Commit graph

32 commits

Author SHA1 Message Date
xenolf
44d92633c6
Move duplicate code to a function
Signed-off-by: xenolf <xenolf@users.noreply.github.com>
2016-04-08 01:04:38 +02:00
LukeHandle
20ab8300eb Use zone name when talking to DNS APIs
This should handle multiple zones more efficiently
2016-03-21 00:18:49 +00:00
xenolf
d6fb247c29 Fix typo in dns_challenge 2016-03-19 17:48:50 +01:00
Michael Cross
8aa797f49d Add ChallengeProviderTimeout type to acme package
This type allows for implementing DNS ChallengeProviders that require
an unsually long timeout when checking for record propagation.
2016-03-16 18:17:03 +00:00
xenolf
3252b0bcb9 Fix WaitFor calls 2016-03-11 04:52:59 +01:00
xenolf
c50baa67cb Move WaitFor into new utils.go and switch timeout and interval to time.Duration. 2016-03-11 03:52:46 +01:00
xenolf
2ae35a755d Rename provider types as provider names are already in the package name. Added package level comments and fixed the name of the interface the providers are importing. 2016-03-11 03:46:09 +01:00
xenolf
9008ec6949 Move functions from dns package back into ACME. 2016-03-11 03:40:28 +01:00
xenolf
b412c67aa6 Move providers out of ACME package. 2016-03-03 01:14:32 +01:00
Pauline Middelink
8b90b1a380 Added testcase for in-valid.co.uk
Camelcased: fqdn2zone to fqdnToZone
Grammatical fix in externally visible error message
2016-02-29 08:46:15 +01:00
Pauline Middelink
4945919c69 - Moved findZone from rfc2136 to dns_challenge.go and renamed to findZoneByFqdn
- Reworked the code in dns_challenge.go to not assume nameserver is
   port-less or defaults to 53. (messes up testing)
- Updated nameserver test to clear the fqdn2zone cache and return a dummy
  SOA RR to make initial findZoneByFqdn call happy.
- Used publicsuffix library to determine if the "authorative" zone we found
  is a public registry, in that case error out. (Also used by boulder btw)
2016-02-28 21:09:05 +01:00
xenolf
0e26bb45ca Add support for EC certificates / account keys 2016-02-21 04:18:45 +01:00
Michael Cross
06b3802346 DNS Challenge: Fix handling of CNAMEs
Prior to this commit, the checkDNSPropagation function was exiting
early if the TXT record could not be found on the recursive
nameserver, and thus the authoritative nameservers were not being
queried until after the record showed up on the recursive nameserver
causing a delay.

This commit changes that behaviour so that the authoritative
nameservers are queried on each execution of checkDNSPropagation when
possible.
2016-02-19 21:44:35 +00:00
Matthew Holt
971541dc0a Use http client with timeout of 10s
This will prevent indefinitely-hanging requests in case some service or middle box is malfunctioning.

Fix vet errors and lint warnings

Add vet to CI check

Only get issuer certificate if it would be used

No need to make a GET request if the OCSP server is not specified in leaf certificate

Fix CI tests

Make tests verbose
2016-02-14 14:33:54 -07:00
Jan Broer
b594acbc2a Validation domain may be a CNAME or delegated to another NS 2016-02-10 16:56:50 +01:00
Jan Broer
c97b5a52a1 Refactor DNS check
* Gets a list of all authoritative nameservers by looking up the NS RRs for the root domain (zone apex)
* Verifies that the expected TXT record exists on all nameservers before sending off the challenge to ACME server
2016-02-09 05:23:58 +01:00
Jan Broer
bae7428c08 Fixes issues with the Present() method of Route53 provider:
- InvalidTXTRDATA error when creating TXT record (closes #94)
- Present() should poll and wait until the status of the record change becomes INSYNC (thanks @oov)

Adds a retry/timeout utility function to dns_challenge.go that may be used in other places
2016-02-04 00:34:52 +01:00
xenolf
29423c6293 Merge pull request #91 from weppos/log-with-name
Add missing domain name for consistency
2016-01-30 23:58:21 +01:00
Simone Carletti
ae7184b339 Add missing domain name for consistency
Before the change:

