Support concurrent issuance in Route53 for LetsEncrypt
This commit is contained in:
parent
b99aad743b
commit
a141b8c5ea
|
@ -54,15 +54,24 @@ def maybe_remove_wildcard(host):
|
||||||
return host.replace("*.", "")
|
return host.replace("*.", "")
|
||||||
|
|
||||||
|
|
||||||
def start_dns_challenge(acme_client, account_number, host, dns_provider, order):
|
def maybe_add_extension(host, dns_provider_options):
|
||||||
|
if dns_provider_options and dns_provider_options.get("acme_challenge_extension"):
|
||||||
|
host = host + dns_provider_options.get("acme_challenge_extension")
|
||||||
|
return host
|
||||||
|
|
||||||
|
|
||||||
|
def start_dns_challenge(acme_client, account_number, host, dns_provider, order, dns_provider_options):
|
||||||
current_app.logger.debug("Starting DNS challenge for {0}".format(host))
|
current_app.logger.debug("Starting DNS challenge for {0}".format(host))
|
||||||
|
|
||||||
dns_challenges = find_dns_challenge(order.authorizations)
|
dns_challenges = find_dns_challenge(order.authorizations)
|
||||||
change_ids = []
|
change_ids = []
|
||||||
|
|
||||||
|
host_to_validate = maybe_remove_wildcard(host)
|
||||||
|
host_to_validate = maybe_add_extension(host_to_validate, dns_provider_options)
|
||||||
|
|
||||||
for dns_challenge in find_dns_challenge(order.authorizations):
|
for dns_challenge in find_dns_challenge(order.authorizations):
|
||||||
change_id = dns_provider.create_txt_record(
|
change_id = dns_provider.create_txt_record(
|
||||||
dns_challenge.validation_domain_name(maybe_remove_wildcard(host)),
|
dns_challenge.validation_domain_name(host_to_validate),
|
||||||
dns_challenge.validation(acme_client.client.net.key),
|
dns_challenge.validation(acme_client.client.net.key),
|
||||||
account_number
|
account_number
|
||||||
)
|
)
|
||||||
|
@ -104,7 +113,13 @@ def request_certificate(acme_client, authorizations, csr, order):
|
||||||
authorization_resource, _ = acme_client.poll(authz)
|
authorization_resource, _ = acme_client.poll(authz)
|
||||||
|
|
||||||
deadline = datetime.datetime.now() + datetime.timedelta(seconds=90)
|
deadline = datetime.datetime.now() + datetime.timedelta(seconds=90)
|
||||||
|
|
||||||
|
try:
|
||||||
orderr = acme_client.finalize_order(order, deadline)
|
orderr = acme_client.finalize_order(order, deadline)
|
||||||
|
except:
|
||||||
|
current_app.logger.error("Unable to finalize ACME order: {}".format(order), exc_info=True)
|
||||||
|
raise
|
||||||
|
|
||||||
pem_certificate = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM,
|
pem_certificate = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM,
|
||||||
OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,
|
OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,
|
||||||
orderr.fullchain_pem)).decode()
|
orderr.fullchain_pem)).decode()
|
||||||
|
@ -154,24 +169,27 @@ def get_domains(options):
|
||||||
return domains
|
return domains
|
||||||
|
|
||||||
|
|
||||||
def get_authorizations(acme_client, order, order_info, dns_provider):
|
def get_authorizations(acme_client, order, order_info, dns_provider, dns_provider_options):
|
||||||
authorizations = []
|
authorizations = []
|
||||||
for domain in order_info.domains:
|
for domain in order_info.domains:
|
||||||
authz_record = start_dns_challenge(acme_client, order_info.account_number, domain, dns_provider, order)
|
authz_record = start_dns_challenge(acme_client, order_info.account_number, domain, dns_provider, order,
|
||||||
|
dns_provider_options)
|
||||||
authorizations.append(authz_record)
|
authorizations.append(authz_record)
|
||||||
return authorizations
|
return authorizations
|
||||||
|
|
||||||
|
|
||||||
def finalize_authorizations(acme_client, account_number, dns_provider, authorizations):
|
def finalize_authorizations(acme_client, account_number, dns_provider, authorizations, dns_provider_options):
|
||||||
for authz_record in authorizations:
|
for authz_record in authorizations:
|
||||||
complete_dns_challenge(acme_client, account_number, authz_record, dns_provider)
|
complete_dns_challenge(acme_client, account_number, authz_record, dns_provider)
|
||||||
for authz_record in authorizations:
|
for authz_record in authorizations:
|
||||||
dns_challenges = authz_record.dns_challenge
|
dns_challenges = authz_record.dns_challenge
|
||||||
|
host_to_validate = maybe_remove_wildcard(authz_record.host)
|
||||||
|
host_to_validate = maybe_add_extension(host_to_validate, dns_provider_options)
|
||||||
for dns_challenge in dns_challenges:
|
for dns_challenge in dns_challenges:
|
||||||
dns_provider.delete_txt_record(
|
dns_provider.delete_txt_record(
|
||||||
authz_record.change_id,
|
authz_record.change_id,
|
||||||
account_number,
|
account_number,
|
||||||
dns_challenge.validation_domain_name(maybe_remove_wildcard(authz_record.host)),
|
dns_challenge.validation_domain_name(host_to_validate),
|
||||||
dns_challenge.validation(acme_client.client.net.key)
|
dns_challenge.validation(acme_client.client.net.key)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -235,16 +253,17 @@ class ACMEIssuerPlugin(IssuerPlugin):
|
||||||
acme_client, registration = setup_acme_client(pending_cert.authority)
