Updates of Lego.

2019-02-11 08:52:03 +01:00 · 2019-02-11 08:52:03 +01:00 · 2b2cfdfb32
commit 2b2cfdfb32
parent 5f4d440493
102 changed files with 8355 additions and 902 deletions
--- a/vendor/github.com/xenolf/lego/challenge/dns01/cname.go
+++ b/vendor/github.com/xenolf/lego/challenge/dns01/cname.go
@ -0,0 +1,16 @@
+package dns01
+
+import "github.com/miekg/dns"
+
+// Update FQDN with CNAME if any
+func updateDomainWithCName(r *dns.Msg, fqdn string) string {
+	for _, rr := range r.Answer {
+		if cn, ok := rr.(*dns.CNAME); ok {
+			if cn.Hdr.Name == fqdn {
+				return cn.Target
+			}
+		}
+	}
+
+	return fqdn
+}
--- a/vendor/github.com/xenolf/lego/challenge/dns01/dns_challenge.go
+++ b/vendor/github.com/xenolf/lego/challenge/dns01/dns_challenge.go
@ -4,8 +4,11 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
+	"os"
+	"strconv"
 	"time"

+	"github.com/miekg/dns"
 	"github.com/xenolf/lego/acme"
 	"github.com/xenolf/lego/acme/api"
 	"github.com/xenolf/lego/challenge"
@ -135,7 +138,7 @@ func (c *Challenge) Solve(authz acme.Authorization) error {
 	}

 	chlng.KeyAuthorization = keyAuth
-	return c.validate(c.core, authz.Identifier.Value, chlng)
+	return c.validate(c.core, domain, chlng)
 }

 // CleanUp cleans the challenge.
@ -172,5 +175,14 @@ func GetRecord(domain, keyAuth string) (fqdn string, value string) {
 	// base64URL encoding without padding
 	value = base64.RawURLEncoding.EncodeToString(keyAuthShaBytes[:sha256.Size])
 	fqdn = fmt.Sprintf("_acme-challenge.%s.", domain)
+
+	if ok, _ := strconv.ParseBool(os.Getenv("LEGO_EXPERIMENTAL_CNAME_SUPPORT")); ok {
+		r, err := dnsQuery(fqdn, dns.TypeCNAME, recursiveNameservers, true)
+		// Check if the domain has CNAME then return that
+		if err == nil && r.Rcode == dns.RcodeSuccess {
+			fqdn = updateDomainWithCName(r, fqdn)
+		}
+	}
+
 	return
 }
--- a/vendor/github.com/xenolf/lego/challenge/dns01/precheck.go
+++ b/vendor/github.com/xenolf/lego/challenge/dns01/precheck.go
@ -60,15 +60,7 @@ func (p preCheck) checkDNSPropagation(fqdn, value string) (bool, error) {
 	}

 	if r.Rcode == dns.RcodeSuccess {
-		// If we see a CNAME here then use the alias
-		for _, rr := range r.Answer {
-			if cn, ok := rr.(*dns.CNAME); ok {
-				if cn.Hdr.Name == fqdn {
-					fqdn = cn.Target
-					break
-				}
-			}
-		}
+		fqdn = updateDomainWithCName(r, fqdn)
 	}

 	authoritativeNss, err := lookupNameservers(fqdn)
--- a/vendor/github.com/xenolf/lego/challenge/http01/http_challenge.go
+++ b/vendor/github.com/xenolf/lego/challenge/http01/http_challenge.go
@ -61,5 +61,5 @@ func (c *Challenge) Solve(authz acme.Authorization) error {
 	}()

 	chlng.KeyAuthorization = keyAuth
-	return c.validate(c.core, authz.Identifier.Value, chlng)
+	return c.validate(c.core, domain, chlng)
 }
--- a/vendor/github.com/xenolf/lego/challenge/resolver/solver_manager.go
+++ b/vendor/github.com/xenolf/lego/challenge/resolver/solver_manager.go
@ -1,12 +1,14 @@
 package resolver

 import (
+	"context"
 	"errors"
 	"fmt"
 	"sort"
 	"strconv"
 	"time"

+	"github.com/cenkalti/backoff"
 	"github.com/xenolf/lego/acme"
 	"github.com/xenolf/lego/acme/api"
 	"github.com/xenolf/lego/challenge"
@ -90,16 +92,35 @@ func validate(core *api.Core, domain string, chlg acme.Challenge) error {
 		return nil
 	}

+	ra, err := strconv.Atoi(chlng.RetryAfter)
+	if err != nil {
+		// The ACME server MUST return a Retry-After.
+		// If it doesn't, we'll just poll hard.
+		// Boulder does not implement the ability to retry challenges or the Retry-After header.
+		// https://github.com/letsencrypt/boulder/blob/master/docs/acme-divergences.md#section-82
+		ra = 5
+	}
+	initialInterval := time.Duration(ra) * time.Second
+
+	bo := backoff.NewExponentialBackOff()
+	bo.InitialInterval = initialInterval
+	bo.MaxInterval = 10 * initialInterval
+	bo.MaxElapsedTime = 100 * initialInterval
+
+	ctx, cancel := context.WithCancel(context.Background())
+
 	// After the path is sent, the ACME server will access our server.
 	// Repeatedly check the server for an updated status on our request.
-	for {
+	operation := func() error {
 		authz, err := core.Authorizations.Get(chlng.AuthorizationURL)
 		if err != nil {
+			cancel()
 			return err
 		}

 		valid, err := checkAuthorizationStatus(authz)
 		if err != nil {
+			cancel()
 			return err
 		}

@ -108,16 +129,10 @@ func validate(core *api.Core, domain string, chlg acme.Challenge) error {
 			return nil
 		}

-		ra, err := strconv.Atoi(chlng.RetryAfter)
-		if err != nil {
-			// The ACME server MUST return a Retry-After.
-			// If it doesn't, we'll just poll hard.
-			// Boulder does not implement the ability to retry challenges or the Retry-After header.
-			// https://github.com/letsencrypt/boulder/blob/master/docs/acme-divergences.md#section-82
-			ra = 5
-		}
-		time.Sleep(time.Duration(ra) * time.Second)
+		return errors.New("the server didn't respond to our request")
 	}
+
+	return backoff.Retry(operation, backoff.WithContext(bo, ctx))
 }

 func checkChallengeStatus(chlng acme.ExtendedChallenge) (bool, error) {