Updates of Lego.

2019-02-11 08:52:03 +01:00 · 2019-02-11 08:52:03 +01:00 · 2b2cfdfb32
commit 2b2cfdfb32
parent 5f4d440493
102 changed files with 8355 additions and 902 deletions
--- a/vendor/github.com/xenolf/lego/acme/api/api.go
+++ b/vendor/github.com/xenolf/lego/acme/api/api.go
@ -2,12 +2,15 @@ package api

 import (
 	"bytes"
+	"context"
 	"crypto"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
+	"time"

+	"github.com/cenkalti/backoff"
 	"github.com/xenolf/lego/acme"
 	"github.com/xenolf/lego/acme/api/internal/nonces"
 	"github.com/xenolf/lego/acme/api/internal/secure"
@ -64,34 +67,46 @@ func (a *Core) post(uri string, reqBody, response interface{}) (*http.Response,
 		return nil, errors.New("failed to marshal message")
 	}

-	return a.retrievablePost(uri, content, response, 0)
+	return a.retrievablePost(uri, content, response)
 }

 // postAsGet performs an HTTP POST ("POST-as-GET") request.
 // https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-6.3
 func (a *Core) postAsGet(uri string, response interface{}) (*http.Response, error) {
-	return a.retrievablePost(uri, []byte{}, response, 0)
+	return a.retrievablePost(uri, []byte{}, response)
 }

-func (a *Core) retrievablePost(uri string, content []byte, response interface{}, retry int) (*http.Response, error) {
-	resp, err := a.signedPost(uri, content, response)
-	if err != nil {
-		// during tests, 5 retries allow to support ~50% of bad nonce.
-		if retry >= 5 {
-			log.Infof("too many retry on a nonce error, retry count: %d", retry)
-			return resp, err
-		}
-		switch err.(type) {
-		// Retry once if the nonce was invalidated
-		case *acme.NonceError:
-			log.Infof("nonce error retry: %s", err)
-			resp, err = a.retrievablePost(uri, content, response, retry+1)
-			if err != nil {
-				return resp, err
+func (a *Core) retrievablePost(uri string, content []byte, response interface{}) (*http.Response, error) {
+	// during tests, allow to support ~90% of bad nonce with a minimum of attempts.
+	bo := backoff.NewExponentialBackOff()
+	bo.InitialInterval = 200 * time.Millisecond
+	bo.MaxInterval = 5 * time.Second
+	bo.MaxElapsedTime = 20 * time.Second
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	var resp *http.Response
+	operation := func() error {
+		var err error
+		resp, err = a.signedPost(uri, content, response)
+		if err != nil {
+			switch err.(type) {
+			// Retry if the nonce was invalidated
+			case *acme.NonceError:
+				log.Infof("nonce error retry: %s", err)
+				return err
+			default:
+				cancel()
+				return err
 			}
-		default:
-			return resp, err
 		}
+
+		return nil
+	}
+
+	err := backoff.Retry(operation, backoff.WithContext(bo, ctx))
+	if err != nil {
+		return nil, err
 	}

 	return resp, nil
--- a/vendor/github.com/xenolf/lego/acme/api/internal/sender/useragent.go
+++ b/vendor/github.com/xenolf/lego/acme/api/internal/sender/useragent.go
@ -5,7 +5,7 @@ package sender

 const (
 	// ourUserAgent is the User-Agent of this underlying library package.
-	ourUserAgent = "xenolf-acme/2.1.0"
+	ourUserAgent = "xenolf-acme/2.2.0"

 	// ourUserAgentComment is part of the UA comment linked to the version status of this underlying library package.
 	// values: detach|release
--- a/vendor/github.com/xenolf/lego/certcrypto/crypto.go
+++ b/vendor/github.com/xenolf/lego/certcrypto/crypto.go
@ -124,6 +124,10 @@ func GenerateCSR(privateKey crypto.PrivateKey, domain string, san []string, must
 }

 func PEMEncode(data interface{}) []byte {
+	return pem.EncodeToMemory(PEMBlock(data))
+}
+
+func PEMBlock(data interface{}) *pem.Block {
 	var pemBlock *pem.Block
 	switch key := data.(type) {
 	case *ecdsa.PrivateKey:
@ -137,7 +141,7 @@ func PEMEncode(data interface{}) []byte {
 		pemBlock = &pem.Block{Type: "CERTIFICATE", Bytes: []byte(data.(DERCertificateBytes))}
 	}

