Commit graph

460 commits

Author SHA1 Message Date
xenolf
da7dd0f7b8 Remove no longer needed crypto function. ACME spec no longer requires this. 2016-02-21 04:31:02 +01:00
xenolf
c9e1d0a482 Remove keyBits from tests, use keyType instead. 2016-02-21 04:22:03 +01:00
xenolf
a61e41c90e Fix typo in the constant for the P384 curve. 2016-02-21 04:18:45 +01:00
xenolf
1f777a0d77 Adapt tests to EC changes 2016-02-21 04:18:45 +01:00
xenolf
0e26bb45ca Add support for EC certificates / account keys 2016-02-21 04:18:45 +01:00
xenolf
f203a8e336 Fix wrong variables being used in DNSimple test. 2016-02-21 04:14:32 +01:00
xenolf
a4d8c0e6b9 Fix a couple of misspelled words and lint errors. 2016-02-15 03:59:43 +01:00
Michael Cross
06b3802346 DNS Challenge: Fix handling of CNAMEs
Prior to this commit, the checkDNSPropagation function was exiting
early if the TXT record could not be found on the recursive
nameserver, and thus the authoritative nameservers were not being
queried until after the record showed up on the recursive nameserver
causing a delay.

This commit changes that behaviour so that the authoritative
nameservers are queried on each execution of checkDNSPropagation when
possible.
2016-02-19 21:44:35 +00:00
xenolf
d17982745f Merge pull request #137 from xi2/fix-TestCheckAuthoritativeNss-failure-report
Fix TestCheckAuthoritativeNss failure report
2016-02-19 18:25:45 +01:00
Michael Cross
fc64f8b99d DNS Challenge: Fix TestCheckAuthoritativeNss failure report 2016-02-19 10:24:39 +00:00
Jan Broer
453a3d6b3f Declare own HTTP client 2016-02-18 20:41:27 +01:00
Jan Broer
93cfae053a Use custom lego user-agent in requests 2016-02-16 18:38:51 +01:00
Jan Broer
d03fb496c0 Refactor CloudFlare provider to have no 3rd party dependencies 2016-02-16 15:50:24 +01:00
xenolf
f1a1e081c8 Merge pull request #127 from xenolf/tweaks
Add go vet to the CI checks, fix vet errors and set default HTTP timeout to 10 seconds.
2016-02-15 00:02:11 +01:00
Matthew Holt
971541dc0a Use http client with timeout of 10s
This will prevent indefinitely-hanging requests in case some service or middle box is malfunctioning.

Fix vet errors and lint warnings

Add vet to CI check

Only get issuer certificate if it would be used

No need to make a GET request if the OCSP server is not specified in leaf certificate

Fix CI tests

Make tests verbose
2016-02-14 14:33:54 -07:00
xenolf
a44384f52f Fix tests for new naming. 2016-02-14 22:07:27 +01:00
xenolf
21de29e902 Take the magic out of defaulting to the Server implementations of HTTP-01 and TLS-SNI-01 2016-02-14 16:57:06 +01:00
xenolf
7475e7f9c2 Move the HTTP-01 and TLS-SNI-01 default solvers to a more unified layout.
Made the solvers exported and added New... functions to them.
2016-02-14 16:56:14 +01:00
xenolf
bf66ac9e17 Resolve issue where the route53 tests would take 30secs to complete.
The default AWS HTTP client retries three times with a deadline of 10 seconds in order to fetch metadata from EC2. Replaced the default HTTP client with one that does not retry and has a low timeout.
2016-02-14 00:55:03 +01:00
Philipp Kern
f00f09f19c Allow to specify RFC2136_NAMESERVER without the port.
Append the default DNS port if the nameserver specification does not
contain any.
2016-02-13 18:46:32 +01:00
Philipp Kern
b3d25a9a61 Allow to specify the TSIG algorithm for RFC2136 DNS-01 authentication.
Add a new environment variable RFC2136_TSIG_ALGORITHM that accepts the
TSIG algorithm pseudo-domain name. Let it default to
"hmac-md5.sig-alg.reg.int." if unset.
2016-02-13 18:46:28 +01:00
xenolf
ba64faa4e1 Merge pull request #116 from janeczku/dns-check
Refactor DNS check
2016-02-11 02:50:28 +01:00
Jan Broer
b594acbc2a Validation domain may be a CNAME or delegated to another NS 2016-02-10 16:56:50 +01:00
Jan Broer
c97b5a52a1 Refactor DNS check
* Gets a list of all authoritative nameservers by looking up the NS RRs for the root domain (zone apex)
* Verifies that the expected TXT record exists on all nameservers before sending off the challenge to ACME server
2016-02-09 05:23:58 +01:00
xenolf
614f5ea7ce Merge pull request #108 from xi2/http01-disable-keepalives
http-01 challenge: disable TCP connection reuse
2016-02-08 02:15:30 +01:00
xenolf
da953623bf Add package comments to make the library and CLI more discoverable on godoc.org
Fixes #106
2016-02-08 01:59:03 +01:00
Michael Cross
9350fb4aef http-01 challenge: disable TCP connection reuse
If TCP connection reuse (KeepAlives) are left on then, in a sequence
of challenges arising from a multiple-domain certficate, challenges
after the 1st can fail due to reusing the now defunct tcp connection
used in the first challenge. This has been observed when using the Go
standard library reverse proxy to forward the challenges to Lego.

Fixes #107
2016-02-07 13:40:47 +00:00
xenolf
e4978657b2 Merge pull request #102 from willglynn/aws_authentication
Add support for additional AWS authentication sources
2016-02-07 14:28:57 +01:00
Chris Moos
7bdc9e26f7 GetOCSPCert should fail if there are no OCSP servers in the cert. 2016-02-06 23:19:32 -07:00
Will Glynn
13e01e1751 Add support for additional AWS authentication sources
AWS client tools commonly support passing credentials via
`AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY`, but supporting only this is
insufficient. For example, access key IDs provided by STS require passing in
`AWS_SECURITY_TOKEN` as a third value, and EC2 instances are often provided
dynamic credentials at runtime via the EC2 metadata service.

