From 227fab3867663d80d71418e981662a4dd278b1f7 Mon Sep 17 00:00:00 2001 From: Ludovic Fernandez Date: Fri, 11 Jan 2019 16:22:03 +0100 Subject: [PATCH] fix: update lego. --- Gopkg.lock | 7 +- Gopkg.toml | 4 +- acme/acme.go | 2 +- provider/acme/provider.go | 2 +- .../acme/api/internal/sender/useragent.go | 4 +- .../xenolf/lego/certificate/certificates.go | 74 +++++++++---------- vendor/github.com/xenolf/lego/lego/client.go | 3 +- .../xenolf/lego/lego/client_config.go | 20 +++-- .../lego/providers/dns/gcloud/googlecloud.go | 23 ++++-- .../lego/providers/dns/rfc2136/rfc2136.go | 27 ++++--- .../lego/providers/dns/transip/transip.go | 14 +++- 11 files changed, 107 insertions(+), 73 deletions(-) diff --git a/Gopkg.lock b/Gopkg.lock index e96a8fe6f..c7e02393d 100644 --- a/Gopkg.lock +++ b/Gopkg.lock @@ -1704,8 +1704,7 @@ revision = "0c8571ac0ce161a5feb57375a9cdf148c98c0f70" [[projects]] - branch = "master" - digest = "1:f3f9f7b883b89edc06283285964a8125b15f31c1634a8ccb2860c8c8b3f6231d" + digest = "1:9eab86777ed6cf496e7659b9c67a0b7ebd1d76f55e1771f8bf52fb68f5f2d040" name = "github.com/xenolf/lego" packages = [ "acme", @@ -1784,7 +1783,8 @@ "registration", ] pruneopts = "NUT" - revision = "43401f2475dd1f6cc2e220908f0caba246ea854e" + revision = "86c9de3db61436d07de2471508067f18c16c1997" + version = "v2.0.1" [[projects]] branch = "master" @@ -2363,7 +2363,6 @@ "github.com/vulcand/oxy/ratelimit", "github.com/vulcand/oxy/roundrobin", "github.com/vulcand/oxy/utils", - "github.com/xenolf/lego/acme", "github.com/xenolf/lego/certcrypto", "github.com/xenolf/lego/certificate", "github.com/xenolf/lego/challenge", diff --git a/Gopkg.toml b/Gopkg.toml index 3ed84c8ad..a10a7a974 100644 --- a/Gopkg.toml +++ b/Gopkg.toml @@ -178,9 +178,9 @@ name = "github.com/vulcand/oxy" [[constraint]] - branch = "master" +# branch = "master" name = "github.com/xenolf/lego" -# version = "1.0.0" + version = "2.0.1" [[constraint]] name = "google.golang.org/grpc" diff --git a/acme/acme.go b/acme/acme.go index b699c686b..5e551392a 100644 --- a/acme/acme.go +++ b/acme/acme.go @@ -423,7 +423,7 @@ func (a *ACME) buildACMEClient(account *Account) (*lego.Client, error) { config := lego.NewConfig(account) config.CADirURL = caServer - config.KeyType = account.KeyType + config.Certificate.KeyType = account.KeyType config.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version) client, err := lego.NewClient(config) diff --git a/provider/acme/provider.go b/provider/acme/provider.go index 3315bd27a..76aa1cee7 100644 --- a/provider/acme/provider.go +++ b/provider/acme/provider.go @@ -250,7 +250,7 @@ func (p *Provider) getClient() (*lego.Client, error) { config := lego.NewConfig(account) config.CADirURL = caServer - config.KeyType = account.KeyType + config.Certificate.KeyType = account.KeyType config.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version) client, err := lego.NewClient(config) diff --git a/vendor/github.com/xenolf/lego/acme/api/internal/sender/useragent.go b/vendor/github.com/xenolf/lego/acme/api/internal/sender/useragent.go index 4b129b6a0..66ab8e281 100644 --- a/vendor/github.com/xenolf/lego/acme/api/internal/sender/useragent.go +++ b/vendor/github.com/xenolf/lego/acme/api/internal/sender/useragent.go @@ -5,10 +5,10 @@ package sender const ( // ourUserAgent is the User-Agent of this underlying library package. - ourUserAgent = "xenolf-acme/1.2.1" + ourUserAgent = "xenolf-acme/2.0.1" // ourUserAgentComment is part of the UA comment linked to the version status of this underlying library package. // values: detach|release // NOTE: Update this with each tagged release. - ourUserAgentComment = "detach" + ourUserAgentComment = "release" ) diff --git a/vendor/github.com/xenolf/lego/certificate/certificates.go b/vendor/github.com/xenolf/lego/certificate/certificates.go index e9c041979..10003ac0b 100644 --- a/vendor/github.com/xenolf/lego/certificate/certificates.go +++ b/vendor/github.com/xenolf/lego/certificate/certificates.go @@ -17,6 +17,7 @@ import ( "github.com/xenolf/lego/certcrypto" "github.com/xenolf/lego/challenge" "github.com/xenolf/lego/log" + "github.com/xenolf/lego/platform/wait" "golang.org/x/crypto/ocsp" "golang.org/x/net/idna" ) @@ -60,17 +61,24 @@ type resolver interface { Solve(authorizations []acme.Authorization) error } -type Certifier struct { - core *api.Core - keyType certcrypto.KeyType - resolver resolver +type CertifierOptions struct { + KeyType certcrypto.KeyType + Timeout time.Duration } -func NewCertifier(core *api.Core, keyType certcrypto.KeyType, resolver resolver) *Certifier { +// Certifier A service to obtain/renew/revoke certificates. +type Certifier struct { + core *api.Core + resolver resolver + options CertifierOptions +} + +// NewCertifier creates a Certifier. +func NewCertifier(core *api.Core, resolver resolver, options CertifierOptions) *Certifier { return &Certifier{ core: core, - keyType: keyType, resolver: resolver, + options: options, } } @@ -191,7 +199,7 @@ func (c *Certifier) ObtainForCSR(csr x509.CertificateRequest, bundle bool) (*Res func (c *Certifier) getForOrder(domains []string, order acme.ExtendedOrder, bundle bool, privateKey crypto.PrivateKey, mustStaple bool) (*Resource, error) { if privateKey == nil { var err error - privateKey, err = certcrypto.GeneratePrivateKey(c.keyType) + privateKey, err = certcrypto.GeneratePrivateKey(c.options.KeyType) if err != nil { return nil, err } @@ -237,9 +245,9 @@ func (c *Certifier) getForCSR(domains []string, order acme.ExtendedOrder, bundle if respOrder.Status == acme.StatusValid { // if the certificate is available right away, short cut! - ok, err := c.checkResponse(respOrder, certRes, bundle) - if err != nil { - return nil, err + ok, errR := c.checkResponse(respOrder, certRes, bundle) + if errR != nil { + return nil, errR } if ok { @@ -247,34 +255,26 @@ func (c *Certifier) getForCSR(domains []string, order acme.ExtendedOrder, bundle } } - return c.waitForCertificate(certRes, order.Location, bundle) -} - -func (c *Certifier) waitForCertificate(certRes *Resource, orderURL string, bundle bool) (*Resource, error) { - stopTimer := time.NewTimer(30 * time.Second) - defer stopTimer.Stop() - retryTick := time.NewTicker(500 * time.Millisecond) - defer retryTick.Stop() - - for { - select { - case <-stopTimer.C: - return nil, errors.New("certificate polling timed out") - case <-retryTick.C: - order, err := c.core.Orders.Get(orderURL) - if err != nil { - return nil, err - } - - done, err := c.checkResponse(order, certRes, bundle) - if err != nil { - return nil, err - } - if done { - return certRes, nil - } - } + timeout := c.options.Timeout + if c.options.Timeout <= 0 { + timeout = 30 * time.Second } + + err = wait.For("certificate", timeout, timeout/60, func() (bool, error) { + ord, errW := c.core.Orders.Get(order.Location) + if errW != nil { + return false, errW + } + + done, errW := c.checkResponse(ord, certRes, bundle) + if errW != nil { + return false, errW + } + + return done, nil + }) + + return certRes, err } // checkResponse checks to see if the certificate is ready and a link is contained in the response. diff --git a/vendor/github.com/xenolf/lego/lego/client.go b/vendor/github.com/xenolf/lego/lego/client.go index 5235b1de8..1f7b5c8d1 100644 --- a/vendor/github.com/xenolf/lego/lego/client.go +++ b/vendor/github.com/xenolf/lego/lego/client.go @@ -53,9 +53,10 @@ func NewClient(config *Config) (*Client, error) { solversManager := resolver.NewSolversManager(core) prober := resolver.NewProber(solversManager) + certifier := certificate.NewCertifier(core, prober, certificate.CertifierOptions{KeyType: config.Certificate.KeyType, Timeout: config.Certificate.Timeout}) return &Client{ - Certificate: certificate.NewCertifier(core, config.KeyType, prober), + Certificate: certifier, Challenge: solversManager, Registration: registration.NewRegistrar(core, config.User), core: core, diff --git a/vendor/github.com/xenolf/lego/lego/client_config.go b/vendor/github.com/xenolf/lego/lego/client_config.go index 738be86ae..4807fcfe9 100644 --- a/vendor/github.com/xenolf/lego/lego/client_config.go +++ b/vendor/github.com/xenolf/lego/lego/client_config.go @@ -35,22 +35,30 @@ const ( ) type Config struct { - CADirURL string - User registration.User - KeyType certcrypto.KeyType - UserAgent string - HTTPClient *http.Client + CADirURL string + User registration.User + UserAgent string + HTTPClient *http.Client + Certificate CertificateConfig } func NewConfig(user registration.User) *Config { return &Config{ CADirURL: LEDirectoryProduction, User: user, - KeyType: certcrypto.RSA2048, HTTPClient: createDefaultHTTPClient(), + Certificate: CertificateConfig{ + KeyType: certcrypto.RSA2048, + Timeout: 30 * time.Second, + }, } } +type CertificateConfig struct { + KeyType certcrypto.KeyType + Timeout time.Duration +} + // createDefaultHTTPClient Creates an HTTP client with a reasonable timeout value // and potentially a custom *x509.CertPool // based on the caCertificatesEnvVar environment variable (see the `initCertPool` function) diff --git a/vendor/github.com/xenolf/lego/providers/dns/gcloud/googlecloud.go b/vendor/github.com/xenolf/lego/providers/dns/gcloud/googlecloud.go index 9d0651740..3efd4a258 100644 --- a/vendor/github.com/xenolf/lego/providers/dns/gcloud/googlecloud.go +++ b/vendor/github.com/xenolf/lego/providers/dns/gcloud/googlecloud.go @@ -55,10 +55,12 @@ type DNSProvider struct { // Project name must be passed in the environment variable: GCE_PROJECT. // A Service Account file can be passed in the environment variable: GCE_SERVICE_ACCOUNT_FILE func NewDNSProvider() (*DNSProvider, error) { + // Use a service account file if specified via environment variable. if saFile, ok := os.LookupEnv("GCE_SERVICE_ACCOUNT_FILE"); ok { return NewDNSProviderServiceAccount(saFile) } + // Use default credentials. project := os.Getenv("GCE_PROJECT") return NewDNSProviderCredentials(project) } @@ -94,15 +96,20 @@ func NewDNSProviderServiceAccount(saFile string) (*DNSProvider, error) { return nil, fmt.Errorf("googlecloud: unable to read Service Account file: %v", err) } - // read project id from service account file - var datJSON struct { - ProjectID string `json:"project_id"` + // If GCE_PROJECT is non-empty it overrides the project in the service + // account file. + project := os.Getenv("GCE_PROJECT") + if project == "" { + // read project id from service account file + var datJSON struct { + ProjectID string `json:"project_id"` + } + err = json.Unmarshal(dat, &datJSON) + if err != nil || datJSON.ProjectID == "" { + return nil, fmt.Errorf("googlecloud: project ID not found in Google Cloud Service Account file") + } + project = datJSON.ProjectID } - err = json.Unmarshal(dat, &datJSON) - if err != nil || datJSON.ProjectID == "" { - return nil, fmt.Errorf("googlecloud: project ID not found in Google Cloud Service Account file") - } - project := datJSON.ProjectID conf, err := google.JWTConfigFromJSON(dat, dns.NdevClouddnsReadwriteScope) if err != nil { diff --git a/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go b/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go index dcc80197f..395e7dc9b 100644 --- a/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go +++ b/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go @@ -22,16 +22,19 @@ type Config struct { PropagationTimeout time.Duration PollingInterval time.Duration TTL int + SequenceInterval time.Duration + DNSTimeout time.Duration } // NewDefaultConfig returns a default configuration for the DNSProvider func NewDefaultConfig() *Config { return &Config{ - TSIGAlgorithm: env.GetOrDefaultString("RFC2136_TSIG_ALGORITHM", dns.HmacMD5), - TTL: env.GetOrDefaultInt("RFC2136_TTL", dns01.DefaultTTL), - PropagationTimeout: env.GetOrDefaultSecond("RFC2136_PROPAGATION_TIMEOUT", - env.GetOrDefaultSecond("RFC2136_TIMEOUT", 60*time.Second)), - PollingInterval: env.GetOrDefaultSecond("RFC2136_POLLING_INTERVAL", 2*time.Second), + TSIGAlgorithm: env.GetOrDefaultString("RFC2136_TSIG_ALGORITHM", dns.HmacMD5), + TTL: env.GetOrDefaultInt("RFC2136_TTL", dns01.DefaultTTL), + PropagationTimeout: env.GetOrDefaultSecond("RFC2136_PROPAGATION_TIMEOUT", env.GetOrDefaultSecond("RFC2136_TIMEOUT", 60*time.Second)), + PollingInterval: env.GetOrDefaultSecond("RFC2136_POLLING_INTERVAL", 2*time.Second), + SequenceInterval: env.GetOrDefaultSecond("RFC2136_SEQUENCE_INTERVAL", dns01.DefaultPropagationTimeout), + DNSTimeout: env.GetOrDefaultSecond("RFC2136_DNS_TIMEOUT", 10*time.Second), } } @@ -102,13 +105,19 @@ func (d *DNSProvider) Timeout() (timeout, interval time.Duration) { return d.config.PropagationTimeout, d.config.PollingInterval } +// Sequential All DNS challenges for this provider will be resolved sequentially. +// Returns the interval between each iteration. +func (d *DNSProvider) Sequential() time.Duration { + return d.config.SequenceInterval +} + // Present creates a TXT record using the specified parameters func (d *DNSProvider) Present(domain, token, keyAuth string) error { fqdn, value := dns01.GetRecord(domain, keyAuth) err := d.changeRecord("INSERT", fqdn, value, d.config.TTL) if err != nil { - return fmt.Errorf("rfc2136: %v", err) + return fmt.Errorf("rfc2136: failed to insert: %v", err) } return nil } @@ -119,7 +128,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error { err := d.changeRecord("REMOVE", fqdn, value, d.config.TTL) if err != nil { - return fmt.Errorf("rfc2136: %v", err) + return fmt.Errorf("rfc2136: failed to remove: %v", err) } return nil } @@ -152,7 +161,7 @@ func (d *DNSProvider) changeRecord(action, fqdn, value string, ttl int) error { } // Setup client - c := new(dns.Client) + c := &dns.Client{Timeout: d.config.DNSTimeout} c.SingleInflight = true // TSIG authentication / msg signing @@ -167,7 +176,7 @@ func (d *DNSProvider) changeRecord(action, fqdn, value string, ttl int) error { return fmt.Errorf("DNS update failed: %v", err) } if reply != nil && reply.Rcode != dns.RcodeSuccess { - return fmt.Errorf("DNS update failed. Server replied: %s", dns.RcodeToString[reply.Rcode]) + return fmt.Errorf("DNS update failed: server replied: %s", dns.RcodeToString[reply.Rcode]) } return nil diff --git a/vendor/github.com/xenolf/lego/providers/dns/transip/transip.go b/vendor/github.com/xenolf/lego/providers/dns/transip/transip.go index 062fc91aa..ee88af283 100644 --- a/vendor/github.com/xenolf/lego/providers/dns/transip/transip.go +++ b/vendor/github.com/xenolf/lego/providers/dns/transip/transip.go @@ -5,6 +5,7 @@ import ( "errors" "fmt" "strings" + "sync" "time" "github.com/transip/gotransip" @@ -33,8 +34,9 @@ func NewDefaultConfig() *Config { // DNSProvider describes a provider for TransIP type DNSProvider struct { - config *Config - client gotransip.SOAPClient + config *Config + client gotransip.Client + dnsEntriesMu sync.Mutex } // NewDNSProvider returns a DNSProvider instance configured for TransIP. @@ -90,6 +92,10 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error { // get the subDomain subDomain := strings.TrimSuffix(dns01.UnFqdn(fqdn), "."+domainName) + // use mutex to prevent race condition from GetInfo until SetDNSEntries + d.dnsEntriesMu.Lock() + defer d.dnsEntriesMu.Unlock() + // get all DNS entries info, err := transipdomain.GetInfo(d.client, domainName) if err != nil { @@ -126,6 +132,10 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error { // get the subDomain subDomain := strings.TrimSuffix(dns01.UnFqdn(fqdn), "."+domainName) + // use mutex to prevent race condition from GetInfo until SetDNSEntries + d.dnsEntriesMu.Lock() + defer d.dnsEntriesMu.Unlock() + // get all DNS entries info, err := transipdomain.GetInfo(d.client, domainName) if err != nil {