Updated requirements ; Revert change and require DNS validation by provider

This commit is contained in:
Curtis Castrapel 2019-04-29 13:55:26 -07:00
parent 1a90e71884
commit 6e3f394cff
5 changed files with 56 additions and 30 deletions

View File

@ -107,21 +107,45 @@ class AcmeHandler(object):
metrics.send('complete_dns_challenge_error_no_dnsproviders', 'counter', 1) metrics.send('complete_dns_challenge_error_no_dnsproviders', 'counter', 1)
raise Exception("No DNS providers found for domain: {}".format(authz_record.host)) raise Exception("No DNS providers found for domain: {}".format(authz_record.host))
for dns_challenge in authz_record.dns_challenge: for dns_provider in dns_providers:
response = dns_challenge.response(acme_client.client.net.key) # Grab account number (For Route53)
dns_provider_options = json.loads(dns_provider.credentials)
account_number = dns_provider_options.get("account_id")
dns_provider_plugin = self.get_dns_provider(dns_provider.provider_type)
for change_id in authz_record.change_id:
try:
dns_provider_plugin.wait_for_dns_change(change_id, account_number=account_number)
except Exception:
metrics.send('complete_dns_challenge_error', 'counter', 1)
sentry.captureException()
current_app.logger.debug(
f"Unable to resolve DNS challenge for change_id: {change_id}, account_id: "
f"{account_number}", exc_info=True)
raise
verified = response.simple_verify( for dns_challenge in authz_record.dns_challenge:
dns_challenge.chall, response = dns_challenge.response(acme_client.client.net.key)
authz_record.host,
acme_client.client.net.key.public_key() verified = response.simple_verify(
) dns_challenge.chall,
authz_record.host,
acme_client.client.net.key.public_key()
)
if not verified: if not verified:
metrics.send('complete_dns_challenge_verification_error', 'counter', 1) metrics.send('complete_dns_challenge_verification_error', 'counter', 1)
raise ValueError("Failed verification") raise ValueError("Failed verification")
time.sleep(5) time.sleep(5)
acme_client.answer_challenge(dns_challenge, response) res = acme_client.answer_challenge(dns_challenge, response)
current_app.logger.debug(f"answer_challenge response: {res}")
def get_dns_challenge(self, authzr):
for challenge in authzr.body.challenges:
if challenge.chall.typ == 'dns-01':
return challenge
else:
raise Exception("Could not find an HTTP challenge!")
def request_certificate(self, acme_client, authorizations, order): def request_certificate(self, acme_client, authorizations, order):
for authorization in authorizations: for authorization in authorizations:
@ -132,6 +156,7 @@ class AcmeHandler(object):
try: try:
orderr = acme_client.poll_and_finalize(order, deadline) orderr = acme_client.poll_and_finalize(order, deadline)
except (AcmeError, TimeoutError): except (AcmeError, TimeoutError):
sentry.captureException(extra={"order_url": str(order.uri)}) sentry.captureException(extra={"order_url": str(order.uri)})
metrics.send('request_certificate_error', 'counter', 1) metrics.send('request_certificate_error', 'counter', 1)
@ -480,6 +505,7 @@ class ACMEIssuerPlugin(IssuerPlugin):
"pending_cert": entry["pending_cert"], "pending_cert": entry["pending_cert"],
}) })
except (PollError, AcmeError, Exception) as e: except (PollError, AcmeError, Exception) as e:
raise
sentry.captureException() sentry.captureException()
metrics.send('get_ordered_certificates_resolution_error', 'counter', 1) metrics.send('get_ordered_certificates_resolution_error', 'counter', 1)
order_url = order.uri order_url = order.uri

View File

@ -11,7 +11,7 @@ cfgv==1.6.0 # via pre-commit
chardet==3.0.4 # via requests chardet==3.0.4 # via requests
docutils==0.14 # via readme-renderer docutils==0.14 # via readme-renderer
flake8==3.5.0 flake8==3.5.0
identify==1.4.1 # via pre-commit identify==1.4.2 # via pre-commit
idna==2.8 # via requests idna==2.8 # via requests
importlib-metadata==0.9 # via pre-commit importlib-metadata==0.9 # via pre-commit
invoke==1.2.0 invoke==1.2.0
@ -31,6 +31,6 @@ toml==0.10.0 # via pre-commit
tqdm==4.31.1 # via twine tqdm==4.31.1 # via twine
twine==1.13.0 twine==1.13.0
urllib3==1.24.2 # via requests urllib3==1.24.2 # via requests
virtualenv==16.4.3 # via pre-commit virtualenv==16.5.0 # via pre-commit
webencodings==0.5.1 # via bleach webencodings==0.5.1 # via bleach
zipp==0.3.3 # via importlib-metadata zipp==0.4.0 # via importlib-metadata

