Support concurrent issuance in Route53 for LetsEncrypt

This commit is contained in:
Curtis Castrapel 2018-06-19 16:27:58 -07:00
parent b99aad743b
commit a141b8c5ea
2 changed files with 61 additions and 17 deletions

View File

@ -54,15 +54,24 @@ def maybe_remove_wildcard(host):
return host.replace("*.", "") return host.replace("*.", "")
def start_dns_challenge(acme_client, account_number, host, dns_provider, order): def maybe_add_extension(host, dns_provider_options):
if dns_provider_options and dns_provider_options.get("acme_challenge_extension"):
host = host + dns_provider_options.get("acme_challenge_extension")
return host
def start_dns_challenge(acme_client, account_number, host, dns_provider, order, dns_provider_options):
current_app.logger.debug("Starting DNS challenge for {0}".format(host)) current_app.logger.debug("Starting DNS challenge for {0}".format(host))
dns_challenges = find_dns_challenge(order.authorizations) dns_challenges = find_dns_challenge(order.authorizations)
change_ids = [] change_ids = []
host_to_validate = maybe_remove_wildcard(host)
host_to_validate = maybe_add_extension(host_to_validate, dns_provider_options)
for dns_challenge in find_dns_challenge(order.authorizations): for dns_challenge in find_dns_challenge(order.authorizations):
change_id = dns_provider.create_txt_record( change_id = dns_provider.create_txt_record(
dns_challenge.validation_domain_name(maybe_remove_wildcard(host)), dns_challenge.validation_domain_name(host_to_validate),
dns_challenge.validation(acme_client.client.net.key), dns_challenge.validation(acme_client.client.net.key),
account_number account_number
) )
@ -104,7 +113,13 @@ def request_certificate(acme_client, authorizations, csr, order):
authorization_resource, _ = acme_client.poll(authz) authorization_resource, _ = acme_client.poll(authz)
deadline = datetime.datetime.now() + datetime.timedelta(seconds=90) deadline = datetime.datetime.now() + datetime.timedelta(seconds=90)
try:
orderr = acme_client.finalize_order(order, deadline) orderr = acme_client.finalize_order(order, deadline)
except:
current_app.logger.error("Unable to finalize ACME order: {}".format(order), exc_info=True)
raise
pem_certificate = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, pem_certificate = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM,
OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,
orderr.fullchain_pem)).decode() orderr.fullchain_pem)).decode()
@ -154,24 +169,27 @@ def get_domains(options):
return domains return domains
def get_authorizations(acme_client, order, order_info, dns_provider): def get_authorizations(acme_client, order, order_info, dns_provider, dns_provider_options):
authorizations = [] authorizations = []
for domain in order_info.domains: for domain in order_info.domains:
authz_record = start_dns_challenge(acme_client, order_info.account_number, domain, dns_provider, order) authz_record = start_dns_challenge(acme_client, order_info.account_number, domain, dns_provider, order,
dns_provider_options)
authorizations.append(authz_record) authorizations.append(authz_record)
return authorizations return authorizations
def finalize_authorizations(acme_client, account_number, dns_provider, authorizations): def finalize_authorizations(acme_client, account_number, dns_provider, authorizations, dns_provider_options):
for authz_record in authorizations: for authz_record in authorizations:
complete_dns_challenge(acme_client, account_number, authz_record, dns_provider) complete_dns_challenge(acme_client, account_number, authz_record, dns_provider)
for authz_record in authorizations: for authz_record in authorizations:
dns_challenges = authz_record.dns_challenge dns_challenges = authz_record.dns_challenge
host_to_validate = maybe_remove_wildcard(authz_record.host)
host_to_validate = maybe_add_extension(host_to_validate, dns_provider_options)
for dns_challenge in dns_challenges: for dns_challenge in dns_challenges:
dns_provider.delete_txt_record( dns_provider.delete_txt_record(
authz_record.change_id, authz_record.change_id,
account_number, account_number,
dns_challenge.validation_domain_name(maybe_remove_wildcard(authz_record.host)), dns_challenge.validation_domain_name(host_to_validate),
dns_challenge.validation(acme_client.client.net.key) dns_challenge.validation(acme_client.client.net.key)
) )
@ -235,16 +253,17 @@ class ACMEIssuerPlugin(IssuerPlugin):
acme_client, registration = setup_acme_client(pending_cert.authority) acme_client, registration = setup_acme_client(pending_cert.authority)
order_info = authorization_service.get(pending_cert.external_id) order_info = authorization_service.get(pending_cert.external_id)
dns_provider = dns_provider_service.get(pending_cert.dns_provider_id) dns_provider = dns_provider_service.get(pending_cert.dns_provider_id)
dns_provider_options = dns_provider.options
dns_provider_type = self.get_dns_provider(dns_provider.provider_type) dns_provider_type = self.get_dns_provider(dns_provider.provider_type)
try: try:
authorizations = get_authorizations( authorizations = get_authorizations(
