devnomads-cli 0.4.0__tar.gz → 0.5.0__tar.gz

{devnomads_cli-0.4.0 → devnomads_cli-0.5.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devnomads-cli
-Version: 0.4.0
+Version: 0.5.0
 Summary: Manage your DevNomads services from the command line
 Author-email: DevNomads <support@devnomads.nl>
 License: MIT
@@ -11,7 +11,7 @@ Requires-Dist: typer>=0.12
 Requires-Dist: httpx>=0.27
 Requires-Dist: rich>=13
 Requires-Dist: cryptography>=42
-Requires-Dist: devnomads[acme]>=0.2.1
+Requires-Dist: devnomads[acme]>=0.2.3
 Dynamic: license-file
 
 # dncli
@@ -126,10 +126,36 @@ dncli services list | jq -r '.[].entity'
 
 ## Certificates
 
-`dncli` issues Let's Encrypt certificates over DNS-01 and HTTP-01:
+`dncli` issues Let's Encrypt certificates using the DNS-01 challenge:
 
 ```sh
-dncli cert issue example.com -d "*.example.com"
+dncli cert issue example.com -d www.example.com -d "*.example.com"
+```
+
+The first argument is the primary domain (the certificate CN); add
+extra names (SANs) by repeating `--san`/`-d`. Every name must live in
+one of your DevNomads DNS zones, and that zone must be delegated to the
+DevNomads nameservers (`one.dns.infrapod.nl`, `two.dns.infrapod.nl`,
+`three.dns.infrapod.eu`) - otherwise issuance is refused, since the
+DNS-01 challenge records would not be visible to the CA.
+
+The certificate is always written to `~/.config/dncli/certs/<domain>/`
+as `cert.pem`, `fullchain.pem`, `chain.pem`, and `privkey.pem` (0600).
+Pass `--out <file>` to additionally export a single PEM bundle (key,
+then certificate, then intermediate, in that order).
+
+Keys are ECDSA P-384 by default. Pick another with `--key-type`
+(`ecdsa256`, `ecdsa384`, `ecdsa521`, `rsa2048`, `rsa4096`).
+
+Re-running `cert issue` is a no-op while the existing certificate is
+still valid for more than 21 days; pass `--force` to re-issue anyway.
+
+List what you have issued and re-export any of them as a single PEM
+bundle without re-issuing:
+
+```sh
+dncli cert list
+dncli cert export example.com --out bundle.pem   # omit --out to print
 ```
 
 A dehydrated-compatible DNS-01 hook ships as `dncli-dns-hook`:

{devnomads_cli-0.4.0 → devnomads_cli-0.5.0}/README.md

@@ -110,10 +110,36 @@ dncli services list | jq -r '.[].entity'
 
 ## Certificates
 
-`dncli` issues Let's Encrypt certificates over DNS-01 and HTTP-01:
+`dncli` issues Let's Encrypt certificates using the DNS-01 challenge:
 
 ```sh
-dncli cert issue example.com -d "*.example.com"
+dncli cert issue example.com -d www.example.com -d "*.example.com"
+```
+
+The first argument is the primary domain (the certificate CN); add
+extra names (SANs) by repeating `--san`/`-d`. Every name must live in
+one of your DevNomads DNS zones, and that zone must be delegated to the
+DevNomads nameservers (`one.dns.infrapod.nl`, `two.dns.infrapod.nl`,
+`three.dns.infrapod.eu`) - otherwise issuance is refused, since the
+DNS-01 challenge records would not be visible to the CA.
+
+The certificate is always written to `~/.config/dncli/certs/<domain>/`
+as `cert.pem`, `fullchain.pem`, `chain.pem`, and `privkey.pem` (0600).
+Pass `--out <file>` to additionally export a single PEM bundle (key,
+then certificate, then intermediate, in that order).
+
+Keys are ECDSA P-384 by default. Pick another with `--key-type`
+(`ecdsa256`, `ecdsa384`, `ecdsa521`, `rsa2048`, `rsa4096`).
+
+Re-running `cert issue` is a no-op while the existing certificate is
+still valid for more than 21 days; pass `--force` to re-issue anyway.
+
+List what you have issued and re-export any of them as a single PEM
+bundle without re-issuing:
+
+```sh
+dncli cert list
+dncli cert export example.com --out bundle.pem   # omit --out to print
 ```
 
 A dehydrated-compatible DNS-01 hook ships as `dncli-dns-hook`:

{devnomads_cli-0.4.0 → devnomads_cli-0.5.0}/devnomads_cli.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devnomads-cli
-Version: 0.4.0
+Version: 0.5.0
 Summary: Manage your DevNomads services from the command line
 Author-email: DevNomads <support@devnomads.nl>
 License: MIT
@@ -11,7 +11,7 @@ Requires-Dist: typer>=0.12
 Requires-Dist: httpx>=0.27
 Requires-Dist: rich>=13
 Requires-Dist: cryptography>=42
-Requires-Dist: devnomads[acme]>=0.2.1
+Requires-Dist: devnomads[acme]>=0.2.3
 Dynamic: license-file
 