This changeset makes `lego` attempt to find credentials in the same way that
the `aws` CLI tool attempts to find credentials. The result is even less
auth code than before because `goamz` provides all this with `aws.GetAuth()`.
2016-02-06 18:38:40 -06:00
Jehiah Czebotar
9dc7fa9d52 httpHead: return error before referencying resp.Body 2016-02-06 15:06:42 -05:00
Jan Broer
bae7428c08 Fixes issues with the Present() method of Route53 provider:
- InvalidTXTRDATA error when creating TXT record (closes #94)
- Present() should poll and wait until the status of the record change becomes INSYNC (thanks @oov)

Adds a retry/timeout utility function to dns_challenge.go that may be used in other places
2016-02-04 00:34:52 +01:00
xenolf
29423c6293 Merge pull request #91 from weppos/log-with-name
Add missing domain name for consistency
2016-01-30 23:58:21 +01:00
xenolf
1ab8907f82 Merge pull request #90 from weppos/dnsimple-subdomain
Fix bugs with subdomains
2016-01-30 23:57:27 +01:00
Simone Carletti
ae7184b339 Add missing domain name for consistency
Before the change:

    2016/01/30 00:23:37 [INFO][simonecarletti.com, foo1.simonecarletti.com, foo2.simonecarletti.com, foo3.simonecarletti.com] acme: Obtaining bundled SAN certificate
    2016/01/30 00:23:38 [INFO][simonecarletti.com] acme: Could not find solver for: tls-sni-01
    2016/01/30 00:23:38 [INFO] acme: Trying to solve DNS-01
    2016/01/30 00:23:42 [INFO][simonecarletti.com] The server validated our request
    2016/01/30 00:23:44 [INFO] acme: Trying to solve DNS-01
    2016/01/30 00:23:47 [INFO][foo1.simonecarletti.com] The server validated our request
    2016/01/30 00:23:49 [INFO][foo2.simonecarletti.com] acme: Could not find solver for: tls-sni-01
    2016/01/30 00:23:49 [INFO][foo2.simonecarletti.com] acme: Could not find solver for: http-01
    2016/01/30 00:23:49 [INFO] acme: Trying to solve DNS-01
    2016/01/30 00:23:53 [INFO][foo3.simonecarletti.com] acme: Could not find solver for: http-01
    2016/01/30 00:23:53 [INFO] acme: Trying to solve DNS-01
    2016/01/30 00:23:56 [INFO][foo3.simonecarletti.com] The server validated our request

After the change:

    2016/01/30 00:27:58 [INFO][simonecarletti.com, foo1.simonecarletti.com, foo2.simonecarletti.com, foo3.simonecarletti.com] acme: Obtaining bundled SAN certificate
    2016/01/30 00:27:59 [INFO][simonecarletti.com] acme: Could not find solver for: http-01
    2016/01/30 00:27:59 [INFO][simonecarletti.com] acme: Trying to solve DNS-01
    2016/01/30 00:28:12 [INFO][simonecarletti.com] The server validated our request
    2016/01/30 00:28:14 [INFO][foo1.simonecarletti.com] acme: Could not find solver for: http-01
    2016/01/30 00:28:14 [INFO][foo1.simonecarletti.com] acme: Trying to solve DNS-01
    2016/01/30 00:28:19 [INFO][foo2.simonecarletti.com] acme: Could not find solver for: http-01
    2016/01/30 00:28:19 [INFO][foo2.simonecarletti.com] acme: Could not find solver for: tls-sni-01
    2016/01/30 00:28:19 [INFO][foo2.simonecarletti.com] acme: Trying to solve DNS-01
    2016/01/30 00:28:22 [INFO][foo1.simonecarletti.com] The server validated our request
2016-01-30 22:17:41 +01:00
Simone Carletti
2e32f171d2 DNSimpleProvider: Fix wrong record deletion
This is a very subtle bug. In some specific circumstances, when the
list of domains in the SAN was > 1, the library may delete the wrong
record (specifically the last one) instead of the matching one.

The issue is explained here
https://groups.google.com/forum/#!topic/golang-nuts/tlWzJUWJKgA

Here's the output from one of the various tests

    ➜  lego git:(dnsimple-subdomain) ✗ DNSIMPLE_DOMAIN=simone.io go test -v ./... --run "TestLiveDNSimpleCleanUp"
    ?       github.com/xenolf/lego    [no test files]
    === RUN   TestLiveDNSimpleCleanUp
    2016/01/30 01:10:45 Empty records:
    2016/01/30 01:10:45 0
    2016/01/30 01:10:46 Fetched records:
    2016/01/30 01:10:46 [{5326536 41571  v=spf1 a include:_spf.google.com ~all 3600 0 TXT 2016-01-26 12:53:42.85 +0000 UTC 2016-01-26 12:53:42.85 +0000 UTC} {5026157 41571 google-site-verification=obstZAG6j2BVxYg696WxAsC46_d1-bzkv7D0qGm4K_0 3600 0 TXT 2015-10-19 11:21:03.586 +0000 UTC 2015-10-19 11:21:03.586 +0000 UTC} {5340655 41571 _acme-challenge ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-29 23:52:15.657 +0000 UTC 2016-01-29 23:52:15.657 +0000 UTC} {5340677 41571 _acme-challenge.www1 ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-30 00:03:19.89 +0000 UTC 2016-01-30 00:03:19.89 +0000 UTC}]
    2016/01/30 01:10:46 Record name:
    2016/01/30 01:10:46 _acme-challenge
    2016/01/30 01:10:46 {5326536 41571  v=spf1 a include:_spf.google.com ~all 3600 0 TXT 2016-01-26 12:53:42.85 +0000 UTC 2016-01-26 12:53:42.85 +0000 UTC}
    2016/01/30 01:10:46 {5026157 41571 google-site-verification=obstZAG6j2BVxYg696WxAsC46_d1-bzkv7D0qGm4K_0 3600 0 TXT 2015-10-19 11:21:03.586 +0000 UTC 2015-10-19 11:21:03.586 +0000 UTC}
    2016/01/30 01:10:46 {5340655 41571 _acme-challenge ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-29 23:52:15.657 +0000 UTC 2016-01-29 23:52:15.657 +0000 UTC}
    2016/01/30 01:10:46 Deleted>>
    2016/01/30 01:10:46 {5340655 41571 _acme-challenge ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-29 23:52:15.657 +0000 UTC 2016-01-29 23:52:15.657 +0000 UTC}
    2016/01/30 01:10:46 >>Deleted
    2016/01/30 01:10:46 {5340677 41571 _acme-challenge.www1 ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-30 00:03:19.89 +0000 UTC 2016-01-30 00:03:19.89 +0000 UTC}
    2016/01/30 01:10:46 Record to delete:
    2016/01/30 01:10:46 1
    2016/01/30 01:10:46 {5340677 41571 _acme-challenge.www1 ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-30 00:03:19.89 +0000 UTC 2016-01-30 00:03:19.89 +0000 UTC}
    2016/01/30 01:10:46 Record to delete (foos):
    2016/01/30 01:10:46 [{5340655 41571 _acme-challenge ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-29 23:52:15.657 +0000 UTC 2016-01-29 23:52:15.657 +0000 UTC}]
    2016/01/30 01:10:46 Found records to delete:
    2016/01/30 01:10:46 1
    2016/01/30 01:10:46 [0xc8203be240]
    2016/01/30 01:10:46 &{5340677 41571 _acme-challenge.www1 ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-30 00:03:19.89 +0000 UTC 2016-01-30 00:03:19.89 +0000 UTC}
    --- PASS: TestLiveDNSimpleCleanUp (3.10s)
    PASS
    ok      github.com/xenolf/lego/acme    3.121s