-	return pem.EncodeToMemory(pemBlock)
+	return pemBlock
 }

 func pemDecode(data []byte) (*pem.Block, error) {
--- a/vendor/github.com/xenolf/lego/challenge/dns01/cname.go
+++ b/vendor/github.com/xenolf/lego/challenge/dns01/cname.go
@ -0,0 +1,16 @@
+package dns01
+
+import "github.com/miekg/dns"
+
+// Update FQDN with CNAME if any
+func updateDomainWithCName(r *dns.Msg, fqdn string) string {
+	for _, rr := range r.Answer {
+		if cn, ok := rr.(*dns.CNAME); ok {
+			if cn.Hdr.Name == fqdn {
+				return cn.Target
+			}
+		}
+	}
+
+	return fqdn
+}
--- a/vendor/github.com/xenolf/lego/challenge/dns01/dns_challenge.go
+++ b/vendor/github.com/xenolf/lego/challenge/dns01/dns_challenge.go
@ -4,8 +4,11 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
+	"os"
+	"strconv"
 	"time"

+	"github.com/miekg/dns"
 	"github.com/xenolf/lego/acme"
 	"github.com/xenolf/lego/acme/api"
 	"github.com/xenolf/lego/challenge"
@ -135,7 +138,7 @@ func (c *Challenge) Solve(authz acme.Authorization) error {
 	}

 	chlng.KeyAuthorization = keyAuth
-	return c.validate(c.core, authz.Identifier.Value, chlng)
+	return c.validate(c.core, domain, chlng)
 }

 // CleanUp cleans the challenge.
@ -172,5 +175,14 @@ func GetRecord(domain, keyAuth string) (fqdn string, value string) {
 	// base64URL encoding without padding
 	value = base64.RawURLEncoding.EncodeToString(keyAuthShaBytes[:sha256.Size])
 	fqdn = fmt.Sprintf("_acme-challenge.%s.", domain)
+
+	if ok, _ := strconv.ParseBool(os.Getenv("LEGO_EXPERIMENTAL_CNAME_SUPPORT")); ok {
+		r, err := dnsQuery(fqdn, dns.TypeCNAME, recursiveNameservers, true)
+		// Check if the domain has CNAME then return that
+		if err == nil && r.Rcode == dns.RcodeSuccess {
+			fqdn = updateDomainWithCName(r, fqdn)
+		}
+	}
+
 	return
 }
--- a/vendor/github.com/xenolf/lego/challenge/dns01/precheck.go
+++ b/vendor/github.com/xenolf/lego/challenge/dns01/precheck.go
@ -60,15 +60,7 @@ func (p preCheck) checkDNSPropagation(fqdn, value string) (bool, error) {
 	}

 	if r.Rcode == dns.RcodeSuccess {
-		// If we see a CNAME here then use the alias
-		for _, rr := range r.Answer {
-			if cn, ok := rr.(*dns.CNAME); ok {
-				if cn.Hdr.Name == fqdn {
-					fqdn = cn.Target
-					break
-				}
-			}
-		}
+		fqdn = updateDomainWithCName(r, fqdn)
 	}

 	authoritativeNss, err := lookupNameservers(fqdn)
--- a/vendor/github.com/xenolf/lego/challenge/http01/http_challenge.go
+++ b/vendor/github.com/xenolf/lego/challenge/http01/http_challenge.go
@ -61,5 +61,5 @@ func (c *Challenge) Solve(authz acme.Authorization) error {
 	}()

 	chlng.KeyAuthorization = keyAuth
-	return c.validate(c.core, authz.Identifier.Value, chlng)
+	return c.validate(c.core, domain, chlng)
 }
--- a/vendor/github.com/xenolf/lego/challenge/resolver/solver_manager.go
+++ b/vendor/github.com/xenolf/lego/challenge/resolver/solver_manager.go
@ -1,12 +1,14 @@
 package resolver

 import (
+	"context"
 	"errors"
 	"fmt"
 	"sort"
 	"strconv"
 	"time"