 # dncli
@@ -126,10 +126,36 @@ dncli services list | jq -r '.[].entity'
 
 ## Certificates
 
-`dncli` issues Let's Encrypt certificates over DNS-01 and HTTP-01:
+`dncli` issues Let's Encrypt certificates using the DNS-01 challenge:
 
 ```sh
-dncli cert issue example.com -d "*.example.com"
+dncli cert issue example.com -d www.example.com -d "*.example.com"
+```
+
+The first argument is the primary domain (the certificate CN); add
+extra names (SANs) by repeating `--san`/`-d`. Every name must live in
+one of your DevNomads DNS zones, and that zone must be delegated to the
+DevNomads nameservers (`one.dns.infrapod.nl`, `two.dns.infrapod.nl`,
+`three.dns.infrapod.eu`) - otherwise issuance is refused, since the
+DNS-01 challenge records would not be visible to the CA.
+
+The certificate is always written to `~/.config/dncli/certs/<domain>/`
+as `cert.pem`, `fullchain.pem`, `chain.pem`, and `privkey.pem` (0600).
+Pass `--out <file>` to additionally export a single PEM bundle (key,
+then certificate, then intermediate, in that order).
+
+Keys are ECDSA P-384 by default. Pick another with `--key-type`
+(`ecdsa256`, `ecdsa384`, `ecdsa521`, `rsa2048`, `rsa4096`).
+
+Re-running `cert issue` is a no-op while the existing certificate is
+still valid for more than 21 days; pass `--force` to re-issue anyway.
+
+List what you have issued and re-export any of them as a single PEM
+bundle without re-issuing:
+
+```sh
+dncli cert list
+dncli cert export example.com --out bundle.pem   # omit --out to print
 ```
 
 A dehydrated-compatible DNS-01 hook ships as `dncli-dns-hook`:

{devnomads_cli-0.4.0 → devnomads_cli-0.5.0}/devnomads_cli.egg-info/requires.txt

@@ -2,4 +2,4 @@ typer>=0.12
 httpx>=0.27
 rich>=13
 cryptography>=42
-devnomads[acme]>=0.2.1
+devnomads[acme]>=0.2.3

{devnomads_cli-0.4.0 → devnomads_cli-0.5.0}/dncli.py

@@ -1360,6 +1360,28 @@ app.add_typer(cert_app, name="cert")
 
 LE_STAGING_DIRECTORY = "https://acme-staging-v02.api.letsencrypt.org/directory"
 CERT_RENEW_WINDOW_DAYS = 30
+# `cert issue` skips a domain whose current certificate is still valid for
+# longer than this, unless --force is given.
+CERT_REISSUE_WINDOW_DAYS = 21
+
+# A domain may only get a certificate if it is delegated to these exact
+# nameservers, i.e. the world resolves it through DevNomads and the DNS-01
+# challenge records we write are actually visible to the CA.
+REQUIRED_NAMESERVERS = (
+    "one.dns.infrapod.nl",
+    "two.dns.infrapod.nl",
+    "three.dns.infrapod.eu",
+)
+
+
+class KeyType(str, Enum):
+    """Certificate key types. ECDSA is the default; RSA on request."""
+
+    ecdsa256 = "ecdsa256"
+    ecdsa384 = "ecdsa384"
+    ecdsa521 = "ecdsa521"
+    rsa2048 = "rsa2048"
+    rsa4096 = "rsa4096"
 
 
 def _load_acme() -> Any:
@@ -1376,14 +1398,67 @@ def _load_acme() -> Any:
     return acme
 
 
-def _cert_out_dir(out: Path | None, domain: str) -> Path:
-    return out if out is not None else config_dir() / "certs" / domain
+def _cert_dir(domain: str) -> Path:
+    return config_dir() / "certs" / domain
 
 
 def _account_key_path() -> Path:
     return config_dir() / "acme" / "account.pem"
 
 
+def _our_zone_for(name: str, zone_names: set[str]) -> str | None:
+    """The longest of our zones that the cert identifier ``name`` sits in,
+    or None. A leading ``*.`` wildcard is matched against its base zone."""
+
+    host = name.lstrip("*.").rstrip(".").lower()
+    best: str | None = None
+    for zone in zone_names:
+        if host == zone or host.endswith(f".{zone}"):
+            if best is None or len(zone) > len(best):
+                best = zone
+    return best
+
+
+def _zone_nameservers(zone: str) -> set[str]:
+    """Authoritative NS names for ``zone`` from public DNS, lowercased and
+    without the trailing dot."""
+
+    import dns.exception
+    import dns.resolver
+
+    try:
+        answers = dns.resolver.resolve(zone, "NS")
+    except dns.exception.DNSException as exc:
+        raise CliError(f"could not look up nameservers for {zone}: {exc}") from exc
+    return {str(rr.target).rstrip(".").lower() for rr in answers}
+
+
+def _assert_dns_authority(state: AppState, identifiers: list[str]) -> None:
+    """Refuse issuance unless every identifier lives in one of our DevNomads
+    zones and that zone is delegated to the required nameservers."""
+
+    zones = get_client(state).request("GET", "/services/dns/zones")
+    zone_names = {str(z.get("name", "")).rstrip(".").lower() for z in (zones or [])}
+    needed: set[str] = set()
+    for ident in identifiers:
+        zone = _our_zone_for(ident, zone_names)
+        if zone is None:
+            raise CliError(
+                f"'{ident}' is not in any of your DevNomads DNS zones; add the "
+                "zone first (dncli dns zones list shows your zones)"
+            )
+        needed.add(zone)
+    required = set(REQUIRED_NAMESERVERS)
+    for zone in sorted(needed):
+        ns = _zone_nameservers(zone)
+        if ns != required:
+            raise CliError(
+                f"{zone} is not delegated to DevNomads: its nameservers are "
+                f"[{', '.join(sorted(ns)) or 'none'}] but must be exactly "
+                f"[{', '.join(REQUIRED_NAMESERVERS)}]"
+            )
+
+
 def _write_cert_files(
     out_dir: Path,
     *,
@@ -1402,22 +1477,70 @@ def _write_cert_files(
         (out_dir / name).write_text(content)
 
