Add dns-01 challenge support to the ACME client #2061

wteiken · Jan 2, 2016

Tested against a local dev version of the non-spec server, should also work against the soon-to-be-updated staging server.

alex · Jan 2, 2016

I think this code can be simplified to:

try:
    dns_response = dns.resolver.query(validation_domain_name, 'TXT')
except dns.exception.DNSException as error:
    logger.error(...)
    return False

for rdata in dns_response:
    for txt_record in rdata.strings:
        if txt_record == validation:
            return True

wteiken · Jan 2, 2016

I factored out the dns query, I'd rather contain the dnspython objects as much as I can. And I think it gives some extra structure that helps.

kuba · Jan 5, 2016

Agreed about containing dnspython. However, too many loops for my taste. This would be more Pythonic and likely more efficient:

exists = validation in txt_records
if not exists:
  logger.debug(...)
return exists

alex · Jan 2, 2016

On reading the discussion on letsencrypt/boulder#1295 I think this maybe should be jose.b64encode? What do you think?

wteiken · Jan 2, 2016

I think it makes sense to use one common encoding, but the spec needs to be updated for that (the last drat I looked at did not even specify urlsafe base64).

The discussion cites passages related to JSON, but this is not a JSON based field so that does not clarify the issue. It is an implementation detail that the server does a byte-to-byte comparison of the encoded values, so it is not necessary (although preferred) that the DNS record and the JSON objects use identical encoding.

janeczku · Jan 4, 2016

@wteiken See this issue in the acme draft repository ietf-wg-acme/acme#64

alex · Jan 2, 2016

Not sure if it's a bug here or a bug in boulder or a bug in my code, but running https://github.com/alex/letsencrypt-aws/ I pass simple_verify but get an error back from the staging server.

wteiken · Jan 2, 2016

For dns-01 validations? The staging server does not support that yet, it’s on an older branch without DNS-01 support. I had to run my tests against a local server to verify it works.

…

alex · Jan 2, 2016

Ah, for some reason I thought staging had DNS-01 deployed. Sorry for the noise, thanks for working on this! On Sat, Jan 2, 2016 at 12:31 PM, Wilfried Teiken <notifications@github.com> wrote:

…

wteiken · Jan 2, 2016

I actually ran into the same problem and was pulling out my hair before I realized where the problem was. Just in case you are not aware of it: https://acme-staging.api.letsencrypt.org/build tells you the running build.

…

alex · Jan 2, 2016

If there's an error in DNS querying now it'll fail with a TypeError: NoneType is not iterable.

wteiken · Jan 2, 2016

Yep, just pushed the fixed version. I ran the wrong test command.

alex · Jan 2, 2016

txt_records is None is more idiomatic (and I think pylint might complain :-))

onovy · Jan 2, 2016

iff -> if

wteiken · Jan 3, 2016

I'd rather remove the superfluous "False otherwise" part. Same in rest of doc.

alex · Jan 4, 2016

The code was landed in boulder to fix the hex stuff, so I think this fallback can be removed.

jmhodges · Jan 5, 2016

Very much agreed that we remove that fallback! Boulder will be fixed Real Soon Now and abiding by Postel's Law is a quick way to build insecure systems. There's also a ticket to clarify the spec on this matter.

wteiken · Jan 5, 2016

Yes, it was only in there in case a server gets released with the old implementation. I will remove the various references (and replace the encoding with jose.b64encode).

jmhodges · Jan 5, 2016

(To be clear, the DNS challenge in boulder is fixed in master and will soon be deployed to staging.)

wteiken · Jan 5, 2016

Done

kuba · Jan 5, 2016

Unfortunately, this adds additional dependency to the project. Moreover, some of the clients using this library (e.g. https://github.com/kuba/simp_le) will never use DNS challenge. Unless there are some technical arguments against, I would strongly prefer to move dnspython to extras_require (say dns) and make sure the rest of the code is importable when dnspython is not installed (i.e. catching ImportError or alternatively importing at the non-module scope - I'm not sure what's better here).

wteiken · Jan 5, 2016

I'll have a look at that (new to python).

