dnscontrol/pkg/acme/acme.go

// Package acme provides a means of performing Let's Encrypt DNS challenges via a DNSConfig
package acme

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io/ioutil"
	"log"
	"net/url"
	"sort"
	"strings"
	"time"

	"github.com/StackExchange/dnscontrol/models"
	"github.com/StackExchange/dnscontrol/pkg/nameservers"
	"github.com/xenolf/lego/acme"
	acmelog "github.com/xenolf/lego/log"
)

type CertConfig struct {
	CertName string   `json:"cert_name"`
	Names    []string `json:"names"`
}

type Client interface {
	IssueOrRenewCert(config *CertConfig, renewUnder int, verbose bool) (bool, error)
}

type certManager struct {
	email         string
	acmeDirectory string
	acmeHost      string

	storage         Storage
	cfg             *models.DNSConfig
	domains         map[string]*models.DomainConfig
	originalDomains []*models.DomainConfig
	client          *acme.Client

	waitedOnce bool
}

const (
	LetsEncryptLive  = "https://acme-v02.api.letsencrypt.org/directory"
	LetsEncryptStage = "https://acme-staging-v02.api.letsencrypt.org/directory"
)

func New(cfg *models.DNSConfig, directory string, email string, server string) (Client, error) {
	return commonNew(cfg, directoryStorage(directory), email, server)
}

func commonNew(cfg *models.DNSConfig, storage Storage, email string, server string) (Client, error) {
	u, err := url.Parse(server)
	if err != nil || u.Host == "" {
		return nil, fmt.Errorf("ACME directory '%s' is not a valid URL", server)
	}
	c := &certManager{
		storage:       storage,
		email:         email,
		acmeDirectory: server,
		acmeHost:      u.Host,
		cfg:           cfg,
		domains:       map[string]*models.DomainConfig{},
	}

	client, err := c.createAcmeClient()
	if err != nil {
		return nil, err
	}
	client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.TLSALPN01})
	client.SetChallengeProvider(acme.DNS01, c)
	c.client = client
	return c, nil
}

func NewVault(cfg *models.DNSConfig, vaultPath string, email string, server string) (Client, error) {
	storage, err := makeVaultStorage(vaultPath)
	if err != nil {
		return nil, err
	}
	return commonNew(cfg, storage, email, server)
}

// IssueOrRenewCert will obtain a certificate with the given name if it does not exist,
// or renew it if it is close enough to the expiration date.
// It will return true if it issued or updated the certificate.
func (c *certManager) IssueOrRenewCert(cfg *CertConfig, renewUnder int, verbose bool) (bool, error) {
	if !verbose {
		acmelog.Logger = log.New(ioutil.Discard, "", 0)
	}
	defer c.finalCleanUp()

	log.Printf("Checking certificate [%s]", cfg.CertName)
	existing, err := c.storage.GetCertificate(cfg.CertName)
	if err != nil {
		return false, err
	}

	var action = func() (*acme.CertificateResource, error) {
		return c.client.ObtainCertificate(cfg.Names, true, nil, true)
	}

	if existing == nil {
		log.Println("No existing cert found. Issuing new...")
	} else {
		names, daysLeft, err := getCertInfo(existing.Certificate)
		if err != nil {
			return false, err
		}
		log.Printf("Found existing cert. %0.2f days remaining.", daysLeft)
		namesOK := dnsNamesEqual(cfg.Names, names)
		if daysLeft >= float64(renewUnder) && namesOK {
			log.Println("Nothing to do")
			//nothing to do
			return false, nil
		}
		if !namesOK {
			log.Println("DNS Names don't match expected set. Reissuing.")
		} else {
			log.Println("Renewing cert")
			action = func() (*acme.CertificateResource, error) {
				return c.client.RenewCertificate(*existing, true, true)
			}
		}
	}

	acme.PreCheckDNS = c.preCheckDNS
	defer func() { acme.PreCheckDNS = acmePreCheck }()

	certResource, err := action()
	if err != nil {
		return false, err
	}
	fmt.Printf("Obtained certificate for %s\n", cfg.CertName)
	if err = c.storage.StoreCertificate(cfg.CertName, certResource); err != nil {
		return true, err
	}

	return true, nil
}

func getCertInfo(pemBytes []byte) (names []string, remaining float64, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, 0, fmt.Errorf("Invalid certificate pem data")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, 0, err
	}
	var daysLeft = float64(cert.NotAfter.Sub(time.Now())) / float64(time.Hour*24)
	return cert.DNSNames, daysLeft, nil
}

// checks two lists of sans to make sure they have all the same names in them.
func dnsNamesEqual(a []string, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	sort.Strings(a)
	sort.Strings(b)
	for i, s := range a {
		if b[i] != s {
			return false
		}
	}
	return true
}

func (c *certManager) Present(domain, token, keyAuth string) (e error) {
	d := c.cfg.DomainContainingFQDN(domain)
	name := d.Name
	if seen := c.domains[name]; seen != nil {
		// we've already pre-processed this domain, just need to add to it.
		d = seen
	} else {
		// one-time tasks to get this domain ready.
		// if multiple validations on a single domain, we don't need to rebuild all this.

