Add explicit calls to disable authz on errors
parent
1293a4a35b
commit
f3fc555a98
2 changed files with 22 additions and 0 deletions
|
@ -330,6 +330,10 @@ DNSNames:
|
||||||
challenges, failures := c.getChallenges(domains)
|
challenges, failures := c.getChallenges(domains)
|
||||||
// If any challenge fails - return. Do not generate partial SAN certificates.
|
// If any challenge fails - return. Do not generate partial SAN certificates.
|
||||||
if len(failures) > 0 {
|
if len(failures) > 0 {
|
||||||
|
for _, auth := range challenges {
|
||||||
|
c.disableAuthz(auth)
|
||||||
|
}
|
||||||
|
|
||||||
return CertificateResource{}, failures
|
return CertificateResource{}, failures
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -373,6 +377,10 @@ func (c *Client) ObtainCertificate(domains []string, bundle bool, privKey crypto
|
||||||
challenges, failures := c.getChallenges(domains)
|
challenges, failures := c.getChallenges(domains)
|
||||||
// If any challenge fails - return. Do not generate partial SAN certificates.
|
// If any challenge fails - return. Do not generate partial SAN certificates.
|
||||||
if len(failures) > 0 {
|
if len(failures) > 0 {
|
||||||
|
for _, auth := range challenges {
|
||||||
|
c.disableAuthz(auth)
|
||||||
|
}
|
||||||
|
|
||||||
return CertificateResource{}, failures
|
return CertificateResource{}, failures
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -493,10 +501,12 @@ func (c *Client) solveChallenges(challenges []authorizationResource) map[string]
|
||||||
// TODO: do not immediately fail if one domain fails to validate.
|
// TODO: do not immediately fail if one domain fails to validate.
|
||||||
err := solver.Solve(authz.Body.Challenges[i], authz.Domain)
|
err := solver.Solve(authz.Body.Challenges[i], authz.Domain)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
c.disableAuthz(authz)
|
||||||
failures[authz.Domain] = err
|
failures[authz.Domain] = err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
c.disableAuthz(authz)
|
||||||
failures[authz.Domain] = fmt.Errorf("[%s] acme: Could not determine solvers", authz.Domain)
|
failures[authz.Domain] = fmt.Errorf("[%s] acme: Could not determine solvers", authz.Domain)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -586,6 +596,13 @@ func logAuthz(authz []authorizationResource) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// cleanAuthz loops through the passed in slice and disables any auths which are not "valid"
|
||||||
|
func (c *Client) disableAuthz(auth authorizationResource) error {
|
||||||
|
var disabledAuth authorization
|
||||||
|
_, err := postJSON(c.jws, auth.AuthURL, deactivateAuthMessage{Resource: "authz", Status: "deactivated"}, &disabledAuth)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
func (c *Client) requestCertificate(authz []authorizationResource, bundle bool, privKey crypto.PrivateKey, mustStaple bool) (CertificateResource, error) {
|
func (c *Client) requestCertificate(authz []authorizationResource, bundle bool, privKey crypto.PrivateKey, mustStaple bool) (CertificateResource, error) {
|
||||||
if len(authz) == 0 {
|
if len(authz) == 0 {
|
||||||
return CertificateResource{}, errors.New("Passed no authorizations to requestCertificate!")
|
return CertificateResource{}, errors.New("Passed no authorizations to requestCertificate!")
|
||||||
|
|
|
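Review bot: The error returned by `c.disableAuthz` is dropped at all three new call sites (the two `for _, auth := range challenges` loops in the first two hunks and both `c.disableAuthz(authz)` lines in solveChallenges), so a deactivation that the server rejects leaves a pending or valid authorization behind with nothing recorded. Treating cleanup as best-effort is reasonable here, but it should be visible: `if err := c.disableAuthz(auth); err != nil { ... }` with the failure written through whatever logging helper this file already uses, or at minimum `_ = c.disableAuthz(auth)` with a comment saying why the result is intentionally ignored. The doc comment on the new function also describes a different function: it says "cleanAuthz loops through the passed in slice", while the code is `disableAuthz` and takes a single `authorizationResource`; suggested wording is `// disableAuthz deactivates the given authorization by POSTing status "deactivated" to its AuthURL; the decoded response is discarded.` The enclosing functions for the first three hunks start before their hunks, and requestCertificate continues past the last one.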
@ -93,6 +93,11 @@ type revokeCertMessage struct {
|
||||||
Certificate string `json:"certificate"`
|
Certificate string `json:"certificate"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type deactivateAuthMessage struct {
|
||||||
|
Resource string `json:"resource,omitempty"`
|
||||||
|
Status string `jsom:"status"`
|
||||||
|
}
|
||||||
|
|
||||||
// CertificateResource represents a CA issued certificate.
|
// CertificateResource represents a CA issued certificate.
|
||||||
// PrivateKey, Certificate and IssuerCertificate are all
|
// PrivateKey, Certificate and IssuerCertificate are all
|
||||||
// already PEM encoded and can be directly written to disk.
|
// already PEM encoded and can be directly written to disk.
|
||||||
|
|
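Review bot: The struct tag on the new `Status` field reads `jsom:"status"`, not `json:"status"`, so encoding/json ignores it and emits the field under its Go name `Status`; the deactivation body that `disableAuthz` posts with `Status: "deactivated"` would then not carry a lowercase `status` key, which presumably is what the server keys on. The fix is the one-character change `Status string `json:"status"``. `go vet`'s structtag check flags exactly this kind of misspelled key, so it is worth running on this package.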