+	"github.com/cenkalti/backoff"
 	"github.com/xenolf/lego/acme"
 	"github.com/xenolf/lego/acme/api"
 	"github.com/xenolf/lego/challenge"
@ -90,16 +92,35 @@ func validate(core *api.Core, domain string, chlg acme.Challenge) error {
 		return nil
 	}

+	ra, err := strconv.Atoi(chlng.RetryAfter)
+	if err != nil {
+		// The ACME server MUST return a Retry-After.
+		// If it doesn't, we'll just poll hard.
+		// Boulder does not implement the ability to retry challenges or the Retry-After header.
+		// https://github.com/letsencrypt/boulder/blob/master/docs/acme-divergences.md#section-82
+		ra = 5
+	}
+	initialInterval := time.Duration(ra) * time.Second
+
+	bo := backoff.NewExponentialBackOff()
+	bo.InitialInterval = initialInterval
+	bo.MaxInterval = 10 * initialInterval
+	bo.MaxElapsedTime = 100 * initialInterval
+
+	ctx, cancel := context.WithCancel(context.Background())
+
 	// After the path is sent, the ACME server will access our server.
 	// Repeatedly check the server for an updated status on our request.
-	for {
+	operation := func() error {
 		authz, err := core.Authorizations.Get(chlng.AuthorizationURL)
 		if err != nil {
+			cancel()
 			return err
 		}

 		valid, err := checkAuthorizationStatus(authz)
 		if err != nil {
+			cancel()
 			return err
 		}

@ -108,16 +129,10 @@ func validate(core *api.Core, domain string, chlg acme.Challenge) error {
 			return nil
 		}

-		ra, err := strconv.Atoi(chlng.RetryAfter)
-		if err != nil {
-			// The ACME server MUST return a Retry-After.
-			// If it doesn't, we'll just poll hard.
-			// Boulder does not implement the ability to retry challenges or the Retry-After header.
-			// https://github.com/letsencrypt/boulder/blob/master/docs/acme-divergences.md#section-82
-			ra = 5
-		}
-		time.Sleep(time.Duration(ra) * time.Second)
+		return errors.New("the server didn't respond to our request")
 	}
+
+	return backoff.Retry(operation, backoff.WithContext(bo, ctx))
 }

 func checkChallengeStatus(chlng acme.ExtendedChallenge) (bool, error) {
--- a/vendor/github.com/xenolf/lego/providers/dns/auroradns/auroradns.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/auroradns/auroradns.go
@ -7,7 +7,7 @@ import (
 	"sync"
 	"time"