View File

@ -7,7 +7,7 @@
acme==0.33.1 acme==0.33.1
alabaster==0.7.12 # via sphinx alabaster==0.7.12 # via sphinx
alembic-autogenerate-enums==0.0.2 alembic-autogenerate-enums==0.0.2
alembic==1.0.9 alembic==1.0.10
amqp==2.4.2 amqp==2.4.2
aniso8601==6.0.0 aniso8601==6.0.0
arrow==0.13.1 arrow==0.13.1
@ -17,8 +17,8 @@ babel==2.6.0 # via sphinx
bcrypt==3.1.6 bcrypt==3.1.6
billiard==3.6.0.0 billiard==3.6.0.0
blinker==1.4 blinker==1.4
boto3==1.9.134 boto3==1.9.138
botocore==1.12.134 botocore==1.12.138
celery[redis]==4.3.0 celery[redis]==4.3.0
certifi==2019.3.9 certifi==2019.3.9
certsrv==2.1.1 certsrv==2.1.1
@ -38,7 +38,7 @@ flask-migrate==2.4.0
flask-principal==0.4.0 flask-principal==0.4.0
flask-restful==0.3.7 flask-restful==0.3.7
flask-script==2.0.6 flask-script==2.0.6
flask-sqlalchemy==2.3.2 flask-sqlalchemy==2.4.0
flask==1.0.2 flask==1.0.2
future==0.17.1 future==0.17.1
gunicorn==19.9.0 gunicorn==19.9.0
@ -47,7 +47,7 @@ idna==2.8
imagesize==1.1.0 # via sphinx imagesize==1.1.0 # via sphinx
inflection==0.3.1 inflection==0.3.1
itsdangerous==1.1.0 itsdangerous==1.1.0
javaobj-py3==0.2.4 javaobj-py3==0.3.0
jinja2==2.10.1 jinja2==2.10.1
jmespath==0.9.4 jmespath==0.9.4
josepy==1.1.0 josepy==1.1.0
@ -62,10 +62,10 @@ mock==2.0.0
ndg-httpsclient==0.5.1 ndg-httpsclient==0.5.1
packaging==19.0 # via sphinx packaging==19.0 # via sphinx
paramiko==2.4.2 paramiko==2.4.2
pbr==5.1.3 pbr==5.2.0
pem==19.1.0 pem==19.1.0
psycopg2==2.8.2 psycopg2==2.8.2
pyasn1-modules==0.2.4 pyasn1-modules==0.2.5
pyasn1==0.4.5 pyasn1==0.4.5
pycparser==2.19 pycparser==2.19
pycryptodomex==3.8.1 pycryptodomex==3.8.1

View File

@ -7,11 +7,11 @@
asn1crypto==0.24.0 # via cryptography asn1crypto==0.24.0 # via cryptography
atomicwrites==1.3.0 # via pytest atomicwrites==1.3.0 # via pytest
attrs==19.1.0 # via pytest attrs==19.1.0 # via pytest
aws-sam-translator==1.10.0 # via cfn-lint aws-sam-translator==1.11.0 # via cfn-lint
aws-xray-sdk==2.4.2 # via moto aws-xray-sdk==2.4.2 # via moto
boto3==1.9.134 # via aws-sam-translator, moto boto3==1.9.138 # via aws-sam-translator, moto
boto==2.49.0 # via moto boto==2.49.0 # via moto
botocore==1.12.134 # via aws-xray-sdk, boto3, moto, s3transfer botocore==1.12.138 # via aws-xray-sdk, boto3, moto, s3transfer
certifi==2019.3.9 # via requests certifi==2019.3.9 # via requests
cffi==1.12.3 # via cryptography cffi==1.12.3 # via cryptography
cfn-lint==0.19.1 # via moto cfn-lint==0.19.1 # via moto
@ -42,7 +42,7 @@ mock==2.0.0 # via moto
more-itertools==7.0.0 # via pytest more-itertools==7.0.0 # via pytest
moto==1.3.8 moto==1.3.8
nose==1.3.7 nose==1.3.7
pbr==5.1.3 # via mock pbr==5.2.0 # via mock
pluggy==0.9.0 # via pytest pluggy==0.9.0 # via pytest
py==1.8.0 # via pytest py==1.8.0 # via pytest
pyasn1==0.4.5 # via rsa pyasn1==0.4.5 # via rsa
@ -55,7 +55,7 @@ python-dateutil==2.8.0 # via botocore, faker, freezegun, moto
python-jose==3.0.1 # via moto python-jose==3.0.1 # via moto
pytz==2019.1 # via moto pytz==2019.1 # via moto
pyyaml==5.1 pyyaml==5.1
requests-mock==1.5.2 requests-mock==1.6.0
requests==2.21.0 # via cfn-lint, docker, moto, requests-mock, responses requests==2.21.0 # via cfn-lint, docker, moto, requests-mock, responses
responses==0.10.6 # via moto responses==0.10.6 # via moto
rsa==4.0 # via python-jose rsa==4.0 # via python-jose

