Merge remote-tracking branch 'origin/master' into cpu-acme-dns-provider

acme/client.go

@@ -5,6 +5,7 @@ import (
 	"crypto"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"io/ioutil"
@@ -662,9 +663,18 @@ func (c *Client) requestCertificateForOrder(order orderResource, bundle bool, pr
 
 	// determine certificate name(s) based on the authorization resources
 	commonName := order.Domains[0]
-	var san []string
+
+	// ACME draft Section 7.4 "Applying for Certificate Issuance"
+	// https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4
+	// says:
+	//   Clients SHOULD NOT make any assumptions about the sort order of
+	//   "identifiers" or "authorizations" elements in the returned order
+	//   object.
+	san := []string{commonName}
 	for _, auth := range order.Identifiers {
-		san = append(san, auth.Value)
+		if auth.Value != commonName {
+			san = append(san, auth.Value)
+		}
 	}
 
 	// TODO: should the CSR be customizable?
@@ -681,13 +691,13 @@ func (c *Client) requestCertificateForCsr(order orderResource, bundle bool, csr
 
 	csrString := base64.RawURLEncoding.EncodeToString(csr)
 	var retOrder orderMessage
-	_, error := postJSON(c.jws, order.Finalize, csrMessage{Csr: csrString}, &retOrder)
-	if error != nil {
-		return nil, error
+	_, err := postJSON(c.jws, order.Finalize, csrMessage{Csr: csrString}, &retOrder)
+	if err != nil {
+		return nil, err
 	}
 
 	if retOrder.Status == "invalid" {
-		return nil, error
+		return nil, err
 	}
 
 	certRes := CertificateResource{
@@ -753,8 +763,9 @@ func (c *Client) checkCertResponse(order orderMessage, certRes *CertificateResou
 			return false, err
 		}
 
-		// The issuer certificate link is always supplied via an "up" link
-		// in the response headers of a new certificate.
+		// The issuer certificate link may be supplied via an "up" link
+		// in the response headers of a new certificate.  See
+		// https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4.2
 		links := parseLinks(resp.Header["Link"])
 		if link, ok := links["up"]; ok {
 			issuerCert, err := c.getIssuerCertificate(link)
@@ -773,6 +784,13 @@ func (c *Client) checkCertResponse(order orderMessage, certRes *CertificateResou
 
 				certRes.IssuerCertificate = issuerCert
 			}
+		} else {
+			// Get issuerCert from bundled response from Let's Encrypt
+			// See https://community.letsencrypt.org/t/acme-v2-no-up-link-in-response/64962
+			_, rest := pem.Decode(cert)
+			if rest != nil {
+				certRes.IssuerCertificate = rest
+			}
 		}
 
 		certRes.Certificate = cert

acme/crypto.go

@@ -215,9 +215,7 @@ func generatePrivateKey(keyType KeyType) (crypto.PrivateKey, error) {
 
 func generateCsr(privateKey crypto.PrivateKey, domain string, san []string, mustStaple bool) ([]byte, error) {
 	template := x509.CertificateRequest{
-		Subject: pkix.Name{
-			CommonName: domain,
-		},
+		Subject: pkix.Name{CommonName: domain},
 	}
 
 	if len(san) > 0 {

acme/http.go

@@ -26,15 +26,16 @@ var (
 	HTTPClient = http.Client{
 		Transport: &http.Transport{
 			Proxy: http.ProxyFromEnvironment,
-			Dial: (&net.Dialer{
+			DialContext: (&net.Dialer{
 				Timeout:   30 * time.Second,
 				KeepAlive: 30 * time.Second,
-			}).Dial,
+			}).DialContext,
 			TLSHandshakeTimeout:   15 * time.Second,
 			ResponseHeaderTimeout: 15 * time.Second,
 			ExpectContinueTimeout: 1 * time.Second,
 			TLSClientConfig: &tls.Config{
-				RootCAs: initCertPool(),
+				ServerName: os.Getenv(caServerNameEnvVar),
+				RootCAs:    initCertPool(),
 			},
 		},
 	}
@@ -53,6 +54,12 @@ const (
 	// authenticate an ACME server with a HTTPS certificate not issued by a CA in
 	// the system-wide trusted root list.
 	caCertificatesEnvVar = "LEGO_CA_CERTIFICATES"
+
+	// caServerNameEnvVar is the environment variable name that can be used to
+	// specify the CA server name that can be used to
+	// authenticate an ACME server with a HTTPS certificate not issued by a CA in
+	// the system-wide trusted root list.
+	caServerNameEnvVar = "LEGO_CA_SERVER_NAME"
 )
 
