
Add dns-01 challenge support to the ACME client #2061

Merged
merged 47 commits into from Aug 1, 2016

Conversation

@wteiken
Contributor

wteiken commented Jan 2, 2016

Tested against a local dev version of the non-spec server, should also work against the soon-to-be-updated staging server.

wteiken added some commits Jan 2, 2016

- Lint fixes
- Add test for multiple TXT records returned
- Add extra parameter in DNS01.validation to select hexdigit vs. base64 encoded
  validation
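The two validation encodings named in the commit above, as an added example that is not code from the certbot/acme package: it derives the key authorization from a challenge token and the account key's RFC 7638 thumbprint, produces the dns-01 TXT value both in the base64url form the ACME spec uses and in the hex-digest form that pre-spec Boulder builds expected, and checks a constructed multi-record TXT answer for it (the case the "multiple TXT records" test commit refers to). All function names and the sample key are this example's own; the key is a short constructed stand-in, not a real RSA key.

```python
"""ACME dns-01 arithmetic: key authorization, TXT value, and the lookup check.

Added example; not code from the certbot/acme package. Function names and the
sample key are this example's own, and the key is a constructed stand-in,
not a real RSA key.
"""
import base64
import hashlib
import json

# Constructed JWK: the modulus is far too short to be a usable RSA key and
# exists only so the thumbprint arithmetic has something to work on.
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "ALpXkcQfOuXbVbwSJGlO3lsBYNfu_Xwj_zoMpoIFOE",
    "e": "AQAB",
    "alg": "RS256",  # optional member: must NOT influence the thumbprint
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses for every field."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only (lexicographic key order, no whitespace)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint(accountKey), the same string http-01 serves."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_validation(key_authz: str, hex_encoded: bool = False) -> str:
    """Content of the TXT record. The spec form is
    base64url(SHA-256(keyAuthorization)); hex_encoded=True gives the hex
    digest form that pre-spec Boulder builds expected (same 32 bytes)."""
    digest = hashlib.sha256(key_authz.encode("utf-8"))
    return digest.hexdigest() if hex_encoded else b64url(digest.digest())


def dns01_record_name(domain: str) -> str:
    """Owner name of the TXT record the CA queries."""
    return f"_acme-challenge.{domain}"


def encodings_agree(key_authz: str) -> bool:
    """Cross-check: both encodings must decode to the same 32-byte digest."""
    b64 = dns01_validation(key_authz)
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    return raw == bytes.fromhex(dns01_validation(key_authz, hex_encoded=True))


def txt_strings(rdata_list) -> list:
    """Flatten TXT rdata the way dnspython hands it back (a tuple of byte
    strings per record) into one Python string per record."""
    return [b"".join(parts).decode("utf-8") for parts in rdata_list]


def dns01_check(answer_strings, expected: str) -> bool:
    """True iff the expected value is one of the TXT strings at the name.
    Several records at _acme-challenge are normal (leftovers from earlier
    orders, or one record per name in a multi-name order), so the check is
    membership, not equality with a single record."""
    return expected in answer_strings


def demo(token: str = "tok-4dx9", domain: str = "example.com") -> dict:
    ka = key_authorization(token, SAMPLE_JWK)
    expected = dns01_validation(ka)
    # Constructed answer: a stale record, an unrelated one, and ours.
    constructed_answer = [(b"5Ljq-stale-from-last-week",), (b"v=spf1 -all",),
                          (expected.encode("ascii"),)]
    return {
        "name": dns01_record_name(domain),
        "value": expected,
        "ok": dns01_check(txt_strings(constructed_answer), expected),
        "ok_without_record": dns01_check(txt_strings(constructed_answer[:2]), expected),
    }
```

The thumbprint deliberately ignores the optional `alg` member: two JWKs that differ only in optional members are the same account key and must yield the same key authorization, otherwise a client that round-trips its key through a library that adds or drops such members would publish a TXT value the CA cannot match.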
@alex

Collaborator

alex commented Jan 2, 2016

Not sure if it's a bug here or a bug in boulder or a bug in my code, but running https://github.com/alex/letsencrypt-aws/ I pass simple_verify but get an error back from the staging server.

@wteiken

Contributor

wteiken commented Jan 2, 2016

For dns-01 validations? The staging server does not support that yet; it’s on an older branch without DNS-01 support. I had to run my tests against a local server to verify it works.

@alex

Collaborator

alex commented Jan 2, 2016

Ah, for some reason I thought staging had DNS-01 deployed. Sorry for the noise, thanks for working on this!

@wteiken

Contributor

wteiken commented Jan 2, 2016

I actually ran into the same problem and was pulling out my hair before I realized where the problem was.

Just in case you are not aware of it: https://acme-staging.api.letsencrypt.org/build tells you the running build.


@pde pde added the area: acme label Jan 3, 2016

@kuba

Contributor

kuba commented Jan 5, 2016

Nice job, thanks! :) Couple of nits to fix, couple of idiomatic improvements and possibly-tricky-to-implement extras_require approach of declaring dnspython dependency before next round of review.

@wteiken

Contributor

wteiken commented Jan 6, 2016

Successfully tested the new library against the "Boulder=( +34c1b83 Tue Jan 5 22:16:57 UTC 2016)" staging server.

wteiken added some commits Jan 6, 2016

Move dnspython dependency to tests only and only import the dns.resolver when
actually resolving the client.  That way user code that does not call
'simple_verify' for DNS01 challenges does not depend on dnspython.
@bmw

Contributor

bmw commented Jun 7, 2016

Kuba almost single-handedly wrote the acme module so he was reviewing and building off this PR, however, he hasn't pushed any commits to his branch in over two months.

While most of the rest of the client team is focusing on nginx support, we'll see if we can get this reviewed for the next release.

Sorry for the delay everyone!

@bmw bmw added this to the 0.9.0 milestone Jun 7, 2016

@wteiken

Contributor

wteiken commented Jun 14, 2016

You would have to compromise the DNS server used by the machine that does the verification so you control the required response, which is possible.

But you could make the same argument for any of the controls. If you can compromise the DNS then you can have the domain resolve to your own server, and you can have your URL based verification request answered.

On Jun 13, 2016, at 4:55 PM, Jake notifications@github.com wrote:

can this even happen without DNSSEC? Otherwise if you figure out what IP is requesting the TXT record you could spoof it.

@bmw bmw self-assigned this Jul 7, 2016

@pde

Member

pde commented Jul 12, 2016

@bmw we talked about whether adding a dnspython dependency would undermine our medium-term goal of having certbot-auto not require gcc and compilation steps. It appears that dnspython is purely Pythonic, so that's not a concern for merging this PR.

@dropje86

dropje86 commented Jul 12, 2016

It might be a good idea to adjust the simple_verify() method to query the authoritative nameserver(s) of a domain, instead of the system configured ones. If there's for some reason delay in publishing the newly added records (due to zone transfers for example) the authoritative nameserver will respond with a NXDOMAIN which will be cached.
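One way to implement the check dropje86 describes, as an added example that is not the acme package's own simple_verify: it walks up from the record name to find the zone's NS set, queries each authoritative server directly for the TXT record, and reports per server whether the answer was authoritative and contained the value, so a secondary that has not received the zone transfer yet shows up by name rather than as an intermittent failure. The function names, the split into injectable lookup callables and the fake zone are this example's assumptions; the dnspython calls in the two live helpers are the library's real API (dnspython 2.x, where `resolver.query` became `resolver.resolve`).

```python
"""dns-01 check against the zone's authoritative servers, not the local resolver.

Added example; not code from the acme package. Function names are this
example's own; the dnspython calls are the real library API (dnspython >= 2.0).
The fake zone at the bottom is constructed so the checker can run offline.
"""
from typing import Callable, Dict, List, Tuple

NsLookup = Callable[[str], List[Tuple[str, str]]]        # zone -> [(ns name, ns ip)]
TxtQuery = Callable[[str, str], Tuple[bool, List[str]]]  # (ns ip, name) -> (aa, strings)


def find_zone(name: str, ns_lookup: NsLookup) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk from the name itself up towards the root and return the first
    label cut that has NS records. Starting at the name itself matters:
    some operators delegate _acme-challenge.<domain> to a separate zone."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        servers = ns_lookup(zone)
        if servers:
            return zone, servers
    raise LookupError(f"no NS records for {name} or any parent")


def authoritative_txt_check(name: str, expected: str,
                            ns_lookup: NsLookup, txt_query: TxtQuery
                            ) -> Tuple[bool, Dict[str, Tuple[bool, bool]]]:
    """Ask every authoritative server for the zone directly.

    Passes only if each server answers with the AA bit set and lists the
    expected string. Going around the recursive resolver means a negative
    answer it cached before the record was published cannot hide the record,
    and a lagging secondary shows up as a named failure in the report."""
    _, servers = find_zone(name, ns_lookup)
    report: Dict[str, Tuple[bool, bool]] = {}
    for ns_name, ns_ip in servers:
        try:
            aa, strings = txt_query(ns_ip, name)
        except Exception:  # timeout, refused, malformed: count as a miss
            aa, strings = False, []
        report[ns_name] = (aa, expected in strings)
    ok = bool(report) and all(aa and found for aa, found in report.values())
    return ok, report


# Live lookups built on dnspython, imported lazily so the offline demo and
# the tests do not need the package installed.

def dnspython_ns_lookup(zone: str) -> List[Tuple[str, str]]:
    import dns.resolver
    try:
        answer = dns.resolver.resolve(zone, "NS")
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN, dns.resolver.NoNameservers):
        return []
    servers = []
    for rr in answer:
        ns_name = rr.target.to_text()
        for a in dns.resolver.resolve(ns_name, "A"):
            servers.append((ns_name, a.address))
    return servers


def dnspython_txt_query(ns_ip: str, name: str) -> Tuple[bool, List[str]]:
    import dns.flags
    import dns.message
    import dns.query
    import dns.rdatatype
    query = dns.message.make_query(name, dns.rdatatype.TXT)
    response = dns.query.udp(query, ns_ip, timeout=5)
    aa = bool(response.flags & dns.flags.AA)
    strings = [b"".join(rdata.strings).decode("utf-8")
               for rrset in response.answer if rrset.rdtype == dns.rdatatype.TXT
               for rdata in rrset]
    return aa, strings


# Constructed zone for an offline run: documentation addresses, not real
# servers. ns2 is a secondary that has not picked up the new record yet.

FAKE_NS = {"example.com": [("ns1.example.com", "192.0.2.1"),
                           ("ns2.example.com", "192.0.2.2")]}
FAKE_TXT: Dict[Tuple[str, str], Tuple[bool, List[str]]] = {
    ("192.0.2.1", "_acme-challenge.example.com"): (True, ["EXPECTED-VALUE", "old"]),
    ("192.0.2.2", "_acme-challenge.example.com"): (True, []),
}


def fake_ns_lookup(zone: str) -> List[Tuple[str, str]]:
    return FAKE_NS.get(zone, [])


def fake_txt_query(ns_ip: str, name: str) -> Tuple[bool, List[str]]:
    return FAKE_TXT.get((ns_ip, name), (False, []))


def demo() -> Tuple[bool, Dict[str, Tuple[bool, bool]]]:
    return authoritative_txt_check("_acme-challenge.example.com", "EXPECTED-VALUE",
                                   fake_ns_lookup, fake_txt_query)
```

Requiring the AA bit is what keeps this from silently degrading into the resolver-based check: if an NS record points at a host that forwards to a recursive resolver, the reply comes back without AA and the check fails loudly instead of trusting a possibly cached answer. It is a client-side pre-flight only; what the CA itself resolves, and from where, is outside the client's control.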

@moshevds

Contributor

moshevds commented Jul 12, 2016

@dropje86, Would you require the simple_verify method for something? If not, I now think any effort to improve on this particular method should not delay this PR any further. simple_verify should not be used by certbot anyway (but could be used by other users of the acme package), as you can read about here: #1586 (comment)

I thought about the suggestion you now make myself and I haven't decided about my opinion on it. Sure any sane ACME-based CA would do as you suggest, but that is not the (only) use-case for the acme package. Also: Any implementation improvement for this method is obviously a good idea, but creating a simple_verify that is fully hardened against potential external configurations seems to go counter to the very name of the method.

I am, among many others it seems, impatiently awaiting this PR to land. I really hope that happens soon!

@dropje86

dropje86 commented Jul 12, 2016

@moshevds totally agree that it shouldn't block the PR. Was just mentioning the downside of the current verification method implementation. For now I've packaged a local version with this PR merged, as it is explicitly what I need.

@cixelsyd

cixelsyd commented Jul 13, 2016

Any updated ETA for the official DNS support this PR represents? As noted, many await with bated breath!

@pde

Member

pde commented Jul 13, 2016

@cixelsyd yes it's scheduled for Certbot 0.9.0.

@mithrandi mithrandi referenced this pull request Jul 14, 2016

Closed

Support dns-01 challenges #45

@bmw

Contributor

bmw commented Jul 22, 2016

Other than a few tiny nits above, this LGTM. Looks like there's a merge conflict that needs to be fixed as well, but once these changes are made, I'll merge. Sorry again for the delay!

EDIT: Appending "[needs minor revision]" to the title. Please remove it when you'd like a final review.

@bmw bmw changed the title from Add dns-01 challenge support to the ACME client to Add dns-01 challenge support to the ACME client [needs minor revision] Jul 22, 2016

@bmw bmw removed their assignment Jul 22, 2016

@bmw bmw referenced this pull request Jul 22, 2016

Merged

Python 3 support for certonly #3269

@wteiken

Contributor

wteiken commented Jul 26, 2016

Thanks for the review, I'll try to address the open items this weekend.

@coveralls

coveralls commented Aug 1, 2016

Coverage Status

Changes Unknown when pulling b495d7e on wteiken:add_dns01_challenge into * on certbot:master*.

Switch to always using dnspython (requires dnspython>=1.12).
Also, address some documentation nits.
@wteiken

Contributor

wteiken commented Aug 1, 2016

The latest update should address the comments and resolve the merge conflict.

@wteiken wteiken changed the title from Add dns-01 challenge support to the ACME client [needs minor revision] to Add dns-01 challenge support to the ACME client Aug 1, 2016

@coveralls

coveralls commented Aug 1, 2016

Coverage Status

Coverage increased (+0.002%) to 98.815% when pulling b2505b9 on wteiken:add_dns01_challenge into 7ab09f5 on certbot:master.

@bmw

Contributor

bmw commented Aug 1, 2016

LGTM. Thanks for this PR @wteiken and sorry again it sat around so long.

@bmw bmw merged commit eff181c into certbot:master Aug 1, 2016

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
coverage/coveralls Coverage increased (+0.002%) to 98.815%

@wteiken wteiken deleted the wteiken:add_dns01_challenge branch Aug 6, 2016

@WhyNotHugo

WhyNotHugo commented Aug 20, 2016

Is it possible that documentation is missing for this PR? I haven't been able to figure out how to use certbot with the dns-01 challenge, either from the docs, or looking at this PR.

Scrub that, #3379 is what I was looking for.

@pde pde removed the has pr label Oct 6, 2016

@bmw bmw referenced this pull request Oct 10, 2016

Closed

Python 3 and dnspython #3603

@brianjmurrell

brianjmurrell commented Nov 21, 2016

Hopefully I am not going to try too many people's patience with this question, but is this the patch that will give the certbot client the ability to request certificates using the dns-01 challenge method automatically? i.e. by populating DNS with the challenge?

@@ -231,8 +298,8 @@ def simple_verify(self, chall, domain, account_public_key, port=None):
being authorized.
:param int port: Port used in the validation.
:returns: ``True`` iff validation is successful, ``False``
otherwise.
:returns: ``True`` iff validation with the files currently served by the
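Review bot: the hunk as rendered shows two `:returns:` fields in the simple_verify docstring (`:returns: ``True`` iff validation is successful, ``False``` / `otherwise.` and `:returns: ``True`` iff validation with the files currently served by the`); the +/- markers did not survive extraction here, so confirm that only the new field is present in the committed docstring, since a duplicated `:returns:` renders as two Returns entries in Sphinx. The "iff" is the intended "if and only if", so the "``False`` otherwise" clause is consistent with it; the second field stops mid-sentence at "served by the" in this excerpt, and the wording should be checked against the rest of the hunk before merging.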

@ad-m

ad-m Jan 13, 2017

Typo iff. It should be if.

@ad-m

ad-m Jan 13, 2017

@bmw , I'm sorry. Thanks for the link!

@bmw

Contributor

bmw Jan 13, 2017

No worries. Thanks for commenting about a potential typo.

@WhyNotHugo

WhyNotHugo Jan 13, 2017

In that case, the otherwise sounds somewhat redundant.

@jpoa jpoa referenced this pull request Feb 4, 2017

Closed

DNS-01 Challenge #15
