add and use request_authorizations

2026-05-28 04:34:11 -04:00 · 2018-02-16 16:21:02 -08:00 · 2018-02-16 16:21:02 -08:00 · 73bd801f35
commit 73bd801f35
parent e95e963ad6
4 changed files with 29 additions and 20 deletions
--- a/acme/acme/client.py
+++ b/acme/acme/client.py
@ -671,6 +671,7 @@ class BackwardsCompatibleClientV2(object):
            self.client = Client(directory, key=key, net=net)
        else:
            self.client = ClientV2(directory, net=net)
+            self.orderr = None

    def __getattr__(self, name):
        if name in vars(self.client):
@ -705,6 +706,19 @@ class BackwardsCompatibleClientV2(object):
                regr = regr.update(terms_of_service_agreed=True)
            return self.client.new_account(regr)

+    def request_authorizations(self, csr_pem):
+        if self.acme_version == 1:
+            csr = OpenSSL.crypto.load_certificate_request(OpenSSL.crypto.FILETYPE_PEM, csr_pem)
+            # pylint: disable=protected-access
+            dnsNames = crypto_util._pyopenssl_cert_or_req_all_names(csr)
+            authorizations = []
+            for domain in dnsNames:
+                authorizations.append(self.client.request_domain_challenges(domain))
+            return authorizations
+        else:
+            self.orderr = self.client.new_order(csr_pem)
+            return self.orderr.authorizations
+
    def _acme_version_from_directory(self, directory):
        if hasattr(directory, 'newNonce'):
            return 2
--- a/certbot/auth_handler.py
+++ b/certbot/auth_handler.py
@ -48,10 +48,10 @@ class AuthHandler(object):
        # List must be used to keep responses straight.
        self.achalls = []

-    def get_authorizations(self, domains, best_effort=False):
+    def get_authorizations(self, csr_pem, best_effort=False):
        """Retrieve all authorizations for challenges.

-        :param list domains: Domains for authorization
+        :param list csr_pem: CSR containing domains for authorization
        :param bool best_effort: Whether or not all authorizations are
             required (this is useful in renewal)

@ -62,8 +62,10 @@ class AuthHandler(object):
            authorizations

        """
-        for domain in domains:
-            self.authzr[domain] = self.acme.request_domain_challenges(domain)
+        authzrs = self.acme.request_authorizations(csr_pem)
+        for authzr in authzrs:
+            self.authzr[authzr.body.identifier.value] = authzr
+        domains = self.authzr.keys()

        self._choose_challenges(domains)
        config = zope.component.getUtility(interfaces.IConfig)
--- a/certbot/client.py
+++ b/certbot/client.py
@ -235,13 +235,9 @@ class Client(object):
        else:
            self.auth_handler = None

-    def obtain_certificate_from_csr(self, domains, csr, authzr=None):
+    def obtain_certificate_from_csr(self, csr, authzr=None):
        """Obtain certificate.

-        Internal function with precondition that `domains` are
-        consistent with identifiers present in the `csr`.
-
-        :param list domains: Domain names.
        :param .util.CSR csr: PEM-encoded Certificate Signing
            Request. The key used to generate this CSR can be different
            than `authkey`.
@ -261,10 +257,10 @@ class Client(object):
        if self.account.regr is None:
            raise errors.Error("Please register with the ACME server first.")

-        logger.debug("CSR: %s, domains: %s", csr, domains)
+        logger.debug("CSR: %s", csr)

        if authzr is None:
-            authzr = self.auth_handler.get_authorizations(domains)
+            authzr = self.auth_handler.get_authorizations(csr)

        certr = self.acme.request_issuance(
            jose.ComparableX509(
@ -307,13 +303,6 @@ class Client(object):
        :rtype: tuple

        """
-        authzr = self.auth_handler.get_authorizations(
-                domains,
-                self.config.allow_subset_of_names)
-
-        auth_domains = set(a.body.identifier.value for a in authzr)
-        domains = [d for d in domains if d in auth_domains]
-
        # Create CSR from names
        if self.config.dry_run:
            key = util.Key(file=None,
@ -326,8 +315,12 @@ class Client(object):
                self.config.rsa_key_size, self.config.key_dir)
            csr = crypto_util.init_save_csr(key, domains, self.config.csr_dir)

+        authzr = self.auth_handler.get_authorizations(
+                csr,
+                self.config.allow_subset_of_names)
+
        certr, chain = self.obtain_certificate_from_csr(
-            domains, csr, authzr=authzr)
+            csr, authzr=authzr)

        return certr, chain, key, csr

--- a/certbot/main.py
+++ b/certbot/main.py
@ -1064,7 +1064,7 @@ def _csr_get_and_save_cert(config, le_client):

    """
    csr, _ = config.actual_csr
-    certr, chain = le_client.obtain_certificate_from_csr(config.domains, csr)
+    certr, chain = le_client.obtain_certificate_from_csr(csr)
    if config.dry_run:
        logger.debug(
            "Dry run: skipping saving certificate to %s", config.cert_path)