Migrate to go-acme/lego.

vendor/github.com/go-acme/lego/challenge/challenges.go

@@ -0,0 +1,44 @@
+package challenge
+
+import (
+	"fmt"
+
+	"github.com/go-acme/lego/acme"
+)
+
+// Type is a string that identifies a particular challenge type and version of ACME challenge.
+type Type string
+
+const (
+	// HTTP01 is the "http-01" ACME challenge https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-8.3
+	// Note: ChallengePath returns the URL path to fulfill this challenge
+	HTTP01 = Type("http-01")
+
+	// DNS01 is the "dns-01" ACME challenge https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-8.4
+	// Note: GetRecord returns a DNS record which will fulfill this challenge
+	DNS01 = Type("dns-01")
+
+	// TLSALPN01 is the "tls-alpn-01" ACME challenge https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05
+	TLSALPN01 = Type("tls-alpn-01")
+)
+
+func (t Type) String() string {
+	return string(t)
+}
+
+func FindChallenge(chlgType Type, authz acme.Authorization) (acme.Challenge, error) {
+	for _, chlg := range authz.Challenges {
+		if chlg.Type == string(chlgType) {
+			return chlg, nil
+		}
+	}
+
+	return acme.Challenge{}, fmt.Errorf("[%s] acme: unable to find challenge %s", GetTargetedDomain(authz), chlgType)
+}
+
+func GetTargetedDomain(authz acme.Authorization) string {
+	if authz.Wildcard {
+		return "*." + authz.Identifier.Value
+	}
+	return authz.Identifier.Value
+}

vendor/github.com/go-acme/lego/challenge/dns01/cname.go

@@ -0,0 +1,16 @@
+package dns01
+
+import "github.com/miekg/dns"
+
+// Update FQDN with CNAME if any
+func updateDomainWithCName(r *dns.Msg, fqdn string) string {
+	for _, rr := range r.Answer {
+		if cn, ok := rr.(*dns.CNAME); ok {
+			if cn.Hdr.Name == fqdn {
+				return cn.Target
+			}
+		}
+	}
+
+	return fqdn
+}

vendor/github.com/go-acme/lego/challenge/dns01/dns_challenge.go

@@ -0,0 +1,188 @@
+package dns01
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"os"
+	"strconv"
+	"time"
+
+	"github.com/go-acme/lego/acme"
+	"github.com/go-acme/lego/acme/api"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/log"
+	"github.com/go-acme/lego/platform/wait"
+	"github.com/miekg/dns"
+)
+
+const (
+	// DefaultPropagationTimeout default propagation timeout
+	DefaultPropagationTimeout = 60 * time.Second
+
+	// DefaultPollingInterval default polling interval
+	DefaultPollingInterval = 2 * time.Second
+
+	// DefaultTTL default TTL
+	DefaultTTL = 120
+)
+
+type ValidateFunc func(core *api.Core, domain string, chlng acme.Challenge) error
+
+type ChallengeOption func(*Challenge) error
+
+// CondOption Conditional challenge option.
+func CondOption(condition bool, opt ChallengeOption) ChallengeOption {
+	if !condition {
+		// NoOp options
+		return func(*Challenge) error {
+			return nil
+		}
+	}
+	return opt
+}
+
+// Challenge implements the dns-01 challenge
+type Challenge struct {
+	core       *api.Core
+	validate   ValidateFunc
+	provider   challenge.Provider
+	preCheck   preCheck
+	dnsTimeout time.Duration
+}
+
+func NewChallenge(core *api.Core, validate ValidateFunc, provider challenge.Provider, opts ...ChallengeOption) *Challenge {
+	chlg := &Challenge{
+		core:       core,
+		validate:   validate,
+		provider:   provider,
+		preCheck:   newPreCheck(),
+		dnsTimeout: 10 * time.Second,
+	}
+
+	for _, opt := range opts {
+		err := opt(chlg)
+		if err != nil {
+			log.Infof("challenge option error: %v", err)
+		}
+	}
+
+	return chlg
+}
+
+// PreSolve just submits the txt record to the dns provider.
+// It does not validate record propagation, or do anything at all with the acme server.
+func (c *Challenge) PreSolve(authz acme.Authorization) error {
+	domain := challenge.GetTargetedDomain(authz)
+	log.Infof("[%s] acme: Preparing to solve DNS-01", domain)
+
+	chlng, err := challenge.FindChallenge(challenge.DNS01, authz)
+	if err != nil {
+		return err
+	}
+
+	if c.provider == nil {
+		return fmt.Errorf("[%s] acme: no DNS Provider configured", domain)
+	}
+
+	// Generate the Key Authorization for the challenge
+	keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)
+	if err != nil {
+		return err
+	}
+
+	err = c.provider.Present(authz.Identifier.Value, chlng.Token, keyAuth)
+	if err != nil {
+		return fmt.Errorf("[%s] acme: error presenting token: %s", domain, err)
+	}
+
+	return nil
+}
+
+func (c *Challenge) Solve(authz acme.Authorization) error {
+	domain := challenge.GetTargetedDomain(authz)
+	log.Infof("[%s] acme: Trying to solve DNS-01", domain)
+
+	chlng, err := challenge.FindChallenge(challenge.DNS01, authz)
+	if err != nil {
+		return err
+	}
+
+	// Generate the Key Authorization for the challenge
+	keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)
+	if err != nil {
+		return err
+	}
+
+	fqdn, value := GetRecord(authz.Identifier.Value, keyAuth)
+
+	var timeout, interval time.Duration
+	switch provider := c.provider.(type) {
+	case challenge.ProviderTimeout:
+		timeout, interval = provider.Timeout()
+	default:
+		timeout, interval = DefaultPropagationTimeout, DefaultPollingInterval
+	}
+
+	log.Infof("[%s] acme: Checking DNS record propagation using %+v", domain, recursiveNameservers)
+
+	err = wait.For("propagation", timeout, interval, func() (bool, error) {
+		stop, errP := c.preCheck.call(domain, fqdn, value)
+		if !stop || errP != nil {
+			log.Infof("[%s] acme: Waiting for DNS record propagation.", domain)
+		}
+		return stop, errP
+	})
+	if err != nil {
+		return err
+	}
+
+	chlng.KeyAuthorization = keyAuth
+	return c.validate(c.core, domain, chlng)
+}
+
+// CleanUp cleans the challenge.
+func (c *Challenge) CleanUp(authz acme.Authorization) error {
+	log.Infof("[%s] acme: Cleaning DNS-01 challenge", challenge.GetTargetedDomain(authz))
+
+	chlng, err := challenge.FindChallenge(challenge.DNS01, authz)
+	if err != nil {
+		return err
+	}
+
+	keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)
+	if err != nil {
+		return err
+	}
+
+	return c.provider.CleanUp(authz.Identifier.Value, chlng.Token, keyAuth)
+}
+
+func (c *Challenge) Sequential() (bool, time.Duration) {
+	if p, ok := c.provider.(sequential); ok {
+		return ok, p.Sequential()
+	}
+	return false, 0
+}
+
+type sequential interface {
+	Sequential() time.Duration
+}
+
+// GetRecord returns a DNS record which will fulfill the `dns-01` challenge
+func GetRecord(domain, keyAuth string) (fqdn string, value string) {
+	keyAuthShaBytes := sha256.Sum256([]byte(keyAuth))
+	// base64URL encoding without padding
+	value = base64.RawURLEncoding.EncodeToString(keyAuthShaBytes[:sha256.Size])
+	fqdn = fmt.Sprintf("_acme-challenge.%s.", domain)
+
+	if ok, _ := strconv.ParseBool(os.Getenv("LEGO_EXPERIMENTAL_CNAME_SUPPORT")); ok {
+		r, err := dnsQuery(fqdn, dns.TypeCNAME, recursiveNameservers, true)
+		// Check if the domain has CNAME then return that
+		if err == nil && r.Rcode == dns.RcodeSuccess {
+			fqdn = updateDomainWithCName(r, fqdn)
+		}
+	}
+
+	return
+}

