Add explicit calls to disable authz on errors

This commit is contained in:
Unknown 2017-04-27 01:46:52 +02:00
parent 1293a4a35b
commit f3fc555a98
2 changed files with 22 additions and 0 deletions

View file

@ -330,6 +330,10 @@ DNSNames:
challenges, failures := c.getChallenges(domains) challenges, failures := c.getChallenges(domains)
// If any challenge fails - return. Do not generate partial SAN certificates. // If any challenge fails - return. Do not generate partial SAN certificates.
if len(failures) > 0 { if len(failures) > 0 {
for _, auth := range challenges {
c.disableAuthz(auth)
}
return CertificateResource{}, failures return CertificateResource{}, failures
} }
@ -373,6 +377,10 @@ func (c *Client) ObtainCertificate(domains []string, bundle bool, privKey crypto
challenges, failures := c.getChallenges(domains) challenges, failures := c.getChallenges(domains)
// If any challenge fails - return. Do not generate partial SAN certificates. // If any challenge fails - return. Do not generate partial SAN certificates.
if len(failures) > 0 { if len(failures) > 0 {
for _, auth := range challenges {
c.disableAuthz(auth)
}
return CertificateResource{}, failures return CertificateResource{}, failures
} }
@ -493,10 +501,12 @@ func (c *Client) solveChallenges(challenges []authorizationResource) map[string]
// TODO: do not immediately fail if one domain fails to validate. // TODO: do not immediately fail if one domain fails to validate.
err := solver.Solve(authz.Body.Challenges[i], authz.Domain) err := solver.Solve(authz.Body.Challenges[i], authz.Domain)
if err != nil { if err != nil {
c.disableAuthz(authz)
failures[authz.Domain] = err failures[authz.Domain] = err
} }
} }
} else { } else {
c.disableAuthz(authz)
failures[authz.Domain] = fmt.Errorf("[%s] acme: Could not determine solvers", authz.Domain) failures[authz.Domain] = fmt.Errorf("[%s] acme: Could not determine solvers", authz.Domain)
} }
} }
@ -586,6 +596,13 @@ func logAuthz(authz []authorizationResource) {
} }
} }
// cleanAuthz loops through the passed in slice and disables any auths which are not "valid"
func (c *Client) disableAuthz(auth authorizationResource) error {
var disabledAuth authorization
_, err := postJSON(c.jws, auth.AuthURL, deactivateAuthMessage{Resource: "authz", Status: "deactivated"}, &disabledAuth)
return err
}
func (c *Client) requestCertificate(authz []authorizationResource, bundle bool, privKey crypto.PrivateKey, mustStaple bool) (CertificateResource, error) { func (c *Client) requestCertificate(authz []authorizationResource, bundle bool, privKey crypto.PrivateKey, mustStaple bool) (CertificateResource, error) {
if len(authz) == 0 { if len(authz) == 0 {
return CertificateResource{}, errors.New("Passed no authorizations to requestCertificate!") return CertificateResource{}, errors.New("Passed no authorizations to requestCertificate!")

View file

@ -93,6 +93,11 @@ type revokeCertMessage struct {
Certificate string `json:"certificate"` Certificate string `json:"certificate"`
} }
type deactivateAuthMessage struct {
Resource string `json:"resource,omitempty"`
Status string `jsom:"status"`
}
// CertificateResource represents a CA issued certificate. // CertificateResource represents a CA issued certificate.
// PrivateKey, Certificate and IssuerCertificate are all // PrivateKey, Certificate and IssuerCertificate are all
// already PEM encoded and can be directly written to disk. // already PEM encoded and can be directly written to disk.