client.RenewCertificate now supports CSRs, and in fact prefers them,
when renewing certificates. In other words, if the certificate was
created via a CSR then using that will be attempted before re-generating
off a new private key.
Also adjusted the API of ObtainCertificateForCSR to be a little
more in line with the original ObtainCertificate function.
Different DNS providers were handling credentials in different ways.
Some were reading credential environment variables in cli_handlers.go
and then passing them into the NewDNSProvider function, while others
were reading the environment variables within their NewDNSProvider
functions.
This change replaces each DNS challenge's NewDNSProvider function with
two new functions: (1) a NewDNSProvider function that takes no
parameters and uses the environment to read credentials, and (2) a
NewDNSProviderCredentials that takes credentials as parameters.
Use GCE_PROJECT to designate your GCE project.
Authentication is automatically picked up from gcloud credentials if
running locally and from GCE metadata if run within Google Cloud.
Requires at least permission scope
"https://www.googleapis.com/auth/ndev.clouddns.readwrite"
This commit adds support for Dyn, specifically Dyn Managed DNS. Makes
use of the Dyn REST API [1] and requires 3 environment variables for
credentails:
DYN_CUSTOMER_NAME
DYN_USER_NAME
DYN_PASSWORD
The Dyn DNS API requires a session to be established first using the
credentials above, After creating a session an api token is used for
subsequent requests.
The unit test performs a "live test" and currently requires a valid Dyn
account and domain.
[1] https://help.dyn.com/rest/
- Removal of RFC2136_ZONE from help text
- Query nameserver directly to find zone we have to update
- During insert, make sure the new record is the ONLY challence.
(I had a few panics, hence 3 challences left. Not good.)
Add a new environment variable RFC2136_TSIG_ALGORITHM that accepts the
TSIG algorithm pseudo-domain name. Let it default to
"hmac-md5.sig-alg.reg.int." if unset.
Other providers should be used with the SetChallengeProvider function
and should supply a New function. In your case this would be
NewHTTPProviderWebroot taking the path as an argument.
When using this option, the challenge will be written in a file in
".well-known/acme-challenge/" inside the given webroot folder.
This allows lego to work without binding any port at all.
Also removes revokation abilities from RenewCertificate.
Makes the API more orthogonal. These things are not provided by the
ACME protocol, but were convenience helpers.