 
+def _combined_pem(privkey: str, leaf: str, chain: str) -> str:
+    """One PEM bundle: key, then certificate, then intermediate(s)."""
+
+    parts = [privkey, leaf, chain]
+    return "".join(p if p.endswith("\n") else p + "\n" for p in parts if p)
+
+
+def _export_combined_pem(path: Path, *, privkey: str, leaf: str, chain: str) -> None:
+    """Write the combined PEM at 0600, since it embeds the private key."""
+
+    _write_private(path, _combined_pem(privkey, leaf, chain))
+
+
+def _cert_info(cert_path: Path) -> dict[str, Any]:
+    """Summarize a stored leaf certificate for `cert list`."""
+
+    from datetime import datetime, timezone
+
+    from cryptography import x509
+    from cryptography.hazmat.primitives.asymmetric import ec, rsa
+
+    cert = x509.load_pem_x509_certificate(cert_path.read_bytes())
+    try:
+        not_after = cert.not_valid_after_utc
+    except AttributeError:  # cryptography < 42 fallback
+        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
+    days_left = (not_after - datetime.now(timezone.utc)).days
+    try:
+        sans = cert.extensions.get_extension_for_class(
+            x509.SubjectAlternativeName
+        ).value.get_values_for_type(x509.DNSName)
+    except x509.ExtensionNotFound:
+        sans = []
+    pub = cert.public_key()
+    if isinstance(pub, ec.EllipticCurvePublicKey):
+        key_type = f"ecdsa{pub.curve.key_size}"
+    elif isinstance(pub, rsa.RSAPublicKey):
+        key_type = f"rsa{pub.key_size}"
+    else:
+        key_type = type(pub).__name__
+    return {
+        "expires": not_after.strftime("%Y-%m-%d"),
+        "days_left": days_left,
+        "key_type": key_type,
+        "sans": sans,
+    }
+
+
 def _issue_certificate(
     state: AppState,
     domain: str,
     *,
     sans: list[str],
-    use_http01: bool,
-    webroot: str | None,
-    standalone: bool,
     email: str | None,
     key_type: str,
     staging: bool,
     out_dir: Path,
+    export_path: Path | None = None,
 ) -> None:
-    """Obtain a certificate for ``domain`` and write it to ``out_dir``."""
+    """Obtain a DNS-01 certificate for ``domain`` and write it to ``out_dir``;
+    optionally also export a single combined PEM to ``export_path``."""
 
     acme = _load_acme()
+    _assert_dns_authority(state, [domain, *sans])
 
     directory_url = LE_STAGING_DIRECTORY if staging else acme.DEFAULT_DIRECTORY_URL
     client = acme.AcmeClient(
@@ -1430,46 +1553,37 @@ def _issue_certificate(
     except acme.AcmeError as exc:
         raise CliError(str(exc)) from exc
 
-    dns_provider = None
-    http01_solver = None
-    if use_http01:
-        if webroot:
-            http01_solver = acme.WebrootSolver(webroot)
-        else:
-            http01_solver = acme.StandaloneSolver()
-        challenge = "http-01"
-    else:
-        dns_provider = acme.DevNomadsDnsProvider(Dns(get_client(state).api))
-        challenge = "dns-01"
-
+    dns_provider = acme.DevNomadsDnsProvider(Dns(get_client(state).api))
     err_console.print(
-        f"issuing {challenge} certificate for {domain}"
+        f"issuing dns-01 certificate for {domain}"
         + (f" (+{len(sans)} SAN(s))" if sans else "")
         + (" [staging]" if staging else "")
     )
     try:
-        with http01_solver or nullcontext() as solver:
-            leaf, fullchain, chain, key_pem = client.obtain_certificate(
-                domain,
-                challenge,
-                domain_key,
-                sans=sans or None,
-                dns_provider=dns_provider,
-                http01_solver=solver if use_http01 else None,
-            )
+        leaf, fullchain, chain, key_pem = client.obtain_certificate(
+            domain,
+            "dns-01",
+            domain_key,
+            sans=sans or None,
+            dns_provider=dns_provider,
+        )
     except acme.AcmeError as exc:
         raise CliError(str(exc)) from exc
     except DevNomadsError as exc:
         raise CliError(str(exc)) from exc
 
+    key_text = key_pem.decode() if isinstance(key_pem, bytes) else key_pem
     _write_cert_files(
         out_dir,
-        privkey=key_pem.decode() if isinstance(key_pem, bytes) else key_pem,
+        privkey=key_text,
         cert=leaf,
         fullchain=fullchain,
         chain=chain,
     )
     err_console.print(f"wrote certificate to {out_dir}")
+    if export_path is not None:
+        _export_combined_pem(export_path, privkey=key_text, leaf=leaf, chain=chain)
+        err_console.print(f"exported combined pem to {export_path}")
 
 
 @cert_app.command("issue")
@@ -1480,57 +1594,61 @@ def cert_issue(
         list[str] | None,
         typer.Option("--san", "-d", help="Additional SAN; repeat for more."),
     ] = None,
-    dns_01: Annotated[
-        bool, typer.Option("--dns-01", help="Use the DNS-01 challenge (default).")
-    ] = False,
-    http_01: Annotated[
-        bool, typer.Option("--http-01", help="Use the HTTP-01 challenge.")
-    ] = False,
-    webroot: Annotated[
-        str | None,
-        typer.Option("--webroot", help="HTTP-01 webroot directory to write into."),
-    ] = None,
-    standalone: Annotated[
-        bool,
-        typer.Option("--standalone", help="HTTP-01 via a built-in server on :80."),
-    ] = False,
     email: Annotated[
         str | None, typer.Option("--email", help="ACME account contact email.")
     ] = None,
     key_type: Annotated[
-        str, typer.Option("--key-type", help="Certificate key type.")
-    ] = "ec256",
+        KeyType,
+        typer.Option(
+            "--key-type",
+            help="Certificate key type "
+            "(ecdsa256/ecdsa384/ecdsa521/rsa2048/rsa4096).",
+        ),
+    ] = KeyType.ecdsa384,
     staging: Annotated[
         bool, typer.Option("--staging", help="Use the Let's Encrypt staging CA.")
     ] = False,
+    force: Annotated[
+        bool,
+        typer.Option(
+            "--force",
+            "-f",
+            help="Re-issue even if the current certificate is still valid.",
+        ),
+    ] = False,
     out: Annotated[
         Path | None,
         typer.Option(
-            "--out", help="Output directory (default <config>/certs/<domain>)."
+            "--out",
+            help="Also export a single PEM bundle (key + certificate + "
+            "intermediate) to this file.",
         ),
     ] = None,
 ) -> None:
-    """Issue a TLS certificate for a domain via ACME (Let's Encrypt)."""
+    """Issue a TLS certificate for a domain via ACME (Let's Encrypt, DNS-01)."""
 