I see your point, but I feel it's a little odd to have something covered by the core standard require an "extras" library. And given the core standard includes DNS queries some DNS library dependency is to be expected.

kuba · Jan 5, 2016

Basic DNS queries can by performed by stdlib. On the other hand, official client (rightfully) gets a lot of critique due to too many dependencies (see #1301). :(

kuba · Jan 5, 2016

Those 2 imports should be separated from stdlib imports group.

wteiken · Jan 6, 2016

Done

kuba · Jan 5, 2016

Why do you use sum() here? This should rather be just return [rdata.strings for rdata in dsn_response

wteiken · Jan 5, 2016

this is a list of lists (multiple rdata objects with possibly multiple strings), so this flattens that structure.

kuba · Jan 5, 2016

Please use [rec for rdata in dns_response for rec in rdata.strings]. More readable and more efficient.

wteiken · Jan 6, 2016

Done

kuba · Jan 5, 2016

self is not used :( if this passes tests then that means that pylint config has been messed up

@pde I still feel like a robot :(

wteiken · Jan 5, 2016

Yep, it passes the tests. Will change and move it out of the class.

kuba · Jan 5, 2016

it'd be a lot easier if you returned [] here

wteiken · Jan 6, 2016

Done

kuba · Jan 5, 2016

I would drop this test in favour of returning [] from txt_records_for_name

kuba · Jan 5, 2016

Comment about None is not true, I believe. (I will fix it in a separate PR for other occurrences)

kuba · Jan 10, 2016

Fixed in #2132.

kuba · Jan 5, 2016

pls drop whitespace here

wteiken · Jan 6, 2016

Done

kuba · Jan 5, 2016

let's inline key_authorization

kuba · Jan 5, 2016

nit: please make sure there are 2 separating lines between classes

wteiken · Jan 6, 2016

Done

kuba · Jan 5, 2016

nit: you can squeeze this into the previous line

wteiken · Jan 6, 2016

Done

kuba · Jan 6, 2016

Forgot to push commits? To be clear, I meant: self.msg = DNS01(token=jose.decode_b64jose(\n

wteiken · Jan 6, 2016

Hah, I accidentally fixed another line instead that was similar. Will be fixed in the next merge.

kuba · Jan 5, 2016

Nice job, thanks! :) Couple of nits to fix, couple of idiomatic improvements and possibly-tricky-to-implement extras_require approach of declaring dnspython dependency before next round of review.

wteiken · Jan 6, 2016

Successfully tested the new library against the "Boulder=( +34c1b83 Tue Jan 5 22:16:57 UTC 2016)" staging server.

wteiken · Jan 6, 2016

I have made some progress isolating dnspython, it is now in a separate module which means challenges and challenges_test have no direct dependency on dnspython anymore (in fact, only calling simple_verify will have any issues without it). I moved the dependency to extras_require (via testing_extras).

The functional tests on travis-ci succeed, but lint and coverage fail (as they don't install the extras_require for 'testing'), see https://travis-ci.org/wteiken/letsencrypt/builds/100522564. So problem one will be to make these two get the right dependency.

Another question is how the tests for developers running the tests locally, both as part of the client install and as part of using the ACME client e.g., via PIP. I don't know enough about that part to make any predictions...

kuba · Jan 6, 2016

It seems that you haven't pushed commits with isolated dnspython. Intended?

For Travis, you will need to update tox.ini to call pip install -e acme[dns,testing] instead of just pip install -e acme[testing].

Yeah, we should have some kind of integration testing for the DNS challenge. All the other tests are at the core client (letsencrypt) level, rather than acme library (this might change in future, in order to get acme library separated from this repo, cf. #1958), so I just assumed you were going to create a follow-up PR with new DNS IPlugin and integration tests including deployment of local temporary DNS server.

wteiken · Jan 6, 2016

Yes, I am trying to have it pass checks first :-) I assume otherwise the chatter will be a lot higher for you.
I do the travis-cl tests from my fork, once that is done I will merge the change to the branch linked to the PR.

wteiken · Jan 6, 2016

K, this should work.

