Update github.com/xenolf/lego to 0.4.1

2017-10-31 05:42:03 -04:00 · 2017-10-31 05:42:03 -04:00 · e8d63b2a3b
commit e8d63b2a3b
parent 5042c5bf40
105 changed files with 4299 additions and 2075 deletions
--- a/vendor/github.com/xenolf/lego/providers/dns/azure/azure.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/azure/azure.go
@ -12,6 +12,8 @@ import (

 	"strings"

+	"github.com/Azure/go-autorest/autorest"
+	"github.com/Azure/go-autorest/autorest/adal"
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/to"
 	"github.com/xenolf/lego/acme"
@ -69,7 +71,9 @@ func (c *DNSProvider) Present(domain, token, keyAuth string) error {
 	}

 	rsc := dns.NewRecordSetsClient(c.subscriptionId)
-	rsc.Authorizer, err = c.newServicePrincipalTokenFromCredentials(azure.PublicCloud.ResourceManagerEndpoint)
+	spt, err := c.newServicePrincipalTokenFromCredentials(azure.PublicCloud.ResourceManagerEndpoint)
+	rsc.Authorizer = autorest.NewBearerAuthorizer(spt)
+
 	relative := toRelativeRecord(fqdn, acme.ToFqdn(zone))
 	rec := dns.RecordSet{
 		Name: &relative,
@ -103,7 +107,8 @@ func (c *DNSProvider) CleanUp(domain, token, keyAuth string) error {

 	relative := toRelativeRecord(fqdn, acme.ToFqdn(zone))
 	rsc := dns.NewRecordSetsClient(c.subscriptionId)
-	rsc.Authorizer, err = c.newServicePrincipalTokenFromCredentials(azure.PublicCloud.ResourceManagerEndpoint)
+	spt, err := c.newServicePrincipalTokenFromCredentials(azure.PublicCloud.ResourceManagerEndpoint)
+	rsc.Authorizer = autorest.NewBearerAuthorizer(spt)
 	_, err = rsc.Delete(c.resourceGroup, zone, relative, dns.TXT, "")
 	if err != nil {
 		return err
@ -120,8 +125,11 @@ func (c *DNSProvider) getHostedZoneID(fqdn string) (string, error) {
 	}

 	// Now we want to to Azure and get the zone.
+	spt, err := c.newServicePrincipalTokenFromCredentials(azure.PublicCloud.ResourceManagerEndpoint)
+
 	dc := dns.NewZonesClient(c.subscriptionId)
-	dc.Authorizer, err = c.newServicePrincipalTokenFromCredentials(azure.PublicCloud.ResourceManagerEndpoint)
+	dc.Authorizer = autorest.NewBearerAuthorizer(spt)
+
 	zone, err := dc.Get(c.resourceGroup, acme.UnFqdn(authZone))

 	if err != nil {
@ -134,10 +142,10 @@ func (c *DNSProvider) getHostedZoneID(fqdn string) (string, error) {

 // NewServicePrincipalTokenFromCredentials creates a new ServicePrincipalToken using values of the
 // passed credentials map.
-func (c *DNSProvider) newServicePrincipalTokenFromCredentials(scope string) (*azure.ServicePrincipalToken, error) {
-	oauthConfig, err := azure.PublicCloud.OAuthConfigForTenant(c.tenantId)
+func (c *DNSProvider) newServicePrincipalTokenFromCredentials(scope string) (*adal.ServicePrincipalToken, error) {
+	oauthConfig, err := adal.NewOAuthConfig(azure.PublicCloud.ActiveDirectoryEndpoint, c.tenantId)
 	if err != nil {
 		panic(err)
 	}
-	return azure.NewServicePrincipalToken(*oauthConfig, c.clientId, c.clientSecret, scope)
+	return adal.NewServicePrincipalToken(*oauthConfig, c.clientId, c.clientSecret, scope)
 }
--- a/vendor/github.com/xenolf/lego/providers/dns/dns_providers.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/dns_providers.go
@ -19,6 +19,7 @@ import (
 	"github.com/xenolf/lego/providers/dns/linode"
 	"github.com/xenolf/lego/providers/dns/namecheap"
 	"github.com/xenolf/lego/providers/dns/ns1"
+	"github.com/xenolf/lego/providers/dns/otc"
 	"github.com/xenolf/lego/providers/dns/ovh"
 	"github.com/xenolf/lego/providers/dns/pdns"
 	"github.com/xenolf/lego/providers/dns/rackspace"
@ -48,7 +49,7 @@ func NewDNSChallengeProviderByName(name string) (acme.ChallengeProvider, error)
 	case "dyn":
 		provider, err = dyn.NewDNSProvider()
 	case "exoscale":
-		provider, err = exoscale.NewDNSProvider()		
+		provider, err = exoscale.NewDNSProvider()
 	case "gandi":
 		provider, err = gandi.NewDNSProvider()
 	case "gcloud":
@ -73,6 +74,8 @@ func NewDNSChallengeProviderByName(name string) (acme.ChallengeProvider, error)
 		provider, err = pdns.NewDNSProvider()
 	case "ns1":
 		provider, err = ns1.NewDNSProvider()
+	case "otc":
+		provider, err = otc.NewDNSProvider()
 	default:
 		err = fmt.Errorf("Unrecognised DNS provider: %s", name)
 	}
--- a/vendor/github.com/xenolf/lego/providers/dns/exoscale/exoscale.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/exoscale/exoscale.go
@ -7,7 +7,7 @@ import (
 	"fmt"
 	"os"

-	"github.com/pyr/egoscale/src/egoscale"
+	"github.com/exoscale/egoscale"
 	"github.com/xenolf/lego/acme"
 )

--- a/vendor/github.com/xenolf/lego/providers/dns/googlecloud/googlecloud.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/googlecloud/googlecloud.go
@ -4,12 +4,14 @@ package googlecloud

 import (
 	"fmt"
+	"io/ioutil"
 	"os"
 	"time"

 	"github.com/xenolf/lego/acme"

 	"golang.org/x/net/context"
+	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"

 	"google.golang.org/api/dns/v1"
@ -22,9 +24,14 @@ type DNSProvider struct {
 }

 // NewDNSProvider returns a DNSProvider instance configured for Google Cloud
-// DNS. Credentials must be passed in the environment variable: GCE_PROJECT.
+// DNS. Project name must be passed in the environment variable: GCE_PROJECT.
+// A Service Account file can be passed in the environment variable:
+// GCE_SERVICE_ACCOUNT_FILE
 func NewDNSProvider() (*DNSProvider, error) {
 	project := os.Getenv("GCE_PROJECT")
+	if saFile, ok := os.LookupEnv("GCE_SERVICE_ACCOUNT_FILE"); ok {
+		return NewDNSProviderServiceAccount(project, saFile)
+	}
 	return NewDNSProviderCredentials(project)
 }

@ -49,6 +56,36 @@ func NewDNSProviderCredentials(project string) (*DNSProvider, error) {
 	}, nil
 }