View File

@ -6,7 +6,7 @@
# #
acme==0.33.1 acme==0.33.1
alembic-autogenerate-enums==0.0.2 alembic-autogenerate-enums==0.0.2
alembic==1.0.9 # via flask-migrate alembic==1.0.10 # via flask-migrate
amqp==2.4.2 # via kombu amqp==2.4.2 # via kombu
aniso8601==6.0.0 # via flask-restful aniso8601==6.0.0 # via flask-restful
arrow==0.13.1 arrow==0.13.1
@ -15,8 +15,8 @@ asyncpool==1.0
bcrypt==3.1.6 # via flask-bcrypt, paramiko bcrypt==3.1.6 # via flask-bcrypt, paramiko
billiard==3.6.0.0 # via celery billiard==3.6.0.0 # via celery
blinker==1.4 # via flask-mail, flask-principal, raven blinker==1.4 # via flask-mail, flask-principal, raven
boto3==1.9.134 boto3==1.9.138
botocore==1.12.134 botocore==1.12.138
celery[redis]==4.3.0 celery[redis]==4.3.0
certifi==2019.3.9 certifi==2019.3.9
certsrv==2.1.1 certsrv==2.1.1
@ -36,7 +36,7 @@ flask-migrate==2.4.0
flask-principal==0.4.0 flask-principal==0.4.0
flask-restful==0.3.7 flask-restful==0.3.7
flask-script==2.0.6 flask-script==2.0.6
flask-sqlalchemy==2.3.2 flask-sqlalchemy==2.4.0
flask==1.0.2 flask==1.0.2
future==0.17.1 future==0.17.1
gunicorn==19.9.0 gunicorn==19.9.0
@ -44,7 +44,7 @@ hvac==0.8.2
idna==2.8 # via requests idna==2.8 # via requests
inflection==0.3.1 inflection==0.3.1
itsdangerous==1.1.0 # via flask itsdangerous==1.1.0 # via flask
javaobj-py3==0.2.4 # via pyjks javaobj-py3==0.3.0 # via pyjks
jinja2==2.10.1 jinja2==2.10.1
jmespath==0.9.4 # via boto3, botocore jmespath==0.9.4 # via boto3, botocore
josepy==1.1.0 # via acme josepy==1.1.0 # via acme
@ -58,10 +58,10 @@ marshmallow==2.19.2
mock==2.0.0 # via acme mock==2.0.0 # via acme
ndg-httpsclient==0.5.1 ndg-httpsclient==0.5.1
paramiko==2.4.2 paramiko==2.4.2
pbr==5.1.3 # via mock pbr==5.2.0 # via mock
pem==19.1.0 pem==19.1.0
psycopg2==2.8.2 psycopg2==2.8.2
pyasn1-modules==0.2.4 # via pyjks, python-ldap pyasn1-modules==0.2.5 # via pyjks, python-ldap
pyasn1==0.4.5 # via ndg-httpsclient, paramiko, pyasn1-modules, pyjks, python-ldap pyasn1==0.4.5 # via ndg-httpsclient, paramiko, pyasn1-modules, pyjks, python-ldap
pycparser==2.19 # via cffi pycparser==2.19 # via cffi
pycryptodomex==3.8.1 # via pyjks pycryptodomex==3.8.1 # via pyjks