I was more wondering how the tests are run outside of travis. The new dns_resolver has a unit test that will of course fail if dnsresolver is not installed.... so there is probably some configuration to translate the option (dns) into which tests to include.

kuba · Jan 6, 2016

dns.resolver.query won't raise an import error - that error would happen at the top of the file (import dns.resolver)

wteiken · Jan 7, 2016

Yep, leftover from an earlier version. It seems the import must be global so the mocking works properly.

kuba · Jan 6, 2016

I wouldn't necessarily hide one import error using another import error, import dns (even if unused) will give a good guidance on which module is missing

wteiken · Jan 7, 2016

Thinking about it it seems that errors.Error is more appropriate.

kuba · Jan 6, 2016

NB One of the standard ways of dealing with optional deps I've seen around in other Python projects is:

try:
  import foo
except ImportError:
  # optionally logger.warning('all function depending on foo will not work because it's not importable')
  foo = None
...
def bar():
  if foo is None:
    raise Error('foo is necessary for bar to work, please install it')

Does anyone else have any ideas, suggestions?

kuba · Jan 7, 2016

In general, please restrict try block to minimum, ie. only from acme import dns_resolver line.

However, it's still not clear whether dns_resolver module approach is best to handle this PR (see main thread for my comment)

wteiken · Jan 7, 2016

Assuming in the long run the DNS interaction may be extended (e.g., checking DANE records for some future validation, or explicitly validating DNSSEC) I figured we might as well move the DNS specific code into a separate module anyway. I am more wondering if a little more should be pushed to the DNS specific file.

The other option of course would be to modularize this code and have challenge-specific files. That way the whole challenge handling could be loaded via an options file. But even then the DNS dependency only applies to simple_verify, which is not strictly needed even if DNS challenges are supported by the client.

kuba · Jan 10, 2016

BTW, if you follow the method I suggested above (catching ImportError), and mock Answer using mock.Mock rather than dns.rrset it should be possible to run tests in environments where dnspython is missing - which answers your question from #2061 (comment) and #2061 (comment)

kuba · Jan 31, 2016

Given DNS has landed in production (https://twitter.com/letsencrypt/status/689919523164721152) we probably want to have this merged ASAP. Will look into that after I come back from FOSDEM.

CyrilPeponnet · Feb 3, 2016

Works like a charm for me. Can't wait to have it merged in master :)

moshevds · Feb 13, 2016

I didn't find this PR before. I'm writing a plugin that needs this challenge, and started working on the ACME challenge myself in PR #2461. I'll test this code with my plugin and close my PR as it isn't needed.

moshevds · Feb 13, 2016

I'm not sure this should raise an error.
A failed self-verification produces a warning only, so perhaps this should also be a warning, followed by return False?

wteiken · Feb 13, 2016

Not sure. My idea was that if you do call self-verification you should have the extra library installed (i.e., code using the client should ensure the lib is installed). Returning false means "I tried the verification and it failed". That is not the case if the library is missing, in that case a precondition for the call is missing.

A "typical" client would have to abort trying to answer the challenge (assuming it will fail). And the client would not be able to determine if it is a problem that is solvable by creating a new challenge and trying to verify it.

Thoughts?

moshevds · Feb 13, 2016

I agree that "failed to do verification" is seperate from "verification failed". I'm not sure how to best indicate this...

kuba · Apr 11, 2016

raising an error here looks good to me, we might want to have a different class of errors, like MissingDependencyError

moshevds · Feb 13, 2016

self.key_authorization should be validation here

wteiken · Feb 13, 2016

I see your argument, but this matches all the other responses in the module. So I'd rather keep it this way (and maybe change it uniformly later, because I do agree that it would be helpful to see the actual expected string).

kuba · Apr 11, 2016

Agreed with @wteiken, we could potentially fix this in follow-up PR, but not here.

NB there is no security issue here as the challenge response is verified at the beginning of the function, so self.key_authorization at this point of the execution must be the same as in the validation

moshevds · Feb 13, 2016

Why return unicode here? DNS TXT records are not encoding aware so I think a string would be better.

wteiken · Feb 13, 2016

Mostly for compatibility with the HTTP version.

moshevds · Feb 13, 2016

The return value from this method becomes available in Authenticator plugins, and this way they will always need to encode it back to a string.

