Ludovic Fernandez
3a46680b73
Fix: gcloud wildcard ( #643 )
...
* fix: gcloud wildcard.
* refactor: minor changes.
2018-09-21 15:28:50 +00:00
Ludovic Fernandez
55361cea8c
Use Testify. ( #630 )
2018-09-15 19:16:35 +02:00
Ludovic Fernandez
bba134ce87
Allow to configure TTL, interval and timeout ( #634 )
...
* feat: add GetOrDefaultXXX methods.
* refactor: configuration (alidns).
* refactor: configuration (azure).
* refactor: configuration (auroradns).
* refactor: configuration (bluecat).
* refactor: configuration (cloudflare).
* refactor: configuration (digitalocean).
* refactor: configuration (dnsimple).
* refactor: configuration (dnmadeeasy).
* refactor: configuration (dnspod).
* refactor: configuration (duckdns).
* refactor: configuration (dyn).
* refactor: configuration (exoscale).
* refactor: configuration (fastdns).
* refactor: configuration (gandi).
* refactor: configuration (gandiv5).
* refactor: configuration (gcloud).
* refactor: configuration (glesys).
* refactor: configuration (godaddy).
* refactor: configuration (iij).
* refactor: configuration (lightsail).
* refactor: configuration (linode).
* refactor: configuration (namecheap).
* refactor: configuration (namedotcom).
* refactor: configuration (netcup).
* refactor: configuration (nifcloud).
* refactor: configuration (ns1).
* refactor: configuration (otc).
* refactor: configuration (ovh).
* refactor: configuration (pdns).
* refactor: configuration (rackspace).
* refactor: configuration (rfc2136).
* refactor: configuration (route53).
* refactor: configuration (sakuracloud).
* refactor: configuration (vegadns).
* refactor: configuration (vultr).
2018-09-15 19:07:24 +02:00
Sten Spans
cd5479a6b1
Panic on generating a certificate ( #627 )
2018-09-09 12:37:30 +02:00
Craig Peterson
de3accf531
Submit all dns records up front, then validate serially ( #607 )
2018-09-08 11:56:51 +02:00
Bill Shupp
e0d512138c
Fix missing issuer certificates from Let's Encrypt ( #587 )
2018-07-01 02:35:39 +02:00
Ludovic Fernandez
9bb5589e17
feat: CA Server Name. ( #590 )
2018-07-01 01:12:36 +02:00
Ludovic Fernandez
a2543a2fde
Don't trust identifiers order. ( #589 )
...
ACME draft Section 7.4 "Applying for Certificate Issuance"
https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4
says:
Clients SHOULD NOT make any assumptions about the sort order of
"identifiers" or "authorizations" elements in the returned order
object.
2018-07-01 01:06:46 +02:00
Ludovic Fernandez
94e14328ab
refactor: replace Dial by DialContext. ( #585 )
2018-07-01 00:55:57 +02:00
Robert Kästel
54422ab226
Order polling wait ( #581 )
2018-06-25 23:22:42 +02:00
Ludovic Fernandez
a1585a7b9a
Review DNS providers ( #580 )
...
* refactor: create log.Infof and log.Warnf
* refactor: review DNS providers.
- use one `http.Client` by provider instead of one client by request
- use the same receiver name `d` for all `DNSProvider`
- use `http.MethodXXX`
* refactor: logger init.
2018-06-21 19:06:16 +02:00
Ludovic Fernandez
57782ac3c1
tls-alpn: add a function to return PEM blocks. ( #579 )
...
* feature(tls-alpn): add function to return PEM blocks.
2018-06-18 15:44:18 +02:00
Wyatt Johnson
d457f70ae0
TLS-ALPN-01 Challenge ( #572 )
...
* feat: implemented TLS-ALPN-01 challenge
2018-06-14 01:20:56 +02:00
Daniel McCarney
8f9e90b2a0
ACME HTTP: Allow customizing HTTP client x509.CertPool ( #571 )
...
This commit updates `acme/http.go` to allow customizing the
`*x509.CertPool` used by the `HTTPClient` by specifying the filepath of
a custom CA certificate via the `CA_CERTIFICATE` environment variable.
This allows developers to easily trust a non-standard CA when
interacting with an ACME test server (e.g. Pebble):
```
CA_CERTIFICATE=~/go/src/github.com/letsencrypt/pebble/test/certs/pebble.minica.pem \
lego \
--server https://localhost:14000/dir \
--email foo@bar.com \
-d example.com \
run
```
2018-06-11 15:45:59 +02:00
Ludovic Fernandez
7fedfd1388
fix: user-agent string order. ( #566 )
2018-06-03 12:23:01 -06:00
nelsonkram
f17b1ce516
Added 'processing' status as valid challenge status ( #561 )
2018-05-31 17:22:37 +02:00
Ludovic Fernandez
1b12c25e43
Add linters ( #556 )
...
* feat: add linters.
* fix: lint.
2018-05-30 16:03:55 -06:00
Ludovic Fernandez
e7fd871a9c
ACME V2 support ( #555 )
2018-05-30 19:53:04 +02:00
Philippe M. Chiasson
6bddbfd17a
Use proxies from environment when making outbound http connections ( #478 )
...
Fixes #477
2018-01-25 09:10:08 -07:00
Simon Menke
b929aa5aab
Fix zone detection for cross-zone cnames ( #449 )
...
* Fix zone detection for cross-zone cnames
CNAMEs cannot co-exist with SOA records so responses with
a CNAME should be skipped.
The `cross-zone-example.assets.sh.` is currently hosted by
me (@fd) and will continue to exist for as long as the assets.sh
domain exists. (The assets.sh domain is used as a CDN and is unlikely
to go away.)
See #330
* Extracted CNAME checking to simplify the FindZoneByFqdn control flow.
2017-11-15 11:03:00 +01:00
LeSuisse
a80b046ca8
Users of an effective top-level domain can use the DNS challenge ( #436 )
...
They will not get anymore an error message saying
"Could not find the start of authority".
