fix: use token as unique ID. (#1003)

e2e/challenges_test.go

@@ -32,6 +32,7 @@ var load = loader.EnvLoader{
 }
 
 func TestMain(m *testing.M) {
+	os.Setenv("LEGO_E2E_TESTS", "LEGO_E2E_TESTS")
 	os.Exit(load.MainTest(m))
 }
 
@@ -258,10 +259,14 @@ func TestChallengeTLS_Client_Obtain(t *testing.T) {
 	require.NoError(t, err)
 	user.registration = reg
 
+	// https://github.com/letsencrypt/pebble/issues/285
+	privateKeyCSR, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err, "Could not generate test key")
+
 	request := certificate.ObtainRequest{
 		Domains:    []string{"acme.wtf"},
 		Bundle:     true,
-		PrivateKey: privateKey,
+		PrivateKey: privateKeyCSR,
 	}
 	resource, err := client.Certificate.Obtain(request)
 	require.NoError(t, err)

e2e/dnschallenge/dns_challenges_test.go

@@ -103,10 +103,14 @@ func TestChallengeDNS_Client_Obtain(t *testing.T) {
 
 	domains := []string{"*.légo.acme", "légo.acme"}
 
+	// https://github.com/letsencrypt/pebble/issues/285
+	privateKeyCSR, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err, "Could not generate test key")
+
 	request := certificate.ObtainRequest{
 		Domains:    domains,
 		Bundle:     true,
-		PrivateKey: privateKey,
+		PrivateKey: privateKeyCSR,
 	}
 	resource, err := client.Certificate.Obtain(request)
 	require.NoError(t, err)

providers/dns/auroradns/auroradns.go

@@ -127,7 +127,7 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 	}
 
 	d.recordIDsMu.Lock()
-	d.recordIDs[fqdn] = newRecord.ID
+	d.recordIDs[token] = newRecord.ID
 	d.recordIDsMu.Unlock()
 
 	return nil
@@ -138,7 +138,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 	fqdn, _ := dns01.GetRecord(domain, keyAuth)
 
 	d.recordIDsMu.Lock()
-	recordID, ok := d.recordIDs[fqdn]
+	recordID, ok := d.recordIDs[token]
 	d.recordIDsMu.Unlock()
 
 	if !ok {
@@ -163,7 +163,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 	}
 
 	d.recordIDsMu.Lock()
-	delete(d.recordIDs, fqdn)
+	delete(d.recordIDs, token)
 	d.recordIDsMu.Unlock()
 
 	return nil

providers/dns/cloudflare/cloudflare.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"sync"
 	"time"
 
 	cloudflare "github.com/cloudflare/cloudflare-go"
@@ -47,6 +48,9 @@ func NewDefaultConfig() *Config {
 type DNSProvider struct {
 	client *metaClient
 	config *Config
+
+	recordIDs   map[string]string
+	recordIDsMu sync.Mutex
 }
 
 // NewDNSProvider returns a DNSProvider instance configured for Cloudflare.
@@ -140,6 +144,10 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 		return fmt.Errorf("cloudflare: failed to create TXT record: %+v %+v", response.Errors, response.Messages)
 	}
 
+	d.recordIDsMu.Lock()
+	d.recordIDs[token] = response.Result.ID
+	d.recordIDsMu.Unlock()
+
 	log.Infof("cloudflare: new record for %s, ID %s", domain, response.Result.ID)
 
 	return nil
@@ -159,22 +167,23 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 		return fmt.Errorf("cloudflare: failed to find zone %s: %v", authZone, err)
 	}
 
-	dnsRecord := cloudflare.DNSRecord{
+	// get the record's unique ID from when we created it
-		Type: "TXT",
+	d.recordIDsMu.Lock()
-		Name: dns01.UnFqdn(fqdn),
+	recordID, ok := d.recordIDs[token]
+	d.recordIDsMu.Unlock()
+	if !ok {
+		return fmt.Errorf("cloudflare: unknown record ID for '%s'", fqdn)
 	}
 
-	records, err := d.client.DNSRecords(zoneID, dnsRecord)
+	err = d.client.DeleteDNSRecord(zoneID, recordID)
-	if err != nil {
-		return fmt.Errorf("cloudflare: failed to find TXT records: %v", err)
-	}
-
-	for _, record := range records {
-		err = d.client.DeleteDNSRecord(zoneID, record.ID)
 	if err != nil {
 		log.Printf("cloudflare: failed to delete TXT record: %v", err)
 	}
-	}
+
+	// Delete record ID from map
+	d.recordIDsMu.Lock()
+	delete(d.recordIDs, token)
+	d.recordIDsMu.Unlock()
 
 	return nil
 }

providers/dns/digitalocean/digitalocean.go

@@ -94,7 +94,7 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 	}
 
 	d.recordIDsMu.Lock()
-	d.recordIDs[fqdn] = respData.DomainRecord.ID
+	d.recordIDs[token] = respData.DomainRecord.ID
 	d.recordIDsMu.Unlock()
 
 	return nil
@@ -111,7 +111,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 
 	// get the record's unique ID from when we created it
 	d.recordIDsMu.Lock()
-	recordID, ok := d.recordIDs[fqdn]
+	recordID, ok := d.recordIDs[token]
 	d.recordIDsMu.Unlock()
 	if !ok {
 		return fmt.Errorf("digitalocean: unknown record ID for '%s'", fqdn)
@@ -124,7 +124,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 
 	// Delete record ID from map
 	d.recordIDsMu.Lock()
-	delete(d.recordIDs, fqdn)
+	delete(d.recordIDs, token)
 	d.recordIDsMu.Unlock()
 
 	return nil

providers/dns/digitalocean/digitalocean_test.go

@@ -163,9 +163,9 @@ func TestDNSProvider_CleanUp(t *testing.T) {
 	})
 
 	provider.recordIDsMu.Lock()
-	provider.recordIDs["_acme-challenge.example.com."] = 1234567
+	provider.recordIDs["token"] = 1234567
 	provider.recordIDsMu.Unlock()
 
-	err := provider.CleanUp("example.com", "", "")
+	err := provider.CleanUp("example.com", "token", "")
 	require.NoError(t, err, "fail to remove TXT record")
 }

providers/dns/ovh/ovh.go

@@ -141,7 +141,7 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 	}
 
 	d.recordIDsMu.Lock()
-	d.recordIDs[fqdn] = respData.ID
+	d.recordIDs[token] = respData.ID
 	d.recordIDsMu.Unlock()
 
 	return nil
@@ -153,7 +153,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 
 	// get the record's unique ID from when we created it
 	d.recordIDsMu.Lock()
-	recordID, ok := d.recordIDs[fqdn]
+	recordID, ok := d.recordIDs[token]
 	d.recordIDsMu.Unlock()
 	if !ok {
 		return fmt.Errorf("ovh: unknown record ID for '%s'", fqdn)
@@ -182,7 +182,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 
 	// Delete record ID from map
 	d.recordIDsMu.Lock()
-	delete(d.recordIDs, fqdn)
+	delete(d.recordIDs, token)
 	d.recordIDsMu.Unlock()
 
 	return nil