Merge pull request #2769 from castrapel/lowercase-acme

Ensure hostname is lowercase when comparing DNS challenges. ACME will…
This commit is contained in:
Curtis 2019-04-26 15:45:52 -07:00 committed by GitHub
commit 056dfc34e4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -19,7 +19,7 @@ import OpenSSL.crypto
import josepy as jose
from acme import challenges, messages
from acme.client import BackwardsCompatibleClientV2, ClientNetwork
from acme.errors import PollError, WildcardUnsupportedError
from acme.errors import PollError, TimeoutError, WildcardUnsupportedError
from acme.messages import Error as AcmeError
from botocore.exceptions import ClientError
from flask import current_app
@ -56,7 +56,7 @@ class AcmeHandler(object):
def find_dns_challenge(self, host, authorizations):
dns_challenges = []
for authz in authorizations:
if not authz.body.identifier.value == host:
if not authz.body.identifier.value.lower() == host.lower():
continue
for combo in authz.body.challenges:
if isinstance(combo.chall, challenges.DNS01):
@ -79,6 +79,10 @@ class AcmeHandler(object):
host_to_validate = self.maybe_remove_wildcard(host)
host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options)
dns_challenges = self.find_dns_challenge(host_to_validate, order.authorizations)
if not dns_challenges:
sentry.captureException()
metrics.send('start_dns_challenge_error_no_dns_challenges', 'counter', 1)
raise Exception("Unable to determine DNS challenges from authorizations")
for dns_challenge in dns_challenges:
change_id = dns_provider.create_txt_record(
@ -127,7 +131,7 @@ class AcmeHandler(object):
try:
orderr = acme_client.poll_and_finalize(order, deadline)
except AcmeError:
except (AcmeError, TimeoutError):
sentry.captureException(extra={"order_url": str(order.uri)})
metrics.send('request_certificate_error', 'counter', 1)
current_app.logger.error(f"Unable to resolve Acme order: {order.uri}", exc_info=True)