Migrate to go-acme/lego.

2019-03-14 11:04:04 +01:00 · 2019-03-14 11:04:04 +01:00 · 87da7520de
commit 87da7520de
parent 4a68d29ce2
286 changed files with 14021 additions and 2501 deletions
--- a/vendor/github.com/go-acme/lego/acme/api/account.go
+++ b/vendor/github.com/go-acme/lego/acme/api/account.go
@ -0,0 +1,69 @@
+package api
+
+import (
+	"encoding/base64"
+	"errors"
+	"fmt"
+
+	"github.com/go-acme/lego/acme"
+)
+
+type AccountService service
+
+// New Creates a new account.
+func (a *AccountService) New(req acme.Account) (acme.ExtendedAccount, error) {
+	var account acme.Account
+	resp, err := a.core.post(a.core.GetDirectory().NewAccountURL, req, &account)
+	location := getLocation(resp)
+
+	if len(location) > 0 {
+		a.core.jws.SetKid(location)
+	}
+
+	if err != nil {
+		return acme.ExtendedAccount{Location: location}, err
+	}
+
+	return acme.ExtendedAccount{Account: account, Location: location}, nil
+}
+
+// NewEAB Creates a new account with an External Account Binding.
+func (a *AccountService) NewEAB(accMsg acme.Account, kid string, hmacEncoded string) (acme.ExtendedAccount, error) {
+	hmac, err := base64.RawURLEncoding.DecodeString(hmacEncoded)
+	if err != nil {
+		return acme.ExtendedAccount{}, fmt.Errorf("acme: could not decode hmac key: %v", err)
+	}
+
+	eabJWS, err := a.core.signEABContent(a.core.GetDirectory().NewAccountURL, kid, hmac)
+	if err != nil {
+		return acme.ExtendedAccount{}, fmt.Errorf("acme: error signing eab content: %v", err)
+	}
+	accMsg.ExternalAccountBinding = eabJWS
+
+	return a.New(accMsg)
+}
+
+// Get Retrieves an account.
+func (a *AccountService) Get(accountURL string) (acme.Account, error) {
+	if len(accountURL) == 0 {
+		return acme.Account{}, errors.New("account[get]: empty URL")
+	}
+
+	var account acme.Account
+	_, err := a.core.post(accountURL, acme.Account{}, &account)
+	if err != nil {
+		return acme.Account{}, err
+	}
+	return account, nil
+}
+
+// Deactivate Deactivates an account.
+func (a *AccountService) Deactivate(accountURL string) error {
+	if len(accountURL) == 0 {
+		return errors.New("account[deactivate]: empty URL")
+	}
+
+	req := acme.Account{Status: acme.StatusDeactivated}
+	_, err := a.core.post(accountURL, req, nil)
+	return err
+}
--- a/vendor/github.com/go-acme/lego/acme/api/api.go
+++ b/vendor/github.com/go-acme/lego/acme/api/api.go
@ -0,0 +1,166 @@
+package api
+
+import (
+	"bytes"
+	"context"
+	"crypto"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/cenkalti/backoff"
+	"github.com/go-acme/lego/acme"
+	"github.com/go-acme/lego/acme/api/internal/nonces"
+	"github.com/go-acme/lego/acme/api/internal/secure"
+	"github.com/go-acme/lego/acme/api/internal/sender"
+	"github.com/go-acme/lego/log"
+)
+
+// Core ACME/LE core API.
+type Core struct {
+	doer         *sender.Doer
+	nonceManager *nonces.Manager
+	jws          *secure.JWS
+	directory    acme.Directory
+	HTTPClient   *http.Client
+
+	common         service // Reuse a single struct instead of allocating one for each service on the heap.
+	Accounts       *AccountService
+	Authorizations *AuthorizationService
+	Certificates   *CertificateService
+	Challenges     *ChallengeService
+	Orders         *OrderService
+}
+
+// New Creates a new Core.
+func New(httpClient *http.Client, userAgent string, caDirURL, kid string, privateKey crypto.PrivateKey) (*Core, error) {
+	doer := sender.NewDoer(httpClient, userAgent)
+
+	dir, err := getDirectory(doer, caDirURL)
+	if err != nil {
+		return nil, err
+	}
+
+	nonceManager := nonces.NewManager(doer, dir.NewNonceURL)
+
+	jws := secure.NewJWS(privateKey, kid, nonceManager)
+
+	c := &Core{doer: doer, nonceManager: nonceManager, jws: jws, directory: dir, HTTPClient: httpClient}
+
+	c.common.core = c
+	c.Accounts = (*AccountService)(&c.common)
+	c.Authorizations = (*AuthorizationService)(&c.common)
+	c.Certificates = (*CertificateService)(&c.common)
+	c.Challenges = (*ChallengeService)(&c.common)
+	c.Orders = (*OrderService)(&c.common)
+
+	return c, nil
+}
+
+// post performs an HTTP POST request and parses the response body as JSON,
+// into the provided respBody object.
+func (a *Core) post(uri string, reqBody, response interface{}) (*http.Response, error) {
+	content, err := json.Marshal(reqBody)
+	if err != nil {
+		return nil, errors.New("failed to marshal message")
+	}
+
+	return a.retrievablePost(uri, content, response)
+}
+
+// postAsGet performs an HTTP POST ("POST-as-GET") request.