vendor/github.com/go-acme/lego/challenge/dns01/dns_challenge_manual.go

@@ -0,0 +1,52 @@
+package dns01
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+)
+
+const (
+	dnsTemplate = `%s %d IN TXT "%s"`
+)
+
+// DNSProviderManual is an implementation of the ChallengeProvider interface
+type DNSProviderManual struct{}
+
+// NewDNSProviderManual returns a DNSProviderManual instance.
+func NewDNSProviderManual() (*DNSProviderManual, error) {
+	return &DNSProviderManual{}, nil
+}
+
+// Present prints instructions for manually creating the TXT record
+func (*DNSProviderManual) Present(domain, token, keyAuth string) error {
+	fqdn, value := GetRecord(domain, keyAuth)
+
+	authZone, err := FindZoneByFqdn(fqdn)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("lego: Please create the following TXT record in your %s zone:\n", authZone)
+	fmt.Printf(dnsTemplate+"\n", fqdn, DefaultTTL, value)
+	fmt.Printf("lego: Press 'Enter' when you are done\n")
+
+	_, err = bufio.NewReader(os.Stdin).ReadBytes('\n')
+
+	return err
+}
+
+// CleanUp prints instructions for manually removing the TXT record
+func (*DNSProviderManual) CleanUp(domain, token, keyAuth string) error {
+	fqdn, _ := GetRecord(domain, keyAuth)
+
+	authZone, err := FindZoneByFqdn(fqdn)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("lego: You can now remove this TXT record from your %s zone:\n", authZone)
+	fmt.Printf(dnsTemplate+"\n", fqdn, DefaultTTL, "...")
+
+	return nil
+}

vendor/github.com/go-acme/lego/challenge/dns01/fqdn.go

@@ -0,0 +1,19 @@
+package dns01
+
+// ToFqdn converts the name into a fqdn appending a trailing dot.
+func ToFqdn(name string) string {
+	n := len(name)
+	if n == 0 || name[n-1] == '.' {
+		return name
+	}
+	return name + "."
+}
+
+// UnFqdn converts the fqdn into a name removing the trailing dot.
+func UnFqdn(name string) string {
+	n := len(name)
+	if n != 0 && name[n-1] == '.' {
+		return name[:n-1]
+	}
+	return name
+}