+// NewDNSProviderServiceAccount uses the supplied service account JSON file to
+// return a DNSProvider instance configured for Google Cloud DNS.
+func NewDNSProviderServiceAccount(project string, saFile string) (*DNSProvider, error) {
+	if project == "" {
+		return nil, fmt.Errorf("Google Cloud project name missing")
+	}
+	if saFile == "" {
+		return nil, fmt.Errorf("Google Cloud Service Account file missing")
+	}
+
+	dat, err := ioutil.ReadFile(saFile)
+	if err != nil {
+		return nil, fmt.Errorf("Unable to read Service Account file: %v", err)
+	}
+	conf, err := google.JWTConfigFromJSON(dat, dns.NdevClouddnsReadwriteScope)
+	if err != nil {
+		return nil, fmt.Errorf("Unable to acquire config: %v", err)
+	}
+	client := conf.Client(oauth2.NoContext)
+
+	svc, err := dns.New(client)
+	if err != nil {
+		return nil, fmt.Errorf("Unable to create Google Cloud DNS service: %v", err)
+	}
+	return &DNSProvider{
+		project: project,
+		client:  svc,
+	}, nil
+}
+
 // Present creates a TXT record to fulfil the dns-01 challenge.
 func (c *DNSProvider) Present(domain, token, keyAuth string) error {
 	fqdn, value, ttl := acme.DNS01Record(domain, keyAuth)
--- a/vendor/github.com/xenolf/lego/providers/dns/otc/mock.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/otc/mock.go
@ -0,0 +1,152 @@
+package otc
+
+import (
+	"fmt"
+	"github.com/stretchr/testify/assert"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+var fakeOTCUserName = "test"
+var fakeOTCPassword = "test"
+var fakeOTCDomainName = "test"
+var fakeOTCProjectName = "test"
+var fakeOTCToken = "62244bc21da68d03ebac94e6636ff01f"
+
+type DNSMock struct {
+	t      *testing.T
+	Server *httptest.Server
+	Mux    *http.ServeMux
+}
+
+func NewDNSMock(t *testing.T) *DNSMock {
+	return &DNSMock{
+		t: t,
+	}
+}
+
+// Setup creates the mock server
+func (m *DNSMock) Setup() {
+	m.Mux = http.NewServeMux()
+	m.Server = httptest.NewServer(m.Mux)
+}
+
+// ShutdownServer creates the mock server
+func (m *DNSMock) ShutdownServer() {
+	m.Server.Close()
+}
+
+func (m *DNSMock) HandleAuthSuccessfully() {
+	m.Mux.HandleFunc("/v3/auth/token", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Subject-Token", fakeOTCToken)
+
+		fmt.Fprintf(w, `{
+		  "token": {
+		    "catalog": [
+		      {
+			"type": "dns",
+			"id": "56cd81db1f8445d98652479afe07c5ba",
+			"name": "",
+			"endpoints": [
+			  {
+			    "url": "%s",
+			    "region": "eu-de",
+			    "region_id": "eu-de",
+			    "interface": "public",
+			    "id": "0047a06690484d86afe04877074efddf"
+			  }
+			]
+		      }
+		    ]
+		  }}`, m.Server.URL)
+	})
+}
+
+func (m *DNSMock) HandleListZonesSuccessfully() {
+	m.Mux.HandleFunc("/v2/zones", func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, `{
+		  "zones":[{
+		    "id":"123123"
+		  }]}
+		`)
+
+		assert.Equal(m.t, r.Method, "GET")
+		assert.Equal(m.t, r.URL.Path, "/v2/zones")
+		assert.Equal(m.t, r.URL.RawQuery, "name=example.com.")
+		assert.Equal(m.t, r.Header.Get("Content-Type"), "application/json")
+	})
+}
+
+func (m *DNSMock) HandleListZonesEmpty() {
+	m.Mux.HandleFunc("/v2/zones", func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, `{
+		  "zones":[
+		  ]}
+		`)
+
+		assert.Equal(m.t, r.Method, "GET")
+		assert.Equal(m.t, r.URL.Path, "/v2/zones")
+		assert.Equal(m.t, r.URL.RawQuery, "name=example.com.")
+		assert.Equal(m.t, r.Header.Get("Content-Type"), "application/json")
+	})
+}
+
+func (m *DNSMock) HandleDeleteRecordsetsSuccessfully() {
+	m.Mux.HandleFunc("/v2/zones/123123/recordsets/321321", func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, `{
+		  "zones":[{
+		    "id":"123123"
+		  }]}
+		`)
+
+		assert.Equal(m.t, r.Method, "DELETE")