		// fix NS records for this domain's DNS providers
		nsList, err := nameservers.DetermineNameservers(d)
		if err != nil {
			return err
		}
		d.Nameservers = nsList
		nameservers.AddNSRecords(d)

		// make sure we have the latest config before we change anything.
		// alternately, we could avoid a lot of this trouble if we really really trusted no-purge in all cases
		if err := c.ensureNoPendingCorrections(d); err != nil {
			return err
		}

		// copy domain and work from copy from now on. That way original config can be used to "restore" when we are all done.
		copy, err := d.Copy()
		if err != nil {
			return err
		}
		c.originalDomains = append(c.originalDomains, d)
		c.domains[name] = copy
		d = copy
	}

	fqdn, val, _ := acme.DNS01Record(domain, keyAuth)
	txt := &models.RecordConfig{Type: "TXT"}
	txt.SetTargetTXT(val)
	txt.SetLabelFromFQDN(fqdn, d.Name)
	d.Records = append(d.Records, txt)
	return getAndRunCorrections(d)
}

func (c *certManager) ensureNoPendingCorrections(d *models.DomainConfig) error {
	corrections, err := getCorrections(d)
	if err != nil {
		return err
	}
	if len(corrections) != 0 {
		// TODO: maybe allow forcing through this check.
		for _, c := range corrections {
			fmt.Println(c.Msg)
		}
		return fmt.Errorf("Found %d pending corrections for %s. Not going to proceed issuing certificates", len(corrections), d.Name)
	}
	return nil
}

// IgnoredProviders is a lit of provider names that should not be used to fill challenges.
var IgnoredProviders = map[string]bool{}

func getCorrections(d *models.DomainConfig) ([]*models.Correction, error) {
	cs := []*models.Correction{}
	for _, p := range d.DNSProviderInstances {
		if IgnoredProviders[p.Name] {
			continue
		}
		dc, err := d.Copy()
		if err != nil {
			return nil, err
		}
		corrections, err := p.Driver.GetDomainCorrections(dc)
		if err != nil {
			return nil, err
		}
		for _, c := range corrections {
			c.Msg = fmt.Sprintf("[%s] %s", p.Name, strings.TrimSpace(c.Msg))
		}
		cs = append(cs, corrections...)
	}
	return cs, nil
}

func getAndRunCorrections(d *models.DomainConfig) error {
	cs, err := getCorrections(d)
	if err != nil {
		return err
	}
	fmt.Printf("%d corrections\n", len(cs))
	for _, c := range cs {
		fmt.Printf("Running [%s]\n", c.Msg)
		err = c.F()
		if err != nil {
			return err
		}
	}
	return nil
}

func (c *certManager) CleanUp(domain, token, keyAuth string) error {
	// do nothing for now. We will do a final clean up step at the very end.
	return nil
}

func (c *certManager) finalCleanUp() error {
	log.Println("Cleaning up all records we made")
	var lastError error
	for _, d := range c.originalDomains {
		if err := getAndRunCorrections(d); err != nil {
			log.Printf("ERROR cleaning up: %s", err)
			lastError = err
		}
	}
	return lastError
}
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`// Package acme provides a means of performing Let's Encrypt DNS challenges via a DNSConfig`
			`package acme`

			`import (`
			`"crypto/x509"`
			`"encoding/pem"`
			`"fmt"`
			`"io/ioutil"`
			`"log"`
			`"net/url"`
			`"sort"`
			`"strings"`
			`"time"`

			`"github.com/StackExchange/dnscontrol/models"`
			`"github.com/StackExchange/dnscontrol/pkg/nameservers"`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`"github.com/xenolf/lego/acme"`
			`acmelog "github.com/xenolf/lego/log"`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`)`

			`type CertConfig struct {`
			CertName string `json:"cert_name"`
			Names []string `json:"names"`
			`}`