|
acme_client, registration = setup_acme_client(pending_cert.authority)
|
||||||
order_info = authorization_service.get(pending_cert.external_id)
|
order_info = authorization_service.get(pending_cert.external_id)
|
||||||
dns_provider = dns_provider_service.get(pending_cert.dns_provider_id)
|
dns_provider = dns_provider_service.get(pending_cert.dns_provider_id)
|
||||||
|
dns_provider_options = dns_provider.options
|
||||||
dns_provider_type = self.get_dns_provider(dns_provider.provider_type)
|
dns_provider_type = self.get_dns_provider(dns_provider.provider_type)
|
||||||
try:
|
try:
|
||||||
authorizations = get_authorizations(
|
authorizations = get_authorizations(
|
||||||
acme_client, order_info.account_number, order_info.domains, dns_provider_type)
|
acme_client, order_info.account_number, order_info.domains, dns_provider_type, dns_provider_options)
|
||||||
except ClientError:
|
except ClientError:
|
||||||
current_app.logger.error("Unable to resolve pending cert: {}".format(pending_cert.name), exc_info=True)
|
current_app.logger.error("Unable to resolve pending cert: {}".format(pending_cert.name), exc_info=True)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
authorizations = finalize_authorizations(
|
authorizations = finalize_authorizations(
|
||||||
acme_client, order_info.account_number, dns_provider_type, authorizations)
|
acme_client, order_info.account_number, dns_provider_type, authorizations, dns_provider_options)
|
||||||
pem_certificate, pem_certificate_chain = request_certificate(acme_client, authorizations, pending_cert.csr)
|
pem_certificate, pem_certificate_chain = request_certificate(acme_client, authorizations, pending_cert.csr)
|
||||||
cert = {
|
cert = {
|
||||||
'body': "\n".join(str(pem_certificate).splitlines()),
|
'body': "\n".join(str(pem_certificate).splitlines()),
|
||||||
|
@ -261,6 +280,7 @@ class ACMEIssuerPlugin(IssuerPlugin):
|
||||||
acme_client, registration = setup_acme_client(pending_cert.authority)
|
acme_client, registration = setup_acme_client(pending_cert.authority)
|
||||||
order_info = authorization_service.get(pending_cert.external_id)
|
order_info = authorization_service.get(pending_cert.external_id)
|
||||||
dns_provider = dns_provider_service.get(pending_cert.dns_provider_id)
|
dns_provider = dns_provider_service.get(pending_cert.dns_provider_id)
|
||||||
|
dns_provider_options = dns_provider.options
|
||||||
dns_provider_type = self.get_dns_provider(dns_provider.provider_type)
|
dns_provider_type = self.get_dns_provider(dns_provider.provider_type)
|
||||||
try:
|
try:
|
||||||
order = acme_client.new_order(pending_cert.csr)
|
order = acme_client.new_order(pending_cert.csr)
|
||||||
|
@ -268,7 +288,8 @@ class ACMEIssuerPlugin(IssuerPlugin):
|
||||||
raise Exception("The currently selected ACME CA endpoint does"
|
raise Exception("The currently selected ACME CA endpoint does"
|
||||||
" not support issuing wildcard certificates.")
|
" not support issuing wildcard certificates.")
|
||||||
|
|
||||||
authorizations = get_authorizations(acme_client, order, order_info, dns_provider_type)
|
authorizations = get_authorizations(acme_client, order, order_info, dns_provider_type,
|
||||||
|
dns_provider_options)
|
||||||
|
|
||||||
pending.append({
|
pending.append({
|
||||||
"acme_client": acme_client,
|
"acme_client": acme_client,
|
||||||
|
@ -277,6 +298,7 @@ class ACMEIssuerPlugin(IssuerPlugin):
|
||||||
"authorizations": authorizations,
|
"authorizations": authorizations,
|
||||||
"pending_cert": pending_cert,
|
"pending_cert": pending_cert,
|
||||||
"order": order,
|
"order": order,
|
||||||
|
"dns_provider_options": dns_provider_options,
|
||||||
})
|
})
|
||||||
except (ClientError, ValueError, Exception):
|
except (ClientError, ValueError, Exception):
|
||||||
current_app.logger.error("Unable to resolve pending cert: {}".format(pending_cert), exc_info=True)
|
current_app.logger.error("Unable to resolve pending cert: {}".format(pending_cert), exc_info=True)
|
||||||
|
@ -292,6 +314,7 @@ class ACMEIssuerPlugin(IssuerPlugin):
|
||||||
entry["account_number"],
|
entry["account_number"],
|
||||||
entry["dns_provider_type"],
|
entry["dns_provider_type"],
|
||||||
entry["authorizations"],
|
entry["authorizations"],
|
||||||
|
entry["dns_provider_options"],
|
||||||
)
|
)
|
||||||
pem_certificate, pem_certificate_chain = request_certificate(
|
pem_certificate, pem_certificate_chain = request_certificate(
|
||||||
entry["acme_client"],
|
entry["acme_client"],
|
||||||
|
@ -329,6 +352,7 @@ class ACMEIssuerPlugin(IssuerPlugin):
|
||||||
create_immediately = issuer_options.get('create_immediately', False)
|
create_immediately = issuer_options.get('create_immediately', False)
|
||||||
acme_client, registration = setup_acme_client(authority)
|
acme_client, registration = setup_acme_client(authority)
|
||||||
dns_provider = issuer_options.get('dns_provider')
|
dns_provider = issuer_options.get('dns_provider')
|
||||||
|
dns_provider_options = dns_provider.options
|
||||||
if not dns_provider:
|
if not dns_provider:
|
||||||
raise InvalidConfiguration("DNS Provider setting is required for ACME certificates.")