+// https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-6.3
+func (a *Core) postAsGet(uri string, response interface{}) (*http.Response, error) {
+	return a.retrievablePost(uri, []byte{}, response)
+}
+
+func (a *Core) retrievablePost(uri string, content []byte, response interface{}) (*http.Response, error) {
+	// during tests, allow to support ~90% of bad nonce with a minimum of attempts.
+	bo := backoff.NewExponentialBackOff()
+	bo.InitialInterval = 200 * time.Millisecond
+	bo.MaxInterval = 5 * time.Second
+	bo.MaxElapsedTime = 20 * time.Second
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	var resp *http.Response
+	operation := func() error {
+		var err error
+		resp, err = a.signedPost(uri, content, response)
+		if err != nil {
+			switch err.(type) {
+			// Retry if the nonce was invalidated
+			case *acme.NonceError:
+				log.Infof("nonce error retry: %s", err)
+				return err
+			default:
+				cancel()
+				return err
+			}
+		}
+
+		return nil
+	}
+
+	err := backoff.Retry(operation, backoff.WithContext(bo, ctx))
+	if err != nil {
+		return nil, err
+	}
+
+	return resp, nil
+}
+
+func (a *Core) signedPost(uri string, content []byte, response interface{}) (*http.Response, error) {
+	signedContent, err := a.jws.SignContent(uri, content)
+	if err != nil {
+		return nil, fmt.Errorf("failed to post JWS message -> failed to sign content -> %v", err)
+	}
+
+	signedBody := bytes.NewBuffer([]byte(signedContent.FullSerialize()))
+
+	resp, err := a.doer.Post(uri, signedBody, "application/jose+json", response)
+
+	// nonceErr is ignored to keep the root error.
+	nonce, nonceErr := nonces.GetFromResponse(resp)
+	if nonceErr == nil {
+		a.nonceManager.Push(nonce)
+	}
+
+	return resp, err
+}
+
+func (a *Core) signEABContent(newAccountURL, kid string, hmac []byte) ([]byte, error) {
+	eabJWS, err := a.jws.SignEABContent(newAccountURL, kid, hmac)
+	if err != nil {
+		return nil, err
+	}
+
+	return []byte(eabJWS.FullSerialize()), nil
+}
+
+// GetKeyAuthorization Gets the key authorization
+func (a *Core) GetKeyAuthorization(token string) (string, error) {
+	return a.jws.GetKeyAuthorization(token)
+}
+
+func (a *Core) GetDirectory() acme.Directory {
+	return a.directory
+}
+
+func getDirectory(do *sender.Doer, caDirURL string) (acme.Directory, error) {
+	var dir acme.Directory
+	if _, err := do.Get(caDirURL, &dir); err != nil {
+		return dir, fmt.Errorf("get directory at '%s': %v", caDirURL, err)
+	}
+
+	if dir.NewAccountURL == "" {
+		return dir, errors.New("directory missing new registration URL")
+	}
+	if dir.NewOrderURL == "" {
+		return dir, errors.New("directory missing new order URL")
+	}
+
+	return dir, nil
+}
--- a/vendor/github.com/go-acme/lego/acme/api/authorization.go
+++ b/vendor/github.com/go-acme/lego/acme/api/authorization.go
@ -0,0 +1,34 @@
+package api
+
+import (
+	"errors"
+
+	"github.com/go-acme/lego/acme"
+)
+
+type AuthorizationService service
+
+// Get Gets an authorization.
+func (c *AuthorizationService) Get(authzURL string) (acme.Authorization, error) {
+	if len(authzURL) == 0 {
+		return acme.Authorization{}, errors.New("authorization[get]: empty URL")
+	}
+
+	var authz acme.Authorization
+	_, err := c.core.postAsGet(authzURL, &authz)
+	if err != nil {
+		return acme.Authorization{}, err
+	}
+	return authz, nil
+}
+
+// Deactivate Deactivates an authorization.
+func (c *AuthorizationService) Deactivate(authzURL string) error {
+	if len(authzURL) == 0 {
+		return errors.New("authorization[deactivate]: empty URL")
+	}
+
+	var disabledAuth acme.Authorization
+	_, err := c.core.post(authzURL, acme.Authorization{Status: acme.StatusDeactivated}, &disabledAuth)
+	return err
+}
--- a/vendor/github.com/go-acme/lego/acme/api/certificate.go
+++ b/vendor/github.com/go-acme/lego/acme/api/certificate.go
@ -0,0 +1,99 @@
+package api
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"io/ioutil"
+	"net/http"
+
+	"github.com/go-acme/lego/acme"
+	"github.com/go-acme/lego/certcrypto"
+	"github.com/go-acme/lego/log"
+)
+
+// maxBodySize is the maximum size of body that we will read.
+const maxBodySize = 1024 * 1024
+
+type CertificateService service
+
+// Get Returns the certificate and the issuer certificate.
+// 'bundle' is only applied if the issuer is provided by the 'up' link.
+func (c *CertificateService) Get(certURL string, bundle bool) ([]byte, []byte, error) {
+	cert, up, err := c.get(certURL)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Get issuerCert from bundled response from Let's Encrypt
+	// See https://community.letsencrypt.org/t/acme-v2-no-up-link-in-response/64962
+	_, issuer := pem.Decode(cert)
+	if issuer != nil {
+		return cert, issuer, nil
+	}
+
+	issuer, err = c.getIssuerFromLink(up)
+	if err != nil {
+		// If we fail to acquire the issuer cert, return the issued certificate - do not fail.