-	auroradns "github.com/ldez/go-auroradns"
+	"github.com/nrdcg/auroradns"
 	"github.com/xenolf/lego/challenge/dns01"
 	"github.com/xenolf/lego/platform/config/env"
 )
--- a/vendor/github.com/xenolf/lego/providers/dns/designate/designate.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/designate/designate.go
@ -0,0 +1,249 @@
+// Package designate implements a DNS provider for solving the DNS-01 challenge using the Designate DNSaaS for Openstack.
+package designate
+
+import (
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"sync"
+	"time"
+
+	"github.com/gophercloud/gophercloud"
+	"github.com/gophercloud/gophercloud/openstack"
+	"github.com/gophercloud/gophercloud/openstack/dns/v2/recordsets"
+	"github.com/gophercloud/gophercloud/openstack/dns/v2/zones"
+	"github.com/xenolf/lego/challenge/dns01"
+	"github.com/xenolf/lego/platform/config/env"
+)
+
+// Config is used to configure the creation of the DNSProvider
+type Config struct {
+	PropagationTimeout time.Duration
+	PollingInterval    time.Duration
+	TTL                int
+	opts               gophercloud.AuthOptions
+}
+
+// NewDefaultConfig returns a default configuration for the DNSProvider
+func NewDefaultConfig() *Config {
+	return &Config{
+		TTL:                env.GetOrDefaultInt("DESIGNATE_TTL", 10),
+		PropagationTimeout: env.GetOrDefaultSecond("DESIGNATE_PROPAGATION_TIMEOUT", 10*time.Minute),
+		PollingInterval:    env.GetOrDefaultSecond("DESIGNATE_POLLING_INTERVAL", 10*time.Second),
+	}
+}
+
+// DNSProvider describes a provider for Designate
+type DNSProvider struct {
+	config       *Config
+	client       *gophercloud.ServiceClient
+	dnsEntriesMu sync.Mutex
+}
+
+// NewDNSProvider returns a DNSProvider instance configured for Designate.
+// Credentials must be passed in the environment variables:
+// OS_AUTH_URL, OS_USERNAME, OS_PASSWORD, OS_TENANT_NAME, OS_REGION_NAME.
+func NewDNSProvider() (*DNSProvider, error) {
+	_, err := env.Get("OS_AUTH_URL", "OS_USERNAME", "OS_PASSWORD", "OS_TENANT_NAME", "OS_REGION_NAME")
+	if err != nil {
+		return nil, fmt.Errorf("designate: %v", err)
+	}
+
+	opts, err := openstack.AuthOptionsFromEnv()
+	if err != nil {
+		return nil, fmt.Errorf("designate: %v", err)
+	}
+
+	config := NewDefaultConfig()
+	config.opts = opts
+
+	return NewDNSProviderConfig(config)
+}
+
+// NewDNSProviderConfig return a DNSProvider instance configured for Designate.
+func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
+	if config == nil {
+		return nil, errors.New("designate: the configuration of the DNS provider is nil")
+	}
+
+	provider, err := openstack.AuthenticatedClient(config.opts)
+	if err != nil {
+		return nil, fmt.Errorf("designate: failed to authenticate: %v", err)
+	}
+
+	dnsClient, err := openstack.NewDNSV2(provider, gophercloud.EndpointOpts{
+		Region: os.Getenv("OS_REGION_NAME"),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("designate: failed to get DNS provider: %v", err)
+	}
+
+	return &DNSProvider{client: dnsClient, config: config}, nil
+}
+
+// Timeout returns the timeout and interval to use when checking for DNS propagation.
+// Adjusting here to cope with spikes in propagation times.
+func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
+	return d.config.PropagationTimeout, d.config.PollingInterval
+}
+
+// Present creates a TXT record to fulfill the dns-01 challenge
+func (d *DNSProvider) Present(domain, token, keyAuth string) error {
+	fqdn, value := dns01.GetRecord(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(fqdn)
+	if err != nil {
+		return fmt.Errorf("designate: couldn't get zone ID in Present: %v", err)
+	}
+
+	zoneID, err := d.getZoneID(authZone)
+	if err != nil {
+		return fmt.Errorf("designate: %v", err)
+	}
+
+	// use mutex to prevent race condition between creating the record and verifying it
+	d.dnsEntriesMu.Lock()
+	defer d.dnsEntriesMu.Unlock()
+
+	existingRecord, err := d.getRecord(zoneID, fqdn)
+	if err != nil {
+		return fmt.Errorf("designate: %v", err)
+	}
+
+	if existingRecord != nil {
+		if contains(existingRecord.Records, value) {
+			log.Printf("designate: the record already exists: %s", value)
+			return nil
+		}
+
+		return d.updateRecord(existingRecord, value)
+	}
+
+	err = d.createRecord(zoneID, fqdn, value)
+	if err != nil {
