mirror of
https://github.com/caddyserver/caddy.git
synced 2025-01-05 18:44:58 +03:00
vendor: Update certmagic and lego
This commit is contained in:
parent
7fe9e13fbf
commit
01f2b85826
18 changed files with 135 additions and 146 deletions
8
vendor/github.com/mholt/certmagic/certmagic.go
generated
vendored
8
vendor/github.com/mholt/certmagic/certmagic.go
generated
vendored
|
@ -476,6 +476,14 @@ var (
|
||||||
// certificates
|
// certificates
|
||||||
KeyType = certcrypto.RSA2048
|
KeyType = certcrypto.RSA2048
|
||||||
|
|
||||||
|
// The maximum amount of time to allow for
|
||||||
|
// obtaining a certificate. If empty, the
|
||||||
|
// default from the underlying lego lib is
|
||||||
|
// used. If set, it must not be too low so
|
||||||
|
// as to cancel orders too early, running
|
||||||
|
// the risk of rate limiting.
|
||||||
|
CertObtainTimeout time.Duration
|
||||||
|
|
||||||
// The state needed to operate on-demand TLS
|
// The state needed to operate on-demand TLS
|
||||||
OnDemand *OnDemandConfig
|
OnDemand *OnDemandConfig
|
||||||
|
|
||||||
|
|
28
vendor/github.com/mholt/certmagic/client.go
generated
vendored
28
vendor/github.com/mholt/certmagic/client.go
generated
vendored
|
@ -59,10 +59,14 @@ func (cfg *Config) newACMEClient(interactive bool) (*acmeClient, error) {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// ensure key type is set
|
// ensure key type and timeout are set
|
||||||
keyType := KeyType
|
keyType := cfg.KeyType
|
||||||
if cfg.KeyType != "" {
|
if keyType == "" {
|
||||||
keyType = cfg.KeyType
|
keyType = KeyType
|
||||||
|
}
|
||||||
|
certObtainTimeout := cfg.CertObtainTimeout
|
||||||
|
if certObtainTimeout == 0 {
|
||||||
|
certObtainTimeout = CertObtainTimeout
|
||||||
}
|
}
|
||||||
|
|
||||||
// ensure CA URL (directory endpoint) is set
|
// ensure CA URL (directory endpoint) is set
|
||||||
|
@ -93,9 +97,12 @@ func (cfg *Config) newACMEClient(interactive bool) (*acmeClient, error) {
|
||||||
// the client facilitates our communication with the CA server
|
// the client facilitates our communication with the CA server
|
||||||
legoCfg := lego.NewConfig(&leUser)
|
legoCfg := lego.NewConfig(&leUser)
|
||||||
legoCfg.CADirURL = caURL
|
legoCfg.CADirURL = caURL
|
||||||
legoCfg.KeyType = keyType
|
|
||||||
legoCfg.UserAgent = buildUAString()
|
legoCfg.UserAgent = buildUAString()
|
||||||
legoCfg.HTTPClient.Timeout = HTTPTimeout
|
legoCfg.HTTPClient.Timeout = HTTPTimeout
|
||||||
|
legoCfg.Certificate = lego.CertificateConfig{
|
||||||
|
KeyType: keyType,
|
||||||
|
Timeout: certObtainTimeout,
|
||||||
|
}
|
||||||
client, err = lego.NewClient(legoCfg)
|
client, err = lego.NewClient(legoCfg)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
cfg.acmeClientsMu.Unlock()
|
cfg.acmeClientsMu.Unlock()
|
||||||
|
@ -189,19 +196,16 @@ func (cfg *Config) newACMEClient(interactive bool) (*acmeClient, error) {
|
||||||
})
|
})
|
||||||
|
|
||||||
// disable any challenges that should not be used
|
// disable any challenges that should not be used
|
||||||
var disabledChallenges []challenge.Type
|
|
||||||
if cfg.DisableHTTPChallenge {
|
if cfg.DisableHTTPChallenge {
|
||||||
disabledChallenges = append(disabledChallenges, challenge.HTTP01)
|
c.acmeClient.Challenge.Remove(challenge.HTTP01)
|
||||||
}
|
}
|
||||||
if cfg.DisableTLSALPNChallenge {
|
if cfg.DisableTLSALPNChallenge {
|
||||||
disabledChallenges = append(disabledChallenges, challenge.TLSALPN01)
|
c.acmeClient.Challenge.Remove(challenge.TLSALPN01)
|
||||||
}
|
|
||||||
if len(disabledChallenges) > 0 {
|
|
||||||
c.acmeClient.Challenge.Exclude(disabledChallenges)
|
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
// Otherwise, use DNS challenge exclusively
|
// Otherwise, use DNS challenge exclusively
|
||||||
c.acmeClient.Challenge.Exclude([]challenge.Type{challenge.HTTP01, challenge.TLSALPN01})
|
c.acmeClient.Challenge.Remove(challenge.HTTP01)
|
||||||
|
c.acmeClient.Challenge.Remove(challenge.TLSALPN01)
|
||||||
c.acmeClient.Challenge.SetDNS01Provider(cfg.DNSProvider)
|
c.acmeClient.Challenge.SetDNS01Provider(cfg.DNSProvider)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
11
vendor/github.com/mholt/certmagic/config.go
generated
vendored
11
vendor/github.com/mholt/certmagic/config.go
generated
vendored
|
@ -93,6 +93,14 @@ type Config struct {
|
||||||
// certificates
|
// certificates
|
||||||
KeyType certcrypto.KeyType
|
KeyType certcrypto.KeyType
|
||||||
|
|
||||||
|
// The maximum amount of time to allow for
|
||||||
|
// obtaining a certificate. If empty, the
|
||||||
|
// default from the underlying lego lib is
|
||||||
|
// used. If set, it must not be too low so
|
||||||
|
// as to cancel orders too early, running
|
||||||
|
// the risk of rate limiting.