vendor/github.com/go-acme/lego/challenge/dns01/nameserver.go

@@ -0,0 +1,232 @@
+package dns01
+
+import (
+	"fmt"
+	"net"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/miekg/dns"
+)
+
+const defaultResolvConf = "/etc/resolv.conf"
+
+// dnsTimeout is used to override the default DNS timeout of 10 seconds.
+var dnsTimeout = 10 * time.Second
+
+var (
+	fqdnToZone   = map[string]string{}
+	muFqdnToZone sync.Mutex
+)
+
+var defaultNameservers = []string{
+	"google-public-dns-a.google.com:53",
+	"google-public-dns-b.google.com:53",
+}
+
+// recursiveNameservers are used to pre-check DNS propagation
+var recursiveNameservers = getNameservers(defaultResolvConf, defaultNameservers)
+
+// ClearFqdnCache clears the cache of fqdn to zone mappings. Primarily used in testing.
+func ClearFqdnCache() {
+	muFqdnToZone.Lock()
+	fqdnToZone = map[string]string{}
+	muFqdnToZone.Unlock()
+}
+
+func AddDNSTimeout(timeout time.Duration) ChallengeOption {
+	return func(_ *Challenge) error {
+		dnsTimeout = timeout
+		return nil
+	}
+}
+
+func AddRecursiveNameservers(nameservers []string) ChallengeOption {
+	return func(_ *Challenge) error {
+		recursiveNameservers = ParseNameservers(nameservers)
+		return nil
+	}
+}
+
+// getNameservers attempts to get systems nameservers before falling back to the defaults
+func getNameservers(path string, defaults []string) []string {
+	config, err := dns.ClientConfigFromFile(path)
+	if err != nil || len(config.Servers) == 0 {
+		return defaults
+	}
+
+	return ParseNameservers(config.Servers)
+}
+
+func ParseNameservers(servers []string) []string {
+	var resolvers []string
+	for _, resolver := range servers {
+		// ensure all servers have a port number
+		if _, _, err := net.SplitHostPort(resolver); err != nil {
+			resolvers = append(resolvers, net.JoinHostPort(resolver, "53"))
+		} else {
+			resolvers = append(resolvers, resolver)
+		}
+	}
+	return resolvers
+}
+
+// lookupNameservers returns the authoritative nameservers for the given fqdn.
+func lookupNameservers(fqdn string) ([]string, error) {
+	var authoritativeNss []string
+
+	zone, err := FindZoneByFqdn(fqdn)
+	if err != nil {
+		return nil, fmt.Errorf("could not determine the zone: %v", err)
+	}
+
+	r, err := dnsQuery(zone, dns.TypeNS, recursiveNameservers, true)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, rr := range r.Answer {
+		if ns, ok := rr.(*dns.NS); ok {
+			authoritativeNss = append(authoritativeNss, strings.ToLower(ns.Ns))
+		}
+	}
+
+	if len(authoritativeNss) > 0 {
+		return authoritativeNss, nil
+	}
+	return nil, fmt.Errorf("could not determine authoritative nameservers")
+}
+
+// FindZoneByFqdn determines the zone apex for the given fqdn
+// by recursing up the domain labels until the nameserver returns a SOA record in the answer section.
+func FindZoneByFqdn(fqdn string) (string, error) {
+	return FindZoneByFqdnCustom(fqdn, recursiveNameservers)
+}
+
+// FindZoneByFqdnCustom determines the zone apex for the given fqdn
+// by recursing up the domain labels until the nameserver returns a SOA record in the answer section.
+func FindZoneByFqdnCustom(fqdn string, nameservers []string) (string, error) {
+	muFqdnToZone.Lock()
+	defer muFqdnToZone.Unlock()
+
+	// Do we have it cached?
+	if zone, ok := fqdnToZone[fqdn]; ok {
+		return zone, nil
+	}
+
+	var err error
+	var in *dns.Msg
+
+	labelIndexes := dns.Split(fqdn)
+	for _, index := range labelIndexes {
+		domain := fqdn[index:]
+
+		in, err = dnsQuery(domain, dns.TypeSOA, nameservers, true)
+		if err != nil {
+			continue
+		}
+
+		if in == nil {
+			continue
+		}
+
+		switch in.Rcode {
+		case dns.RcodeSuccess:
+			// Check if we got a SOA RR in the answer section
+
+			if len(in.Answer) == 0 {
+				continue
+			}
+
+			// CNAME records cannot/should not exist at the root of a zone.
+			// So we skip a domain when a CNAME is found.
+			if dnsMsgContainsCNAME(in) {
+				continue
+			}
+
+			for _, ans := range in.Answer {
+				if soa, ok := ans.(*dns.SOA); ok {
+					zone := soa.Hdr.Name
+					fqdnToZone[fqdn] = zone
+					return zone, nil
+				}
+			}
+		case dns.RcodeNameError:
+			// NXDOMAIN
+		default:
+			// Any response code other than NOERROR and NXDOMAIN is treated as error
+			return "", fmt.Errorf("unexpected response code '%s' for %s", dns.RcodeToString[in.Rcode], domain)
+		}
+	}
+
+	return "", fmt.Errorf("could not find the start of authority for %s%s", fqdn, formatDNSError(in, err))
+}
+
+// dnsMsgContainsCNAME checks for a CNAME answer in msg
+func dnsMsgContainsCNAME(msg *dns.Msg) bool {
+	for _, ans := range msg.Answer {
+		if _, ok := ans.(*dns.CNAME); ok {
+			return true
+		}
+	}
+	return false
+}
+
+func dnsQuery(fqdn string, rtype uint16, nameservers []string, recursive bool) (*dns.Msg, error) {
+	m := createDNSMsg(fqdn, rtype, recursive)
+
+	var in *dns.Msg
+	var err error
+
+	for _, ns := range nameservers {
+		in, err = sendDNSQuery(m, ns)
+		if err == nil && len(in.Answer) > 0 {
+			break
+		}
+	}
+	return in, err
+}
+
+func createDNSMsg(fqdn string, rtype uint16, recursive bool) *dns.Msg {
+	m := new(dns.Msg)
+	m.SetQuestion(fqdn, rtype)
+	m.SetEdns0(4096, false)
+
+	if !recursive {
+		m.RecursionDesired = false
+	}
+
+	return m
+}
+
+func sendDNSQuery(m *dns.Msg, ns string) (*dns.Msg, error) {
+	udp := &dns.Client{Net: "udp", Timeout: dnsTimeout}
+	in, _, err := udp.Exchange(m, ns)
+
+	if in != nil && in.Truncated {
+		tcp := &dns.Client{Net: "tcp", Timeout: dnsTimeout}
+		// If the TCP request succeeds, the err will reset to nil
+		in, _, err = tcp.Exchange(m, ns)
+	}
+
+	return in, err
+}
+
+func formatDNSError(msg *dns.Msg, err error) string {
+	var parts []string
+
+	if msg != nil {
+		parts = append(parts, dns.RcodeToString[msg.Rcode])
+	}
+
+	if err != nil {
+		parts = append(parts, fmt.Sprintf("%v", err))
+	}
+
+	if len(parts) > 0 {
+		return ": " + strings.Join(parts, " ")
+	}
+
+	return ""
+}

