From 738e40f446725ae70a458c47850588c96192022a Mon Sep 17 00:00:00 2001
From: Ludovic Fernandez
Date: Tue, 5 Nov 2019 12:58:13 +0100
Subject: [PATCH] fix: use token as unique ID. (#1003)
---
 e2e/challenges_test.go | 7 ++++-
 e2e/dnschallenge/dns_challenges_test.go | 6 +++-
 providers/dns/auroradns/auroradns.go | 6 ++--
 providers/dns/cloudflare/cloudflare.go | 31 ++++++++++++-------
 providers/dns/digitalocean/digitalocean.go | 6 ++--
 .../dns/digitalocean/digitalocean_test.go | 4 +--
 providers/dns/ovh/ovh.go | 6 ++--
 7 files changed, 42 insertions(+), 24 deletions(-)
diff --git a/e2e/challenges_test.go b/e2e/challenges_test.go
index aded1c3f..a37a0689 100644
--- a/e2e/challenges_test.go
+++ b/e2e/challenges_test.go
@@ -32,6 +32,7 @@ var load = loader.EnvLoader{
 }
 func TestMain(m *testing.M) {
+ os.Setenv("LEGO_E2E_TESTS", "LEGO_E2E_TESTS")
 os.Exit(load.MainTest(m))
 }
@@ -258,10 +259,14 @@ func TestChallengeTLS_Client_Obtain(t *testing.T) {
 require.NoError(t, err)
 user.registration = reg
+ // https://github.com/letsencrypt/pebble/issues/285
+ privateKeyCSR, err := rsa.GenerateKey(rand.Reader, 2048)
+ require.NoError(t, err, "Could not generate test key")
+
 request := certificate.ObtainRequest{
 Domains: []string{"acme.wtf"},
 Bundle: true,
- PrivateKey: privateKey,
+ PrivateKey: privateKeyCSR,
 }
 resource, err := client.Certificate.Obtain(request)
 require.NoError(t, err)
diff --git a/e2e/dnschallenge/dns_challenges_test.go b/e2e/dnschallenge/dns_challenges_test.go
index c745a2a4..dbcecf31 100644
--- a/e2e/dnschallenge/dns_challenges_test.go
+++ b/e2e/dnschallenge/dns_challenges_test.go
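Review bot: The added `os.Setenv("LEGO_E2E_TESTS", "LEGO_E2E_TESTS")` in TestMain neither checks the returned error nor says what reads the variable, and using the name as the value suggests only its presence matters, which a reader cannot confirm from this hunk. A one-line comment above it would settle that, e.g. `// LEGO_E2E_TESTS marks this process as an e2e run for the code that checks for it; only its presence matters` (confirm against the consumer, which is outside this diff). Since a failed Setenv would silently change which code path the tests exercise, the error is worth treating as fatal rather than discarding.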
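Review bot: The new `privateKeyCSR` block is explained only by a bare issue URL, so a reader has to leave the code to learn why a second key is generated here instead of reusing `privateKey`; the identical block appears in the dns_challenges_test.go hunk that follows. Presumably the certificate key must differ from the ACME account key (what the linked Pebble issue appears to be about), and a comment saying so keeps the test self-explaining, e.g. `// Pebble rejects a CSR whose key is the account key (pebble#285), so obtain the certificate with a separate key.` `rsa` and `rand` are not added to the import block in this patch, so they must already be in scope in both files; worth a glance. The enclosing TestChallengeTLS_Client_Obtain starts and ends outside the hunk.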
@@ -103,10 +103,14 @@ func TestChallengeDNS_Client_Obtain(t *testing.T) {
 domains := []string{"*.légo.acme", "légo.acme"}
+ // https://github.com/letsencrypt/pebble/issues/285
+ privateKeyCSR, err := rsa.GenerateKey(rand.Reader, 2048)
+ require.NoError(t, err, "Could not generate test key")
+
 request := certificate.ObtainRequest{
 Domains: domains,
 Bundle: true,
- PrivateKey: privateKey,
+ PrivateKey: privateKeyCSR,
 }
 resource, err := client.Certificate.Obtain(request)
 require.NoError(t, err)
diff --git a/providers/dns/auroradns/auroradns.go b/providers/dns/auroradns/auroradns.go
index 9d40a14e..c12c09a7 100644
--- a/providers/dns/auroradns/auroradns.go
+++ b/providers/dns/auroradns/auroradns.go
@@ -127,7 +127,7 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 }
 d.recordIDsMu.Lock()
- d.recordIDs[fqdn] = newRecord.ID
+ d.recordIDs[token] = newRecord.ID
 d.recordIDsMu.Unlock()
 return nil
@@ -138,7 +138,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 fqdn, _ := dns01.GetRecord(domain, keyAuth)
 d.recordIDsMu.Lock()
- recordID, ok := d.recordIDs[fqdn]
+ recordID, ok := d.recordIDs[token]
 d.recordIDsMu.Unlock()
 if !ok {
@@ -163,7 +163,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 }
 d.recordIDsMu.Lock()
- delete(d.recordIDs, fqdn)
+ delete(d.recordIDs, token)
 d.recordIDsMu.Unlock()
 return nil
diff --git a/providers/dns/cloudflare/cloudflare.go b/providers/dns/cloudflare/cloudflare.go
index 8cc75b84..7c94c7b8 100644
--- a/providers/dns/cloudflare/cloudflare.go
+++ b/providers/dns/cloudflare/cloudflare.go
@@ -5,6 +5,7 @@ import (
 "errors"
 "fmt"
 "net/http"
+ "sync"
 "time"
 cloudflare "github.com/cloudflare/cloudflare-go"
@@ -47,6 +48,9 @@ func NewDefaultConfig() *Config {
 type DNSProvider struct {
 client *metaClient
 config *Config
+
+ recordIDs map[string]string
+ recordIDsMu sync.Mutex
 }
 // NewDNSProvider returns a DNSProvider instance configured for Cloudflare.
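Review bot: The new `recordIDs` field on the Cloudflare DNSProvider is declared here but nowhere in this patch initialized with `make`, and the Present hunk further down (`@@ -140,6 +144,10 @@`) writes `d.recordIDs[token] = response.Result.ID`, which panics on a nil map; unless the constructor, outside these hunks, already assigns it (nothing in the diffstat's 20 insertions to this file does), every Cloudflare challenge would crash at that line. The DNSProvider literal in NewDNSProviderConfig should gain `recordIDs: make(map[string]string),`. The two fields also deserve a comment matching the other providers' intent, e.g. `// recordIDs maps a challenge token to the ID of the TXT record Present created, so CleanUp removes exactly that record; guarded by recordIDsMu.`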
@@ -140,6 +144,10 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 return fmt.Errorf("cloudflare: failed to create TXT record: %+v %+v", response.Errors, response.Messages)
 }
+ d.recordIDsMu.Lock()
+ d.recordIDs[token] = response.Result.ID
+ d.recordIDsMu.Unlock()
+
 log.Infof("cloudflare: new record for %s, ID %s", domain, response.Result.ID)
 return nil
@@ -159,22 +167,23 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 return fmt.Errorf("cloudflare: failed to find zone %s: %v", authZone, err)
 }
- dnsRecord := cloudflare.DNSRecord{
- Type: "TXT",
- Name: dns01.UnFqdn(fqdn),
+ // get the record's unique ID from when we created it
+ d.recordIDsMu.Lock()
+ recordID, ok := d.recordIDs[token]
+ d.recordIDsMu.Unlock()
+ if !ok {
+ return fmt.Errorf("cloudflare: unknown record ID for '%s'", fqdn)
 }
- records, err := d.client.DNSRecords(zoneID, dnsRecord)
+ err = d.client.DeleteDNSRecord(zoneID, recordID)
 if err != nil {
- return fmt.Errorf("cloudflare: failed to find TXT records: %v", err)
+ log.Printf("cloudflare: failed to delete TXT record: %v", err)
 }
- for _, record := range records {
- err = d.client.DeleteDNSRecord(zoneID, record.ID)
- if err != nil {
- log.Printf("cloudflare: failed to delete TXT record: %v", err)
- }
- }
+ // Delete record ID from map
+ d.recordIDsMu.Lock()
+ delete(d.recordIDs, token)
+ d.recordIDsMu.Unlock()
 return nil
 }
diff --git a/providers/dns/digitalocean/digitalocean.go b/providers/dns/digitalocean/digitalocean.go
index 27744041..e638ed0a 100644
--- a/providers/dns/digitalocean/digitalocean.go
+++ b/providers/dns/digitalocean/digitalocean.go
@@ -94,7 +94,7 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 }
 d.recordIDsMu.Lock()
- d.recordIDs[token] = respData.DomainRecord.ID
+ d.recordIDs[token] = respData.DomainRecord.ID
 d.recordIDsMu.Unlock()
 return nil
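Review bot: In the rewritten Cloudflare CleanUp a failed `DeleteDNSRecord` is only logged, after which the token's entry is dropped from the map and `nil` is returned, so the caller believes cleanup succeeded while the `_acme-challenge` TXT record stays behind; and unlike the removed name-based `DNSRecords` lookup, lego itself can no longer find that record, because its ID only ever lived in this process's map. Report the failure instead: `if err := d.client.DeleteDNSRecord(zoneID, recordID); err != nil { return fmt.Errorf("cloudflare: failed to delete TXT record %s: %v", recordID, err) }`, with the map deletion deferred right after the successful lookup so it runs on both paths. The `!ok` error names only `fqdn`, which two in-flight challenges (a wildcard and its apex) share by design after this change; including the token would identify the challenge, and the same applies to the digitalocean and ovh CleanUp hunks. The enclosing CleanUp begins outside the hunk.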
@@ -111,7 +111,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 // get the record's unique ID from when we created it
 d.recordIDsMu.Lock()
- recordID, ok := d.recordIDs[fqdn]
+ recordID, ok := d.recordIDs[token]
 d.recordIDsMu.Unlock()
 if !ok {
 return fmt.Errorf("digitalocean: unknown record ID for '%s'", fqdn)
@@ -124,7 +124,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 // Delete record ID from map
 d.recordIDsMu.Lock()
- delete(d.recordIDs, fqdn)
+ delete(d.recordIDs, token)
 d.recordIDsMu.Unlock()
 return nil
diff --git a/providers/dns/digitalocean/digitalocean_test.go b/providers/dns/digitalocean/digitalocean_test.go
index e7379881..0342a535 100644
--- a/providers/dns/digitalocean/digitalocean_test.go
+++ b/providers/dns/digitalocean/digitalocean_test.go
@@ -163,9 +163,9 @@ func TestDNSProvider_CleanUp(t *testing.T) {
 })
 provider.recordIDsMu.Lock()
- provider.recordIDs["_acme-challenge.example.com."] = 1234567
+ provider.recordIDs["token"] = 1234567
 provider.recordIDsMu.Unlock()
- err := provider.CleanUp("example.com", "", "")
+ err := provider.CleanUp("example.com", "token", "")
 require.NoError(t, err, "fail to remove TXT record")
 }
diff --git a/providers/dns/ovh/ovh.go b/providers/dns/ovh/ovh.go
index de08fe47..87074601 100644
--- a/providers/dns/ovh/ovh.go
+++ b/providers/dns/ovh/ovh.go
@@ -141,7 +141,7 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 }
 d.recordIDsMu.Lock()
- d.recordIDs[fqdn] = respData.ID
+ d.recordIDs[token] = respData.ID
 d.recordIDsMu.Unlock()
 return nil
@@ -153,7 +153,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 // get the record's unique ID from when we created it
 d.recordIDsMu.Lock()
- recordID, ok := d.recordIDs[fqdn]
+ recordID, ok := d.recordIDs[token]
 d.recordIDsMu.Unlock()
 if !ok {
 return fmt.Errorf("ovh: unknown record ID for '%s'", fqdn)
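Review bot: TestDNSProvider_CleanUp now seeds `provider.recordIDs["token"]` and passes the same token, but no test covers the case this commit exists for, two challenges whose FQDN coincides (a wildcard and its apex, as the e2e hunk's `"*.légo.acme", "légo.acme"` shows) each keeping their own record ID, nor the `!ok` branch that returns `unknown record ID`. A case that calls Present twice with different tokens for the same domain and asserts two distinct map entries, and one that calls CleanUp with an unseeded token and expects an error, would pin the new keying. The cloudflare provider, whose CleanUp is rewritten in this patch, gets no test change at all per the diffstat.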
@@ -182,7 +182,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 // Delete record ID from map
 d.recordIDsMu.Lock()
- delete(d.recordIDs, fqdn)
+ delete(d.recordIDs, token)
 d.recordIDsMu.Unlock()
 return nil