|
||||||
|
CertObtainTimeout time.Duration
|
||||||
|
|
||||||
// The state needed to operate on-demand TLS
|
// The state needed to operate on-demand TLS
|
||||||
OnDemand *OnDemandConfig
|
OnDemand *OnDemandConfig
|
||||||
|
|
||||||
|
@ -196,6 +204,9 @@ func NewWithCache(certCache *Cache, cfg Config) *Config {
|
||||||
if cfg.KeyType == "" {
|
if cfg.KeyType == "" {
|
||||||
cfg.KeyType = KeyType
|
cfg.KeyType = KeyType
|
||||||
}
|
}
|
||||||
|
if cfg.CertObtainTimeout == 0 {
|
||||||
|
cfg.CertObtainTimeout = CertObtainTimeout
|
||||||
|
}
|
||||||
if cfg.OnDemand == nil {
|
if cfg.OnDemand == nil {
|
||||||
cfg.OnDemand = OnDemand
|
cfg.OnDemand = OnDemand
|
||||||
}
|
}
|
||||||
|
|
2
vendor/github.com/mholt/certmagic/filestorage.go
generated
vendored
2
vendor/github.com/mholt/certmagic/filestorage.go
generated
vendored
|
@ -179,7 +179,7 @@ func (fs *FileStorage) String() string {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (fs *FileStorage) lockFilename(key string) string {
|
func (fs *FileStorage) lockFilename(key string) string {
|
||||||
return filepath.Join(fs.lockDir(), StorageKeys.safe(key)+".lock")
|
return filepath.Join(fs.lockDir(), StorageKeys.Safe(key)+".lock")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (fs *FileStorage) lockDir() string {
|
func (fs *FileStorage) lockDir() string {
|
||||||
|
|
2
vendor/github.com/mholt/certmagic/solvers.go
generated
vendored
2
vendor/github.com/mholt/certmagic/solvers.go
generated
vendored
|
@ -140,7 +140,7 @@ func (dhs distributedSolver) challengeTokensPrefix() string {
|
||||||
// challengeTokensKey returns the key to use to store and access
|
// challengeTokensKey returns the key to use to store and access
|
||||||
// challenge info for domain.
|
// challenge info for domain.
|
||||||
func (dhs distributedSolver) challengeTokensKey(domain string) string {
|
func (dhs distributedSolver) challengeTokensKey(domain string) string {
|
||||||
return filepath.Join(dhs.challengeTokensPrefix(), StorageKeys.safe(domain)+".json")
|
return filepath.Join(dhs.challengeTokensPrefix(), StorageKeys.Safe(domain)+".json")
|
||||||
}
|
}
|
||||||
|
|
||||||
type challengeInfo struct {
|
type challengeInfo struct {
|
||||||
|
|
29
vendor/github.com/mholt/certmagic/storage.go
generated
vendored
29
vendor/github.com/mholt/certmagic/storage.go
generated
vendored
|
@ -84,12 +84,9 @@ type Locker interface {
|
||||||
Lock(key string) error
|
Lock(key string) error
|
||||||
|
|
||||||
// Unlock releases the lock for key. This method must ONLY be
|
// Unlock releases the lock for key. This method must ONLY be
|
||||||
// called after a successful call to TryLock where no Waiter was
|
// called after a successful call to Lock, and only after the
|
||||||
// returned, and only after the operation requiring the lock is
|
// critical section is finished, even if it errored or timed
|
||||||
// finished, even if it errored or timed out. It is INCORRECT to
|
// out. Unlock cleans up any resources allocated during Lock.
|
||||||
// call Unlock if any non-nil value was returned from a call to
|
|
||||||
// TryLock or if Unlock was not called at all. Unlock should also
|
|
||||||
// clean up any unused resources allocated during TryLock.
|
|
||||||
Unlock(key string) error
|
Unlock(key string) error
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -133,28 +130,28 @@ func (keys KeyBuilder) CAPrefix(ca string) string {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
caURL = &url.URL{Host: ca}
|
caURL = &url.URL{Host: ca}
|
||||||
}
|
}
|
||||||
return path.Join(prefixACME, keys.safe(caURL.Host))
|
return path.Join(prefixACME, keys.Safe(caURL.Host))
|
||||||
}
|
}
|
||||||
|
|
||||||
// SitePrefix returns a key prefix for items associated with
|
// SitePrefix returns a key prefix for items associated with
|
||||||
// the site using the given CA URL.
|
// the site using the given CA URL.
|
||||||
func (keys KeyBuilder) SitePrefix(ca, domain string) string {
|
func (keys KeyBuilder) SitePrefix(ca, domain string) string {
|
||||||
return path.Join(keys.CAPrefix(ca), "sites", keys.safe(domain))
|
return path.Join(keys.CAPrefix(ca), "sites", keys.Safe(domain))
|
||||||
}
|
}
|
||||||
|
|
||||||
// SiteCert returns the path to the certificate file for domain.
|
// SiteCert returns the path to the certificate file for domain.
|
||||||
func (keys KeyBuilder) SiteCert(ca, domain string) string {
|
func (keys KeyBuilder) SiteCert(ca, domain string) string {
|
||||||
return path.Join(keys.SitePrefix(ca, domain), keys.safe(domain)+".crt")
|
return path.Join(keys.SitePrefix(ca, domain), keys.Safe(domain)+".crt")
|
||||||
}
|
}
|
||||||
|
|
||||||
// SitePrivateKey returns the path to domain's private key file.
|
// SitePrivateKey returns the path to domain's private key file.
|
||||||
func (keys KeyBuilder) SitePrivateKey(ca, domain string) string {
|
func (keys KeyBuilder) SitePrivateKey(ca, domain string) string {
|
||||||
return path.Join(keys.SitePrefix(ca, domain), keys.safe(domain)+".key")
|
return path.Join(keys.SitePrefix(ca, domain), keys.Safe(domain)+".key")
|
||||||
}
|
}
|
||||||
|
|
||||||
// SiteMeta returns the path to the domain's asset metadata file.
|
// SiteMeta returns the path to the domain's asset metadata file.
|
||||||
func (keys KeyBuilder) SiteMeta(ca, domain string) string {
|
func (keys KeyBuilder) SiteMeta(ca, domain string) string {
|
||||||
return path.Join(keys.SitePrefix(ca, domain), keys.safe(domain)+".json")
|
return path.Join(keys.SitePrefix(ca, domain), keys.Safe(domain)+".json")
|
||||||
}
|
}
|
||||||
|
|
||||||
// UsersPrefix returns a key prefix for items related to
|
// UsersPrefix returns a key prefix for items related to
|
||||||
|
@ -169,7 +166,7 @@ func (keys KeyBuilder) UserPrefix(ca, email string) string {
|
||||||
if email == "" {
|
if email == "" {
|
||||||
email = emptyEmail
|
email = emptyEmail
|
||||||
}
|
}
|
||||||
return path.Join(keys.UsersPrefix(ca), keys.safe(email))
|
return path.Join(keys.UsersPrefix(ca), keys.Safe(email))
|
||||||
}
|
}
|
||||||
|
|
||||||
// UserReg gets the path to the registration file for the user
|
// UserReg gets the path to the registration file for the user
|
||||||
|
@ -190,7 +187,7 @@ func (keys KeyBuilder) UserPrivateKey(ca, email string) string {
|
||||||
func (keys KeyBuilder) OCSPStaple(cert *Certificate, pemBundle []byte) string {
|
func (keys KeyBuilder) OCSPStaple(cert *Certificate, pemBundle []byte) string {
|
||||||
var ocspFileName string
|
var ocspFileName string
|
||||||
if len(cert.Names) > 0 {
|
if len(cert.Names) > 0 {
|
||||||
firstName := keys.safe(cert.Names[0])
|
firstName := keys.Safe(cert.Names[0])
|
||||||
ocspFileName = firstName + "-"
|
ocspFileName = firstName + "-"
|
||||||
}
|
}
|
||||||
ocspFileName += fastHash(pemBundle)
|
ocspFileName += fastHash(pemBundle)
|
||||||
|
@ -208,7 +205,7 @@ func (keys KeyBuilder) safeUserKey(ca, email, defaultFilename, extension string)
|
||||||
if filename == "" {
|
if filename == "" {
|
||||||
filename = defaultFilename
|
filename = defaultFilename
|
||||||
}
|
}
|
||||||
filename = keys.safe(filename)
|
filename = keys.Safe(filename)
|
||||||
return path.Join(keys.UserPrefix(ca, email), filename+extension)
|
return path.Join(keys.UserPrefix(ca, email), filename+extension)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -224,9 +221,9 @@ func (keys KeyBuilder) emailUsername(email string) string {
|
||||||
return email[:at]
|
return email[:at]
|
||||||
}
|
}
|
||||||
|
|
||||||
// safe standardizes and sanitizes str for use as
|
// Safe standardizes and sanitizes str for use as
|
||||||
// a storage key. This method is idempotent.
|
// a storage key. This method is idempotent.
|
||||||
func (keys KeyBuilder) safe(str string) string {
|
func (keys KeyBuilder) Safe(str string) string {
|
||||||
str = strings.ToLower(str)
|
str = strings.ToLower(str)
|
||||||
str = strings.TrimSpace(str)
|
str = strings.TrimSpace(str)
|
||||||
|
|
||||||
|
|
2
vendor/github.com/xenolf/lego/acme/api/api.go
generated
vendored
2
vendor/github.com/xenolf/lego/acme/api/api.go
generated
vendored
|
@ -44,7 +44,7 @@ func New(httpClient *http.Client, userAgent string, caDirURL, kid string, privat
|
||||||
|
|
||||||
jws := secure.NewJWS(privateKey, kid, nonceManager)
|
jws := secure.NewJWS(privateKey, kid, nonceManager)
|
||||||
|
|
||||||
c := &Core{doer: doer, nonceManager: nonceManager, jws: jws, directory: dir}
|
c := &Core{doer: doer, nonceManager: nonceManager, jws: jws, directory: dir, HTTPClient: httpClient}
|
||||||
|
|
||||||
c.common.core = c
|
c.common.core = c
|
||||||
c.Accounts = (*AccountService)(&c.common)
|
c.Accounts = (*AccountService)(&c.common)
|
||||||
|
|
2
vendor/github.com/xenolf/lego/acme/api/internal/secure/jws.go
generated
vendored
2
vendor/github.com/xenolf/lego/acme/api/internal/secure/jws.go
generated
vendored
|
@ -10,7 +10,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"github.com/xenolf/lego/acme/api/internal/nonces"
|
"github.com/xenolf/lego/acme/api/internal/nonces"
|
||||||
"gopkg.in/square/go-jose.v2"
|
jose "gopkg.in/square/go-jose.v2"
|
||||||
)
|
)
|
||||||
|
|
||||||
// JWS Represents a JWS.