     state = state_from(ctx)
-    if dns_01 and http_01:
-        raise CliError("choose only one of --dns-01 / --http-01")
-    if webroot and standalone:
-        raise CliError("choose only one of --webroot / --standalone")
-    use_http01 = http_01 or bool(webroot) or standalone
-    if dns_01 and use_http01:
-        raise CliError("--dns-01 cannot be combined with HTTP-01 options")
+    out_dir = _cert_dir(domain)
+    cert_path = out_dir / "cert.pem"
+    if (
+        not force
+        and cert_path.is_file()
+        and not _cert_expires_within(cert_path, CERT_REISSUE_WINDOW_DAYS)
+    ):
+        err_console.print(
+            f"{domain}: certificate still valid for more than "
+            f"{CERT_REISSUE_WINDOW_DAYS} days; pass --force to re-issue"
+        )
+        return
     _issue_certificate(
         state,
         domain,
         sans=list(san or []),
-        use_http01=use_http01,
-        webroot=webroot,
-        standalone=standalone,
         email=email,
-        key_type=key_type,
+        key_type=key_type.value,
         staging=staging,
-        out_dir=_cert_out_dir(out, domain),
+        out_dir=out_dir,
+        export_path=out,
     )
 
 
@@ -1564,8 +1682,13 @@ def cert_renew(
         str | None, typer.Option("--email", help="ACME account contact email.")
     ] = None,
     key_type: Annotated[
-        str, typer.Option("--key-type", help="Certificate key type.")
-    ] = "ec256",
+        KeyType,
+        typer.Option(
+            "--key-type",
+            help="Certificate key type "
+            "(ecdsa256/ecdsa384/ecdsa521/rsa2048/rsa4096).",
+        ),
+    ] = KeyType.ecdsa384,
     staging: Annotated[
         bool, typer.Option("--staging", help="Use the Let's Encrypt staging CA.")
     ] = False,
@@ -1593,16 +1716,77 @@ def cert_renew(
             state,
             name,
             sans=[],
-            use_http01=False,
-            webroot=None,
-            standalone=False,
             email=email,
-            key_type=key_type,
+            key_type=key_type.value,
             staging=staging,
             out_dir=out_dir,
         )
 
 
+@cert_app.command("list")
+def cert_list(
+    ctx: typer.Context, sort: SortOption = None, output: OutputOption = None
+) -> None:
+    """List the certificates you have issued and when they expire."""
+
+    state = state_from(ctx, output)
+    certs_root = config_dir() / "certs"
+    rows = []
+    for cert_dir in sorted(certs_root.glob("*")):
+        cert_path = cert_dir / "cert.pem"
+        if not cert_path.is_file():
+            continue
+        try:
+            info = _cert_info(cert_path)
+        except (OSError, ValueError):
+            continue
+        rows.append({"domain": cert_dir.name, **info})
+    if not rows:
+        err_console.print("[dim]no certificates issued[/]")
+        return
+    render(
+        state,
+        sort_rows(rows, sort),
+        columns=["domain", "expires", "days_left", "key_type", "sans"],
+        title="Certificates",
+    )
+
+
+@cert_app.command("export")
+def cert_export(
+    ctx: typer.Context,
+    domain: Annotated[
+        str, typer.Argument(help="Domain of a previously issued certificate.")
+    ],
+    out: Annotated[
+        Path | None,
+        typer.Option(
+            "--out",
+            help="Write the bundle here (0600); omit to print to stdout.",
+        ),
+    ] = None,
+) -> None:
+    """Re-export an issued certificate as one PEM (key + cert + intermediate)."""
+
+    cert_dir = _cert_dir(domain)
+    privkey = cert_dir / "privkey.pem"
+    leaf = cert_dir / "cert.pem"
+    chain = cert_dir / "chain.pem"
+    if not (privkey.is_file() and leaf.is_file()):
+        raise CliError(
+            f"no certificate for {domain} in {cert_dir}; "
+            "issue one with `dncli cert issue`"
+        )
+    key_text = privkey.read_text()
+    leaf_text = leaf.read_text()
+    chain_text = chain.read_text() if chain.is_file() else ""
+    if out is not None:
+        _export_combined_pem(out, privkey=key_text, leaf=leaf_text, chain=chain_text)
+        err_console.print(f"exported combined pem to {out}")
+    else:
+        sys.stdout.write(_combined_pem(key_text, leaf_text, chain_text))
+
+
 # ---------------------------------------------------------------------------
 # Generated commands. tools/generate.py renders one thin command per
 # OpenAPI operation between the markers below, from openapi.json plus

{devnomads_cli-0.4.0 → devnomads_cli-0.5.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "devnomads-cli"
-version = "0.4.0"
+version = "0.5.0"
 description = "Manage your DevNomads services from the command line"
 readme = "README.md"
 requires-python = ">=3.10"
@@ -11,7 +11,7 @@ dependencies = [
     "httpx>=0.27",
     "rich>=13",
     "cryptography>=42",
-    "devnomads[acme]>=0.2.1",
+    "devnomads[acme]>=0.2.3",
 ]
 