+		log.Warnf("acme: Could not bundle issuer certificate [%s]: %v", certURL, err)
+	} else if len(issuer) > 0 {
+		// If bundle is true, we want to return a certificate bundle.
+		// To do this, we append the issuer cert to the issued cert.
+		if bundle {
+			cert = append(cert, issuer...)
+		}
+	}
+
+	return cert, issuer, nil
+}
+
+// Revoke Revokes a certificate.
+func (c *CertificateService) Revoke(req acme.RevokeCertMessage) error {
+	_, err := c.core.post(c.core.GetDirectory().RevokeCertURL, req, nil)
+	return err
+}
+
+// get Returns the certificate and the "up" link.
+func (c *CertificateService) get(certURL string) ([]byte, string, error) {
+	if len(certURL) == 0 {
+		return nil, "", errors.New("certificate[get]: empty URL")
+	}
+
+	resp, err := c.core.postAsGet(certURL, nil)
+	if err != nil {
+		return nil, "", err
+	}
+
+	cert, err := ioutil.ReadAll(http.MaxBytesReader(nil, resp.Body, maxBodySize))
+	if err != nil {
+		return nil, "", err
+	}
+
+	// The issuer certificate link may be supplied via an "up" link
+	// in the response headers of a new certificate.
+	// See https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4.2
+	up := getLink(resp.Header, "up")
+
+	return cert, up, err
+}
+
+// getIssuerFromLink requests the issuer certificate
+func (c *CertificateService) getIssuerFromLink(up string) ([]byte, error) {
+	if len(up) == 0 {
+		return nil, nil
+	}
+
+	log.Infof("acme: Requesting issuer cert from %s", up)
+
+	cert, _, err := c.get(up)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = x509.ParseCertificate(cert)
+	if err != nil {
+		return nil, err
+	}
+
+	return certcrypto.PEMEncode(certcrypto.DERCertificateBytes(cert)), nil
+}
--- a/vendor/github.com/go-acme/lego/acme/api/challenge.go
+++ b/vendor/github.com/go-acme/lego/acme/api/challenge.go
@ -0,0 +1,45 @@
+package api
+
+import (
+	"errors"
+
+	"github.com/go-acme/lego/acme"
+)
+
+type ChallengeService service
+
+// New Creates a challenge.
+func (c *ChallengeService) New(chlgURL string) (acme.ExtendedChallenge, error) {
+	if len(chlgURL) == 0 {
+		return acme.ExtendedChallenge{}, errors.New("challenge[new]: empty URL")
+	}
+
+	// Challenge initiation is done by sending a JWS payload containing the trivial JSON object `{}`.
+	// We use an empty struct instance as the postJSON payload here to achieve this result.
+	var chlng acme.ExtendedChallenge
+	resp, err := c.core.post(chlgURL, struct{}{}, &chlng)
+	if err != nil {
+		return acme.ExtendedChallenge{}, err
+	}
+
+	chlng.AuthorizationURL = getLink(resp.Header, "up")
+	chlng.RetryAfter = getRetryAfter(resp)
+	return chlng, nil
+}
+
+// Get Gets a challenge.
+func (c *ChallengeService) Get(chlgURL string) (acme.ExtendedChallenge, error) {
+	if len(chlgURL) == 0 {
+		return acme.ExtendedChallenge{}, errors.New("challenge[get]: empty URL")
+	}
+
+	var chlng acme.ExtendedChallenge
+	resp, err := c.core.postAsGet(chlgURL, &chlng)
+	if err != nil {
+		return acme.ExtendedChallenge{}, err
+	}
+
+	chlng.AuthorizationURL = getLink(resp.Header, "up")
+	chlng.RetryAfter = getRetryAfter(resp)
+	return chlng, nil
+}
--- a/vendor/github.com/go-acme/lego/acme/api/internal/nonces/nonce_manager.go
+++ b/vendor/github.com/go-acme/lego/acme/api/internal/nonces/nonce_manager.go
@ -0,0 +1,78 @@
+package nonces
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"sync"
+
+	"github.com/go-acme/lego/acme/api/internal/sender"
+)
+
+// Manager Manages nonces.
+type Manager struct {
+	do       *sender.Doer
+	nonceURL string
+	nonces   []string
+	sync.Mutex
+}
+
+// NewManager Creates a new Manager.
+func NewManager(do *sender.Doer, nonceURL string) *Manager {
+	return &Manager{
+		do:       do,
+		nonceURL: nonceURL,
+	}
+}
+
+// Pop Pops a nonce.
+func (n *Manager) Pop() (string, bool) {
+	n.Lock()
+	defer n.Unlock()
+
+	if len(n.nonces) == 0 {
+		return "", false
+	}
+
+	nonce := n.nonces[len(n.nonces)-1]
+	n.nonces = n.nonces[:len(n.nonces)-1]
+	return nonce, true
+}
+
+// Push Pushes a nonce.
+func (n *Manager) Push(nonce string) {
+	n.Lock()
+	defer n.Unlock()
+	n.nonces = append(n.nonces, nonce)
+}
+
+// Nonce implement jose.NonceSource
+func (n *Manager) Nonce() (string, error) {
+	if nonce, ok := n.Pop(); ok {
+		return nonce, nil
+	}
+	return n.getNonce()
+}
+
+func (n *Manager) getNonce() (string, error) {
+	resp, err := n.do.Head(n.nonceURL)
+	if err != nil {
+		return "", fmt.Errorf("failed to get nonce from HTTP HEAD -> %v", err)
+	}
+
+	return GetFromResponse(resp)
+}
+
+// GetFromResponse Extracts a nonce from a HTTP response.