|
// JWS Represents a JWS.
|
||||||
|
|
2
vendor/github.com/xenolf/lego/acme/api/internal/sender/useragent.go
generated
vendored
2
vendor/github.com/xenolf/lego/acme/api/internal/sender/useragent.go
generated
vendored
|
@ -5,7 +5,7 @@ package sender
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// ourUserAgent is the User-Agent of this underlying library package.
|
// ourUserAgent is the User-Agent of this underlying library package.
|
||||||
ourUserAgent = "xenolf-acme/1.2.1"
|
ourUserAgent = "xenolf-acme/2.0.1"
|
||||||
|
|
||||||
// ourUserAgentComment is part of the UA comment linked to the version status of this underlying library package.
|
// ourUserAgentComment is part of the UA comment linked to the version status of this underlying library package.
|
||||||
// values: detach|release
|
// values: detach|release
|
||||||
|
|
74
vendor/github.com/xenolf/lego/certificate/certificates.go
generated
vendored
74
vendor/github.com/xenolf/lego/certificate/certificates.go
generated
vendored
|
@ -17,6 +17,7 @@ import (
|
||||||
"github.com/xenolf/lego/certcrypto"
|
"github.com/xenolf/lego/certcrypto"
|
||||||
"github.com/xenolf/lego/challenge"
|
"github.com/xenolf/lego/challenge"
|
||||||
"github.com/xenolf/lego/log"
|
"github.com/xenolf/lego/log"
|
||||||
|
"github.com/xenolf/lego/platform/wait"
|
||||||
"golang.org/x/crypto/ocsp"
|
"golang.org/x/crypto/ocsp"
|
||||||
"golang.org/x/net/idna"
|
"golang.org/x/net/idna"
|
||||||
)
|
)
|
||||||
|
@ -60,17 +61,24 @@ type resolver interface {
|
||||||
Solve(authorizations []acme.Authorization) error
|
Solve(authorizations []acme.Authorization) error
|
||||||
}
|
}
|
||||||
|
|
||||||
type Certifier struct {
|
type CertifierOptions struct {
|
||||||
core *api.Core
|
KeyType certcrypto.KeyType
|
||||||
keyType certcrypto.KeyType
|
Timeout time.Duration
|
||||||
resolver resolver
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewCertifier(core *api.Core, keyType certcrypto.KeyType, resolver resolver) *Certifier {
|
// Certifier A service to obtain/renew/revoke certificates.
|
||||||
|
type Certifier struct {
|
||||||
|
core *api.Core
|
||||||
|
resolver resolver
|
||||||
|
options CertifierOptions
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewCertifier creates a Certifier.
|
||||||
|
func NewCertifier(core *api.Core, resolver resolver, options CertifierOptions) *Certifier {
|
||||||
return &Certifier{
|
return &Certifier{
|
||||||
core: core,
|
core: core,
|
||||||
keyType: keyType,
|
|
||||||
resolver: resolver,
|
resolver: resolver,
|
||||||
|
options: options,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -191,7 +199,7 @@ func (c *Certifier) ObtainForCSR(csr x509.CertificateRequest, bundle bool) (*Res
|
||||||
func (c *Certifier) getForOrder(domains []string, order acme.ExtendedOrder, bundle bool, privateKey crypto.PrivateKey, mustStaple bool) (*Resource, error) {
|
func (c *Certifier) getForOrder(domains []string, order acme.ExtendedOrder, bundle bool, privateKey crypto.PrivateKey, mustStaple bool) (*Resource, error) {
|
||||||
if privateKey == nil {
|
if privateKey == nil {
|
||||||
var err error
|
var err error
|
||||||
privateKey, err = certcrypto.GeneratePrivateKey(c.keyType)
|
privateKey, err = certcrypto.GeneratePrivateKey(c.options.KeyType)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -237,9 +245,9 @@ func (c *Certifier) getForCSR(domains []string, order acme.ExtendedOrder, bundle
|
||||||
|
|
||||||
if respOrder.Status == acme.StatusValid {
|
if respOrder.Status == acme.StatusValid {
|
||||||
// if the certificate is available right away, short cut!
|
// if the certificate is available right away, short cut!