The record 5340655 was supposed to be deleted, but 5340677 was deleted
instead (notice how the deleted record was always the last one in the
returned record set).

And of course the validation never passed

    ➜  letsencrypt-dnsimple git:(master) go run main.go --user xxx --api-key "xxx" --email "xxx@gmail.com" simone.io,foo1.simone.io,foo2.simone.io,foo3.simone.io
    2016/01/30 00:27:55 .data/users/xxx@gmail.com
    2016/01/30 00:27:55 {xxx@gmail.com <nil> 0xc82009a300}
    2016/01/30 00:27:56 [INFO] acme: Registering account for xxx@gmail.com
    2016/01/30 00:27:57 &{{ 116016 {RSA xxx} [mailto:xxx@gmail.com]   } https://acme-staging.api.letsencrypt.org/acme/reg/116016 https://acme-staging.api.letsencrypt.org/acme/new-authz https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf}
    2016/01/30 00:27:58 [INFO][simone.io, foo1.simone.io, foo2.simone.io, foo3.simone.io] acme: Obtaining bundled SAN certificate
    2016/01/30 00:27:59 [INFO][simone.io] acme: Could not find solver for: http-01
    2016/01/30 00:27:59 [INFO][simone.io] acme: Trying to solve DNS-01
    2016/01/30 00:28:00 simone.io
    2016/01/30 00:28:00 &{0 0 _acme-challenge Uo7cIEDgw_sCgZhSOML_GU4DkKlgpB6p1Et8lxRVGLI 120 0 TXT <nil> <nil>}
    2016/01/30 00:28:12 [INFO][simone.io] The server validated our request
    2016/01/30 00:28:14 &{5340584 41571 _acme-challenge Uo7cIEDgw_sCgZhSOML_GU4DkKlgpB6p1Et8lxRVGLI 120 0 TXT 2016-01-29 23:28:00.828 +0000 UTC 2016-01-29 23:28:00.828 +0000 UTC}
    2016/01/30 00:28:14 [INFO][foo1.simone.io] acme: Could not find solver for: http-01
    2016/01/30 00:28:14 [INFO][foo1.simone.io] acme: Trying to solve DNS-01
    2016/01/30 00:28:15 simone.io
    2016/01/30 00:28:15 &{0 0 _acme-challenge.foo1 l_HB5ctb2M86FVcgpCaWgURVhCePNY9KIVQ0tsVH2Ew 120 0 TXT <nil> <nil>}
    2016/01/30 00:28:19 &{5340585 41571 _acme-challenge.foo1 l_HB5ctb2M86FVcgpCaWgURVhCePNY9KIVQ0tsVH2Ew 120 0 TXT 2016-01-29 23:28:15.996 +0000 UTC 2016-01-29 23:28:15.996 +0000 UTC}
    2016/01/30 00:28:19 [INFO][foo2.simone.io] acme: Could not find solver for: http-01
    2016/01/30 00:28:19 [INFO][foo2.simone.io] acme: Could not find solver for: tls-sni-01
    2016/01/30 00:28:19 [INFO][foo2.simone.io] acme: Trying to solve DNS-01
    2016/01/30 00:28:20 simone.io
    2016/01/30 00:28:20 &{0 0 _acme-challenge.foo2 rohi66Q0VHSEu0kR3LcGPkFEIftt47xHfeQercf8frU 120 0 TXT <nil> <nil>}
    2016/01/30 00:28:22 [INFO][foo2.simone.io] The server validated our request
    2016/01/30 00:28:23 &{5340586 41571 _acme-challenge.foo2 rohi66Q0VHSEu0kR3LcGPkFEIftt47xHfeQercf8frU 120 0 TXT 2016-01-29 23:28:21.051 +0000 UTC 2016-01-29 23:28:21.051 +0000 UTC}
    2016/01/30 00:28:24 [INFO][foo3.simone.io] acme: Could not find solver for: tls-sni-01
    2016/01/30 00:28:24 [INFO][foo3.simone.io] acme: Could not find solver for: http-01
    2016/01/30 00:28:24 [INFO][foo3.simone.io] acme: Trying to solve DNS-01
    2016/01/30 00:28:25 simone.io
    2016/01/30 00:28:25 &{0 0 _acme-challenge.foo3 gmn1sKV_0gP3BiOT3yZQywZq95akKRGup0IJs1cqdVo 120 0 TXT <nil> <nil>}
    2016/01/30 00:28:27 [INFO][foo3.simone.io] The server validated our request
    2016/01/30 00:28:28 &{5340587 41571 _acme-challenge.foo3 gmn1sKV_0gP3BiOT3yZQywZq95akKRGup0IJs1cqdVo 120 0 TXT 2016-01-29 23:28:25.616 +0000 UTC 2016-01-29 23:28:25.616 +0000 UTC}
    2016/01/30 00:28:28 map[foo1.simone.io:acme: Error 0 - urn:acme:error:connection - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.foo1.simone.io
    Error Detail:
    ]
    exit status 1

