Update server dependencies

2018-05-04 23:39:27 +02:00 · 2018-05-04 23:39:27 +02:00 · de36fe682a
commit de36fe682a
parent fb8fec38ff
883 changed files with 147940 additions and 68404 deletions
--- a/vendor/github.com/xenolf/lego/acme/client.go
+++ b/vendor/github.com/xenolf/lego/acme/client.go
@ -330,6 +330,10 @@ DNSNames:
 	challenges, failures := c.getChallenges(domains)
 	// If any challenge fails - return. Do not generate partial SAN certificates.
 	if len(failures) > 0 {
+		for _, auth := range challenges {
+			c.disableAuthz(auth)
+		}
+
 		return CertificateResource{}, failures
 	}

@ -373,6 +377,10 @@ func (c *Client) ObtainCertificate(domains []string, bundle bool, privKey crypto
 	challenges, failures := c.getChallenges(domains)
 	// If any challenge fails - return. Do not generate partial SAN certificates.
 	if len(failures) > 0 {
+		for _, auth := range challenges {
+			c.disableAuthz(auth)
+		}
+
 		return CertificateResource{}, failures
 	}

@ -493,10 +501,12 @@ func (c *Client) solveChallenges(challenges []authorizationResource) map[string]
 				// TODO: do not immediately fail if one domain fails to validate.
 				err := solver.Solve(authz.Body.Challenges[i], authz.Domain)
 				if err != nil {
+					c.disableAuthz(authz)
 					failures[authz.Domain] = err
 				}
 			}
 		} else {
+			c.disableAuthz(authz)
 			failures[authz.Domain] = fmt.Errorf("[%s] acme: Could not determine solvers", authz.Domain)
 		}
 	}
@ -586,6 +596,13 @@ func logAuthz(authz []authorizationResource) {
 	}
 }

+// cleanAuthz loops through the passed in slice and disables any auths which are not "valid"
+func (c *Client) disableAuthz(auth authorizationResource) error {
+	var disabledAuth authorization
+	_, err := postJSON(c.jws, auth.AuthURL, deactivateAuthMessage{Resource: "authz", Status: "deactivated"}, &disabledAuth)
+	return err
+}
+
 func (c *Client) requestCertificate(authz []authorizationResource, bundle bool, privKey crypto.PrivateKey, mustStaple bool) (CertificateResource, error) {
 	if len(authz) == 0 {
 		return CertificateResource{}, errors.New("Passed no authorizations to requestCertificate!")
--- a/vendor/github.com/xenolf/lego/acme/dns_challenge.go
+++ b/vendor/github.com/xenolf/lego/acme/dns_challenge.go
@ -11,7 +11,6 @@ import (
 	"time"

 	"github.com/miekg/dns"
-	"golang.org/x/net/publicsuffix"
 )

 type preCheckDNSFunc func(fqdn, value string) (bool, error)
@ -194,7 +193,7 @@ func dnsQuery(fqdn string, rtype uint16, nameservers []string, recursive bool) (

 		if err == dns.ErrTruncated {
 			tcp := &dns.Client{Net: "tcp", Timeout: DNSTimeout}
-			// If the TCP request suceeds, the err will reset to nil
+			// If the TCP request succeeds, the err will reset to nil
 			in, _, err = tcp.Exchange(m, ns)
 		}

@ -242,10 +241,6 @@ func FindZoneByFqdn(fqdn string, nameservers []string) (string, error) {
 	labelIndexes := dns.Split(fqdn)
 	for _, index := range labelIndexes {
 		domain := fqdn[index:]
-		// Give up if we have reached the TLD
-		if isTLD(domain) {
-			break
-		}

 		in, err := dnsQuery(domain, dns.TypeSOA, nameservers, true)
 		if err != nil {
@ -260,6 +255,13 @@ func FindZoneByFqdn(fqdn string, nameservers []string) (string, error) {

 		// Check if we got a SOA RR in the answer section
 		if in.Rcode == dns.RcodeSuccess {
+
+			// CNAME records cannot/should not exist at the root of a zone.
+			// So we skip a domain when a CNAME is found.
+			if dnsMsgContainsCNAME(in) {
+				continue
+			}
+
 			for _, ans := range in.Answer {
 				if soa, ok := ans.(*dns.SOA); ok {
 					zone := soa.Hdr.Name
@ -273,10 +275,12 @@ func FindZoneByFqdn(fqdn string, nameservers []string) (string, error) {
 	return "", fmt.Errorf("Could not find the start of authority")
 }

-func isTLD(domain string) bool {
-	publicsuffix, _ := publicsuffix.PublicSuffix(UnFqdn(domain))
-	if publicsuffix == UnFqdn(domain) {
-		return true
+// dnsMsgContainsCNAME checks for a CNAME answer in msg
+func dnsMsgContainsCNAME(msg *dns.Msg) bool {
+	for _, ans := range msg.Answer {
+		if _, ok := ans.(*dns.CNAME); ok {
+			return true
+		}
 	}
 	return false
 }
--- a/vendor/github.com/xenolf/lego/acme/http.go
+++ b/vendor/github.com/xenolf/lego/acme/http.go
@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"runtime"
 	"strings"
@ -15,7 +16,18 @@ import (
 var UserAgent string

 // HTTPClient is an HTTP client with a reasonable timeout value.
-var HTTPClient = http.Client{Timeout: 10 * time.Second}
+var HTTPClient = http.Client{
+	Transport: &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		Dial: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}).Dial,
+		TLSHandshakeTimeout:   15 * time.Second,
+		ResponseHeaderTimeout: 15 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	},
+}

 const (
 	// defaultGoUserAgent is the Go HTTP package user agent string. Too
--- a/vendor/github.com/xenolf/lego/acme/messages.go
+++ b/vendor/github.com/xenolf/lego/acme/messages.go
@ -93,6 +93,11 @@ type revokeCertMessage struct {
 	Certificate string `json:"certificate"`
 }

+type deactivateAuthMessage struct {
+	Resource string `json:"resource,omitempty"`
+	Status   string `jsom:"status"`
+}
+
 // CertificateResource represents a CA issued certificate.
 // PrivateKey, Certificate and IssuerCertificate are all
 // already PEM encoded and can be directly written to disk.