-
Notifications
You must be signed in to change notification settings - Fork 378
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes for http-01 stray tokens, dns-01 CNAMEs, contact e-mail format and updates; account security operations; misc #841
base: master
Are you sure you want to change the base?
Conversation
Fixes #827 Note that prior registrations included a space after Note that a simple way to update the contact e-mail without renewing/issuing certificates is to use Footnote: The Edit: ... and now it does. Yet another commit. |
Added the missing admin/security functions to rotate account key (key compromise, or policy) and deactivate account. Could use tests - verified with LE. These functions (and --account-id) really shouldn't require a domain. Fixing that requires more logic change than I have time for at the moment. |
@timkimber : The test "failures" with this PR are due to invalid CNAMEs in the test environment, which These CNAMEs must have the format:
where [from-domain] is optional. The reason is that the The current CNAMEs in the test environment have targets that could not be updated by the The test failures are The reasonable choices are:
You'll have to change the CNAMEs in the test environment for (1) or (3). I don't recommend (2) - it uses a lot of test time to validate a trivial diagnostic in For a (currently) working example: dig @8.8.8.8 _acme-challenge.andreasvonhuene.com txt _acme-challenge.www.andreasvonhuene.com txt I put some dummy The It should be OK to merge. Edit: updated required CNAME format to match later commit |
Implemented a version of #267 ( @zazaz-de )'s token substitution in challenge ACLs. Not clear why the proposal wanted to substitute $DOMAIN; $SAN seems more useful. But if you place an ACL in the main config file, maybe. I added both. These seem harmless if not used. Something similar might be useful for the certificate/key/chain files (in which case updating Also fixed some typos in the template domain config. |
Fixed #801 - added support for specifying local IP address in Also rebased to latest master. |
@tlhackque thanks so much for all your recent changes, I'll start looking through and merging them as soon as I can (hopefully this week) |
I relaxed the (new) restriction on CNAME targets to allow for hashed names. The target must start with One might use hashed names if worried that a stolen zone file on the updateable server could be used to find clients. In corner cases, a hash target also can prevent the target domain name from being too long. E.g., Tested both ways (on real domains), including wildcard cert. Everyone is still happy. Also, the next release of
|
@timkimber I did release Also, I made changes (mostly whitespace) to ensure that the account management commands don't require or play with any domain. Besides doing busy work, there can be side effects. e.g. before, if you tried So you'd try Things go down hill. Now, what happens is what you expect. Just what's necessary to register your account and execute the command. It would be cleaner to reorganize the code, but with all the global variables & shared state, that seemed too risky. If you suppress the whitespace changes ( Hopefully you can merge before I find something else... |
Should now fix #818 - and any cousin bugs. LC_ALL overrides all I18n variables (except LANGUAGE, which doesn't effect |
@timkimber: Some of the test failures were not due to CNAME issues. Those had to do with curl version changes, and some FTP issues in the new token removals that use FTP variants. These were masked by curl and CNAME test issues. Fixed now. DNS failures remain that I'm out of cycles to address. Not clear why the bad CNAME shows up randomly. The only way to eliminate the bad CNAME restriction would be to change the How are the CNAMEs setup for the tests? Below are 3 references in the tests where even the comments have invalid targets. I can't see how they ever worked. Maybe with dns_*_manual - and ignoring the suggested record?
E.g.
This is the bad CNAME (acmedns):
Unbuntu14 fails to get installed token
|
FTP_PORT not used by ftp. No code for sftp, davfs, ftpes, or ftps. Needs tests, but at least this won't fall thru to attempting to delete from local file system.
This is useful for debugging; it leaves any tokens in the DNS & records its environment. It's only meaningful for debuggers (and some problem reports for which ask for them.
See issue srvrco#840.
Also fixes bug that caused previous registrations to be invalid.