			`type Client interface {`
			`IssueOrRenewCert(config *CertConfig, renewUnder int, verbose bool) (bool, error)`
			`}`

			`type certManager struct {`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`email string`
			`acmeDirectory string`
			`acmeHost string`

			`storage Storage`
			`cfg *models.DNSConfig`
			`domains map[string]*models.DomainConfig`
			`originalDomains []*models.DomainConfig`
			`client *acme.Client`

			`waitedOnce bool`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`}`

			`const (`
			`LetsEncryptLive = "https://acme-v02.api.letsencrypt.org/directory"`
			`LetsEncryptStage = "https://acme-staging-v02.api.letsencrypt.org/directory"`
			`)`

			`func New(cfg *models.DNSConfig, directory string, email string, server string) (Client, error) {`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`return commonNew(cfg, directoryStorage(directory), email, server)`
			`}`

			`func commonNew(cfg *models.DNSConfig, storage Storage, email string, server string) (Client, error) {`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`u, err := url.Parse(server)`
			`if err != nil \|\| u.Host == "" {`
			`return nil, fmt.Errorf("ACME directory '%s' is not a valid URL", server)`
			`}`
			`c := &certManager{`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`storage: storage,`
			`email: email,`
			`acmeDirectory: server,`
			`acmeHost: u.Host,`
			`cfg: cfg,`
			`domains: map[string]*models.DomainConfig{},`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`}`

Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`client, err := c.createAcmeClient()`
			`if err != nil {`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`return nil, err`
			`}`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.TLSALPN01})`
			`client.SetChallengeProvider(acme.DNS01, c)`
			`c.client = client`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`return c, nil`
			`}`

Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`func NewVault(cfg *models.DNSConfig, vaultPath string, email string, server string) (Client, error) {`
			`storage, err := makeVaultStorage(vaultPath)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return commonNew(cfg, storage, email, server)`
			`}`

Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`// IssueOrRenewCert will obtain a certificate with the given name if it does not exist,`
			`// or renew it if it is close enough to the expiration date.`
			`// It will return true if it issued or updated the certificate.`
			`func (c certManager) IssueOrRenewCert(cfg CertConfig, renewUnder int, verbose bool) (bool, error) {`
			`if !verbose {`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`acmelog.Logger = log.New(ioutil.Discard, "", 0)`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`}`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`defer c.finalCleanUp()`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00
			`log.Printf("Checking certificate [%s]", cfg.CertName)`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`existing, err := c.storage.GetCertificate(cfg.CertName)`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`if err != nil {`
			`return false, err`
			`}`

Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`var action = func() (*acme.CertificateResource, error) {`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`return c.client.ObtainCertificate(cfg.Names, true, nil, true)`
			`}`

			`if existing == nil {`
			`log.Println("No existing cert found. Issuing new...")`
			`} else {`
			`names, daysLeft, err := getCertInfo(existing.Certificate)`
			`if err != nil {`
			`return false, err`
			`}`
			`log.Printf("Found existing cert. %0.2f days remaining.", daysLeft)`
			`namesOK := dnsNamesEqual(cfg.Names, names)`
			`if daysLeft >= float64(renewUnder) && namesOK {`
			`log.Println("Nothing to do")`
			`//nothing to do`
			`return false, nil`
			`}`
			`if !namesOK {`
			`log.Println("DNS Names don't match expected set. Reissuing.")`
			`} else {`
			`log.Println("Renewing cert")`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`action = func() (*acme.CertificateResource, error) {`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`return c.client.RenewCertificate(*existing, true, true)`
			`}`
			`}`
			`}`

Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`acme.PreCheckDNS = c.preCheckDNS`
			`defer func() { acme.PreCheckDNS = acmePreCheck }()`

Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`certResource, err := action()`
			`if err != nil {`
			`return false, err`
			`}`
			`fmt.Printf("Obtained certificate for %s\n", cfg.CertName)`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`if err = c.storage.StoreCertificate(cfg.CertName, certResource); err != nil {`
			`return true, err`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`}`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00
			`return true, nil`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`}`

			`func getCertInfo(pemBytes []byte) (names []string, remaining float64, err error) {`
			`block, _ := pem.Decode(pemBytes)`
			`if block == nil {`
			`return nil, 0, fmt.Errorf("Invalid certificate pem data")`
			`}`
			`cert, err := x509.ParseCertificate(block.Bytes)`
			`if err != nil {`
			`return nil, 0, err`
			`}`
			`var daysLeft = float64(cert.NotAfter.Sub(time.Now())) / float64(time.Hour*24)`
			`return cert.DNSNames, daysLeft, nil`
			`}`