+		assert.Equal(m.t, r.URL.Path, "/v2/zones/123123/recordsets/321321")
+		assert.Equal(m.t, r.Header.Get("Content-Type"), "application/json")
+	})
+}
+
+func (m *DNSMock) HandleListRecordsetsEmpty() {
+	m.Mux.HandleFunc("/v2/zones/123123/recordsets", func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, `{
+		  "recordsets":[
+		  ]}
+		`)
+
+		assert.Equal(m.t, r.URL.Path, "/v2/zones/123123/recordsets")
+		assert.Equal(m.t, r.URL.RawQuery, "type=TXT&name=_acme-challenge.example.com.")
+	})
+}
+func (m *DNSMock) HandleListRecordsetsSuccessfully() {
+	m.Mux.HandleFunc("/v2/zones/123123/recordsets", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method == "GET" {
+			fmt.Fprintf(w, `{
+			  "recordsets":[{
+			    "id":"321321"
+			  }]}
+			`)
+
+			assert.Equal(m.t, r.URL.Path, "/v2/zones/123123/recordsets")
+			assert.Equal(m.t, r.URL.RawQuery, "type=TXT&name=_acme-challenge.example.com.")
+
+		} else if r.Method == "POST" {
+			body, err := ioutil.ReadAll(r.Body)
+
+			assert.Nil(m.t, err)
+			exceptedString := "{\"name\":\"_acme-challenge.example.com.\",\"description\":\"Added TXT record for ACME dns-01 challenge using lego client\",\"type\":\"TXT\",\"ttl\":300,\"records\":[\"\\\"w6uP8Tcg6K2QR905Rms8iXTlksL6OD1KOWBxTK7wxPI\\\"\"]}"
+			assert.Equal(m.t, string(body), exceptedString)
+
+			fmt.Fprintf(w, `{
+			  "recordsets":[{
+                            "id":"321321"
+			  }]}
+			`)
+
+		} else {
+			m.t.Errorf("Expected method to be 'GET' or 'POST' but got '%s'", r.Method)
+		}
+
+		assert.Equal(m.t, r.Header.Get("Content-Type"), "application/json")
+	})
+}
--- a/vendor/github.com/xenolf/lego/providers/dns/otc/otc.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/otc/otc.go
@ -0,0 +1,388 @@
+// Package otc implements a DNS provider for solving the DNS-01 challenge
+// using Open Telekom Cloud Managed DNS.
+package otc
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/xenolf/lego/acme"
+)
+
+// DNSProvider is an implementation of the acme.ChallengeProvider interface that uses
+// OTC's Managed DNS API to manage TXT records for a domain.
+type DNSProvider struct {
+	identityEndpoint string
+	otcBaseURL       string
+	domainName       string
+	projectName      string
+	userName         string
+	password         string
+	token            string
+}
+
+// NewDNSProvider returns a DNSProvider instance configured for OTC DNS.
+// Credentials must be passed in the environment variables: OTC_USER_NAME,
+// OTC_DOMAIN_NAME, OTC_PASSWORD OTC_PROJECT_NAME and OTC_IDENTITY_ENDPOINT.
+func NewDNSProvider() (*DNSProvider, error) {
+	domainName := os.Getenv("OTC_DOMAIN_NAME")
+	userName := os.Getenv("OTC_USER_NAME")
+	password := os.Getenv("OTC_PASSWORD")
+	projectName := os.Getenv("OTC_PROJECT_NAME")
+	identityEndpoint := os.Getenv("OTC_IDENTITY_ENDPOINT")
+	return NewDNSProviderCredentials(domainName, userName, password, projectName, identityEndpoint)
+}
+
+// NewDNSProviderCredentials uses the supplied credentials to return a
+// DNSProvider instance configured for OTC DNS.
+func NewDNSProviderCredentials(domainName, userName, password, projectName, identityEndpoint string) (*DNSProvider, error) {
+	if domainName == "" || userName == "" || password == "" || projectName == "" {
+		return nil, fmt.Errorf("OTC credentials missing")
+	}
+
+	if identityEndpoint == "" {
+		identityEndpoint = "https://iam.eu-de.otc.t-systems.com:443/v3/auth/tokens"
+	}
+
+	return &DNSProvider{
+		identityEndpoint: identityEndpoint,
+		domainName:       domainName,
+		userName:         userName,
+		password:         password,
+		projectName:      projectName,
+	}, nil
+}
+
+func (d *DNSProvider) SendRequest(method, resource string, payload interface{}) (io.Reader, error) {
