Commit graph

371 commits

Author SHA1 Message Date
Fernandez Ludovic
eb2440e3ff detach v2.0 2019-01-09 19:02:36 +01:00
Fernandez Ludovic
9b4afbb998 Prepare release v2.0 2019-01-09 19:02:36 +01:00
Ludovic Fernandez
b05b54d1f6
Release helper (#728) 2018-12-11 01:14:49 +01:00
Ludovic Fernandez
42941ccea6
Refactor the core of the lib (#700)
- Packages
- Isolate code used by the CLI into the package `cmd`
- (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) 
- Support non-ascii domain name (punnycode)
- Check all challenges in a predictable order
- No more global exported variables
- Archive revoked certificates
- Fixes revocation for subdomains and non-ascii domains
- Disable pending authorizations
- use pointer for RemoteError/ProblemDetails
- Poll authz URL instead of challenge URL
- The ability for a DNS provider to solve the challenge sequentially
- Check all nameservers in a predictable order
- Option to disable the complete propagation Requirement
- CLI, support for renew with CSR
- CLI, add SAN on renew
- Add command to list certificates.
- Logs every iteration of waiting for the propagation
- update DNSimple client
- update github.com/miekg/dns
2018-12-06 22:50:17 +01:00
Jacob Hoffman-Andrews
a5f0a3ff80 Add version to xenolf-acme in User-Agent. (#719)
Also, remove "Go-http-client/1.1". In practice this added detail doesn't
wind up being useful in diagnosing problems, particularly since it can
be deduced from the xenolf-acme version.

* add UA comments.
2018-11-15 23:02:34 +01:00
Ludovic Fernandez
4f36f4354b
Support POST-as-GET. (#695) 2018-11-04 01:51:53 +01:00
Daniel McCarney
2b0aa0aadf TLS-ALPN-01: Update idPeAcmeIdentifierV1, draft refs. (#690)
The latest versions of draft-ietf-acme-tls-alpn specify a different
idPeAcmeIdentifierV1 than LEGO was previously using. The old value had
a conflict with an existing assignment.

This commit updates the idPeAcmeIdentifierV1 value to match draft-05 and
updates any references to the draft RFC to use the latest draft number.
2018-10-29 18:20:49 +01:00
Daniel McCarney
1164f441bd Client: Do not send a JWS body when POSTing challenges. (#689)
* Client: Do not send a JWS body when POSTing challenges.

In legacy ACME there was a requirement to send a JWS body that contained
a key authorization as part of all challenge initiation POSTs. Since
both the client and server can reconstitute the key authorization there
is no need to send it and modern ACME expects challenges to be initiated
with a JWS carrying the trivial empty JSON object (`{}`).  Some ACME
servers (e.g. Pebble in `-strict` mode) will reject all challenge POSTs
that have a legacy JWS body.

This commit updates the LEGO `acme/client.go`'s `validate` function to
send the correct JWS payload for challenge POSTs.
2018-10-29 17:35:49 +01:00
Ludovic Fernandez
4d21f8eec1
Add a test helper to manage env vars. (#675) 2018-10-16 17:52:57 +02:00
Ludovic Fernandez
122c354163
Homogenization of the DNS provider tests (#671)
* refactor: min TTL
* refactor: sandbox.
* refactor: tests homogenization.
* refactor: missing require.
2018-10-12 19:29:18 +02:00
Ludovic Fernandez
20d50a559f
route53: fix challenge. (#665) 2018-10-09 19:03:07 +02:00
Ludovic Fernandez
18fe57183d
cloudflare: use the official go client. (#658) 2018-10-03 00:02:01 +02:00
Ludovic Fernandez
c09b12be08 fix: ns1 wildcard. (#657) 2018-10-02 20:21:02 +00:00
Ludovic Fernandez
ad20bf90ff Migrate to golangci-lint (#644)
* refactor: linting.

- errcheck
- govet
- golint
- goconst
- spellcheck
- ...

* refactor: migrate from gometalinter to golangci-lint.
2018-09-24 19:07:20 +00:00
Ludovic Fernandez
3a46680b73 Fix: gcloud wildcard (#643)
* fix: gcloud wildcard.