 [project.scripts]

devnomads_cli-0.5.0/tests/test_cert.py

@@ -0,0 +1,414 @@
+"""Certificate issuance: arg wiring, solver/provider selection, output."""
+
+import stat
+
+import pytest
+from typer.testing import CliRunner
+
+import dncli
+from dncli import app
+
+runner = CliRunner()
+
+LEAF = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
+CHAIN = "-----BEGIN CERTIFICATE-----\nCHAIN\n-----END CERTIFICATE-----\n"
+FULLCHAIN = LEAF + CHAIN
+KEY = b"-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----\n"
+
+
+@pytest.fixture
+def configured(write_profile):
+    write_profile(api_key="testkey-1234567890", api_url="https://api.test")
+
+
+@pytest.fixture
+def captured(monkeypatch):
+    """Stub AcmeClient.obtain_certificate; record how it was called."""
+
+    import devnomads.acme as acme
+
+    calls = {}
+
+    def fake_obtain(self, domain, challenge, domain_key, **kwargs):
+        calls["domain"] = domain
+        calls["challenge"] = challenge
+        calls["kwargs"] = kwargs
+        calls["directory_url"] = self.directory_url
+        return LEAF, FULLCHAIN, CHAIN, KEY
+
+    monkeypatch.setattr(acme.AcmeClient, "obtain_certificate", fake_obtain)
+    # generate_key touches no network but is slow; keep a tiny stub.
+    monkeypatch.setattr(acme, "generate_key", lambda algo: object())
+    # the zone/delegation pre-flight hits the API and public DNS; bypass it
+    # here so these tests focus on issuance behaviour (it has its own tests).
+    monkeypatch.setattr(dncli, "_assert_dns_authority", lambda state, ids: None)
+    return calls
+
+
+def _write_cert(cert_dir, *, days, with_key_chain=False):
+    """Write a self-signed leaf (and optionally key+chain) into ``cert_dir``,
+    valid until ``days`` from now."""
+
+    import datetime
+
+    from cryptography import x509
+    from cryptography.hazmat.primitives import hashes, serialization
+    from cryptography.hazmat.primitives.asymmetric import ec
+    from cryptography.x509.oid import NameOID
+
+    key = ec.generate_private_key(ec.SECP256R1())
+    now = datetime.datetime.now(datetime.timezone.utc)
+    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.com")])
+    cert = (
+        x509.CertificateBuilder()
+        .subject_name(name)
+        .issuer_name(name)
+        .public_key(key.public_key())
+        .serial_number(x509.random_serial_number())
+        .not_valid_before(now - datetime.timedelta(days=1))
+        .not_valid_after(now + datetime.timedelta(days=days))
+        .add_extension(
+            x509.SubjectAlternativeName([x509.DNSName("example.com")]), critical=False
+        )
+        .sign(key, hashes.SHA256())
+    )
+    cert_dir.mkdir(parents=True, exist_ok=True)
+    (cert_dir / "cert.pem").write_bytes(cert.public_bytes(serialization.Encoding.PEM))
+    if with_key_chain:
+        (cert_dir / "privkey.pem").write_bytes(
+            key.private_bytes(
+                serialization.Encoding.PEM,
+                serialization.PrivateFormat.TraditionalOpenSSL,
+                serialization.NoEncryption(),
+            )
+        )
+        (cert_dir / "chain.pem").write_text("CHAINPEM\n")
+    return cert
+
+
+def test_issue_dns01_default_uses_dns_provider(configured, captured, isolated_config):
+    result = runner.invoke(app, ["cert", "issue", "example.com"])
+    assert result.exit_code == 0, result.output
+    assert captured["challenge"] == "dns-01"
+    assert captured["kwargs"]["dns_provider"] is not None
+    out_dir = dncli.config_dir() / "certs" / "example.com"
+    assert (out_dir / "cert.pem").read_text() == LEAF
+    assert (out_dir / "fullchain.pem").read_text() == FULLCHAIN
+    assert (out_dir / "chain.pem").read_text() == CHAIN
+    privkey = out_dir / "privkey.pem"
+    assert privkey.read_bytes() == KEY
+    assert stat.S_IMODE(privkey.stat().st_mode) == 0o600
+
+
+def _spy_generate_key(monkeypatch, seen):
+    import devnomads.acme as acme
+
+    def spy(algo):
+        seen["algo"] = algo
+        return object()
+
+    monkeypatch.setattr(acme, "generate_key", spy)
+
+
+def test_issue_default_key_type_is_ecdsa384(
+    configured, captured, isolated_config, monkeypatch
+):
+    seen = {}
+    _spy_generate_key(monkeypatch, seen)
+    result = runner.invoke(app, ["cert", "issue", "example.com"])
+    assert result.exit_code == 0, result.output
+    assert seen["algo"] == "ecdsa384"
+
+
+def test_issue_key_type_ecdsa521(configured, captured, isolated_config, monkeypatch):
+    seen = {}
+    _spy_generate_key(monkeypatch, seen)
+    result = runner.invoke(
+        app, ["cert", "issue", "example.com", "--key-type", "ecdsa521"]
+    )
+    assert result.exit_code == 0, result.output
+    assert seen["algo"] == "ecdsa521"
+
+
+def test_issue_key_type_is_selectable(
+    configured, captured, isolated_config, monkeypatch
+):
+    seen = {}
+    _spy_generate_key(monkeypatch, seen)
+    result = runner.invoke(
+        app, ["cert", "issue", "example.com", "--key-type", "rsa4096"]
+    )
+    assert result.exit_code == 0, result.output
+    assert seen["algo"] == "rsa4096"
+
+
+def test_issue_rejects_unknown_key_type():
+    result = runner.invoke(
+        app, ["cert", "issue", "example.com", "--key-type", "ed25519"]