|
||||||
ok, err := c.checkResponse(respOrder, certRes, bundle)
|
ok, errR := c.checkResponse(respOrder, certRes, bundle)
|
||||||
if err != nil {
|
if errR != nil {
|
||||||
return nil, err
|
return nil, errR
|
||||||
}
|
}
|
||||||
|
|
||||||
if ok {
|
if ok {
|
||||||
|
@ -247,34 +255,26 @@ func (c *Certifier) getForCSR(domains []string, order acme.ExtendedOrder, bundle
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return c.waitForCertificate(certRes, order.Location, bundle)
|
timeout := c.options.Timeout
|
||||||
}
|
if c.options.Timeout <= 0 {
|
||||||
|
timeout = 30 * time.Second
|
||||||
func (c *Certifier) waitForCertificate(certRes *Resource, orderURL string, bundle bool) (*Resource, error) {
|
|
||||||
stopTimer := time.NewTimer(30 * time.Second)
|
|
||||||
defer stopTimer.Stop()
|
|
||||||
retryTick := time.NewTicker(500 * time.Millisecond)
|
|
||||||
defer retryTick.Stop()
|
|
||||||
|
|
||||||
for {
|
|
||||||
select {
|
|
||||||
case <-stopTimer.C:
|
|
||||||
return nil, errors.New("certificate polling timed out")
|
|
||||||
case <-retryTick.C:
|
|
||||||
order, err := c.core.Orders.Get(orderURL)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
done, err := c.checkResponse(order, certRes, bundle)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
if done {
|
|
||||||
return certRes, nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
err = wait.For("certificate", timeout, timeout/60, func() (bool, error) {
|
||||||
|
ord, errW := c.core.Orders.Get(order.Location)
|
||||||
|
if errW != nil {
|
||||||
|
return false, errW
|
||||||
|
}
|
||||||
|
|
||||||
|
done, errW := c.checkResponse(ord, certRes, bundle)
|
||||||
|
if errW != nil {
|
||||||
|
return false, errW
|
||||||
|
}
|
||||||
|
|
||||||
|
return done, nil
|
||||||
|
})
|
||||||
|
|
||||||
|
return certRes, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// checkResponse checks to see if the certificate is ready and a link is contained in the response.
|
// checkResponse checks to see if the certificate is ready and a link is contained in the response.
|
||||||
|
|
4
vendor/github.com/xenolf/lego/challenge/dns01/dns_challenge.go
generated
vendored
4
vendor/github.com/xenolf/lego/challenge/dns01/dns_challenge.go
generated
vendored
|
@ -123,7 +123,7 @@ func (c *Challenge) Solve(authz acme.Authorization) error {
|
||||||
|
|
||||||
log.Infof("[%s] acme: Checking DNS record propagation using %+v", domain, recursiveNameservers)
|
log.Infof("[%s] acme: Checking DNS record propagation using %+v", domain, recursiveNameservers)
|
||||||
|
|
||||||
err = wait.For(timeout, interval, func() (bool, error) {
|
err = wait.For("propagation", timeout, interval, func() (bool, error) {
|
||||||
stop, errP := c.preCheck.call(fqdn, value)
|
stop, errP := c.preCheck.call(fqdn, value)
|
||||||
if !stop || errP != nil {
|
if !stop || errP != nil {
|
||||||
log.Infof("[%s] acme: Waiting for DNS record propagation.", domain)
|
log.Infof("[%s] acme: Waiting for DNS record propagation.", domain)
|
||||||
|
@ -140,6 +140,8 @@ func (c *Challenge) Solve(authz acme.Authorization) error {
|
||||||
|
|
||||||
// CleanUp cleans the challenge.
|
// CleanUp cleans the challenge.
|
||||||
func (c *Challenge) CleanUp(authz acme.Authorization) error {
|
func (c *Challenge) CleanUp(authz acme.Authorization) error {
|
||||||
|
log.Infof("[%s] acme: Cleaning DNS-01 challenge", challenge.GetTargetedDomain(authz))
|
||||||
|
|
||||||
chlng, err := challenge.FindChallenge(challenge.DNS01, authz)
|
chlng, err := challenge.FindChallenge(challenge.DNS01, authz)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
|
8
vendor/github.com/xenolf/lego/challenge/dns01/precheck.go
generated
vendored
8
vendor/github.com/xenolf/lego/challenge/dns01/precheck.go
generated
vendored
|
@ -91,10 +91,14 @@ func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, erro
|
||||||
return false, fmt.Errorf("NS %s returned %s for %s", ns, dns.RcodeToString[r.Rcode], fqdn)
|
return false, fmt.Errorf("NS %s returned %s for %s", ns, dns.RcodeToString[r.Rcode], fqdn)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var records []string
|
||||||
|
|
||||||
var found bool
|
var found bool
|
||||||
for _, rr := range r.Answer {
|
for _, rr := range r.Answer {
|
||||||
if txt, ok := rr.(*dns.TXT); ok {
|
if txt, ok := rr.(*dns.TXT); ok {
|
||||||
if strings.Join(txt.Txt, "") == value {
|
record := strings.Join(txt.Txt, "")
|
||||||
|
records = append(records, record)
|
||||||
|
if record == value {
|
||||||
found = true
|
found = true
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
|
@ -102,7 +106,7 @@ func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, erro
|
||||||
}
|
}
|
||||||
|
|
||||||
if !found {
|
if !found {
|
||||||
return false, fmt.Errorf("NS %s did not return the expected TXT record [fqdn: %s]", ns, fqdn)
|
return false, fmt.Errorf("NS %s did not return the expected TXT record [fqdn: %s, value: %s]: %s", ns, fqdn, value, strings.Join(records, " ,"))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
7
vendor/github.com/xenolf/lego/challenge/resolver/prober.go
generated
vendored
7
vendor/github.com/xenolf/lego/challenge/resolver/prober.go
generated
vendored
|
@ -110,7 +110,7 @@ func sequentialSolve(authSolvers []*selectedAuthSolver, failures obtainError) {
|
||||||
// Solve challenge
|
// Solve challenge
|
||||||
err := authSolver.solver.Solve(authSolver.authz)
|
