Use lego binary for DNS-01 challenge #1753
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@accuser let me know when it's ready for review |
|
I've tested with my own DNS (Gandi) and it seems to be working. I forgot to use LE's staging environment and managed to go over rate, so please don't make the same mistake... 🤣 But please review and let me know if this approach is suitable. |
|
One thought I have had, but probably not for this PR: the HTTP-01 challenge could also be implemented using the |
|
@accuser yeah, since we'll be shipping the lego binary anyway, we may as well move all of it to the external binary. |
stgraber
reviewed
Mar 13, 2025
internal/server/acme/acme.go
Outdated
| return nil, fmt.Errorf("Failed setting challenge provider: %w", err) | ||
| } | ||
| logger.Info("Running lego command", logger.Ctx{"cmd": cmd.String()}) | ||
| err = cmd.Run() |
There was a problem hiding this comment.
Should be able to use our subprocess.RunCommandSplit for this instead.
_, _, err := subprocess.RunCommandSplit(ctx, append(os.Environ(), environment), nil, "lego", args...)
stgraber
reviewed
Mar 13, 2025
internal/server/acme/acme.go
Outdated
Comment on lines
169
to
172
| } else { | ||
| // Default URL for Let's Encrypt | ||
| config.CADirURL = "https://acme-v02.api.letsencrypt.org/directory" | ||
| } |
There was a problem hiding this comment.
Shouldn't be needed now that you set the default value in the config package
stgraber
reviewed
Mar 13, 2025
cmd/incusd/acme.go
Outdated
| if domain == "" || email == "" || !agreeToS || challengeType == "" { | ||
| if domain == "" || email == "" || !agreeToS { |
There was a problem hiding this comment.
We should still keep this one. challengeType is still returned and it has a default value so it's fine to ensure it's not empty.
stgraber
reviewed
Mar 13, 2025
cmd/incusd/acme.go
Outdated
Comment on lines
119
to
101
| newCert, err := acme.UpdateCertificate(s, challengeProvider, s.ServerClustered, domain, email, caURL, force) | ||
| newCert, err := acme.UpdateCertificate(s, d.http01Provider, s.ServerClustered, domain, email, caURL, challengeType, force) |
There was a problem hiding this comment.
I'd probably move challengeType to be the second argument here
|
Looks good, just a few minor tweaks needed. I'll take care of those myself now as that should be rather quick. |
Signed-off-by: Matthew Gibbons <[email protected]>
Signed-off-by: Matthew Gibbons <[email protected]>
Signed-off-by: Matthew Gibbons <[email protected]>
Signed-off-by: Matthew Gibbons <[email protected]>
stgraber
force-pushed
the
use-lego-binary-for-dns-01-challenge
branch
from
0ecbaaa to
804cd96
Compare
Signed-off-by: Matthew Gibbons <[email protected]>
Signed-off-by: Matthew Gibbons <[email protected]>
stgraber
force-pushed
the
use-lego-binary-for-dns-01-challenge
branch
from
804cd96 to
1cede63
Compare
stgraber
approved these changes
Mar 13, 2025
This was referenced Mar 13, 2025
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Mar 31, 2025
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [lxc/incus](https://github.com/lxc/incus) | minor | `v6.10.1` -> `v6.11.0` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>lxc/incus (lxc/incus)</summary> ### [`v6.11.0`](https://github.com/lxc/incus/releases/tag/v6.11.0): Incus 6.11 [Compare Source](lxc/incus@v6.10.1...v6.11.0) ### Announcement https://discuss.linuxcontainers.org/t/incus-6-11-has-been-released/23322 #### What's Changed - Allow ICMP and low ports for unprivileged users in OCI containers by [@​gwenya](https://github.com/gwenya) in lxc/incus#1706 - doc: Clarify virtiofsd requirements by [@​stgraber](https://github.com/stgraber) in lxc/incus#1718 - Fix generate-database usage for incusd/db by [@​breml](https://github.com/breml) in lxc/incus#1719 - Do not allow mounting of custom block volume snapshots by [@​presztak](https://github.com/presztak) in lxc/incus#1720 - generate-database: Abstract db connection / db transaction by [@​breml](https://github.com/breml) in lxc/incus#1721 - Fix snapshot size handling in cross-pool copy/move by [@​presztak](https://github.com/presztak) in lxc/incus#1717 - generate-database: Accept interface in PrepareStmts by [@​breml](https://github.com/breml) in lxc/incus#1725 - Simplify `evaluateShorthandFilter` by reducing nesting levels by [@​presztak](https://github.com/presztak) in lxc/incus#1727 - incusd/storage: Don't use sparse writer on thick