Infra
/
lemur
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Ensure hostname is lowercase when comparing DNS challenges. ACME will automatically lowercase the hostname

This commit is contained in:
Curtis Castrapel 2019-04-26 15:45:04 -07:00
parent 517a96c6eb
commit 333ba8030a
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lemur/plugins/lemur_acme/plugin.py
View File

@ -19,7 +19,7 @@ import OpenSSL.crypto
import josepy as jose import josepy as jose
from acme import challenges, messages from acme import challenges, messages
from acme.client import BackwardsCompatibleClientV2, ClientNetwork from acme.client import BackwardsCompatibleClientV2, ClientNetwork
from acme.errors import PollError, WildcardUnsupportedError from acme.errors import PollError, TimeoutError, WildcardUnsupportedError
from acme.messages import Error as AcmeError from acme.messages import Error as AcmeError
from botocore.exceptions import ClientError from botocore.exceptions import ClientError
from flask import current_app from flask import current_app
@ -56,7 +56,7 @@ class AcmeHandler(object):
def find_dns_challenge(self, host, authorizations): def find_dns_challenge(self, host, authorizations):
dns_challenges = [] dns_challenges = []
for authz in authorizations: for authz in authorizations:
if not authz.body.identifier.value == host: if not authz.body.identifier.value.lower() == host.lower():
continue continue
for combo in authz.body.challenges: for combo in authz.body.challenges:
if isinstance(combo.chall, challenges.DNS01): if isinstance(combo.chall, challenges.DNS01):
@ -79,6 +79,10 @@ class AcmeHandler(object):
host_to_validate = self.maybe_remove_wildcard(host) host_to_validate = self.maybe_remove_wildcard(host)
host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options) host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options)
dns_challenges = self.find_dns_challenge(host_to_validate, order.authorizations) dns_challenges = self.find_dns_challenge(host_to_validate, order.authorizations)
if not dns_challenges:
sentry.captureException()
metrics.send('start_dns_challenge_error_no_dns_challenges', 'counter', 1)
raise Exception("Unable to determine DNS challenges from authorizations")
for dns_challenge in dns_challenges: for dns_challenge in dns_challenges:
change_id = dns_provider.create_txt_record( change_id = dns_provider.create_txt_record(
@ -127,7 +131,7 @@ class AcmeHandler(object):
try: try:
orderr = acme_client.poll_and_finalize(order, deadline) orderr = acme_client.poll_and_finalize(order, deadline)
except AcmeError: except (AcmeError, TimeoutError):
sentry.captureException(extra={"order_url": str(order.uri)}) sentry.captureException(extra={"order_url": str(order.uri)})
metrics.send('request_certificate_error', 'counter', 1) metrics.send('request_certificate_error', 'counter', 1)
current_app.logger.error(f"Unable to resolve Acme order: {order.uri}", exc_info=True) current_app.logger.error(f"Unable to resolve Acme order: {order.uri}", exc_info=True)