My thought that a string might be better mostly comes from the docstring of the abstract method:

   Subclasses must implement this method, but they are likely to
   return completely different data structures, depending on what's
   necessary to complete the challenge. Interepretation of that
   return value must be known to the caller.

I am tempted to say that even the validation_domain_name and other constants defined by the ACME specification could be returned here. (Thats what I did myself in 83fe5e8)

moshevds · Feb 13, 2016

If the subdomain does not exist NXDOMAIN is raised here, and that's not really an error, just the signal for "no result". Maybe add "except dns.resolver.NXDOMAIN: return []"?

wteiken · Feb 13, 2016

Sounds reasonable. Done.

moshevds · Feb 13, 2016

There is a small merge conflict with 86d6d27 but this code works great. Thanks.

I reviewed the code and it looks good to me. I hope this is merged soon :-)

moshevds · Feb 13, 2016

I uploaded my plugin that uses this pull request to https://github.com/moshevds/le_dnsupdate.

@kuba When do you think you will be able to look at this pullrequest?
Also, is there any interest in having a dnsupdate/RFC2136 plugin directly in the letsencrypt repository?

wteiken · Mar 6, 2016

@kuba Any idea when you'll have a chance to take another look to get this merged?

pde · Mar 12, 2016

@wteiken @kuba has been fairly busy with his day job; if we don't hear from him next week we'll see if someone else can land this...

mitchellrj · Mar 17, 2016

One I noticed while playing around with #2236 was that a dependency needs adding in setup.py for dnspython.

moshevds · Mar 17, 2016

Hi @mitchellrj,

The dnspython dependency is actually already added (you can see it at d842f26). It is only used for the simple_verify method, but there is no need to use that method in the client itself. #2505 is actually created to remove the one place the client currently uses it (the http manual plugin, your new dns manual plugin does not need to use simple_verify either).

siccegge · Apr 9, 2016

Hi!
@pde Any news on this?

kuba · Apr 10, 2016

I'm currently writing integration tests with Boulder to get this merged soon.

kuba · Apr 10, 2016

FYI my WIP branch which builds off @wteiken's code: https://github.com/kuba/letsencrypt/tree/dns-01.

kuba · Apr 10, 2016

Couple of PRs and bug fixing later, bd4a07a has all green (https://travis-ci.org/kuba/letsencrypt/builds/122090126) integration testing for dns-01. At least I know this PR is working... Will look at the code once again and send a new PR soon, stay tuned.

zh99998 · Apr 22, 2016

how will it handle hooks to dns provider?
does it compatible to letsencrypt.sh or https://github.com/AnalogJ/lexicon ?

siccegge · Apr 22, 2016

This is not at all about any client support but only the python library. If you program your tooling against the acme python library you can integrate with your DNS in any way you like.

zh99998 · Apr 22, 2016

It's really bad, consider implement it in CLI ?

if need a "standard" dns update method, here is a "nsupdate" program. although most of DNS service providers don't support RFC2136, There will be nsupdate-compatible program to do it, like AnalogJ/lexicon . It's much better than let every dns-01 user develop them own client.

moshevds · Apr 22, 2016

Hi @zh99998,

I have already implemented a RFC2136 plugin that works with this patch: https://github.com/moshevds/le_dnsupdate

When this DNS-01 support is merged I intend to create a pull request to get RFC2136 support into the standard client. So what you are suggesting is already underway. I have also seen efforts to create a "manual" plugin that works with DNS-01.

coveralls · Apr 25, 2016

Coverage decreased (-0.01%) to 98.638% when pulling 9396e92 on wteiken:add_dns01_challenge into 118e0d6 on letsencrypt:master.

coveralls · Apr 25, 2016

Coverage decreased (-0.01%) to 98.638% when pulling 9396e92 on wteiken:add_dns01_challenge into 118e0d6 on letsencrypt:master.

devth · Jun 2, 2016

What happened with this PR? Is something blocking this from being merged?

HLFH · Jun 3, 2016

cc @bmw

wteiken · Jun 5, 2016

Not exactly sure. Just waiting for somebody to merge...

cixelsyd · Jun 5, 2016

Definitely want to know when this is released.

bmw · Jun 7, 2016

Kuba almost single-handedly wrote the acme module so he was reviewing and building off this PR, however, he hasn't pushed any commits to his branch in over two months.

