
--dns flag ignored after core refactor #730

Closed
justinludwig opened this issue Dec 9, 2018 · 8 comments · Fixed by #741

Comments

@justinludwig

Just got the latest code (42941cc), and tried to run the lego command I usually run to update a cert via dns challenge, but it failed with a bunch of errors related to the tls solver (appearing to ignore the --dns flag). I rolled back to the previous commit (4e842a5), and everything worked without errors as normal.

This is the command I ran (with a couple example.com domain names in place of the dozen or so real domain names I used):

export AWS_DEFAULT_REGION=us-west-2
export AWS_ACCESS_KEY_ID=my-id
export AWS_SECRET_ACCESS_KEY=my-key

lego -a --dns=route53 --path=/home/me/my-certs --email=me@example.com --domains=example.com --domains=www.example.com run

And this is the output from the failure with the latest code:

2018/12/08 15:52:45 [INFO] [example.com, www.example.com] acme: Obtaining bundled SAN certificate
2018/12/08 15:52:46 [INFO] [www.example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/ABC123
2018/12/08 15:52:46 [INFO] [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/DEF456
2018/12/08 15:52:46 [INFO] [www.example.com] acme: Could not find solver for: tls-sni-01
2018/12/08 15:52:46 [INFO] [www.example.com] acme: use tls-alpn-01 solver
2018/12/08 15:52:46 [INFO] [example.com] acme: Could not find solver for: tls-sni-01
2018/12/08 15:52:46 [INFO] [example.com] acme: use tls-alpn-01 solver
2018/12/08 15:52:46 [INFO] [www.example.com] acme: Trying to solve TLS-ALPN-01
2018/12/08 15:52:49 [INFO] [example.com] acme: Trying to solve TLS-ALPN-01
2018/12/08 15:52:51 Could not obtain certificates: acme: Error -> One or more domains had a problem:
[www.example.com] [www.example.com] acme: error presenting token: could not start HTTPS server for challenge -> listen tcp :443: bind: permission denied
[example.com] [example.com] acme: error presenting token: could not start HTTPS server for challenge -> listen tcp :443: bind: permission denied
@ldez
Member

ldez commented Dec 9, 2018

Now you have to explicitly exclude HTTP01 and TLSALPN01: -x http-01 -x tls-alpn-01

@ldez ldez added the question label Dec 9, 2018
@mholt
Contributor

mholt commented Dec 9, 2018

On this note, I think it might be good to disable those automatically when using the DNS challenge. They seem mutually exclusive in 99.9% of use cases.

@ldez
Member

ldez commented Dec 9, 2018

Before my PR it was not possible to use DNS01 (for wildcard) and HTTP01. I think we need to be able to mix all challenges. I have removed the limitation for that.

@mholt
Contributor

mholt commented Dec 9, 2018

To clarify: I'm OK with that -- but I am curious if anyone is using both DNS challenges and the HTTP challenge in the same command. (Caddy treats them mutually exclusively, with no complaints -- so I am interested in seeing if we're missing something.)

@ldez
Member

ldez commented Dec 9, 2018

Traefik treats them mutually exclusively also, but we have users who want that: traefik/traefik#3378

@justinludwig
Author

@ldez Thanks for the quick reply, and explaining the correct usage with the latest code. It's pretty nifty that you can mix DNS and HTTP-based challenges with lego now.

Perhaps for backwards compatibility, it would be better to continue interpreting the --dns flag as excluding other challenges by default, and add a new flag that overrides that default (maybe something like an --includes flag)? That would allow the old way of using DNS challenges exclusively to continue to work unchanged (ie by running lego --email=me@example.com --domains=example.com --dns=my-provider run), but enable the new capability of combining DNS with other challenge types via that new flag (ie something like lego --email=me@example.com --domains=example.com --dns=my-provider --include=dns-01 --include=http-01 --include=tls-alpn-01 run).
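
As an added example (not lego's own code), a POSIX sh wrapper that implements the backwards-compatible default proposed above: when `--dns` is present it appends the `-x http-01 -x tls-alpn-01` exclusions from the earlier reply, unless the caller opts into mixing challenges with the hypothetical `--include=<challenge>` flag, in which case only the challenges not listed are excluded. It assumes the caller passes lego's global flags only (the `run` subcommand is appended afterwards), and keeping a DNS-only run from ever touching :80/:443 is what lets lego stay unprivileged instead of hitting the `bind: permission denied` seen in the log.

```shell
#!/bin/sh
# Added example, not part of the lego project. Rewrites a list of lego global
# flags so that "--dns" keeps its old meaning of "DNS-01 only" unless the
# hypothetical "--include=<challenge>" flag (proposed in this thread, not a real
# lego flag) explicitly enables other challenge types. "-x <challenge>" is
# lego's real exclusion flag as quoted in the thread.
lego_dns_args() {
    dns_set=0
    includes=""
    out=""
    for arg in "$@"; do
        case "$arg" in
            --dns|--dns=*) dns_set=1; out="$out $arg" ;;
            # Hypothetical flag: consume it here so lego never sees it.
            --include=*) includes="$includes ${arg#--include=}" ;;
            *) out="$out $arg" ;;
        esac
    done
    if [ "$dns_set" -eq 1 ]; then
        # Old default: --dns alone means DNS-01 only, so no listener on :80/:443.
        [ -n "$includes" ] || includes="dns-01"
        for c in dns-01 http-01 tls-alpn-01; do
            case " $includes " in
                *" $c "*) ;;             # explicitly included: leave it enabled
                *) out="$out -x $c" ;;   # not included: tell lego to skip it
            esac
        done
    fi
    printf '%s\n' "${out# }"
}

# Usage: lego $(lego_dns_args --dns=route53 --email=me@example.com --domains=example.com) run
```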

@ldez
Member

ldez commented Dec 10, 2018

The changes performed in #700 are breaking; that is the goal of this PR.

I recommend using the binaries or the Docker images that we produce instead of building from master.

@ldez
Member

ldez commented Dec 19, 2018

I will spend some time refactoring the way the challenges are managed before the v2.0 release.