err := authSolver.solver.Solve(authSolver.authz)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
failures[authSolver.authz.Identifier.Value] = err
|
failures[domain] = err
|
||||||
cleanUp(authSolver.solver, authSolver.authz)
|
cleanUp(authSolver.solver, authSolver.authz)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
@ -149,14 +149,15 @@ func parallelSolve(authSolvers []*selectedAuthSolver, failures obtainError) {
|
||||||
// Finally solve all challenges for real
|
// Finally solve all challenges for real
|
||||||
for _, authSolver := range authSolvers {
|
for _, authSolver := range authSolvers {
|
||||||
authz := authSolver.authz
|
authz := authSolver.authz
|
||||||
if failures[authz.Identifier.Value] != nil {
|
domain := challenge.GetTargetedDomain(authz)
|
||||||
|
if failures[domain] != nil {
|
||||||
// already failed in previous loop
|
// already failed in previous loop
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
err := authSolver.solver.Solve(authz)
|
err := authSolver.solver.Solve(authz)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
failures[authz.Identifier.Value] = err
|
failures[domain] = err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
59
vendor/github.com/xenolf/lego/challenge/resolver/solver_manager.go
generated
vendored
59
vendor/github.com/xenolf/lego/challenge/resolver/solver_manager.go
generated
vendored
|
@ -3,7 +3,6 @@ package resolver
|
||||||
import (
|
import (
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
|
||||||
"sort"
|
"sort"
|
||||||
"strconv"
|
"strconv"
|
||||||
"time"
|
"time"
|
||||||
|
@ -21,7 +20,7 @@ type byType []acme.Challenge
|
||||||
|
|
||||||
func (a byType) Len() int { return len(a) }
|
func (a byType) Len() int { return len(a) }
|
||||||
func (a byType) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
|
func (a byType) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
|
||||||
func (a byType) Less(i, j int) bool { return a[i].Type < a[j].Type }
|
func (a byType) Less(i, j int) bool { return a[i].Type > a[j].Type }
|
||||||
|
|
||||||
type SolverManager struct {
|
type SolverManager struct {
|
||||||
core *api.Core
|
core *api.Core
|
||||||
|
@ -29,55 +28,12 @@ type SolverManager struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewSolversManager(core *api.Core) *SolverManager {
|
func NewSolversManager(core *api.Core) *SolverManager {
|
||||||
solvers := map[challenge.Type]solver{
|
|
||||||
challenge.HTTP01: http01.NewChallenge(core, validate, &http01.ProviderServer{}),
|
|
||||||
challenge.TLSALPN01: tlsalpn01.NewChallenge(core, validate, &tlsalpn01.ProviderServer{}),
|
|
||||||
}
|
|
||||||
|
|
||||||
return &SolverManager{
|
return &SolverManager{
|
||||||
solvers: solvers,
|
solvers: map[challenge.Type]solver{},
|
||||||
core: core,
|
core: core,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetHTTP01Address specifies a custom interface:port to be used for HTTP based challenges.
|
|
||||||
// If this option is not used, the default port 80 and all interfaces will be used.
|
|
||||||
// To only specify a port and no interface use the ":port" notation.
|
|
||||||
//
|
|
||||||
// NOTE: This REPLACES any custom HTTP provider previously set by calling
|
|
||||||
// c.SetProvider with the default HTTP challenge provider.
|
|
||||||
func (c *SolverManager) SetHTTP01Address(iface string) error {
|
|
||||||
host, port, err := net.SplitHostPort(iface)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if chlng, ok := c.solvers[challenge.HTTP01]; ok {
|
|
||||||
chlng.(*http01.Challenge).SetProvider(http01.NewProviderServer(host, port))
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// SetTLSALPN01Address specifies a custom interface:port to be used for TLS based challenges.
|
|
||||||
// If this option is not used, the default port 443 and all interfaces will be used.
|
|
||||||
// To only specify a port and no interface use the ":port" notation.
|
|
||||||
//
|
|
||||||
// NOTE: This REPLACES any custom TLS-ALPN provider previously set by calling
|
|
||||||
// c.SetProvider with the default TLS-ALPN challenge provider.
|
|
||||||
func (c *SolverManager) SetTLSALPN01Address(iface string) error {
|
|
||||||
host, port, err := net.SplitHostPort(iface)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if chlng, ok := c.solvers[challenge.TLSALPN01]; ok {
|
|
||||||
chlng.(*tlsalpn01.Challenge).SetProvider(tlsalpn01.NewProviderServer(host, port))
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// SetHTTP01Provider specifies a custom provider p that can solve the given HTTP-01 challenge.
|
// SetHTTP01Provider specifies a custom provider p that can solve the given HTTP-01 challenge.
|
||||||
func (c *SolverManager) SetHTTP01Provider(p challenge.Provider) error {
|
func (c *SolverManager) SetHTTP01Provider(p challenge.Provider) error {
|
||||||
c.solvers[challenge.HTTP01] = http01.NewChallenge(c.core, validate, p)
|
c.solvers[challenge.HTTP01] = http01.NewChallenge(c.core, validate, p)
|
||||||
|
@ -96,18 +52,15 @@ func (c *SolverManager) SetDNS01Provider(p challenge.Provider, opts ...dns01.Cha
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Exclude explicitly removes challenges from the pool for solving.
|
// Remove Remove a challenge type from the available solvers.
|
||||||
func (c *SolverManager) Exclude(challenges []challenge.Type) {
|
func (c *SolverManager) Remove(chlgType challenge.Type) {
|
||||||
// Loop through all challenges and delete the requested one if found.
