Merge pull request #2393 from letsencrypt/webroot-map-and-flags

Allow webroot-map and --csr to exist together.
2026-06-09 00:32:12 -04:00 · 2016-02-08 17:13:22 -08:00 · 2016-02-08 17:13:22 -08:00 · c8623fdd91
commit c8623fdd91
parent 764594b300 7b0e701731
5 changed files with 43 additions and 27 deletions
--- a/letsencrypt/cli.py
+++ b/letsencrypt/cli.py
@ -672,11 +672,6 @@ def run(config, plugins):  # pylint: disable=too-many-branches,too-many-locals
 def obtain_cert(config, plugins, lineage=None):
    """Implements "certonly": authenticate & obtain cert, but do not install it."""

-    if config.domains and config.csr is not None:
-        # TODO: --csr could have a priority, when --domains is
-        # supplied, check if CSR matches given domains?
-        return "--domains and --csr are mutually exclusive"
-
    try:
        # installers are used in auth mode to determine domain names
        installer, authenticator = choose_configurator_plugins(config, plugins, "certonly")
@ -689,8 +684,7 @@ def obtain_cert(config, plugins, lineage=None):
    # This is a special case; cert and chain are simply saved
    if config.csr is not None:
        assert lineage is None, "Did not expect a CSR with a RenewableCert"
-        certr, chain = le_client.obtain_certificate_from_csr(le_util.CSR(
-            file=config.csr[0], data=config.csr[1], form="der"))
+        certr, chain = le_client.obtain_certificate_from_csr(_process_domain)
        if config.dry_run:
            logger.info(
                "Dry run: skipping saving certificate to %s", config.cert_path)
--- a/letsencrypt/client.py
+++ b/letsencrypt/client.py
@ -228,21 +228,34 @@ class Client(object):
            authzr)
        return certr, self.acme.fetch_chain(certr)

-    def obtain_certificate_from_csr(self, csr):
+    def obtain_certificate_from_csr(self, domain_callback):
        """Obtain certficiate from CSR.

-        :param .le_util.CSR csr: DER-encoded Certificate Signing
-            Request.
+        :param function(config, domains) domain_callback: callback for each
+        domain extracted from the CSR, to ensure that webroot-map and similar
+        housekeeping in cli.py is performed correctly

        :returns: `.CertificateResource` and certificate chain (as
            returned by `.fetch_chain`).
        :rtype: tuple

        """
-        return self._obtain_certificate(
-            # TODO: add CN to domains?
-            crypto_util.get_sans_from_csr(
-                csr.data, OpenSSL.crypto.FILETYPE_ASN1), csr)
+
+        #raise TypeError("About to call %r" % le_util.CSR)
+        csr = le_util.CSR(file=self.config.csr[0], data=self.config.csr[1], form="der")
+        # TODO: add CN to domains?
+        domains = crypto_util.get_sans_from_csr(csr.data, OpenSSL.crypto.FILETYPE_ASN1)
+        for d in domains:
+            domain_callback(self.config, d)
+
+        csr_domains, config_domains = set(domains), set(self.config.domains)
+        if csr_domains != config_domains:
+            raise errors.ConfigurationError(
+                "Inconsistent domain requests:\ncsr: {0}\ncli config: {1}"
+                .format(", ".join(csr_domains), ", ".join(config_domains))
+            )
+
+        return self._obtain_certificate(domains, csr)

    def obtain_certificate(self, domains):
        """Obtains a certificate from the ACME server.
--- a/letsencrypt/plugins/webroot.py
+++ b/letsencrypt/plugins/webroot.py
@ -49,8 +49,10 @@ to serve all files under specified web root ({0})."""
        path_map = self.conf("map")

        if not path_map:
-            raise errors.PluginError("--{0} must be set".format(
-                self.option_name("path")))
+            raise errors.PluginError(
+                "Missing parts of webroot configuration; please set either "
+                "--webroot-path and --domains, or --webroot-map. Run with "
+                " --help webroot for examples.")
        for name, path in path_map.items():
            if not os.path.isdir(path):
                raise errors.PluginError(path + " does not exist or is not a directory")
--- a/letsencrypt/tests/cli_test.py
+++ b/letsencrypt/tests/cli_test.py
@ -228,7 +228,7 @@ class CLITest(unittest.TestCase):  # pylint: disable=too-many-public-methods

        args = ["certonly", "--webroot"]
        ret, _, _, _ = self._call(args)
-        self.assertTrue("--webroot-path must be set" in ret)
+        self.assertTrue("please set either --webroot-path" in ret)

        self._cli_missing_flag(["--standalone"], "With the standalone plugin, you probably")

@ -323,9 +323,6 @@ class CLITest(unittest.TestCase):  # pylint: disable=too-many-public-methods
        self.assertEqual(config.fullchain_path, os.path.abspath(fullchain))

    def test_certonly_bad_args(self):
-        ret, _, _, _ = self._call(['-d', 'foo.bar', 'certonly', '--csr', CSR])
-        self.assertEqual(ret, '--domains and --csr are mutually exclusive')
-
        ret, _, _, _ = self._call(['-a', 'bad_auth', 'certonly'])
        self.assertEqual(ret, 'The requested bad_auth plugin does not appear to be installed')

--- a/letsencrypt/tests/client_test.py
+++ b/letsencrypt/tests/client_test.py
@ -82,6 +82,7 @@ class ClientTest(unittest.TestCase):
            no_verify_ssl=False, config_dir="/etc/letsencrypt")
        # pylint: disable=star-args
        self.account = mock.MagicMock(**{"key.pem": KEY})
+        self.eg_domains = ["example.com", "www.example.com"]

        from letsencrypt.client import Client
        with mock.patch("letsencrypt.client.acme_client.Client") as acme:
@ -101,8 +102,7 @@ class ClientTest(unittest.TestCase):
        self.acme.fetch_chain.return_value = mock.sentinel.chain

    def _check_obtain_certificate(self):
-        self.client.auth_handler.get_authorizations.assert_called_once_with(
-            ["example.com", "www.example.com"])
+        self.client.auth_handler.get_authorizations.assert_called_once_with(self.eg_domains)
        self.acme.request_issuance.assert_called_once_with(
            jose.ComparableX509(OpenSSL.crypto.load_certificate_request(
                OpenSSL.crypto.FILETYPE_ASN1, CSR_SAN)),
@ -111,11 +111,21 @@ class ClientTest(unittest.TestCase):

    def test_obtain_certificate_from_csr(self):
        self._mock_obtain_certificate()
-        self.assertEqual(
-            (mock.sentinel.certr, mock.sentinel.chain),
-            self.client.obtain_certificate_from_csr(le_util.CSR(
-                form="der", file=None, data=CSR_SAN)))
-        self._check_obtain_certificate()
+        mock_process_domain = mock.MagicMock()
+        test_csr = le_util.CSR(form="der", file=None, data=CSR_SAN)
+        with mock.patch("letsencrypt.client.le_util.CSR") as mock_CSR:
+            mock_CSR.return_value = test_csr
+            self.client.config.domains = self.eg_domains
+            self.assertEqual(
+                (mock.sentinel.certr, mock.sentinel.chain),
+                self.client.obtain_certificate_from_csr(mock_process_domain))
+
+            # make sure cli processing occurred
+            cli_processed = (call[0][1] for call in mock_process_domain.call_args_list)
+            self.assertEqual(set(cli_processed), set(("example.com", "www.example.com")))
+
+            # and that the cert was obtained correctly
+            self._check_obtain_certificate()

    @mock.patch("letsencrypt.client.crypto_util")
    def test_obtain_certificate(self, mock_crypto_util):