vendor/github.com/go-acme/lego/challenge/dns01/precheck.go

@@ -0,0 +1,127 @@
+package dns01
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"strings"
+
+	"github.com/miekg/dns"
+)
+
+// PreCheckFunc checks DNS propagation before notifying ACME that the DNS challenge is ready.
+type PreCheckFunc func(fqdn, value string) (bool, error)
+
+// WrapPreCheckFunc wraps a PreCheckFunc in order to do extra operations before or after
+// the main check, put it in a loop, etc.
+type WrapPreCheckFunc func(domain, fqdn, value string, check PreCheckFunc) (bool, error)
+
+// WrapPreCheck Allow to define checks before notifying ACME that the DNS challenge is ready.
+func WrapPreCheck(wrap WrapPreCheckFunc) ChallengeOption {
+	return func(chlg *Challenge) error {
+		chlg.preCheck.checkFunc = wrap
+		return nil
+	}
+}
+
+// AddPreCheck Allow to define checks before notifying ACME that the DNS challenge is ready.
+// Deprecated: use WrapPreCheck instead.
+func AddPreCheck(preCheck PreCheckFunc) ChallengeOption {
+	// Prevent race condition
+	check := preCheck
+	return func(chlg *Challenge) error {
+		chlg.preCheck.checkFunc = func(_, fqdn, value string, _ PreCheckFunc) (bool, error) {
+			if check == nil {
+				return false, errors.New("invalid preCheck: preCheck is nil")
+			}
+			return check(fqdn, value)
+		}
+		return nil
+	}
+}
+
+func DisableCompletePropagationRequirement() ChallengeOption {
+	return func(chlg *Challenge) error {
+		chlg.preCheck.requireCompletePropagation = false
+		return nil
+	}
+}
+
+type preCheck struct {
+	// checks DNS propagation before notifying ACME that the DNS challenge is ready.
+	checkFunc WrapPreCheckFunc
+	// require the TXT record to be propagated to all authoritative name servers
+	requireCompletePropagation bool
+}
+
+func newPreCheck() preCheck {
+	return preCheck{
+		requireCompletePropagation: true,
+	}
+}
+
+func (p preCheck) call(domain, fqdn, value string) (bool, error) {
+	if p.checkFunc == nil {
+		return p.checkDNSPropagation(fqdn, value)
+	}
+
+	return p.checkFunc(domain, fqdn, value, p.checkDNSPropagation)
+}
+
+// checkDNSPropagation checks if the expected TXT record has been propagated to all authoritative nameservers.
+func (p preCheck) checkDNSPropagation(fqdn, value string) (bool, error) {
+	// Initial attempt to resolve at the recursive NS
+	r, err := dnsQuery(fqdn, dns.TypeTXT, recursiveNameservers, true)
+	if err != nil {
+		return false, err
+	}
+
+	if !p.requireCompletePropagation {
+		return true, nil
+	}
+
+	if r.Rcode == dns.RcodeSuccess {
+		fqdn = updateDomainWithCName(r, fqdn)
+	}
+
+	authoritativeNss, err := lookupNameservers(fqdn)
+	if err != nil {
+		return false, err
+	}
+
+	return checkAuthoritativeNss(fqdn, value, authoritativeNss)
+}
+
+// checkAuthoritativeNss queries each of the given nameservers for the expected TXT record.
+func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, error) {
+	for _, ns := range nameservers {
+		r, err := dnsQuery(fqdn, dns.TypeTXT, []string{net.JoinHostPort(ns, "53")}, false)
+		if err != nil {
+			return false, err
+		}
+
+		if r.Rcode != dns.RcodeSuccess {
+			return false, fmt.Errorf("NS %s returned %s for %s", ns, dns.RcodeToString[r.Rcode], fqdn)
+		}
+
+		var records []string
+
+		var found bool
+		for _, rr := range r.Answer {
+			if txt, ok := rr.(*dns.TXT); ok {
+				record := strings.Join(txt.Txt, "")
+				records = append(records, record)
+				if record == value {
+					found = true
+					break
+				}
+			}
+		}
+
+		if !found {
+			return false, fmt.Errorf("NS %s did not return the expected TXT record [fqdn: %s, value: %s]: %s", ns, fqdn, value, strings.Join(records, " ,"))
+		}
+	}
+
+	return true, nil
+}

vendor/github.com/go-acme/lego/challenge/http01/http_challenge.go

@@ -0,0 +1,65 @@
+package http01
+
+import (
+	"fmt"
+
+	"github.com/go-acme/lego/acme"
+	"github.com/go-acme/lego/acme/api"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/log"
+)
+
+type ValidateFunc func(core *api.Core, domain string, chlng acme.Challenge) error
+
+// ChallengePath returns the URL path for the `http-01` challenge
+func ChallengePath(token string) string {
+	return "/.well-known/acme-challenge/" + token
+}
+
+type Challenge struct {
+	core     *api.Core
+	validate ValidateFunc
+	provider challenge.Provider
+}
+
+func NewChallenge(core *api.Core, validate ValidateFunc, provider challenge.Provider) *Challenge {
+	return &Challenge{
+		core:     core,
+		validate: validate,
+		provider: provider,
+	}
+}
+
+func (c *Challenge) SetProvider(provider challenge.Provider) {
+	c.provider = provider
+}
+
+func (c *Challenge) Solve(authz acme.Authorization) error {
+	domain := challenge.GetTargetedDomain(authz)
+	log.Infof("[%s] acme: Trying to solve HTTP-01", domain)
+
+	chlng, err := challenge.FindChallenge(challenge.HTTP01, authz)
+	if err != nil {
+		return err
+	}
+
+	// Generate the Key Authorization for the challenge
+	keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)
+	if err != nil {
+		return err
+	}
+
+	err = c.provider.Present(authz.Identifier.Value, chlng.Token, keyAuth)
+	if err != nil {
+		return fmt.Errorf("[%s] acme: error presenting token: %v", domain, err)
+	}
+	defer func() {
+		err := c.provider.CleanUp(authz.Identifier.Value, chlng.Token, keyAuth)
+		if err != nil {
+			log.Warnf("[%s] acme: error cleaning up: %v", domain, err)
+		}
+	}()
+
+	chlng.KeyAuthorization = keyAuth
+	return c.validate(c.core, domain, chlng)
+}