This is the result of the latest (successful) run:

    ➜  letsencrypt-dnsimple git:(master) ✗ go run main.go --user xxx --api-key "xxx" --email "xxx@gmail.com" simone.io,yy.simone.io,xx.simone.io
    2016/01/30 21:34:01 .data/users/xxx@gmail.com
    2016/01/30 21:34:01 {xxx@gmail.com <nil> 0xc820070480}
    2016/01/30 21:34:02 [INFO] acme: Registering account for xxx@gmail.com
    2016/01/30 21:34:03 &{{ 116199 {RSA xxx} [mailto:xxx@gmail.com]   } https://acme-staging.api.letsencrypt.org/acme/reg/116199 https://acme-staging.api.letsencrypt.org/acme/new-authz https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf}
    2016/01/30 21:34:03 [INFO][simone.io, yy.simone.io, xx.simone.io] acme: Obtaining bundled SAN certificate
    2016/01/30 21:34:04 [INFO][simone.io] acme: Could not find solver for: tls-sni-01
    2016/01/30 21:34:04 [INFO][simone.io] acme: Could not find solver for: http-01
    2016/01/30 21:34:04 [INFO][simone.io] acme: Trying to solve DNS-01
    2016/01/30 21:34:13 [INFO][simone.io] The server validated our request
    2016/01/30 21:34:14 Searching for
    2016/01/30 21:34:14 simone.io
    2016/01/30 21:34:15 To delete:
    2016/01/30 21:34:15 {5341831 41571 _acme-challenge TX8-77TN9XHZHO510Yw20u1j89UhdgGXcwScKZHRGNY 120 0 TXT 2016-01-30 20:34:05.859 +0000 UTC 2016-01-30 20:34:05.859 +0000 UTC}
    2016/01/30 21:34:15 Will delete:
    2016/01/30 21:34:15 [{5341831 41571 _acme-challenge TX8-77TN9XHZHO510Yw20u1j89UhdgGXcwScKZHRGNY 120 0 TXT 2016-01-30 20:34:05.859 +0000 UTC 2016-01-30 20:34:05.859 +0000 UTC}]
    2016/01/30 21:34:15 [INFO][yy.simone.io] acme: Could not find solver for: http-01
    2016/01/30 21:34:15 [INFO][yy.simone.io] acme: Could not find solver for: tls-sni-01
    2016/01/30 21:34:15 [INFO][yy.simone.io] acme: Trying to solve DNS-01
    2016/01/30 21:34:18 [INFO][yy.simone.io] The server validated our request
    2016/01/30 21:34:19 Searching for
    2016/01/30 21:34:19 yy.simone.io
    2016/01/30 21:34:19 To delete:
    2016/01/30 21:34:19 {5341832 41571 _acme-challenge.yy pHolYM_OqxCThmL3nBA91qRCI6-oEIMG0YOJj3R1Xww 120 0 TXT 2016-01-30 20:34:17.176 +0000 UTC 2016-01-30 20:34:17.176 +0000 UTC}
    2016/01/30 21:34:19 Will delete:
    2016/01/30 21:34:19 [{5341832 41571 _acme-challenge.yy pHolYM_OqxCThmL3nBA91qRCI6-oEIMG0YOJj3R1Xww 120 0 TXT 2016-01-30 20:34:17.176 +0000 UTC 2016-01-30 20:34:17.176 +0000 UTC}]
    2016/01/30 21:34:20 [INFO][xx.simone.io] acme: Could not find solver for: tls-sni-01
    2016/01/30 21:34:20 [INFO][xx.simone.io] acme: Trying to solve DNS-01
    2016/01/30 21:34:23 [INFO][xx.simone.io] The server validated our request
    2016/01/30 21:34:23 Searching for
    2016/01/30 21:34:23 xx.simone.io
    2016/01/30 21:34:24 To delete:
    2016/01/30 21:34:24 {5341833 41571 _acme-challenge.xx LEr6l7KJCr6e7LlqyQgAbZbKCRmLFa5zNC8kNHK1FtQ 120 0 TXT 2016-01-30 20:34:21.793 +0000 UTC 2016-01-30 20:34:21.793 +0000 UTC}
    2016/01/30 21:34:24 Will delete:
    2016/01/30 21:34:24 [{5341833 41571 _acme-challenge.xx LEr6l7KJCr6e7LlqyQgAbZbKCRmLFa5zNC8kNHK1FtQ 120 0 TXT 2016-01-30 20:34:21.793 +0000 UTC 2016-01-30 20:34:21.793 +0000 UTC}]
    2016/01/30 21:34:25 [INFO][simone.io, yy.simone.io, xx.simone.io] acme: Validations succeeded; requesting certificates
    2016/01/30 21:34:26 [INFO] acme: Requesting issuer cert from https://acme-staging.api.letsencrypt.org/acme/issuer-cert
    2016/01/30 21:34:26 [INFO][simone.io] Server responded with a certificate.
    [INFO][https://acme-staging.api.letsencrypt.org/acme/cert/fae971fcb1ce12 c4d3bb95a1f577786cccfe] Certificate simone.io, yy.simone.io, xx.simone.io2016/01/30 21:34:26 145 <nil>
    2016/01/30 21:34:26 .data/certs/1454186041
    2016/01/30 21:34:26 completed!
2016-01-30 22:14:29 +01:00
Den Quixote
0e53e51ba5 dns_challenge preCheckDNS: let system resolver decide IPv4 ./. IPv6.
We can ask the OS resolver for the IP of Google's public anycast DNS.
No need to "bootstrap" with literal IP address. The OS resolver knows
best about IPv4 ./. IPv6.