acme_client, order_info.account_number, order_info.domains, dns_provider_type) acme_client, order_info.account_number, order_info.domains, dns_provider_type, dns_provider_options)
except ClientError: except ClientError:
current_app.logger.error("Unable to resolve pending cert: {}".format(pending_cert.name), exc_info=True) current_app.logger.error("Unable to resolve pending cert: {}".format(pending_cert.name), exc_info=True)
return False return False
authorizations = finalize_authorizations( authorizations = finalize_authorizations(
acme_client, order_info.account_number, dns_provider_type, authorizations) acme_client, order_info.account_number, dns_provider_type, authorizations, dns_provider_options)
pem_certificate, pem_certificate_chain = request_certificate(acme_client, authorizations, pending_cert.csr) pem_certificate, pem_certificate_chain = request_certificate(acme_client, authorizations, pending_cert.csr)
cert = { cert = {
'body': "\n".join(str(pem_certificate).splitlines()), 'body': "\n".join(str(pem_certificate).splitlines()),
@ -261,6 +280,7 @@ class ACMEIssuerPlugin(IssuerPlugin):
acme_client, registration = setup_acme_client(pending_cert.authority) acme_client, registration = setup_acme_client(pending_cert.authority)
order_info = authorization_service.get(pending_cert.external_id) order_info = authorization_service.get(pending_cert.external_id)
dns_provider = dns_provider_service.get(pending_cert.dns_provider_id) dns_provider = dns_provider_service.get(pending_cert.dns_provider_id)
dns_provider_options = dns_provider.options
dns_provider_type = self.get_dns_provider(dns_provider.provider_type) dns_provider_type = self.get_dns_provider(dns_provider.provider_type)
try: try:
order = acme_client.new_order(pending_cert.csr) order = acme_client.new_order(pending_cert.csr)
@ -268,7 +288,8 @@ class ACMEIssuerPlugin(IssuerPlugin):
raise Exception("The currently selected ACME CA endpoint does" raise Exception("The currently selected ACME CA endpoint does"
" not support issuing wildcard certificates.") " not support issuing wildcard certificates.")
authorizations = get_authorizations(acme_client, order, order_info, dns_provider_type) authorizations = get_authorizations(acme_client, order, order_info, dns_provider_type,
dns_provider_options)
pending.append({ pending.append({
"acme_client": acme_client, "acme_client": acme_client,
@ -277,6 +298,7 @@ class ACMEIssuerPlugin(IssuerPlugin):
"authorizations": authorizations, "authorizations": authorizations,
"pending_cert": pending_cert, "pending_cert": pending_cert,
"order": order, "order": order,
"dns_provider_options": dns_provider_options,
}) })
except (ClientError, ValueError, Exception): except (ClientError, ValueError, Exception):
current_app.logger.error("Unable to resolve pending cert: {}".format(pending_cert), exc_info=True) current_app.logger.error("Unable to resolve pending cert: {}".format(pending_cert), exc_info=True)
@ -292,6 +314,7 @@ class ACMEIssuerPlugin(IssuerPlugin):
entry["account_number"], entry["account_number"],
entry["dns_provider_type"], entry["dns_provider_type"],
entry["authorizations"], entry["authorizations"],
entry["dns_provider_options"],
) )
pem_certificate, pem_certificate_chain = request_certificate( pem_certificate, pem_certificate_chain = request_certificate(
entry["acme_client"], entry["acme_client"],
@ -329,6 +352,7 @@ class ACMEIssuerPlugin(IssuerPlugin):
create_immediately = issuer_options.get('create_immediately', False) create_immediately = issuer_options.get('create_immediately', False)
acme_client, registration = setup_acme_client(authority) acme_client, registration = setup_acme_client(authority)
dns_provider = issuer_options.get('dns_provider') dns_provider = issuer_options.get('dns_provider')
dns_provider_options = dns_provider.options
if not dns_provider: if not dns_provider:
raise InvalidConfiguration("DNS Provider setting is required for ACME certificates.") raise InvalidConfiguration("DNS Provider setting is required for ACME certificates.")
credentials = json.loads(dns_provider.credentials) credentials = json.loads(dns_provider.credentials)
@ -354,8 +378,9 @@ class ACMEIssuerPlugin(IssuerPlugin):
# Return id of the DNS Authorization # Return id of the DNS Authorization
return None, None, dns_authorization.id return None, None, dns_authorization.id
authorizations = get_authorizations(acme_client, account_number, domains, dns_provider_type) authorizations = get_authorizations(acme_client, account_number, domains, dns_provider_type,
finalize_authorizations(acme_client, account_number, dns_provider_type, authorizations) dns_provider_options)
finalize_authorizations(acme_client, account_number, dns_provider_type, authorizations, dns_provider_options)
pem_certificate, pem_certificate_chain = request_certificate(acme_client, authorizations, csr) pem_certificate, pem_certificate_chain = request_certificate(acme_client, authorizations, csr)
# TODO add external ID (if possible) # TODO add external ID (if possible)
return pem_certificate, pem_certificate_chain, None return pem_certificate, pem_certificate_chain, None

