diff --git a/lemur/plugins/lemur_acme/dyn.py b/lemur/plugins/lemur_acme/dyn.py index 28832cbc..6ce117bf 100644 --- a/lemur/plugins/lemur_acme/dyn.py +++ b/lemur/plugins/lemur_acme/dyn.py @@ -5,11 +5,10 @@ import dns.exception import dns.name import dns.query import dns.resolver -from dyn.tm.errors import DynectCreateError +from dyn.tm.errors import DynectGetError from dyn.tm.session import DynectSession -from dyn.tm.zones import Node, Zone +from dyn.tm.zones import Node, Zone, get_all_zones from flask import current_app -from tld import get_tld def get_dynect_session(): @@ -42,28 +41,55 @@ def _has_dns_propagated(name, token): def wait_for_dns_change(change_id, account_number=None): fqdn, token = change_id - while True: + number_of_attempts = 10 + for attempts in range(0, number_of_attempts): status = _has_dns_propagated(fqdn, token) current_app.logger.debug("Record status for fqdn: {}: {}".format(fqdn, status)) if status: break time.sleep(20) + if not status: + raise Exception("Unable to query DNS token for fqdn {}.".format(fqdn)) return +def get_zone_name(domain): + zones = get_all_zones() + + zone_name = "" + + for z in zones: + if domain.endswith(z.name): + # Find the most specific zone possible for the domain + # Ex: If fqdn is a.b.c.com, there is a zone for c.com, + # and a zone for b.c.com, we want to use b.c.com. + if z.name.count(".") > zone_name.count("."): + zone_name = z.name + if not zone_name: + raise Exception("No Dyn zone found for domain: {}".format(domain)) + return zone_name + + def create_txt_record(domain, token, account_number): get_dynect_session() - zone_name = get_tld('http://' + domain) + zone_name = get_zone_name(domain) zone_parts = len(zone_name.split('.')) node_name = '.'.join(domain.split('.')[:-zone_parts]) fqdn = "{0}.{1}".format(node_name, zone_name) zone = Zone(zone_name) try: - zone.add_record(node_name, record_type='TXT', txtdata="\"{}\"".format(token), ttl=5) - except DynectCreateError: - delete_txt_record(None, None, domain, token) - zone.add_record(node_name, record_type='TXT', txtdata="\"{}\"".format(token), ttl=5) - node = zone.get_node(node_name) + # Delete all stale ACME TXT records + delete_acme_txt_records(domain) + except DynectGetError as e: + if ( + "No such zone." in e.message or + "Host is not in this zone" in e.message or + "Host not found in this zone" in e.message + ): + current_app.logger.debug("Unable to delete ACME TXT records. They probably don't exist yet: {}".format(e)) + else: + raise + zone.add_record(node_name, record_type='TXT', txtdata="\"{}\"".format(token), ttl=5) zone.publish() current_app.logger.debug("TXT record created: {0}".format(fqdn)) change_id = (fqdn, token) @@ -76,7 +102,7 @@ def delete_txt_record(change_id, account_number, domain, token): current_app.logger.debug("delete_txt_record: No domain passed") return - zone_name = get_tld('http://' + domain) + zone_name = get_zone_name(domain) zone_parts = len(zone_name.split('.')) node_name = '.'.join(domain.split('.')[:-zone_parts]) fqdn = "{0}.{1}".format(node_name, zone_name) @@ -92,40 +118,70 @@ def delete_txt_record(change_id, account_number, domain, token): zone.publish() +def delete_acme_txt_records(domain): + get_dynect_session() + if not domain: + current_app.logger.debug("delete_acme_txt_records: No domain passed") + return + acme_challenge_string = "_acme-challenge" + if not domain.startswith(acme_challenge_string): + current_app.logger.debug( + "delete_acme_txt_records: Domain {} doesn't start with string {}. " + "Cowardly refusing to delete TXT records".format(domain, acme_challenge_string)) + return + + zone_name = get_zone_name(domain) + zone_parts = len(zone_name.split('.')) + node_name = '.'.join(domain.split('.')[:-zone_parts]) + fqdn = "{0}.