+    )
+    assert result.exit_code != 0
+    assert "ed25519" in result.output
+
+
+def test_issue_is_always_dns01(configured, captured, isolated_config):
+    result = runner.invoke(app, ["cert", "issue", "example.com"])
+    assert result.exit_code == 0, result.output
+    assert captured["challenge"] == "dns-01"
+    assert captured["kwargs"]["dns_provider"] is not None
+
+
+def test_issue_rejects_http01_options(configured, isolated_config):
+    # HTTP-01 was removed; these flags must no longer be accepted.
+    for flag in (["--http-01"], ["--standalone"], ["--webroot", "/tmp/x"]):
+        result = runner.invoke(app, ["cert", "issue", "example.com", *flag])
+        assert result.exit_code != 0, f"{flag} should be rejected: {result.output}"
+
+
+def test_issue_passes_sans(configured, captured, isolated_config):
+    result = runner.invoke(
+        app,
+        [
+            "cert",
+            "issue",
+            "example.com",
+            "-d",
+            "www.example.com",
+            "-d",
+            "a.example.com",
+        ],
+    )
+    assert result.exit_code == 0, result.output
+    assert captured["kwargs"]["sans"] == ["www.example.com", "a.example.com"]
+
+
+def test_issue_staging_switches_directory(configured, captured, isolated_config):
+    result = runner.invoke(app, ["cert", "issue", "example.com", "--staging"])
+    assert result.exit_code == 0, result.output
+    assert captured["directory_url"] == dncli.LE_STAGING_DIRECTORY
+
+
+def test_issue_out_exports_combined_pem(
+    configured, captured, isolated_config, tmp_path
+):
+    out = tmp_path / "bundle.pem"
+    result = runner.invoke(app, ["cert", "issue", "example.com", "--out", str(out)])
+    assert result.exit_code == 0, result.output
+    # the default per-domain dir is still written...
+    default_dir = dncli.config_dir() / "certs" / "example.com"
+    assert (default_dir / "fullchain.pem").read_text() == FULLCHAIN
+    # ...and the combined file has key, then leaf, then intermediate, in order.
+    assert out.read_text() == KEY.decode() + LEAF + CHAIN
+    assert stat.S_IMODE(out.stat().st_mode) == 0o600
+
+
+def test_our_zone_for_matches_longest_suffix():
+    zones = {"example.com", "sub.example.com"}
+    assert dncli._our_zone_for("a.sub.example.com", zones) == "sub.example.com"
+    assert dncli._our_zone_for("a.example.com", zones) == "example.com"
+    assert dncli._our_zone_for("*.example.com", zones) == "example.com"
+    assert dncli._our_zone_for("example.com", zones) == "example.com"
+    assert dncli._our_zone_for("other.org", zones) is None
+
+
+def test_export_combined_pem_order_and_mode(tmp_path):
+    out = tmp_path / "bundle.pem"
+    dncli._export_combined_pem(out, privkey="KEY\n", leaf="LEAF\n", chain="CHAIN\n")
+    assert out.read_text() == "KEY\nLEAF\nCHAIN\n"
+    assert stat.S_IMODE(out.stat().st_mode) == 0o600
+
+
+def _patch_authority(monkeypatch, *, zones, nameservers):
+    class FakeClient:
+        def request(self, method, path):
+            return zones
+
+    monkeypatch.setattr(dncli, "get_client", lambda state: FakeClient())
+    monkeypatch.setattr(dncli, "_zone_nameservers", lambda zone: set(nameservers))
+
+
+def test_assert_dns_authority_accepts_delegated_zone(monkeypatch):
+    _patch_authority(
+        monkeypatch,
+        zones=[{"name": "example.com."}],
+        nameservers=dncli.REQUIRED_NAMESERVERS,
+    )
+    dncli._assert_dns_authority(object(), ["example.com", "www.example.com"])
+
+
+def test_assert_dns_authority_rejects_foreign_domain(monkeypatch):
+    _patch_authority(
+        monkeypatch,
+        zones=[{"name": "example.com."}],
+        nameservers=dncli.REQUIRED_NAMESERVERS,
+    )
+    with pytest.raises(dncli.CliError):
+        dncli._assert_dns_authority(object(), ["notyours.org"])
+
+
+def test_assert_dns_authority_rejects_wrong_nameservers(monkeypatch):
+    _patch_authority(
+        monkeypatch,
+        zones=[{"name": "example.com."}],
+        nameservers={"ns1.other.com", "ns2.other.com"},
+    )
+    with pytest.raises(dncli.CliError):
+        dncli._assert_dns_authority(object(), ["example.com"])
+
+
+def test_load_acme_import_error_message(monkeypatch):
+    import builtins
+
+    real_import = builtins.__import__
+
+    def fake_import(name, *args, **kwargs):
+        if name == "devnomads.acme":
+            raise ImportError("No module named 'acme'")
+        return real_import(name, *args, **kwargs)
+
+    monkeypatch.setattr(builtins, "__import__", fake_import)
+    result = runner.invoke(app, ["cert", "issue", "example.com"])
+    assert result.exit_code == 1
+    assert "devnomads.acme" in result.output
+
+
+def test_renew_skips_valid_cert(configured, captured, isolated_config):
+    import datetime
+
+    from cryptography import x509
+    from cryptography.hazmat.primitives import hashes, serialization
+    from cryptography.hazmat.primitives.asymmetric import ec
+    from cryptography.x509.oid import NameOID
+
+    # write a cert valid for ~60 days so renew should skip it
+    key = ec.generate_private_key(ec.SECP256R1())
+    now = datetime.datetime.now(datetime.timezone.utc)
+    cert = (
+        x509.CertificateBuilder()
