forked from TrueCloudLab/lego
04e2d74406
This commit adds a new DNS provider for [acme-dns](https://github.com/joohoi/acme-dns) to allow Lego to set DNS-01 challenge response TXT with an ACME-DNS server automatically. ACME-DNS allows ceding minimal zone editing permissions to the ACME client and can be useful when the primary DNS provider for the zone does not allow scripting/API access but can set a CNAME to an ACME-DNS server. Lower level ACME-DNS API calls & account loading/storing is handled by the `github.com/cpu/goacmedns` library. The provider loads existing ACME-DNS accounts from the specified JSON file on disk. Any accounts the provider registers on behalf of the user will also be saved to this JSON file. When required, the provider handles registering accounts with the ACME-DNS server domains that do not already have an ACME-DNS account. This will halt issuance with an error prompting the user to set the one-time manual CNAME required to delegate the DNS-01 challenge record to the ACME-DNS server. Subsequent runs will use the account from disk and assume the CNAME is in-place.
170 lines
6.2 KiB
Go
170 lines
6.2 KiB
Go
// Package acmedns implements a DNS provider for solving DNS-01 challenges using
|
|
// Joohoi's acme-dns project. For more information see the ACME-DNS homepage:
|
|
// https://github.com/joohoi/acme-dns
|
|
package acmedns
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
|
|
"github.com/cpu/goacmedns"
|
|
"github.com/xenolf/lego/acme"
|
|
"github.com/xenolf/lego/platform/config/env"
|
|
)
|
|
|
|
const (
|
|
// envNamespace is the prefix for ACME-DNS environment variables.
|
|
envNamespace = "ACME_DNS_"
|
|
// apiBaseEnvVar is the environment variable name for the ACME-DNS API address
|
|
// (e.g. https://acmedns.your-domain.com).
|
|
apiBaseEnvVar = envNamespace + "API_BASE"
|
|
// storagePathEnvVar is the environment variable name for the ACME-DNS JSON
|
|
// account data file. A per-domain account will be registered/persisted to
|
|
// this file and used for TXT updates.
|
|
storagePathEnvVar = envNamespace + "STORAGE_PATH"
|
|
)
|
|
|
|
// acmeDNSClient is an interface describing the goacmedns.Client functions
|
|
// the DNSProvider uses. It makes it easier for tests to shim a mock Client into
|
|
// the DNSProvider.
|
|
type acmeDNSClient interface {
|
|
// UpdateTXTRecord updates the provided account's TXT record to the given
|
|
// value or returns an error.
|
|
UpdateTXTRecord(goacmedns.Account, string) error
|
|
// RegisterAccount registers and returns a new account with the given
|
|
// allowFrom restriction or returns an error.
|
|
RegisterAccount([]string) (goacmedns.Account, error)
|
|
}
|
|
|
|
// DNSProvider is an implementation of the acme.ChallengeProvider interface for
|
|
// an ACME-DNS server.
|
|
type DNSProvider struct {
|
|
client acmeDNSClient
|
|
storage goacmedns.Storage
|
|
}
|
|
|
|
// NewDNSProvider creates an ACME-DNS provider using file based account storage.
|
|
// Its configuration is loaded from the environment by reading apiBaseEnvVar and
|
|
// storagePathEnvVar.
|
|
func NewDNSProvider() (*DNSProvider, error) {
|
|
values, err := env.Get(apiBaseEnvVar, storagePathEnvVar)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("acme-dns: %v", err)
|
|
}
|
|
|
|
client := goacmedns.NewClient(values[apiBaseEnvVar])
|
|
storage := goacmedns.NewFileStorage(values[storagePathEnvVar], 0600)
|
|
return NewDNSProviderClient(client, storage)
|
|
}
|
|
|
|
// NewDNSProviderClient creates an ACME-DNS DNSProvider with the given
|
|
// acmeDNSClient and goacmedns.Storage.
|
|
func NewDNSProviderClient(client acmeDNSClient, storage goacmedns.Storage) (*DNSProvider, error) {
|
|
if client == nil {
|
|
return nil, errors.New("ACME-DNS Client must be not nil")
|
|
}
|
|
|
|
if storage == nil {
|
|
return nil, errors.New("ACME-DNS Storage must be not nil")
|
|
}
|
|
|
|
return &DNSProvider{
|
|
client: client,
|
|
storage: storage,
|
|
}, nil
|
|
}
|
|
|
|
// ErrCNAMERequired is returned by Present when the Domain indicated had no
|
|
// existing ACME-DNS account in the Storage and additional setup is required.
