From 7dac0e1dd8978c055a6201d80e67a5cb30525362 Mon Sep 17 00:00:00 2001
From: csine-nflx <59457265+csine-nflx@users.noreply.github.com>
Date: Fri, 31 Jan 2020 16:54:25 -0800
Subject: [PATCH 1/3] Update administration.rst

---
 docs/administration.rst | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/docs/administration.rst b/docs/administration.rst
index e292ae03..252a7dec 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
@@ -973,6 +973,41 @@ Will be the sender of all notifications, so ensure that it is verified with AWS.
 SES if the default notification gateway and will be used unless SMTP settings are configured in the application configuration
 settings.
 
+PowerDNS ACME Plugin
+~~~~~~~~~~~~~~~~~~~~~~
+
+The following configuration properties are required to use the PowerDNS ACME Plugin for domain validation.
+
+
+.. data:: ACME_POWERDNS_DOMAIN
+    :noindex:
+
+            This is the FQDN for the PowerDNS API (without path)
+
+
+.. data:: ACME_POWERDNS_SERVERID
+    :noindex:
+
+            This is the ServerID attribute of the PowerDNS API Server (i.e. "localhost"
+
+
+.. data:: ACME_POWERDNS_APIKEYNAME
+    :noindex:
+
+            This is the Key name to use for authentication (i.e. "X-API-Key")
+
+
+.. data:: ACME_POWERDNS_APIKEY
+    :noindex:
+
+            This is the API Key to use for authentication (i.e. "Password")
+
+
+.. data:: ACME_POWERDNS_RETRIES
+    :noindex:
+
+            This is the number of times DNS Verification should be attempted (i.e. 20)
+
 .. _CommandLineInterface:
 
 Command Line Interface
@@ -1172,11 +1207,12 @@ Acme
     Kevin Glisson <kglisson@netflix.com>,
     Curtis Castrapel <ccastrapel@netflix.com>,
     Hossein Shafagh <hshafagh@netflix.com>,
-    Mikhail Khodorovskiy <mikhail.khodorovskiy@jivesoftware.com>
+    Mikhail Khodorovskiy <mikhail.khodorovskiy@jivesoftware.com>,
+    Chad Sine <csine@netflix.com>
 :Type:
     Issuer
 :Description:
-    Adds support for the ACME protocol (including LetsEncrypt) with domain validation being handled Route53.
+    Adds support for the ACME protocol (including LetsEncrypt) with domain validation using several providers.
 
 
 Atlas

From 5324290234fdb865a89fcdabe6c4811f0889060b Mon Sep 17 00:00:00 2001
From: csine-nflx <csine@netflix.com>
Date: Tue, 4 Feb 2020 16:23:53 -0800
Subject: [PATCH 2/3] updating documentation based on feedback

---
 docs/administration.rst | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/docs/administration.rst b/docs/administration.rst
index 252a7dec..8f055147 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
@@ -988,7 +988,7 @@ The following configuration properties are required to use the PowerDNS ACME Plu
 .. data:: ACME_POWERDNS_SERVERID
     :noindex:
 
-            This is the ServerID attribute of the PowerDNS API Server (i.e. "localhost"
+            This is the ServerID attribute of the PowerDNS API Server (i.e. "localhost")
 
 
 .. data:: ACME_POWERDNS_APIKEYNAME
@@ -1106,6 +1106,15 @@ All commands default to `~/.lemur/lemur.conf.py` if a configuration is not speci
         lemur notify
 
 
+.. data:: acme
+
+    Handles all ACME related tasks, like ACME plugin testing.
+
+    ::
+
+        lemur acme
+
+
 Sub-commands
 ------------
 

From ca8e73286f6f0ade5ffb130e276397e9d6b96273 Mon Sep 17 00:00:00 2001
From: csine-nflx <csine@netflix.com>
Date: Wed, 12 Feb 2020 15:10:24 -0800
Subject: [PATCH 3/3] fixed get_domains() to remove duplicate entries, updated
 usage and tests