+	url := fmt.Sprintf("%s/%s", d.otcBaseURL, resource)
+
+	body, err := json.Marshal(payload)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequest(method, url, bytes.NewReader(body))
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Content-Type", "application/json")
+	if len(d.token) > 0 {
+		req.Header.Set("X-Auth-Token", d.token)
+	}
+
+	// Workaround for keep alive bug in otc api
+	tr := http.DefaultTransport.(*http.Transport)
+	tr.DisableKeepAlives = true
+
+	client := &http.Client{
+		Timeout:   time.Duration(10 * time.Second),
+		Transport: tr,
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode >= 400 {
+		return nil, fmt.Errorf("OTC API request %s failed with HTTP status code %d", url, resp.StatusCode)
+	}
+
+	body1, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	return bytes.NewReader(body1), nil
+}
+
+func (d *DNSProvider) loginRequest() error {
+	type nameResponse struct {
+		Name string `json:"name"`
+	}
+
+	type userResponse struct {
+		Name     string       `json:"name"`
+		Password string       `json:"password"`
+		Domain   nameResponse `json:"domain"`
+	}
+
+	type passwordResponse struct {
+		User userResponse `json:"user"`
+	}
+	type identityResponse struct {
+		Methods  []string         `json:"methods"`
+		Password passwordResponse `json:"password"`
+	}
+
+	type scopeResponse struct {
+		Project nameResponse `json:"project"`
+	}
+
+	type authResponse struct {
+		Identity identityResponse `json:"identity"`
+		Scope    scopeResponse    `json:"scope"`
+	}
+
+	type loginResponse struct {
+		Auth authResponse `json:"auth"`
+	}
+
+	userResp := userResponse{
+		Name:     d.userName,
+		Password: d.password,
+		Domain: nameResponse{
+			Name: d.domainName,
+		},
+	}
+
+	loginResp := loginResponse{
+		Auth: authResponse{
+			Identity: identityResponse{
+				Methods: []string{"password"},
+				Password: passwordResponse{
+					User: userResp,
+				},
+			},
+			Scope: scopeResponse{
+				Project: nameResponse{
+					Name: d.projectName,
+				},
+			},
+		},
+	}
+
+	body, err := json.Marshal(loginResp)
+	if err != nil {
+		return err
+	}
+	req, err := http.NewRequest("POST", d.identityEndpoint, bytes.NewReader(body))
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Content-Type", "application/json")
+
+	client := &http.Client{Timeout: time.Duration(10 * time.Second)}
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode >= 400 {
+		return fmt.Errorf("OTC API request failed with HTTP status code %d", resp.StatusCode)
+	}
+
+	d.token = resp.Header.Get("X-Subject-Token")
+
+	if d.token == "" {
+		return fmt.Errorf("unable to get auth token")
+	}
+
+	type endpointResponse struct {
+		Token struct {
+			Catalog []struct {
+				Type      string `json:"type"`
+				Endpoints []struct {
+					URL string `json:"url"`
+				} `json:"endpoints"`
+			} `json:"catalog"`
+		} `json:"token"`
+	}
+	var endpointResp endpointResponse
+
+	err = json.NewDecoder(resp.Body).Decode(&endpointResp)
+	if err != nil {
+		return err
+	}
+
+	for _, v := range endpointResp.Token.Catalog {
+		if v.Type == "dns" {
+			for _, endpoint := range v.Endpoints {
+				d.otcBaseURL = fmt.Sprintf("%s/v2", endpoint.URL)
+				continue
+			}
+		}
+	}
+
+	if d.otcBaseURL == "" {
+		return fmt.Errorf("unable to get dns endpoint")
+	}
+
+	return nil
+}
+
+// Starts a new OTC API Session. Authenticates using userName, password
+// and receives a token to be used in for subsequent requests.
+func (d *DNSProvider) login() error {
+	err := d.loginRequest()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (d *DNSProvider) getZoneID(zone string) (string, error) {
+	type zoneItem struct {
+		ID string `json:"id"`
+	}
+
+	type zonesResponse struct {
+		Zones []zoneItem `json:"zones"`
