vault-acme: sleep in lieu of waiting "properly" for DNS propagation

Once we've seen the TXT record on any nameserver, assume that it'll reach the
rest of them within 60 seconds.

This is an awful hack because some peculiarities of my setup don't work
properly with the upstream lego code.
This commit is contained in:
Luke Granger-Brown 2022-03-17 01:03:41 +00:00
parent 148e071c21
commit d2481b1461
2 changed files with 37 additions and 0 deletions


@ -19,6 +19,8 @@ buildGoModule rec {
sha256 = "sha256:0f3d89j51gcrvpxmlr3psvv9mm6y3rw4hwk3rs4rb3a6rj5yg2iq";
};
patches = [ ./just-add-a-sleep.patch ];
vendorSha256 = "sha256:07bqapnrf1fdyaxkna14s5calgj71sk2qysigd32hxl673zd06ic";
subPackages = [


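--- /dev/null
+++ b/just-add-a-sleep.patch
@@ -0,0 +1,35 @@
+diff --git a/acme/client.go b/acme/client.go
+index 20f98a9..cc85277 100644
+--- a/acme/client.go
++++ b/acme/client.go
+@@ -3,6 +3,7 @@ package acme
+ import (
+ "context"
+ "os"
++ "time"
+ "github.com/go-acme/lego/v3/certificate"
+ "github.com/go-acme/lego/v3/challenge/dns01"
+@@ -42,6 +43,22 @@ func setupChallengeProviders(ctx context.Context, logger log.Logger, client *leg
+ nameServer := os.Getenv("LEGO_TEST_NAMESERVER")
+ isTesting := nameServer != ""
+ err = client.Challenge.SetDNS01Provider(provider,
++ dns01.WrapPreCheck(func(domain, fqdn, value string, check dns01.PreCheckFunc) (bool, error) {
++ ok, err := check(fqdn, value)
++ if !ok || err != nil {
++ return ok, err
++ }
++
++ if a.IgnoreDNSPropagation {
++ // Just wait 1 minute for stuff to settle...
++ const duration = 60 * time.Second
++ logger.Info("waiting %v for things to settle", duration)
++ time.Sleep(duration)
++ logger.Info("done waiting %v for things to settle", duration)
++ }
++
++ return true, nil
++ }),
+ dns01.CondOption(isTesting, dns01.AddRecursiveNameservers([]string{nameServer})),
+ dns01.CondOption(a.IgnoreDNSPropagation || isTesting, dns01.DisableCompletePropagationRequirement()))
+ if err != nil {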
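Review bot: The 60-second `time.Sleep` inside the new `WrapPreCheck` closure ignores the `ctx` that `setupChallengeProviders` receives (visible in the hunk header), so a cancelled or timed-out context still blocks the challenge for the full minute and the closure then reports success anyway. Waiting on a timer in a `select` against `ctx.Done()` keeps the same delay but returns `false, ctx.Err()` on cancellation; `time.NewTimer` with a deferred `Stop` is preferable to `time.After` on the Go versions this lego v3 code targets, so the timer is released if the context fires first. The `// Just wait 1 minute for stuff to settle...` comment would be clearer stating the assumption the commit message gives, e.g. `// The TXT record was seen on one nameserver; assume the rest catch up within a minute.` `setupChallengeProviders` continues past the end of the hunk.
```go
	if a.IgnoreDNSPropagation {
		// The TXT record was seen on one nameserver; assume the rest catch up
		// within a minute, but stop waiting if the caller's context is cancelled.
		const duration = 60 * time.Second
		logger.Info("waiting %v for things to settle", duration)
		t := time.NewTimer(duration)
		defer t.Stop()
		select {
		case <-t.C:
		case <-ctx.Done():
			return false, ctx.Err()
		}
		logger.Info("done waiting %v for things to settle", duration)
	}
	// … unchanged: return true, nil and the remaining dns01 options …
```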