* refactor: minor changes.
2018-09-21 15:28:50 +00:00
Ludovic Fernandez
55361cea8c
Use Testify. (#630) 2018-09-15 19:16:35 +02:00
Ludovic Fernandez
bba134ce87
Allow to configure TTL, interval and timeout (#634)
* feat: add GetOrDefaultXXX methods.
* refactor: configuration (alidns).
* refactor: configuration (azure).
* refactor: configuration (auroradns).
* refactor: configuration (bluecat).
* refactor: configuration (cloudflare).
* refactor: configuration (digitalocean).
* refactor: configuration (dnsimple).
* refactor: configuration (dnmadeeasy).
* refactor: configuration (dnspod).
* refactor: configuration (duckdns).
* refactor: configuration (dyn).
* refactor: configuration (exoscale).
* refactor: configuration (fastdns).
* refactor: configuration (gandi).
* refactor: configuration (gandiv5).
* refactor: configuration (gcloud).
* refactor: configuration (glesys).
* refactor: configuration (godaddy).
* refactor: configuration (iij).
* refactor: configuration (lightsail).
* refactor: configuration (linode).
* refactor: configuration (namecheap).
* refactor: configuration (namedotcom).
* refactor: configuration (netcup).
* refactor: configuration (nifcloud).
* refactor: configuration (ns1).
* refactor: configuration (otc).
* refactor: configuration (ovh).
* refactor: configuration (pdns).
* refactor: configuration (rackspace).
* refactor: configuration (rfc2136).
* refactor: configuration (route53).
* refactor: configuration (sakuracloud).
* refactor: configuration (vegadns).
* refactor: configuration (vultr).
2018-09-15 19:07:24 +02:00
Sten Spans
cd5479a6b1 Panic on generating a certificate (#627) 2018-09-09 12:37:30 +02:00
Craig Peterson
de3accf531 Submit all dns records up front, then validate serially (#607) 2018-09-08 11:56:51 +02:00
Bill Shupp
e0d512138c Fix missing issuer certificates from Let's Encrypt (#587) 2018-07-01 02:35:39 +02:00
Ludovic Fernandez
9bb5589e17
feat: CA Server Name. (#590) 2018-07-01 01:12:36 +02:00
Ludovic Fernandez
a2543a2fde
Don't trust identifiers order. (#589)
ACME draft Section 7.4 "Applying for Certificate Issuance"
https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4
says:
	Clients SHOULD NOT make any assumptions about the sort order of
	"identifiers" or "authorizations" elements in the returned order
	object.
2018-07-01 01:06:46 +02:00
Ludovic Fernandez
94e14328ab
refactor: replace Dial by DialContext. (#585) 2018-07-01 00:55:57 +02:00
Robert Kästel
54422ab226 Order polling wait (#581) 2018-06-25 23:22:42 +02:00
Ludovic Fernandez
a1585a7b9a
Review DNS providers (#580)
* refactor: create log.Infof and log.Warnf
* refactor: review DNS providers.
    - use one `http.Client` by provider instead of one client by request
    - use the same receiver name `d` for all `DNSProvider`
    - use `http.MethodXXX`
* refactor: logger init.
2018-06-21 19:06:16 +02:00
Ludovic Fernandez
57782ac3c1
tls-alpn: add a function to return PEM blocks. (#579)
* feature(tls-alpn): add function to return PEM blocks.
2018-06-18 15:44:18 +02:00
Wyatt Johnson
d457f70ae0 TLS-ALPN-01 Challenge (#572)
* feat: implemented TLS-ALPN-01 challenge
2018-06-14 01:20:56 +02:00
Daniel McCarney
8f9e90b2a0 ACME HTTP: Allow customizing HTTP client x509.CertPool (#571)
This commit updates `acme/http.go` to allow customizing the
`*x509.CertPool` used by the `HTTPClient` by specifying the filepath of
a custom CA certificate via the `CA_CERTIFICATE` environment variable.

This allows developers to easily trust a non-standard CA when
interacting with an ACME test server (e.g. Pebble):

```
CA_CERTIFICATE=~/go/src/github.com/letsencrypt/pebble/test/certs/pebble.minica.pem \
lego \
  --server https://localhost:14000/dir \
  --email foo@bar.com \
  -d example.com \
  run
```
2018-06-11 15:45:59 +02:00
Ludovic Fernandez
7fedfd1388 fix: user-agent string order. (#566) 2018-06-03 12:23:01 -06:00
nelsonkram
f17b1ce516 Added 'processing' status as valid challenge status (#561) 2018-05-31 17:22:37 +02:00
Ludovic Fernandez
1b12c25e43 Add linters (#556)
* feat: add linters.
* fix: lint.
2018-05-30 16:03:55 -06:00
Ludovic Fernandez
e7fd871a9c
ACME V2 support (#555) 2018-05-30 19:53:04 +02:00
Philippe M. Chiasson
6bddbfd17a Use proxies from environment when making outbound http connections (#478)
Fixes #477
2018-01-25 09:10:08 -07:00
Simon Menke
b929aa5aab Fix zone detection for cross-zone cnames (#449)
* Fix zone detection for cross-zone cnames

CNAMEs cannot co-exist with SOA records so responses with
a CNAME should be skipped.

