fix: update lego.

2019-01-11 16:22:03 +01:00 · 2019-01-11 16:22:03 +01:00 · 227fab3867
parent 9537449b07
commit 227fab3867
11 changed files with 107 additions and 73 deletions
--- a/Gopkg.lock
+++ b/Gopkg.lock
@ -1704,8 +1704,7 @@
  revision = "0c8571ac0ce161a5feb57375a9cdf148c98c0f70"

 [[projects]]
-  branch = "master"
-  digest = "1:f3f9f7b883b89edc06283285964a8125b15f31c1634a8ccb2860c8c8b3f6231d"
+  digest = "1:9eab86777ed6cf496e7659b9c67a0b7ebd1d76f55e1771f8bf52fb68f5f2d040"
  name = "github.com/xenolf/lego"
  packages = [
    "acme",
@ -1784,7 +1783,8 @@
    "registration",
  ]
  pruneopts = "NUT"
-  revision = "43401f2475dd1f6cc2e220908f0caba246ea854e"
+  revision = "86c9de3db61436d07de2471508067f18c16c1997"
+  version = "v2.0.1"

 [[projects]]
  branch = "master"
@ -2363,7 +2363,6 @@
    "github.com/vulcand/oxy/ratelimit",
    "github.com/vulcand/oxy/roundrobin",
    "github.com/vulcand/oxy/utils",
-    "github.com/xenolf/lego/acme",
    "github.com/xenolf/lego/certcrypto",
    "github.com/xenolf/lego/certificate",
    "github.com/xenolf/lego/challenge",
--- a/Gopkg.toml
+++ b/Gopkg.toml
@ -178,9 +178,9 @@
  name = "github.com/vulcand/oxy"

 [[constraint]]
-  branch = "master"
+#  branch = "master"
  name = "github.com/xenolf/lego"
-#  version = "1.0.0"
+  version = "2.0.1"

 [[constraint]]
  name = "google.golang.org/grpc"
--- a/acme/acme.go
+++ b/acme/acme.go
@ -423,7 +423,7 @@ func (a *ACME) buildACMEClient(account *Account) (*lego.Client, error) {

 	config := lego.NewConfig(account)
 	config.CADirURL = caServer
-	config.KeyType = account.KeyType
+	config.Certificate.KeyType = account.KeyType
 	config.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version)

 	client, err := lego.NewClient(config)
--- a/provider/acme/provider.go
+++ b/provider/acme/provider.go
@ -250,7 +250,7 @@ func (p *Provider) getClient() (*lego.Client, error) {

 	config := lego.NewConfig(account)
 	config.CADirURL = caServer
-	config.KeyType = account.KeyType
+	config.Certificate.KeyType = account.KeyType
 	config.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version)

 	client, err := lego.NewClient(config)
--- a/vendor/github.com/xenolf/lego/acme/api/internal/sender/useragent.go
+++ b/vendor/github.com/xenolf/lego/acme/api/internal/sender/useragent.go
@ -5,10 +5,10 @@ package sender

 const (
 	// ourUserAgent is the User-Agent of this underlying library package.
-	ourUserAgent = "xenolf-acme/1.2.1"
+	ourUserAgent = "xenolf-acme/2.0.1"

 	// ourUserAgentComment is part of the UA comment linked to the version status of this underlying library package.
 	// values: detach|release
 	// NOTE: Update this with each tagged release.
-	ourUserAgentComment = "detach"
+	ourUserAgentComment = "release"
 )
--- a/vendor/github.com/xenolf/lego/certificate/certificates.go
+++ b/vendor/github.com/xenolf/lego/certificate/certificates.go
@ -17,6 +17,7 @@ import (
 	"github.com/xenolf/lego/certcrypto"
 	"github.com/xenolf/lego/challenge"
 	"github.com/xenolf/lego/log"
+	"github.com/xenolf/lego/platform/wait"
 	"golang.org/x/crypto/ocsp"
 	"golang.org/x/net/idna"
 )
@ -60,17 +61,24 @@ type resolver interface {
 	Solve(authorizations []acme.Authorization) error
 }

-type Certifier struct {
-	core     *api.Core
-	keyType  certcrypto.KeyType
-	resolver resolver
+type CertifierOptions struct {
+	KeyType certcrypto.KeyType
+	Timeout time.Duration
 }

