forked from TrueCloudLab/lego
Allow specifying the TSIG algorithm for RFC2136 DNS-01 authentication.
Add a new environment variable RFC2136_TSIG_ALGORITHM that accepts the TSIG algorithm pseudo-domain name. Let it default to "hmac-md5.sig-alg.reg.int." if unset.
This commit is contained in:
parent
f18ec353f1
commit
b3d25a9a61
3 changed files with 21 additions and 14 deletions
|
@ -2,30 +2,36 @@ package acme
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"github.com/miekg/dns"
|
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/miekg/dns"
|
||||||
)
|
)
|
||||||
|
|
||||||
// DNSProviderRFC2136 is an implementation of the ChallengeProvider interface that
|
// DNSProviderRFC2136 is an implementation of the ChallengeProvider interface that
|
||||||
// uses dynamic DNS updates (RFC 2136) to create TXT records on a nameserver.
|
// uses dynamic DNS updates (RFC 2136) to create TXT records on a nameserver.
|
||||||
type DNSProviderRFC2136 struct {
|
type DNSProviderRFC2136 struct {
|
||||||
nameserver string
|
nameserver string
|
||||||
zone string
|
zone string
|
||||||
tsigKey string
|
tsigAlgorithm string
|
||||||
tsigSecret string
|
tsigKey string
|
||||||
records map[string]string
|
tsigSecret string
|
||||||
|
records map[string]string
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewDNSProviderRFC2136 returns a new DNSProviderRFC2136 instance.
|
// NewDNSProviderRFC2136 returns a new DNSProviderRFC2136 instance.
|
||||||
// To disable TSIG authentication 'tsigKey' and 'tsigSecret' must be set to the empty string.
|
// To disable TSIG authentication 'tsigAlgorithm, 'tsigKey' and 'tsigSecret' must be set to the empty string.
|
||||||
// 'nameserver' must be a network address in the the form "host:port". 'zone' must be the fully
|
// 'nameserver' must be a network address in the the form "host:port". 'zone' must be the fully
|
||||||
// qualified name of the zone.
|
// qualified name of the zone.
|
||||||
func NewDNSProviderRFC2136(nameserver, zone, tsigKey, tsigSecret string) (*DNSProviderRFC2136, error) {
|
func NewDNSProviderRFC2136(nameserver, zone, tsigAlgorithm, tsigKey, tsigSecret string) (*DNSProviderRFC2136, error) {
|
||||||
d := &DNSProviderRFC2136{
|
d := &DNSProviderRFC2136{
|
||||||
nameserver: nameserver,
|
nameserver: nameserver,
|
||||||
zone: zone,
|
zone: zone,
|
||||||
records: make(map[string]string),
|
records: make(map[string]string),
|
||||||
}
|
}
|
||||||
|
if tsigAlgorithm == "" {
|
||||||
|
tsigAlgorithm = dns.HmacMD5
|
||||||
|
}
|
||||||
|
d.tsigAlgorithm = tsigAlgorithm
|
||||||
if len(tsigKey) > 0 && len(tsigSecret) > 0 {
|
if len(tsigKey) > 0 && len(tsigSecret) > 0 {
|
||||||
d.tsigKey = tsigKey
|
d.tsigKey = tsigKey
|
||||||
d.tsigSecret = tsigSecret
|
d.tsigSecret = tsigSecret
|
||||||
|
@ -73,7 +79,7 @@ func (r *DNSProviderRFC2136) changeRecord(action, fqdn, value string, ttl int) e
|
||||||
c.SingleInflight = true
|
c.SingleInflight = true
|
||||||
// TSIG authentication / msg signing
|
// TSIG authentication / msg signing
|
||||||
if len(r.tsigKey) > 0 && len(r.tsigSecret) > 0 {
|
if len(r.tsigKey) > 0 && len(r.tsigSecret) > 0 {
|
||||||
m.SetTsig(dns.Fqdn(r.tsigKey), dns.HmacMD5, 300, time.Now().Unix())
|
m.SetTsig(dns.Fqdn(r.tsigKey), r.tsigAlgorithm, 300, time.Now().Unix())
|
||||||
c.TsigSecret = map[string]string{dns.Fqdn(r.tsigKey): r.tsigSecret}
|
c.TsigSecret = map[string]string{dns.Fqdn(r.tsigKey): r.tsigSecret}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
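Review bot: In NewDNSProviderRFC2136 the algorithm string is stored as given, so a value such as `hmac-sha256` without the trailing dot, or an unsupported name, is (as far as I can tell from miekg/dns) only rejected when changeRecord's signed message is sent, i.e. on the first challenge rather than at construction; storing it as `d.tsigAlgorithm = dns.Fqdn(tsigAlgorithm)` would match how the key name is treated (`dns.Fqdn(r.tsigKey)` in the second hunk), and an explicit check against the algorithms the client supports would surface a misconfiguration at startup. The rewritten doc comment `'tsigAlgorithm, 'tsigKey' and 'tsigSecret' must be set to the empty string` has an unbalanced quote and overstates what disables TSIG: only tsigKey and tsigSecret gate the `if len(tsigKey) > 0 && len(tsigSecret) > 0` branch, while an empty tsigAlgorithm merely selects the default, so something like `// To disable TSIG authentication 'tsigKey' and 'tsigSecret' must be set to the empty string; an empty 'tsigAlgorithm' selects HMAC-MD5.` describes the code. Because that default is the legacy algorithm (RFC 8945 makes HMAC-SHA256 the mandatory one), naming it in the comment lets operators opt into a stronger algorithm deliberately. NewDNSProviderRFC2136's body continues past the end of the first hunk.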
@ -57,7 +57,7 @@ func TestRFC2136ServerSuccess(t *testing.T) {
|
||||||
}
|
}
|
||||||
defer server.Shutdown()
|
defer server.Shutdown()
|
||||||
|
|
||||||
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, "", "")
|
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, "", "", "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("Expected NewDNSProviderRFC2136() to return no error but the error was -> %v", err)
|
t.Fatalf("Expected NewDNSProviderRFC2136() to return no error but the error was -> %v", err)
|
||||||
}
|
}
|
||||||
|
@ -76,7 +76,7 @@ func TestRFC2136ServerError(t *testing.T) {
|
||||||
}
|
}
|
||||||
defer server.Shutdown()
|
defer server.Shutdown()
|
||||||
|
|
||||||
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, "", "")
|
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, "", "", "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("Expected NewDNSProviderRFC2136() to return no error but the error was -> %v", err)
|
t.Fatalf("Expected NewDNSProviderRFC2136() to return no error but the error was -> %v", err)
|
||||||
}
|
}
|
||||||
|
@ -97,7 +97,7 @@ func TestRFC2136TsigClient(t *testing.T) {
|
||||||
}
|
}
|
||||||
defer server.Shutdown()
|
defer server.Shutdown()
|
||||||
|
|
||||||
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, rfc2136TestTsigKey, rfc2136TestTsigSecret)
|
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, "", rfc2136TestTsigKey, rfc2136TestTsigSecret)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("Expected NewDNSProviderRFC2136() to return no error but the error was -> %v", err)
|
t.Fatalf("Expected NewDNSProviderRFC2136() to return no error but the error was -> %v", err)
|
||||||
}
|
}
|
||||||
|
@ -135,7 +135,7 @@ func TestRFC2136ValidUpdatePacket(t *testing.T) {
|
||||||
t.Fatalf("Error packing expect msg: %v", err)
|
t.Fatalf("Error packing expect msg: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, "", "")
|
provider, err := NewDNSProviderRFC2136(addrstr, rfc2136TestZone, "", "", "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("Expected NewDNSProviderRFC2136() to return no error but the error was -> %v", err)
|
t.Fatalf("Expected NewDNSProviderRFC2136() to return no error but the error was -> %v", err)
|
||||||
}
|
}
|
||||||
|
|
|
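Review bot: Every updated call site, including TestRFC2136TsigClient, passes `""` for the new tsigAlgorithm parameter, so the suite only exercises the HMAC-MD5 default and never the path where a caller supplies an algorithm. A second TSIG test that passes a non-default name such as `dns.HmacSHA256` to NewDNSProviderRFC2136 and verifies the update is accepted by the test server would cover the feature this commit adds, and a case with a malformed name would pin down whether the failure is reported at construction or at send time. The test bodies continue outside the hunks shown.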
@ -69,10 +69,11 @@ func setup(c *cli.Context) (*Configuration, *Account, *acme.Client) {
|
||||||
case "rfc2136":
|
case "rfc2136":
|
||||||
nameserver := os.Getenv("RFC2136_NAMESERVER")
|
nameserver := os.Getenv("RFC2136_NAMESERVER")
|
||||||
zone := os.Getenv("RFC2136_ZONE")
|
zone := os.Getenv("RFC2136_ZONE")
|
||||||
|
tsigAlgorithm := os.Getenv("RFC2136_TSIG_ALGORITHM")
|
||||||
tsigKey := os.Getenv("RFC2136_TSIG_KEY")
|
tsigKey := os.Getenv("RFC2136_TSIG_KEY")
|
||||||
tsigSecret := os.Getenv("RFC2136_TSIG_SECRET")
|
tsigSecret := os.Getenv("RFC2136_TSIG_SECRET")
|
||||||
|
|
||||||
provider, err = acme.NewDNSProviderRFC2136(nameserver, zone, tsigKey, tsigSecret)
|
provider, err = acme.NewDNSProviderRFC2136(nameserver, zone, tsigAlgorithm, tsigKey, tsigSecret)
|
||||||
case "manual":
|
case "manual":
|
||||||
provider, err = acme.NewDNSProviderManual()
|
provider, err = acme.NewDNSProviderManual()
|
||||||
}
|
}
|
||||||
|
|
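Review bot: RFC2136_TSIG_ALGORITHM is read here and forwarded to acme.NewDNSProviderRFC2136, but none of the three changed files is user-facing documentation, so the accepted values and the HMAC-MD5 fallback described in the commit message are visible only in the source; a short comment at the `tsigAlgorithm := os.Getenv("RFC2136_TSIG_ALGORITHM")` line, e.g. `// TSIG algorithm pseudo-domain name (e.g. "hmac-sha256."); empty selects HMAC-MD5.`, plus an entry wherever the other RFC2136_* variables are documented, would close that gap. The enclosing setup function starts before and ends after this hunk.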