The `cross-zone-example.assets.sh.` is currently hosted by
me (@fd) and will continue to exist for as long as the assets.sh
domain exists. (The assets.sh domain is used as a CDN and is unlikely
to go away.)

See #330

* Extracted CNAME checking to simplify the FindZoneByFqdn control flow.
2017-11-15 11:03:00 +01:00
LeSuisse
a80b046ca8 Users of an effective top-level domain can use the DNS challenge (#436)
They will not get anymore an error message saying
"Could not find the start of authority".

Finding the zone cut of a FQDN now only rely on the presence
of a SOA record. Indeed, in the context of an eTLD the
authority will be the eTLD itself so you need to continue
to recurse until you get an answer instead of cutting the search
when you find the public suffix of a domain.

Fixes #434
2017-10-25 21:47:54 +02:00
Shawn Smith
92ed209099 fix typo (#419) 2017-08-10 11:47:37 -06:00
Janez Troha
147b326cb0 acme/http: saner http client timeouts (#377)
LE is becoming quite popular and it was observed that response time can be around 15s. I've increased this to 30s and added changes recomended here https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/
2017-07-17 21:57:01 +02:00
Unknown
f3fc555a98 Add explicit calls to disable authz on errors 2017-04-27 01:46:52 +02:00
Manuel Valls Fernández
a111d61d85 Move nonce retry from jws to http (#367)
* Move nonce retry from jws to http

The error raised by an "invalid nonce" response never appeared
inside jws.go, but instead it was handled at http.go, so it makes
sense to move the retry logic to that file. The previous code from
jws.go had no effect and did not solve issues related to invalid
nonces.

* Rename retry response variable name for clarity
2017-03-30 02:25:34 +02:00
Unknown
ee0018c855 Remove conditional around rate limiting
Always limit LE requests to ~18 per second, no matter how many domains are being validated.
2017-03-30 02:06:43 +02:00
Mahmoud Abdelsalam
0e2937900b Add error checking for the jws httpPost (#360)
https://github.com/xenolf/lego/issues/359
2017-03-17 19:58:44 +01:00
Etienne
45beff7ed3 Add workaround for new-authz rate limits (#357) 2017-03-13 22:41:19 +01:00
xenolf
66d8acbf89 Add some better error messages to http and jws 2017-02-19 05:50:21 +01:00
Pavel Forkert
0c0d57a545 Log authorization urls (#350)
https://letsencrypt.org/docs/rate-limits/ says:
> The pending authorization objects are represented by URLs of the form https://acme-v01.api.letsencrypt.org/acme/authz/XYZ, and should show up in your client logs.
2017-02-19 05:30:33 +01:00
Pavel Forkert
661e5e690c Do not get stuck when server accidentally starts responding with bad data (#349)
If `links["next"] == ""` the early return does not send neither success, nor failure to outer code,
which leads to whole `getChallenges` method being stuck forever, cause it waits for either `resc` or `errc` to receive message.
2017-02-19 05:17:22 +01:00
xenolf
9f94aabbd2 Fix nonce error (#354)
* Adding a NonceError type to detect nonce errors

* Implement a one off retry on a nonce error.
2017-02-19 05:12:14 +01:00
Pavel Forkert
09d8a49bf2 Reduce nonce locking (#340)
* [reduce-locking] Prepare for change

* [reduce-locking] Do not lock on http request

* [reduce-locking] Move getNonce and getNonceFromResponse from jws struct cause they do not need access to it

* [reduce-locking] Extract nonceManager

* [reduce-locking] Add test that tries to show locking on http requests problem
2017-02-19 04:48:45 +01:00
Matt Holt
f5d538caab Close response body in error case and close first one (#341)
* Close response body in error case

* Ensure the body of both responses is closed when polling for cert

Also make a new const of maxBodySize, and cap the number of polls
to a maximum of 1000.

* More correct placement for polling limit

* Move const to the top
2017-01-15 16:54:49 +01:00
Joe Shaw
e9c3078492 add issuer certificate to CertificateResource (#325)
* add issuer certificate to CertificateResource

Also write it out to the file system when running "lego run"

Removed caching of the issuer certificate inside the acme client, since
it didn't appear to be used.

* only append issuerCert to issuedCert in case of success

Effectively a no-op since issuerCert will be nil on error, but it seems
more correct to only do it if fetching the issuer succeeds.
2016-12-14 00:22:48 +01:00
Pavel Forkert
d149f14b6b Properly lock jws.nonces (#319)
Before read access to `nonces` field in jws structure (in `Nonces` method) was not synchronized and we were still able
to get `slice bounds out of range` panic when trying to "pop" value in `Nonces` method.