RFC operations for account security: --new-account-key replaces the account key with a new one. Can modify the type or size as well. (update .cfg first) Does not affect certificate validity or pending operations. --DEACTIVATE-account permanently deactivates the account on the server. Per RFC, can not be revived. Should not revoke existing certificates. (Server's choice.)
Idea from srvrco#267 Fixes typos in template domain.cfg
It's OK for the target of a CNAME not to include the source domain. It's handy for debug and for system management. But some people prefer a hash. We can handle that.
…nt more than once.
Skip everything having to do with domains & certificates when doing --account-id, --new-account-key, --DEACTIVATE-account This avoids the need to specify a domain name, creating directories, trying to check the remote - and other unnecessary (and sometimes harmful) work. Most of the diffs in this commit are white space.
Handle e-mail update with buggy 409 responses from registration. Improve contact parsing by replacing call to json_get, which doesn't seem to handle string array values well. (It's also easier to parse the values at the same time.) No reason to save register response JSON in TEMP_DIR, so don't. Appears to be stale debugging code. Exit after deactivating account.
FIXES srvrco#818 (I hope). in srvrco#818, @mslavkov reported that date fails in the BG.UTF-8 locale, but that LC_ALL=C resolved the issue. Since we already export LANG=C, that would seem to indicate that LC_TIME is overriding it. LC_ALL is the safer (stronger) choice.
SERVER_TYPE implies a port number (and possibly s_client options). Previously, these were hard-coded, requiring a code change for any new/unique services. Now, /etc/services is used, so every assigned name is available, and new services "just work". The old alias names (and renames) are supported. And the old hardcoded defaults will be used if /etc/services is not available. SERVICES_FILE can be defined to local taste - e.g. on windows, C:\Windows\System32\drivers\etc\services is equivalent.
Also make constant arrays in find_service_port() read-only
Prompt for confirmation of account deactivation. If a domain is specified, allow its getssl.cfg to specify the account key & type. Don't create an account key for rotation or deactivate if none exists.
Score 1 for the tests.
curl isn't changing directory to the specified directory. Make it explicit in the DELE command.
Replaced with --ssl-reqd. Note that --ftp-ssl-reqd is an old alias for --ssl-reqd. --ftp-ssl-reqd is equivalent, but could eventually go away. -ssl-reqd has been supported since curl version 7.20.0 - in 2010 (though a related CVE was fixed in 7.79.0 in 2021...) So this change shouldn't inconvenience any getssl users.
Apparently centos6 is stuck on curl version 7.19, just before --ssl-reqd turned up in 7.20. Wow! Check curl version and select --ssl-reqd for version 7.20+.
Adds -starttls for all protocols currently documented by openssl s_client (their master branch). Also allows REMOTE_EXTRA in config files to override built-in usage. Reordered extra_cmds to match openssl documentation so it's easier to see when openssl adds new protocols.
Fixes #693
Fixes #827
Fixes #839
Fixes #840
Fixes #267
Fixes #801
Fixes #818
Tests for the http-01 fixes should be added. See e#839 and #693 for the issues; I don't have servers for the missing protocols.
The dns-01 fixes break some of the current tests - it's the tests that need fixing.
This restricts CNAMEs to what
getssl
itself is capable of handline. The previous code, as described in #840, was incompatible with the APIs used by the dns_add and dns_del dns_scripts. The restrictions don't seem onerous and avoid cryptic DNS entries.Short form: CNAMEs in the validating domain must be from _acme-challenge.(something in the domain, or null) to _acme-challenge.(the same full domain name).(the domain updatable by the DNS scripts). See #840 for an example - which belongs in the documentation. [changed: see edit below]
This commit also includes a developer's script - most people can ignore it.
Additional commits in later comments.
Finally, note that tlhackque/certtools has useful tools for monitoring certificate expiration, and dealing with any stray dns-01 tokens.
Edit: A later commit allows CNAMEs to omit the client domain name in the target, but they still must begin with
_acme-challenge
.