Mostly fixes #88.
2016-01-30 19:39:10 +01:00
Simone Carletti
753f9ca798 DNSimpleProvider: Fix bug with subdomains
When requesting a certificate for a subdomain, the DNS record was
attached to the domain instead.

E.g.

Requested:

    ww1.example.com

Created:

   _acme-challenge.example.com

instead of

    _acme-challenge.ww1.example.com
2016-01-30 00:03:50 +01:00
Simone Carletti
adc8afbb89 Update the path to the go lib 2016-01-29 23:47:56 +01:00
xenolf
815d8bba0c Merge pull request #84 from weppos/dnsimple
Add DNSimple DNS support
2016-01-29 23:06:42 +01:00
xenolf
54e272aaa3 Fix regression in Renew with SAN.
re-apply 5930ea52f0
Fixes #87
2016-01-29 14:10:57 +01:00
Matthew Holt
cf4ca2a89d Use http.DefaultClient
The Go docs recommend this.
2016-01-27 20:43:51 -07:00
Matthew Holt
b42b256d5c Add DigitalOcean DNS provider
Also a few vet/lint fixes and improved some error messages
2016-01-26 17:57:55 -07:00
Simone Carletti
d70e2869d2 Move toFqdn and unFqdn into a shared place (see GH-84) 2016-01-26 16:37:50 +01:00
Simone Carletti
08516614dd DNSimpleProvider: implement Present/CleanUp 2016-01-26 15:09:33 +01:00
Simone Carletti
6a3297e36f DNSimpleProvider: fetch credentials from env
I also had to rename the `envAuth()` in the Cloudflare implementation
to avoid the "redeclared" error

    acme/dns_challenge_dnsimple.go:41: envAuth redeclared in this block
        previous declaration at acme/dns_challenge_cloudflare.go:154
2016-01-26 13:13:40 +01:00
Simone Carletti
bcfce0809a DNSimpleProvider: Check valid credentials 2016-01-26 12:25:51 +01:00
Simone Carletti
3f4b078329 Basic DNSimple implementation for DNSProvider 2016-01-26 12:14:10 +01:00
xenolf
50031525c9 Fix DNS-01 challenge resource property 2016-01-25 00:32:47 +01:00
xenolf
08cd016ed3 Switch DNS-01 challenge over to central validation function 2016-01-25 00:23:21 +01:00
Jehiah Czebotar
617dd4d37c Refactor challenge providers to new ChallengeProvider interface
* new ChallengeProvider with Present and CleanUp methods
* new Challenge type describing `http-01`, `tls-sni-01`, `dns-01`
* new client.SetChallengeProvider to support custom implementations
2016-01-24 16:10:50 -05:00
Matthew Holt
1ceed018fd Tweak comment 2016-01-22 13:39:32 -07:00
Jan Broer
323bb88640 Fetch remaining zones when response is truncated.
Route53 API won’t return more than 100 zones per request.
2016-01-22 18:50:18 +01:00
xenolf
50be32a69e Change maximum zone number requested from Route53 to Math.MaxInt32 from MaxInt64.
Fixes #79.
2016-01-22 18:18:53 +01:00
xenolf
5992793edd Refactor DNS precheck 2016-01-22 02:25:27 +01:00
xenolf
602aeba6c1 Merge branch 'add-dns-challenge' 2016-01-22 01:51:10 +01:00
xenolf
a3f134e3fb Check DNS entry for validity before hitting boulder 2016-01-22 01:38:15 +01:00
Matthew Holt
db3a956d52 Couple more tests to ensure right method is being used 2016-01-13 18:49:25 -07:00
Ernesto Alejo
873ed4771d Fix fallthrough in the response status codes 2016-01-14 00:32:45 +01:00
xenolf
beac6273f6 Merge pull request #71 from xenolf/pem-decode-fix
Fix PEM decoding if file ends with multiple newlines
2016-01-12 18:16:52 +01:00
xenolf
33216d7563 Fix a race for socket in HTTP-01 2016-01-11 22:04:04 +01:00
Matthew Holt
19ea2cbf75 Fix PEM decoding if file ends with multiple newlines
This method more closely reflects how crypto/tls does it here: https://golang.org/src/crypto/tls/tls.go?s=5139:5210#L174
2016-01-11 10:02:28 -07:00
xenolf
db1a519684 Add the ability to reuse a private key 2016-01-08 10:14:41 +01:00
xenolf
6e33cd1b84 Move JSON http wrappers to http.go file 2016-01-08 10:04:57 +01:00
xenolf
0c10083ef0 Update tests 2016-01-08 08:04:50 +01:00
xenolf
de29381f7a Add interface:port override to HTTP-01 and TLS-01 instead of only port 2016-01-08 08:04:38 +01:00
xenolf
1193ae895a Merge pull request #66 from xenolf/user-agent-string
Implement custom User-Agent string
2016-01-07 04:51:31 +01:00
Jan Broer
04e4239653 Base64 encode dns-01 record 2016-01-05 00:40:05 +01:00
Matthew Holt
0786c993c9 Return full, parsed ocsp response instead of just the status 2015-12-31 16:07:18 -07:00
Matthew Holt
bfc24007db Oops 2015-12-31 15:04:58 -07:00
Matthew Holt
89908f39e9 Implement custom User-Agent string
Also a couple miscellaneous vet fixes
2015-12-30 15:01:21 -07:00
xenolf
fce9468e1e Update client docs 2015-12-27 20:56:02 +01:00
xenolf
8362f35823 Remove unreachable code 2015-12-27 20:55:44 +01:00
xenolf
3a3baf1597 Fix validateFunc tests 2015-12-27 19:26:47 +01:00
xenolf
09ff568758 Adjust logging output for http-01 2015-12-27 19:18:38 +01:00
xenolf
466af28672 Extract validateFunc from httpChallenge and tlsSNIChallenge 2015-12-27 19:08:17 +01:00
xenolf
6b750198f2 Fix tests 2015-12-27 18:56:44 +01:00
xenolf
523f3eb250 Change SetHTTPSPort to SetTLSPort 2015-12-27 18:56:36 +01:00
xenolf
0e857b2fef Adapt CLI to changes in lib
- Change explicit include of challenges to explicit exclude
- Add CLI switches for HTTP and TLS ports
2015-12-27 18:35:19 +01:00
xenolf
053dc4cfb1 Extract mutation of client into functions 2015-12-27 18:28:54 +01:00
xenolf
595f684e27 Merge branch 'master' of https://github.com/tommie/lego into refactor-client
# Conflicts:
#	acme/client.go
#	acme/http_challenge.go
#	acme/http_challenge_test.go
#	acme/tls_sni_challenge.go
#	cli.go
#	cli_handlers.go
2015-12-27 17:38:49 +01:00
Mustafa Altun
f3df6b81b2 Fix gofmt errors 2015-12-24 10:57:09 +02:00
xenolf
c2630f8eb7 Limit ioutil.ReadAll calls in client as well 2015-12-21 02:44:25 +01:00
xenolf
00af84d91b Close response body in getIssuerCertificate 2015-12-21 02:44:25 +01:00
xenolf
7789bd2ffc Limit OCSP answers to 1MB.
fixes #56
2015-12-18 22:33:30 +01:00
xenolf
136cc73ff8 Move call to ObtainSANCertificate 2015-12-18 17:55:43 +01:00
xenolf
5930ea52f0 lib: make renew aware of SAN 2015-12-18 17:55:43 +01:00
xenolf
c13968859a tweak log messages a bit 2015-12-15 21:21:12 +01:00
xenolf
c2467d031f Fix tests with new error 2015-12-11 17:16:24 +01:00
xenolf
f08c15df80 Use boulder error messages. 2015-12-11 17:16:24 +01:00
Jan Broer
666698cea3 Modular DNS challenge
- Manual provider
- Dynamic DNS Update provider (RFC2136)
- Route53 provider
- CloudFlare provider
2015-12-10 18:35:35 +01:00
xenolf
a23289899c Fix typo 2015-12-07 16:58:01 +01:00
xenolf
54e96f6fc5 Document that ObtainSANCertificate will never return a partial certificate on error. 2015-12-07 16:51:28 +01:00
Tommie Gannert
e32b9abfb2 Remove ObtainCertificates and rename ObtainSANCertificate to ObtainCertificate.
Also removes revokation abilities from RenewCertificate.

