||
// To disable TSIG authentication 'tsigAlgorithm, 'tsigKey' and 'tsigSecret' must be set to the empty string.
|
||||
// 'nameserver' must be a network address in the the form "host:port". 'zone' must be the fully
|
||||
// qualified name of the zone.
|
||||
func NewDNSProviderRFC2136(nameserver, zone, tsigKey, tsigSecret string) (*DNSProviderRFC2136, error) {
|
||||
func NewDNSProviderRFC2136(nameserver, zone, tsigAlgorithm, tsigKey, tsigSecret string) (*DNSProviderRFC2136, error) {
|
||||
d := &DNSProviderRFC2136{
|
||||
nameserver: nameserver,
|
||||
zone: zone,
|
||||
records: make(map[string]string),
|
||||
}
|
||||
if tsigAlgorithm == "" {
|
||||
tsigAlgorithm = dns.HmacMD5
|
||||
}
|
||||
d.tsigAlgorithm = tsigAlgorithm
|
||||
if len(tsigKey) > 0 && len(tsigSecret) > 0 {
|
||||
d.tsigKey = tsigKey
|
||||
d.tsigSecret = tsigSecret
|
||||
|
@ -73,7 +79,7 @@ func (r *DNSProviderRFC2136) changeRecord(action, fqdn, value string, ttl int) e
|
|||
c.SingleInflight = true
|
||||
// TSIG authentication / msg signing
|
||||
if len(r.tsigKey) > 0 && len(r.tsigSecret) > 0 {
|
||||
m.SetTsig(dns.Fqdn(r.tsigKey), dns.HmacMD5, 300, time.Now().Unix())
|
||||
m.SetTsig(dns.Fqdn(r.tsigKey), r.tsigAlgorithm, 300, time.Now().Unix())
|
||||
c.TsigSecret = map[string]string{dns.Fqdn(r.tsigKey): r.tsigSecret}
|
||||
}
|
||||
|
||||
|
|
|
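Review bot: NewDNSProviderRFC2136 only handles the empty tsigAlgorithm (mapped to dns.HmacMD5) and stores any other string unchecked, so a value the vendored miekg/dns does not recognise — presumably including a name given without the trailing dot the pseudo-domain form uses, e.g. `hmac-sha256` rather than `hmac-sha256.` — is not rejected until SetTsig/Exchange in changeRecord, where it surfaces as a signing failure far from the misconfiguration; validating and normalising in the constructor fails fast (this adds a `strings` import). Keeping HMAC-MD5 as the default preserves compatibility but it is the weakest option, so the doc comment should say so and point operators at a SHA-2 algorithm. Separately, the rewritten "To disable TSIG" comment is wrong and has an unbalanced quote: the code disables TSIG only when key and secret are both empty (an empty algorithm just selects the default), so `// To disable TSIG authentication 'tsigKey' and 'tsigSecret' must be set to the empty string; an empty 'tsigAlgorithm' selects the default (HMAC-MD5).` Both hunks sit inside functions that continue beyond the hunk.
```go
	if tsigAlgorithm == "" {
		tsigAlgorithm = dns.HmacMD5 // kept for compatibility; prefer an HMAC-SHA2 algorithm
	}
	// Normalise to the lower-case, fully-qualified pseudo-domain form
	// (assumes miekg/dns matches the dotted, lower-cased name — confirm)
	// and reject anything it cannot sign with, so a typo fails here
	// rather than on the first dynamic update.
	tsigAlgorithm = strings.ToLower(dns.Fqdn(tsigAlgorithm))
	switch tsigAlgorithm {
	case dns.HmacMD5, dns.HmacSHA1, dns.HmacSHA256, dns.HmacSHA512:
	default:
		return nil, fmt.Errorf("unsupported TSIG algorithm %q", tsigAlgorithm)
	}
	d.tsigAlgorithm = tsigAlgorithm
	// … unchanged: tsigKey/tsigSecret assignment …
```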
@ -57,7 +57,7 @@ func TestRFC2136ServerSuccess(t *testing.T) {
|
|||
}
|
||||
defer server.Shutdown()
|
||||
|
||||
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, "", "")
|
||||
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, "", "", "")
|
||||
if err != nil {
|
||||
t.Fatalf("Expected NewDNSProviderRFC2136() to return no error but the error was -> %v", err)
|
||||
}
|
||||
|
@ -76,7 +76,7 @@ func TestRFC2136ServerError(t *testing.T) {
|
|||
}
|
||||
defer server.Shutdown()
|
||||
|
||||
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, "", "")
|
||||
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, "", "", "")
|
||||
if err != nil {
|
||||
t.Fatalf("Expected NewDNSProviderRFC2136() to return no error but the error was -> %v", err)
|
||||
}
|
||||
|
@ -97,7 +97,7 @@ func TestRFC2136TsigClient(t *testing.T) {
|
|||
}
|
||||
defer server.Shutdown()
|
||||
|
||||
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, rfc2136TestTsigKey, rfc2136TestTsigSecret)
|
||||
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, "", rfc2136TestTsigKey, rfc2136TestTsigSecret)
|
||||
if err != nil {
|
||||
t.Fatalf("Expected NewDNSProviderRFC2136() to return no error but the error was -> %v", err)
|
||||
}
|
||||
|
@ -135,7 +135,7 @@ func TestRFC2136ValidUpdatePacket(t *testing.T) {
|
|||
t.Fatalf("Error packing expect msg: %v", err)
|
||||
}
|
||||
|
||||
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, "", "")
|
||||
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, "", "", "")
|
||||
if err != nil {
|
||||
t.Fatalf("Expected NewDNSProviderRFC2136() to return no error but the error was -> %v", err)
|
||||
}
|
||||
|
|
|
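Review bot: None of the updated tests exercises a non-default algorithm: every call passes `""` for the new tsigAlgorithm argument, so TestRFC2136TsigClient still signs with HMAC-MD5 and the only new code path covered is the default. Add a variant of TestRFC2136TsigClient that passes `dns.HmacSHA256` and, assuming the test server's TSIG verifier accepts it, asserts the update succeeds, plus a case passing an unrecognised algorithm name and asserting the update is rejected rather than sent unsigned. Each test function continues outside its hunk.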
@ -69,10 +69,11 @@ func setup(c *cli.Context) (*Configuration, *Account, *acme.Client) {
|
|||
case "rfc2136":
|
||||
nameserver := os.Getenv("RFC2136_NAMESERVER")
|
||||
zone := os.Getenv("RFC2136_ZONE")
|
||||
tsigAlgorithm := os.Getenv("RFC2136_TSIG_ALGORITHM")
|
||||
tsigKey := os.Getenv("RFC2136_TSIG_KEY")
|
||||
tsigSecret := os.Getenv("RFC2136_TSIG_SECRET")
|
||||
|
||||
provider, err = acme.NewDNSProviderRFC2136(nameserver, zone, tsigKey, tsigSecret)
|
||||
provider, err = acme.NewDNSProviderRFC2136(nameserver, zone, tsigAlgorithm, tsigKey, tsigSecret)
|
||||
case "manual":
|
||||
provider, err = acme.NewDNSProviderManual()
|
||||
}
|
||||
|
|
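Review bot: RFC2136_TSIG_ALGORITHM is read here, but the diffstat lists only three changed files, so any CLI help or README that enumerates the RFC2136_* variables was not updated; document the accepted values and the HMAC-MD5 default next to RFC2136_TSIG_KEY, e.g. `// RFC2136_TSIG_ALGORITHM: TSIG algorithm pseudo-domain name, defaults to hmac-md5.sig-alg.reg.int.`. Note also that with an algorithm set but key or secret empty, the constructor stores nothing (it only records the pair when both are non-empty) and updates go out unsigned; a warning here, or an error from NewDNSProviderRFC2136, would stop an operator from believing updates are authenticated. setup continues outside the hunk.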