-func NewCertifier(core *api.Core, keyType certcrypto.KeyType, resolver resolver) *Certifier {
+// Certifier A service to obtain/renew/revoke certificates.
+type Certifier struct {
+	core     *api.Core
+	resolver resolver
+	options  CertifierOptions
+}
+
+// NewCertifier creates a Certifier.
+func NewCertifier(core *api.Core, resolver resolver, options CertifierOptions) *Certifier {
 	return &Certifier{
 		core:     core,
-		keyType:  keyType,
 		resolver: resolver,
+		options:  options,
 	}
 }

@ -191,7 +199,7 @@ func (c *Certifier) ObtainForCSR(csr x509.CertificateRequest, bundle bool) (*Res
 func (c *Certifier) getForOrder(domains []string, order acme.ExtendedOrder, bundle bool, privateKey crypto.PrivateKey, mustStaple bool) (*Resource, error) {
 	if privateKey == nil {
 		var err error
-		privateKey, err = certcrypto.GeneratePrivateKey(c.keyType)
+		privateKey, err = certcrypto.GeneratePrivateKey(c.options.KeyType)
 		if err != nil {
 			return nil, err
 		}
@ -237,9 +245,9 @@ func (c *Certifier) getForCSR(domains []string, order acme.ExtendedOrder, bundle

 	if respOrder.Status == acme.StatusValid {
 		// if the certificate is available right away, short cut!
-		ok, err := c.checkResponse(respOrder, certRes, bundle)
-		if err != nil {
-			return nil, err
+		ok, errR := c.checkResponse(respOrder, certRes, bundle)
+		if errR != nil {
+			return nil, errR
 		}

 		if ok {
@ -247,34 +255,26 @@ func (c *Certifier) getForCSR(domains []string, order acme.ExtendedOrder, bundle
 		}
 	}

-	return c.waitForCertificate(certRes, order.Location, bundle)
-}
-
-func (c *Certifier) waitForCertificate(certRes *Resource, orderURL string, bundle bool) (*Resource, error) {
-	stopTimer := time.NewTimer(30 * time.Second)
-	defer stopTimer.Stop()
-	retryTick := time.NewTicker(500 * time.Millisecond)
-	defer retryTick.Stop()
-
-	for {
-		select {
-		case <-stopTimer.C:
-			return nil, errors.New("certificate polling timed out")
-		case <-retryTick.C:
-			order, err := c.core.Orders.Get(orderURL)
-			if err != nil {
-				return nil, err
-			}
-
-			done, err := c.checkResponse(order, certRes, bundle)
-			if err != nil {
-				return nil, err
-			}
-			if done {
-				return certRes, nil
-			}
-		}
+	timeout := c.options.Timeout
+	if c.options.Timeout <= 0 {
+		timeout = 30 * time.Second
 	}
+
+	err = wait.For("certificate", timeout, timeout/60, func() (bool, error) {
+		ord, errW := c.core.Orders.Get(order.Location)
+		if errW != nil {
+			return false, errW
+		}
+
+		done, errW := c.checkResponse(ord, certRes, bundle)
+		if errW != nil {
+			return false, errW
+		}
+
+		return done, nil
+	})
+
+	return certRes, err
 }

 // checkResponse checks to see if the certificate is ready and a link is contained in the response.
--- a/vendor/github.com/xenolf/lego/lego/client.go
+++ b/vendor/github.com/xenolf/lego/lego/client.go
@ -53,9 +53,10 @@ func NewClient(config *Config) (*Client, error) {
 	solversManager := resolver.NewSolversManager(core)

 	prober := resolver.NewProber(solversManager)
+	certifier := certificate.NewCertifier(core, prober, certificate.CertifierOptions{KeyType: config.Certificate.KeyType, Timeout: config.Certificate.Timeout})

 	return &Client{
-		Certificate:  certificate.NewCertifier(core, config.KeyType, prober),
+		Certificate:  certifier,
 		Challenge:    solversManager,
 		Registration: registration.NewRegistrar(core, config.User),
 		core:         core,
--- a/vendor/github.com/xenolf/lego/lego/client_config.go
+++ b/vendor/github.com/xenolf/lego/lego/client_config.go
@ -35,22 +35,30 @@ const (
 )

 type Config struct {
-	CADirURL   string
-	User       registration.User
-	KeyType    certcrypto.KeyType
-	UserAgent  string
-	HTTPClient *http.Client
+	CADirURL    string
+	User        registration.User
+	UserAgent   string
+	HTTPClient  *http.Client
+	Certificate CertificateConfig
 }

 func NewConfig(user registration.User) *Config {
 	return &Config{
 		CADirURL:   LEDirectoryProduction,
 		User:       user,
-		KeyType:    certcrypto.RSA2048,
 		HTTPClient: createDefaultHTTPClient(),
+		Certificate: CertificateConfig{
+			KeyType: certcrypto.RSA2048,
+			Timeout: 30 * time.Second,
+		},
 	}
 }

+type CertificateConfig struct {
+	KeyType certcrypto.KeyType
+	Timeout time.Duration
+}
+
 // createDefaultHTTPClient Creates an HTTP client with a reasonable timeout value
 // and potentially a custom *x509.CertPool
 // based on the caCertificatesEnvVar environment variable (see the `initCertPool` function)
--- a/vendor/github.com/xenolf/lego/providers/dns/gcloud/googlecloud.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/gcloud/googlecloud.go
@ -55,10 +55,12 @@ type DNSProvider struct {
 // Project name must be passed in the environment variable: GCE_PROJECT.
 // A Service Account file can be passed in the environment variable: GCE_SERVICE_ACCOUNT_FILE
 func NewDNSProvider() (*DNSProvider, error) {
+	// Use a service account file if specified via environment variable.
 	if saFile, ok := os.LookupEnv("GCE_SERVICE_ACCOUNT_FILE"); ok {
 		return NewDNSProviderServiceAccount(saFile)
 	}

+	// Use default credentials.
 	project := os.Getenv("GCE_PROJECT")
 	return NewDNSProviderCredentials(project)
 }
@ -94,15 +96,20 @@ func NewDNSProviderServiceAccount(saFile string) (*DNSProvider, error) {
 		return nil, fmt.Errorf("googlecloud: unable to read Service Account file: %v", err)
 	}

-	// read project id from service account file
-	var datJSON struct {
-		ProjectID string `json:"project_id"`
+	// If GCE_PROJECT is non-empty it overrides the project in the service
+	// account file.
+	project := os.Getenv("GCE_PROJECT")
+	if project == "" {
+		// read project id from service account file
+		var datJSON struct {
+			ProjectID string `json:"project_id"`
+		}
+		err = json.Unmarshal(dat, &datJSON)
+		if err != nil || datJSON.ProjectID == "" {
+			return nil, fmt.Errorf("googlecloud: project ID not found in Google Cloud Service Account file")
+		}
+		project = datJSON.ProjectID
 	}
-	err = json.Unmarshal(dat, &datJSON)
-	if err != nil || datJSON.ProjectID == "" {
-		return nil, fmt.Errorf("googlecloud: project ID not found in Google Cloud Service Account file")
-	}
-	project := datJSON.ProjectID

 	conf, err := google.JWTConfigFromJSON(dat, dns.NdevClouddnsReadwriteScope)
 	if err != nil {
--- a/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go
@ -22,16 +22,19 @@ type Config struct {
 	PropagationTimeout time.Duration
 	PollingInterval    time.Duration
 	TTL                int
+	SequenceInterval   time.Duration
+	DNSTimeout         time.Duration
 }