Finding the zone cut of a FQDN now only rely on the presence
of a SOA record. Indeed, in the context of an eTLD the
authority will be the eTLD itself so you need to continue
to recurse until you get an answer instead of cutting the search
when you find the public suffix of a domain.
Fixes #434
2017-10-25 21:47:54 +02:00
Shawn Smith
92ed209099
fix typo ( #419 )
2017-08-10 11:47:37 -06:00
Janez Troha
147b326cb0
acme/http: saner http client timeouts ( #377 )
...
LE is becoming quite popular and it was observed that response time can be around 15s. I've increased this to 30s and added changes recomended here https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/
2017-07-17 21:57:01 +02:00
Unknown
f3fc555a98
Add explicit calls to disable authz on errors
2017-04-27 01:46:52 +02:00
Manuel Valls Fernández
a111d61d85
Move nonce retry from jws to http ( #367 )
...
* Move nonce retry from jws to http
The error raised by an "invalid nonce" response never appeared
inside jws.go, but instead it was handled at http.go, so it makes
sense to move the retry logic to that file. The previous code from
jws.go had no effect and did not solve issues related to invalid
nonces.
* Rename retry response variable name for clarity
2017-03-30 02:25:34 +02:00
Unknown
ee0018c855
Remove conditional around rate limiting
...
Always limit LE requests to ~18 per second, no matter how many domains are being validated.
2017-03-30 02:06:43 +02:00
Mahmoud Abdelsalam
0e2937900b
Add error checking for the jws httpPost ( #360 )
...
https://github.com/xenolf/lego/issues/359
2017-03-17 19:58:44 +01:00
Etienne
45beff7ed3
Add workaround for new-authz rate limits ( #357 )
2017-03-13 22:41:19 +01:00
xenolf
66d8acbf89
Add some better error messages to http and jws
2017-02-19 05:50:21 +01:00
Pavel Forkert
0c0d57a545
Log authorization urls ( #350 )
...
https://letsencrypt.org/docs/rate-limits/ says:
> The pending authorization objects are represented by URLs of the form https://acme-v01.api.letsencrypt.org/acme/authz/XYZ , and should show up in your client logs.
2017-02-19 05:30:33 +01:00
Pavel Forkert
661e5e690c
Do not get stuck when server accidentally starts responding with bad data ( #349 )
...
If `links["next"] == ""` the early return does not send neither success, nor failure to outer code,
which leads to whole `getChallenges` method being stuck forever, cause it waits for either `resc` or `errc` to receive message.
2017-02-19 05:17:22 +01:00
xenolf
9f94aabbd2
Fix nonce error ( #354 )
...
* Adding a NonceError type to detect nonce errors
* Implement a one off retry on a nonce error.
2017-02-19 05:12:14 +01:00
Pavel Forkert
09d8a49bf2
Reduce nonce locking ( #340 )
...
* [reduce-locking] Prepare for change
* [reduce-locking] Do not lock on http request
* [reduce-locking] Move getNonce and getNonceFromResponse from jws struct cause they do not need access to it
* [reduce-locking] Extract nonceManager
* [reduce-locking] Add test that tries to show locking on http requests problem
2017-02-19 04:48:45 +01:00
Matt Holt
f5d538caab
Close response body in error case and close first one ( #341 )
...
* Close response body in error case
* Ensure the body of both responses is closed when polling for cert
Also make a new const of maxBodySize, and cap the number of polls
to a maximum of 1000.
* More correct placement for polling limit
* Move const to the top
2017-01-15 16:54:49 +01:00
Joe Shaw
e9c3078492
add issuer certificate to CertificateResource ( #325 )
...
* add issuer certificate to CertificateResource
Also write it out to the file system when running "lego run"
Removed caching of the issuer certificate inside the acme client, since
it didn't appear to be used.
* only append issuerCert to issuedCert in case of success
Effectively a no-op since issuerCert will be nil on error, but it seems
more correct to only do it if fetching the issuer succeeds.
2016-12-14 00:22:48 +01:00
Pavel Forkert
d149f14b6b
Properly lock jws.nonces ( #319 )
...
Before read access to `nonces` field in jws structure (in `Nonces` method) was not synchronized and we were still able
to get `slice bounds out of range` panic when trying to "pop" value in `Nonces` method.
The race can be actually observed by running `Nonce` method multiple times in separate goroutines with th precondition is `len(jws.nonces) == 1`.
2016-12-13 09:49:37 +01:00
xenolf
cbd5d04c89
Fix OCSP must staple.
...
Fixes #327
2016-12-06 08:41:28 +01:00
xenolf
3db48c9e13
Fix HTTP-01 and TLS-SNI invalid port tests for go 1.8
2016-11-14 11:08:33 +01:00
xenolf
2abbe6d836
Tweak log message for a wrong host in HTTP-01
...
Fixes #314
2016-11-10 08:24:06 +01:00
Woz
306f5c06fa
Dns from resolv.conf ( #293 )
...
* Get better dns server defaults if available
if an /etc/resolv.conf file exists, then get the dns servers from there
* fix handwritten code...
* Make discovering system dns servers more testable
Allow specifying path to resolv.conf file to allow testing logic
* add tests
* Log which resolvers we are using
* move log statement for dns resolvers used
2016-11-03 19:37:15 +01:00
xenolf
72914df00f
Add OCSP must staple support
...
Introduces a new command line switch `--must-staple` to `run` and `renew`.
Using this switch will add the must staple TLS extension to the CSR generated by lego and thus also to the generated certificate.
This does not work with user specified CSRs!
Fixes #270
2016-10-27 11:22:10 +02:00
xenolf
85eddfa347
Remove check for auto renewed cert from . This is no longer part of the spec
2016-10-17 11:12:54 +02:00
Ely Deckers
4083ff8bc3
Fix duplicate json tag in recoveryKeyMessage
...