+func GetFromResponse(resp *http.Response) (string, error) {
+	if resp == nil {
+		return "", errors.New("nil response")
+	}
+
+	nonce := resp.Header.Get("Replay-Nonce")
+	if nonce == "" {
+		return "", fmt.Errorf("server did not respond with a proper nonce header")
+	}
+
+	return nonce, nil
+}
--- a/vendor/github.com/go-acme/lego/acme/api/internal/secure/jws.go
+++ b/vendor/github.com/go-acme/lego/acme/api/internal/secure/jws.go
@ -0,0 +1,134 @@
+package secure
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"encoding/base64"
+	"errors"
+	"fmt"
+
+	"github.com/go-acme/lego/acme/api/internal/nonces"
+	jose "gopkg.in/square/go-jose.v2"
+)
+
+// JWS Represents a JWS.
+type JWS struct {
+	privKey crypto.PrivateKey
+	kid     string // Key identifier
+	nonces  *nonces.Manager
+}
+
+// NewJWS Create a new JWS.
+func NewJWS(privateKey crypto.PrivateKey, kid string, nonceManager *nonces.Manager) *JWS {
+	return &JWS{
+		privKey: privateKey,
+		nonces:  nonceManager,
+		kid:     kid,
+	}
+}
+
+// SetKid Sets a key identifier.
+func (j *JWS) SetKid(kid string) {
+	j.kid = kid
+}
+
+// SignContent Signs a content with the JWS.
+func (j *JWS) SignContent(url string, content []byte) (*jose.JSONWebSignature, error) {
+	var alg jose.SignatureAlgorithm
+	switch k := j.privKey.(type) {
+	case *rsa.PrivateKey:
+		alg = jose.RS256
+	case *ecdsa.PrivateKey:
+		if k.Curve == elliptic.P256() {
+			alg = jose.ES256
+		} else if k.Curve == elliptic.P384() {
+			alg = jose.ES384
+		}
+	}
+
+	signKey := jose.SigningKey{
+		Algorithm: alg,
+		Key:       jose.JSONWebKey{Key: j.privKey, KeyID: j.kid},
+	}
+
+	options := jose.SignerOptions{
+		NonceSource: j.nonces,
+		ExtraHeaders: map[jose.HeaderKey]interface{}{
+			"url": url,
+		},
+	}
+
+	if j.kid == "" {
+		options.EmbedJWK = true
+	}
+
+	signer, err := jose.NewSigner(signKey, &options)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create jose signer -> %v", err)
+	}
+
+	signed, err := signer.Sign(content)
+	if err != nil {
+		return nil, fmt.Errorf("failed to sign content -> %v", err)
+	}
+	return signed, nil
+}
+
+// SignEABContent Signs an external account binding content with the JWS.
+func (j *JWS) SignEABContent(url, kid string, hmac []byte) (*jose.JSONWebSignature, error) {
+	jwk := jose.JSONWebKey{Key: j.privKey}
+	jwkJSON, err := jwk.Public().MarshalJSON()
+	if err != nil {
+		return nil, fmt.Errorf("acme: error encoding eab jwk key: %v", err)
+	}
+
+	signer, err := jose.NewSigner(
+		jose.SigningKey{Algorithm: jose.HS256, Key: hmac},
+		&jose.SignerOptions{
+			EmbedJWK: false,
+			ExtraHeaders: map[jose.HeaderKey]interface{}{
+				"kid": kid,
+				"url": url,
+			},
+		},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create External Account Binding jose signer -> %v", err)
+	}
+
+	signed, err := signer.Sign(jwkJSON)
+	if err != nil {
+		return nil, fmt.Errorf("failed to External Account Binding sign content -> %v", err)
+	}
+
+	return signed, nil
+}
+
+// GetKeyAuthorization Gets the key authorization for a token.
+func (j *JWS) GetKeyAuthorization(token string) (string, error) {
+	var publicKey crypto.PublicKey
+	switch k := j.privKey.(type) {
+	case *ecdsa.PrivateKey:
+		publicKey = k.Public()
+	case *rsa.PrivateKey:
+		publicKey = k.Public()
+	}
+
+	// Generate the Key Authorization for the challenge
+	jwk := &jose.JSONWebKey{Key: publicKey}
+	if jwk == nil {
+		return "", errors.New("could not generate JWK from key")
+	}
+
+	thumbBytes, err := jwk.Thumbprint(crypto.SHA256)
+	if err != nil {
+		return "", err
+	}
+
+	// unpad the base64URL
+	keyThumb := base64.RawURLEncoding.EncodeToString(thumbBytes)
+
+	return token + "." + keyThumb, nil
+}
--- a/vendor/github.com/go-acme/lego/acme/api/internal/sender/sender.go
+++ b/vendor/github.com/go-acme/lego/acme/api/internal/sender/sender.go
@ -0,0 +1,146 @@
+package sender
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"runtime"
+	"strings"
+
+	"github.com/go-acme/lego/acme"
+)
+
+type RequestOption func(*http.Request) error
+
+func contentType(ct string) RequestOption {
+	return func(req *http.Request) error {
+		req.Header.Set("Content-Type", ct)
+		return nil
+	}
+}
+
+type Doer struct {
+	httpClient *http.Client
+	userAgent  string
+}
+
+// NewDoer Creates a new Doer.