The race can be actually observed by running `Nonce` method multiple times in separate goroutines with th precondition is `len(jws.nonces) == 1`.
2016-12-13 09:49:37 +01:00
xenolf
cbd5d04c89 Fix OCSP must staple.
Fixes #327
2016-12-06 08:41:28 +01:00
xenolf
3db48c9e13 Fix HTTP-01 and TLS-SNI invalid port tests for go 1.8 2016-11-14 11:08:33 +01:00
xenolf
2abbe6d836 Tweak log message for a wrong host in HTTP-01
Fixes #314
2016-11-10 08:24:06 +01:00
Woz
306f5c06fa Dns from resolv.conf (#293)
* Get better dns server defaults if available

if an /etc/resolv.conf file exists, then get the dns servers from there

* fix handwritten code...

* Make discovering system dns servers more testable

Allow specifying path to resolv.conf file to allow testing logic

* add tests

* Log which resolvers we are using

* move log statement for dns resolvers used
2016-11-03 19:37:15 +01:00
xenolf
72914df00f Add OCSP must staple support
Introduces a new command line switch `--must-staple` to `run` and `renew`.
Using this switch will add the must staple TLS extension to the CSR generated by lego and thus also to the generated certificate.
This does not work with user specified CSRs!

Fixes #270
2016-10-27 11:22:10 +02:00
xenolf
85eddfa347 Remove check for auto renewed cert from . This is no longer part of the spec 2016-10-17 11:12:54 +02:00
Ely Deckers
4083ff8bc3 Fix duplicate json tag in recoveryKeyMessage
Fixed issue by removing unused recoveryKeyMessage struct

Issue appears in Go 1.8+ due to this improvement to vet:
https://go-review.googlesource.com/#/c/16704/
2016-10-15 19:32:28 +02:00
Matthew Holt
70a2b229e2 Document that challenge providers get replaced on these calls 2016-09-28 18:19:52 -06:00
Kate Jefferson
2569c53efe Add sync.Mutex to lock and unlock j.nonces 2016-08-18 16:35:03 -04:00
Matthew Holt
6bd7f505e1 Log when skipping challenges due to valid authz 2016-08-16 14:00:17 -06:00
Matthew Holt
b2d7a1821e Skip solving challenges when authz is already valid (fixes #267) 2016-08-16 13:50:56 -06:00
Cristian Graziano
2818a41068 Export PreCheckDNS so library users can manage the DNS check in tests 2016-08-09 22:15:54 -07:00
liz
5eae7e889c Fix documentation for acme.NewClient 2016-08-04 12:09:42 -04:00
janeczku
d6197084fc Fixes zone lookup for domains that have a CNAME with the target in another zone 2016-07-29 21:28:28 +02:00
xenolf
e2f341198f Remove unneeded re-checking of OCSP responses. The stdlib has us covered already.
Fixes #247
2016-07-21 03:32:56 +02:00
xenolf
029ece0fd2 Well a timeout of 10 something is a good idea indeed... 2016-07-21 03:27:34 +02:00
xenolf
082ff6d029 Removed HTTPTimeout and exported a new HTTPClient variable as a replacement.
The HTTPTimeout was not honored by the default client. Clients should now construct their own HTTPClient for overriding the timeout.
Fixes #246
2016-07-21 03:24:11 +02:00
Chris Marchesi
575370e196 cert: Extend acme.CertificateResource, support CSRs on renew
client.RenewCertificate now supports CSRs, and in fact prefers them,
when renewing certificates. In other words, if the certificate was
created via a CSR then using that will be attempted before re-generating
off a new private key.

Also adjusted the API of ObtainCertificateForCSR to be a little
more in line with the original ObtainCertificate function.
2016-06-14 21:15:25 -07:00
Will Glynn
8d7afd02b9 Add ObtainCertificateForCSR()
This commit also breaks requestCertificate() into two parts, the first of
which generates a CSR, the second of which became requestCertificateForCsr()
which does what the name implies.
2016-06-14 21:15:25 -07:00
xenolf
c570b320ae Merge pull request #222 from connctd/registration
In case of conflict during registration, the old registration is now recovered
2016-06-14 13:13:50 +02:00
Till Klocke
402756c1c5 registration message in case of conflict 409 should not contain contact details 2016-06-14 09:50:12 +02:00
Derek McGowan
be785fda33 Updated original signature and removed new function 2016-06-12 22:57:22 -07:00
Russ Cox
c8b0781028 Add TLS SNI Challenge function which returns domain
Used by rsc.io/letsencrypt to get the challenge domain.
Originally committed under rsc.io/letsencrypt/vendor.
2016-06-10 11:47:43 -07:00
Chris Marchesi
3028225371 reg: Add Query and Delete functions
Add 2 new functions to acme.Client for registration stuff:

 * QueryRegistration: This performs a POST on the client
   registration's URI and gets the updated registration info.
 * DeleteRegistration: This deletes the registration as currently
   configured in the client.