Fixed issue by removing unused recoveryKeyMessage struct
Issue appears in Go 1.8+ due to this improvement to vet:
https://go-review.googlesource.com/#/c/16704/
2016-10-15 19:32:28 +02:00
Matthew Holt
70a2b229e2
Document that challenge providers get replaced on these calls
2016-09-28 18:19:52 -06:00
Kate Jefferson
2569c53efe
Add sync.Mutex to lock and unlock j.nonces
2016-08-18 16:35:03 -04:00
Matthew Holt
6bd7f505e1
Log when skipping challenges due to valid authz
2016-08-16 14:00:17 -06:00
Matthew Holt
b2d7a1821e
Skip solving challenges when authz is already valid ( fixes #267 )
2016-08-16 13:50:56 -06:00
Cristian Graziano
2818a41068
Export PreCheckDNS so library users can manage the DNS check in tests
2016-08-09 22:15:54 -07:00
liz
5eae7e889c
Fix documentation for acme.NewClient
2016-08-04 12:09:42 -04:00
janeczku
d6197084fc
Fixes zone lookup for domains that have a CNAME with the target in another zone
2016-07-29 21:28:28 +02:00
xenolf
e2f341198f
Remove unneeded re-checking of OCSP responses. The stdlib has us covered already.
...
Fixes #247
2016-07-21 03:32:56 +02:00
xenolf
029ece0fd2
Well a timeout of 10 something is a good idea indeed...
2016-07-21 03:27:34 +02:00
xenolf
082ff6d029
Removed HTTPTimeout and exported a new HTTPClient variable as a replacement.
...
The HTTPTimeout was not honored by the default client. Clients should now construct their own HTTPClient for overriding the timeout.
Fixes #246
2016-07-21 03:24:11 +02:00
Chris Marchesi
575370e196
cert: Extend acme.CertificateResource, support CSRs on renew
...
client.RenewCertificate now supports CSRs, and in fact prefers them,
when renewing certificates. In other words, if the certificate was
created via a CSR then using that will be attempted before re-generating
off a new private key.
Also adjusted the API of ObtainCertificateForCSR to be a little
more in line with the original ObtainCertificate function.
2016-06-14 21:15:25 -07:00
Will Glynn
8d7afd02b9
Add ObtainCertificateForCSR()
...
This commit also breaks requestCertificate() into two parts, the first of
which generates a CSR, the second of which became requestCertificateForCsr()
which does what the name implies.
2016-06-14 21:15:25 -07:00
xenolf
c570b320ae
Merge pull request #222 from connctd/registration
...
In case of conflict during registration, the old registration is now recovered
2016-06-14 13:13:50 +02:00
Till Klocke
402756c1c5
registration message in case of conflict 409 should not contain contact details
2016-06-14 09:50:12 +02:00
Derek McGowan
be785fda33
Updated original signature and removed new function
2016-06-12 22:57:22 -07:00
Russ Cox
c8b0781028
Add TLS SNI Challenge function which returns domain
...
Used by rsc.io/letsencrypt to get the challenge domain.
Originally committed under rsc.io/letsencrypt/vendor.
2016-06-10 11:47:43 -07:00
Chris Marchesi
3028225371
reg: Add Query and Delete functions
...
Add 2 new functions to acme.Client for registration stuff:
* QueryRegistration: This performs a POST on the client
registration's URI and gets the updated registration info.
* DeleteRegistration: This deletes the registration as currently
configured in the client.
The latter, while a part of the IETF draft, may not be 100%
functional in LE yet, my tests showed that resources were still
available after deletion.
2016-06-08 16:36:42 -07:00
Till Klocke
599eb9a739
In case of conflict during registration, the old registration is now recovered
2016-06-06 15:32:02 +02:00
zealic
88932f9167
Add dns-timeout support.
2016-05-25 11:22:09 +08:00
xenolf
9e0c21c439
Add HTTPTimeout variable to http.go.
...
This lets users of this library override the default internal timeout for HTTP requests issued by the library. The default is 10 seconds.
2016-05-19 18:51:47 +02:00
xenolf
094e3d41bb
httpError - Set detail string to the content of the HTTP response if it's not parsed as JSON
...
Fixes #188
2016-04-15 03:09:29 +02:00
xenolf
cbca761215
Merge pull request #186 from LukeHandle/patch-dns-retryquery
...
Retry logic for dnsQuery
2016-04-14 20:27:14 +02:00
LukeHandle
a684bab9a4
Fix typo in "retry"
2016-04-12 07:36:42 +01:00
xenolf
23e88185c2
Merge pull request #185 from rekby/jws-out-of-range
...
Fix out of range
2016-04-12 02:41:31 +02:00
LukeHandle
dbad97ebc6
Retry logic for dnsQuery
...
Added a slice of NS to be used when retrying queries. Also used with FindZoneByFqdn()
Adjusted 2 error messages given to better differentiate the returned error string
2016-04-12 00:24:11 +01:00
Rekby
e81192c912
errors.New -> fmt.Errorf
2016-04-11 11:49:20 +03:00
Rekby
3ab9b75696
simple, without retriing
2016-04-11 11:43:32 +03:00
Rekby
334ebd6ee6
gofmt
2016-04-11 07:27:12 +03:00
Rekby
7557681b06
doesn't sleep after last try
2016-04-11 07:26:45 +03:00
Rekby
3a426a1382
retry get nonce few times before return error
2016-04-11 07:22:00 +03:00
Rekby
f32c8a55e7
typo
2016-04-11 07:03:21 +03:00
Rekby
1107e337a5
returt to master version for clean pull request
2016-04-11 07:02:06 +03:00
Rekby
ec18c6e42f
Fix out of range
2016-04-11 06:45:32 +03:00
Rekby
232fbbef08
Fix out of range
2016-04-10 16:06:49 +03:00
xenolf
44d92633c6
Move duplicate code to a function
...
Signed-off-by: xenolf <xenolf@users.noreply.github.com>
2016-04-08 01:04:38 +02:00
Alexander Neumann
ec667a7ed1
Only try to parse JSON documents
...
This patch adds code to only parse the HTTP response body as JSON if the
content-type header advertises the content as JSON. In my case, the
directory server was unavailable: it returned a 503 HTTP response code
with an HTML document, and the only thing lego reported was:
2016/04/04 19:12:56 Could not create client: get directory at 'https://acme-v01.api.letsencrypt.org/directory ': invalid character '<' looking for beginning of value
This was caused by trying to parse the document body (HTML) as JSON,
without looking at the content-type header and returning the JSON parse
error.