+func NewDoer(client *http.Client, userAgent string) *Doer {
+	return &Doer{
+		httpClient: client,
+		userAgent:  userAgent,
+	}
+}
+
+// Get performs a GET request with a proper User-Agent string.
+// If "response" is not provided, callers should close resp.Body when done reading from it.
+func (d *Doer) Get(url string, response interface{}) (*http.Response, error) {
+	req, err := d.newRequest(http.MethodGet, url, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return d.do(req, response)
+}
+
+// Head performs a HEAD request with a proper User-Agent string.
+// The response body (resp.Body) is already closed when this function returns.
+func (d *Doer) Head(url string) (*http.Response, error) {
+	req, err := d.newRequest(http.MethodHead, url, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return d.do(req, nil)
+}
+
+// Post performs a POST request with a proper User-Agent string.
+// If "response" is not provided, callers should close resp.Body when done reading from it.
+func (d *Doer) Post(url string, body io.Reader, bodyType string, response interface{}) (*http.Response, error) {
+	req, err := d.newRequest(http.MethodPost, url, body, contentType(bodyType))
+	if err != nil {
+		return nil, err
+	}
+
+	return d.do(req, response)
+}
+
+func (d *Doer) newRequest(method, uri string, body io.Reader, opts ...RequestOption) (*http.Request, error) {
+	req, err := http.NewRequest(method, uri, body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %v", err)
+	}
+
+	req.Header.Set("User-Agent", d.formatUserAgent())
+
+	for _, opt := range opts {
+		err = opt(req)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create request: %v", err)
+		}
+	}
+
+	return req, nil
+}
+
+func (d *Doer) do(req *http.Request, response interface{}) (*http.Response, error) {
+	resp, err := d.httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = checkError(req, resp); err != nil {
+		return resp, err
+	}
+
+	if response != nil {
+		raw, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return resp, err
+		}
+
+		defer resp.Body.Close()
+
+		err = json.Unmarshal(raw, response)
+		if err != nil {
+			return resp, fmt.Errorf("failed to unmarshal %q to type %T: %v", raw, response, err)
+		}
+	}
+
+	return resp, nil
+}
+
+// formatUserAgent builds and returns the User-Agent string to use in requests.
+func (d *Doer) formatUserAgent() string {
+	ua := fmt.Sprintf("%s %s (%s; %s; %s)", d.userAgent, ourUserAgent, ourUserAgentComment, runtime.GOOS, runtime.GOARCH)
+	return strings.TrimSpace(ua)
+}
+
+func checkError(req *http.Request, resp *http.Response) error {
+	if resp.StatusCode >= http.StatusBadRequest {
+
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return fmt.Errorf("%d :: %s :: %s :: %v", resp.StatusCode, req.Method, req.URL, err)
+		}
+
+		var errorDetails *acme.ProblemDetails
+		err = json.Unmarshal(body, &errorDetails)
+		if err != nil {
+			return fmt.Errorf("%d ::%s :: %s :: %v :: %s", resp.StatusCode, req.Method, req.URL, err, string(body))
+		}
+
+		errorDetails.Method = req.Method
+		errorDetails.URL = req.URL.String()
+
+		// Check for errors we handle specifically
+		if errorDetails.HTTPStatus == http.StatusBadRequest && errorDetails.Type == acme.BadNonceErr {
+			return &acme.NonceError{ProblemDetails: errorDetails}
+		}
+
+		return errorDetails
+	}
+	return nil
+}
--- a/vendor/github.com/go-acme/lego/acme/api/internal/sender/useragent.go
+++ b/vendor/github.com/go-acme/lego/acme/api/internal/sender/useragent.go
@ -0,0 +1,14 @@
+package sender
+
+// CODE GENERATED AUTOMATICALLY
+// THIS FILE MUST NOT BE EDITED BY HAND
+
+const (
+	// ourUserAgent is the User-Agent of this underlying library package.
+	ourUserAgent = "xenolf-acme/2.3.0"
+
+	// ourUserAgentComment is part of the UA comment linked to the version status of this underlying library package.
+	// values: detach|release
+	// NOTE: Update this with each tagged release.
+	ourUserAgentComment = "detach"
+)
--- a/vendor/github.com/go-acme/lego/acme/api/order.go
+++ b/vendor/github.com/go-acme/lego/acme/api/order.go
@ -0,0 +1,65 @@
+package api
+
+import (
+	"encoding/base64"
+	"errors"
+
+	"github.com/go-acme/lego/acme"
+)
+
+type OrderService service
+
+// New Creates a new order.
+func (o *OrderService) New(domains []string) (acme.ExtendedOrder, error) {
+	var identifiers []acme.Identifier
+	for _, domain := range domains {
+		identifiers = append(identifiers, acme.Identifier{Type: "dns", Value: domain})
+	}
+
+	orderReq := acme.Order{Identifiers: identifiers}
+
+	var order acme.Order
+	resp, err := o.core.post(o.core.GetDirectory().NewOrderURL, orderReq, &order)
+	if err != nil {
+		return acme.ExtendedOrder{}, err
+	}
+
+	return acme.ExtendedOrder{
+		Location: resp.Header.Get("Location"),
+		Order:    order,
+	}, nil
+}
+
+// Get Gets an order.