vendor/github.com/go-acme/lego/challenge/http01/http_challenge_server.go

@@ -0,0 +1,96 @@
+package http01
+
+import (
+	"fmt"
+	"net"
+	"net/http"
+	"strings"
+
+	"github.com/go-acme/lego/log"
+)
+
+// ProviderServer implements ChallengeProvider for `http-01` challenge
+// It may be instantiated without using the NewProviderServer function if
+// you want only to use the default values.
+type ProviderServer struct {
+	iface    string
+	port     string
+	done     chan bool
+	listener net.Listener
+}
+
+// NewProviderServer creates a new ProviderServer on the selected interface and port.
+// Setting iface and / or port to an empty string will make the server fall back to
+// the "any" interface and port 80 respectively.
+func NewProviderServer(iface, port string) *ProviderServer {
+	return &ProviderServer{iface: iface, port: port}
+}
+
+// Present starts a web server and makes the token available at `ChallengePath(token)` for web requests.
+func (s *ProviderServer) Present(domain, token, keyAuth string) error {
+	if s.port == "" {
+		s.port = "80"
+	}
+
+	var err error
+	s.listener, err = net.Listen("tcp", s.GetAddress())
+	if err != nil {
+		return fmt.Errorf("could not start HTTP server for challenge -> %v", err)
+	}
+
+	s.done = make(chan bool)
+	go s.serve(domain, token, keyAuth)
+	return nil
+}
+
+func (s *ProviderServer) GetAddress() string {
+	return net.JoinHostPort(s.iface, s.port)
+}
+
+// CleanUp closes the HTTP server and removes the token from `ChallengePath(token)`
+func (s *ProviderServer) CleanUp(domain, token, keyAuth string) error {
+	if s.listener == nil {
+		return nil
+	}
+	s.listener.Close()
+	<-s.done
+	return nil
+}
+
+func (s *ProviderServer) serve(domain, token, keyAuth string) {
+	path := ChallengePath(token)
+
+	// The handler validates the HOST header and request type.
+	// For validation it then writes the token the server returned with the challenge
+	mux := http.NewServeMux()
+	mux.HandleFunc(path, func(w http.ResponseWriter, r *http.Request) {
+		if strings.HasPrefix(r.Host, domain) && r.Method == http.MethodGet {
+			w.Header().Add("Content-Type", "text/plain")
+			_, err := w.Write([]byte(keyAuth))
+			if err != nil {
+				http.Error(w, err.Error(), http.StatusInternalServerError)
+				return
+			}
+			log.Infof("[%s] Served key authentication", domain)
+		} else {
+			log.Warnf("Received request for domain %s with method %s but the domain did not match any challenge. Please ensure your are passing the HOST header properly.", r.Host, r.Method)
+			_, err := w.Write([]byte("TEST"))
+			if err != nil {
+				http.Error(w, err.Error(), http.StatusInternalServerError)
+				return
+			}
+		}
+	})
+
+	httpServer := &http.Server{Handler: mux}
+
+	// Once httpServer is shut down
+	// we don't want any lingering connections, so disable KeepAlives.
+	httpServer.SetKeepAlivesEnabled(false)
+
+	err := httpServer.Serve(s.listener)
+	if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
+		log.Println(err)
+	}
+	s.done <- true
+}

vendor/github.com/go-acme/lego/challenge/provider.go

@@ -0,0 +1,28 @@
+package challenge
+
+import "time"
+
+// Provider enables implementing a custom challenge
+// provider. Present presents the solution to a challenge available to
+// be solved. CleanUp will be called by the challenge if Present ends
+// in a non-error state.
+type Provider interface {
+	Present(domain, token, keyAuth string) error
+	CleanUp(domain, token, keyAuth string) error
+}
+
+// ProviderTimeout allows for implementing a
+// Provider where an unusually long timeout is required when
+// waiting for an ACME challenge to be satisfied, such as when
+// checking for DNS record propagation. If an implementor of a
+// Provider provides a Timeout method, then the return values
+// of the Timeout method will be used when appropriate by the acme
+// package. The interval value is the time between checks.
+//
+// The default values used for timeout and interval are 60 seconds and
+// 2 seconds respectively. These are used when no Timeout method is
+// defined for the Provider.
+type ProviderTimeout interface {
+	Provider
+	Timeout() (timeout, interval time.Duration)
+}

vendor/github.com/go-acme/lego/challenge/resolver/errors.go

@@ -0,0 +1,25 @@
+package resolver
+
+import (
+	"bytes"
+	"fmt"
+	"sort"
+)
+
+// obtainError is returned when there are specific errors available per domain.
+type obtainError map[string]error
+
+func (e obtainError) Error() string {
+	buffer := bytes.NewBufferString("acme: Error -> One or more domains had a problem:\n")
+
+	var domains []string
+	for domain := range e {
+		domains = append(domains, domain)
+	}
+	sort.Strings(domains)
+
+	for _, domain := range domains {
+		buffer.WriteString(fmt.Sprintf("[%s] %s\n", domain, e[domain]))
+	}
+	return buffer.String()
+}