|
raise InvalidConfiguration("DNS Provider setting is required for ACME certificates.")
|
||||||
credentials = json.loads(dns_provider.credentials)
|
credentials = json.loads(dns_provider.credentials)
|
||||||
|
@ -354,8 +378,9 @@ class ACMEIssuerPlugin(IssuerPlugin):
|
||||||
# Return id of the DNS Authorization
|
# Return id of the DNS Authorization
|
||||||
return None, None, dns_authorization.id
|
return None, None, dns_authorization.id
|
||||||
|
|
||||||
authorizations = get_authorizations(acme_client, account_number, domains, dns_provider_type)
|
authorizations = get_authorizations(acme_client, account_number, domains, dns_provider_type,
|
||||||
finalize_authorizations(acme_client, account_number, dns_provider_type, authorizations)
|
dns_provider_options)
|
||||||
|
finalize_authorizations(acme_client, account_number, dns_provider_type, authorizations, dns_provider_options)
|
||||||
pem_certificate, pem_certificate_chain = request_certificate(acme_client, authorizations, csr)
|
pem_certificate, pem_certificate_chain = request_certificate(acme_client, authorizations, csr)
|
||||||
# TODO add external ID (if possible)
|
# TODO add external ID (if possible)
|
||||||
return pem_certificate, pem_certificate_chain, None
|
return pem_certificate, pem_certificate_chain, None
|
||||||
|
|
|
@ -33,6 +33,29 @@ def find_zone_id(domain, client=None):
|
||||||
|
|
||||||
@sts_client('route53')
|
@sts_client('route53')
|
||||||
def change_txt_record(action, zone_id, domain, value, client=None):
|
def change_txt_record(action, zone_id, domain, value, client=None):
|
||||||
|
current_txt_records = []
|
||||||
|
try:
|
||||||
|
current_txt_records = client.list_resource_record_sets(
|
||||||
|
HostedZoneId=zone_id,
|
||||||
|
StartRecordName=domain,
|
||||||
|
StartRecordType='TXT',
|
||||||
|
MaxItems="1")["ResourceRecordSets"][0]["ResourceRecords"]
|
||||||
|
except Exception as e:
|
||||||
|
# Current Resource Record does not exist
|
||||||
|
if "NoSuchHostedZone" not in str(type(e)):
|
||||||
|
raise
|
||||||
|
# For some reason TXT records need to be
|
||||||
|
# manually quoted.
|
||||||
|
current_txt_records.append({"Value": '"{}"'.format(value)})
|
||||||
|
|
||||||
|
if action == "DELETE" and len(current_txt_records) > 1:
|
||||||
|
# If we want to delete one record out of many, we'll update the record to not include the deleted value instead.
|
||||||
|
# This allows us to support concurrent issuance.
|
||||||
|
current_txt_records = [
|
||||||
|
record for record in current_txt_records if not (record.get('Value') == '"{}"'.format(value))
|
||||||
|
]
|
||||||
|
action = "UPSERT"
|
||||||
|
|
||||||
response = client.change_resource_record_sets(
|
response = client.change_resource_record_sets(
|
||||||
HostedZoneId=zone_id,
|
HostedZoneId=zone_id,
|
||||||
ChangeBatch={
|
ChangeBatch={
|
||||||
|
@ -43,11 +66,7 @@ def change_txt_record(action, zone_id, domain, value, client=None):
|
||||||
"Name": domain,
|
"Name": domain,
|
||||||
"Type": "TXT",
|
"Type": "TXT",
|
||||||
"TTL": 300,
|
"TTL": 300,
|
||||||
"ResourceRecords": [
|
"ResourceRecords": current_txt_records,
|
||||||
# For some reason TXT records need to be
|
|
||||||
# manually quoted.
|
|
||||||
{"Value": '"{}"'.format(value)}
|
|
||||||
],
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
Loading…
Reference in New Issue