Makes the API more orthogonal. These things are not provided by the
ACME protocol, but were convenience helpers.
2015-12-05 22:07:12 +00:00
Tommie Gannert
71624f607a Replace exponential back-off in validate with Retry-After header.
Last paragraph of ACME spec, section 6.5:

  To check on the status of an authorization, the client sends a GET
  request to the authorization URI, and the server responds with the
  current authorization object.  In responding to poll requests while
  the validation is still in progress, the server MUST return a 202
  (Accepted) response with a Retry-After header field.
2015-12-05 21:32:53 +00:00
Tommie Gannert
b2c88d7a5d Make solvers configurable.
Allows selecting which solvers are available, and specifying options for them.
2015-12-05 21:01:08 +00:00
Tommie Gannert
039b7c50dc Use postJSON and getJSON wherever possible.
Encapsulates JSON marshalling.
2015-12-05 15:59:15 +00:00
Tommie Gannert
2dc2fdd1af Split off tests for validate, simplifying HTTP-01 and TLS-SNI-01 tests. 2015-12-05 15:09:29 +00:00
Tommie Gannert
bee1326835 Use a local ServeMux in httpChallenge.Solve.
Avoids modifying global state.
2015-12-05 12:25:01 +00:00
Tommie Gannert
38cb60624f Simplify tlsSNIChallenge code.
Solve is blocking, so no need to run initialization code in a separate
goroutine. Removes the need for s.start.

Once the listener is closed, all I/O resources have been returned. No
need to wait for http.Serve to return. Removes the need for s.end.
2015-12-05 12:24:49 +00:00
Tommie Gannert
5dc33c8c08 Simplify httpChallenge code.
Solve is blocking, so no need to run initialization code in a separate
goroutine. Removes the need for s.start.

Once the listener is closed, all I/O resources have been returned. No
need to wait for http.Serve to return. Removes the need for s.end.
2015-12-05 12:00:00 +00:00
Tommie Gannert
58a2fd2267 Split off validation function.
This is a loop that interacts with the ACME server, not the individual challenges.