vendor/github.com/go-acme/lego/challenge/resolver/prober.go

@@ -0,0 +1,173 @@
+package resolver
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/go-acme/lego/acme"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/log"
+)
+
+// Interface for all challenge solvers to implement.
+type solver interface {
+	Solve(authorization acme.Authorization) error
+}
+
+// Interface for challenges like dns, where we can set a record in advance for ALL challenges.
+// This saves quite a bit of time vs creating the records and solving them serially.
+type preSolver interface {
+	PreSolve(authorization acme.Authorization) error
+}
+
+// Interface for challenges like dns, where we can solve all the challenges before to delete them.
+type cleanup interface {
+	CleanUp(authorization acme.Authorization) error
+}
+
+type sequential interface {
+	Sequential() (bool, time.Duration)
+}
+
+// an authz with the solver we have chosen and the index of the challenge associated with it
+type selectedAuthSolver struct {
+	authz  acme.Authorization
+	solver solver
+}
+
+type Prober struct {
+	solverManager *SolverManager
+}
+
+func NewProber(solverManager *SolverManager) *Prober {
+	return &Prober{
+		solverManager: solverManager,
+	}
+}
+
+// Solve Looks through the challenge combinations to find a solvable match.
+// Then solves the challenges in series and returns.
+func (p *Prober) Solve(authorizations []acme.Authorization) error {
+	failures := make(obtainError)
+
+	var authSolvers []*selectedAuthSolver
+	var authSolversSequential []*selectedAuthSolver
+
+	// Loop through the resources, basically through the domains.
+	// First pass just selects a solver for each authz.
+	for _, authz := range authorizations {
+		domain := challenge.GetTargetedDomain(authz)
+		if authz.Status == acme.StatusValid {
+			// Boulder might recycle recent validated authz (see issue #267)
+			log.Infof("[%s] acme: authorization already valid; skipping challenge", domain)
+			continue
+		}
+
+		if solvr := p.solverManager.chooseSolver(authz); solvr != nil {
+			authSolver := &selectedAuthSolver{authz: authz, solver: solvr}
+
+			switch s := solvr.(type) {
+			case sequential:
+				if ok, _ := s.Sequential(); ok {
+					authSolversSequential = append(authSolversSequential, authSolver)
+				} else {
+					authSolvers = append(authSolvers, authSolver)
+				}
+			default:
+				authSolvers = append(authSolvers, authSolver)
+			}
+		} else {
+			failures[domain] = fmt.Errorf("[%s] acme: could not determine solvers", domain)
+		}
+	}
+
+	parallelSolve(authSolvers, failures)
+
+	sequentialSolve(authSolversSequential, failures)
+
+	// Be careful not to return an empty failures map,
+	// for even an empty obtainError is a non-nil error value
+	if len(failures) > 0 {
+		return failures
+	}
+	return nil
+}
+
+func sequentialSolve(authSolvers []*selectedAuthSolver, failures obtainError) {
+	for i, authSolver := range authSolvers {
+		// Submit the challenge
+		domain := challenge.GetTargetedDomain(authSolver.authz)
+
+		if solvr, ok := authSolver.solver.(preSolver); ok {
+			err := solvr.PreSolve(authSolver.authz)
+			if err != nil {
+				failures[domain] = err
+				cleanUp(authSolver.solver, authSolver.authz)
+				continue
+			}
+		}
+
+		// Solve challenge
+		err := authSolver.solver.Solve(authSolver.authz)
+		if err != nil {
+			failures[domain] = err
+			cleanUp(authSolver.solver, authSolver.authz)
+			continue
+		}
+
+		// Clean challenge
+		cleanUp(authSolver.solver, authSolver.authz)
+
+		if len(authSolvers)-1 > i {
+			solvr := authSolver.solver.(sequential)
+			_, interval := solvr.Sequential()
+			log.Infof("sequence: wait for %s", interval)
+			time.Sleep(interval)
+		}
+	}
+}
+
+func parallelSolve(authSolvers []*selectedAuthSolver, failures obtainError) {
+	// For all valid preSolvers, first submit the challenges so they have max time to propagate
+	for _, authSolver := range authSolvers {
+		authz := authSolver.authz
+		if solvr, ok := authSolver.solver.(preSolver); ok {
+			err := solvr.PreSolve(authz)
+			if err != nil {
+				failures[challenge.GetTargetedDomain(authz)] = err
+			}
+		}
+	}
+
+	defer func() {
+		// Clean all created TXT records
+		for _, authSolver := range authSolvers {
+			cleanUp(authSolver.solver, authSolver.authz)
+		}
+	}()
+
+	// Finally solve all challenges for real
+	for _, authSolver := range authSolvers {
+		authz := authSolver.authz
+		domain := challenge.GetTargetedDomain(authz)
+		if failures[domain] != nil {
+			// already failed in previous loop
+			continue
+		}
+
+		err := authSolver.solver.Solve(authz)
+		if err != nil {
+			failures[domain] = err
+		}
+	}
+}
+
+func cleanUp(solvr solver, authz acme.Authorization) {
+	if solvr, ok := solvr.(cleanup); ok {
+		domain := challenge.GetTargetedDomain(authz)
+		err := solvr.CleanUp(authz)
+		if err != nil {
+			log.Warnf("[%s] acme: error cleaning up: %v ", domain, err)
+		}
+	}
+}

