solveHTTPChallengeBlindly will try to respond correctly with an http-01 challenge response. The request must be an http-01 challenge request. We cannot know for sure which ACME CA is making the request, so we have to guess when loading the account whose thumbprint forms part of the response body.
(w http.ResponseWriter, r *http.Request)
| 132 | // part of the response body. It is a no-op if the last component of the URL path contains |
| 133 | // characters outside of the base64url alphabet. |
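func (am *ACMEIssuer) solveHTTPChallengeBlindly(w http.ResponseWriter, r *http.Request) error {
	// The candidate token is whatever follows the last "/" in the request
	// path (the whole path if there is no "/"). It is untrusted input: it is
	// only reflected back to the client when it is non-empty and consists
	// solely of base64url characters, and the body is served as text/plain,
	// so the reflection cannot be used to inject markup into a response.
	token := r.URL.Path[strings.LastIndex(r.URL.Path, "/")+1:]
	if token == "" || !allBase64URL(token) {
		// Not a plausible http-01 token (an ACME token is never empty), so
		// deliberately do nothing rather than hand out a key authorization
		// for an arbitrary path.
		return nil
	}

	// We cannot tell which CA issued this challenge, so pick the account
	// for the configured CA and hope for the best. If the request actually
	// came from a different CA, the thumbprint presumably will not be the
	// one that CA expects and its validation will not succeed.
	acct, err := am.getAccountToUse(r.Context(), am.CA) // assume production CA, I guess
	if err != nil {
		return fmt.Errorf("getting an account to use: %v", err)
	}
	thumbprint, err := acct.Thumbprint()
	if err != nil {
		return fmt.Errorf("could not encode account thumbprint: %v", err)
	}

	w.Header().Add("Content-Type", "text/plain")
	// Best-effort write: once headers are committed there is no way to
	// report or recover from a failed body write, so the error is dropped.
	_, _ = w.Write([]byte(token + "." + thumbprint))
	// NOTE(review): intended to have the server close the connection after
	// this response instead of keeping it alive; verify net/http honors
	// r.Close on the server side.
	r.Close = true

	am.Logger.Info("served key authentication",
		zap.String("identifier", hostOnly(r.Host)),
		zap.String("challenge", "http-01"),
		zap.String("remote", r.RemoteAddr),
		zap.Bool("distributed", false),
		zap.Bool("blind", true),
		zap.String("ca", am.CA))
	return nil
}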
| 159 | |
| 160 | // allBase64URL returns true if all characters of s are in the base64url alphabet. |
| 161 | func allBase64URL(s string) bool { |