From 5dfb6acb17eaf34ce4970da3154934113188577b Mon Sep 17 00:00:00 2001
From: csine-nflx
Date: Thu, 5 Mar 2020 14:59:21 -0800
Subject: [PATCH] adding support for ACME_POWERDNS_VERIFY option to support CA Bundles and disabling Server validation
---
 docs/administration.rst | 9 +++++++++
 lemur/plugins/lemur_acme/powerdns.py | 7 +++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/docs/administration.rst b/docs/administration.rst
index 8f055147..ea9537da 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
@@ -1008,6 +1008,15 @@ The following configuration properties are required to use the PowerDNS ACME Plu
 This is the number of times DNS Verification should be attempted (i.e. 20)
+
+.. data:: ACME_POWERDNS_VERIFY
+ :noindex:
+
+ This configures how PowerDNS verifies TLS certificates. The PowerDNS Plugin relies on the requests library, supported options are as follows:
+ * True: Verifies the certificate chains to a known publicly-trusted CA. (Default)
+ * False: Disable certificate validation (Not Recommended)
+ * File/Dir path to CA Bundle: Verify that the certificate chains to a Certificate Authority in the provided CA bundle.
+
 .. _CommandLineInterface:
 Command Line Interface
diff --git a/lemur/plugins/lemur_acme/powerdns.py b/lemur/plugins/lemur_acme/powerdns.py
index f3ad9965..1b7cf1d4 100644
--- a/lemur/plugins/lemur_acme/powerdns.py
+++ b/lemur/plugins/lemur_acme/powerdns.py
@@ -246,11 +246,12 @@ def _get_zone_name(domain, account_number):
 def _get(path, params=None):
 """ Execute a GET request on the given URL (base_uri + path) and return response as JSON object """
 base_uri = current_app.config.get("ACME_POWERDNS_DOMAIN")
+ verify_value = current_app.config.get("ACME_POWERDNS_VERIFY", True)
 resp = requests.get(
 f"{base_uri}{path}",
 headers=_generate_header(),
 params=params,
- verify=True,
+ verify=verify_value,
 )
 resp.raise_for_status()
 return resp.json()
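Review bot: `verify_value` is handed to `requests.get` exactly as read from the config, so a falsy value other than an explicit `False` (an empty string or `0`, for instance from an unset environment variable copied into the config) is treated by requests as "do not verify" and silently turns certificate validation off. With validation off, the headers built by `_generate_header()` (presumably carrying the PowerDNS API key) are sent to an unauthenticated peer, and the DNS records used for ACME validation can be altered in transit. I would accept only a real `bool` or a non-empty path string, log a warning when the value is `False`, and read the option in one helper shared with `_patch`, whose hunk below repeats the same lookup.

```python
def _verify_setting():
    """Return the `verify` argument for requests: True, False, or a CA bundle path."""
    value = current_app.config.get("ACME_POWERDNS_VERIFY", True)
    if isinstance(value, bool):
        if not value:
            current_app.logger.warning(
                "ACME_POWERDNS_VERIFY is False: the PowerDNS API certificate is not validated"
            )
        return value
    if isinstance(value, str) and value:
        return value
    # Fail closed on "", 0, None and other types instead of passing them through.
    raise ValueError("ACME_POWERDNS_VERIFY must be True, False or a path to a CA bundle")


def _get(path, params=None):
    # … unchanged: docstring and base_uri lookup …
    verify_value = _verify_setting()
    # … unchanged: requests.get call and response handling …
```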
@@ -259,9 +260,11 @@ def _get(path, params=None):
 def _patch(path, payload):
 """ Execute a Patch request on the given URL (base_uri + path) with given payload """
 base_uri = current_app.config.get("ACME_POWERDNS_DOMAIN")
+ verify_value = current_app.config.get("ACME_POWERDNS_VERIFY", True)
 resp = requests.patch(
 f"{base_uri}{path}",
 data=json.dumps(payload),
- headers=_generate_header()
+ headers=_generate_header(),
+ verify=verify_value,
 )
 resp.raise_for_status()
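Review bot: The `requests.patch` call is edited here but still has no `timeout`, so a PowerDNS endpoint that accepts the connection and then stalls will block the caller indefinitely; `requests.get` in `_get` above has the same gap. Add an explicit value to both calls, e.g. `timeout=(5, 30),` (connect and read seconds; the numbers are a suggestion to tune per deployment). `_patch` may continue past the end of this hunk, so whatever it returns is not visible here.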