Delete TLS-SNI-01 challenge from ACME
This commit is contained in:
NicoMen
Traefiker Bot
parent
d3edccb839
commit
c4529820f2
8 changed files with 61 additions and 230 deletions
|
|
@ -1,11 +1,6 @@
|
|||
package acme
|
||||
|
||||
import (
|
||||
"crypto"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/sha256"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
|
|
@ -13,7 +8,6 @@ import (
|
|||
"github.com/containous/flaeg"
|
||||
"github.com/containous/traefik/log"
|
||||
"github.com/containous/traefik/safe"
|
||||
tlsgenerate "github.com/containous/traefik/tls/generate"
|
||||
"github.com/xenolf/lego/acme"
|
||||
)
|
||||
|
||||
|
|
@ -35,30 +29,6 @@ func dnsOverrideDelay(delay flaeg.Duration) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func presentTLSChallenge(domain, keyAuth string) ([]byte, []byte, error) {
|
||||
log.Debugf("TLS Challenge Present temp certificate for %s", domain)
|
||||
|
||||
var tempPrivKey crypto.PrivateKey
|
||||
tempPrivKey, err := rsa.GenerateKey(rand.Reader, 2048)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
rsaPrivKey := tempPrivKey.(*rsa.PrivateKey)
|
||||
rsaPrivPEM := tlsgenerate.PemEncode(rsaPrivKey)
|
||||
|
||||
zBytes := sha256.Sum256([]byte(keyAuth))
|
||||
z := hex.EncodeToString(zBytes[:sha256.Size])
|
||||
domainCert := fmt.Sprintf("%s.%s.acme.invalid", z[:32], z[32:])
|
||||
|
||||
tempCertPEM, err := tlsgenerate.PemCert(rsaPrivKey, domainCert, time.Time{})
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
return tempCertPEM, rsaPrivPEM, nil
|
||||
}
|
||||
|
||||
func getTokenValue(token, domain string, store Store) []byte {
|
||||
log.Debugf("Looking for an existing ACME challenge for token %v...", token)
|
||||
var result []byte
|
||||
|
|
|
|||
|
|
@ -323,12 +323,7 @@ func (p *Provider) getClient() (*acme.Client, error) {
|
|||
return nil, err
|
||||
}
|
||||
} else {
|
||||
log.Debug("Using TLS Challenge provider.")
|
||||
client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.DNS01})
|
||||
err = client.SetChallengeProvider(acme.TLSSNI01, p)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return nil, errors.New("ACME challenge not specified, please select HTTP or DNS Challenge")
|
||||
}
|
||||
p.client = client
|
||||
}
|
||||
|
|
@ -338,29 +333,12 @@ func (p *Provider) getClient() (*acme.Client, error) {
|
|||
|
||||
// Present presents a challenge to obtain new ACME certificate
|
||||
func (p *Provider) Present(domain, token, keyAuth string) error {
|
||||
if p.HTTPChallenge != nil {
|
||||
return presentHTTPChallenge(domain, token, keyAuth, p.Store)
|
||||
} else if p.DNSChallenge == nil {
|
||||
log.Debugf("TLS Challenge CleanUp temp certificate for %s", domain)
|
||||
tempCertPEM, rsaPrivPEM, err := presentTLSChallenge(domain, keyAuth)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
p.addCertificateForDomain(types.Domain{Main: "TEMP-" + domain}, tempCertPEM, rsaPrivPEM)
|
||||
}
|
||||
|
||||
return nil
|
||||
return presentHTTPChallenge(domain, token, keyAuth, p.Store)
|
||||
}
|
||||
|
||||
// CleanUp cleans the challenges when certificate is obtained
|
||||
func (p *Provider) CleanUp(domain, token, keyAuth string) error {
|
||||
if p.HTTPChallenge != nil {
|
||||
return cleanUpHTTPChallenge(domain, token, p.Store)
|
||||
} else if p.DNSChallenge == nil {
|
||||
log.Debugf("TLS Challenge CleanUp temp certificate for %s", domain)
|
||||
p.deleteCertificateForDomain(types.Domain{Main: "TEMP-" + domain})
|
||||
}
|
||||
return nil
|
||||
return cleanUpHTTPChallenge(domain, token, p.Store)
|
||||
}
|
||||
|
||||
// Provide allows the file provider to provide configurations to traefik
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue