Infra
/
lemur
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #2769 from castrapel/lowercase-acme 

Ensure hostname is lowercase when comparing DNS challenges. ACME will…
This commit is contained in:
Curtis 2019-04-26 15:45:52 -07:00 committed by GitHub
parent 517a96c6eb 333ba8030a
commit 056dfc34e4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lemur/plugins/lemur_acme/plugin.py
View File

@ -19,7 +19,7 @@ import OpenSSL.crypto
import josepy as jose
from acme import challenges, messages
from acme.client import BackwardsCompatibleClientV2, ClientNetwork
from acme.errors import PollError, WildcardUnsupportedError
from acme.errors import PollError, TimeoutError, WildcardUnsupportedError
from acme.messages import Error as AcmeError
from botocore.exceptions import ClientError
from flask import current_app
@ -56,7 +56,7 @@ class AcmeHandler(object):
def find_dns_challenge(self, host, authorizations):
dns_challenges = []
for authz in authorizations:
if not authz.body.identifier.value == host:
if not authz.body.identifier.value.lower() == host.lower():
continue
for combo in authz.body.challenges:
if isinstance(combo.chall, challenges.DNS01):
@ -79,6 +79,10 @@ class AcmeHandler(object):
host_to_validate = self.maybe_remove_wildcard(host)
host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options)
dns_challenges = self.find_dns_challenge(host_to_validate, order.authorizations)
if not dns_challenges:
sentry.captureException()
metrics.send('start_dns_challenge_error_no_dns_challenges', 'counter', 1)
raise Exception("Unable to determine DNS challenges from authorizations")
for dns_challenge in dns_challenges:
change_id = dns_provider.create_txt_record(
@ -127,7 +131,7 @@ class AcmeHandler(object):
try:
orderr = acme_client.poll_and_finalize(order, deadline)
except AcmeError:
except (AcmeError, TimeoutError):
sentry.captureException(extra={"order_url": str(order.uri)})
metrics.send('request_certificate_error', 'counter', 1)
current_app.logger.error(f"Unable to resolve Acme order: {order.uri}", exc_info=True)