{1}".format(node_name, zone_name) + + zone = Zone(zone_name) + node = Node(zone_name, fqdn) + + all_txt_records = node.get_all_records_by_type('TXT') + for txt_record in all_txt_records: + current_app.logger.debug("Deleting TXT record name: {0}".format(fqdn)) + txt_record.delete() + zone.publish() + + def get_authoritative_nameserver(domain): - n = dns.name.from_text(domain) + if current_app.config.get('ACME_DYN_GET_AUTHORATATIVE_NAMESERVER'): + n = dns.name.from_text(domain) - depth = 2 - default = dns.resolver.get_default_resolver() - nameserver = default.nameservers[0] + depth = 2 + default = dns.resolver.get_default_resolver() + nameserver = default.nameservers[0] - last = False - while not last: - s = n.split(depth) + last = False + while not last: + s = n.split(depth) - last = s[0].to_unicode() == u'@' - sub = s[1] + last = s[0].to_unicode() == u'@' + sub = s[1] - query = dns.message.make_query(sub, dns.rdatatype.NS) - response = dns.query.udp(query, nameserver) + query = dns.message.make_query(sub, dns.rdatatype.NS) + response = dns.query.udp(query, nameserver) - rcode = response.rcode() - if rcode != dns.rcode.NOERROR: - if rcode == dns.rcode.NXDOMAIN: - raise Exception('%s does not exist.' % sub) + rcode = response.rcode() + if rcode != dns.rcode.NOERROR: + if rcode == dns.rcode.NXDOMAIN: + raise Exception('%s does not exist.' % sub) + else: + raise Exception('Error %s' % dns.rcode.to_text(rcode)) + + if len(response.authority) > 0: + rrset = response.authority[0] else: - raise Exception('Error %s' % dns.rcode.to_text(rcode)) + rrset = response.answer[0] - if len(response.authority) > 0: - rrset = response.authority[0] - else: - rrset = response.answer[0] + rr = rrset[0] + if rr.rdtype != dns.rdatatype.SOA: + authority = rr.target + nameserver = default.query(authority).rrset[0].to_text() - rr = rrset[0] - if rr.rdtype != dns.rdatatype.SOA: - authority = rr.target - nameserver = default.query(authority).rrset[0].to_text() + depth += 1 - depth += 1 - - return nameserver + return nameserver + else: + return "8.8.8.8" diff --git a/lemur/plugins/lemur_acme/plugin.py b/lemur/plugins/lemur_acme/plugin.py index 4d150e76..43f5244b 100644 --- a/lemur/plugins/lemur_acme/plugin.py +++ b/lemur/plugins/lemur_acme/plugin.py @@ -116,8 +116,8 @@ def request_certificate(acme_client, authorizations, csr, order): try: orderr = acme_client.finalize_order(order, deadline) - except: - current_app.logger.error("Unable to finalize ACME order: {}".format(order), exc_info=True) + except AcmeError: + current_app.logger.error("Unable to resolve Acme order: {}".format(order), exc_info=True) raise pem_certificate = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, @@ -407,3 +407,7 @@ class ACMEIssuerPlugin(IssuerPlugin): if option.get('name') == 'certificate': acme_root = option.get('value') return acme_root, "", [role] + + def cancel_ordered_certificate(self, pending_cert, **kwargs): + # Needed to override issuer function. + pass diff --git a/requirements-docs.txt b/requirements-docs.txt index b4c12d4d..eee0ee35 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -4,7 +4,7 @@ # # pip-compile --no-index --output-file requirements-docs.txt requirements-docs.in # -acme==0.24.0 +acme==0.25.1 alabaster==0.7.11 # via sphinx alembic-autogenerate-enums==0.0.2 alembic==0.9.9 @@ -15,8 +15,8 @@ asyncpool==1.0 babel==2.6.0 # via sphinx bcrypt==3.1.4 blinker==1.4 -boto3==1.7.32 -botocore==1.10.32 +boto3==1.7.39 +botocore==1.10.37 certifi==2018.4.16 cffi==1.11.5 click==6.7 @@ -27,7 +27,7 @@ dnspython==1.15.0 docutils==0.14 dyn==1.8.1 flask-bcrypt==0.7.1 -flask-cors==3.0.4 +flask-cors==3.0.6 flask-mail==0.9.1 flask-migrate==2.1.1 flask-principal==0.4.0 @@ -37,7 +37,7 @@ flask-sqlalchemy==2.3.2 flask==0.12 future==0.16.0 gunicorn==19.8.1 -idna==2.6 +idna==2.7 imagesize==1.0.0 # via sphinx inflection==0.3.1 itsdangerous==0.24 @@ -54,7 +54,7 @@ mock==2.0.0 ndg-httpsclient==0.5.0 packaging==17.1 # via sphinx paramiko==2.4.1 -pbr==4.0.3 +pbr==4.0.4 pem==17.1.0 psycopg2==2.7.4 pyasn1-modules==0.2.1 @@ -65,12 +65,13 @@ pyjwt==1.6.4 pynacl==1.2.1 pyopenssl==17.2.0 pyparsing==2.2.0 # via packaging -pyrfc3339==1.0 +pyrfc3339==1.1 python-dateutil==2.7.3 python-editor==1.0.3 pytz==2018.4 pyyaml==3.12 raven[flask]==6.9.0 +requests-toolbelt==0.8.0 requests[security]==2.11.1 retrying==1.3.3 s3transfer==0.1.13 @@ -83,6 +84,5 @@ sphinxcontrib-websupport==1.1.0 # via sphinx sqlalchemy-utils==0.33.3 sqlalchemy==1.2.8 tabulate==0.8.2 -tld==0.7.10 werkzeug==0.14.1 xmltodict==0.11.0 diff --git a/requirements.in b/requirements.in index 4d287c0d..2a5051a7 100644 --- a/requirements.in +++ b/requirements.in @@ -39,5 +39,4 @@ retrying six SQLAlchemy-Utils tabulate -tld xmltodict