While most of the rest of the client team is focusing on nginx support. We'll see if we can get this reviewed for the next release.

Sorry for the delay everyone!

wteiken · Jun 14, 2016

You would have to compromise the DNS server used by the machine that does the verification so you control the required response, which is possible. But you could make the same argument for any of the controls. If you can compromise the DNS then you can have the domain resolve to your own server, and you can have your URL based verification request answered.

…

pde · Jul 12, 2016

@bmw we talked about whether adding a dnspython dependency would undermine our medium-term goal of having certbot-auto not require gcc and compilation steps. It appears that dnspython is purely Pythonic, so that's not a concern for merging this PR.

dropje86 · Jul 12, 2016

It might be a good idea to adjust the simple_verify() method to query the authoritative nameserver(s) of a domain, instead of the system configured ones. If there's for some reason delay in publishing the newly added records (due to zone transfers for example) the authoritative nameserver will respond with a NXDOMAIN which will be cached.

moshevds · Jul 12, 2016

@dropje86, Would you require the simple_verify method for something? If not, I now think any effort to improve on this particular method should not delay this PR any further. simple_verify should not be used by certbot anyway (but could be used by other users of the acme package), as you can read about here: #1586 (comment)

I thought about the suggestion you now make myself and I haven't decided about my opinion on it. Sure any sane ACME-based CA would do as you suggest, but that is not the (only) use-case for the acme package. Also: Any implementation improvement for this method is obviously a good idea, but creating a simple_verify that is fully hardened against potential external configurations seems to go counter to the very name of the method.

I am, among many others it seems, impatiently awaiting this PR to be land. I really hope that happens soon!

dropje86 · Jul 12, 2016

@moshevds totally agree that it shouldn't block the PR. Was just mentioning the downside of the current verification method implementation. For now I've packaged a local version with this PR merged, as it is explicitly what I need.

cixelsyd · Jul 13, 2016

Any updated ETA for the official DNS support this PR represents? As noted, many await with baited breath! mobile

…

pde · Jul 13, 2016

@cixelsyd yes it's scheduled for Certbot 0.9.0.

bmw · Jul 22, 2016

nit: Maybe we should remove the quotes around `"dns-01" to be consistent with the other challenge types.

bmw · Jul 22, 2016

nit: Maybe we should remove the quotes around `"dns-01" to be consistent with the other challenge types.

bmw · Jul 22, 2016

This should be :param JWK account_public_key:.

bmw · Jul 22, 2016

This kind of code makes me nervous. My understanding is that we'd have to start building two wheels of our packages, one for Python 2 and one for Python 3. It'd be nice to not have to do that if possible.

Looks like we're in luck though. Since version 1.12, dnspython supports both Python 2 and Python 3. This version of dnspython seems to be available everywhere that we are packaged. With this in mind, I think we should change this to remove the if statement and depend on dnspython>=1.12 allowing us to continue building a single wheel that should work everywhere. We should add a comment saying that version 1.12 is required to provide both Python 2 and Python 3 support.

EDIT: Another reason to do this is dnspython has continued to get updates while dnspython3 has not.

bmw · Jul 22, 2016

Other than a few tiny nits above, this LGTM. Looks like there's a merge conflict that needs to be fixed as well, but once these changes are made, I'll merge. Sorry again for the delay!

EDIT: Appending "[needs minor revision]" to the title. Please remove it when you'd like a final review.

wteiken · Jul 26, 2016

Thanks for the review, I'll try to address the open items this weekend.

coveralls · Aug 1, 2016

Changes Unknown when pulling b495d7e on wteiken:add_dns01_challenge into ** on certbot:master**.

wteiken · Aug 1, 2016

The latest update should address the comments and resolve the merge conflict.

coveralls · Aug 1, 2016

Coverage increased (+0.002%) to 98.815% when pulling b2505b9 on wteiken:add_dns01_challenge into 7ab09f5 on certbot:master.

coveralls · Aug 1, 2016

Coverage increased (+0.002%) to 98.815% when pulling b2505b9 on wteiken:add_dns01_challenge into 7ab09f5 on certbot:master.