2016-04-04 23:15:49 +02:00
Cedric Staub
6528bf217e
Build with go-jose.v1 instead of master
2016-03-27 12:38:49 -07:00
LukeHandle
20ab8300eb
Use zone name when talking to DNS APIs
...
This should handle multiple zones more efficiently
2016-03-21 00:18:49 +00:00
xenolf
d6fb247c29
Fix typo in dns_challenge
2016-03-19 17:48:50 +01:00
Michael Cross
8aa797f49d
Add ChallengeProviderTimeout type to acme package
...
This type allows for implementing DNS ChallengeProviders that require
an unsually long timeout when checking for record propagation.
2016-03-16 18:17:03 +00:00
Michael Cross
f70a48e28a
Improve wording of ChallengeProvider comment
2016-03-15 12:46:48 +00:00
xenolf
98c95e83c9
Add link to account to certificate meta data.
2016-03-14 03:29:29 +01:00
xenolf
3252b0bcb9
Fix WaitFor calls
2016-03-11 04:52:59 +01:00
xenolf
c50baa67cb
Move WaitFor into new utils.go and switch timeout and interval to time.Duration.
2016-03-11 03:52:46 +01:00
xenolf
2ae35a755d
Rename provider types as provider names are already in the package name. Added package level comments and fixed the name of the interface the providers are importing.
2016-03-11 03:46:09 +01:00
xenolf
9008ec6949
Move functions from dns package back into ACME.
2016-03-11 03:40:28 +01:00
xenolf
b412c67aa6
Move providers out of ACME package.
2016-03-03 01:14:32 +01:00
Pauline Middelink
8b90b1a380
Added testcase for in-valid.co.uk
...
Camelcased: fqdn2zone to fqdnToZone
Grammatical fix in externally visible error message
2016-02-29 08:46:15 +01:00
Pauline Middelink
4945919c69
- Moved findZone from rfc2136 to dns_challenge.go and renamed to findZoneByFqdn
...
- Reworked the code in dns_challenge.go to not assume nameserver is
port-less or defaults to 53. (messes up testing)
- Updated nameserver test to clear the fqdn2zone cache and return a dummy
SOA RR to make initial findZoneByFqdn call happy.
- Used publicsuffix library to determine if the "authorative" zone we found
is a public registry, in that case error out. (Also used by boulder btw)
2016-02-28 21:09:05 +01:00
Pauline Middelink
bc5c3b53e1
Merge remote-tracking branch 'upstream/master' into issue-140-multi-zone-certs
...
Conflicts solved:
README.md
cli.go
2016-02-28 15:42:09 +01:00
Pauline Middelink
e772779caf
Fix for issue/140:
...
- Removal of RFC2136_ZONE from help text
- Query nameserver directly to find zone we have to update
- During insert, make sure the new record is the ONLY challence.
(I had a few panics, hence 3 challences left. Not good.)
2016-02-28 01:08:59 +01:00
Pauline Middelink
b5e0b91c05
Merge remote-tracking branch 'upstream/master'
2016-02-27 17:47:25 +01:00
xenolf
fcd05ae397
Merge pull request #130 from xenolf/add-ecc-support
...
Add EC support
2016-02-27 03:38:12 +01:00
Pauline Middelink
ec18e5ce07
Unneeded assignment
2016-02-26 02:52:13 +01:00
xenolf
da7dd0f7b8
Remove no longer needed crypto function. ACME spec no longer requires this.
2016-02-21 04:31:02 +01:00
xenolf
c9e1d0a482
Remove keyBits from tests, use keyType instead.
2016-02-21 04:22:03 +01:00
xenolf
a61e41c90e
Fix typo in the constant for the P384 curve.
2016-02-21 04:18:45 +01:00
xenolf
1f777a0d77
Adapt tests to EC changes
2016-02-21 04:18:45 +01:00
xenolf
0e26bb45ca
Add support for EC certificates / account keys
2016-02-21 04:18:45 +01:00
xenolf
f203a8e336
Fix wrong variables being used in DNSimple test.
2016-02-21 04:14:32 +01:00
xenolf
a4d8c0e6b9
Fix a couple of misspelled words and lint errors.
2016-02-15 03:59:43 +01:00
Michael Cross
06b3802346
DNS Challenge: Fix handling of CNAMEs
...
Prior to this commit, the checkDNSPropagation function was exiting
early if the TXT record could not be found on the recursive
nameserver, and thus the authoritative nameservers were not being
queried until after the record showed up on the recursive nameserver
causing a delay.
This commit changes that behaviour so that the authoritative
nameservers are queried on each execution of checkDNSPropagation when
possible.
2016-02-19 21:44:35 +00:00
xenolf
d17982745f
Merge pull request #137 from xi2/fix-TestCheckAuthoritativeNss-failure-report
...
Fix TestCheckAuthoritativeNss failure report
2016-02-19 18:25:45 +01:00
Michael Cross
fc64f8b99d
DNS Challenge: Fix TestCheckAuthoritativeNss failure report
2016-02-19 10:24:39 +00:00
Jan Broer
453a3d6b3f
Declare own HTTP client
2016-02-18 20:41:27 +01:00
Jan Broer
93cfae053a
Use custom lego user-agent in requests
2016-02-16 18:38:51 +01:00
Jan Broer
d03fb496c0
Refactor CloudFlare provider to have no 3rd party dependencies
2016-02-16 15:50:24 +01:00
xenolf
f1a1e081c8
Merge pull request #127 from xenolf/tweaks
...
Add go vet to the CI checks, fix vet errors and set default HTTP timeout to 10 seconds.
2016-02-15 00:02:11 +01:00
Matthew Holt
971541dc0a
Use http client with timeout of 10s
...
This will prevent indefinitely-hanging requests in case some service or middle box is malfunctioning.
Fix vet errors and lint warnings
Add vet to CI check
Only get issuer certificate if it would be used
No need to make a GET request if the OCSP server is not specified in leaf certificate
Fix CI tests
Make tests verbose
2016-02-14 14:33:54 -07:00
xenolf
a44384f52f
Fix tests for new naming.