+func (o *OrderService) Get(orderURL string) (acme.Order, error) {
+	if len(orderURL) == 0 {
+		return acme.Order{}, errors.New("order[get]: empty URL")
+	}
+
+	var order acme.Order
+	_, err := o.core.postAsGet(orderURL, &order)
+	if err != nil {
+		return acme.Order{}, err
+	}
+
+	return order, nil
+}
+
+// UpdateForCSR Updates an order for a CSR.
+func (o *OrderService) UpdateForCSR(orderURL string, csr []byte) (acme.Order, error) {
+	csrMsg := acme.CSRMessage{
+		Csr: base64.RawURLEncoding.EncodeToString(csr),
+	}
+
+	var order acme.Order
+	_, err := o.core.post(orderURL, csrMsg, &order)
+	if err != nil {
+		return acme.Order{}, err
+	}
+
+	if order.Status == acme.StatusInvalid {
+		return acme.Order{}, order.Error
+	}
+
+	return order, nil
+}
--- a/vendor/github.com/go-acme/lego/acme/api/service.go
+++ b/vendor/github.com/go-acme/lego/acme/api/service.go
@ -0,0 +1,45 @@
+package api
+
+import (
+	"net/http"
+	"regexp"
+)
+
+type service struct {
+	core *Core
+}
+
+// getLink get a rel into the Link header
+func getLink(header http.Header, rel string) string {
+	var linkExpr = regexp.MustCompile(`<(.+?)>;\s*rel="(.+?)"`)
+
+	for _, link := range header["Link"] {
+		for _, m := range linkExpr.FindAllStringSubmatch(link, -1) {
+			if len(m) != 3 {
+				continue
+			}
+			if m[2] == rel {
+				return m[1]
+			}
+		}
+	}
+	return ""
+}
+
+// getLocation get the value of the header Location
+func getLocation(resp *http.Response) string {
+	if resp == nil {
+		return ""
+	}
+
+	return resp.Header.Get("Location")
+}
+
+// getRetryAfter get the value of the header Retry-After
+func getRetryAfter(resp *http.Response) string {
+	if resp == nil {
+		return ""
+	}
+
+	return resp.Header.Get("Retry-After")
+}
--- a/vendor/github.com/go-acme/lego/acme/commons.go
+++ b/vendor/github.com/go-acme/lego/acme/commons.go
@ -0,0 +1,284 @@
+// Package acme contains all objects related the ACME endpoints.
+// https://tools.ietf.org/html/draft-ietf-acme-acme-16
+package acme
+
+import (
+	"encoding/json"
+	"time"
+)
+
+// Challenge statuses
+// https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.1.6
+const (
+	StatusPending     = "pending"
+	StatusInvalid     = "invalid"
+	StatusValid       = "valid"
+	StatusProcessing  = "processing"
+	StatusDeactivated = "deactivated"
+	StatusExpired     = "expired"
+	StatusRevoked     = "revoked"
+)
+
+// Directory the ACME directory object.
+// - https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.1.1
+type Directory struct {
+	NewNonceURL   string `json:"newNonce"`
+	NewAccountURL string `json:"newAccount"`
+	NewOrderURL   string `json:"newOrder"`
+	NewAuthzURL   string `json:"newAuthz"`
+	RevokeCertURL string `json:"revokeCert"`
+	KeyChangeURL  string `json:"keyChange"`
+	Meta          Meta   `json:"meta"`
+}
+
+// Meta the ACME meta object (related to Directory).
+// - https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.1.1
+type Meta struct {
+	// termsOfService (optional, string):
+	// A URL identifying the current terms of service.
+	TermsOfService string `json:"termsOfService"`
+
+	// website (optional, string):
+	// An HTTP or HTTPS URL locating a website providing more information about the ACME server.
+	Website string `json:"website"`
+
+	// caaIdentities (optional, array of string):
+	// The hostnames that the ACME server recognizes as referring to itself
+	// for the purposes of CAA record validation as defined in [RFC6844].
+	// Each string MUST represent the same sequence of ASCII code points
+	// that the server will expect to see as the "Issuer Domain Name" in a CAA issue or issuewild property tag.
+	// This allows clients to determine the correct issuer domain name to use when configuring CAA records.
+	CaaIdentities []string `json:"caaIdentities"`
+
+	// externalAccountRequired (optional, boolean):
+	// If this field is present and set to "true",
+	// then the CA requires that all new- account requests include an "externalAccountBinding" field
+	// associating the new account with an external account.
+	ExternalAccountRequired bool `json:"externalAccountRequired"`
+}
+
+// ExtendedAccount a extended Account.
+type ExtendedAccount struct {
+	Account
+	// Contains the value of the response header `Location`
+	Location string `json:"-"`
+}
+
+// Account the ACME account Object.
+// - https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.1.2
+// - https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.3
+type Account struct {
+	// status (required, string):
+	// The status of this account.
+	// Possible values are: "valid", "deactivated", and "revoked".
+	// The value "deactivated" should be used to indicate client-initiated deactivation
+	// whereas "revoked" should be used to indicate server- initiated deactivation. (See Section 7.1.6)
+	Status string `json:"status,omitempty"`
+
+	// contact (optional, array of string):
+	// An array of URLs that the server can use to contact the client for issues related to this account.
+	// For example, the server may wish to notify the client about server-initiated revocation or certificate expiration.
