Remove the deprecated tls-sni-02 challenge method. (#38137)
parent
45e4dfda3d
commit
8b98c29afd
1 changed files with 4 additions and 20 deletions
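--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -23,14 +23,13 @@ description:
 - "Create and renew SSL certificates with Let's Encrypt. Let's Encrypt is a
 free, automated, and open certificate authority (CA), run for the
 public's benefit. For details see U(https://letsencrypt.org). The current
-implementation supports the http-01, tls-sni-02 and dns-01 challenges."
+implementation supports the http-01 and dns-01 challenges."
 - "To use this module, it has to be executed at least twice. Either as two
 different tasks in the same run or during multiple runs."
 - "Between these two tasks you have to fulfill the required steps for the
 chosen challenge by whatever means necessary. For http-01 that means
 creating the necessary challenge file on the destination webserver. For
-dns-01 the necessary dns record has to be created. tls-sni-02 requires
-you to create a SSL certificate with the appropriate subjectAlternativeNames.
+dns-01 the necessary dns record has to be created.
 It is I(not) the responsibility of this module to perform these steps."
 - "For details on how to fulfill these challenges, you might have to read through
 U(https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8)"
@@ -109,7 +108,7 @@ options:
 version_added: "2.5"
 challenge:
 description: The challenge to be performed.
-choices: [ 'http-01', 'dns-01', 'tls-sni-02']
+choices: [ 'http-01', 'dns-01']
 default: 'http-01'
 csr:
 description:
@@ -937,25 +936,10 @@ class ACMEClient(object):
 token = re.sub(r"[^A-Za-z0-9_\-]", "_", challenge['token'])
 keyauthorization = self.account.get_keyauthorization(token)
 
-# NOTE: tls-sni-01 is not supported by choice
-# too complex to be useful and tls-sni-02 is an alternative
-# as soon as it is implemented server side
 if type == 'http-01':
 # https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.3
 resource = '.well-known/acme-challenge/' + token
 data[type] = {'resource': resource, 'resource_value': keyauthorization}
-elif type == 'tls-sni-02':
-# https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.4
-token_digest = hashlib.sha256(token.encode('utf8')).hexdigest()
-ka_digest = hashlib.sha256(keyauthorization.encode('utf8')).hexdigest()
-len_token_digest = len(token_digest)
-len_ka_digest = len(ka_digest)
-resource = 'subjectAlternativeNames'
-value = [
-"{0}.{1}.token.acme.invalid".format(token_digest[:len_token_digest // 2], token_digest[len_token_digest // 2:]),
-"{0}.{1}.ka.acme.invalid".format(ka_digest[:len_ka_digest // 2], ka_digest[len_ka_digest // 2:]),
-]
-data[type] = {'resource': resource, 'resource_value': value}
 elif type == 'dns-01':
 # https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.5
 resource = '_acme-challenge'
@@ -1296,7 +1280,7 @@ def main():
 acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
 agreement=dict(required=False, type='str'),
 terms_agreed=dict(required=False, default=False, type='bool'),
-challenge=dict(required=False, default='http-01', choices=['http-01', 'dns-01', 'tls-sni-02'], type='str'),
+challenge=dict(required=False, default='http-01', choices=['http-01', 'dns-01'], type='str'),
 csr=dict(required=True, aliases=['src'], type='path'),
 data=dict(required=False, default=None, type='dict'),
 dest=dict(aliases=['cert'], type='path'),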
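Review bot: Dropping `'tls-sni-02'` from the `choices` list in the `main()` hunk turns any existing playbook that sets `challenge: tls-sni-02` into a hard argument-spec failure with no hint about why, and the commit adds no changelog or porting note to go with it. Consider adding a sentence to the `challenge` option description in the second hunk, e.g. `The tls-sni-02 challenge is no longer supported; use http-01 or dns-01 instead.`, plus a matching changelog entry, so the error users hit points them at the remaining choices. Removing the three-line NOTE in the `ACMEClient` hunk also drops the only in-code record of why the tls-sni family is absent; a one-line comment such as `# tls-sni-01/02 are intentionally not supported` would keep that intent visible to the next maintainer. The method whose body the third hunk edits starts and ends outside the hunk, so whether the `if`/`elif` chain has a fallback for an unexpected `type` cannot be confirmed here, though the argument-spec `choices` should keep such a value from reaching it.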