Fix for TLS-SNI-01 removed after warned in v0.33.0 of certbot.
Torxed committed Jan 23, 2020
1 parent 07eca04 commit db62ab9
Showing 1 changed file with 2 additions and 77 deletions.
79 changes: 2 additions & 77 deletions certbot_external_auth/plugin.py
Expand Up @@ -111,14 +111,6 @@ class AuthenticatorOut(common.Plugin):
command on the target server (as root):
{command}
""",
"tls-sni-01": """\
Verification for {domain}:
Make sure your web server serves TLS SNI host on domain:
{z_domain} with the following
- certificate: {cert_path}
- key: {key_path}
"""
}

Expand Down Expand Up @@ -216,7 +208,7 @@ def more_info(self): # pylint: disable=missing-docstring,no-self-use

def get_chall_pref(self, domain):
# pylint: disable=missing-docstring,no-self-use,unused-argument
return [challenges.DNS01, challenges.HTTP01, challenges.TLSSNI01]
return [challenges.DNS01, challenges.HTTP01]

def perform(self, achalls):
"""
Expand All @@ -227,8 +219,7 @@ def perform(self, achalls):
# pylint: disable=missing-docstring
self._get_ip_logging_permission()
mapping = {"http-01": self._perform_http01_challenge,
"dns-01": self._perform_dns01_challenge,
"tls-sni-01": self._perform_tlssni01_challenge,
"dns-01": self._perform_dns01_challenge
}
responses = []
# TODO: group achalls by the same socket.gethostbyname(_ex)
Expand Down Expand Up @@ -364,8 +355,6 @@ def _get_cleanup_json(self, achall):
pass
elif isinstance(achall.chall, challenges.DNS01):
pass
elif isinstance(achall.chall, challenges.TLSSNI01):
pass

cur_record[FIELD_STATUS] = None
cur_record[FIELD_DOMAIN] = achall.domain
Expand Down Expand Up @@ -544,70 +533,6 @@ def _perform_dns01_challenge(self, achall):

return response

def _perform_tlssni01_challenge(self, achall):
tls_help = self._get_tls_sni_help(achall)
response = tls_help._setup_challenge_cert(achall)

json_data = OrderedDict()
json_data[FIELD_CMD] = COMMAND_PERFORM
json_data[FIELD_TYPE] = achall.chall.typ
json_data[FIELD_DOMAIN] = achall.domain
json_data[FIELD_TOKEN] = b64.b64encode(achall.chall.token)
json_data[FIELD_Z_DOMAIN] = achall.response(achall.account_key).z_domain
json_data[FIELD_VALIDATION] = json_data[FIELD_Z_DOMAIN]
json_data[FIELD_CERT_PATH] = tls_help.get_cert_path(achall)
json_data[FIELD_KEY_PATH] = tls_help.get_key_path(achall)
json_data[FIELD_PORT] = str(self.config.tls_sni_01_port)
json_data[FIELD_KEY_AUTH] = response.key_authorization
json_data[FIELD_CERT_PEM] = None
json_data[FIELD_KEY_PEM] = None

try:
with open(json_data[FIELD_CERT_PATH], 'r') as fh:
json_data[FIELD_CERT_PEM] = fh.read()
except:
pass
try:
with open(json_data[FIELD_KEY_PATH], 'r') as fh:
json_data[FIELD_KEY_PEM] = fh.read()
except:
pass

json_data = self._json_sanitize_dict(json_data)

if self._is_text_mode():
self._notify_and_wait(
self._get_message(achall).format(
domain=json_data[FIELD_DOMAIN],
z_domain=json_data[FIELD_Z_DOMAIN],
cert_path=json_data[FIELD_CERT_PATH],
key_path=json_data[FIELD_KEY_PATH],
port=json_data[FIELD_PORT]))

elif self._is_json_mode():
self._json_out_and_wait(json_data)

elif self._is_handler_mode():
self._json_out(json_data, True)
if self._call_handler("perform", **(self._get_json_to_kwargs(json_data))) is None:
raise errors.PluginError("Error in calling the handler to do the perform (challenge) stage")

else:
raise errors.PluginError("Unknown plugin mode selected")

if not response.simple_verify(
achall.chall, achall.domain,
achall.account_key.public_key(),
None):
logger.warning("Self-verify of challenge failed.")

return response

def _get_tls_sni_help(self, achall):
tls_help = common.TLSSNI01(self)
tls_help.add_chall(achall, 0)
return tls_help

def _cleanup_http01_challenge(self, achall):
# pylint: disable=missing-docstring,unused-argument
if self.conf("test-mode"):
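Review bot: In the fourth hunk, `_get_cleanup_json` is left with an isinstance chain whose surviving arms (the one ending in `pass` just above the `elif isinstance(achall.chall, challenges.DNS01)` arm, and that arm itself) do nothing, so after the TLSSNI01 arm is dropped the whole chain is dead and should either be deleted or be given an `else: raise errors.PluginError("Unsupported challenge type")` so an unexpected challenge type fails loudly instead of silently producing a cleanup record; the function starts outside the hunk. The removed `_perform_tlssni01_challenge` was the only visible reader of `self.config.tls_sni_01_port` and of the `FIELD_CERT_PATH`, `FIELD_KEY_PATH`, `FIELD_CERT_PEM` and `FIELD_KEY_PEM` keys, so if the corresponding parser argument and constants are still declared elsewhere in the file they are now dead surface worth removing in the same change. `get_chall_pref` in the second hunk still carries a pylint disable instead of a docstring; a one-liner such as `"""Return the supported challenge types, most preferred first (TLS-SNI-01 is no longer offered)."""` would document the new contract.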