---
 lemur/plugins/lemur_acme/plugin.py          | 14 ++++----------
 lemur/plugins/lemur_acme/tests/test_acme.py | 21 +++++++++++++++++++--
 2 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/lemur/plugins/lemur_acme/plugin.py b/lemur/plugins/lemur_acme/plugin.py
index 8991efdf..95689a13 100644
--- a/lemur/plugins/lemur_acme/plugin.py
+++ b/lemur/plugins/lemur_acme/plugin.py
@@ -254,8 +254,9 @@ class AcmeHandler(object):
 
         domains = [options["common_name"]]
         if options.get("extensions"):
-            for name in options["extensions"]["sub_alt_names"]["names"]:
-                domains.append(name)
+            for dns_name in options["extensions"]["sub_alt_names"]["names"]:
+                if dns_name.value not in domains:
+                    domains.append(dns_name.value)
 
         current_app.logger.debug("Got these domains: {0}".format(domains))
         return domains
@@ -640,15 +641,8 @@ class ACMEIssuerPlugin(IssuerPlugin):
         domains = self.acme.get_domains(issuer_options)
         if not create_immediately:
             # Create pending authorizations that we'll need to do the creation
-            authz_domains = []
-            for d in domains:
-                if type(d) == str:
-                    authz_domains.append(d)
-                else:
-                    authz_domains.append(d.value)
-
             dns_authorization = authorization_service.create(
-                account_number, authz_domains, provider_type
+                account_number, domains, provider_type
             )
             # Return id of the DNS Authorization
             return None, None, dns_authorization.id
diff --git a/lemur/plugins/lemur_acme/tests/test_acme.py b/lemur/plugins/lemur_acme/tests/test_acme.py
index 04997ace..990a556e 100644
--- a/lemur/plugins/lemur_acme/tests/test_acme.py
+++ b/lemur/plugins/lemur_acme/tests/test_acme.py
@@ -1,4 +1,6 @@
 import unittest
+
+from cryptography.x509 import DNSName
 from requests.models import Response
 
 from mock import MagicMock, Mock, patch
@@ -74,12 +76,14 @@ class TestAcme(unittest.TestCase):
     @patch("acme.client.Client")
     @patch("lemur.plugins.lemur_acme.plugin.current_app")
     @patch("lemur.plugins.lemur_acme.cloudflare.wait_for_dns_change")
+    @patch("time.sleep")
     def test_complete_dns_challenge_success(
-        self, mock_wait_for_dns_change, mock_current_app, mock_acme
+        self, mock_sleep, mock_wait_for_dns_change, mock_current_app, mock_acme
     ):
         mock_dns_provider = Mock()
         mock_dns_provider.wait_for_dns_change = Mock(return_value=True)
         mock_authz = Mock()
+        mock_sleep.return_value = False
         mock_authz.dns_challenge.response = Mock()
         mock_authz.dns_challenge.response.simple_verify = Mock(return_value=True)
         mock_authz.authz = []
@@ -179,7 +183,7 @@ class TestAcme(unittest.TestCase):
         options = {
             "common_name": "test.netflix.net",
             "extensions": {
-                "sub_alt_names": {"names": ["test2.netflix.net", "test3.netflix.net"]}
+                "sub_alt_names": {"names": [DNSName("test2.netflix.net"), DNSName("test3.netflix.net")]}
             },
         }
         result = self.acme.get_domains(options)
@@ -187,6 +191,19 @@ class TestAcme(unittest.TestCase):
             result, [options["common_name"], "test2.netflix.net", "test3.netflix.net"]
         )
 
+    @patch("lemur.plugins.lemur_acme.plugin.current_app")
+    def test_get_domains_san(self, mock_current_app):
+        options = {
+            "common_name": "test.netflix.net",
+            "extensions": {
+                "sub_alt_names": {"names": [DNSName("test.netflix.net"), DNSName("test2.netflix.net")]}
+            },
+        }
+        result = self.acme.get_domains(options)
+        self.assertEqual(
+            result, [options["common_name"], "test2.netflix.net"]
+        )
+
     @patch(
         "lemur.plugins.lemur_acme.plugin.AcmeHandler.start_dns_challenge",
         return_value="test",