+		return fmt.Errorf("designate: %v", err)
+	}
+
+	return nil
+}
+
+// CleanUp removes the TXT record matching the specified parameters
+func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
+	fqdn, _ := dns01.GetRecord(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(fqdn)
+	if err != nil {
+		return err
+	}
+
+	zoneID, err := d.getZoneID(authZone)
+	if err != nil {
+		return fmt.Errorf("designate: couldn't get zone ID in CleanUp: %v", err)
+	}
+
+	// use mutex to prevent race condition between getting the record and deleting it
+	d.dnsEntriesMu.Lock()
+	defer d.dnsEntriesMu.Unlock()
+
+	record, err := d.getRecord(zoneID, fqdn)
+	if err != nil {
+		return fmt.Errorf("designate: couldn't get Record ID in CleanUp: %v", err)
+	}
+
+	if record == nil {
+		// Record is already deleted
+		return nil
+	}
+
+	err = recordsets.Delete(d.client, zoneID, record.ID).ExtractErr()
+	if err != nil {
+		return fmt.Errorf("designate: error for %s in CleanUp: %v", fqdn, err)
+	}
+	return nil
+}
+
+func contains(values []string, value string) bool {
+	for _, v := range values {
+		if v == value {
+			return true
+		}
+	}
+	return false
+}
+
+func (d *DNSProvider) createRecord(zoneID, fqdn, value string) error {
+	createOpts := recordsets.CreateOpts{
+		Name:        fqdn,
+		Type:        "TXT",
+		TTL:         d.config.TTL,
+		Description: "ACME verification record",
+		Records:     []string{value},
+	}
+
+	actual, err := recordsets.Create(d.client, zoneID, createOpts).Extract()
+	if err != nil {
+		return fmt.Errorf("error for %s in Present while creating record: %v", fqdn, err)
+	}
+
+	if actual.Name != fqdn || actual.TTL != d.config.TTL {
+		return fmt.Errorf("the created record doesn't match what we wanted to create")
+	}
+
+	return nil
+}
+
+func (d *DNSProvider) updateRecord(record *recordsets.RecordSet, value string) error {
+	if contains(record.Records, value) {
+		log.Printf("skip: the record already exists: %s", value)
+		return nil
+	}
+
+	values := append([]string{value}, record.Records...)
+
+	updateOpts := recordsets.UpdateOpts{
+		Description: &record.Description,
+		TTL:         record.TTL,
+		Records:     values,
+	}
+
+	result := recordsets.Update(d.client, record.ZoneID, record.ID, updateOpts)
+	return result.Err
+}
+
+func (d *DNSProvider) getZoneID(wanted string) (string, error) {
+	allPages, err := zones.List(d.client, nil).AllPages()
+	if err != nil {
+		return "", err
+	}
+	allZones, err := zones.ExtractZones(allPages)
+	if err != nil {
+		return "", err
+	}
+
+	for _, zone := range allZones {
+		if zone.Name == wanted {
+			return zone.ID, nil
+		}
+	}
+	return "", fmt.Errorf("zone id not found for %s", wanted)
+}
+
+func (d *DNSProvider) getRecord(zoneID string, wanted string) (*recordsets.RecordSet, error) {
+	allPages, err := recordsets.ListByZone(d.client, zoneID, nil).AllPages()
+	if err != nil {
+		return nil, err
+	}
+	allRecords, err := recordsets.ExtractRecordSets(allPages)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, record := range allRecords {
+		if record.Name == wanted {
+			return &record, nil
+		}
+	}
+
+	return nil, nil
+}
--- a/vendor/github.com/xenolf/lego/providers/dns/dns_providers.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/dns_providers.go
@ -13,6 +13,7 @@ import (
 	"github.com/xenolf/lego/providers/dns/cloudflare"
 	"github.com/xenolf/lego/providers/dns/cloudxns"
 	"github.com/xenolf/lego/providers/dns/conoha"
+	"github.com/xenolf/lego/providers/dns/designate"
 	"github.com/xenolf/lego/providers/dns/digitalocean"
 	"github.com/xenolf/lego/providers/dns/dnsimple"
 	"github.com/xenolf/lego/providers/dns/dnsmadeeasy"
@ -76,6 +77,8 @@ func NewDNSChallengeProviderByName(name string) (challenge.Provider, error) {
 		return cloudxns.NewDNSProvider()
 	case "conoha":
 		return conoha.NewDNSProvider()
+	case "designate":
+		return designate.NewDNSProvider()
 	case "digitalocean":
 		return digitalocean.NewDNSProvider()
 	case "dnsimple":
--- a/vendor/github.com/xenolf/lego/providers/dns/fastdns/fastdns.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/fastdns/fastdns.go
@ -89,16 +89,10 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 	_ = record.SetField("target", value)
 	_ = record.SetField("active", true)

