The current implementation of the DNS challenge does not allow
to set multiple TXT records at once.
As PowerDNS has the concept of record sets, and so all records
for the same type and name must set during one call, we would override
existing records.
To avoid this, we merge the new TXT record with existing ones
After removing the challenge record from OVH, the zone itself
does not get refreshed and leaving the obsolete record in place.
Calling '/domain/zone/ZONE/refresh' after deleting the record will
apply the changes to the zone.
Added the option to provide the gcloud service account as a string via the environment variable `GCE_SERVICE_ACCOUNT` in addition to the already available option to specify a filepath to a keyfile `GCE_SERVICE_ACCOUNT_FILE`.
- Packages
- Isolate code used by the CLI into the package `cmd`
- (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv)
- Support non-ascii domain name (punnycode)
- Check all challenges in a predictable order
- No more global exported variables
- Archive revoked certificates
- Fixes revocation for subdomains and non-ascii domains
- Disable pending authorizations
- use pointer for RemoteError/ProblemDetails
- Poll authz URL instead of challenge URL
- The ability for a DNS provider to solve the challenge sequentially
- Check all nameservers in a predictable order
- Option to disable the complete propagation Requirement
- CLI, support for renew with CSR
- CLI, add SAN on renew
- Add command to list certificates.
- Logs every iteration of waiting for the propagation
- update DNSimple client
- update github.com/miekg/dns
This commit adds a new DNS provider for
[acme-dns](https://github.com/joohoi/acme-dns) to allow Lego to set
DNS-01 challenge response TXT with an ACME-DNS server automatically.
ACME-DNS allows ceding minimal zone editing permissions to the ACME
client and can be useful when the primary DNS provider for the zone does
not allow scripting/API access but can set a CNAME to an ACME-DNS
server.
Lower level ACME-DNS API calls & account loading/storing is handled by
the `github.com/cpu/goacmedns` library.
The provider loads existing ACME-DNS accounts from the specified JSON
file on disk. Any accounts the provider registers on behalf of the user
will also be saved to this JSON file.
When required, the provider handles registering accounts with the
ACME-DNS server domains that do not already have an ACME-DNS account.
This will halt issuance with an error prompting the user to set the
one-time manual CNAME required to delegate the DNS-01 challenge record
to the ACME-DNS server. Subsequent runs will use the account from disk
and assume the CNAME is in-place.
* refactor: create log.Infof and log.Warnf
* refactor: review DNS providers.
- use one `http.Client` by provider instead of one client by request
- use the same receiver name `d` for all `DNSProvider`
- use `http.MethodXXX`
* refactor: logger init.
This adds a function NewDNSProviderProgram() to the exec provider that allows to set the program to run directly instead of via the environment variable. This is similar to how other providers allow to set their credentials.
This commit fixes the naming inconsistency of Google Cloud DNS being
named `googlecloud` in the source and `gcloud` in the user interface.
Furthermore, improving my previous commit, I realized that the project ID
is stored in the service account file. We can save one environment variable
when using service account file (e.g. in automation applications).
* Adding output of which envvars are missing in Cloudflare dns provider
* go fmt, duh
* Fixing & adding test(s)
* Adding azure missing env vars checking
* Fixing test
* Doh, fixing up expected output
* Add dns provider duckdns see http://www.duckdns.org/spec.jsp for more info
* Add DNS challenge provider 'exec' (#508)
As discussed in #505, this commits adds a very simple DNS provider which
calls out to an external program which must then add or remove the DNS
record.
* Update duckdns to support caddy, and cleanup some comments
As discussed in #505, this commits adds a very simple DNS provider which
calls out to an external program which must then add or remove the DNS
record.
If Dyn responds with a 3xx or 4xx status code, information describing exactly
what went wrong is generally included in the body of the response (as part of
the typical Dyn JSON response). On the other hand, if Dyn responds with a 5xx
status code, we very likely have extremely limited information.
This commit modifies the reporting to display the explanatory messages included
in the body of the Dyn response for 3xx and 4xx status codes. The intent is to
make it much easier to determine what might be going wrong (when something is
going wrong).
* Add otc provider.
* Added tests for provider otc.
* Format dns_providers
* fix getZoneId
* Add for tests for provider otc.
* Add proxy to transport in otc provider.
* Use DefaultTransport in otc provider.
* Make loginRequest private in provider otc.
* better error handling in provider otc.
* add more tests for provider otc.
* dns/route53: Allow specifying hosted zone ID
This commit adds support for specifying hosted zone ID via the
environment variable AWS_HOSTED_ZONE_ID. If this is not specified, the
previous discovery process is used.
This is useful in environments where multiple hosted zones for the same
domain name are present in an account.
* dns/route53: Fix up getHostedZoneID method params
Now that getHostedZoneID is a method on the DNSProvider struct, there is
no reason for it to take the Route53 client as a parameter - we can
simply use the reference stored in the struct.
When record already exists in gcloud we can't add a new record without removing the other one first. This is a simple fix that doesn't attempt to create multiple entries for the record but just removes the previous data.
fixes#218
Introduces a new command line switch `--must-staple` to `run` and `renew`.
Using this switch will add the must staple TLS extension to the CSR generated by lego and thus also to the generated certificate.
This does not work with user specified CSRs!
Fixes#270
* Add NS1 DNS provider.
Integrates Lego with NS1 using their rest API.
It uses NS1's official Go package as client:
https://github.com/ns1/ns1-go
Signed-off-by: David Calavera <david.calavera@gmail.com>
* Add NS1 to the cli handlers.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Fixes#257
Previously the google cloud provider assumed the domain being provided
was also the authoritative zone. This fix uses an acme function to
recursively lookup the authoritative zone for a provided domain.
While more than likely never to come up in a real-world situation,
during renewal integration testing a value of 120 seconds has
proven to be too high (the old challenge record has not expired
by the time the new one is created).
Dyn provider was using incorrect zone in Present and Cleanup functions.
This uses FindZoneByFqdn() to find the correct zone for use in the
subsequent API calls.
Route 53 allows multiple zones with the same name to co-exist in an
account. The most common use case for this is a split-view DNS with one
private and one public zone for the same domain name. This patch makes
sure we don’t ever provision the authorization record to the private
zone.
The other case where a user has multiple public zones with the same
name is not covered here since this would require a bigger change in
code in order to determine which of the zones is active from the
viewpoint of the internet. Also this is probably an edge use case that
can be addressed once it comes up in the issues.
Added a slice of NS to be used when retrying queries. Also used with FindZoneByFqdn()
Adjusted 2 error messages given to better differentiate the returned error string
Fully backwards compatible in terms of credential mechanisms
(environment variables, shared credentials file, EC2 metadata). If a
custom AWS IAM policy is in use it needs to be updated with permissions
for the route53:ListHostedZonesByName action.
Different DNS providers were handling credentials in different ways.
Some were reading credential environment variables in cli_handlers.go
and then passing them into the NewDNSProvider function, while others
were reading the environment variables within their NewDNSProvider
functions.
This change replaces each DNS challenge's NewDNSProvider function with
two new functions: (1) a NewDNSProvider function that takes no
parameters and uses the environment to read credentials, and (2) a
NewDNSProviderCredentials that takes credentials as parameters.
Use GCE_PROJECT to designate your GCE project.
Authentication is automatically picked up from gcloud credentials if
running locally and from GCE metadata if run within Google Cloud.
Requires at least permission scope
"https://www.googleapis.com/auth/ndev.clouddns.readwrite"