The latter, while a part of the IETF draft, may not be 100%
functional in LE yet, my tests showed that resources were still
available after deletion.
2016-06-08 16:36:42 -07:00
Till Klocke
599eb9a739 In case of conflict during registration, the old registration is now recovered 2016-06-06 15:32:02 +02:00
zealic
88932f9167 Add dns-timeout support. 2016-05-25 11:22:09 +08:00
xenolf
9e0c21c439 Add HTTPTimeout variable to http.go.
This lets users of this library override the default internal timeout for HTTP requests issued by the library. The default is 10 seconds.
2016-05-19 18:51:47 +02:00
xenolf
094e3d41bb httpError - Set detail string to the content of the HTTP response if it's not parsed as JSON
Fixes #188
2016-04-15 03:09:29 +02:00
xenolf
cbca761215 Merge pull request #186 from LukeHandle/patch-dns-retryquery
Retry logic for dnsQuery
2016-04-14 20:27:14 +02:00
LukeHandle
a684bab9a4 Fix typo in "retry" 2016-04-12 07:36:42 +01:00
xenolf
23e88185c2 Merge pull request #185 from rekby/jws-out-of-range
Fix out of range
2016-04-12 02:41:31 +02:00
LukeHandle
dbad97ebc6 Retry logic for dnsQuery
Added a slice of NS to be used when retrying queries. Also used with FindZoneByFqdn()
Adjusted 2 error messages given to better differentiate the returned error string
2016-04-12 00:24:11 +01:00
Rekby
e81192c912 errors.New -> fmt.Errorf 2016-04-11 11:49:20 +03:00
Rekby
3ab9b75696 simple, without retriing 2016-04-11 11:43:32 +03:00
Rekby
334ebd6ee6 gofmt 2016-04-11 07:27:12 +03:00
Rekby
7557681b06 doesn't sleep after last try 2016-04-11 07:26:45 +03:00
Rekby
3a426a1382 retry get nonce few times before return error 2016-04-11 07:22:00 +03:00
Rekby
f32c8a55e7 typo 2016-04-11 07:03:21 +03:00
Rekby
1107e337a5 returt to master version for clean pull request 2016-04-11 07:02:06 +03:00
Rekby
ec18c6e42f Fix out of range 2016-04-11 06:45:32 +03:00
Rekby
232fbbef08 Fix out of range 2016-04-10 16:06:49 +03:00
xenolf
44d92633c6
Move duplicate code to a function
Signed-off-by: xenolf <xenolf@users.noreply.github.com>
2016-04-08 01:04:38 +02:00
Alexander Neumann
ec667a7ed1 Only try to parse JSON documents
This patch adds code to only parse the HTTP response body as JSON if the
content-type header advertises the content as JSON. In my case, the
directory server was unavailable: it returned a 503 HTTP response code
with an HTML document, and the only thing lego reported was:

    2016/04/04 19:12:56 Could not create client: get directory at 'https://acme-v01.api.letsencrypt.org/directory': invalid character '<' looking for beginning of value

This was caused by trying to parse the document body (HTML) as JSON,
without looking at the content-type header and returning the JSON parse
error.
2016-04-04 23:15:49 +02:00
Cedric Staub
6528bf217e Build with go-jose.v1 instead of master 2016-03-27 12:38:49 -07:00
LukeHandle
20ab8300eb Use zone name when talking to DNS APIs
This should handle multiple zones more efficiently
2016-03-21 00:18:49 +00:00
xenolf
d6fb247c29 Fix typo in dns_challenge 2016-03-19 17:48:50 +01:00
Michael Cross
8aa797f49d Add ChallengeProviderTimeout type to acme package
This type allows for implementing DNS ChallengeProviders that require
an unsually long timeout when checking for record propagation.
2016-03-16 18:17:03 +00:00
Michael Cross
f70a48e28a Improve wording of ChallengeProvider comment 2016-03-15 12:46:48 +00:00
xenolf
98c95e83c9 Add link to account to certificate meta data. 2016-03-14 03:29:29 +01:00
xenolf
3252b0bcb9 Fix WaitFor calls 2016-03-11 04:52:59 +01:00