Merge pull request #2769 from castrapel/lowercase-acme

Ensure hostname is lowercase when comparing DNS challenges. ACME will…
Curtis 2019-04-26 15:45:52 -07:00 committed by GitHub
commit 056dfc34e4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 3 deletions


@ -19,7 +19,7 @@ import OpenSSL.crypto
import josepy as jose import josepy as jose
from acme import challenges, messages from acme import challenges, messages
from acme.client import BackwardsCompatibleClientV2, ClientNetwork from acme.client import BackwardsCompatibleClientV2, ClientNetwork
from acme.errors import PollError, WildcardUnsupportedError from acme.errors import PollError, TimeoutError, WildcardUnsupportedError
from acme.messages import Error as AcmeError from acme.messages import Error as AcmeError
from botocore.exceptions import ClientError from botocore.exceptions import ClientError
from flask import current_app from flask import current_app
@ -56,7 +56,7 @@ class AcmeHandler(object):
def find_dns_challenge(self, host, authorizations): def find_dns_challenge(self, host, authorizations):
dns_challenges = [] dns_challenges = []
for authz in authorizations: for authz in authorizations:
if not authz.body.identifier.value == host: if not authz.body.identifier.value.lower() == host.lower():
continue continue
for combo in authz.body.challenges: for combo in authz.body.challenges:
if isinstance(combo.chall, challenges.DNS01): if isinstance(combo.chall, challenges.DNS01):
@ -79,6 +79,10 @@ class AcmeHandler(object):
host_to_validate = self.maybe_remove_wildcard(host) host_to_validate = self.maybe_remove_wildcard(host)
host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options) host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options)
dns_challenges = self.find_dns_challenge(host_to_validate, order.authorizations) dns_challenges = self.find_dns_challenge(host_to_validate, order.authorizations)
if not dns_challenges:
sentry.captureException()
metrics.send('start_dns_challenge_error_no_dns_challenges', 'counter', 1)
raise Exception("Unable to determine DNS challenges from authorizations")
for dns_challenge in dns_challenges: for dns_challenge in dns_challenges:
change_id = dns_provider.create_txt_record( change_id = dns_provider.create_txt_record(
@ -127,7 +131,7 @@ class AcmeHandler(object):
try: try:
orderr = acme_client.poll_and_finalize(order, deadline) orderr = acme_client.poll_and_finalize(order, deadline)
except AcmeError: except (AcmeError, TimeoutError):
sentry.captureException(extra={"order_url": str(order.uri)}) sentry.captureException(extra={"order_url": str(order.uri)})
metrics.send('request_certificate_error', 'counter', 1) metrics.send('request_certificate_error', 'counter', 1)
current_app.logger.error(f"Unable to resolve Acme order: {order.uri}", exc_info=True) current_app.logger.error(f"Unable to resolve Acme order: {order.uri}", exc_info=True)