    2016/01/30 00:23:37 [INFO][simonecarletti.com, foo1.simonecarletti.com, foo2.simonecarletti.com, foo3.simonecarletti.com] acme: Obtaining bundled SAN certificate
    2016/01/30 00:23:38 [INFO][simonecarletti.com] acme: Could not find solver for: tls-sni-01
    2016/01/30 00:23:38 [INFO] acme: Trying to solve DNS-01
    2016/01/30 00:23:42 [INFO][simonecarletti.com] The server validated our request
    2016/01/30 00:23:44 [INFO] acme: Trying to solve DNS-01
    2016/01/30 00:23:47 [INFO][foo1.simonecarletti.com] The server validated our request
    2016/01/30 00:23:49 [INFO][foo2.simonecarletti.com] acme: Could not find solver for: tls-sni-01
    2016/01/30 00:23:49 [INFO][foo2.simonecarletti.com] acme: Could not find solver for: http-01
    2016/01/30 00:23:49 [INFO] acme: Trying to solve DNS-01
    2016/01/30 00:23:53 [INFO][foo3.simonecarletti.com] acme: Could not find solver for: http-01
    2016/01/30 00:23:53 [INFO] acme: Trying to solve DNS-01
    2016/01/30 00:23:56 [INFO][foo3.simonecarletti.com] The server validated our request

After the change:

    2016/01/30 00:27:58 [INFO][simonecarletti.com, foo1.simonecarletti.com, foo2.simonecarletti.com, foo3.simonecarletti.com] acme: Obtaining bundled SAN certificate
    2016/01/30 00:27:59 [INFO][simonecarletti.com] acme: Could not find solver for: http-01
    2016/01/30 00:27:59 [INFO][simonecarletti.com] acme: Trying to solve DNS-01
    2016/01/30 00:28:12 [INFO][simonecarletti.com] The server validated our request
    2016/01/30 00:28:14 [INFO][foo1.simonecarletti.com] acme: Could not find solver for: http-01
    2016/01/30 00:28:14 [INFO][foo1.simonecarletti.com] acme: Trying to solve DNS-01
    2016/01/30 00:28:19 [INFO][foo2.simonecarletti.com] acme: Could not find solver for: http-01
    2016/01/30 00:28:19 [INFO][foo2.simonecarletti.com] acme: Could not find solver for: tls-sni-01
    2016/01/30 00:28:19 [INFO][foo2.simonecarletti.com] acme: Trying to solve DNS-01
    2016/01/30 00:28:22 [INFO][foo1.simonecarletti.com] The server validated our request
2016-01-30 22:17:41 +01:00
Den Quixote
0e53e51ba5 dns_challenge preCheckDNS: let system resolver decide IPv4 ./. IPv6.
We can ask the OS resolver for the IP of Google's public anycast DNS.
No need to "bootstrap" with literal IP address. The OS resolver knows
best about IPv4 ./. IPv6.

Mostly fixes #88.
2016-01-30 19:39:10 +01:00
Simone Carletti
d70e2869d2 Move toFqdn and unFqdn into a shared place (see GH-84) 2016-01-26 16:37:50 +01:00
xenolf
50031525c9 Fix DNS-01 challenge resource property 2016-01-25 00:32:47 +01:00
xenolf
08cd016ed3 Switch DNS-01 challenge over to central validation function 2016-01-25 00:23:21 +01:00
Jehiah Czebotar
617dd4d37c Refactor challenge providers to new ChallengeProvider interface
* new ChallengeProvider with Present and CleanUp methods
* new Challenge type describing `http-01`, `tls-sni-01`, `dns-01`
* new client.SetChallengeProvider to support custom implementations
2016-01-24 16:10:50 -05:00
Matthew Holt
1ceed018fd Tweak comment 2016-01-22 13:39:32 -07:00
xenolf
5992793edd Refactor DNS precheck 2016-01-22 02:25:27 +01:00
xenolf
a3f134e3fb Check DNS entry for validity before hitting boulder 2016-01-22 01:38:15 +01:00
Jan Broer
04e4239653 Base64 encode dns-01 record 2016-01-05 00:40:05 +01:00
Jan Broer
666698cea3 Modular DNS challenge
- Manual provider
- Dynamic DNS Update provider (RFC2136)
- Route53 provider
- CloudFlare provider
2015-12-10 18:35:35 +01:00
xenolf
cce3d79fc9 Add DNS-01 2015-11-17 00:05:01 +01:00
xenolf
0ca3e29eb4 Rename simple_https to simple_http and add minimal interface implementation 2015-06-11 00:17:52 +02:00
xenolf
fe1b6e36d8 Add remaining challenge types. 2015-06-11 00:11:58 +02:00