LVM by [@​stgraber](https://github.com/stgraber) in lxc/incus#1729 - generate-database: Add support for marshal to JSON by [@​breml](https://github.com/breml) in lxc/incus#1731 - Fixed incus edk2 path overwrite issue by [@​nanjj](https://github.com/nanjj) in lxc/incus#1726 - Do not download instance types if cache loadable by [@​nanjj](https://github.com/nanjj) in lxc/incus#1732 - Clarify security.secureboot setting by [@​gwenya](https://github.com/gwenya) in lxc/incus#1740 - Fix DNS for isolated OVN networks by [@​gwenya](https://github.com/gwenya) in lxc/incus#1738 - Allow announcing extra routes through DHCPv4 by [@​gwenya](https://github.com/gwenya) in lxc/incus#1734 - Fix link parsing failure on non-ethernet devices by [@​stgraber](https://github.com/stgraber) in lxc/incus#1742 - Fix revert on OCI container creation failure by [@​gwenya](https://github.com/gwenya) in lxc/incus#1744 - generate-database: Handle non tx DB connections by [@​breml](https://github.com/breml) in lxc/incus#1745 - incus file edit extension by [@​gwenya](https://github.com/gwenya) in lxc/incus#1746 - Cleanup internal API endpoints by [@​stgraber](https://github.com/stgraber) in lxc/incus#1747 - Tweak help message for rebuild by [@​stgraber](https://github.com/stgraber) in lxc/incus#1754 - Use lego binary for DNS-01 challenge by [@​accuser](https://github.com/accuser) in lxc/incus#1753 - incusd/storage/zfs: Fix ZFS CreateVolume deletes pre-existing data on failure by [@​mrstux](https://github.com/mrstux) in lxc/incus#1749 - incus/file: Always use 1MB chunks for SFTP by [@​stgraber](https://github.com/stgraber) in lxc/incus#1758 - Use the correct path for ingesting DNS-01 challenge certificate outputs by [@​accuser](https://github.com/accuser) in lxc/incus#1759 - incusd/bgp: Rework start/stop logic by [@​stgraber](https://github.com/stgraber) in lxc/incus#1761 - incusd/network/ovn: Skip existing static routes by [@​stgraber](https://github.com/stgraber) in lxc/incus#1762 - incusd/instance/qemu: Set caching-mode with intel-iommu by [@​stgraber](https://github.com/stgraber) in lxc/incus#1772 - incus-agent: Improve SFTP performance by [@​stgraber](https://github.com/stgraber) in lxc/incus#1773 - incusd/network/ovn: Keep getting router name when network none by [@​diegofernandes](https://github.com/diegofernandes) in lxc/incus#1771 - make `incus copy --device xx,type=none` drop remaining device properties by [@​schnoddelbotz](https://github.com/schnoddelbotz) in lxc/incus#1764 - incusd/instance/qemu: rtc base localtime for windows by [@​nanjj](https://github.com/nanjj) in lxc/incus#1767 - Add option to configure DNS server for bridge and OVN networks by [@​gwenya](https://github.com/gwenya) in lxc/incus#1739 - Use lego binary for http 01 challenge by [@​accuser](https://github.com/accuser) in lxc/incus#1770 - Handle live migration between QEMU versions by [@​stgraber](https://github.com/stgraber) in lxc/incus#1775 - incusd/instance/qemu: Skip to link nvram to itself by [@​nanjj](https://github.com/nanjj) in lxc/incus#1760 - Switch to new MAC address prefix by [@​stgraber](https://github.com/stgraber) in lxc/incus#1776 - client: Fix spelling errors found by codespell by [@​cjwatson](https://github.com/cjwatson) in lxc/incus#1777 - Add ipv4.dhcp.expiry option for ovn networks by [@​gwenya](https://github.com/gwenya) in lxc/incus#1781 - Configure DHCP on existing instance interfaces when it is enabled on a network by [@​gwenya](https://github.com/gwenya) in lxc/incus#1780 - incusd/instance/edk2: Select SecureBoot capable firmware on Debian by [@​stgraber](https://github.com/stgraber) in lxc/incus#1782 - Fix some `go vet` warnings by [@​stgraber](https://github.com/stgraber) in lxc/incus#1784 - Clear gofumpt by [@​stgraber](https://github.com/stgraber) in lxc/incus#1803 - Fix some BGP issues by [@​stgraber](https://github.com/stgraber) in lxc/incus#1805 - incusd/instance/qemu: bad pid check by [@​nanjj](https://github.com/nanjj) in lxc/incus#1806 - Fix spelling errors and run codespell automatically by [@​cjwatson](https://github.com/cjwatson) in lxc/incus#1778 - incus/file: Properly handle relative source paths by [@​stgraber](https://github.com/stgraber) in lxc/incus#1809 - cmd/storage: incorrect CLI syntax in storage pool creation examples by [@​ViniRodrig](https://github.com/ViniRodrig) in lxc/incus#1810 - Improve DB performance by [@​stgraber](https://github.com/stgraber) in