switch to new go-acme imports from xenolf. Fix api changes (#540)
* switch to new go-acme imports from xenolf. Fix api changes * update many vault related dependencies
@@ -15,8 +15,12 @@ import (
|
||||
"github.com/StackExchange/dnscontrol/models"
|
||||
"github.com/StackExchange/dnscontrol/pkg/nameservers"
|
||||
"github.com/StackExchange/dnscontrol/pkg/notifications"
|
||||
"github.com/xenolf/lego/acme"
|
||||
acmelog "github.com/xenolf/lego/log"
|
||||
"github.com/go-acme/lego/certcrypto"
|
||||
"github.com/go-acme/lego/certificate"
|
||||
"github.com/go-acme/lego/challenge"
|
||||
"github.com/go-acme/lego/challenge/dns01"
|
||||
"github.com/go-acme/lego/lego"
|
||||
acmelog "github.com/go-acme/lego/log"
|
||||
)
|
||||
|
||||
type CertConfig struct {
|
||||
@@ -101,10 +105,14 @@ func (c *certManager) IssueOrRenewCert(cfg *CertConfig, renewUnder int, verbose
|
||||
return false, err
|
||||
}
|
||||
|
||||
var client *acme.Client
|
||||
var client *lego.Client
|
||||
|
||||
var action = func() (*acme.CertificateResource, error) {
|
||||
return client.ObtainCertificate(cfg.Names, true, nil, cfg.MustStaple)
|
||||
var action = func() (*certificate.Resource, error) {
|
||||
return client.Certificate.Obtain(certificate.ObtainRequest{
|
||||
Bundle: true,
|
||||
Domains: cfg.Names,
|
||||
MustStaple: cfg.MustStaple,
|
||||
})
|
||||
}
|
||||
|
||||
if existing == nil {
|
||||
@@ -125,25 +133,28 @@ func (c *certManager) IssueOrRenewCert(cfg *CertConfig, renewUnder int, verbose
|
||||
log.Println("DNS Names don't match expected set. Reissuing.")
|
||||
} else {
|
||||
log.Println("Renewing cert")
|
||||
action = func() (*acme.CertificateResource, error) {
|
||||
return client.RenewCertificate(*existing, true, cfg.MustStaple)
|
||||
action = func() (*certificate.Resource, error) {
|
||||
return client.Certificate.Renew(*existing, true, cfg.MustStaple)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
kt := acme.RSA2048
|
||||
kt := certcrypto.RSA2048
|
||||
if cfg.UseECC {
|
||||
kt = acme.EC256
|
||||
kt = certcrypto.EC256
|
||||
}
|
||||
client, err = acme.NewClient(c.acmeDirectory, c.account, kt)
|
||||
config := lego.NewConfig(c.account)
|
||||
config.CADirURL = c.acmeDirectory
|
||||
config.Certificate.KeyType = kt
|
||||
client, err = lego.NewClient(config)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.TLSALPN01})
|
||||
client.SetChallengeProvider(acme.DNS01, c)
|
||||
client.Challenge.Remove(challenge.HTTP01)
|
||||
client.Challenge.Remove(challenge.TLSALPN01)
|
||||
client.Challenge.SetDNS01Provider(c)
|
||||
|
||||
acme.PreCheckDNS = c.preCheckDNS
|
||||
defer func() { acme.PreCheckDNS = acmePreCheck }()
|
||||
dns01.WrapPreCheck(c.preCheckDNS)
|
||||
|
||||
certResource, err := action()
|
||||
if err != nil {
|
||||
@@ -219,7 +230,7 @@ func (c *certManager) Present(domain, token, keyAuth string) (e error) {
|
||||
d = copy
|
||||
}
|
||||
|
||||
fqdn, val, _ := acme.DNS01Record(domain, keyAuth)
|
||||
fqdn, val := dns01.GetRecord(domain, keyAuth)
|
||||
txt := &models.RecordConfig{Type: "TXT"}
|
||||
txt.SetTargetTXT(val)
|
||||
txt.SetLabelFromFQDN(fqdn, d.Name)
|
||||
|
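Review bot: The custom propagation pre-check is no longer installed on the new side: in go-acme/lego, `dns01.WrapPreCheck` returns a `ChallengeOption` that has to be handed to `SetDNS01Provider`, so the standalone `dns01.WrapPreCheck(c.preCheckDNS)` statement that replaced the old `acme.PreCheckDNS` assignment builds an option and discards it, and the extra 60-second propagation wait that preCheckDNS exists for silently stops running. The error returned by `client.Challenge.SetDNS01Provider(c)` is also dropped, so a failed provider registration would only surface later as a confusing challenge failure. I would fold both into one checked call: `if err := client.Challenge.SetDNS01Provider(c, dns01.WrapPreCheck(c.preCheckDNS)); err != nil {` / `return false, err` / `}`. IssueOrRenewCert begins before and ends after this hunk, so please confirm nothing further down re-registers the provider with the wrapper.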
@@ -4,17 +4,15 @@ import (
|
||||
"log"
|
||||
"time"
|
||||
|
||||
"github.com/xenolf/lego/acme"
|
||||
"github.com/go-acme/lego/challenge/dns01"
|
||||
)
|
||||
|
||||
var acmePreCheck = acme.PreCheckDNS
|
||||
|
||||
func (c *certManager) preCheckDNS(fqdn, value string) (bool, error) {
|
||||
func (c *certManager) preCheckDNS(domain, fqdn, value string, native dns01.PreCheckFunc) (bool, error) {
|
||||
// default record verification in the client library makes sure the authoritative nameservers
|
||||
// have the expected records.
|
||||
// Sometimes the Let's Encrypt verification fails anyway because records have not propagated the provider's network fully.
|
||||
// So we add an additional 60 second sleep just for safety.
|
||||
v, err := acmePreCheck(fqdn, value)
|
||||
v, err := native(fqdn, value)
|
||||
if err != nil {
|
||||
return v, err
|
||||
}
|
||||
|
@@ -9,7 +9,7 @@ import (
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
"github.com/xenolf/lego/acme"
|
||||
"github.com/go-acme/lego/certificate"
|
||||
)
|
||||
|
||||
// directoryStorage implements storage in a local file directory
|
||||
@@ -38,7 +38,7 @@ func (d directoryStorage) accountKeyFile(acmeHost string) string {
|
||||
const perms os.FileMode = 0644
|
||||
const dirPerms os.FileMode = 0700
|
||||
|
||||
func (d directoryStorage) GetCertificate(name string) (*acme.CertificateResource, error) {
|
||||
func (d directoryStorage) GetCertificate(name string) (*certificate.Resource, error) {
|
||||
f, err := os.Open(d.certFile(name, "json"))
|
||||
if err != nil && os.IsNotExist(err) {
|
||||
// if json does not exist, nothing does
|
||||
@@ -49,7 +49,7 @@ func (d directoryStorage) GetCertificate(name string) (*acme.CertificateResource
|
||||
}
|
||||
defer f.Close()
|
||||
dec := json.NewDecoder(f)
|
||||
cr := &acme.CertificateResource{}
|
||||
cr := &certificate.Resource{}
|
||||
if err = dec.Decode(cr); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -62,7 +62,7 @@ func (d directoryStorage) GetCertificate(name string) (*acme.CertificateResource
|
||||
return cr, nil
|
||||
}
|
||||
|
||||
func (d directoryStorage) StoreCertificate(name string, cert *acme.CertificateResource) error {
|
||||
func (d directoryStorage) StoreCertificate(name string, cert *certificate.Resource) error {
|
||||
// make sure actual cert data never gets into metadata json
|
||||
if err := os.MkdirAll(d.certDir(name), dirPerms); err != nil {
|
||||
return err
|
||||
|
@@ -6,7 +6,9 @@ import (
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
|
||||
"github.com/xenolf/lego/acme"
|
||||
"github.com/go-acme/lego/certcrypto"
|
||||
"github.com/go-acme/lego/lego"
|
||||
"github.com/go-acme/lego/registration"
|
||||
)
|
||||
|
||||
func (c *certManager) getOrCreateAccount() (*Account, error) {
|
||||
@@ -35,11 +37,14 @@ func (c *certManager) createAccount(email string) (*Account, error) {
|
||||
key: privateKey,
|
||||
Email: c.email,
|
||||
}
|
||||
client, err := acme.NewClient(c.acmeDirectory, acct, acme.EC384)
|
||||
config := lego.NewConfig(acct)
|
||||
config.CADirURL = c.acmeDirectory
|
||||
config.Certificate.KeyType = certcrypto.EC384
|
||||
client, err := lego.NewClient(config)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
reg, err := client.Register(true)
|
||||
reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -48,9 +53,9 @@ func (c *certManager) createAccount(email string) (*Account, error) {
|
||||
}
|
||||
|
||||
type Account struct {
|
||||
Email string `json:"email"`
|
||||
key *ecdsa.PrivateKey `json:"-"`
|
||||
Registration *acme.RegistrationResource `json:"registration"`
|
||||
Email string `json:"email"`
|
||||
key *ecdsa.PrivateKey `json:"-"`
|
||||
Registration *registration.Resource `json:"registration"`
|
||||
}
|
||||
|
||||
func (a *Account) GetEmail() string {
|
||||
@@ -59,6 +64,6 @@ func (a *Account) GetEmail() string {
|
||||
func (a *Account) GetPrivateKey() crypto.PrivateKey {
|
||||
return a.key
|
||||
}
|
||||
func (a *Account) GetRegistration() *acme.RegistrationResource {
|
||||
func (a *Account) GetRegistration() *registration.Resource {
|
||||
return a.Registration
|
||||
}
|
||||
|
@@ -1,12 +1,12 @@
|
||||
package acme
|
||||
|
||||
import "github.com/xenolf/lego/acme"
|
||||
import "github.com/go-acme/lego/certificate"
|
||||
|
||||
// Storage is an abstracrion around how certificates, keys, and account info are stored on disk or elsewhere.
|
||||
type Storage interface {
|
||||
// Get Existing certificate, or return nil if it does not exist
|
||||
GetCertificate(name string) (*acme.CertificateResource, error)
|
||||
StoreCertificate(name string, cert *acme.CertificateResource) error
|
||||
GetCertificate(name string) (*certificate.Resource, error)
|
||||
StoreCertificate(name string, cert *certificate.Resource) error
|
||||
|
||||
GetAccount(acmeHost string) (*Account, error)
|
||||
StoreAccount(acmeHost string, account *Account) error
|
||||
|
@@ -7,7 +7,7 @@ import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/xenolf/lego/acme"
|
||||
"github.com/go-acme/lego/certificate"
|
||||
|
||||
"github.com/hashicorp/vault/api"
|
||||
)
|
||||
@@ -32,7 +32,7 @@ func makeVaultStorage(vaultPath string) (Storage, error) {
|
||||
return storage, nil
|
||||
}
|
||||
|
||||
func (v *vaultStorage) GetCertificate(name string) (*acme.CertificateResource, error) {
|
||||
func (v *vaultStorage) GetCertificate(name string) (*certificate.Resource, error) {
|
||||
path := v.certPath(name)
|
||||
secret, err := v.client.Read(path)
|
||||
if err != nil {
|
||||
@@ -41,7 +41,7 @@ func (v *vaultStorage) GetCertificate(name string) (*acme.CertificateResource, e
|
||||
if secret == nil {
|
||||
return nil, nil
|
||||
}
|
||||
cert := &acme.CertificateResource{}
|
||||
cert := &certificate.Resource{}
|
||||
if dat, err := v.getString("meta", secret.Data, path); err != nil {
|
||||
return nil, err
|
||||
} else if err = json.Unmarshal(dat, cert); err != nil {
|
||||
@@ -75,7 +75,7 @@ func (v *vaultStorage) getString(key string, data map[string]interface{}, path s
|
||||
return []byte(str), nil
|
||||
}
|
||||
|
||||
func (v *vaultStorage) StoreCertificate(name string, cert *acme.CertificateResource) error {
|
||||
func (v *vaultStorage) StoreCertificate(name string, cert *certificate.Resource) error {
|
||||
jDat, err := json.MarshalIndent(cert, "", " ")
|
||||
if err != nil {
|
||||
return err
|
||||
|