Warn manual authenticator users not to remove/undo previous challenges (#6370)

* Warn users not to remove/undo previous challenges * Even more specific DNS challenge message * Fix spacing and variable names * Create a second test DNS challenge for UI testing * Changelog for subsequent manual challenge behavior
2026-06-04 14:26:10 -04:00 · 2018-10-18 04:44:45 -07:00 · 2018-10-18 04:44:45 -07:00 · 3de3188dd6
commit 3de3188dd6
parent 92501eaf8f
4 changed files with 27 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -10,7 +10,7 @@ Certbot adheres to [Semantic Versioning](http://semver.org/).

 ### Changed

-*
+*  `--manual` will explicitly warn users that earlier challenges should remain in place when setting up subsequent challenges.

 ### Fixed

--- a/certbot/plugins/manual.py
+++ b/certbot/plugins/manual.py
@ -94,6 +94,16 @@ using the secret key
 {key}
 when it receives a TLS ClientHello with the SNI extension set to
 {sni_domain}
+"""
+    _SUBSEQUENT_CHALLENGE_INSTRUCTIONS = """
+(This must be set up in addition to the previous challenges; do not remove,
+replace, or undo the previous challenge tasks yet.)
+"""
+    _SUBSEQUENT_DNS_CHALLENGE_INSTRUCTIONS = """
+(This must be set up in addition to the previous challenges; do not remove,
+replace, or undo the previous challenge tasks yet. Note that you might be
+asked to create multiple distinct TXT records with the same name. This is
+permitted by DNS standards.)
 """

    def __init__(self, *args, **kwargs):
@ -103,6 +113,8 @@ when it receives a TLS ClientHello with the SNI extension set to
        self.env = dict() \
        # type: Dict[achallenges.KeyAuthorizationAnnotatedChallenge, Dict[str, str]]
        self.tls_sni_01 = None
+        self.subsequent_dns_challenge = False
+        self.subsequent_any_challenge = False

    @classmethod
    def add_parser_arguments(cls, add):
@ -212,8 +224,17 @@ when it receives a TLS ClientHello with the SNI extension set to
                key=self.tls_sni_01.get_key_path(achall),
                port=self.config.tls_sni_01_port,
                sni_domain=self.tls_sni_01.get_z_domain(achall))
+        if isinstance(achall.chall, challenges.DNS01):
+            if self.subsequent_dns_challenge:
+                # 2nd or later dns-01 challenge
+                msg += self._SUBSEQUENT_DNS_CHALLENGE_INSTRUCTIONS
+            self.subsequent_dns_challenge = True
+        elif self.subsequent_any_challenge:
+            # 2nd or later challenge of another type
+            msg += self._SUBSEQUENT_CHALLENGE_INSTRUCTIONS
        display = zope.component.getUtility(interfaces.IDisplay)
        display.notification(msg, wrap=False, force_interactive=True)
+        self.subsequent_any_challenge = True

    def cleanup(self, achalls):  # pylint: disable=missing-docstring
        if self.conf('cleanup-hook'):
--- a/certbot/plugins/manual_test.py
+++ b/certbot/plugins/manual_test.py
@ -20,8 +20,9 @@ class AuthenticatorTest(test_util.TempDirTestCase):
        super(AuthenticatorTest, self).setUp()
        self.http_achall = acme_util.HTTP01_A
        self.dns_achall = acme_util.DNS01_A
+        self.dns_achall_2 = acme_util.DNS01_A_2
        self.tls_sni_achall = acme_util.TLSSNI01_A
-        self.achalls = [self.http_achall, self.dns_achall, self.tls_sni_achall]
+        self.achalls = [self.http_achall, self.dns_achall, self.tls_sni_achall, self.dns_achall_2]
        for d in ["config_dir", "work_dir", "in_progress"]:
            os.mkdir(os.path.join(self.tempdir, d))
            # "backup_dir" and "temp_checkpoint_dir" get created in
--- a/certbot/tests/acme_util.py
+++ b/certbot/tests/acme_util.py
@ -21,6 +21,7 @@ HTTP01 = challenges.HTTP01(
 TLSSNI01 = challenges.TLSSNI01(
    token=jose.b64decode(b"evaGxfADs6pSRb2LAv9IZf17Dt3juxGJyPCt92wrDoA"))
 DNS01 = challenges.DNS01(token=b"17817c66b60ce2e4012dfad92657527a")
+DNS01_2 = challenges.DNS01(token=b"cafecafecafecafecafecafe0feedbac")

 CHALLENGES = [HTTP01, TLSSNI01, DNS01]

@ -49,6 +50,7 @@ def chall_to_challb(chall, status):  # pylint: disable=redefined-outer-name
 TLSSNI01_P = chall_to_challb(TLSSNI01, messages.STATUS_PENDING)
 HTTP01_P = chall_to_challb(HTTP01, messages.STATUS_PENDING)
 DNS01_P = chall_to_challb(DNS01, messages.STATUS_PENDING)
+DNS01_P_2 = chall_to_challb(DNS01_2, messages.STATUS_PENDING)

 CHALLENGES_P = [HTTP01_P, TLSSNI01_P, DNS01_P]

@ -57,6 +59,7 @@ CHALLENGES_P = [HTTP01_P, TLSSNI01_P, DNS01_P]
 HTTP01_A = auth_handler.challb_to_achall(HTTP01_P, JWK, "example.com")
 TLSSNI01_A = auth_handler.challb_to_achall(TLSSNI01_P, JWK, "example.net")
 DNS01_A = auth_handler.challb_to_achall(DNS01_P, JWK, "example.org")
+DNS01_A_2 = auth_handler.challb_to_achall(DNS01_P_2, JWK, "esimerkki.example.org")

 ACHALLENGES = [HTTP01_A, TLSSNI01_A, DNS01_A]