lxc/incus#1811 - incusd/network/ovn: Fix default DNS IPv4 server by [@​stgraber](https://github.com/stgraber) in lxc/incus#1812 - Extend OS detection logic by [@​stgraber](https://github.com/stgraber) in lxc/incus#1813 - Add allocated CPU time to instance state by [@​bensmrs](https://github.com/bensmrs) in lxc/incus#1807 - incusd/certificates: Properly handle bad PEM data by [@​stgraber](https://github.com/stgraber) in lxc/incus#1816 - Extra `generate-database` features by [@​masnax](https://github.com/masnax) in lxc/incus#1817 - incusd/network/common: Handle missing BGP peer by [@​stgraber](https://github.com/stgraber) in lxc/incus#1818 - incusd/cluster/evacuate: Don't live-migrate stopped instances by [@​stgraber](https://github.com/stgraber) in lxc/incus#1819 - Fix generator table pluralization by [@​masnax](https://github.com/masnax) in lxc/incus#1823 - incusd/instance/qemu enable s4 by default by [@​nanjj](https://github.com/nanjj) in lxc/incus#1820 - Add support for USB NICs by [@​bensmrs](https://github.com/bensmrs) in lxc/incus#1814 - incusd/storage/s3 Fixed minio client mc too ambious issue by [@​nanjj](https://github.com/nanjj) in lxc/incus#1821 - incusd/networks: Validate configuration on join too by [@​stgraber](https://github.com/stgraber) in lxc/incus#1824 - Update gomod for go-jwt vulnerability by [@​stgraber](https://github.com/stgraber) in lxc/incus#1825 - cmd/generate-database/db: Fix GetNames spacing by [@​masnax](https://github.com/masnax) in lxc/incus#1826 - github: Rework issue templates by [@​stgraber](https://github.com/stgraber) in lxc/incus#1827 - Update Debian installation documentation by [@​gibmat](https://github.com/gibmat) in lxc/incus#1830 - Extend minio client naming by [@​gibmat](https://github.com/gibmat) in lxc/incus#1829 - Various fixes from address set MR by [@​stgraber](https://github.com/stgraber) in lxc/incus#1831 - incusd/instance/lxc: Cleanup OCI mount paths by [@​stgraber](https://github.com/stgraber) in lxc/incus#1834 - Add `io.bus=usb` for disks by [@​bensmrs](https://github.com/bensmrs) in lxc/incus#1835 - golangci: Upgrade to version 2 by [@​stgraber](https://github.com/stgraber) in lxc/incus#1836 - golangci: Disable STI005 error checks by [@​stgraber](https://github.com/stgraber) in lxc/incus#1841 - Standalone changes from the Linstor branch by [@​stgraber](https://github.com/stgraber) in lxc/incus#1842 - incusd/storage/s3 minio client check enhancement by [@​nanjj](https://github.com/nanjj) in lxc/incus#1839 - incusd/network/ovn: Remove internal routes to forward/load-balancers by [@​stgraber](https://github.com/stgraber) in lxc/incus#1843 - incusd/instance/edk2: Always prefer the EDK2 override by [@​stgraber](https://github.com/stgraber) in lxc/incus#1847 - Fixes from Linstor branch by [@​stgraber](https://github.com/stgraber) in lxc/incus#1846 - Add `linstor` storage driver by [@​luissimas](https://github.com/luissimas) in lxc/incus#1621 - Add `linstor.remove_snapshots` config option by [@​luissimas](https://github.com/luissimas) in lxc/incus#1848 - doc/support: Update feature release version by [@​bensmrs](https://github.com/bensmrs) in lxc/incus#1853 - incusd/instance: Don't enforce device/config validation on snapshots by [@​stgraber](https://github.com/stgraber) in lxc/incus#1854 - OCI entrypoint configuration by [@​gwenya](https://github.com/gwenya) in lxc/incus#1845 #### New Contributors - [@​mrstux](https://github.com/mrstux) made their first contribution in lxc/incus#1749 - [@​diegofernandes](https://github.com/diegofernandes) made their first contribution in lxc/incus#1771 - [@​schnoddelbotz](https://github.com/schnoddelbotz) made their first contribution in lxc/incus#1764 - [@​cjwatson](https://github.com/cjwatson) made their first contribution in lxc/incus#1777 - [@​ViniRodrig](https://github.com/ViniRodrig) made their first contribution in lxc/incus#1810 - [@​masnax](https://github.com/masnax) made their first contribution in lxc/incus#1817 **Full Changelog**: lxc/incus@v6.10.1...v6.11.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMTguMSIsInVwZGF0ZWRJblZlciI6IjM5LjIxOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR replaces the recently added DNS-01 challenge provider with an invocation of the LEGO binary to address #1722, removing the need for bundling the entirety of the supported LEGO 3rd-party DNS clients.
ACME configuration remains the same.
Closes #1722