Also switch to exponential back-off polling for good measure.
2015-12-05 11:52:24 +00:00
Tommie Gannert
237689b0cf Run gofmt on acme/tls_sni_challenge. 2015-12-05 11:50:57 +00:00
Matthew Holt
d9e2e2a873 Cleaned up a couple log lines 2015-12-02 12:33:37 -07:00
xenolf
32a29fd5ad We have two solvers now 2015-11-22 19:33:26 +01:00
xenolf
775545e2bb Add tests to TLS-SNI-01 2015-11-22 19:31:16 +01:00
xenolf
22622438fd Implement TLS-SNI-01 to match Boulder. Not spec conform. 2015-11-22 19:31:16 +01:00
xenolf
e8d64bb50b WIP TLS-SNI-01
[ci skip]
2015-11-22 19:31:16 +01:00
Matthew Holt
974f2fa929 Don't try appending /directory to caURL (spec doesn't require it)
Also improved some comments/docs and fixed a test
2015-11-20 12:01:06 -07:00
xenolf
f2389fda58 Remove simpleHTTP - Update README 2015-11-18 22:17:02 +01:00
xenolf
08680d8fcf Properly name challenge types for http-01 tests 2015-11-18 22:11:47 +01:00
xenolf
7662cbcec5 Merge pull request #30 from xenolf/add-san-cert
Add SAN certificates - fix #20
2015-11-18 22:07:54 +01:00
xenolf
f41ed4f9de Remove unneeded function 2015-11-18 21:41:27 +01:00
xenolf
a8c2a12871 Move back to square/go-jose (reverted from commit cae6d59e19) 2015-11-18 21:15:49 +01:00
xenolf
cae6d59e19 Move back to square/go-jose 2015-11-18 21:06:45 +01:00
xenolf
caba7ddee7 Add comment to ObtainSANCertificate 2015-11-18 19:53:42 +01:00
xenolf
3be490f6cb Change how challenge order is preserved as suggested by @zakjan 2015-11-18 19:44:47 +01:00
xenolf
b9ba9e58b3 Return the right error 2015-11-17 23:07:13 +01:00
xenolf
487c8763d5 Revert adding locks to jws - not in scope of this branch 2015-11-17 22:36:25 +01:00
xenolf
6671fd137c Make sure the challenges do not get re-ordered for SAN certs 2015-11-17 22:22:25 +01:00
xenolf
c849ca1b90 If any challenge fails - return an error 2015-11-17 19:45:15 +01:00
xenolf
cce3d79fc9 Add DNS-01 2015-11-17 00:05:01 +01:00
xenolf
dd3d2d5668 Demote challenge lookup failures to infos 2015-11-17 00:05:01 +01:00
xenolf
17576f0626 Update README & Extract KeyAuthorizations from HTTP-01 2015-11-16 23:57:04 +01:00
Jan Zak
5f566d2e0c Add JSON tags to RegistrationResource as used in official client 2015-11-13 20:20:15 +01:00
xenolf
9ee93e8428 Add tests for http-01 2015-11-12 23:51:07 +01:00
xenolf
f29debf702 Adjust client tests to new solver count 2015-11-12 22:51:12 +01:00
xenolf
94caca08d8 correctly fix go1.5 dependency 2015-11-12 22:49:02 +01:00
xenolf
87e9f08cfa Replace code which needs go1.5 2015-11-12 22:33:00 +01:00
xenolf
83dc16fa5e Add the http-01 challenge to the list of solvers 2015-11-12 22:32:27 +01:00
xenolf
ba66756d4e Initial work on HTTP-01 2015-11-12 21:42:57 +01:00
xenolf
3409740d33 Fix nonce starvation bug in SimpleHTTP - fix tests 2015-11-12 02:55:28 +01:00
xenolf
998a8325aa Move back to square/go-jose 2015-11-12 02:06:22 +01:00
xenolf
b958bd2da4 Make the CA URL accept /directory. #23 2015-11-11 13:51:03 +01:00
xenolf
27a8cff3c6 Initial support for SAN certificates 2015-11-11 01:01:15 +01:00
xenolf
f6576e8815 Add locking to JWS nonce store. 2015-11-11 01:00:20 +01:00
xenolf
7717294d9e Add fallback to SimpleHTTP bind in case domain:port is not bindable. 2015-11-09 18:41:27 +01:00
Matthew Holt
10f2b59add Removed unused functions, more consistent/readable debugging 2015-11-06 23:22:32 -07:00
Matthew Holt
6f9e487d7d Make acme.Logger optional; otherwise use standard log.Logger
Also fixed lil' vet warning
2015-11-05 23:43:42 -07:00
Matthew Holt
71d0e8db6f Bind to domain:port to solve simple HTTP
This way it doesn't conflict with other processes bound to 0.0.0.0 on the same port. Refactored tests to use 127.0.0.1 instead of a bogus domain, since it must resolve to localhost to pass.
2015-11-03 12:13:20 -07:00
xenolf
3e1a5dc04b Add hooks to SimpleHTTP 2015-11-03 00:02:47 +01:00
xenolf
a2867a0c18 Add TOSError and change ObtainCertificates to return errors by domain. 2015-11-02 01:01:00 +01:00
xenolf
ee2c7f3ad7 Library support for optional email 2015-10-31 00:12:12 +01:00
Matthew Holt
2c24056374 Close leaky file descriptors 2015-10-30 15:38:59 -06:00
xenolf
38e66cf43a Fix test regexp 2015-10-30 13:50:02 +01:00
xenolf
f91d853068 Fix test to also match on travis 2015-10-30 13:26:22 +01:00
xenolf
34fe2a5547 Re-organized SimpleHTTPTests and expanded them a bit 2015-10-30 13:13:34 +01:00
xenolf
fc08101f79 Add docs to error 2015-10-30 00:50:03 +01:00
Matthew Holt
f146acc019 fix panic for situation common with self-signed certs 2015-10-28 21:36:02 -06:00
xenolf
3842dc6432 Forward server error messages to the caller
Fixes #18.
2015-10-29 01:42:05 +01:00
xenolf
cf288a3503 Change Content-Type of JWS posts.
Fixes #19.
2015-10-28 23:42:57 +01:00
xenolf
6764e53bbe Merge pull request #17 from xenolf/errorhandling
Replaced fatal with print; return errors from NewClient
2015-10-28 16:26:07 +01:00
Matthew Holt
56d50cebd8 Replaced fatal with print; return errors from NewClient 2015-10-27 17:00:42 -06:00
xenolf
94aeac7b5f Add the OCSP status code to GetOCSPForCert 2015-10-27 23:55:50 +01:00
xenolf
65b62b5670 Make ocsp validate the signature of a response.
OCSP signatures should get validated if no issuer certificate is returned from
the OCSP responder.
2015-10-27 22:31:56 +01:00
xenolf
f2f5117496 Fix client_test 2015-10-26 02:29:02 +01:00
xenolf
8b16d59831 Remove devMode from library and cli. 2015-10-26 00:47:37 +01:00
xenolf
8d31bb0123 Remove challenge pre-checks.
We won't ever be able to do this properly for all possible scenarios.
2015-10-26 00:40:11 +01:00
xenolf
537a0b74fd Update client.go 2015-10-25 23:37:26 +01:00
xenolf
2afea79309 Fix cert bundle order 2015-10-24 04:31:12 +02:00
xenolf
51a95ee548 Add initial support for certificate bundling 2015-10-24 03:55:18 +02:00
xenolf
d6f4e42b13 Add support for getting OCSP responses for OCSPStapling 2015-10-24 03:46:00 +02:00
xenolf
4d99c9e543 Support for RecoveryKey (not enabled). But not supported server side... 2015-10-23 16:24:02 +02:00
xenolf
3ddf33c8c3 Change name of AgreeToTos to AgreeToTOS.
According to https://github.com/golang/go/wiki/CodeReviewComments#initialisms
2015-10-23 10:17:51 +02:00
Matthew Holt
5efb56a1d4 Fix file descriptor leaks 2015-10-21 22:16:36 -06:00
xenolf
e74d5d4586 Make cert revocation on renewal optional. Also change signature of renew. 2015-10-19 03:20:41 +02:00
xenolf
0cd31861d3 Implement renewal. Fixes #7 2015-10-19 00:42:04 +02:00
xenolf
29a27ba807 Make CertResources json savable. Fix cli_handlers to use it. 2015-10-19 00:40:59 +02:00
xenolf
dc4125d3cf Change GetCertExpiration to accept PEM encoded certs. 2015-10-19 00:36:25 +02:00
xenolf
10b0192255 Fix goroutine leak.
Fixes #10
Tired coding is bad for you, mkay?
2015-10-18 17:27:59 +02:00
Matt Holt
5d31b0a04c Fix panic 2015-10-17 20:58:14 -06:00
xenolf
7f6f790253 Wrap []byte for DER certificates in its own type. 2015-10-18 03:29:26 +02:00
xenolf
dcdcde03aa Certificates are PEM encoded by default now 2015-10-18 03:10:46 +02:00
xenolf
caa6e78289 Clean some stuff up and refactor getCerts for some concurrency. 2015-10-18 02:16:15 +02:00
xenolf
62b4ebe72b Fix client tests 2015-10-18 02:10:17 +02:00
xenolf
12c04828c1 Move the tests to a different port. 2015-10-18 02:09:19 +02:00
xenolf
b49f37d920 Add a dev flag for skipping challenge pre-checks 2015-10-18 01:57:46 +02:00
xenolf
835927f5d5 Clean-up ugly zero time check 2015-10-18 00:25:46 +02:00
xenolf
3ef08f7413 Add a comment to GetCertExpiration 2015-10-17 22:27:04 +02:00
xenolf
34910bd541 Add a function to check cert expiration dates. 2015-10-16 21:05:16 +02:00
xenolf
b3035b16b5 Support for cert revocation 2015-09-27 14:51:44 +02:00
xenolf
e5f6f4c4a3 Changed the client to pull the urls down from the directory on the CA server.
CA Url now needs to point to the root of the CA
2015-09-26 22:59:16 +02:00
xenolf
37b20117bf Update everything to work with the latest boulder updates. 2015-09-26 19:45:52 +02:00
xenolf
98e23bab07 Make solvers private + remove random from crypto tests 2015-06-14 02:33:21 +02:00
xenolf
076173ef11 Merge pull request #4 from mholt/patch-1
Basic tests for crypto wrapper functions
2015-06-13 21:18:33 +02:00
xenolf
e6aaf7e2dd Program should not exit on bind error, but return the error to get handled 2015-06-13 21:15:34 +02:00
xenolf
2231118fdf Add SimpleHTTP tests 2015-06-13 21:06:47 +02:00
xenolf
53d7b59d36 Initial SimpleHTTP test 2015-06-13 19:13:04 +02:00
xenolf
fcd0fba9c7 Add a basic execution check to SimpleHTTP 2015-06-13 18:37:30 +02:00
Matt Holt
6b6876d15a Basic tests for crypto wrapper functions
Even though the std lib does the heavy lifting, this should verify (somewhat) that the helper functions are working.