			`// checks two lists of sans to make sure they have all the same names in them.`
			`func dnsNamesEqual(a []string, b []string) bool {`
			`if len(a) != len(b) {`
			`return false`
			`}`
			`sort.Strings(a)`
			`sort.Strings(b)`
			`for i, s := range a {`
			`if b[i] != s {`
			`return false`
			`}`
			`}`
			`return true`
			`}`

			`func (c *certManager) Present(domain, token, keyAuth string) (e error) {`
			`d := c.cfg.DomainContainingFQDN(domain)`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`name := d.Name`
			`if seen := c.domains[name]; seen != nil {`
			`// we've already pre-processed this domain, just need to add to it.`
			`d = seen`
			`} else {`
			`// one-time tasks to get this domain ready.`
			`// if multiple validations on a single domain, we don't need to rebuild all this.`

			`// fix NS records for this domain's DNS providers`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`nsList, err := nameservers.DetermineNameservers(d)`
			`if err != nil {`
			`return err`
			`}`
			`d.Nameservers = nsList`
			`nameservers.AddNSRecords(d)`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00
			`// make sure we have the latest config before we change anything.`
			`// alternately, we could avoid a lot of this trouble if we really really trusted no-purge in all cases`
			`if err := c.ensureNoPendingCorrections(d); err != nil {`
			`return err`
			`}`

			`// copy domain and work from copy from now on. That way original config can be used to "restore" when we are all done.`
			`copy, err := d.Copy()`
			`if err != nil {`
			`return err`
			`}`
			`c.originalDomains = append(c.originalDomains, d)`
			`c.domains[name] = copy`
			`d = copy`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`}`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`fqdn, val, _ := acme.DNS01Record(domain, keyAuth)`
			`txt := &models.RecordConfig{Type: "TXT"}`
			`txt.SetTargetTXT(val)`
			`txt.SetLabelFromFQDN(fqdn, d.Name)`
			`d.Records = append(d.Records, txt)`
			`return getAndRunCorrections(d)`
			`}`

			`func (c certManager) ensureNoPendingCorrections(d models.DomainConfig) error {`
			`corrections, err := getCorrections(d)`
			`if err != nil {`
			`return err`
			`}`
			`if len(corrections) != 0 {`
			`// TODO: maybe allow forcing through this check.`
			`for _, c := range corrections {`
			`fmt.Println(c.Msg)`
			`}`
			`return fmt.Errorf("Found %d pending corrections for %s. Not going to proceed issuing certificates", len(corrections), d.Name)`
			`}`
			`return nil`
			`}`

			`// IgnoredProviders is a lit of provider names that should not be used to fill challenges.`
			`var IgnoredProviders = map[string]bool{}`

			`func getCorrections(d models.DomainConfig) ([]models.Correction, error) {`
			`cs := []*models.Correction{}`
			`for _, p := range d.DNSProviderInstances {`
			`if IgnoredProviders[p.Name] {`
			`continue`
			`}`
			`dc, err := d.Copy()`
			`if err != nil {`
			`return nil, err`
			`}`
			`corrections, err := p.Driver.GetDomainCorrections(dc)`
			`if err != nil {`
			`return nil, err`
			`}`
			`for _, c := range corrections {`
			`c.Msg = fmt.Sprintf("[%s] %s", p.Name, strings.TrimSpace(c.Msg))`
			`}`
			`cs = append(cs, corrections...)`
			`}`
			`return cs, nil`
			`}`

			`func getAndRunCorrections(d *models.DomainConfig) error {`
			`cs, err := getCorrections(d)`
			`if err != nil {`
			`return err`
			`}`
			`fmt.Printf("%d corrections\n", len(cs))`
			`for _, c := range cs {`
			`fmt.Printf("Running [%s]\n", c.Msg)`
			`err = c.F()`
			`if err != nil {`
			`return err`
			`}`
			`}`
			`return nil`
			`}`

			`func (c *certManager) CleanUp(domain, token, keyAuth string) error {`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`// do nothing for now. We will do a final clean up step at the very end.`
			`return nil`
			`}`

			`func (c *certManager) finalCleanUp() error {`
			`log.Println("Cleaning up all records we made")`
			`var lastError error`
			`for _, d := range c.originalDomains {`
			`if err := getAndRunCorrections(d); err != nil {`
			`log.Printf("ERROR cleaning up: %s", err)`
			`lastError = err`
			`}`
			`}`
			`return lastError`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`}`