bmw · Aug 1, 2016

LGTM. Thanks for this PR @wteiken and sorry again it sat around so long.

wteiken added some commits Jan 1, 2016

wteiken Initial verison of DNS-01 implementation 55ca1b4

wteiken - Lint fixes
- Add test for multiple TXT records returned - Add extra parameter in DNS01.validation to select hexdigit vs. bas64 encoded validation

ffc2b1e

wteiken referenced this pull request Jan 2, 2016
Closed
Implement DNS-01 in ACME library #2057

alex referenced this pull request Jan 2, 2016
Closed
Update DNS challenge code for the latest version of the ACME spec. #2052

wteiken Move dns record retrieval into a separate method.

7e2a153

wteiken Fix

64f3f53

pde added the acme label Jan 3, 2016

wteiken added some commits Jan 3, 2016

wteiken Documentation fixes.

97fb1a0

wteiken Style fix

74a9703

wteiken added some commits Jan 4, 2016

wteiken Remove non-compliant hexdigit encoding for dns-01 challenges (#2052 i…
…s now merged).
7747dc8

wteiken Merge branch 'test-add_dns01_challenge' into add_dns01_challenge

4b4447d

wteiken and others added some commits Jan 5, 2016

wteiken Style changes. b5bb906

wteiken Move txt_records_for_name out of class. 4403a78

wteiken - Move txt_records_for_domain out of class.
- Style fixes.

f090881

wteiken Remove superfluous except: and change Exception returned if dnspython…
… is not available.

02a4930

kuba self-assigned this Jan 11, 2016

wteiken added some commits Jan 14, 2016

wteiken Merge branch 'master' into add_dns01_challenge b9dafc2

wteiken Merge branch 'add_dns01_challenge' into test-add_dns01_challenge b65da1d

wteiken Fix lint problems.

c15581b

This was referenced Feb 13, 2016

Open

Support DNS challenges in the manual plugin #2236

Closed

dns-01 challenge and response #2461

wteiken Merge remote-tracking branch 'upstream/master' into add_dns01_challenge e8d09ea

wteiken Do not log an error when getting NXDOMAIN. 7c32715

lenovouser referenced this pull request in letsencrypt/boulder Mar 4, 2016
Open
Wildcard Certificate Support #21

mitchellrj added a commit to mitchellrj/letsencrypt that referenced this pull request Mar 17, 2016

mitchellrj Initial stab at letsencrypt/letsencrypt#2236, based on @wteiken's wor…
…k for letsencrypt/letsencrypt#2061.
294b068

moshevds referenced this pull request Mar 29, 2016
Closed
Fix DNS challenge name: dns -> dns-01 #2724

wteiken added some commits Apr 25, 2016

wteiken Merge branch 'master' into add_dns01_challenge

6196cf0

wteiken Fix lint issues.

9396e92

kuba was unassigned by wteiken May 6, 2016

mithrandi referenced this pull request in mithrandi/txacme May 7, 2016
Open
Implement dns-01 Route 53 responder #32

bmw added this to the 0.9.0 milestone Jun 7, 2016

bmw self-assigned this Jul 7, 2016

mithrandi referenced this pull request in mithrandi/txacme Jul 14, 2016
Open
Support dns-01 challenges #45

bmw changed the title from Add dns-01 challenge support to the ACME client to Add dns-01 challenge support to the ACME client [needs minor revision] Jul 22, 2016

bmw removed their assignment Jul 22, 2016

bmw referenced this pull request Jul 22, 2016
Open
Python 3 support for certonly #3269

pde referenced this pull request Jul 27, 2016
Open
Rationalise challenge and port selection flags #3343

wteiken Merge branch 'add_dns01_challenge' of github.com:wteiken/letsencrypt …
…into add_dns01_challenge

