Generate wildcard certificate with SANs in ACME

2018-04-11 17:16:07 +02:00 · 2018-04-11 17:16:07 +02:00 · 7109910f46
commit 7109910f46
parent 8168d2fdc1
5 changed files with 271 additions and 96 deletions
--- a/acme/acme.go
+++ b/acme/acme.go
@ -46,9 +46,9 @@ type ACME struct {
 	OnHostRule            bool                        `description:"Enable certificate generation on frontends Host rules."`
 	CAServer              string                      `description:"CA server to use."`
 	EntryPoint            string                      `description:"Entrypoint to proxy acme challenge to."`
-	DNSChallenge          *acmeprovider.DNSChallenge  `description:"Activate DNS-02 Challenge"`
+	DNSChallenge          *acmeprovider.DNSChallenge  `description:"Activate DNS-01 Challenge"`
 	HTTPChallenge         *acmeprovider.HTTPChallenge `description:"Activate HTTP-01 Challenge"`
-	DNSProvider           string                      `description:"Activate DNS-02 Challenge (Deprecated)"`                                                       // deprecated
+	DNSProvider           string                      `description:"Activate DNS-01 Challenge (Deprecated)"`                                                       // deprecated
 	DelayDontCheckDNS     flaeg.Duration              `description:"Assume DNS propagates after a delay in seconds rather than finding and querying nameservers."` // deprecated
 	ACMELogging           bool                        `description:"Enable debug logging of ACME actions."`
 	client                *acme.Client
@ -62,20 +62,6 @@ type ACME struct {
 }

 func (a *ACME) init() error {
-	// FIXME temporary fix, waiting for https://github.com/xenolf/lego/pull/478
-	acme.HTTPClient = http.Client{
-		Transport: &http.Transport{
-			Proxy: http.ProxyFromEnvironment,
-			Dial: (&net.Dialer{
-				Timeout:   30 * time.Second,
-				KeepAlive: 30 * time.Second,
-			}).Dial,
-			TLSHandshakeTimeout:   15 * time.Second,
-			ResponseHeaderTimeout: 15 * time.Second,
-			ExpectContinueTimeout: 1 * time.Second,
-		},
-	}
-
 	if a.ACMELogging {
 		acme.Logger = fmtlog.New(os.Stderr, "legolog: ", fmtlog.LstdFlags)
 	} else {
@ -651,6 +637,7 @@ func (a *ACME) runJobs() {

 // getValidDomains checks if given domain is allowed to generate a ACME certificate and return it
 func (a *ACME) getValidDomains(domains []string, wildcardAllowed bool) ([]string, error) {
+	// Check if the domains array is empty or contains only one empty value
 	if len(domains) == 0 || (len(domains) == 1 && len(domains[0]) == 0) {
 		return nil, errors.New("unable to generate a certificate when no domain is given")
 	}
@ -663,15 +650,14 @@ func (a *ACME) getValidDomains(domains []string, wildcardAllowed bool) ([]string
 		if a.DNSChallenge == nil && len(a.DNSProvider) == 0 {
 			return nil, fmt.Errorf("unable to generate a wildcard certificate for domain %q : ACME needs a DNSChallenge", strings.Join(domains, ","))
 		}
-
-		if len(domains) > 1 {
-			return nil, fmt.Errorf("unable to generate a wildcard certificate for domain %q : SANs are not allowed", strings.Join(domains, ","))
+		if strings.HasPrefix(domains[0], "*.*") {
+			return nil, fmt.Errorf("unable to generate a wildcard certificate for domain %q : ACME does not allow '*.*' wildcard domain", strings.Join(domains, ","))
 		}
-	} else {
-		for _, san := range domains[1:] {
-			if strings.HasPrefix(san, "*") {
-				return nil, fmt.Errorf("unable to generate a certificate in ACME provider for domains %q: SANs can not be a wildcard domain", strings.Join(domains, ","))
-			}
+	}
+	for _, san := range domains[1:] {
+		if strings.HasPrefix(san, "*") {
+			return nil, fmt.Errorf("unable to generate a certificate for domains %q: SANs can not be a wildcard domain", strings.Join(domains, ","))
+
 		}
 	}

