2e32f171d2
This is a very subtle bug. In some specific circumstances, when the list of domains in the SAN was > 1, the library may delete the wrong record (specifically the last one) instead of the matching one. The issue is explained here https://groups.google.com/forum/#!topic/golang-nuts/tlWzJUWJKgA Here's the output from one of the various tests ➜ lego git:(dnsimple-subdomain) ✗ DNSIMPLE_DOMAIN=simone.io go test -v ./... --run "TestLiveDNSimpleCleanUp" ? github.com/xenolf/lego [no test files] === RUN TestLiveDNSimpleCleanUp 2016/01/30 01:10:45 Empty records: 2016/01/30 01:10:45 0 2016/01/30 01:10:46 Fetched records: 2016/01/30 01:10:46 [{5326536 41571 v=spf1 a include:_spf.google.com ~all 3600 0 TXT 2016-01-26 12:53:42.85 +0000 UTC 2016-01-26 12:53:42.85 +0000 UTC} {5026157 41571 google-site-verification=obstZAG6j2BVxYg696WxAsC46_d1-bzkv7D0qGm4K_0 3600 0 TXT 2015-10-19 11:21:03.586 +0000 UTC 2015-10-19 11:21:03.586 +0000 UTC} {5340655 41571 _acme-challenge ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-29 23:52:15.657 +0000 UTC 2016-01-29 23:52:15.657 +0000 UTC} {5340677 41571 _acme-challenge.www1 ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-30 00:03:19.89 +0000 UTC 2016-01-30 00:03:19.89 +0000 UTC}] 2016/01/30 01:10:46 Record name: 2016/01/30 01:10:46 _acme-challenge 2016/01/30 01:10:46 {5326536 41571 v=spf1 a include:_spf.google.com ~all 3600 0 TXT 2016-01-26 12:53:42.85 +0000 UTC 2016-01-26 12:53:42.85 +0000 UTC} 2016/01/30 01:10:46 {5026157 41571 google-site-verification=obstZAG6j2BVxYg696WxAsC46_d1-bzkv7D0qGm4K_0 3600 0 TXT 2015-10-19 11:21:03.586 +0000 UTC 2015-10-19 11:21:03.586 +0000 UTC} 2016/01/30 01:10:46 {5340655 41571 _acme-challenge ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-29 23:52:15.657 +0000 UTC 2016-01-29 23:52:15.657 +0000 UTC} 2016/01/30 01:10:46 Deleted>> 2016/01/30 01:10:46 {5340655 41571 _acme-challenge ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-29 23:52:15.657 +0000 UTC 
2016-01-29 23:52:15.657 +0000 UTC} 2016/01/30 01:10:46 >>Deleted 2016/01/30 01:10:46 {5340677 41571 _acme-challenge.www1 ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-30 00:03:19.89 +0000 UTC 2016-01-30 00:03:19.89 +0000 UTC} 2016/01/30 01:10:46 Record to delete: 2016/01/30 01:10:46 1 2016/01/30 01:10:46 {5340677 41571 _acme-challenge.www1 ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-30 00:03:19.89 +0000 UTC 2016-01-30 00:03:19.89 +0000 UTC} 2016/01/30 01:10:46 Record to delete (foos): 2016/01/30 01:10:46 [{5340655 41571 _acme-challenge ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-29 23:52:15.657 +0000 UTC 2016-01-29 23:52:15.657 +0000 UTC}] 2016/01/30 01:10:46 Found records to delete: 2016/01/30 01:10:46 1 2016/01/30 01:10:46 [0xc8203be240] 2016/01/30 01:10:46 &{5340677 41571 _acme-challenge.www1 ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY 120 0 TXT 2016-01-30 00:03:19.89 +0000 UTC 2016-01-30 00:03:19.89 +0000 UTC} --- PASS: TestLiveDNSimpleCleanUp (3.10s) PASS ok github.com/xenolf/lego/acme 3.121s The record 5340655 was supposed to be deleted, but 5340677 was deleted instead (notice how the deleted record was always the last one in the returned record set). 
And of course the validation never passed ➜ letsencrypt-dnsimple git:(master) go run main.go --user xxx --api-key "xxx" --email "xxx@gmail.com" simone.io,foo1.simone.io,foo2.simone.io,foo3.simone.io 2016/01/30 00:27:55 .data/users/xxx@gmail.com 2016/01/30 00:27:55 {xxx@gmail.com <nil> 0xc82009a300} 2016/01/30 00:27:56 [INFO] acme: Registering account for xxx@gmail.com 2016/01/30 00:27:57 &{{ 116016 {RSA xxx} [mailto:xxx@gmail.com] } https://acme-staging.api.letsencrypt.org/acme/reg/116016 https://acme-staging.api.letsencrypt.org/acme/new-authz https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf} 2016/01/30 00:27:58 [INFO][simone.io, foo1.simone.io, foo2.simone.io, foo3.simone.io] acme: Obtaining bundled SAN certificate 2016/01/30 00:27:59 [INFO][simone.io] acme: Could not find solver for: http-01 2016/01/30 00:27:59 [INFO][simone.io] acme: Trying to solve DNS-01 2016/01/30 00:28:00 simone.io 2016/01/30 00:28:00 &{0 0 _acme-challenge Uo7cIEDgw_sCgZhSOML_GU4DkKlgpB6p1Et8lxRVGLI 120 0 TXT <nil> <nil>} 2016/01/30 00:28:12 [INFO][simone.io] The server validated our request 2016/01/30 00:28:14 &{5340584 41571 _acme-challenge Uo7cIEDgw_sCgZhSOML_GU4DkKlgpB6p1Et8lxRVGLI 120 0 TXT 2016-01-29 23:28:00.828 +0000 UTC 2016-01-29 23:28:00.828 +0000 UTC} 2016/01/30 00:28:14 [INFO][foo1.simone.io] acme: Could not find solver for: http-01 2016/01/30 00:28:14 [INFO][foo1.simone.io] acme: Trying to solve DNS-01 2016/01/30 00:28:15 simone.io 2016/01/30 00:28:15 &{0 0 _acme-challenge.foo1 l_HB5ctb2M86FVcgpCaWgURVhCePNY9KIVQ0tsVH2Ew 120 0 TXT <nil> <nil>} 2016/01/30 00:28:19 &{5340585 41571 _acme-challenge.foo1 l_HB5ctb2M86FVcgpCaWgURVhCePNY9KIVQ0tsVH2Ew 120 0 TXT 2016-01-29 23:28:15.996 +0000 UTC 2016-01-29 23:28:15.996 +0000 UTC} 2016/01/30 00:28:19 [INFO][foo2.simone.io] acme: Could not find solver for: http-01 2016/01/30 00:28:19 [INFO][foo2.simone.io] acme: Could not find solver for: tls-sni-01 2016/01/30 00:28:19 [INFO][foo2.simone.io] acme: Trying to solve DNS-01 
2016/01/30 00:28:20 simone.io 2016/01/30 00:28:20 &{0 0 _acme-challenge.foo2 rohi66Q0VHSEu0kR3LcGPkFEIftt47xHfeQercf8frU 120 0 TXT <nil> <nil>} 2016/01/30 00:28:22 [INFO][foo2.simone.io] The server validated our request 2016/01/30 00:28:23 &{5340586 41571 _acme-challenge.foo2 rohi66Q0VHSEu0kR3LcGPkFEIftt47xHfeQercf8frU 120 0 TXT 2016-01-29 23:28:21.051 +0000 UTC 2016-01-29 23:28:21.051 +0000 UTC} 2016/01/30 00:28:24 [INFO][foo3.simone.io] acme: Could not find solver for: tls-sni-01 2016/01/30 00:28:24 [INFO][foo3.simone.io] acme: Could not find solver for: http-01 2016/01/30 00:28:24 [INFO][foo3.simone.io] acme: Trying to solve DNS-01 2016/01/30 00:28:25 simone.io 2016/01/30 00:28:25 &{0 0 _acme-challenge.foo3 gmn1sKV_0gP3BiOT3yZQywZq95akKRGup0IJs1cqdVo 120 0 TXT <nil> <nil>} 2016/01/30 00:28:27 [INFO][foo3.simone.io] The server validated our request 2016/01/30 00:28:28 &{5340587 41571 _acme-challenge.foo3 gmn1sKV_0gP3BiOT3yZQywZq95akKRGup0IJs1cqdVo 120 0 TXT 2016-01-29 23:28:25.616 +0000 UTC 2016-01-29 23:28:25.616 +0000 UTC} 2016/01/30 00:28:28 map[foo1.simone.io:acme: Error 0 - urn:acme:error:connection - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.foo1.simone.io Error Detail: ] exit status 1 This is the result of the latest (successful) run: ➜ letsencrypt-dnsimple git:(master) ✗ go run main.go --user xxx --api-key "xxx" --email "xxx@gmail.com" simone.io,yy.simone.io,xx.simone.io 2016/01/30 21:34:01 .data/users/xxx@gmail.com 2016/01/30 21:34:01 {xxx@gmail.com <nil> 0xc820070480} 2016/01/30 21:34:02 [INFO] acme: Registering account for xxx@gmail.com 2016/01/30 21:34:03 &{{ 116199 {RSA xxx} [mailto:xxx@gmail.com] } https://acme-staging.api.letsencrypt.org/acme/reg/116199 https://acme-staging.api.letsencrypt.org/acme/new-authz https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf} 2016/01/30 21:34:03 [INFO][simone.io, yy.simone.io, xx.simone.io] acme: Obtaining bundled SAN certificate 2016/01/30 21:34:04 [INFO][simone.io] acme: Could not find 
solver for: tls-sni-01 2016/01/30 21:34:04 [INFO][simone.io] acme: Could not find solver for: http-01 2016/01/30 21:34:04 [INFO][simone.io] acme: Trying to solve DNS-01 2016/01/30 21:34:13 [INFO][simone.io] The server validated our request 2016/01/30 21:34:14 Searching for 2016/01/30 21:34:14 simone.io 2016/01/30 21:34:15 To delete: 2016/01/30 21:34:15 {5341831 41571 _acme-challenge TX8-77TN9XHZHO510Yw20u1j89UhdgGXcwScKZHRGNY 120 0 TXT 2016-01-30 20:34:05.859 +0000 UTC 2016-01-30 20:34:05.859 +0000 UTC} 2016/01/30 21:34:15 Will delete: 2016/01/30 21:34:15 [{5341831 41571 _acme-challenge TX8-77TN9XHZHO510Yw20u1j89UhdgGXcwScKZHRGNY 120 0 TXT 2016-01-30 20:34:05.859 +0000 UTC 2016-01-30 20:34:05.859 +0000 UTC}] 2016/01/30 21:34:15 [INFO][yy.simone.io] acme: Could not find solver for: http-01 2016/01/30 21:34:15 [INFO][yy.simone.io] acme: Could not find solver for: tls-sni-01 2016/01/30 21:34:15 [INFO][yy.simone.io] acme: Trying to solve DNS-01 2016/01/30 21:34:18 [INFO][yy.simone.io] The server validated our request 2016/01/30 21:34:19 Searching for 2016/01/30 21:34:19 yy.simone.io 2016/01/30 21:34:19 To delete: 2016/01/30 21:34:19 {5341832 41571 _acme-challenge.yy pHolYM_OqxCThmL3nBA91qRCI6-oEIMG0YOJj3R1Xww 120 0 TXT 2016-01-30 20:34:17.176 +0000 UTC 2016-01-30 20:34:17.176 +0000 UTC} 2016/01/30 21:34:19 Will delete: 2016/01/30 21:34:19 [{5341832 41571 _acme-challenge.yy pHolYM_OqxCThmL3nBA91qRCI6-oEIMG0YOJj3R1Xww 120 0 TXT 2016-01-30 20:34:17.176 +0000 UTC 2016-01-30 20:34:17.176 +0000 UTC}] 2016/01/30 21:34:20 [INFO][xx.simone.io] acme: Could not find solver for: tls-sni-01 2016/01/30 21:34:20 [INFO][xx.simone.io] acme: Trying to solve DNS-01 2016/01/30 21:34:23 [INFO][xx.simone.io] The server validated our request 2016/01/30 21:34:23 Searching for 2016/01/30 21:34:23 xx.simone.io 2016/01/30 21:34:24 To delete: 2016/01/30 21:34:24 {5341833 41571 _acme-challenge.xx LEr6l7KJCr6e7LlqyQgAbZbKCRmLFa5zNC8kNHK1FtQ 120 0 TXT 2016-01-30 20:34:21.793 +0000 UTC 2016-01-30 
20:34:21.793 +0000 UTC} 2016/01/30 21:34:24 Will delete: 2016/01/30 21:34:24 [{5341833 41571 _acme-challenge.xx LEr6l7KJCr6e7LlqyQgAbZbKCRmLFa5zNC8kNHK1FtQ 120 0 TXT 2016-01-30 20:34:21.793 +0000 UTC 2016-01-30 20:34:21.793 +0000 UTC}] 2016/01/30 21:34:25 [INFO][simone.io, yy.simone.io, xx.simone.io] acme: Validations succeeded; requesting certificates 2016/01/30 21:34:26 [INFO] acme: Requesting issuer cert from https://acme-staging.api.letsencrypt.org/acme/issuer-cert 2016/01/30 21:34:26 [INFO][simone.io] Server responded with a certificate. [INFO][https://acme-staging.api.letsencrypt.org/acme/cert/fae971fcb1ce12 c4d3bb95a1f577786cccfe] Certificate simone.io, yy.simone.io, xx.simone.io2016/01/30 21:34:26 145 <nil> 2016/01/30 21:34:26 .data/certs/1454186041 2016/01/30 21:34:26 completed!
package acme
import (
"fmt"
"os"
"strings"
"github.com/weppos/dnsimple-go/dnsimple"
)
// DNSProviderDNSimple is an implementation of the DNSProvider interface.
type DNSProviderDNSimple struct {
	// client is the authenticated DNSimple API client; every call in this
	// file goes through client.Domains (List, ListRecords, CreateRecord,
	// DeleteRecord).
	client *dnsimple.Client
}
// NewDNSProviderDNSimple returns a DNSProviderDNSimple instance with a configured dnsimple client.
// Authentication is either done using the passed credentials or - when empty - using the environment
// variables DNSIMPLE_EMAIL and DNSIMPLE_API_KEY.
//
// An error is returned when neither the arguments nor the environment supply
// both an email and an API key.
func NewDNSProviderDNSimple(dnsimpleEmail, dnsimpleApiKey string) (*DNSProviderDNSimple, error) {
	email, apiKey := dnsimpleEmail, dnsimpleApiKey

	// Fall back to the environment as soon as either explicit credential is blank.
	if email == "" || apiKey == "" {
		email, apiKey = dnsimpleEnvAuth()
	}
	if email == "" || apiKey == "" {
		return nil, fmt.Errorf("DNSimple credentials missing")
	}

	return &DNSProviderDNSimple{
		client: dnsimple.NewClient(apiKey, email),
	}, nil
}
// Present creates a TXT record to fulfil the dns-01 challenge.
//
// The hosted zone is resolved from domain first, because the record name
// DNSimple expects is relative to that zone. Errors from the zone lookup are
// returned unchanged; a failed CreateRecord call is reported with context.
func (c *DNSProviderDNSimple) Present(domain, token, keyAuth string) error {
	fqdn, value, ttl := DNS01Record(domain, keyAuth)

	zoneID, zoneName, err := c.getHostedZone(domain)
	if err != nil {
		return err
	}

	rec := c.newTxtRecord(zoneName, fqdn, value, ttl)
	if _, _, err = c.client.Domains.CreateRecord(zoneID, *rec); err != nil {
		return fmt.Errorf("DNSimple API call failed: %v", err)
	}

	return nil
}
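// CleanUp removes the TXT record matching the specified parameters.
//
// Every TXT record in the hosted zone whose name equals the challenge record
// name is deleted. The record content (the challenge value derived from
// keyAuth) is discarded and not compared, so any other TXT record that shares
// the _acme-challenge name is removed as well.
//
// The lookup error is returned unchanged; a failed DeleteRecord call is
// reported with context, and deletion stops at the first failure, so records
// later in the list may be left behind.
func (c *DNSProviderDNSimple) CleanUp(domain, token, keyAuth string) error {
	fqdn, _, _ := DNS01Record(domain, keyAuth)

	records, err := c.findTxtRecords(domain, fqdn)
	if err != nil {
		return err
	}

	for _, rec := range records {
		// rec is the range value itself (not a pointer into the slice), so each
		// iteration deletes exactly the record it is looking at.
		if _, err := c.client.Domains.DeleteRecord(rec.DomainId, rec.Id); err != nil {
			// Same wording as the other API-call errors in this file.
			return fmt.Errorf("DNSimple API call failed: %v", err)
		}
	}

	return nil
}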
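// getHostedZone finds the DNSimple domain that hosts domain and returns its
// ID (formatted as the string the records API takes) together with its name.
//
// Among the account's domains it selects the longest one that is either equal
// to domain or a parent of it on a label boundary; a hosted "ample.com" is
// therefore never chosen for "foo.example.com".
//
// Returns an error when the domain list cannot be fetched or when no hosted
// domain matches.
func (c *DNSProviderDNSimple) getHostedZone(domain string) (string, string, error) {
	domains, _, err := c.client.Domains.List()
	if err != nil {
		return "", "", fmt.Errorf("DNSimple API call failed: %v", err)
	}

	var hostedDomain dnsimple.Domain
	for _, d := range domains {
		// A bare HasSuffix would also accept a partial-label match such as
		// "ample.com" for "example.com"; require the zone to be the whole
		// domain or to follow a dot.
		if domain != d.Name && !strings.HasSuffix(domain, "."+d.Name) {
			continue
		}
		// Keep the most specific (longest) matching zone.
		if len(d.Name) > len(hostedDomain.Name) {
			hostedDomain = d
		}
	}
	if hostedDomain.Id == 0 {
		return "", "", fmt.Errorf("No matching DNSimple domain found for domain %s", domain)
	}

	return fmt.Sprintf("%v", hostedDomain.Id), hostedDomain.Name, nil
}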
// findTxtRecords returns every TXT record in the zone hosting domain whose
// name equals the zone-relative name derived from fqdn.
//
// Errors from the zone lookup are returned unchanged; a failed ListRecords
// call is reported with context.
func (c *DNSProviderDNSimple) findTxtRecords(domain, fqdn string) ([]dnsimple.Record, error) {
	zoneID, zoneName, err := c.getHostedZone(domain)
	if err != nil {
		return nil, err
	}

	var matches []dnsimple.Record
	all, _, err := c.client.Domains.ListRecords(zoneID, "", "TXT")
	if err != nil {
		return matches, fmt.Errorf("DNSimple API call has failed: %v", err)
	}

	// Records come back with names relative to the zone, so strip the zone
	// from fqdn before comparing.
	want := c.extractRecordName(fqdn, zoneName)
	for _, r := range all {
		if r.Name != want {
			continue
		}
		matches = append(matches, r)
	}

	return matches, nil
}
// newTxtRecord builds (but does not create) a TXT record for fqdn with the
// given content and TTL, named relative to zone.
func (c *DNSProviderDNSimple) newTxtRecord(zone, fqdn, value string, ttl int) *dnsimple.Record {
	rec := dnsimple.Record{Type: "TXT", TTL: ttl}
	rec.Name = c.extractRecordName(fqdn, zone)
	rec.Content = value
	return &rec
}
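// extractRecordName turns fqdn into the name DNSimple expects for a record
// in domain: the trailing dot is dropped and, when the name lies under
// domain, the "."+domain suffix is stripped. A name that is not under domain
// is returned with only its trailing dot removed.
func (c *DNSProviderDNSimple) extractRecordName(fqdn, domain string) string {
	name := unFqdn(fqdn)
	// Strip the zone only when it is a real suffix; a substring search would
	// also cut at an occurrence of "."+domain in the middle of the name.
	if suffix := "." + domain; strings.HasSuffix(name, suffix) {
		return strings.TrimSuffix(name, suffix)
	}
	return name
}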
// dnsimpleEnvAuth reads the DNSimple credentials from the DNSIMPLE_EMAIL and
// DNSIMPLE_API_KEY environment variables. Both values are returned only when
// both are set; otherwise two empty strings are returned.
func dnsimpleEnvAuth() (email, apiKey string) {
	e, k := os.Getenv("DNSIMPLE_EMAIL"), os.Getenv("DNSIMPLE_API_KEY")
	if e == "" || k == "" {
		return "", ""
	}
	return e, k
}