Implement DNS validation as optional for ACME providers leveraging externalAccountBinding
Please see https://github.com/Netflix/lemur/issues/3129 for additional details.
When I use ACME_DIRECTORY_URL, ACME_REGR and ACME_PRIVATE_KEY information obtained from another ACME client like Certbot, Lemur failed with the following error:
Traceback (most recent call last):
  File "/opt/app/lemur/lemur/plugins/lemur_acme/plugin.py", line 561, in get_ordered_certificates
    acme_client, order, order_info
  File "/opt/app/lemur/lemur/plugins/lemur_acme/plugin.py", line 305, in get_authorizations
    dns_provider.options,
  File "/opt/app/lemur/lemur/plugins/lemur_acme/plugin.py", line 110, in start_dns_challenge
    raise Exception("Unable to determine DNS challenges from authorizations")
Exception: Unable to determine DNS challenges from authorizations
2020-09-24 19:46:44,388 ERROR: {'function': 'lemur.common.celery.fetch_acme_cert', 'message': 'Pending certificate creation failure', 'task_id': '84b6997f-1729-464e-be42-bbdad5b24436', 'id': 3, 'pending_cert_id': 3, 'last_error': Exception('Unable to determine DNS challenges from authorizations',), 'cn': 'FQDN'} [in /opt/app/lemur/lemur/common/celery.py:320]
I noticed this behavior with some ACME providers: they simply ignore the DNS challenge as long as the EAB key and EAB ID match.
Do you know if it's common for certificate authorities to forgo validation if external account binding is used?
Since right now it's not possible to provide the EAB at all (unless using the pre-configured ACME account), I'd propose implementing a new EAB-enabled IssuerPlugin if we can waive the validation in these cases. (It would also need a different way of creating a new ACME account, where the EAB is transmitted as well.)
If one would still need to be able to do the validations, it might be more useful to refactor the current implementation, with its two dedicated IssuerPlugins for DNS & HTTP challenges, into a single one where you can choose between validation methods (e.g. DNS, HTTP, or None) and make the EAB a configuration option there as well.
I tested this again today. My current AWS Route53 profile was for a subdomain. I used certbot and EAB to get the certificate. With Certbot, if I did not provide a valid DNS service option it failed. However, the AWS account I used does not have the ability to update the DNS entries of the domain I was trying. It is kind of tricky that certbot appears to use DNS validation. But with just login credentials it worked just fine.
I noticed it works as long as the domains are pre-authorized. When I tried to test with an external domain with certbot and my EAB, I got the following error:
The identifiers are not all linked to the same preauthorized Subject organization name/address
Do you know if it's common for certificate authorities to forgo validation if external account binding is used?
This is currently the case for DigiCert.
With external account binding support added in https://github.com/Netflix/lemur/pull/3611 (thanks!) I think it would be beneficial if we revisited adding optional support to skip validation for a configured ACME authority. If there are no major objections, I can take a shot at contributing a patch. cc @hosseinsh just in case you have any thoughts here...
Yeah, I noticed the flow of DigiCert for ACME in that they skip the validation part, which might be typical for OV-validated domains.
I shared some thoughts on this other issue, but it boils down to whether DigiCert is following the protocol correctly and sending back Status Valid challenges, in which case Lemur would be able to skip the validation since https://github.com/Netflix/lemur/pull/3666.
Otherwise, we need a small variation, controlled via options, to skip validation and move right to finalizing the order.
https://github.com/Netflix/lemur/issues/3669#issuecomment-878671476
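The decision described above, as an added illustration that is not Lemur's own plugin code: walk the ACME authorization objects returned by the CA, go straight to finalize for those the CA already reports as valid (the pre-authorized EAB case), require a pending dns-01 challenge otherwise, and optionally skip validation entirely for a CA that ignores challenges. The authorization dicts are constructed samples in the RFC 8555 section 7.1.4 layout; no real CA, domains or URLs are involved.

```python
"""Decide per ACME authorization whether a dns-01 challenge must still be solved
or whether the CA already marked it valid (as a pre-authorized EAB account may see).
Added example, not Lemur's plugin code; dicts follow RFC 8555 section 7.1.4 layout."""
from typing import Dict, List, Optional

# Constructed sample authorization objects (no real CA, domains or URLs).
SAMPLE_AUTHZS: List[Dict] = [
    {"identifier": {"type": "dns", "value": "www.example.test"},   # pre-authorized by the CA
     "status": "valid",
     "challenges": [{"type": "dns-01", "status": "valid", "token": "tok1"}]},
    {"identifier": {"type": "dns", "value": "api.example.test"},   # normal pending case
     "status": "pending",
     "challenges": [{"type": "http-01", "status": "pending", "token": "tok2"},
                    {"type": "dns-01", "status": "pending", "token": "tok3"}]},
    {"identifier": {"type": "dns", "value": "mail.example.test"},  # pending, no dns-01 offered
     "status": "pending",
     "challenges": [{"type": "http-01", "status": "pending", "token": "tok4"}]},
]


def dns_challenge_for(authz: Dict) -> Optional[Dict]:
    """Return the dns-01 challenge object of an authorization, or None if the CA offers none."""
    return next((c for c in authz.get("challenges", []) if c.get("type") == "dns-01"), None)


def plan_validation(authzs: List[Dict], skip_validation: bool = False) -> Dict[str, str]:
    """Map each identifier to the next client action.

    'finalize': authorization is already valid (or skip_validation is set for a CA that
                ignores challenges), so the order can be finalized directly.
    'dns-01'  : a pending dns-01 challenge must first be published in DNS.
    Raises ValueError when a pending authorization offers no dns-01 challenge; that is the
    condition behind "Unable to determine DNS challenges from authorizations".
    """
    plan: Dict[str, str] = {}
    for authz in authzs:
        name = authz["identifier"]["value"]
        if authz.get("status") == "valid" or skip_validation:
            plan[name] = "finalize"
            continue
        if dns_challenge_for(authz) is None:
            raise ValueError(f"no dns-01 challenge offered for {name}")
        plan[name] = "dns-01"
    return plan
```

With a protocol-compliant CA, skip_validation on a pending authorization would simply fail at finalize, so it is only useful as an explicit option for CAs that honor the EAB pre-authorization and ignore challenges.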
I see, thanks for the insight. I haven't tested #3666 yet (just learned about it now) but will do so this week and report back whether they are sending Status Valid challenges correctly or not.