v0.8.5: Pebble v2.10.0 support, dns-persist-01 challenge deser fix #264
RFC 8555 doesn't specify that this field is always present, it's a property of the specific challenge type. It happens to be the case that all of our supported challenge types have always included a token, but the new dns-persist-01 challenge type does not. To avoid deser errors from a missing token field for ACME CAs that include dns-persist-01 challenges (or other, unknown challenge types), default the field to an empty string when omitted.
The Pebble v2.10.0 release renamed the pebble-challtestsrv binary's -dns01 argument to -dnsserver to match pebble's similar flag.
I think that this is good to get CI unstuck, but not sure I want to release 0.8.5 with the fake empty token?

Presumably Let's Encrypt's staging and production APIs are going to start offering this challenge type at some point. That's going to hard break all of the 0.8.x users in the wild. It seems reasonable to me to release this fix to avoid that while improving the status quo in the follow-up release. Having the field empty for unsupported challenge types isn't ideal, but doesn't seem likely to cause any significant confusion in practice.
The announcement blog post says:
So I think the question is whether we can reasonably expect that all users will be on a 0.9 by late Q1/early Q2. Otherwise issuance/renewals will be broken after that point.
Resolves #258

As a follow up we should consider changing how challenges are represented to avoid the impression that `token` is always present regardless of the `ChallengeType`, but in the meantime this semver compatible fix will prevent errors talking to CAs that are offering standard-compliant, but unsupported challenge types like `dns-persist-01`. See this CI failure on `main` for example.

Note of course that this branch fixes using `instant-acme` with a CA that offers `dns-persist-01` (like Pebble v2.10.0+) but it does not allow you to complete `dns-persist-01` challenges. Support for this new challenge type is not yet implemented (see #263).

Proposed release notes

`Challenge` deserialization errors of the form "missing field `token`" when using `instant-acme` with CAs offering challenge types that don't present a token (e.g. `dns-persist-01` with Pebble v2.10.0+)
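To make the failure mode and the fix concrete, the following is an added Python model of the deserialization behaviour described in the commit message and the PR description above. It is not the crate's own Rust/serde code (in Rust the fix would be a `serde(default)` on the `token` field; that is an assumption about the implementation, not something the page states). The authorization JSON, the `ca.test` URLs, the token values and the `supported_token` helper are all constructed here for illustration. The strict parser reproduces the pre-fix error on a `dns-persist-01` challenge, the lenient parser reproduces the 0.8.5 behaviour, and `supported_token` sketches the follow-up representation in which a token is only exposed for challenge types that define one.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample (not captured from a real CA): an ACME authorization
# object in the shape a Pebble v2.10.0+ CA might return. The http-01 and
# dns-01 challenges carry a token; the dns-persist-01 challenge does not,
# which RFC 8555 permits because `token` is a per-challenge-type field.
SAMPLE_AUTHZ = json.dumps({
    "status": "pending",
    "identifier": {"type": "dns", "value": "example.test"},
    "challenges": [
        {"type": "http-01", "url": "https://ca.test/chall/1",
         "status": "pending", "token": "tok-http"},
        {"type": "dns-01", "url": "https://ca.test/chall/2",
         "status": "pending", "token": "tok-dns"},
        {"type": "dns-persist-01", "url": "https://ca.test/chall/3",
         "status": "pending"},
    ],
})

# Challenge types this model knows how to complete; dns-persist-01 is not
# among them, mirroring the PR's note that it is recognised but unsupported.
TOKEN_BEARING_TYPES = ("http-01", "dns-01", "tls-alpn-01")


class DeserializeError(Exception):
    """Raised when a challenge object cannot be parsed."""


@dataclass
class Challenge:
    type: str
    url: str
    status: str
    token: str  # "" when the challenge type defines no token


def parse_challenge(obj: dict, *, strict: bool) -> Challenge:
    """strict=True models the pre-fix parser: a missing `token` rejects the object
    (and therefore the whole authorization). strict=False models the 0.8.5 fix:
    an absent `token` defaults to the empty string."""
    try:
        token = obj["token"]
    except KeyError:
        if strict:
            raise DeserializeError("missing field `token`") from None
        token = ""
    return Challenge(type=obj["type"], url=obj["url"],
                     status=obj["status"], token=token)


def parse_authorization(text: str, *, strict: bool) -> list[Challenge]:
    """Parse every challenge in an authorization; one bad challenge fails the lot."""
    data = json.loads(text)
    return [parse_challenge(c, strict=strict) for c in data["challenges"]]


def strict_parse_error(text: str) -> Optional[str]:
    """Return the error message the strict parser produces for `text`, or None."""
    try:
        parse_authorization(text, strict=True)
    except DeserializeError as exc:
        return str(exc)
    return None


def supported_token(ch: Challenge) -> Optional[str]:
    """Follow-up representation: expose a token only for challenge types
    that define one, so callers cannot mistake "" for a usable token."""
    if ch.type in TOKEN_BEARING_TYPES:
        return ch.token
    return None


if __name__ == "__main__":
    print("strict parser:", strict_parse_error(SAMPLE_AUTHZ))
    for ch in parse_authorization(SAMPLE_AUTHZ, strict=False):
        print(f"{ch.type:15} token={ch.token!r} usable={supported_token(ch)!r}")
```

Run as-is the strict parser reports the same `missing field token` error the release notes describe, even though two of the three challenges are perfectly usable; the lenient parser returns all three, with an empty token on the `dns-persist-01` entry, which is exactly the trade-off the reviewers discuss above.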