First change to get CNAME redirection working

This commit is contained in:
csine-nflx 2020-10-26 11:57:33 -07:00
parent 9af8d63f11
commit 749aa772ba
2 changed files with 35 additions and 1 deletions


@ -620,6 +620,20 @@ If you are not using a metric provider you do not need to configure any of these
Plugin Specific Options Plugin Specific Options
----------------------- -----------------------
ACME Plugin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. data:: ACME_DNS_PROVIDER_TYPES
:noindex:
Dictionary of ACME DNS Providers and their requirements.
.. data:: ACME_ENABLE_DELEGATED_CNAME
:noindex:
Enables delegated DNS domain validation using CNAMES. When enabled, Lemur will attempt to follow CNAME records to authoritative DNS servers when creating DNS-01 challenges.
Active Directory Certificate Services Plugin Active Directory Certificate Services Plugin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


@ -16,6 +16,7 @@ import json
import time import time
import OpenSSL.crypto import OpenSSL.crypto
import dns.resolver
import josepy as jose import josepy as jose
from acme import challenges, errors, messages from acme import challenges, errors, messages
from acme.client import BackwardsCompatibleClientV2, ClientNetwork from acme.client import BackwardsCompatibleClientV2, ClientNetwork
@ -23,7 +24,6 @@ from acme.errors import PollError, TimeoutError, WildcardUnsupportedError
from acme.messages import Error as AcmeError from acme.messages import Error as AcmeError
from botocore.exceptions import ClientError from botocore.exceptions import ClientError
from flask import current_app from flask import current_app
from lemur.authorizations import service as authorization_service from lemur.authorizations import service as authorization_service
from lemur.common.utils import generate_private_key from lemur.common.utils import generate_private_key
from lemur.dns_providers import service as dns_provider_service from lemur.dns_providers import service as dns_provider_service
@ -287,6 +287,13 @@ class AcmeHandler(object):
authorizations = [] authorizations = []
for domain in order_info.domains: for domain in order_info.domains:
# Replace domain if doing CNAME delegation
if current_app.config.get("ACME_ENABLE_DELEGATED_CNAME", False):
cname = self.get_cname(domain)
if cname:
domain = cname
if not self.dns_providers_for_domain.get(domain): if not self.dns_providers_for_domain.get(domain):
metrics.send( metrics.send(
"get_authorizations_no_dns_provider_for_domain", "counter", 1 "get_authorizations_no_dns_provider_for_domain", "counter", 1
@ -407,6 +414,19 @@ class AcmeHandler(object):
raise UnknownProvider("No such DNS provider: {}".format(type)) raise UnknownProvider("No such DNS provider: {}".format(type))
return provider return provider
def get_cname(self, domain):
"""
:param domain: Domain name to look up a CNAME for.
:param record_type: Type of DNS record to lookup.
:return: First CNAME target or False if no CNAME record exists.
"""
try:
result = dns.resolver.query(domain, 'CNAME')
if len(result) > 0:
return str(result[0].target).rstrip('.')
except dns.exception.DNSException:
return False
class ACMEIssuerPlugin(IssuerPlugin): class ACMEIssuerPlugin(IssuerPlugin):
title = "Acme" title = "Acme"