+	// For information on supported URL schemes, see Section 7.3
+	Contact []string `json:"contact,omitempty"`
+
+	// termsOfServiceAgreed (optional, boolean):
+	// Including this field in a new-account request,
+	// with a value of true, indicates the client's agreement with the terms of service.
+	// This field is not updateable by the client.
+	TermsOfServiceAgreed bool `json:"termsOfServiceAgreed,omitempty"`
+
+	// orders (required, string):
+	// A URL from which a list of orders submitted by this account can be fetched via a POST-as-GET request,
+	// as described in Section 7.1.2.1.
+	Orders string `json:"orders,omitempty"`
+
+	// onlyReturnExisting (optional, boolean):
+	// If this field is present with the value "true",
+	// then the server MUST NOT create a new account if one does not already exist.
+	// This allows a client to look up an account URL based on an account key (see Section 7.3.1).
+	OnlyReturnExisting bool `json:"onlyReturnExisting,omitempty"`
+
+	// externalAccountBinding (optional, object):
+	// An optional field for binding the new account with an existing non-ACME account (see Section 7.3.4).
+	ExternalAccountBinding json.RawMessage `json:"externalAccountBinding,omitempty"`
+}
+
+// ExtendedOrder a extended Order.
+type ExtendedOrder struct {
+	Order
+	// The order URL, contains the value of the response header `Location`
+	Location string `json:"-"`
+}
+
+// Order the ACME order Object.
+// - https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.1.3
+type Order struct {
+	// status (required, string):
+	// The status of this order.
+	// Possible values are: "pending", "ready", "processing", "valid", and "invalid".
+	Status string `json:"status,omitempty"`
+
+	// expires (optional, string):
+	// The timestamp after which the server will consider this order invalid,
+	// encoded in the format specified in RFC 3339 [RFC3339].
+	// This field is REQUIRED for objects with "pending" or "valid" in the status field.
+	Expires string `json:"expires,omitempty"`
+
+	// identifiers (required, array of object):
+	// An array of identifier objects that the order pertains to.
+	Identifiers []Identifier `json:"identifiers"`
+
+	// notBefore (optional, string):
+	// The requested value of the notBefore field in the certificate,
+	// in the date format defined in [RFC3339].
+	NotBefore string `json:"notBefore,omitempty"`
+
+	// notAfter (optional, string):
+	// The requested value of the notAfter field in the certificate,
+	// in the date format defined in [RFC3339].
+	NotAfter string `json:"notAfter,omitempty"`
+
+	// error (optional, object):
+	// The error that occurred while processing the order, if any.
+	// This field is structured as a problem document [RFC7807].
+	Error *ProblemDetails `json:"error,omitempty"`
+
+	// authorizations (required, array of string):
+	// For pending orders,
+	// the authorizations that the client needs to complete before the requested certificate can be issued (see Section 7.5),
+	// including unexpired authorizations that the client has completed in the past for identifiers specified in the order.
+	// The authorizations required are dictated by server policy
+	// and there may not be a 1:1 relationship between the order identifiers and the authorizations required.
+	// For final orders (in the "valid" or "invalid" state), the authorizations that were completed.
+	// Each entry is a URL from which an authorization can be fetched with a POST-as-GET request.
+	Authorizations []string `json:"authorizations,omitempty"`
+
+	// finalize (required, string):
+	// A URL that a CSR must be POSTed to once all of the order's authorizations are satisfied to finalize the order.
+	// The result of a successful finalization will be the population of the certificate URL for the order.
+	Finalize string `json:"finalize,omitempty"`
+
+	// certificate (optional, string):
+	// A URL for the certificate that has been issued in response to this order
+	Certificate string `json:"certificate,omitempty"`
+}
+
+// Authorization the ACME authorization object.
+// - https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.1.4
+type Authorization struct {
+	// status (required, string):
+	// The status of this authorization.
+	// Possible values are: "pending", "valid", "invalid", "deactivated", "expired", and "revoked".
+	Status string `json:"status"`
+
+	// expires (optional, string):
+	// The timestamp after which the server will consider this authorization invalid,
+	// encoded in the format specified in RFC 3339 [RFC3339].
+	// This field is REQUIRED for objects with "valid" in the "status" field.
+	Expires time.Time `json:"expires,omitempty"`
+
+	// identifier (required, object):
+	// The identifier that the account is authorized to represent
+	Identifier Identifier `json:"identifier,omitempty"`
+
+	// challenges (required, array of objects):
+	// For pending authorizations, the challenges that the client can fulfill in order to prove possession of the identifier.
+	// For valid authorizations, the challenge that was validated.
+	// For invalid authorizations, the challenge that was attempted and failed.
+	// Each array entry is an object with parameters required to validate the challenge.
+	// A client should attempt to fulfill one of these challenges,
+	// and a server should consider any one of the challenges sufficient to make the authorization valid.
+	Challenges []Challenge `json:"challenges,omitempty"`
+
+	// wildcard (optional, boolean):
+	// For authorizations created as a result of a newOrder request containing a DNS identifier
+	// with a value that contained a wildcard prefix this field MUST be present, and true.
+	Wildcard bool `json:"wildcard,omitempty"`
+}
+
+// ExtendedChallenge a extended Challenge.
+type ExtendedChallenge struct {
+	Challenge
+	// Contains the value of the response header `Retry-After`
+	RetryAfter string `json:"-"`
+	// Contains the value of the response header `Link` rel="up"
+	AuthorizationURL string `json:"-"`
+}
+
+// Challenge the ACME challenge object.