Better tests would involve replacing crypto/rand.Reader with a non-random Reader then comparing the contents to make sure the proper std lib crypto functions were called and their values returned.
2015-06-13 09:53:17 -06:00
Matt Holt
7e12bcd800 Test NewClient
Just a simple test to make sure a Client gets set up properly
2015-06-13 09:00:18 -06:00
xenolf
6ca96fc99d More comments 2015-06-13 04:50:36 +02:00
xenolf
aa818d0515 Some more comments 2015-06-13 04:26:33 +02:00
xenolf
1ceebb72a2 Add Authorizations to CSR request message 2015-06-13 04:10:32 +02:00
xenolf
b04e5a4aac add crypto.go 2015-06-13 03:57:05 +02:00
xenolf
728646c70e Implement new interface with DVSNI 2015-06-13 03:56:52 +02:00
xenolf
612033a83a Flesh out run cli_handler for error handling and saving certificates 2015-06-13 03:56:34 +02:00
xenolf
a2d9bf4cc3 Initial version of the SimpleHTTPS challenge 2015-06-13 03:55:53 +02:00
xenolf
8f992218b9 Allow the user to override the challenge port. Enables running as non-root. 2015-06-13 00:16:49 +02:00
xenolf
84c2bceade Add initial implementation for challenge choosing 2015-06-12 00:15:13 +02:00
xenolf
2b99a75aff Change solver interface definition 2015-06-12 00:14:33 +02:00
xenolf
e600438aeb Extract JWS to its own struct 2015-06-12 00:13:43 +02:00
xenolf
bcdc00add6 change solver.solve definition 2015-06-11 16:09:53 +02:00
xenolf
7f7e96097b Rename challengeHandler to solver 2015-06-11 15:31:09 +02:00
xenolf
811c68692c Add solvers to client 2015-06-11 01:11:14 +02:00
xenolf
0ca3e29eb4 Rename simple_https to simple_http and add minimal interface implementation 2015-06-11 00:17:52 +02:00
xenolf
fe1b6e36d8 Add remaining challenge types. 2015-06-11 00:11:58 +02:00
xenolf
a09886b577 Add challengeHandler interface 2015-06-10 15:11:01 +02:00
xenolf
7aab5562c1 Move CLI handlers to their own file
Implement Tos accept and start obtain certificates
2015-06-08 23:54:15 +02:00
xenolf
ea47f1137a Base implementation with registration support 2015-06-08 02:36:07 +02:00