diff --git a/go.mod b/go.mod
index 5e072197f..d0bda6774 100644
--- a/go.mod
+++ b/go.mod
@@ -6,12 +6,12 @@ require (
 github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.1
 github.com/apparentlymart/go-cidr v1.1.0
 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
- github.com/aws/aws-sdk-go v1.44.144
+ github.com/aws/aws-sdk-go v1.44.146
 github.com/cloudfoundry/bosh-cli v6.4.1+incompatible
 github.com/cppforlife/go-patch v0.2.0
 github.com/fatih/color v1.13.0
 github.com/ghodss/yaml v1.0.0
- github.com/go-acme/lego/v4 v4.9.0
+ github.com/go-acme/lego/v4 v4.9.1
 github.com/imdario/mergo v0.3.13
 github.com/lib/pq v1.10.7
 github.com/maxbrunsfeld/counterfeiter/v6 v6.5.0
diff --git a/go.sum b/go.sum
index 7ab56c1b6..b74ef62d0 100644
--- a/go.sum
+++ b/go.sum
@@ -297,8 +297,8 @@ github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4t
 github.com/apparentlymart/go-cidr v1.1.0/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc=
 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ=
 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
-github.com/aws/aws-sdk-go v1.44.144 h1:mMWdnYL8HZsobrQe1mwvQ18Xt8UbOVhWgipjuma5Mkg=
-github.com/aws/aws-sdk-go v1.44.144/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/aws/aws-sdk-go v1.44.146 h1:7YdGgPxDPRJu/yYffzZp/H7yHzQ6AqmuNFZPYraaN8I=
+github.com/aws/aws-sdk-go v1.44.146/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/bmatcuk/doublestar v1.3.4 h1:gPypJ5xD31uhX6Tf54sDPUOBXTqKH4c9aPY66CyQrS0=
@@ -358,8 +358,8 @@ github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYF
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-acme/lego/v4 v4.9.0 h1:8Hjj44IqRS7cigshMyFQ+0pIZvwgkG/+9A0UnNh7G8A=
-github.com/go-acme/lego/v4 v4.9.0/go.mod h1:g3JRUyWS3L/VObpp4bCxzJftKyf/Wba8QrSSnoiqjg4=
+github.com/go-acme/lego/v4 v4.9.1 h1:n9Z5MQwANeGSQKlVE3bEh9SDvAySK9oVYOKCGCESqQE=
+github.com/go-acme/lego/v4 v4.9.1/go.mod h1:g3JRUyWS3L/VObpp4bCxzJftKyf/Wba8QrSSnoiqjg4=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
index 3fc271a56..a1417674e 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
@@ -17316,6 +17316,88 @@ var awsPartition = partition{ }: endpoint{}, }, }, + "oam": service{ + Endpoints: serviceEndpoints{ + endpointKey{ + Region: "af-south-1", + }: endpoint{}, + endpointKey{ + Region: "ap-east-1", + }: endpoint{}, + endpointKey{ + Region: "ap-northeast-1", + }: endpoint{}, + endpointKey{ + Region: "ap-northeast-2", + }: endpoint{}, + endpointKey{ + Region: "ap-northeast-3", + }: endpoint{}, + endpointKey{ + Region: "ap-south-1", + }: endpoint{}, + endpointKey{ + Region: "ap-south-2", + }: endpoint{}, + endpointKey{ + Region: "ap-southeast-1", + }: endpoint{}, + endpointKey{ + Region: "ap-southeast-2", + }: endpoint{}, + endpointKey{ + Region: "ap-southeast-3", + }: endpoint{}, + endpointKey{ + Region: "ca-central-1", + }: endpoint{}, + endpointKey{ + Region: "eu-central-1", + }: endpoint{}, + endpointKey{ + Region: "eu-central-2", + }: endpoint{}, + endpointKey{ + Region: "eu-north-1", + }: endpoint{}, + endpointKey{ + Region: "eu-south-1", + }: endpoint{}, + endpointKey{ + Region: "eu-south-2", + }: endpoint{}, + endpointKey{ + Region: "eu-west-1", + }: endpoint{}, + endpointKey{ + Region: "eu-west-2", + }: endpoint{}, + endpointKey{ + Region: "eu-west-3", + }: endpoint{}, + endpointKey{ + Region: "me-central-1", + }: endpoint{}, + endpointKey{ + Region: "me-south-1", + }: endpoint{}, + endpointKey{ + Region: "sa-east-1", + }: endpoint{}, + endpointKey{ + Region: "us-east-1", + }: endpoint{}, + endpointKey{ + Region: "us-east-2", + }: endpoint{}, + endpointKey{ + Region: "us-west-1", + }: endpoint{}, + endpointKey{ + Region: "us-west-2", + }: endpoint{}, + }, + }, "oidc": service{ Endpoints: serviceEndpoints{ endpointKey{ @@ -34549,6 +34631,9 @@ var awsisoPartition = partition{ endpointKey{ Region: "us-iso-east-1", }: endpoint{}, + endpointKey{ + Region: "us-iso-west-1", + }: endpoint{}, }, }, "glacier": service{ 
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/version.go b/vendor/github.com/aws/aws-sdk-go/aws/version.go
index a015fdb05..244216b09 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/version.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/version.go
@@ -5,4 +5,4 @@ package aws
 const SDKName = "aws-sdk-go"
 