+// - https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.1.5
+// - https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-8
+type Challenge struct {
+	// type (required, string):
+	// The type of challenge encoded in the object.
+	Type string `json:"type"`
+
+	// url (required, string):
+	// The URL to which a response can be posted.
+	URL string `json:"url"`
+
+	// status (required, string):
+	// The status of this challenge. Possible values are: "pending", "processing", "valid", and "invalid".
+	Status string `json:"status"`
+
+	// validated (optional, string):
+	// The time at which the server validated this challenge,
+	// encoded in the format specified in RFC 3339 [RFC3339].
+	// This field is REQUIRED if the "status" field is "valid".
+	Validated time.Time `json:"validated,omitempty"`
+
+	// error (optional, object):
+	// Error that occurred while the server was validating the challenge, if any,
+	// structured as a problem document [RFC7807].
+	// Multiple errors can be indicated by using subproblems Section 6.7.1.
+	// A challenge object with an error MUST have status equal to "invalid".
+	Error *ProblemDetails `json:"error,omitempty"`
+
+	// token (required, string):
+	// A random value that uniquely identifies the challenge.
+	// This value MUST have at least 128 bits of entropy.
+	// It MUST NOT contain any characters outside the base64url alphabet,
+	// and MUST NOT include base64 padding characters ("=").
+	// See [RFC4086] for additional information on randomness requirements.
+	// https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-8.3
+	// https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-8.4
+	Token string `json:"token"`
+
+	// https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-8.1
+	KeyAuthorization string `json:"keyAuthorization"`
+}
+
+// Identifier the ACME identifier object.
+// - https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-9.7.7
+type Identifier struct {
+	Type  string `json:"type"`
+	Value string `json:"value"`
+}
+
+// CSRMessage Certificate Signing Request
+// - https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.4
+type CSRMessage struct {
+	// csr (required, string):
+	// A CSR encoding the parameters for the certificate being requested [RFC2986].
+	// The CSR is sent in the base64url-encoded version of the DER format.
+	// (Note: Because this field uses base64url, and does not include headers, it is different from PEM.).
+	Csr string `json:"csr"`
+}
+
+// RevokeCertMessage a certificate revocation message
+// - https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.6
+// - https://tools.ietf.org/html/rfc5280#section-5.3.1
+type RevokeCertMessage struct {
+	// certificate (required, string):
+	// The certificate to be revoked, in the base64url-encoded version of the DER format.
+	// (Note: Because this field uses base64url, and does not include headers, it is different from PEM.)
+	Certificate string `json:"certificate"`
+
+	// reason (optional, int):
+	// One of the revocation reasonCodes defined in Section 5.3.1 of [RFC5280] to be used when generating OCSP responses and CRLs.
+	// If this field is not set the server SHOULD omit the reasonCode CRL entry extension when generating OCSP responses and CRLs.
+	// The server MAY disallow a subset of reasonCodes from being used by the user.
+	// If a request contains a disallowed reasonCode the server MUST reject it with the error type "urn:ietf:params:acme:error:badRevocationReason".
+	// The problem document detail SHOULD indicate which reasonCodes are allowed.
+	Reason *uint `json:"reason,omitempty"`
+}
--- a/vendor/github.com/go-acme/lego/acme/errors.go
+++ b/vendor/github.com/go-acme/lego/acme/errors.go
@ -0,0 +1,58 @@
+package acme
+
+import (
+	"fmt"
+)
+
+// Errors types
+const (
+	errNS       = "urn:ietf:params:acme:error:"
+	BadNonceErr = errNS + "badNonce"
+)
+
+// ProblemDetails the problem details object
+// - https://tools.ietf.org/html/rfc7807#section-3.1
+// - https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.3.3
+type ProblemDetails struct {
+	Type        string       `json:"type,omitempty"`
+	Detail      string       `json:"detail,omitempty"`
+	HTTPStatus  int          `json:"status,omitempty"`
+	Instance    string       `json:"instance,omitempty"`
+	SubProblems []SubProblem `json:"subproblems,omitempty"`
+
+	// additional values to have a better error message (Not defined by the RFC)
+	Method string `json:"method,omitempty"`
+	URL    string `json:"url,omitempty"`
+}
+
+// SubProblem a "subproblems"
+// - https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-6.7.1
+type SubProblem struct {
+	Type       string     `json:"type,omitempty"`
+	Detail     string     `json:"detail,omitempty"`
+	Identifier Identifier `json:"identifier,omitempty"`
+}
+
+func (p ProblemDetails) Error() string {
+	msg := fmt.Sprintf("acme: error: %d", p.HTTPStatus)
+	if len(p.Method) != 0 || len(p.URL) != 0 {
+		msg += fmt.Sprintf(" :: %s :: %s", p.Method, p.URL)
+	}
+	msg += fmt.Sprintf(" :: %s :: %s", p.Type, p.Detail)
+
+	for _, sub := range p.SubProblems {
+		msg += fmt.Sprintf(", problem: %q :: %s", sub.Type, sub.Detail)
+	}
+
+	if len(p.Instance) == 0 {
+		msg += ", url: " + p.Instance
+	}
+
+	return msg
+}
+
+// NonceError represents the error which is returned
+// if the nonce sent by the client was not accepted by the server.
+type NonceError struct {
+	*ProblemDetails
+}