|
delete(c.solvers, chlgType)
|
||||||
for _, chlg := range challenges {
|
|
||||||
delete(c.solvers, chlg)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Checks all challenges from the server in order and returns the first matching solver.
|
// Checks all challenges from the server in order and returns the first matching solver.
|
||||||
func (c *SolverManager) chooseSolver(authz acme.Authorization) solver {
|
func (c *SolverManager) chooseSolver(authz acme.Authorization) solver {
|
||||||
// Allow to have a deterministic challenge order
|
// Allow to have a deterministic challenge order
|
||||||
sort.Sort(sort.Reverse(byType(authz.Challenges)))
|
sort.Sort(byType(authz.Challenges))
|
||||||
|
|
||||||
domain := challenge.GetTargetedDomain(authz)
|
domain := challenge.GetTargetedDomain(authz)
|
||||||
for _, chlg := range authz.Challenges {
|
for _, chlg := range authz.Challenges {
|
||||||
|
|
3
vendor/github.com/xenolf/lego/lego/client.go
generated
vendored
3
vendor/github.com/xenolf/lego/lego/client.go
generated
vendored
|
@ -53,9 +53,10 @@ func NewClient(config *Config) (*Client, error) {
|
||||||
solversManager := resolver.NewSolversManager(core)
|
solversManager := resolver.NewSolversManager(core)
|
||||||
|
|
||||||
prober := resolver.NewProber(solversManager)
|
prober := resolver.NewProber(solversManager)
|
||||||
|
certifier := certificate.NewCertifier(core, prober, certificate.CertifierOptions{KeyType: config.Certificate.KeyType, Timeout: config.Certificate.Timeout})
|
||||||
|
|
||||||
return &Client{
|
return &Client{
|
||||||
Certificate: certificate.NewCertifier(core, config.KeyType, prober),
|
Certificate: certifier,
|
||||||
Challenge: solversManager,
|
Challenge: solversManager,
|
||||||
Registration: registration.NewRegistrar(core, config.User),
|
Registration: registration.NewRegistrar(core, config.User),
|
||||||
core: core,
|
core: core,
|
||||||
|
|
20
vendor/github.com/xenolf/lego/lego/client_config.go
generated
vendored
20
vendor/github.com/xenolf/lego/lego/client_config.go
generated
vendored
|
@ -35,22 +35,30 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
type Config struct {
|
type Config struct {
|
||||||
CADirURL string
|
CADirURL string
|
||||||
User registration.User
|
User registration.User
|
||||||
KeyType certcrypto.KeyType
|
UserAgent string
|
||||||
UserAgent string
|
HTTPClient *http.Client
|
||||||
HTTPClient *http.Client
|
Certificate CertificateConfig
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewConfig(user registration.User) *Config {
|
func NewConfig(user registration.User) *Config {
|
||||||
return &Config{
|
return &Config{
|
||||||
CADirURL: LEDirectoryProduction,
|
CADirURL: LEDirectoryProduction,
|
||||||
User: user,
|
User: user,
|
||||||
KeyType: certcrypto.RSA2048,
|
|
||||||
HTTPClient: createDefaultHTTPClient(),
|
HTTPClient: createDefaultHTTPClient(),
|
||||||
|
Certificate: CertificateConfig{
|
||||||
|
KeyType: certcrypto.RSA2048,
|
||||||
|
Timeout: 30 * time.Second,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type CertificateConfig struct {
|
||||||
|
KeyType certcrypto.KeyType
|
||||||
|
Timeout time.Duration
|
||||||
|
}
|
||||||
|
|
||||||
// createDefaultHTTPClient Creates an HTTP client with a reasonable timeout value
|
// createDefaultHTTPClient Creates an HTTP client with a reasonable timeout value
|
||||||
// and potentially a custom *x509.CertPool
|
// and potentially a custom *x509.CertPool
|
||||||
// based on the caCertificatesEnvVar environment variable (see the `initCertPool` function)
|
// based on the caCertificatesEnvVar environment variable (see the `initCertPool` function)
|
||||||
|
|
4
vendor/github.com/xenolf/lego/platform/wait/wait.go
generated
vendored
4
vendor/github.com/xenolf/lego/platform/wait/wait.go
generated
vendored
|
@ -8,8 +8,8 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
// For polls the given function 'f', once every 'interval', up to 'timeout'.
|
// For polls the given function 'f', once every 'interval', up to 'timeout'.