2016-02-14 22:07:27 +01:00
xenolf
21de29e902
Take the magic out of defaulting to the Server implementations of HTTP-01 and TLS-SNI-01
2016-02-14 16:57:06 +01:00
xenolf
7475e7f9c2
Move the HTTP-01 and TLS-SNI-01 default solvers to a more unified layout.
...
Made the solvers exported and added New... functions to them.
2016-02-14 16:56:14 +01:00
xenolf
bf66ac9e17
Resolve issue where the route53 tests would take 30secs to complete.
...
The default AWS HTTP client retries three times with a deadline of 10 seconds in order to fetch metadata from EC2. Replaced the default HTTP client with one that does not retry and has a low timeout.
2016-02-14 00:55:03 +01:00
Philipp Kern
f00f09f19c
Allow to specify RFC2136_NAMESERVER without the port.
...
Append the default DNS port if the nameserver specification does not
contain any.
2016-02-13 18:46:32 +01:00
Philipp Kern
b3d25a9a61
Allow to specify the TSIG algorithm for RFC2136 DNS-01 authentication.
...
Add a new environment variable RFC2136_TSIG_ALGORITHM that accepts the
TSIG algorithm pseudo-domain name. Let it default to
"hmac-md5.sig-alg.reg.int." if unset.
2016-02-13 18:46:28 +01:00
xenolf
ba64faa4e1
Merge pull request #116 from janeczku/dns-check
...
Refactor DNS check
2016-02-11 02:50:28 +01:00
Jan Broer
b594acbc2a
Validation domain may be a CNAME or delegated to another NS
2016-02-10 16:56:50 +01:00
Jan Broer
c97b5a52a1
Refactor DNS check
...
* Gets a list of all authoritative nameservers by looking up the NS RRs for the root domain (zone apex)
* Verifies that the expected TXT record exists on all nameservers before sending off the challenge to ACME server
2016-02-09 05:23:58 +01:00
xenolf
614f5ea7ce
Merge pull request #108 from xi2/http01-disable-keepalives
...
http-01 challenge: disable TCP connection reuse
2016-02-08 02:15:30 +01:00
xenolf
da953623bf
Add package comments to make the library and CLI more discoverable on godoc.org
...
Fixes #106
2016-02-08 01:59:03 +01:00
Michael Cross
9350fb4aef
http-01 challenge: disable TCP connection reuse
...
If TCP connection reuse (KeepAlives) are left on then, in a sequence
of challenges arising from a multiple-domain certficate, challenges
after the 1st can fail due to reusing the now defunct tcp connection
used in the first challenge. This has been observed when using the Go
standard library reverse proxy to forward the challenges to Lego.
Fixes #107
2016-02-07 13:40:47 +00:00
xenolf
e4978657b2
Merge pull request #102 from willglynn/aws_authentication
...
Add support for additional AWS authentication sources
2016-02-07 14:28:57 +01:00
Chris Moos
7bdc9e26f7
GetOCSPCert should fail if there are no OCSP servers in the cert.
2016-02-06 23:19:32 -07:00
Will Glynn
13e01e1751
Add support for additional AWS authentication sources
...
AWS client tools commonly support passing credentials via
`AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY`, but supporting only this is
insufficient. For example, access key IDs provided by STS require passing in
`AWS_SECURITY_TOKEN` as a third value, and EC2 instances are often provided
dynamic credentials at runtime via the EC2 metadata service.
This changeset makes `lego` attempt to find credentials in the same way that
the `aws` CLI tool attempts to find credentials. The result is even less
auth code than before because `goamz` provides all this with `aws.GetAuth()`.
2016-02-06 18:38:40 -06:00
Jehiah Czebotar
9dc7fa9d52
httpHead: return error before referencying resp.Body
2016-02-06 15:06:42 -05:00
Jan Broer
bae7428c08
Fixes issues with the Present() method of Route53 provider:
...
- InvalidTXTRDATA error when creating TXT record (closes #94 )
- Present() should poll and wait until the status of the record change becomes INSYNC (thanks @oov)
Adds a retry/timeout utility function to dns_challenge.go that may be used in other places
2016-02-04 00:34:52 +01:00
xenolf
29423c6293
Merge pull request #91 from weppos/log-with-name
...
Add missing domain name for consistency
2016-01-30 23:58:21 +01:00
xenolf
1ab8907f82
Merge pull request #90 from weppos/dnsimple-subdomain
...
Fix bugs with subdomains
2016-01-30 23:57:27 +01:00
Simone Carletti
ae7184b339
Add missing domain name for consistency
...
Before the change:
2016/01/30 00:23:37 [INFO][simonecarletti.com, foo1.simonecarletti.com, foo2.simonecarletti.com, foo3.simonecarletti.com] acme: Obtaining bundled SAN certificate
2016/01/30 00:23:38 [INFO][simonecarletti.com] acme: Could not find solver for: tls-sni-01
2016/01/30 00:23:38 [INFO] acme: Trying to solve DNS-01
2016/01/30 00:23:42 [INFO][simonecarletti.com] The server validated our request
2016/01/30 00:23:44 [INFO] acme: Trying to solve DNS-01
2016/01/30 00:23:47 [INFO][foo1.simonecarletti.com] The server validated our request
2016/01/30 00:23:49 [INFO][foo2.simonecarletti.com] acme: Could not find solver for: tls-sni-01
2016/01/30 00:23:49 [INFO][foo2.simonecarletti.com] acme: Could not find solver for: http-01
2016/01/30 00:23:49 [INFO] acme: Trying to solve DNS-01
2016/01/30 00:23:53 [INFO][foo3.simonecarletti.com] acme: Could not find solver for: http-01
2016/01/30 00:23:53 [INFO] acme: Trying to solve DNS-01
2016/01/30 00:23:56 [INFO][foo3.simonecarletti.com] The server validated our request
After the change:
2016/01/30 00:27:58 [INFO][simonecarletti.com, foo1.simonecarletti.com, foo2.simonecarletti.com, foo3.simonecarletti.com] acme: Obtaining bundled SAN certificate
2016/01/30 00:27:59 [INFO][simonecarletti.com] acme: Could not find solver for: http-01
2016/01/30 00:27:59 [INFO][simonecarletti.com] acme: Trying to solve DNS-01
2016/01/30 00:28:12 [INFO][simonecarletti.com] The server validated our request
2016/01/30 00:28:14 [INFO][foo1.simonecarletti.com] acme: Could not find solver for: http-01
2016/01/30 00:28:14 [INFO][foo1.simonecarletti.com] acme: Trying to solve DNS-01
2016/01/30 00:28:19 [INFO][foo2.simonecarletti.com] acme: Could not find solver for: http-01
2016/01/30 00:28:19 [INFO][foo2.simonecarletti.com] acme: Could not find solver for: tls-sni-01
2016/01/30 00:28:19 [INFO][foo2.simonecarletti.com] acme: Trying to solve DNS-01
2016/01/30 00:28:22 [INFO][foo1.simonecarletti.com] The server validated our request
2016-01-30 22:17:41 +01:00
Simone Carletti
2e32f171d2
DNSimpleProvider: Fix wrong record deletion
...
