author | Robin C. Ladiges <rcl.git@blackpinguin.de> | 2021-06-24 10:43:40 +0200 |
---|---|---|
committer | siddharth <s@ricketyspace.net> | 2021-06-26 12:08:02 -0400 |
commit | f1df4c2b3f63f3137deca4ced91e081a2746e98a (patch) | |
tree | 1ea2ee3689963d907f2b2b5e0c2d15fe92db4fa7 | |
parent | f71ca723edd8202c7da165738fb4c646dc736f1f (diff) |
acmens.py: fallback to `dns`
Sometimes `http` isn't available as a challenge type. E.g. for wildcards
or when `dns` was used for the domain lately.
Instead of being forced to use `--challenge dns` for wildcard
certificates, the `--challenge` flag can be omitted now and it will
automatically fall back to `dns`.
This is especially useful for SAN certificates, where it can fall back to
the other challenge type if the preferred type isn't available for one
of the multiple domains.
-rw-r--r-- | acmens.py | 17 |
1 files changed, 14 insertions, 3 deletions
@@ -145,17 +145,28 @@ def _do_challenge(challenge_type, authz_url, nonce_url, auth, account_key, thumb
 # Choose challenge.
 preferred_type = "dns-01" if challenge_type == "dns" else "http-01"
 challenge = None
+ dns_challenge = None
 http_challenge = None
 for c in chl_result["challenges"]:
 if c["type"] == preferred_type:
 challenge = c
+ if c["type"] == "dns-01":
+ dns_challenge = c
 if c["type"] == "http-01":
 http_challenge = c
 if challenge is None:
 if http_challenge is None:
- sys.stderr.write("Error: Unable to find challenges!")
- sys.exit(1)
- challenge = http_challenge # Fallback to http challenge.
+ if dns_challenge is None:
+ sys.stderr.write("Error: Unable to find challenges!")
+ sys.exit(1)
+ else:
+ # Fallback to dns challenge.
+ challenge = dns_challenge
+ challenge_type = "dns"
+ else:
+ # Fallback to http challenge.
+ challenge = http_challenge
+ challenge_type = "http"
 keyauthorization = "{0}.{1}".format(challenge["token"], thumbprint)
 dns_payload = _b64(hashlib.sha256(keyauthorization.encode()).digest()) |
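Review bot: Both fallback branches under `if challenge is None:` switch the validation method silently, so a run started with `--challenge dns` can complete an http-01 validation (or the reverse) with nothing on stderr to show which method proved control of the domain. I would emit a notice in each branch before reassigning `challenge_type`, for example `sys.stderr.write("Notice: {0} not offered for this authorization, using dns-01 instead\n".format(preferred_type))` and the matching http-01 line. This matters most for the SAN case the description mentions, where different names in one order may end up validated by different methods. Whether an explicitly passed `--challenge` should fall back at all, rather than fail, is worth deciding, although the hunk alone does not show whether an explicit flag can be told apart from the default. `_do_challenge` starts and ends outside the hunk, so how the reassigned `challenge_type` is consumed afterwards is not visible here.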