From 333ba8030a37ec11e1036fc456c1efe78ea7f69d Mon Sep 17 00:00:00 2001 From: Curtis Castrapel Date: Fri, 26 Apr 2019 15:45:04 -0700 Subject: [PATCH] Ensure hostname is lowercase when comparing DNS challenges. ACME will automatically lowercase the hostname --- lemur/plugins/lemur_acme/plugin.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/lemur/plugins/lemur_acme/plugin.py b/lemur/plugins/lemur_acme/plugin.py index 3350682c..8380c966 100644 --- a/lemur/plugins/lemur_acme/plugin.py +++ b/lemur/plugins/lemur_acme/plugin.py @@ -19,7 +19,7 @@ import OpenSSL.crypto import josepy as jose from acme import challenges, messages from acme.client import BackwardsCompatibleClientV2, ClientNetwork -from acme.errors import PollError, WildcardUnsupportedError +from acme.errors import PollError, TimeoutError, WildcardUnsupportedError from acme.messages import Error as AcmeError from botocore.exceptions import ClientError from flask import current_app @@ -56,7 +56,7 @@ class AcmeHandler(object): def find_dns_challenge(self, host, authorizations): dns_challenges = [] for authz in authorizations: - if not authz.body.identifier.value == host: + if not authz.body.identifier.value.lower() == host.lower(): continue for combo in authz.body.challenges: if isinstance(combo.chall, challenges.DNS01): @@ -79,6 +79,10 @@ class AcmeHandler(object): host_to_validate = self.maybe_remove_wildcard(host) host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options) dns_challenges = self.find_dns_challenge(host_to_validate, order.authorizations) + if not dns_challenges: + sentry.captureException() + metrics.send('start_dns_challenge_error_no_dns_challenges', 'counter', 1) + raise Exception("Unable to determine DNS challenges from authorizations") for dns_challenge in dns_challenges: change_id = dns_provider.create_txt_record( @@ -127,7 +131,7 @@ class AcmeHandler(object): try: orderr = acme_client.poll_and_finalize(order, deadline) - except AcmeError: + except (AcmeError, TimeoutError): sentry.captureException(extra={"order_url": str(order.uri)}) metrics.send('request_certificate_error', 'counter', 1) current_app.logger.error(f"Unable to resolve Acme order: {order.uri}", exc_info=True)