Commit graph

227 commits

Author SHA1 Message Date
LukeHandle
20ab8300eb Use zone name when talking to DNS APIs
This should handle multiple zones more efficiently
2016-03-21 00:18:49 +00:00
xenolf
d6fb247c29 Fix typo in dns_challenge 2016-03-19 17:48:50 +01:00
Michael Cross
8aa797f49d Add ChallengeProviderTimeout type to acme package
This type allows for implementing DNS ChallengeProviders that require
an unsually long timeout when checking for record propagation.
2016-03-16 18:17:03 +00:00
Michael Cross
f70a48e28a Improve wording of ChallengeProvider comment 2016-03-15 12:46:48 +00:00
xenolf
98c95e83c9 Add link to account to certificate meta data. 2016-03-14 03:29:29 +01:00
xenolf
3252b0bcb9 Fix WaitFor calls 2016-03-11 04:52:59 +01:00
xenolf
c50baa67cb Move WaitFor into new utils.go and switch timeout and interval to time.Duration. 2016-03-11 03:52:46 +01:00
xenolf
2ae35a755d Rename provider types as provider names are already in the package name. Added package level comments and fixed the name of the interface the providers are importing. 2016-03-11 03:46:09 +01:00
xenolf
9008ec6949 Move functions from dns package back into ACME. 2016-03-11 03:40:28 +01:00
xenolf
b412c67aa6 Move providers out of ACME package. 2016-03-03 01:14:32 +01:00
Pauline Middelink
8b90b1a380 Added testcase for in-valid.co.uk
Camelcased: fqdn2zone to fqdnToZone
Grammatical fix in externally visible error message
2016-02-29 08:46:15 +01:00
Pauline Middelink
4945919c69 - Moved findZone from rfc2136 to dns_challenge.go and renamed to findZoneByFqdn
- Reworked the code in dns_challenge.go to not assume nameserver is
   port-less or defaults to 53. (messes up testing)
- Updated nameserver test to clear the fqdn2zone cache and return a dummy
  SOA RR to make initial findZoneByFqdn call happy.
- Used publicsuffix library to determine if the "authorative" zone we found
  is a public registry, in that case error out. (Also used by boulder btw)
2016-02-28 21:09:05 +01:00
Pauline Middelink
bc5c3b53e1 Merge remote-tracking branch 'upstream/master' into issue-140-multi-zone-certs
Conflicts solved:
	README.md
	cli.go
2016-02-28 15:42:09 +01:00
Pauline Middelink
e772779caf Fix for issue/140:
- Removal of RFC2136_ZONE from help text
 - Query nameserver directly to find zone we have to update
 - During insert, make sure the new record is the ONLY challence.
   (I had a few panics, hence 3 challences left. Not good.)
2016-02-28 01:08:59 +01:00
Pauline Middelink
b5e0b91c05 Merge remote-tracking branch 'upstream/master' 2016-02-27 17:47:25 +01:00
xenolf
fcd05ae397 Merge pull request #130 from xenolf/add-ecc-support
Add EC support
2016-02-27 03:38:12 +01:00
Pauline Middelink
ec18e5ce07 Unneeded assignment 2016-02-26 02:52:13 +01:00
xenolf
da7dd0f7b8 Remove no longer needed crypto function. ACME spec no longer requires this. 2016-02-21 04:31:02 +01:00
xenolf
c9e1d0a482 Remove keyBits from tests, use keyType instead. 2016-02-21 04:22:03 +01:00
xenolf
a61e41c90e Fix typo in the constant for the P384 curve. 2016-02-21 04:18:45 +01:00
xenolf
1f777a0d77 Adapt tests to EC changes 2016-02-21 04:18:45 +01:00
xenolf
0e26bb45ca Add support for EC certificates / account keys 2016-02-21 04:18:45 +01:00
xenolf
f203a8e336 Fix wrong variables being used in DNSimple test. 2016-02-21 04:14:32 +01:00
xenolf
a4d8c0e6b9 Fix a couple of misspelled words and lint errors. 2016-02-15 03:59:43 +01:00
Michael Cross
06b3802346 DNS Challenge: Fix handling of CNAMEs
Prior to this commit, the checkDNSPropagation function was exiting
early if the TXT record could not be found on the recursive
nameserver, and thus the authoritative nameservers were not being
queried until after the record showed up on the recursive nameserver
causing a delay.

This commit changes that behaviour so that the authoritative
nameservers are queried on each execution of checkDNSPropagation when
possible.
2016-02-19 21:44:35 +00:00
xenolf
d17982745f Merge pull request #137 from xi2/fix-TestCheckAuthoritativeNss-failure-report
Fix TestCheckAuthoritativeNss failure report
2016-02-19 18:25:45 +01:00
Michael Cross
fc64f8b99d DNS Challenge: Fix TestCheckAuthoritativeNss failure report 2016-02-19 10:24:39 +00:00
Jan Broer
453a3d6b3f Declare own HTTP client 2016-02-18 20:41:27 +01:00
Jan Broer
93cfae053a Use custom lego user-agent in requests 2016-02-16 18:38:51 +01:00
Jan Broer
d03fb496c0 Refactor CloudFlare provider to have no 3rd party dependencies 2016-02-16 15:50:24 +01:00
xenolf
f1a1e081c8 Merge pull request #127 from xenolf/tweaks
Add go vet to the CI checks, fix vet errors and set default HTTP timeout to 10 seconds.
2016-02-15 00:02:11 +01:00
Matthew Holt
971541dc0a Use http client with timeout of 10s
This will prevent indefinitely-hanging requests in case some service or middle box is malfunctioning.