-	existingRecord := d.findExistingRecord(zone, recordName)
-
-	if existingRecord != nil {
-		if reflect.DeepEqual(existingRecord.ToMap(), record.ToMap()) {
+	for _, r := range zone.Zone.Txt {
+		if r != nil && reflect.DeepEqual(r.ToMap(), record.ToMap()) {
 			return nil
 		}
-		err = zone.RemoveRecord(existingRecord)
-		if err != nil {
-			return fmt.Errorf("fastdns: %v", err)
-		}
 	}

 	return d.createRecord(zone, record)
@ -119,13 +113,17 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 		return fmt.Errorf("fastdns: %v", err)
 	}

-	existingRecord := d.findExistingRecord(zone, recordName)
-
-	if existingRecord != nil {
-		err := zone.RemoveRecord(existingRecord)
-		if err != nil {
-			return fmt.Errorf("fastdns: %v", err)
+	var removed bool
+	for _, r := range zone.Zone.Txt {
+		if r != nil && r.Name == recordName {
+			if zone.RemoveRecord(r) != nil {
+				return fmt.Errorf("fastdns: %v", err)
+			}
+			removed = true
 		}
+	}
+
+	if removed {
 		return zone.Save()
 	}

@ -150,16 +148,6 @@ func (d *DNSProvider) findZoneAndRecordName(fqdn, domain string) (string, string
 	return zone, name, nil
 }

-func (d *DNSProvider) findExistingRecord(zone *configdns.Zone, recordName string) *configdns.TxtRecord {
-	for _, r := range zone.Zone.Txt {
-		if r.Name == recordName {
-			return r
-		}
-	}
-
-	return nil
-}
-
 func (d *DNSProvider) createRecord(zone *configdns.Zone, record *configdns.TxtRecord) error {
 	err := zone.AddRecord(record)
 	if err != nil {
--- a/vendor/github.com/xenolf/lego/providers/dns/gcloud/googlecloud.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/gcloud/googlecloud.go
@ -7,7 +7,6 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
-	"os"
 	"strconv"
 	"time"

@ -53,11 +52,12 @@ type DNSProvider struct {

 // NewDNSProvider returns a DNSProvider instance configured for Google Cloud DNS.
 // Project name must be passed in the environment variable: GCE_PROJECT.
-// A Service Account file can be passed in the environment variable: GCE_SERVICE_ACCOUNT_FILE
+// A Service Account can be passed in the environment variable: GCE_SERVICE_ACCOUNT
+// or by specifying the keyfile location: GCE_SERVICE_ACCOUNT_FILE
 func NewDNSProvider() (*DNSProvider, error) {
 	// Use a service account file if specified via environment variable.
-	if saFile, ok := os.LookupEnv("GCE_SERVICE_ACCOUNT_FILE"); ok {
-		return NewDNSProviderServiceAccount(saFile)
+	if saKey := env.GetOrFile("GCE_SERVICE_ACCOUNT"); len(saKey) > 0 {
+		return NewDNSProviderServiceAccountKey([]byte(saKey))
 	}

 	// Use default credentials.
@ -84,16 +84,11 @@ func NewDNSProviderCredentials(project string) (*DNSProvider, error) {
 	return NewDNSProviderConfig(config)
 }