View File

@ -33,6 +33,29 @@ def find_zone_id(domain, client=None):
@sts_client('route53') @sts_client('route53')
def change_txt_record(action, zone_id, domain, value, client=None): def change_txt_record(action, zone_id, domain, value, client=None):
current_txt_records = []
try:
current_txt_records = client.list_resource_record_sets(
HostedZoneId=zone_id,
StartRecordName=domain,
StartRecordType='TXT',
MaxItems="1")["ResourceRecordSets"][0]["ResourceRecords"]
except Exception as e:
# Current Resource Record does not exist
if "NoSuchHostedZone" not in str(type(e)):
raise
# For some reason TXT records need to be
# manually quoted.
current_txt_records.append({"Value": '"{}"'.format(value)})
if action == "DELETE" and len(current_txt_records) > 1:
# If we want to delete one record out of many, we'll update the record to not include the deleted value instead.
# This allows us to support concurrent issuance.
current_txt_records = [
record for record in current_txt_records if not (record.get('Value') == '"{}"'.format(value))
]
action = "UPSERT"
response = client.change_resource_record_sets( response = client.change_resource_record_sets(
HostedZoneId=zone_id, HostedZoneId=zone_id,
ChangeBatch={ ChangeBatch={
@ -43,11 +66,7 @@ def change_txt_record(action, zone_id, domain, value, client=None):
"Name": domain, "Name": domain,
"Type": "TXT", "Type": "TXT",
"TTL": 300, "TTL": 300,
"ResourceRecords": [ "ResourceRecords": current_txt_records,
# For some reason TXT records need to be
# manually quoted.
{"Value": '"{}"'.format(value)}
],
} }
} }
] ]