vendor/github.com/go-acme/lego/challenge/resolver/solver_manager.go

@@ -0,0 +1,169 @@
+package resolver
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sort"
+	"strconv"
+	"time"
+
+	"github.com/cenkalti/backoff"
+	"github.com/go-acme/lego/acme"
+	"github.com/go-acme/lego/acme/api"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/challenge/dns01"
+	"github.com/go-acme/lego/challenge/http01"
+	"github.com/go-acme/lego/challenge/tlsalpn01"
+	"github.com/go-acme/lego/log"
+)
+
+type byType []acme.Challenge
+
+func (a byType) Len() int           { return len(a) }
+func (a byType) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
+func (a byType) Less(i, j int) bool { return a[i].Type > a[j].Type }
+
+type SolverManager struct {
+	core    *api.Core
+	solvers map[challenge.Type]solver
+}
+
+func NewSolversManager(core *api.Core) *SolverManager {
+	return &SolverManager{
+		solvers: map[challenge.Type]solver{},
+		core:    core,
+	}
+}
+
+// SetHTTP01Provider specifies a custom provider p that can solve the given HTTP-01 challenge.
+func (c *SolverManager) SetHTTP01Provider(p challenge.Provider) error {
+	c.solvers[challenge.HTTP01] = http01.NewChallenge(c.core, validate, p)
+	return nil
+}
+
+// SetTLSALPN01Provider specifies a custom provider p that can solve the given TLS-ALPN-01 challenge.
+func (c *SolverManager) SetTLSALPN01Provider(p challenge.Provider) error {
+	c.solvers[challenge.TLSALPN01] = tlsalpn01.NewChallenge(c.core, validate, p)
+	return nil
+}
+
+// SetDNS01Provider specifies a custom provider p that can solve the given DNS-01 challenge.
+func (c *SolverManager) SetDNS01Provider(p challenge.Provider, opts ...dns01.ChallengeOption) error {
+	c.solvers[challenge.DNS01] = dns01.NewChallenge(c.core, validate, p, opts...)
+	return nil
+}
+
+// Remove Remove a challenge type from the available solvers.
+func (c *SolverManager) Remove(chlgType challenge.Type) {
+	delete(c.solvers, chlgType)
+}
+
+// Checks all challenges from the server in order and returns the first matching solver.
+func (c *SolverManager) chooseSolver(authz acme.Authorization) solver {
+	// Allow to have a deterministic challenge order
+	sort.Sort(byType(authz.Challenges))
+
+	domain := challenge.GetTargetedDomain(authz)
+	for _, chlg := range authz.Challenges {
+		if solvr, ok := c.solvers[challenge.Type(chlg.Type)]; ok {
+			log.Infof("[%s] acme: use %s solver", domain, chlg.Type)
+			return solvr
+		}
+		log.Infof("[%s] acme: Could not find solver for: %s", domain, chlg.Type)
+	}
+
+	return nil
+}
+
+func validate(core *api.Core, domain string, chlg acme.Challenge) error {
+	chlng, err := core.Challenges.New(chlg.URL)
+	if err != nil {
+		return fmt.Errorf("failed to initiate challenge: %v", err)
+	}
+
+	valid, err := checkChallengeStatus(chlng)
+	if err != nil {
+		return err
+	}
+
+	if valid {
+		log.Infof("[%s] The server validated our request", domain)
+		return nil
+	}
+
+	ra, err := strconv.Atoi(chlng.RetryAfter)
+	if err != nil {
+		// The ACME server MUST return a Retry-After.
+		// If it doesn't, we'll just poll hard.
+		// Boulder does not implement the ability to retry challenges or the Retry-After header.
+		// https://github.com/letsencrypt/boulder/blob/master/docs/acme-divergences.md#section-82
+		ra = 5
+	}
+	initialInterval := time.Duration(ra) * time.Second
+
+	bo := backoff.NewExponentialBackOff()
+	bo.InitialInterval = initialInterval
+	bo.MaxInterval = 10 * initialInterval
+	bo.MaxElapsedTime = 100 * initialInterval
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	// After the path is sent, the ACME server will access our server.
+	// Repeatedly check the server for an updated status on our request.
+	operation := func() error {
+		authz, err := core.Authorizations.Get(chlng.AuthorizationURL)
+		if err != nil {
+			cancel()
+			return err
+		}
+
+		valid, err := checkAuthorizationStatus(authz)
+		if err != nil {
+			cancel()
+			return err
+		}
+
+		if valid {
+			log.Infof("[%s] The server validated our request", domain)
+			return nil
+		}
+
+		return errors.New("the server didn't respond to our request")
+	}
+
+	return backoff.Retry(operation, backoff.WithContext(bo, ctx))
+}
+
+func checkChallengeStatus(chlng acme.ExtendedChallenge) (bool, error) {
+	switch chlng.Status {
+	case acme.StatusValid:
+		return true, nil
+	case acme.StatusPending, acme.StatusProcessing:
+		return false, nil
+	case acme.StatusInvalid:
+		return false, chlng.Error
+	default:
+		return false, errors.New("the server returned an unexpected state")
+	}
+}
+
+func checkAuthorizationStatus(authz acme.Authorization) (bool, error) {
+	switch authz.Status {
+	case acme.StatusValid:
+		return true, nil
+	case acme.StatusPending, acme.StatusProcessing:
+		return false, nil
+	case acme.StatusDeactivated, acme.StatusExpired, acme.StatusRevoked:
+		return false, fmt.Errorf("the authorization state %s", authz.Status)
+	case acme.StatusInvalid:
+		for _, chlg := range authz.Challenges {
+			if chlg.Status == acme.StatusInvalid && chlg.Error != nil {
+				return false, chlg.Error
+			}
+		}
+		return false, fmt.Errorf("the authorization state %s", authz.Status)
+	default:
+		return false, errors.New("the server returned an unexpected state")
+	}
+}

