From 73bd801f352fb9bad7fe8bc35c368f573c15a21e Mon Sep 17 00:00:00 2001
From: Erica Portnoy <ebportnoy@gmail.com>
Date: Fri, 16 Feb 2018 16:21:02 -0800
Subject: [PATCH] add and use request_authorizations

---
 acme/acme/client.py     | 14 ++++++++++++++
 certbot/auth_handler.py | 10 ++++++----
 certbot/client.py       | 23 ++++++++---------------
 certbot/main.py         |  2 +-
 4 files changed, 29 insertions(+), 20 deletions(-)

diff --git a/acme/acme/client.py b/acme/acme/client.py
index 1f4ae4fad..6b4d65233 100644
--- a/acme/acme/client.py
+++ b/acme/acme/client.py
@@ -671,6 +671,7 @@ class BackwardsCompatibleClientV2(object):
             self.client = Client(directory, key=key, net=net)
         else:
             self.client = ClientV2(directory, net=net)
+            self.orderr = None
 
     def __getattr__(self, name):
         if name in vars(self.client):
@@ -705,6 +706,19 @@ class BackwardsCompatibleClientV2(object):
                 regr = regr.update(terms_of_service_agreed=True)
             return self.client.new_account(regr)
 
+    def request_authorizations(self, csr_pem):
+        if self.acme_version == 1:
+            csr = OpenSSL.crypto.load_certificate_request(OpenSSL.crypto.FILETYPE_PEM, csr_pem)
+            # pylint: disable=protected-access
+            dnsNames = crypto_util._pyopenssl_cert_or_req_all_names(csr)
+            authorizations = []
+            for domain in dnsNames:
+                authorizations.append(self.client.request_domain_challenges(domain))
+            return authorizations
+        else:
+            self.orderr = self.client.new_order(csr_pem)
+            return self.orderr.authorizations
+
     def _acme_version_from_directory(self, directory):
         if hasattr(directory, 'newNonce'):
             return 2
diff --git a/certbot/auth_handler.py b/certbot/auth_handler.py
index 5f520cbcb..4f88199e3 100644
--- a/certbot/auth_handler.py
+++ b/certbot/auth_handler.py
@@ -48,10 +48,10 @@ class AuthHandler(object):
         # List must be used to keep responses straight.
         self.achalls = []
 
-    def get_authorizations(self, domains, best_effort=False):
+    def get_authorizations(self, csr_pem, best_effort=False):
         """Retrieve all authorizations for challenges.
 
-        :param list domains: Domains for authorization
+        :param list csr_pem: CSR containing domains for authorization
         :param bool best_effort: Whether or not all authorizations are
              required (this is useful in renewal)
 
@@ -62,8 +62,10 @@ class AuthHandler(object):
             authorizations
 
         """
-        for domain in domains:
-            self.authzr[domain] = self.acme.request_domain_challenges(domain)
+        authzrs = self.acme.request_authorizations(csr_pem)
+        for authzr in authzrs:
+            self.authzr[authzr.body.identifier.value] = authzr
+        domains = self.authzr.keys()
 
         self._choose_challenges(domains)
         config = zope.component.getUtility(interfaces.IConfig)
diff --git a/certbot/client.py b/certbot/client.py
index 67ee8f7fa..8e3ec6c62 100644
--- a/certbot/client.py
+++ b/certbot/client.py
@@ -235,13 +235,9 @@ class Client(object):
         else:
             self.auth_handler = None
 
-    def obtain_certificate_from_csr(self, domains, csr, authzr=None):
+    def obtain_certificate_from_csr(self, csr, authzr=None):
         """Obtain certificate.
 
-        Internal function with precondition that `domains` are
-        consistent with identifiers present in the `csr`.
-
-        :param list domains: Domain names.
         :param .util.CSR csr: PEM-encoded Certificate Signing
             Request. The key used to generate this CSR can be different
             than `authkey`.
@@ -261,10 +257,10 @@ class Client(object):
         if self.account.regr is None:
             raise errors.Error("Please register with the ACME server first.")
 
-        logger.debug("CSR: %s, domains: %s", csr, domains)
+        logger.debug("CSR: %s", csr)
 
         if authzr is None:
-            authzr = self.auth_handler.get_authorizations(domains)
+            authzr = self.auth_handler.get_authorizations(csr)
 
         certr = self.acme.request_issuance(
             jose.ComparableX509(
@@ -307,13 +303,6 @@ class Client(object):
         :rtype: tuple
 
         """
-        authzr = self.auth_handler.get_authorizations(
-                domains,
-                self.config.allow_subset_of_names)
-
-        auth_domains = set(a.body.identifier.value for a in authzr)
-        domains = [d for d in domains if d in auth_domains]
-
         # Create CSR from names
         if self.config.dry_run:
             key = util.Key(file=None,
@@ -326,8 +315,12 @@ class Client(object):
                 self.config.rsa_key_size, self.config.key_dir)
             csr = crypto_util.init_save_csr(key, domains, self.config.csr_dir)
 
+        authzr = self.auth_handler.get_authorizations(
+                csr,
+                self.config.allow_subset_of_names)
+
         certr, chain = self.obtain_certificate_from_csr(
-            domains, csr, authzr=authzr)
+            csr, authzr=authzr)
 
         return certr, chain, key, csr
 
diff --git a/certbot/main.py b/certbot/main.py
index ff3758985..d01f68920 100644
--- a/certbot/main.py
+++ b/certbot/main.py
@@ -1064,7 +1064,7 @@ def _csr_get_and_save_cert(config, le_client):
 
     """
     csr, _ = config.actual_csr
-    certr, chain = le_client.obtain_certificate_from_csr(config.domains, csr)
+    certr, chain = le_client.obtain_certificate_from_csr(csr)
     if config.dry_run:
         logger.debug(
             "Dry run: skipping saving certificate to %s", config.cert_path)