|
|
// The user must create a CNAME in the DNS zone for Domain that aliases FQDN
|
|
// to Target in order to complete setup for the ACME-DNS account that was
|
|
// created.
|
|
type ErrCNAMERequired struct {
|
|
// The Domain that is being issued for.
|
|
Domain string
|
|
// The alias of the CNAME (left hand DNS label).
|
|
FQDN string
|
|
// The RDATA of the CNAME (right hand side, canonical name).
|
|
Target string
|
|
}
|
|
|
|
// Error returns a descriptive message for the ErrCNAMERequired instance telling
|
|
// the user that a CNAME needs to be added to the DNS zone of c.Domain before
|
|
// the ACME-DNS hook will work. The CNAME to be created should be of the form:
|
|
// {{ c.FQDN }} CNAME {{ c.Target }}
|
|
func (e ErrCNAMERequired) Error() string {
|
|
return fmt.Sprintf("acme-dns: new account created for %q. "+
|
|
"To complete setup for %q you must provision the following "+
|
|
"CNAME in your DNS zone and re-run this provider when it is "+
|
|
"in place:\n"+
|
|
"%s CNAME %s.",
|
|
e.Domain, e.Domain, e.FQDN, e.Target)
|
|
}
|
|
|
|
// Present creates a TXT record to fulfil the DNS-01 challenge. If there is an
|
|
// existing account for the domain in the provider's storage then it will be
|
|
// used to set the challenge response TXT record with the ACME-DNS server and
|
|
// issuance will continue. If there is not an account for the given domain
|
|
// present in the DNSProvider storage one will be created and registered with
|
|
// the ACME DNS server and an ErrCNAMERequired error is returned. This will halt
|
|
// issuance and indicate to the user that a one-time manual setup is required
|
|
// for the domain.
|
|
func (d *DNSProvider) Present(domain, _, keyAuth string) error {
|
|
// Compute the challenge response FQDN and TXT value for the domain based
|
|
// on the keyAuth.
|
|
fqdn, value, _ := acme.DNS01Record(domain, keyAuth)
|
|
|
|
// Check if credentials were previously saved for this domain.
|
|
account, err := d.storage.Fetch(domain)
|
|
// Errors other than goacmeDNS.ErrDomainNotFound are unexpected.
|
|
if err != nil && err != goacmedns.ErrDomainNotFound {
|
|
return err
|
|
}
|
|
if err == goacmedns.ErrDomainNotFound {
|
|
// The account did not exist. Create a new one and return an error
|
|
// indicating the required one-time manual CNAME setup.
|
|
return d.register(domain, fqdn)
|
|
}
|
|
|
|
// Update the acme-dns TXT record.
|
|
return d.client.UpdateTXTRecord(account, value)
|
|
}
|
|
|
|
// CleanUp removes the record matching the specified parameters. It is not
|
|
// implemented for the ACME-DNS provider.
|
|
func (d *DNSProvider) CleanUp(_, _, _ string) error {
|
|
// ACME-DNS doesn't support the notion of removing a record. For users of
|
|
// ACME-DNS it is expected the stale records remain in-place.
|
|
return nil
|
|
}
|
|
|
|
// register creates a new ACME-DNS account for the given domain. If account
|
|
// creation works as expected a ErrCNAMERequired error is returned describing
|
|
// the one-time manual CNAME setup required to complete setup of the ACME-DNS
|
|
// hook for the domain. If any other error occurs it is returned as-is.
|
|
func (d *DNSProvider) register(domain, fqdn string) error {
|
|
// TODO(@cpu): Read CIDR whitelists from the environment
|
|
newAcct, err := d.client.RegisterAccount(nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Store the new account in the storage and call save to persist the data.
|
|
err = d.storage.Put(domain, newAcct)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
err = d.storage.Save()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Stop issuance by returning an error. The user needs to perform a manual
|
|
// one-time CNAME setup in their DNS zone to complete the setup of the new
|
|
// account we created.
|
|
return ErrCNAMERequired{
|
|
Domain: domain,
|
|
FQDN: fqdn,
|
|
Target: newAcct.FullDomain,
|
|
}
|
|
}
|