vendor/github.com/go-acme/lego/challenge/tlsalpn01/tls_alpn_challenge.go

@@ -0,0 +1,129 @@
+package tlsalpn01
+
+import (
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"fmt"
+
+	"github.com/go-acme/lego/acme"
+	"github.com/go-acme/lego/acme/api"
+	"github.com/go-acme/lego/certcrypto"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/log"
+)
+
+// idPeAcmeIdentifierV1 is the SMI Security for PKIX Certification Extension OID referencing the ACME extension.
+// Reference: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-5.1
+var idPeAcmeIdentifierV1 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
+
+type ValidateFunc func(core *api.Core, domain string, chlng acme.Challenge) error
+
+type Challenge struct {
+	core     *api.Core
+	validate ValidateFunc
+	provider challenge.Provider
+}
+
+func NewChallenge(core *api.Core, validate ValidateFunc, provider challenge.Provider) *Challenge {
+	return &Challenge{
+		core:     core,
+		validate: validate,
+		provider: provider,
+	}
+}
+
+func (c *Challenge) SetProvider(provider challenge.Provider) {
+	c.provider = provider
+}
+
+// Solve manages the provider to validate and solve the challenge.
+func (c *Challenge) Solve(authz acme.Authorization) error {
+	domain := authz.Identifier.Value
+	log.Infof("[%s] acme: Trying to solve TLS-ALPN-01", challenge.GetTargetedDomain(authz))
+
+	chlng, err := challenge.FindChallenge(challenge.TLSALPN01, authz)
+	if err != nil {
+		return err
+	}
+
+	// Generate the Key Authorization for the challenge
+	keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)
+	if err != nil {
+		return err
+	}
+
+	err = c.provider.Present(domain, chlng.Token, keyAuth)
+	if err != nil {
+		return fmt.Errorf("[%s] acme: error presenting token: %v", challenge.GetTargetedDomain(authz), err)
+	}
+	defer func() {
+		err := c.provider.CleanUp(domain, chlng.Token, keyAuth)
+		if err != nil {
+			log.Warnf("[%s] acme: error cleaning up: %v", challenge.GetTargetedDomain(authz), err)
+		}
+	}()
+
+	chlng.KeyAuthorization = keyAuth
+	return c.validate(c.core, domain, chlng)
+}
+
+// ChallengeBlocks returns PEM blocks (certPEMBlock, keyPEMBlock) with the acmeValidation-v1 extension
+// and domain name for the `tls-alpn-01` challenge.
+func ChallengeBlocks(domain, keyAuth string) ([]byte, []byte, error) {
+	// Compute the SHA-256 digest of the key authorization.
+	zBytes := sha256.Sum256([]byte(keyAuth))
+
+	value, err := asn1.Marshal(zBytes[:sha256.Size])
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Add the keyAuth digest as the acmeValidation-v1 extension
+	// (marked as critical such that it won't be used by non-ACME software).
+	// Reference: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-3
+	extensions := []pkix.Extension{
+		{
+			Id:       idPeAcmeIdentifierV1,
+			Critical: true,
+			Value:    value,
+		},
+	}
+
+	// Generate a new RSA key for the certificates.
+	tempPrivateKey, err := certcrypto.GeneratePrivateKey(certcrypto.RSA2048)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	rsaPrivateKey := tempPrivateKey.(*rsa.PrivateKey)
+
+	// Generate the PEM certificate using the provided private key, domain, and extra extensions.
+	tempCertPEM, err := certcrypto.GeneratePemCert(rsaPrivateKey, domain, extensions)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Encode the private key into a PEM format. We'll need to use it to generate the x509 keypair.
+	rsaPrivatePEM := certcrypto.PEMEncode(rsaPrivateKey)
+
+	return tempCertPEM, rsaPrivatePEM, nil
+}
+
+// ChallengeCert returns a certificate with the acmeValidation-v1 extension
+// and domain name for the `tls-alpn-01` challenge.
+func ChallengeCert(domain, keyAuth string) (*tls.Certificate, error) {
+	tempCertPEM, rsaPrivatePEM, err := ChallengeBlocks(domain, keyAuth)
+	if err != nil {
+		return nil, err
+	}
+
+	cert, err := tls.X509KeyPair(tempCertPEM, rsaPrivatePEM)
+	if err != nil {
+		return nil, err
+	}
+
+	return &cert, nil
+}

vendor/github.com/go-acme/lego/challenge/tlsalpn01/tls_alpn_challenge_server.go

@@ -0,0 +1,95 @@
+package tlsalpn01
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net"
+	"net/http"
+	"strings"
+
+	"github.com/go-acme/lego/log"
+)
+
+const (
+	// ACMETLS1Protocol is the ALPN Protocol ID for the ACME-TLS/1 Protocol.
+	ACMETLS1Protocol = "acme-tls/1"
+
+	// defaultTLSPort is the port that the ProviderServer will default to
+	// when no other port is provided.
+	defaultTLSPort = "443"
+)
+
+// ProviderServer implements ChallengeProvider for `TLS-ALPN-01` challenge.
+// It may be instantiated without using the NewProviderServer
+// if you want only to use the default values.
+type ProviderServer struct {
+	iface    string
+	port     string
+	listener net.Listener
+}
+
+// NewProviderServer creates a new ProviderServer on the selected interface and port.
+// Setting iface and / or port to an empty string will make the server fall back to
+// the "any" interface and port 443 respectively.
+func NewProviderServer(iface, port string) *ProviderServer {
+	return &ProviderServer{iface: iface, port: port}
+}
+
+func (s *ProviderServer) GetAddress() string {
+	return net.JoinHostPort(s.iface, s.port)
+}
+
+// Present generates a certificate with a SHA-256 digest of the keyAuth provided
+// as the acmeValidation-v1 extension value to conform to the ACME-TLS-ALPN spec.
+func (s *ProviderServer) Present(domain, token, keyAuth string) error {
+	if s.port == "" {
+		// Fallback to port 443 if the port was not provided.
+		s.port = defaultTLSPort
+	}
+
+	// Generate the challenge certificate using the provided keyAuth and domain.
+	cert, err := ChallengeCert(domain, keyAuth)
+	if err != nil {
+		return err
+	}
+
+	// Place the generated certificate with the extension into the TLS config
+	// so that it can serve the correct details.
+	tlsConf := new(tls.Config)
+	tlsConf.Certificates = []tls.Certificate{*cert}
+
+	// We must set that the `acme-tls/1` application level protocol is supported
+	// so that the protocol negotiation can succeed. Reference:
+	// https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01#section-5.2
+	tlsConf.NextProtos = []string{ACMETLS1Protocol}
+
+	// Create the listener with the created tls.Config.
+	s.listener, err = tls.Listen("tcp", s.GetAddress(), tlsConf)
+	if err != nil {
+		return fmt.Errorf("could not start HTTPS server for challenge -> %v", err)
+	}
+
+	// Shut the server down when we're finished.
+	go func() {
+		err := http.Serve(s.listener, nil)
+		if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
+			log.Println(err)
+		}
+	}()
+
+	return nil
+}
+
+// CleanUp closes the HTTPS server.
+func (s *ProviderServer) CleanUp(domain, token, keyAuth string) error {
+	if s.listener == nil {
+		return nil
+	}
+
+	// Server was created, close it.
+	if err := s.listener.Close(); err != nil && err != http.ErrServerClosed {
+		return err
+	}
+
+	return nil
+}