+        .subject_name(
+            x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.com")])
+        )
+        .issuer_name(
+            x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.com")])
+        )
+        .public_key(key.public_key())
+        .serial_number(x509.random_serial_number())
+        .not_valid_before(now - datetime.timedelta(days=1))
+        .not_valid_after(now + datetime.timedelta(days=60))
+        .sign(key, hashes.SHA256())
+    )
+    out_dir = dncli.config_dir() / "certs" / "example.com"
+    out_dir.mkdir(parents=True)
+    (out_dir / "cert.pem").write_bytes(cert.public_bytes(serialization.Encoding.PEM))
+
+    result = runner.invoke(app, ["cert", "renew", "example.com"])
+    assert result.exit_code == 0, result.output
+    assert "still valid" in result.output
+    assert "challenge" not in captured  # obtain_certificate was not called
+
+
+def test_renew_reissues_expiring_cert(configured, captured, isolated_config):
+    import datetime
+
+    from cryptography import x509
+    from cryptography.hazmat.primitives import hashes, serialization
+    from cryptography.hazmat.primitives.asymmetric import ec
+    from cryptography.x509.oid import NameOID
+
+    key = ec.generate_private_key(ec.SECP256R1())
+    now = datetime.datetime.now(datetime.timezone.utc)
+    cert = (
+        x509.CertificateBuilder()
+        .subject_name(
+            x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.com")])
+        )
+        .issuer_name(
+            x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.com")])
+        )
+        .public_key(key.public_key())
+        .serial_number(x509.random_serial_number())
+        .not_valid_before(now - datetime.timedelta(days=80))
+        .not_valid_after(now + datetime.timedelta(days=5))
+        .sign(key, hashes.SHA256())
+    )
+    out_dir = dncli.config_dir() / "certs" / "example.com"
+    out_dir.mkdir(parents=True)
+    (out_dir / "cert.pem").write_bytes(cert.public_bytes(serialization.Encoding.PEM))
+
+    result = runner.invoke(app, ["cert", "renew", "example.com"])
+    assert result.exit_code == 0, result.output
+    assert captured["challenge"] == "dns-01"
+    assert (out_dir / "fullchain.pem").read_text() == FULLCHAIN
+
+
+def test_issue_skips_when_valid_beyond_window(configured, captured, isolated_config):
+    _write_cert(dncli.config_dir() / "certs" / "example.com", days=60)
+    result = runner.invoke(app, ["cert", "issue", "example.com"])
+    assert result.exit_code == 0, result.output
+    assert "still valid" in result.output
+    assert "challenge" not in captured  # obtain_certificate was not called
+
+
+def test_issue_force_reissues_valid_cert(configured, captured, isolated_config):
+    _write_cert(dncli.config_dir() / "certs" / "example.com", days=60)
+    result = runner.invoke(app, ["cert", "issue", "example.com", "--force"])
+    assert result.exit_code == 0, result.output
+    assert captured["challenge"] == "dns-01"
+
+
+def test_issue_reissues_when_within_window(configured, captured, isolated_config):
+    _write_cert(dncli.config_dir() / "certs" / "example.com", days=10)
+    result = runner.invoke(app, ["cert", "issue", "example.com"])
+    assert result.exit_code == 0, result.output
+    assert captured["challenge"] == "dns-01"
+
+
+def test_cert_list_shows_issued(configured, isolated_config):
+    import json
+
+    _write_cert(dncli.config_dir() / "certs" / "example.com", days=45)
+    result = runner.invoke(app, ["cert", "list", "-o", "json"])
+    assert result.exit_code == 0, result.output
+    rows = json.loads(result.output)
+    assert rows[0]["domain"] == "example.com"
+    assert rows[0]["days_left"] >= 40
+    assert rows[0]["key_type"] == "ecdsa256"
+    assert "example.com" in rows[0]["sans"]
+
+
+def test_cert_list_empty(isolated_config):
+    result = runner.invoke(app, ["cert", "list"])
+    assert result.exit_code == 0, result.output
+    assert "no certificates" in result.output
+
+
+def test_cert_export_to_file(configured, isolated_config, tmp_path):
+    _write_cert(
+        dncli.config_dir() / "certs" / "example.com", days=30, with_key_chain=True
+    )
+    out = tmp_path / "bundle.pem"
+    result = runner.invoke(app, ["cert", "export", "example.com", "--out", str(out)])
+    assert result.exit_code == 0, result.output
+    text = out.read_text()
+    # order: private key, then leaf certificate, then intermediate
+    assert (
+        text.index("EC PRIVATE KEY")
+        < text.index("CERTIFICATE")
+        < text.index("CHAINPEM")
+    )
+    assert stat.S_IMODE(out.stat().st_mode) == 0o600
+
+
+def test_cert_export_to_stdout(configured, isolated_config):
+    _write_cert(
+        dncli.config_dir() / "certs" / "example.com", days=30, with_key_chain=True
+    )
+    result = runner.invoke(app, ["cert", "export", "example.com"])
+    assert result.exit_code == 0, result.output
+    assert "BEGIN CERTIFICATE" in result.stdout
+    assert "CHAINPEM" in result.stdout
+
+
+def test_cert_export_missing(isolated_config):
+    result = runner.invoke(app, ["cert", "export", "nope.com"])
+    assert result.exit_code != 0
+    assert "no certificate" in result.output