This is a very subtle bug. In some specific circumstances, when the
list of domains in the SAN was > 1, the library may delete the wrong
record (specifically the last one) instead of the matching one.
The issue is explained here
https://groups.google.com/forum/#!topic/golang-nuts/tlWzJUWJKgA
Here's the output from one of the various tests
➜ lego git:(dnsimple-subdomain) ✗ DNSIMPLE_DOMAIN=simone.io go test -v ./... --run "TestLiveDNSimpleCleanUp"
? github.com/xenolf/lego [no test files]
=== RUN TestLiveDNSimpleCleanUp
2016/01/30 01:10:45 Empty records:
2016/01/30 01:10:45 0
2016/01/30 01:10:46 Fetched records:
2016/01/30 01:10:46 [{5326536 41571 v=spf1 a include:_spf.google.com ~all 3600 0 TXT 2016-01-26 12:53:42.85 +0000 UTC 2016-01-26 12:53:42.85 +0000 UTC} {5026157 41571 google-site-verification=obstZAG6j2BVxYg696WxAsC46_d1-bzkv7D0qGm4K_0 3600 0 TXT 2015-10-19 11:21:03.586 +0000 UTC 2015-10-19 11:21:03.586 +0000 UTC} {5340655 41571 _acme-challenge ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-29 23:52:15.657 +0000 UTC 2016-01-29 23:52:15.657 +0000 UTC} {5340677 41571 _acme-challenge.www1 ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-30 00:03:19.89 +0000 UTC 2016-01-30 00:03:19.89 +0000 UTC}]
2016/01/30 01:10:46 Record name:
2016/01/30 01:10:46 _acme-challenge
2016/01/30 01:10:46 {5326536 41571 v=spf1 a include:_spf.google.com ~all 3600 0 TXT 2016-01-26 12:53:42.85 +0000 UTC 2016-01-26 12:53:42.85 +0000 UTC}
2016/01/30 01:10:46 {5026157 41571 google-site-verification=obstZAG6j2BVxYg696WxAsC46_d1-bzkv7D0qGm4K_0 3600 0 TXT 2015-10-19 11:21:03.586 +0000 UTC 2015-10-19 11:21:03.586 +0000 UTC}
2016/01/30 01:10:46 {5340655 41571 _acme-challenge ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-29 23:52:15.657 +0000 UTC 2016-01-29 23:52:15.657 +0000 UTC}
2016/01/30 01:10:46 Deleted>>
2016/01/30 01:10:46 {5340655 41571 _acme-challenge ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-29 23:52:15.657 +0000 UTC 2016-01-29 23:52:15.657 +0000 UTC}
2016/01/30 01:10:46 >>Deleted
2016/01/30 01:10:46 {5340677 41571 _acme-challenge.www1 ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-30 00:03:19.89 +0000 UTC 2016-01-30 00:03:19.89 +0000 UTC}
2016/01/30 01:10:46 Record to delete:
2016/01/30 01:10:46 1
2016/01/30 01:10:46 {5340677 41571 _acme-challenge.www1 ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-30 00:03:19.89 +0000 UTC 2016-01-30 00:03:19.89 +0000 UTC}
2016/01/30 01:10:46 Record to delete (foos):
2016/01/30 01:10:46 [{5340655 41571 _acme-challenge ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-29 23:52:15.657 +0000 UTC 2016-01-29 23:52:15.657 +0000 UTC}]
2016/01/30 01:10:46 Found records to delete:
2016/01/30 01:10:46 1
2016/01/30 01:10:46 [0xc8203be240]
2016/01/30 01:10:46 &{5340677 41571 _acme-challenge.www1 ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-30 00:03:19.89 +0000 UTC 2016-01-30 00:03:19.89 +0000 UTC}
--- PASS: TestLiveDNSimpleCleanUp (3.10s)
PASS
ok github.com/xenolf/lego/acme 3.121s
The record 5340655 was supposed to be deleted, but 5340677 was deleted
instead (notice how the deleted record was always the last one in the
returned record set).