+	}
+
+	resource := fmt.Sprintf("zones?name=%s", zone)
+	resp, err := d.SendRequest("GET", resource, nil)
+	if err != nil {
+		return "", err
+	}
+
+	var zonesRes zonesResponse
+	err = json.NewDecoder(resp).Decode(&zonesRes)
+	if err != nil {
+		return "", err
+	}
+
+	if len(zonesRes.Zones) < 1 {
+		return "", fmt.Errorf("zone %s not found", zone)
+	}
+
+	if len(zonesRes.Zones) > 1 {
+		return "", fmt.Errorf("to many zones found")
+	}
+
+	if zonesRes.Zones[0].ID == "" {
+		return "", fmt.Errorf("id not found")
+	}
+
+	return zonesRes.Zones[0].ID, nil
+}
+
+func (d *DNSProvider) getRecordSetID(zoneID string, fqdn string) (string, error) {
+	type recordSet struct {
+		ID string `json:"id"`
+	}
+
+	type recordSetsResponse struct {
+		RecordSets []recordSet `json:"recordsets"`
+	}
+
+	resource := fmt.Sprintf("zones/%s/recordsets?type=TXT&name=%s", zoneID, fqdn)
+	resp, err := d.SendRequest("GET", resource, nil)
+	if err != nil {
+		return "", err
+	}
+
+	var recordSetsRes recordSetsResponse
+	err = json.NewDecoder(resp).Decode(&recordSetsRes)
+	if err != nil {
+		return "", err
+	}
+
+	if len(recordSetsRes.RecordSets) < 1 {
+		return "", fmt.Errorf("record not found")
+	}
+
+	if len(recordSetsRes.RecordSets) > 1 {
+		return "", fmt.Errorf("to many records found")
+	}
+
+	if recordSetsRes.RecordSets[0].ID == "" {
+		return "", fmt.Errorf("id not found")
+	}
+
+	return recordSetsRes.RecordSets[0].ID, nil
+}
+
+func (d *DNSProvider) deleteRecordSet(zoneID, recordID string) error {
+	resource := fmt.Sprintf("zones/%s/recordsets/%s", zoneID, recordID)
+
+	_, err := d.SendRequest("DELETE", resource, nil)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// Present creates a TXT record using the specified parameters
+func (d *DNSProvider) Present(domain, token, keyAuth string) error {
+	fqdn, value, ttl := acme.DNS01Record(domain, keyAuth)
+
+	if ttl < 300 {
+		ttl = 300 // 300 is otc minimum value for ttl
+	}
+
+	authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)
+	if err != nil {
+		return err
+	}
+
+	err = d.login()
+	if err != nil {
+		return err
+	}
+
+	zoneID, err := d.getZoneID(authZone)
+	if err != nil {
+		return fmt.Errorf("unable to get zone: %s", err)
+	}
+
+	resource := fmt.Sprintf("zones/%s/recordsets", zoneID)
+
+	type recordset struct {
+		Name        string   `json:"name"`
+		Description string   `json:"description"`
+		Type        string   `json:"type"`
+		Ttl         int      `json:"ttl"`
+		Records     []string `json:"records"`
+	}
+
+	r1 := &recordset{
+		Name:        fqdn,
+		Description: "Added TXT record for ACME dns-01 challenge using lego client",
+		Type:        "TXT",
+		Ttl:         300,
+		Records:     []string{fmt.Sprintf("\"%s\"", value)},
+	}
+	_, err = d.SendRequest("POST", resource, r1)
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// CleanUp removes the TXT record matching the specified parameters
+func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
+	fqdn, _, _ := acme.DNS01Record(domain, keyAuth)
+
+	authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)
+	if err != nil {
+		return err
+	}
+
+	err = d.login()
+	if err != nil {
+		return err
+	}
+
+	zoneID, err := d.getZoneID(authZone)
+
+	if err != nil {
+		return err
+	}
+
+	recordID, err := d.getRecordSetID(zoneID, fqdn)
+	if err != nil {
+		return fmt.Errorf("unable go get record %s for zone %s: %s", fqdn, domain, err)
+	}
+	return d.deleteRecordSet(zoneID, recordID)
+}
--- a/vendor/github.com/xenolf/lego/providers/dns/rackspace/rackspace.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/rackspace/rackspace.go
@ -269,7 +269,7 @@ func (c *DNSProvider) makeRequest(method, uri string, body io.Reader) (json.RawM
 	return r, nil
 }