 // initCertPool creates a *x509.CertPool populated with the PEM certificates

cli.go

@@ -218,10 +218,12 @@ Here is an example bash command using the CloudFlare DNS provider:
 	fmt.Fprintln(w, "\tmanual:\tnone")
 	fmt.Fprintln(w, "\tnamecheap:\tNAMECHEAP_API_USER, NAMECHEAP_API_KEY")
 	fmt.Fprintln(w, "\tnamedotcom:\tNAMECOM_USERNAME, NAMECOM_API_TOKEN")
+	fmt.Fprintln(w, "\tnifcloud:\tNIFCLOUD_ACCESS_KEY_ID, NIFCLOUD_SECRET_ACCESS_KEY")
 	fmt.Fprintln(w, "\trackspace:\tRACKSPACE_USER, RACKSPACE_API_KEY")
 	fmt.Fprintln(w, "\trfc2136:\tRFC2136_TSIG_KEY, RFC2136_TSIG_SECRET,\n\t\tRFC2136_TSIG_ALGORITHM, RFC2136_NAMESERVER")
 	fmt.Fprintln(w, "\troute53:\tAWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, AWS_HOSTED_ZONE_ID")
 	fmt.Fprintln(w, "\tdyn:\tDYN_CUSTOMER_NAME, DYN_USER_NAME, DYN_PASSWORD")
+	fmt.Fprintln(w, "\tvegadns:\tSECRET_VEGADNS_KEY, SECRET_VEGADNS_SECRET, VEGADNS_URL")
 	fmt.Fprintln(w, "\tvultr:\tVULTR_API_KEY")
 	fmt.Fprintln(w, "\tovh:\tOVH_ENDPOINT, OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET, OVH_CONSUMER_KEY")
 	fmt.Fprintln(w, "\tpdns:\tPDNS_API_KEY, PDNS_API_URL")

providers/dns/dns_providers.go

@@ -28,6 +28,7 @@ import (
 	"github.com/xenolf/lego/providers/dns/linode"
 	"github.com/xenolf/lego/providers/dns/namecheap"
 	"github.com/xenolf/lego/providers/dns/namedotcom"
+	"github.com/xenolf/lego/providers/dns/nifcloud"
 	"github.com/xenolf/lego/providers/dns/ns1"
 	"github.com/xenolf/lego/providers/dns/otc"
 	"github.com/xenolf/lego/providers/dns/ovh"
@@ -36,6 +37,7 @@ import (
 	"github.com/xenolf/lego/providers/dns/rfc2136"
 	"github.com/xenolf/lego/providers/dns/route53"
 	"github.com/xenolf/lego/providers/dns/sakuracloud"
+	"github.com/xenolf/lego/providers/dns/vegadns"
 	"github.com/xenolf/lego/providers/dns/vultr"
 )
 
@@ -90,6 +92,8 @@ func NewDNSChallengeProviderByName(name string) (acme.ChallengeProvider, error)
 		return namecheap.NewDNSProvider()
 	case "namedotcom":
 		return namedotcom.NewDNSProvider()
+	case "nifcloud":
+		return nifcloud.NewDNSProvider()
 	case "rackspace":
 		return rackspace.NewDNSProvider()
 	case "route53":
@@ -110,6 +114,8 @@ func NewDNSChallengeProviderByName(name string) (acme.ChallengeProvider, error)
 		return otc.NewDNSProvider()
 	case "exec":
 		return exec.NewDNSProvider()
+	case "vegadns":
+		return vegadns.NewDNSProvider()
 	default:
 		return nil, fmt.Errorf("unrecognised DNS provider: %s", name)
 	}

providers/dns/lightsail/lightsail.go

@@ -4,6 +4,7 @@ package lightsail
 
 import (
 	"math/rand"
+	"os"
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -20,7 +21,8 @@ const (
 
 // DNSProvider implements the acme.ChallengeProvider interface
 type DNSProvider struct {
-	client *lightsail.Lightsail
+	client  *lightsail.Lightsail
+	dnsZone string
 }
 
 // customRetryer implements the client.Retryer interface by composing the
@@ -61,18 +63,24 @@ func (c customRetryer) RetryRules(r *request.Request) time.Duration {
 func NewDNSProvider() (*DNSProvider, error) {
 	r := customRetryer{}
 	r.NumMaxRetries = maxRetries
-	config := request.WithRetryer(aws.NewConfig(), r)
-	client := lightsail.New(session.New(config))
+
+	config := aws.NewConfig().WithRegion("us-east-1")
+	sess, err := session.NewSession(request.WithRetryer(config, r))
+	if err != nil {
+		return nil, err
+	}
 
 	return &DNSProvider{
-		client: client,
+		dnsZone: os.Getenv("DNS_ZONE"),
+		client:  lightsail.New(sess),
 	}, nil
 }
 
