diff --git a/lemur/plugins/lemur_acme/acme_handlers.py b/lemur/plugins/lemur_acme/acme_handlers.py index 83dfb1ba..78c160b2 100644 --- a/lemur/plugins/lemur_acme/acme_handlers.py +++ b/lemur/plugins/lemur_acme/acme_handlers.py @@ -36,12 +36,13 @@ from retrying import retry class AuthorizationRecord(object): - def __init__(self, domain, target_domain, authz, dns_challenge, change_id): + def __init__(self, domain, target_domain, authz, dns_challenge, change_id, cname_delegation): self.domain = domain self.target_domain = target_domain self.authz = authz self.dns_challenge = dns_challenge self.change_id = change_id + self.cname_delegation = cname_delegation class AcmeHandler(object): @@ -305,6 +306,7 @@ class AcmeDnsHandler(AcmeHandler): current_app.logger.debug(f"Starting DNS challenge for {domain} using target domain {target_domain}.") change_ids = [] + cname_delegation = domain != target_domain dns_challenges = self.get_dns_challenges(domain, order.authorizations) host_to_validate, _ = self.strip_wildcard(target_domain) host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options) @@ -315,9 +317,7 @@ class AcmeDnsHandler(AcmeHandler): raise Exception("Unable to determine DNS challenges from authorizations") for dns_challenge in dns_challenges: - - # Only prepend '_acme-challenge' if not using CNAME redirection - if domain == target_domain: + if not cname_delegation: host_to_validate = dns_challenge.validation_domain_name(host_to_validate) change_id = dns_provider.create_txt_record( @@ -328,7 +328,7 @@ class AcmeDnsHandler(AcmeHandler): change_ids.append(change_id) return AuthorizationRecord( - domain, target_domain, order.authorizations, dns_challenges, change_ids + domain, target_domain, order.authorizations, dns_challenges, change_ids, cname_delegation ) def complete_dns_challenge(self, acme_client, authz_record): @@ -395,6 +395,9 @@ class AcmeDnsHandler(AcmeHandler): if cname_result: target_domain = cname_result self.autodetect_dns_providers(target_domain) + metrics.send( + "get_authorizations_cname_delegation_for_domain", "counter", 1, metric_tags={"domain": domain} + ) if not self.dns_providers_for_domain.get(target_domain): metrics.send( @@ -455,7 +458,7 @@ class AcmeDnsHandler(AcmeHandler): account_number = dns_provider_options.get("account_id") host_to_validate, _ = self.strip_wildcard(authz_record.target_domain) host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options) - if authz_record.domain == authz_record.target_domain: + if not authz_record.cname_delegation: host_to_validate = challenges.DNS01().validation_domain_name(host_to_validate) dns_provider_plugin.delete_txt_record( authz_record.change_id, @@ -492,7 +495,7 @@ class AcmeDnsHandler(AcmeHandler): dns_provider_plugin = self.get_dns_provider(dns_provider.provider_type) for dns_challenge in dns_challenges: - if authz_record.domain == authz_record.target_domain: + if not authz_record.cname_delegation: host_to_validate = dns_challenge.validation_domain_name(host_to_validate) try: dns_provider_plugin.delete_txt_record( diff --git a/lemur/plugins/lemur_acme/tests/test_acme_handler.py b/lemur/plugins/lemur_acme/tests/test_acme_handler.py index cfc18c83..324af5ac 100644 --- a/lemur/plugins/lemur_acme/tests/test_acme_handler.py +++ b/lemur/plugins/lemur_acme/tests/test_acme_handler.py @@ -30,7 +30,7 @@ class TestAcmeHandler(unittest.TestCase): self.assertEqual(expected, result) def test_authz_record(self): - a = acme_handlers.AuthorizationRecord("domain", "host", "authz", "challenge", "id") + a = acme_handlers.AuthorizationRecord("domain", "host", "authz", "challenge", "id", "cname_delegation") self.assertEqual(type(a), acme_handlers.AuthorizationRecord) def test_setup_acme_client_fail(self):