-// RackspaceRecords is the list of records sent/recieved from the DNS API
+// RackspaceRecords is the list of records sent/received from the DNS API
 type RackspaceRecords struct {
 	RackspaceRecord []RackspaceRecord `json:"records"`
 }
--- a/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go
@ -20,27 +20,32 @@ type DNSProvider struct {
 	tsigAlgorithm string
 	tsigKey       string
 	tsigSecret    string
+	timeout       time.Duration
 }

 // NewDNSProvider returns a DNSProvider instance configured for rfc2136
-// dynamic update. Credentials must be passed in the environment variables:
-// RFC2136_NAMESERVER, RFC2136_TSIG_ALGORITHM, RFC2136_TSIG_KEY and
-// RFC2136_TSIG_SECRET. To disable TSIG authentication, leave the TSIG
-// variables unset. RFC2136_NAMESERVER must be a network address in the form
-// "host" or "host:port".
+// dynamic update. Configured with environment variables:
+// RFC2136_NAMESERVER: Network address in the form "host" or "host:port".
+// RFC2136_TSIG_ALGORITHM: Defaults to hmac-md5.sig-alg.reg.int. (HMAC-MD5).
+// See https://github.com/miekg/dns/blob/master/tsig.go for supported values. 
+// RFC2136_TSIG_KEY: Name of the secret key as defined in DNS server configuration.
+// RFC2136_TSIG_SECRET: Secret key payload.
+// RFC2136_TIMEOUT: DNS propagation timeout in time.ParseDuration format. (60s)
+// To disable TSIG authentication, leave the RFC2136_TSIG* variables unset.
 func NewDNSProvider() (*DNSProvider, error) {
 	nameserver := os.Getenv("RFC2136_NAMESERVER")
 	tsigAlgorithm := os.Getenv("RFC2136_TSIG_ALGORITHM")
 	tsigKey := os.Getenv("RFC2136_TSIG_KEY")
 	tsigSecret := os.Getenv("RFC2136_TSIG_SECRET")
-	return NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKey, tsigSecret)
+	timeout := os.Getenv("RFC2136_TIMEOUT")
+	return NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKey, tsigSecret, timeout)
 }