 // SDKVersion is the version of this SDK
-const SDKVersion = "1.44.144"
+const SDKVersion = "1.44.146"
diff --git a/vendor/github.com/go-acme/lego/v4/acme/api/internal/sender/useragent.go b/vendor/github.com/go-acme/lego/v4/acme/api/internal/sender/useragent.go
index 9d65f8913..260fcc090 100644
--- a/vendor/github.com/go-acme/lego/v4/acme/api/internal/sender/useragent.go
+++ b/vendor/github.com/go-acme/lego/v4/acme/api/internal/sender/useragent.go
@@ -5,7 +5,7 @@ package sender
 
 const (
 // ourUserAgent is the User-Agent of this underlying library package.
- ourUserAgent = "xenolf-acme/4.9.0"
+ ourUserAgent = "xenolf-acme/4.9.1"
 
 // ourUserAgentComment is part of the UA comment linked to the version status of this underlying library package.
 // values: detach|release
diff --git a/vendor/github.com/go-acme/lego/v4/challenge/dns01/dns_challenge.go b/vendor/github.com/go-acme/lego/v4/challenge/dns01/dns_challenge.go
index ca24e7af7..354eb4e38 100644
--- a/vendor/github.com/go-acme/lego/v4/challenge/dns01/dns_challenge.go
+++ b/vendor/github.com/go-acme/lego/v4/challenge/dns01/dns_challenge.go
@@ -194,14 +194,20 @@ func getChallengeFqdn(domain string) string {
 
 // Keep following CNAMEs
 r, err := dnsQuery(fqdn, dns.TypeCNAME, recursiveNameservers, true)
+ if err != nil || r.Rcode != dns.RcodeSuccess {
+ // No more CNAME records to follow, exit
+ break
+ }
+
 // Check if the domain has CNAME then use that
- if err == nil && r.Rcode == dns.RcodeSuccess {
- fqdn = updateDomainWithCName(r, fqdn)
- continue
+ cname := updateDomainWithCName(r, fqdn)
+ if cname == fqdn {
+ break
 }
 
- // No more CNAME records to follow, exit
- break
+ log.Infof("Found CNAME entry for %q: %q", fqdn, cname)
+
+ fqdn = cname
 }
 
 return fqdn
diff --git a/vendor/github.com/go-acme/lego/v4/providers/dns/route53/route53.toml b/vendor/github.com/go-acme/lego/v4/providers/dns/route53/route53.toml
index 5b541d97f..41278d0a7 100644
--- a/vendor/github.com/go-acme/lego/v4/providers/dns/route53/route53.toml
+++ b/vendor/github.com/go-acme/lego/v4/providers/dns/route53/route53.toml
@@ -28,37 +28,91 @@ See also:
 - [Setting AWS Credentials](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials)
 - [Setting AWS Region](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-the-region)
 
-## Policy
+## IAM Policy Examples
 
-The following AWS IAM policy document describes the permissions required for lego to complete the DNS challenge.
+### Broad privileges for testing purposes
+
+The following [IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) document grants access to the required APIs needed by lego to complete the DNS challenge.
+A word of caution:
+These permissions grant write access to any DNS record in any hosted zone,
+so it is recommended to narrow them down as much as possible if you are using this policy in production.
 
 ```json
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "",
- "Effect": "Allow",
- "Action": [
- "route53:GetChange",
- "route53:ChangeResourceRecordSets",
- "route53:ListResourceRecordSets"
- ],
- "Resource": [
- "arn:aws:route53:::hostedzone/*",
- "arn:aws:route53:::change/*"
- ]
- },
- {
- "Sid": "",
- "Effect": "Allow",
- "Action": "route53:ListHostedZonesByName",
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:GetChange",
+ "route53:ChangeResourceRecordSets",
+ "route53:ListResourceRecordSets"
+ ],
+ "Resource": [
+ "arn:aws:route53:::hostedzone/*",
+ "arn:aws:route53:::change/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": "route53:ListHostedZonesByName",
+ "Resource": "*"
+ }
+ ]
 }
 ```
 
+### Least privilege policy for production purposes
+
+The following AWS IAM policy document describes least privilege permissions required for lego to complete the DNS challenge.
+Write access is limited to a specified hosted zone's DNS TXT records with a key of `_acme-challenge.example.com`.
+Replace `Z11111112222222333333` with your hosted zone ID and `example.com` with your domain name to use this policy.
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "route53:GetChange",
+ "Resource": "arn:aws:route53:::change/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "route53:ListHostedZonesByName",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:ListResourceRecordSets"
+ ],
+ "Resource": [
+ "arn:aws:route53:::hostedzone/Z11111112222222333333"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:ChangeResourceRecordSets"
+ ],
+ "Resource": [
+ "arn:aws:route53:::hostedzone/Z11111112222222333333"
+ ],
+ "Condition": {
+ "ForAllValues:StringEquals": {
+ "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
+ "_acme-challenge.example.com"
+ ],
+ "route53:ChangeResourceRecordSetsRecordTypes": [
+ "TXT"
+ ]
+ }
+ }
+ }
+ ]
+}
+```
 '''
 
 [Configuration]
diff --git a/vendor/modules.txt b/vendor/modules.txt
index e99c7e8be..18954cd4c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -47,7 +47,7 @@ github.com/apparentlymart/go-cidr/cidr
 # github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
 ## explicit; go 1.13
 github.com/asaskevich/govalidator
-# github.com/aws/aws-sdk-go v1.44.144
+# github.com/aws/aws-sdk-go v1.44.146
 ## explicit; go 1.11
 github.com/aws/aws-sdk-go/aws
 github.com/aws/aws-sdk-go/aws/arn
@@ -136,7 +136,7 @@ github.com/fatih/color
 # github.com/ghodss/yaml v1.0.0
 ## explicit
 github.com/ghodss/yaml
-# github.com/go-acme/lego/v4 v4.9.0
+# github.com/go-acme/lego/v4 v4.9.1
 ## explicit; go 1.18
 github.com/go-acme/lego/v4/acme
 github.com/go-acme/lego/v4/acme/api