And of course the validation never passed
➜ letsencrypt-dnsimple git:(master) go run main.go --user xxx --api-key "xxx" --email "xxx@gmail.com" simone.io,foo1.simone.io,foo2.simone.io,foo3.simone.io
2016/01/30 00:27:55 .data/users/xxx@gmail.com
2016/01/30 00:27:55 {xxx@gmail.com <nil> 0xc82009a300}
2016/01/30 00:27:56 [INFO] acme: Registering account for xxx@gmail.com
2016/01/30 00:27:57 &{{ 116016 {RSA xxx} [mailto:xxx@gmail.com] } https://acme-staging.api.letsencrypt.org/acme/reg/116016 https://acme-staging.api.letsencrypt.org/acme/new-authz https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf }
2016/01/30 00:27:58 [INFO][simone.io, foo1.simone.io, foo2.simone.io, foo3.simone.io] acme: Obtaining bundled SAN certificate
2016/01/30 00:27:59 [INFO][simone.io] acme: Could not find solver for: http-01
2016/01/30 00:27:59 [INFO][simone.io] acme: Trying to solve DNS-01
2016/01/30 00:28:00 simone.io
2016/01/30 00:28:00 &{0 0 _acme-challenge Uo7cIEDgw_sCgZhSOML_GU4DkKlgpB6p1Et8lxRVGLI 120 0 TXT <nil> <nil>}
2016/01/30 00:28:12 [INFO][simone.io] The server validated our request
2016/01/30 00:28:14 &{5340584 41571 _acme-challenge Uo7cIEDgw_sCgZhSOML_GU4DkKlgpB6p1Et8lxRVGLI 120 0 TXT 2016-01-29 23:28:00.828 +0000 UTC 2016-01-29 23:28:00.828 +0000 UTC}
2016/01/30 00:28:14 [INFO][foo1.simone.io] acme: Could not find solver for: http-01
2016/01/30 00:28:14 [INFO][foo1.simone.io] acme: Trying to solve DNS-01
2016/01/30 00:28:15 simone.io
2016/01/30 00:28:15 &{0 0 _acme-challenge.foo1 l_HB5ctb2M86FVcgpCaWgURVhCePNY9KIVQ0tsVH2Ew 120 0 TXT <nil> <nil>}
2016/01/30 00:28:19 &{5340585 41571 _acme-challenge.foo1 l_HB5ctb2M86FVcgpCaWgURVhCePNY9KIVQ0tsVH2Ew 120 0 TXT 2016-01-29 23:28:15.996 +0000 UTC 2016-01-29 23:28:15.996 +0000 UTC}
2016/01/30 00:28:19 [INFO][foo2.simone.io] acme: Could not find solver for: http-01
2016/01/30 00:28:19 [INFO][foo2.simone.io] acme: Could not find solver for: tls-sni-01
2016/01/30 00:28:19 [INFO][foo2.simone.io] acme: Trying to solve DNS-01
2016/01/30 00:28:20 simone.io
2016/01/30 00:28:20 &{0 0 _acme-challenge.foo2 rohi66Q0VHSEu0kR3LcGPkFEIftt47xHfeQercf8frU 120 0 TXT <nil> <nil>}
2016/01/30 00:28:22 [INFO][foo2.simone.io] The server validated our request
2016/01/30 00:28:23 &{5340586 41571 _acme-challenge.foo2 rohi66Q0VHSEu0kR3LcGPkFEIftt47xHfeQercf8frU 120 0 TXT 2016-01-29 23:28:21.051 +0000 UTC 2016-01-29 23:28:21.051 +0000 UTC}
2016/01/30 00:28:24 [INFO][foo3.simone.io] acme: Could not find solver for: tls-sni-01
2016/01/30 00:28:24 [INFO][foo3.simone.io] acme: Could not find solver for: http-01
2016/01/30 00:28:24 [INFO][foo3.simone.io] acme: Trying to solve DNS-01
2016/01/30 00:28:25 simone.io
2016/01/30 00:28:25 &{0 0 _acme-challenge.foo3 gmn1sKV_0gP3BiOT3yZQywZq95akKRGup0IJs1cqdVo 120 0 TXT <nil> <nil>}
2016/01/30 00:28:27 [INFO][foo3.simone.io] The server validated our request
2016/01/30 00:28:28 &{5340587 41571 _acme-challenge.foo3 gmn1sKV_0gP3BiOT3yZQywZq95akKRGup0IJs1cqdVo 120 0 TXT 2016-01-29 23:28:25.616 +0000 UTC 2016-01-29 23:28:25.616 +0000 UTC}
2016/01/30 00:28:28 map[foo1.simone.io:acme: Error 0 - urn:acme:error:connection - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.foo1.simone.io
Error Detail:
]
exit status 1
This is the result of the latest (successful) run:
➜ letsencrypt-dnsimple git:(master) ✗ go run main.go --user xxx --api-key "xxx" --email "xxx@gmail.com" simone.io,yy.simone.io,xx.simone.io
2016/01/30 21:34:01 .data/users/xxx@gmail.com
2016/01/30 21:34:01 {xxx@gmail.com <nil> 0xc820070480}
2016/01/30 21:34:02 [INFO] acme: Registering account for xxx@gmail.com
2016/01/30 21:34:03 &{{ 116199 {RSA xxx} [mailto:xxx@gmail.com] } https://acme-staging.api.letsencrypt.org/acme/reg/116199 https://acme-staging.api.letsencrypt.org/acme/new-authz https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf }
2016/01/30 21:34:03 [INFO][simone.io, yy.simone.io, xx.simone.io] acme: Obtaining bundled SAN certificate
2016/01/30 21:34:04 [INFO][simone.io] acme: Could not find solver for: tls-sni-01
2016/01/30 21:34:04 [INFO][simone.io] acme: Could not find solver for: http-01
2016/01/30 21:34:04 [INFO][simone.io] acme: Trying to solve DNS-01
2016/01/30 21:34:13 [INFO][simone.io] The server validated our request
2016/01/30 21:34:14 Searching for
2016/01/30 21:34:14 simone.io
2016/01/30 21:34:15 To delete:
2016/01/30 21:34:15 {5341831 41571 _acme-challenge TX8-77TN9XHZHO510Yw20u1j89UhdgGXcwScKZHRGNY 120 0 TXT 2016-01-30 20:34:05.859 +0000 UTC 2016-01-30 20:34:05.859 +0000 UTC}
2016/01/30 21:34:15 Will delete:
2016/01/30 21:34:15 [{5341831 41571 _acme-challenge TX8-77TN9XHZHO510Yw20u1j89UhdgGXcwScKZHRGNY 120 0 TXT 2016-01-30 20:34:05.859 +0000 UTC 2016-01-30 20:34:05.859 +0000 UTC}]