@ -710,31 +696,37 @@ func (a *ACME) deleteUnnecessaryDomains() {
 					keepDomain = false
 				}
 				break
-			} else if strings.HasPrefix(domain.Main, "*") && domain.SANs == nil {
-				// Check if domains can be validated by the wildcard domain
-
-				var newDomainsToCheck []string
-
-				// Check if domains can be validated by the wildcard domain
-				domainsMap := make(map[string]*tls.Certificate)
-				domainsMap[domain.Main] = &tls.Certificate{}
-
-				for _, domainProcessed := range domainToCheck.ToStrArray() {
-					if isDomainAlreadyChecked(domainProcessed, domainsMap) {
-						log.Warnf("Domain %q will not be processed by ACME because it is validated by the wildcard %q", domainProcessed, domain.Main)
-						continue
-					}
-					newDomainsToCheck = append(newDomainsToCheck, domainProcessed)
-				}
-
-				// Delete the domain if both Main and SANs can be validated by the wildcard domain
-				// otherwise keep the unchecked values
-				if newDomainsToCheck == nil {
-					keepDomain = false
-					break
-				}
-				domainToCheck.Set(newDomainsToCheck)
 			}
+
+			var newDomainsToCheck []string
+
+			// Check if domains can be validated by the wildcard domain
+			domainsMap := make(map[string]*tls.Certificate)
+			domainsMap[domain.Main] = &tls.Certificate{}
+			if len(domain.SANs) > 0 {
+				domainsMap[strings.Join(domain.SANs, ",")] = &tls.Certificate{}
+			}
+
+			for _, domainProcessed := range domainToCheck.ToStrArray() {
+				if idxDomain < idxDomainToCheck && isDomainAlreadyChecked(domainProcessed, domainsMap) {
+					// The domain is duplicated in a CN
+					log.Warnf("Domain %q is duplicated in the configuration or validated by the domain %v. It will be processed once.", domainProcessed, domain)
+					continue
+				} else if domain.Main != domainProcessed && strings.HasPrefix(domain.Main, "*") && types.MatchDomain(domainProcessed, domain.Main) {
+					// Check if a wildcard can validate the domain
+					log.Warnf("Domain %q will not be processed by ACME provider because it is validated by the wildcard %q", domainProcessed, domain.Main)
+					continue
+				}
+				newDomainsToCheck = append(newDomainsToCheck, domainProcessed)
+			}
+
+			// Delete the domain if both Main and SANs can be validated by the wildcard domain
+			// otherwise keep the unchecked values
+			if newDomainsToCheck == nil {
+				keepDomain = false
+				break
+			}
+			domainToCheck.Set(newDomainsToCheck)
 		}

 		if keepDomain {
--- a/acme/acme_test.go
+++ b/acme/acme_test.go
@ -417,11 +417,27 @@ func TestAcme_getValidDomain(t *testing.T) {
 			expectedDomains: nil,
 		},
 		{
-			desc:            "unexpected SANs",
-			domains:         []string{"*.traefik.wtf", "foo.traefik.wtf"},
+			desc:            "unauthorized wildcard with SAN",
+			domains:         []string{"*.*.traefik.wtf", "foo.traefik.wtf"},
 			dnsChallenge:    &acmeprovider.DNSChallenge{},
 			wildcardAllowed: true,
-			expectedErr:     "unable to generate a wildcard certificate for domain \"*.traefik.wtf,foo.traefik.wtf\" : SANs are not allowed",
+			expectedErr:     "unable to generate a wildcard certificate for domain \"*.*.traefik.wtf,foo.traefik.wtf\" : ACME does not allow '*.*' wildcard domain",
+			expectedDomains: nil,
+		},
+		{
+			desc:            "wildcard with SANs",
+			domains:         []string{"*.traefik.wtf", "traefik.wtf"},
+			dnsChallenge:    &acmeprovider.DNSChallenge{},
+			wildcardAllowed: true,
+			expectedErr:     "",
+			expectedDomains: []string{"*.traefik.wtf", "traefik.wtf"},
+		},
+		{
+			desc:            "unexpected SANs",
+			domains:         []string{"*.traefik.wtf", "*.acme.wtf"},
+			dnsChallenge:    &acmeprovider.DNSChallenge{},
+			wildcardAllowed: true,
+			expectedErr:     "unable to generate a certificate for domains \"*.traefik.wtf,*.acme.wtf\": SANs can not be a wildcard domain",
 			expectedDomains: nil,
 		},
 	}