Fix vet errors and lint warnings

Add vet to CI check

Only get issuer certificate if it would be used

No need to make a GET request if the OCSP server is not specified in leaf certificate

Fix CI tests

Make tests verbose
2016-02-14 14:33:54 -07:00
xenolf
a44384f52f Fix tests for new naming. 2016-02-14 22:07:27 +01:00
xenolf
21de29e902 Take the magic out of defaulting to the Server implementations of HTTP-01 and TLS-SNI-01 2016-02-14 16:57:06 +01:00
xenolf
7475e7f9c2 Move the HTTP-01 and TLS-SNI-01 default solvers to a more unified layout.
Made the solvers exported and added New... functions to them.
2016-02-14 16:56:14 +01:00
xenolf
bf66ac9e17 Resolve issue where the route53 tests would take 30secs to complete.
The default AWS HTTP client retries three times with a deadline of 10 seconds in order to fetch metadata from EC2. Replaced the default HTTP client with one that does not retry and has a low timeout.
2016-02-14 00:55:03 +01:00
Philipp Kern
f00f09f19c Allow to specify RFC2136_NAMESERVER without the port.
Append the default DNS port if the nameserver specification does not
contain any.
2016-02-13 18:46:32 +01:00
Philipp Kern
b3d25a9a61 Allow to specify the TSIG algorithm for RFC2136 DNS-01 authentication.
Add a new environment variable RFC2136_TSIG_ALGORITHM that accepts the
TSIG algorithm pseudo-domain name. Let it default to
"hmac-md5.sig-alg.reg.int." if unset.
2016-02-13 18:46:28 +01:00
xenolf
ba64faa4e1 Merge pull request #116 from janeczku/dns-check
Refactor DNS check
2016-02-11 02:50:28 +01:00
Jan Broer
b594acbc2a Validation domain may be a CNAME or delegated to another NS 2016-02-10 16:56:50 +01:00
Jan Broer
c97b5a52a1 Refactor DNS check
* Gets a list of all authoritative nameservers by looking up the NS RRs for the root domain (zone apex)
* Verifies that the expected TXT record exists on all nameservers before sending off the challenge to ACME server
2016-02-09 05:23:58 +01:00
xenolf
614f5ea7ce Merge pull request #108 from xi2/http01-disable-keepalives
http-01 challenge: disable TCP connection reuse
2016-02-08 02:15:30 +01:00
xenolf
da953623bf Add package comments to make the library and CLI more discoverable on godoc.org
Fixes #106
2016-02-08 01:59:03 +01:00
Michael Cross
9350fb4aef http-01 challenge: disable TCP connection reuse
If TCP connection reuse (KeepAlives) are left on then, in a sequence
of challenges arising from a multiple-domain certficate, challenges
after the 1st can fail due to reusing the now defunct tcp connection
used in the first challenge. This has been observed when using the Go
standard library reverse proxy to forward the challenges to Lego.

Fixes #107
2016-02-07 13:40:47 +00:00
xenolf
e4978657b2 Merge pull request #102 from willglynn/aws_authentication
Add support for additional AWS authentication sources
2016-02-07 14:28:57 +01:00
Chris Moos
7bdc9e26f7 GetOCSPCert should fail if there are no OCSP servers in the cert. 2016-02-06 23:19:32 -07:00
Will Glynn
13e01e1751 Add support for additional AWS authentication sources
AWS client tools commonly support passing credentials via
`AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY`, but supporting only this is
insufficient. For example, access key IDs provided by STS require passing in
`AWS_SECURITY_TOKEN` as a third value, and EC2 instances are often provided
dynamic credentials at runtime via the EC2 metadata service.

This changeset makes `lego` attempt to find credentials in the same way that
the `aws` CLI tool attempts to find credentials. The result is even less
auth code than before because `goamz` provides all this with `aws.GetAuth()`.
2016-02-06 18:38:40 -06:00
Jehiah Czebotar
9dc7fa9d52 httpHead: return error before referencying resp.Body 2016-02-06 15:06:42 -05:00
Jan Broer
bae7428c08 Fixes issues with the Present() method of Route53 provider:
- InvalidTXTRDATA error when creating TXT record (closes #94)
- Present() should poll and wait until the status of the record change becomes INSYNC (thanks @oov)

Adds a retry/timeout utility function to dns_challenge.go that may be used in other places
2016-02-04 00:34:52 +01:00
xenolf
29423c6293 Merge pull request #91 from weppos/log-with-name
Add missing domain name for consistency
2016-01-30 23:58:21 +01:00