2016/01/30 21:34:15 [INFO][yy.simone.io] acme: Could not find solver for: http-01
2016/01/30 21:34:15 [INFO][yy.simone.io] acme: Could not find solver for: tls-sni-01
2016/01/30 21:34:15 [INFO][yy.simone.io] acme: Trying to solve DNS-01
2016/01/30 21:34:18 [INFO][yy.simone.io] The server validated our request
2016/01/30 21:34:19 Searching for
2016/01/30 21:34:19 yy.simone.io
2016/01/30 21:34:19 To delete:
2016/01/30 21:34:19 {5341832 41571 _acme-challenge.yy pHolYM_OqxCThmL3nBA91qRCI6-oEIMG0YOJj3R1Xww 120 0 TXT 2016-01-30 20:34:17.176 +0000 UTC 2016-01-30 20:34:17.176 +0000 UTC}
2016/01/30 21:34:19 Will delete:
2016/01/30 21:34:19 [{5341832 41571 _acme-challenge.yy pHolYM_OqxCThmL3nBA91qRCI6-oEIMG0YOJj3R1Xww 120 0 TXT 2016-01-30 20:34:17.176 +0000 UTC 2016-01-30 20:34:17.176 +0000 UTC}]
2016/01/30 21:34:20 [INFO][xx.simone.io] acme: Could not find solver for: tls-sni-01
2016/01/30 21:34:20 [INFO][xx.simone.io] acme: Trying to solve DNS-01
2016/01/30 21:34:23 [INFO][xx.simone.io] The server validated our request
2016/01/30 21:34:23 Searching for
2016/01/30 21:34:23 xx.simone.io
2016/01/30 21:34:24 To delete:
2016/01/30 21:34:24 {5341833 41571 _acme-challenge.xx LEr6l7KJCr6e7LlqyQgAbZbKCRmLFa5zNC8kNHK1FtQ 120 0 TXT 2016-01-30 20:34:21.793 +0000 UTC 2016-01-30 20:34:21.793 +0000 UTC}
2016/01/30 21:34:24 Will delete:
2016/01/30 21:34:24 [{5341833 41571 _acme-challenge.xx LEr6l7KJCr6e7LlqyQgAbZbKCRmLFa5zNC8kNHK1FtQ 120 0 TXT 2016-01-30 20:34:21.793 +0000 UTC 2016-01-30 20:34:21.793 +0000 UTC}]
2016/01/30 21:34:25 [INFO][simone.io, yy.simone.io, xx.simone.io] acme: Validations succeeded; requesting certificates
2016/01/30 21:34:26 [INFO] acme: Requesting issuer cert from https://acme-staging.api.letsencrypt.org/acme/issuer-cert
2016/01/30 21:34:26 [INFO][simone.io] Server responded with a certificate.
[INFO][https://acme-staging.api.letsencrypt.org/acme/cert/fae971fcb1ce12 c4d3bb95a1f577786cccfe] Certificate simone.io, yy.simone.io, xx.simone.io2016/01/30 21:34:26 145 <nil>
2016/01/30 21:34:26 .data/certs/1454186041
2016/01/30 21:34:26 completed!
2016-01-30 22:14:29 +01:00
Den Quixote
0e53e51ba5
dns_challenge preCheckDNS: let system resolver decide IPv4 ./. IPv6.
...
We can ask the OS resolver for the IP of Google's public anycast DNS.
No need to "bootstrap" with literal IP address. The OS resolver knows
best about IPv4 ./. IPv6.
Mostly fixes #88 .
2016-01-30 19:39:10 +01:00
Simone Carletti
753f9ca798
DNSimpleProvider: Fix bug with subdomains
...
When requesting a certificate for a subdomain, the DNS record was
attached to the domain instead.
E.g.
Requested:
ww1.example.com
Created:
_acme-challenge.example.com
instead of
_acme-challenge.ww1.example.com
2016-01-30 00:03:50 +01:00
Simone Carletti
adc8afbb89
Update the path to the go lib
2016-01-29 23:47:56 +01:00
xenolf
815d8bba0c
Merge pull request #84 from weppos/dnsimple
...
Add DNSimple DNS support
2016-01-29 23:06:42 +01:00
xenolf
54e272aaa3
Fix regression in Renew with SAN.
...
re-apply 5930ea52f0
Fixes #87
2016-01-29 14:10:57 +01:00
Matthew Holt
cf4ca2a89d
Use http.DefaultClient
...
The Go docs recommend this.
2016-01-27 20:43:51 -07:00
Matthew Holt
b42b256d5c
Add DigitalOcean DNS provider
...
Also a few vet/lint fixes and improved some error messages
2016-01-26 17:57:55 -07:00
Simone Carletti
d70e2869d2
Move toFqdn and unFqdn into a shared place (see GH-84)
2016-01-26 16:37:50 +01:00
Simone Carletti
08516614dd
DNSimpleProvider: implement Present/CleanUp
2016-01-26 15:09:33 +01:00
Simone Carletti
6a3297e36f
DNSimpleProvider: fetch credentials from env
...
I also had to rename the `envAuth()` in the Cloudflare implementation
to avoid the "redeclared" error
acme/dns_challenge_dnsimple.go:41: envAuth redeclared in this block
previous declaration at acme/dns_challenge_cloudflare.go:154
2016-01-26 13:13:40 +01:00
Simone Carletti
bcfce0809a
DNSimpleProvider: Check valid credentials
2016-01-26 12:25:51 +01:00
Simone Carletti
3f4b078329
Basic DNSimple implementation for DNSProvider
2016-01-26 12:14:10 +01:00
xenolf
50031525c9
Fix DNS-01 challenge resource property
2016-01-25 00:32:47 +01:00
xenolf
08cd016ed3
Switch DNS-01 challenge over to central validation function
2016-01-25 00:23:21 +01:00
Jehiah Czebotar
617dd4d37c
Refactor challenge providers to new ChallengeProvider interface
...
* new ChallengeProvider with Present and CleanUp methods
* new Challenge type describing `http-01`, `tls-sni-01`, `dns-01`
* new client.SetChallengeProvider to support custom implementations
2016-01-24 16:10:50 -05:00
Matthew Holt
1ceed018fd
Tweak comment
2016-01-22 13:39:32 -07:00
Jan Broer
323bb88640
Fetch remaining zones when response is truncated.
...
Route53 API won’t return more than 100 zones per request.
2016-01-22 18:50:18 +01:00