|
||||||
func For(timeout, interval time.Duration, f func() (bool, error)) error {
|
func For(msg string, timeout, interval time.Duration, f func() (bool, error)) error {
|
||||||
log.Infof("Wait [timeout: %s, interval: %s]", timeout, interval)
|
log.Infof("Wait for %s [timeout: %s, interval: %s]", msg, timeout, interval)
|
||||||
|
|
||||||
var lastErr string
|
var lastErr string
|
||||||
timeUp := time.After(timeout)
|
timeUp := time.After(timeout)
|
||||||
|
|
16
vendor/manifest
vendored
16
vendor/manifest
vendored
|
@ -138,7 +138,7 @@
|
||||||
"importpath": "github.com/mholt/certmagic",
|
"importpath": "github.com/mholt/certmagic",
|
||||||
"repository": "https://github.com/mholt/certmagic",
|
"repository": "https://github.com/mholt/certmagic",
|
||||||
"vcs": "git",
|
"vcs": "git",
|
||||||
"revision": "a3b276a1b44e1c2c3dcab752729976ea04f4839b",
|
"revision": "707b20497ed70e559300ae4e91c6fd7db973fffc",
|
||||||
"branch": "master",
|
"branch": "master",
|
||||||
"notests": true
|
"notests": true
|
||||||
},
|
},
|
||||||
|
@ -178,7 +178,7 @@
|
||||||
"importpath": "github.com/xenolf/lego/acme",
|
"importpath": "github.com/xenolf/lego/acme",
|
||||||
"repository": "https://github.com/xenolf/lego",
|
"repository": "https://github.com/xenolf/lego",
|
||||||
"vcs": "git",
|
"vcs": "git",
|
||||||
"revision": "b05b54d1f69a31ceed92e2995243c5b17821c9e4",
|
"revision": "a43ec709e8034f388aab28d14b97aeed0e7aa98c",
|
||||||
"branch": "master",
|
"branch": "master",
|
||||||
"path": "acme",
|
"path": "acme",
|
||||||
"notests": true
|
"notests": true
|
||||||
|
@ -187,7 +187,7 @@
|
||||||
"importpath": "github.com/xenolf/lego/certcrypto",
|
"importpath": "github.com/xenolf/lego/certcrypto",
|
||||||
"repository": "https://github.com/xenolf/lego",
|
"repository": "https://github.com/xenolf/lego",
|
||||||
"vcs": "git",
|
"vcs": "git",
|
||||||
"revision": "b05b54d1f69a31ceed92e2995243c5b17821c9e4",
|
"revision": "a43ec709e8034f388aab28d14b97aeed0e7aa98c",
|
||||||
"branch": "master",
|
"branch": "master",
|
||||||
"path": "certcrypto",
|
"path": "certcrypto",
|
||||||
"notests": true
|
"notests": true
|
||||||
|
@ -196,7 +196,7 @@
|
||||||
"importpath": "github.com/xenolf/lego/certificate",
|
"importpath": "github.com/xenolf/lego/certificate",
|
||||||
"repository": "https://github.com/xenolf/lego",
|
"repository": "https://github.com/xenolf/lego",
|
||||||
"vcs": "git",
|
"vcs": "git",
|
||||||
"revision": "b05b54d1f69a31ceed92e2995243c5b17821c9e4",
|
"revision": "a43ec709e8034f388aab28d14b97aeed0e7aa98c",
|
||||||
"branch": "master",
|
"branch": "master",
|
||||||
"path": "certificate",
|
"path": "certificate",
|
||||||
"notests": true
|
"notests": true
|
||||||
|
@ -205,7 +205,7 @@
|
||||||
"importpath": "github.com/xenolf/lego/challenge",
|
"importpath": "github.com/xenolf/lego/challenge",
|
||||||
"repository": "https://github.com/xenolf/lego",
|
"repository": "https://github.com/xenolf/lego",
|
||||||
"vcs": "git",
|
"vcs": "git",
|
||||||
"revision": "b05b54d1f69a31ceed92e2995243c5b17821c9e4",
|
"revision": "a43ec709e8034f388aab28d14b97aeed0e7aa98c",
|
||||||
"branch": "master",
|
"branch": "master",
|
||||||
"path": "/challenge",
|
"path": "/challenge",
|
||||||
"notests": true
|
"notests": true
|
||||||
|
@ -214,7 +214,7 @@
|
||||||
"importpath": "github.com/xenolf/lego/lego",
|
"importpath": "github.com/xenolf/lego/lego",
|
||||||
"repository": "https://github.com/xenolf/lego",
|
"repository": "https://github.com/xenolf/lego",
|
||||||
"vcs": "git",
|
"vcs": "git",
|
||||||
"revision": "b05b54d1f69a31ceed92e2995243c5b17821c9e4",
|
"revision": "a43ec709e8034f388aab28d14b97aeed0e7aa98c",
|
||||||
"branch": "master",
|
"branch": "master",
|
||||||
"path": "/lego",
|
"path": "/lego",
|
||||||
"notests": true
|
"notests": true
|
||||||
|
@ -232,7 +232,7 @@
|
||||||
"importpath": "github.com/xenolf/lego/platform/wait",
|
"importpath": "github.com/xenolf/lego/platform/wait",
|
||||||
"repository": "https://github.com/xenolf/lego",
|
"repository": "https://github.com/xenolf/lego",
|
||||||
"vcs": "git",
|
"vcs": "git",
|
||||||
"revision": "b05b54d1f69a31ceed92e2995243c5b17821c9e4",
|
"revision": "a43ec709e8034f388aab28d14b97aeed0e7aa98c",
|
||||||
"branch": "master",
|
"branch": "master",
|
||||||
"path": "platform/wait",
|
"path": "platform/wait",
|
||||||
"notests": true
|
"notests": true
|
||||||
|
@ -241,7 +241,7 @@
|
||||||
"importpath": "github.com/xenolf/lego/registration",
|
"importpath": "github.com/xenolf/lego/registration",
|
||||||
"repository": "https://github.com/xenolf/lego",
|
"repository": "https://github.com/xenolf/lego",
|
||||||
"vcs": "git",
|
"vcs": "git",
|
||||||
"revision": "b05b54d1f69a31ceed92e2995243c5b17821c9e4",
|
"revision": "a43ec709e8034f388aab28d14b97aeed0e7aa98c",
|
||||||
"branch": "master",
|
"branch": "master",
|
||||||
"path": "registration",
|
"path": "registration",
|
||||||
"notests": true
|
"notests": true
|
||||||
|
|
Loading…
Reference in a new issue