* add issuer certificate to CertificateResource
Also write it out to the file system when running "lego run"
Removed caching of the issuer certificate inside the acme client, since
it didn't appear to be used.
* only append issuerCert to issuedCert in case of success
Effectively a no-op since issuerCert will be nil on error, but it seems
more correct to only do it if fetching the issuer succeeds.
Before read access to `nonces` field in jws structure (in `Nonces` method) was not synchronized and we were still able
to get `slice bounds out of range` panic when trying to "pop" value in `Nonces` method.
The race can be actually observed by running `Nonce` method multiple times in separate goroutines with th precondition is `len(jws.nonces) == 1`.
* Get better dns server defaults if available
if an /etc/resolv.conf file exists, then get the dns servers from there
* fix handwritten code...
* Make discovering system dns servers more testable
Allow specifying path to resolv.conf file to allow testing logic
* add tests
* Log which resolvers we are using
* move log statement for dns resolvers used
Introduces a new command line switch `--must-staple` to `run` and `renew`.
Using this switch will add the must staple TLS extension to the CSR generated by lego and thus also to the generated certificate.
This does not work with user specified CSRs!
Fixes#270
client.RenewCertificate now supports CSRs, and in fact prefers them,
when renewing certificates. In other words, if the certificate was
created via a CSR then using that will be attempted before re-generating
off a new private key.
Also adjusted the API of ObtainCertificateForCSR to be a little
more in line with the original ObtainCertificate function.
This commit also breaks requestCertificate() into two parts, the first of
which generates a CSR, the second of which became requestCertificateForCsr()
which does what the name implies.
Add 2 new functions to acme.Client for registration stuff:
* QueryRegistration: This performs a POST on the client
registration's URI and gets the updated registration info.
* DeleteRegistration: This deletes the registration as currently
configured in the client.
The latter, while a part of the IETF draft, may not be 100%
functional in LE yet, my tests showed that resources were still
available after deletion.
Added a slice of NS to be used when retrying queries. Also used with FindZoneByFqdn()
Adjusted 2 error messages given to better differentiate the returned error string
This patch adds code to only parse the HTTP response body as JSON if the
content-type header advertises the content as JSON. In my case, the
directory server was unavailable: it returned a 503 HTTP response code
with an HTML document, and the only thing lego reported was:
2016/04/04 19:12:56 Could not create client: get directory at 'https://acme-v01.api.letsencrypt.org/directory': invalid character '<' looking for beginning of value
This was caused by trying to parse the document body (HTML) as JSON,
without looking at the content-type header and returning the JSON parse
error.