 // NewDefaultConfig returns a default configuration for the DNSProvider
 func NewDefaultConfig() *Config {
 	return &Config{
-		TSIGAlgorithm: env.GetOrDefaultString("RFC2136_TSIG_ALGORITHM", dns.HmacMD5),
-		TTL:           env.GetOrDefaultInt("RFC2136_TTL", dns01.DefaultTTL),
-		PropagationTimeout: env.GetOrDefaultSecond("RFC2136_PROPAGATION_TIMEOUT",
-			env.GetOrDefaultSecond("RFC2136_TIMEOUT", 60*time.Second)),
-		PollingInterval: env.GetOrDefaultSecond("RFC2136_POLLING_INTERVAL", 2*time.Second),
+		TSIGAlgorithm:      env.GetOrDefaultString("RFC2136_TSIG_ALGORITHM", dns.HmacMD5),
+		TTL:                env.GetOrDefaultInt("RFC2136_TTL", dns01.DefaultTTL),
+		PropagationTimeout: env.GetOrDefaultSecond("RFC2136_PROPAGATION_TIMEOUT", env.GetOrDefaultSecond("RFC2136_TIMEOUT", 60*time.Second)),
+		PollingInterval:    env.GetOrDefaultSecond("RFC2136_POLLING_INTERVAL", 2*time.Second),
+		SequenceInterval:   env.GetOrDefaultSecond("RFC2136_SEQUENCE_INTERVAL", dns01.DefaultPropagationTimeout),
+		DNSTimeout:         env.GetOrDefaultSecond("RFC2136_DNS_TIMEOUT", 10*time.Second),
 	}
 }

@ -102,13 +105,19 @@ func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
 	return d.config.PropagationTimeout, d.config.PollingInterval
 }

+// Sequential All DNS challenges for this provider will be resolved sequentially.
+// Returns the interval between each iteration.
+func (d *DNSProvider) Sequential() time.Duration {
+	return d.config.SequenceInterval
+}
+
 // Present creates a TXT record using the specified parameters
 func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 	fqdn, value := dns01.GetRecord(domain, keyAuth)

 	err := d.changeRecord("INSERT", fqdn, value, d.config.TTL)
 	if err != nil {
-		return fmt.Errorf("rfc2136: %v", err)
+		return fmt.Errorf("rfc2136: failed to insert: %v", err)
 	}
 	return nil
 }
@ -119,7 +128,7 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {

 	err := d.changeRecord("REMOVE", fqdn, value, d.config.TTL)
 	if err != nil {
-		return fmt.Errorf("rfc2136: %v", err)
+		return fmt.Errorf("rfc2136: failed to remove: %v", err)
 	}
 	return nil
 }
@ -152,7 +161,7 @@ func (d *DNSProvider) changeRecord(action, fqdn, value string, ttl int) error {
 	}

 	// Setup client
-	c := new(dns.Client)
+	c := &dns.Client{Timeout: d.config.DNSTimeout}
 	c.SingleInflight = true

 	// TSIG authentication / msg signing
@ -167,7 +176,7 @@ func (d *DNSProvider) changeRecord(action, fqdn, value string, ttl int) error {
 		return fmt.Errorf("DNS update failed: %v", err)
 	}
 	if reply != nil && reply.Rcode != dns.RcodeSuccess {
-		return fmt.Errorf("DNS update failed. Server replied: %s", dns.RcodeToString[reply.Rcode])
+		return fmt.Errorf("DNS update failed: server replied: %s", dns.RcodeToString[reply.Rcode])
 	}

 	return nil
--- a/vendor/github.com/xenolf/lego/providers/dns/transip/transip.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/transip/transip.go
@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"strings"
+	"sync"
 	"time"

 	"github.com/transip/gotransip"
@ -33,8 +34,9 @@ func NewDefaultConfig() *Config {

 // DNSProvider describes a provider for TransIP
 type DNSProvider struct {
-	config *Config
-	client gotransip.SOAPClient
+	config       *Config
+	client       gotransip.Client
+	dnsEntriesMu sync.Mutex
 }

 // NewDNSProvider returns a DNSProvider instance configured for TransIP.
@ -90,6 +92,10 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 	// get the subDomain
 	subDomain := strings.TrimSuffix(dns01.UnFqdn(fqdn), "."+domainName)

+	// use mutex to prevent race condition from GetInfo until SetDNSEntries
+	d.dnsEntriesMu.Lock()
+	defer d.dnsEntriesMu.Unlock()
+
 	// get all DNS entries
 	info, err := transipdomain.GetInfo(d.client, domainName)
 	if err != nil {
@ -126,6 +132,10 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 	// get the subDomain
 	subDomain := strings.TrimSuffix(dns01.UnFqdn(fqdn), "."+domainName)

+	// use mutex to prevent race condition from GetInfo until SetDNSEntries
+	d.dnsEntriesMu.Lock()
+	defer d.dnsEntriesMu.Unlock()
+
 	// get all DNS entries
 	info, err := transipdomain.GetInfo(d.client, domainName)
 	if err != nil {