author | Robin C. Ladiges <rcl.git@blackpinguin.de> | 2021-06-24 10:43:40 +0200 |
---|---|---|
committer | siddharth <s@ricketyspace.net> | 2021-06-26 12:08:02 -0400 |
commit | f1df4c2b3f63f3137deca4ced91e081a2746e98a (patch) | |
tree | 1ea2ee3689963d907f2b2b5e0c2d15fe92db4fa7 /acmens.py | |
parent | f71ca723edd8202c7da165738fb4c646dc736f1f (diff) |
acmens.py: fallback to `dns`
Sometimes `http` isn't available as a challenge type, e.g. for wildcards
or when `dns` was used for the domain recently.
Instead of being forced to use `--challenge dns` for wildcard
certificates, the `--challenge` flag can now be omitted and it will
automatically fall back to `dns`.
This is especially useful for SAN certificates, where it can fall back to
the other challenge type if the preferred type isn't available for one
of the multiple domains.
Diffstat (limited to 'acmens.py')
-rw-r--r-- | acmens.py | 17 |
1 files changed, 14 insertions, 3 deletions
@@ -145,17 +145,28 @@ def _do_challenge(challenge_type, authz_url, nonce_url, auth, account_key, thumb
 # Choose challenge.
 preferred_type = "dns-01" if challenge_type == "dns" else "http-01"
 challenge = None
+ dns_challenge = None
 http_challenge = None
 for c in chl_result["challenges"]:
 if c["type"] == preferred_type:
 challenge = c
+ if c["type"] == "dns-01":
+ dns_challenge = c
 if c["type"] == "http-01":
 http_challenge = c
 if challenge is None:
 if http_challenge is None:
- sys.stderr.write("Error: Unable to find challenges!")
- sys.exit(1)
- challenge = http_challenge # Fallback to http challenge.
+ if dns_challenge is None:
+ sys.stderr.write("Error: Unable to find challenges!")
+ sys.exit(1)
+ else:
+ # Fallback to dns challenge.
+ challenge = dns_challenge
+ challenge_type = "dns"
+ else:
+ # Fallback to http challenge.
+ challenge = http_challenge
+ challenge_type = "http"
 keyauthorization = "{0}.{1}".format(challenge["token"], thumbprint)
 dns_payload = _b64(hashlib.sha256(keyauthorization.encode()).digest()) |
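Review bot: Both fallback branches switch the validation method without telling the operator: when the preferred type is not offered, `challenge` and `challenge_type` are reassigned silently, so a run started with `--challenge http` can end up on dns-01 (or the reverse) for one name of a SAN certificate. The two methods prove control over different things, so I would report the switch in each branch, e.g. `sys.stderr.write("Note: {0} not offered, falling back to dns-01\n".format(preferred_type))` and the http-01 equivalent. Whether the later prompts already make the switch obvious cannot be seen here, since `_do_challenge` starts before and continues after the hunk. Separately, the `"Error: Unable to find challenges!"` message has no trailing newline.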