827c935

wteiken changed the title from Add dns-01 challenge support to the ACME client [needs minor revision] to Add dns-01 challenge support to the ACME client Aug 1, 2016

bmw merged commit eff181c into certbot:master Aug 1, 2016
2 checks passed

2 checks passed

Details continuous-integration/travis-ci/pr The Travis CI build passed

Details coverage/coveralls Coverage increased (+0.002%) to 98.815%

+    +
+    +    LABEL = "_acme-challenge"
+    +    """Label clients prepend to the domain name being validated."""
+    +
+    +    # FIXME: Remove extra parameter once #2052 is integrated
+    +    def validation(self, account_key, dns01_hexdigit_response=True, **unused_kwargs):
+    +        """Generate validation.
+    +
+    +        :param JWK account_key:
+    +        :rtype: unicode
+    +
+    +        """
+    +        key_authorization = self.key_authorization(account_key)
+    +        if dns01_hexdigit_response:
+    +            return hashlib.sha256(key_authorization).hexdigest()
+    +        return base64.urlsafe_b64encode(hashlib.sha256(key_authorization).digest())

+    +            performed!
+    +        :param JWK account_public_key:
+    +
+    +        :returns: ``True`` iff validation is successful, ``False``
+    +            otherwise.
+    +        :rtype: bool
+    +
+    +        """
+    +        if not self.verify(chall, account_public_key):
+    +            logger.debug("Verification of key authorization in response failed")
+    +            return False
+    +
+    +        validation_domain_name = chall.validation_domain_name(domain)
+    +        validation = chall.validation(account_public_key)
+    +        logger.debug("Verifying %s at %s...", chall.typ, validation_domain_name)
+    +        for txt_record in self.txt_records_for_domain(validation_domain_name):

+    +        :param JWK account_public_key:
+    +
+    +        :returns: ``True`` iff validation is successful, ``False``
+    +            otherwise.
+    +        :rtype: bool
+    +
+    +        """
+    +        if not self.verify(chall, account_public_key):
+    +            logger.debug("Verification of key authorization in response failed")
+    +            return False
+    +
+    +        validation_domain_name = chall.validation_domain_name(domain)
+    +        validation = chall.validation(account_public_key)
+    +        logger.debug("Verifying %s at %s...", chall.typ, validation_domain_name)
+    +        txt_records = self.txt_records_for_name(validation_domain_name)
+    +        if txt_records == None:

+    +        except dns.exception.DNSException as error:
+    +            logger.error("Unable to resolve %s: %s", name, error)
+    +            return None
+    +        return sum([rdata.strings for rdata in dns_response], [])
+    +
+    +    def simple_verify(self, chall, domain, account_public_key):
+    +        """Simple verify.
+    +
+    +        :param challenges.DNS01 chall: Corresponding challenge.
+    +        :param unicode domain: Domain name being verified.
+    +        :param account_public_key: Public key for the key pair
+    +            being authorized. If ``None`` key verification is not
+    +            performed!
+    +        :param JWK account_public_key:
+    +
+    +        :returns: ``True`` iff validation is successful, ``False``

+    +    typ = response_cls.typ
+    +
+    +    LABEL = "_acme-challenge"
+    +    """Label clients prepend to the domain name being validated."""
+    +
+    +    # FIXME: Remove extra parameter once #2052 is integrated
+    +    def validation(self, account_key, dns01_hexdigit_response=True, **unused_kwargs):
+    +        """Generate validation.
+    +
+    +        :param JWK account_key:
+    +        :rtype: unicode
+    +
+    +        """
+    +        key_authorization = self.key_authorization(account_key)
+    +        if dns01_hexdigit_response:
+    +            return hashlib.sha256(key_authorization).hexdigest()

certbot/certbot

Add dns-01 challenge support to the ACME client #2061

Labels

Milestone

Assignees

15 participants

Implement DNS-01 in ACME library #2057

Update DNS challenge code for the latest version of the ACME spec. #2052

Support DNS challenges in the manual plugin #2236

dns-01 challenge and response #2461

Wildcard Certificate Support #21

Fix DNS challenge name: dns -> dns-01 #2724

Implement dns-01 Route 53 responder #32

Support dns-01 challenges #45

Python 3 support for certonly #3269

Rationalise challenge and port selection flags #3343

2 checks passed

certbot/certbot

Add dns-01 challenge support to the ACME client #2061

Labels

Milestone

Assignees

15 participants

All checks have passed

2 checks passed