-// NewDNSProviderServiceAccount uses the supplied service account JSON file
+// NewDNSProviderServiceAccountKey uses the supplied service account JSON
 // to return a DNSProvider instance configured for Google Cloud DNS.
-func NewDNSProviderServiceAccount(saFile string) (*DNSProvider, error) {
-	if saFile == "" {
-		return nil, fmt.Errorf("googlecloud: Service Account file missing")
-	}
-
-	dat, err := ioutil.ReadFile(saFile)
-	if err != nil {
-		return nil, fmt.Errorf("googlecloud: unable to read Service Account file: %v", err)
+func NewDNSProviderServiceAccountKey(saKey []byte) (*DNSProvider, error) {
+	if len(saKey) == 0 {
+		return nil, fmt.Errorf("googlecloud: Service Account is missing")
 	}

 	// If GCE_PROJECT is non-empty it overrides the project in the service
@ -104,14 +99,14 @@ func NewDNSProviderServiceAccount(saFile string) (*DNSProvider, error) {
 		var datJSON struct {
 			ProjectID string `json:"project_id"`
 		}
-		err = json.Unmarshal(dat, &datJSON)
+		err := json.Unmarshal(saKey, &datJSON)
 		if err != nil || datJSON.ProjectID == "" {
 			return nil, fmt.Errorf("googlecloud: project ID not found in Google Cloud Service Account file")
 		}
 		project = datJSON.ProjectID
 	}

-	conf, err := google.JWTConfigFromJSON(dat, dns.NdevClouddnsReadwriteScope)
+	conf, err := google.JWTConfigFromJSON(saKey, dns.NdevClouddnsReadwriteScope)
 	if err != nil {
 		return nil, fmt.Errorf("googlecloud: unable to acquire config: %v", err)
 	}
@ -124,6 +119,21 @@ func NewDNSProviderServiceAccount(saFile string) (*DNSProvider, error) {
 	return NewDNSProviderConfig(config)
 }

+// NewDNSProviderServiceAccount uses the supplied service account JSON file
+// to return a DNSProvider instance configured for Google Cloud DNS.
+func NewDNSProviderServiceAccount(saFile string) (*DNSProvider, error) {
+	if saFile == "" {
+		return nil, fmt.Errorf("googlecloud: Service Account file missing")
+	}
+
+	saKey, err := ioutil.ReadFile(saFile)
+	if err != nil {
+		return nil, fmt.Errorf("googlecloud: unable to read Service Account file: %v", err)
+	}
+
+	return NewDNSProviderServiceAccountKey(saKey)
+}
+
 // NewDNSProviderConfig return a DNSProvider instance configured for Google Cloud DNS.
 func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
 	if config == nil {
--- a/vendor/github.com/xenolf/lego/providers/dns/httpreq/httpreq.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/httpreq/httpreq.go
@ -10,6 +10,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"path"
 	"time"

 	"github.com/xenolf/lego/challenge/dns01"
@ -158,7 +159,8 @@ func (d *DNSProvider) doPost(uri string, msg interface{}) error {
 		return err
 	}

-	endpoint, err := d.config.Endpoint.Parse(uri)
+	newURI := path.Join(d.config.Endpoint.EscapedPath(), uri)
+	endpoint, err := d.config.Endpoint.Parse(newURI)
 	if err != nil {
 		return err
 	}
--- a/vendor/github.com/xenolf/lego/providers/dns/inwx/inwx.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/inwx/inwx.go
@ -6,7 +6,7 @@ import (
 	"fmt"
 	"time"

-	"github.com/smueller18/goinwx"
+	"github.com/nrdcg/goinwx"
 	"github.com/xenolf/lego/challenge/dns01"
 	"github.com/xenolf/lego/log"
 	"github.com/xenolf/lego/platform/config/env"
@ -99,7 +99,7 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 		Name:    dns01.UnFqdn(fqdn),
 		Type:    "TXT",
 		Content: value,
-		Ttl:     d.config.TTL,
+		TTL:     d.config.TTL,
 	}

 	_, err = d.client.Nameservers.CreateRecord(request)
@ -150,7 +150,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {

 	var lastErr error
 	for _, record := range response.Records {
-		err = d.client.Nameservers.DeleteRecord(record.Id)
+		err = d.client.Nameservers.DeleteRecord(record.ID)
 		if err != nil {
 			lastErr = fmt.Errorf("inwx: %v", err)
 		}