 // NewDNSProviderCredentials uses the supplied credentials to return a
 // DNSProvider instance configured for rfc2136 dynamic update. To disable TSIG
 // authentication, leave the TSIG parameters as empty strings.
 // nameserver must be a network address in the form "host" or "host:port".
-func NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKey, tsigSecret string) (*DNSProvider, error) {
+func NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKey, tsigSecret, timeout string) (*DNSProvider, error) {
 	if nameserver == "" {
 		return nil, fmt.Errorf("RFC2136 nameserver missing")
 	}
@ -65,9 +70,27 @@ func NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKey, tsigSecret st
 		d.tsigSecret = tsigSecret
 	}

+	if timeout == "" {
+		d.timeout = 60 * time.Second
+	} else {
+		t, err := time.ParseDuration(timeout)
+		if err != nil {
+			return nil, err
+		} else if t < 0 {
+			return nil, fmt.Errorf("Invalid/negative RFC2136_TIMEOUT: %v", timeout)
+		} else {
+			d.timeout = t
+		}
+	}
+
 	return d, nil
 }

+// Returns the timeout configured with RFC2136_TIMEOUT, or 60s.
+func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
+    return d.timeout, 2 * time.Second
+}
+
 // Present creates a TXT record using the specified parameters
 func (r *DNSProvider) Present(domain, token, keyAuth string) error {
 	fqdn, value, ttl := acme.DNS01Record(domain, keyAuth)
--- a/vendor/github.com/xenolf/lego/providers/dns/route53/route53.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/route53/route53.go
@ -5,6 +5,7 @@ package route53
 import (
 	"fmt"
 	"math/rand"
+	"os"
 	"strings"
 	"time"

@ -23,7 +24,8 @@ const (

 // DNSProvider implements the acme.ChallengeProvider interface
 type DNSProvider struct {
-	client *route53.Route53
+	client       *route53.Route53
+	hostedZoneID string
 }

 // customRetryer implements the client.Retryer interface by composing the
@ -58,14 +60,22 @@ func (d customRetryer) RetryRules(r *request.Request) time.Duration {
 // 2. Shared credentials file (defaults to ~/.aws/credentials)
 // 3. Amazon EC2 IAM role
 //
+// If AWS_HOSTED_ZONE_ID is not set, Lego tries to determine the correct
+// public hosted zone via the FQDN.
+//
 // See also: https://github.com/aws/aws-sdk-go/wiki/configuring-sdk
 func NewDNSProvider() (*DNSProvider, error) {
+	hostedZoneID := os.Getenv("AWS_HOSTED_ZONE_ID")
+
 	r := customRetryer{}
 	r.NumMaxRetries = maxRetries
 	config := request.WithRetryer(aws.NewConfig(), r)
 	client := route53.New(session.New(config))

-	return &DNSProvider{client: client}, nil
+	return &DNSProvider{
+		client:       client,
+		hostedZoneID: hostedZoneID,
+	}, nil
 }

 // Present creates a TXT record using the specified parameters
@ -83,7 +93,7 @@ func (r *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 }

 func (r *DNSProvider) changeRecord(action, fqdn, value string, ttl int) error {
-	hostedZoneID, err := getHostedZoneID(fqdn, r.client)
+	hostedZoneID, err := r.getHostedZoneID(fqdn)
 	if err != nil {
 		return fmt.Errorf("Failed to determine Route 53 hosted zone ID: %v", err)
 	}
@ -124,7 +134,11 @@ func (r *DNSProvider) changeRecord(action, fqdn, value string, ttl int) error {
 	})
 }

-func getHostedZoneID(fqdn string, client *route53.Route53) (string, error) {
+func (r *DNSProvider) getHostedZoneID(fqdn string) (string, error) {
+	if r.hostedZoneID != "" {
+		return r.hostedZoneID, nil
+	}
+
 	authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)
 	if err != nil {
 		return "", err
@ -134,7 +148,7 @@ func getHostedZoneID(fqdn string, client *route53.Route53) (string, error) {
 	reqParams := &route53.ListHostedZonesByNameInput{
 		DNSName: aws.String(acme.UnFqdn(authZone)),
 	}
-	resp, err := client.ListHostedZonesByName(reqParams)
+	resp, err := r.client.ListHostedZonesByName(reqParams)
 	if err != nil {
 		return "", err
 	}