 // Present creates a TXT record using the specified parameters
 func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 	fqdn, value, _ := acme.DNS01Record(domain, keyAuth)
 	value = `"` + value + `"`
+
 	err := d.newTxtRecord(domain, fqdn, value)
 	return err
 }
@@ -82,7 +90,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 	fqdn, value, _ := acme.DNS01Record(domain, keyAuth)
 	value = `"` + value + `"`
 	params := &lightsail.DeleteDomainEntryInput{
-		DomainName: aws.String(domain),
+		DomainName: aws.String(d.dnsZone),
 		DomainEntry: &lightsail.DomainEntry{
 			Name:   aws.String(fqdn),
 			Type:   aws.String("TXT"),
@@ -95,7 +103,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 
 func (d *DNSProvider) newTxtRecord(domain string, fqdn string, value string) error {
 	params := &lightsail.CreateDomainEntryInput{
-		DomainName: aws.String(domain),
+		DomainName: aws.String(d.dnsZone),
 		DomainEntry: &lightsail.DomainEntry{
 			Name:   aws.String(fqdn),
 			Target: aws.String(value),

providers/dns/lightsail/lightsail_integration_test.go

@@ -26,7 +26,10 @@ func TestLightsailTTL(t *testing.T) {
 	// we need a separate Lightshail client here as the one in the DNS provider is
 	// unexported.
 	fqdn := "_acme-challenge." + m["lightsailDomain"]
-	svc := lightsail.New(session.New())
+	sess, err := session.NewSession()
+	require.NoError(t, err)
+
+	svc := lightsail.New(sess)
 	if err != nil {
 		provider.CleanUp(m["lightsailDomain"], "foo", "bar")
 		t.Fatal(err)

providers/dns/lightsail/lightsail_test.go

@@ -9,7 +9,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/lightsail"
-	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 var (
@@ -30,16 +30,21 @@ func restoreEnv() {
 	os.Setenv("AWS_HOSTED_ZONE_ID", lightsailZone)
 }
 
-func makeLightsailProvider(ts *httptest.Server) *DNSProvider {
+func makeLightsailProvider(ts *httptest.Server) (*DNSProvider, error) {
 	config := &aws.Config{
 		Credentials: credentials.NewStaticCredentials("abc", "123", " "),
 		Endpoint:    aws.String(ts.URL),
 		Region:      aws.String("mock-region"),
 		MaxRetries:  aws.Int(1),
 	}
 
-	client := lightsail.New(session.New(config))
-	return &DNSProvider{client: client}
+	sess, err := session.NewSession(config)
+	if err != nil {
+		return nil, err
+	}
+
+	client := lightsail.New(sess)
+	return &DNSProvider{client: client}, nil
 }
 
 func TestCredentialsFromEnv(t *testing.T) {
@@ -52,24 +57,27 @@ func TestCredentialsFromEnv(t *testing.T) {
 		CredentialsChainVerboseErrors: aws.Bool(true),
 	}
 
-	sess := session.New(config)
-	_, err := sess.Config.Credentials.Get()
-	assert.NoError(t, err, "Expected credentials to be set from environment")
+	sess, err := session.NewSession(config)
+	require.NoError(t, err)
+
+	_, err = sess.Config.Credentials.Get()
+	require.NoError(t, err, "Expected credentials to be set from environment")
 }
 
 func TestLightsailPresent(t *testing.T) {
-	mockResponses := MockResponseMap{
-		"/": MockResponse{StatusCode: 200, Body: ""},
+	mockResponses := map[string]MockResponse{
+		"/": {StatusCode: 200, Body: ""},
 	}
 
 	ts := newMockServer(t, mockResponses)
 	defer ts.Close()
 
-	provider := makeLightsailProvider(ts)
+	provider, err := makeLightsailProvider(ts)
+	require.NoError(t, err)
 
 	domain := "example.com"
 	keyAuth := "123456d=="
 
-	err := provider.Present(domain, "", keyAuth)
-	assert.NoError(t, err, "Expected Present to return no error")
+	err = provider.Present(domain, "", keyAuth)
+	require.NoError(t, err, "Expected Present to return no error")
 }

providers/dns/lightsail/testutil_test.go → providers/dns/lightsail/mock_server_test.go

@@ -16,10 +16,7 @@ type MockResponse struct {
 	Body       string
 }
 
-// MockResponseMap maps request paths to responses
-type MockResponseMap map[string]MockResponse
-
-func newMockServer(t *testing.T, responses MockResponseMap) *httptest.Server {
+func newMockServer(t *testing.T, responses map[string]MockResponse) *httptest.Server {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		path := r.URL.Path
 		resp, ok := responses[path]