* add issuer certificate to CertificateResource
Also write it out to the file system when running "lego run"
Removed caching of the issuer certificate inside the acme client, since
it didn't appear to be used.
* only append issuerCert to issuedCert in case of success
Effectively a no-op since issuerCert will be nil on error, but it seems
more correct to only do it if fetching the issuer succeeds.
Introduces a new command line switch `--must-staple` to `run` and `renew`.
Using this switch will add the must staple TLS extension to the CSR generated by lego and thus also to the generated certificate.
This does not work with user specified CSRs!
Fixes #270
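An added example, not part of the commit above and not lego's own code: it shows what putting the must-staple TLS extension into a CSR looks like with Go's standard library, and how to check a CSR for it. The helper names `buildCSR` and `hasMustStaple` and the domain `example.com` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// TLS Feature extension (RFC 7633): its OID, and the DER encoding of
// SEQUENCE { INTEGER 5 }, where 5 is the status_request (OCSP stapling) feature.
var (
	tlsFeatureOID     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
	statusRequestOnly = []byte{0x30, 0x03, 0x02, 0x01, 0x05}
)

// buildCSR (hypothetical helper) creates a DER CSR for domain with a fresh
// P-256 key; with mustStaple set it requests the TLS Feature extension.
func buildCSR(domain string, mustStaple bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: domain}, DNSNames: []string{domain}}
	if mustStaple {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: tlsFeatureOID, Value: statusRequestOnly}}
	}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
}

// hasMustStaple (hypothetical helper) reports whether a DER CSR requests the
// TLS Feature extension with exactly the status_request feature.
func hasMustStaple(der []byte) (bool, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return false, err
	}
	for _, ext := range csr.Extensions {
		if ext.Id.Equal(tlsFeatureOID) && bytes.Equal(ext.Value, statusRequestOnly) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	der, _ := buildCSR("example.com", true) // constructed sample domain
	fmt.Println(hasMustStaple(der))
}
```

The same check can be run against a user-supplied CSR before submitting it, since the switch does not modify CSRs it did not generate.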
* Add NS1 DNS provider.
Integrates Lego with NS1 using their REST API.
It uses NS1's official Go package as client:
https://github.com/ns1/ns1-go
Signed-off-by: David Calavera <david.calavera@gmail.com>
* Add NS1 to the cli handlers.
Signed-off-by: David Calavera <david.calavera@gmail.com>
client.RenewCertificate now supports CSRs, and in fact prefers them,
when renewing certificates. In other words, if the certificate was
created via a CSR then using that will be attempted before re-generating
off a new private key.
Also adjusted the API of ObtainCertificateForCSR to be a little
more in line with the original ObtainCertificate function.
Different DNS providers were handling credentials in different ways.
Some were reading credential environment variables in cli_handlers.go
and then passing them into the NewDNSProvider function, while others
were reading the environment variables within their NewDNSProvider
functions.
This change replaces each DNS challenge's NewDNSProvider function with
two new functions: (1) a NewDNSProvider function that takes no
parameters and uses the environment to read credentials, and (2) a
NewDNSProviderCredentials that takes credentials as parameters.
Use GCE_PROJECT to designate your GCE project.
Authentication is automatically picked up from gcloud credentials if
running locally and from GCE metadata if run within Google Cloud.
Requires at least permission scope
"https://www.googleapis.com/auth/ndev.clouddns.readwrite"
This commit adds support for Dyn, specifically Dyn Managed DNS. Makes
use of the Dyn REST API [1] and requires 3 environment variables for
credentials:
DYN_CUSTOMER_NAME
DYN_USER_NAME
DYN_PASSWORD
The Dyn DNS API requires a session to be established first using the
credentials above. After creating a session an API token is used for
subsequent requests.
The unit test performs a "live test" and currently requires a valid Dyn
account and domain.
[1] https://help.dyn.com/rest/
- Removal of RFC2136_ZONE from help text
- Query nameserver directly to find zone we have to update
- During insert, make sure the new record is the ONLY challenge.
(I had a few panics, hence 3 challenges left. Not good.)