devnomads_cli-0.4.0/tests/test_cert.py

@@ -1,204 +0,0 @@
-"""Certificate issuance: arg wiring, solver/provider selection, output."""
-
-import stat
-
-import pytest
-from typer.testing import CliRunner
-
-import dncli
-from dncli import app
-
-runner = CliRunner()
-
-LEAF = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
-CHAIN = "-----BEGIN CERTIFICATE-----\nCHAIN\n-----END CERTIFICATE-----\n"
-FULLCHAIN = LEAF + CHAIN
-KEY = b"-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----\n"
-
-
-@pytest.fixture
-def configured(write_profile):
-    write_profile(api_key="testkey-1234567890", api_url="https://api.test")
-
-
-@pytest.fixture
-def captured(monkeypatch):
-    """Stub AcmeClient.obtain_certificate; record how it was called."""
-
-    import devnomads.acme as acme
-
-    calls = {}
-
-    def fake_obtain(self, domain, challenge, domain_key, **kwargs):
-        calls["domain"] = domain
-        calls["challenge"] = challenge
-        calls["kwargs"] = kwargs
-        calls["directory_url"] = self.directory_url
-        return LEAF, FULLCHAIN, CHAIN, KEY
-
-    monkeypatch.setattr(acme.AcmeClient, "obtain_certificate", fake_obtain)
-    # generate_key touches no network but is slow; keep a tiny stub.
-    monkeypatch.setattr(acme, "generate_key", lambda algo: object())
-    return calls
-
-
-def test_issue_dns01_default_uses_dns_provider(configured, captured, isolated_config):
-    result = runner.invoke(app, ["cert", "issue", "example.com"])
-    assert result.exit_code == 0, result.output
-    assert captured["challenge"] == "dns-01"
-    assert captured["kwargs"]["dns_provider"] is not None
-    assert captured["kwargs"]["http01_solver"] is None
-    out_dir = dncli.config_dir() / "certs" / "example.com"
-    assert (out_dir / "cert.pem").read_text() == LEAF
-    assert (out_dir / "fullchain.pem").read_text() == FULLCHAIN
-    assert (out_dir / "chain.pem").read_text() == CHAIN
-    privkey = out_dir / "privkey.pem"
-    assert privkey.read_bytes() == KEY
-    assert stat.S_IMODE(privkey.stat().st_mode) == 0o600
-
-
-def test_issue_http01_webroot_uses_webroot_solver(
-    configured, captured, isolated_config, tmp_path
-):
-    import devnomads.acme as acme
-
-    webroot = tmp_path / "web"
-    result = runner.invoke(
-        app, ["cert", "issue", "example.com", "--webroot", str(webroot)]
-    )
-    assert result.exit_code == 0, result.output
-    assert captured["challenge"] == "http-01"
-    assert captured["kwargs"]["dns_provider"] is None
-    assert isinstance(captured["kwargs"]["http01_solver"], acme.WebrootSolver)
-
-
-def test_issue_standalone_uses_standalone_solver(configured, captured, isolated_config):
-    import devnomads.acme as acme
-
-    result = runner.invoke(app, ["cert", "issue", "example.com", "--standalone"])
-    assert result.exit_code == 0, result.output
-    assert captured["challenge"] == "http-01"
-    assert isinstance(captured["kwargs"]["http01_solver"], acme.StandaloneSolver)
-
-
-def test_issue_passes_sans(configured, captured, isolated_config):
-    result = runner.invoke(
-        app,
-        [
-            "cert",
-            "issue",
-            "example.com",
-            "-d",
-            "www.example.com",
-            "-d",
-            "a.example.com",
-        ],
-    )
-    assert result.exit_code == 0, result.output
-    assert captured["kwargs"]["sans"] == ["www.example.com", "a.example.com"]
-
-
-def test_issue_staging_switches_directory(configured, captured, isolated_config):
-    result = runner.invoke(app, ["cert", "issue", "example.com", "--staging"])
-    assert result.exit_code == 0, result.output
-    assert captured["directory_url"] == dncli.LE_STAGING_DIRECTORY
-
-
-def test_issue_rejects_both_challenges(configured, isolated_config):
-    result = runner.invoke(
-        app, ["cert", "issue", "example.com", "--dns-01", "--http-01"]
-    )
-    assert result.exit_code == 1
-    assert "only one" in result.output
-
-
-def test_issue_out_dir_override(configured, captured, isolated_config, tmp_path):
-    out = tmp_path / "mycerts"
-    result = runner.invoke(app, ["cert", "issue", "example.com", "--out", str(out)])
-    assert result.exit_code == 0, result.output
-    assert (out / "fullchain.pem").read_text() == FULLCHAIN
-
-
-def test_load_acme_import_error_message(monkeypatch):
-    import builtins
-
-    real_import = builtins.__import__
-
-    def fake_import(name, *args, **kwargs):
-        if name == "devnomads.acme":
-            raise ImportError("No module named 'acme'")
-        return real_import(name, *args, **kwargs)
-
-    monkeypatch.setattr(builtins, "__import__", fake_import)
-    result = runner.invoke(app, ["cert", "issue", "example.com"])
-    assert result.exit_code == 1
-    assert "devnomads.acme" in result.output
-
-
-def test_renew_skips_valid_cert(configured, captured, isolated_config):
-    import datetime
-
-    from cryptography import x509
-    from cryptography.hazmat.primitives import hashes, serialization
-    from cryptography.hazmat.primitives.asymmetric import ec
-    from cryptography.x509.oid import NameOID
-
-    # write a cert valid for ~60 days so renew should skip it
-    key = ec.generate_private_key(ec.SECP256R1())
-    now = datetime.datetime.now(datetime.timezone.utc)
-    cert = (
-        x509.CertificateBuilder()
-        .subject_name(
-            x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.com")])
-        )
-        .issuer_name(
-            x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.com")])
-        )
-        .public_key(key.public_key())
-        .serial_number(x509.random_serial_number())
-        .not_valid_before(now - datetime.timedelta(days=1))
-        .not_valid_after(now + datetime.timedelta(days=60))
-        .sign(key, hashes.SHA256())
-    )
-    out_dir = dncli.config_dir() / "certs" / "example.com"
-    out_dir.mkdir(parents=True)
-    (out_dir / "cert.pem").write_bytes(cert.public_bytes(serialization.Encoding.PEM))
-
-    result = runner.invoke(app, ["cert", "renew", "example.com"])
-    assert result.exit_code == 0, result.output
-    assert "still valid" in result.output
-    assert "challenge" not in captured  # obtain_certificate was not called
-
-
-def test_renew_reissues_expiring_cert(configured, captured, isolated_config):
-    import datetime
-
-    from cryptography import x509
-    from cryptography.hazmat.primitives import hashes, serialization
-    from cryptography.hazmat.primitives.asymmetric import ec
-    from cryptography.x509.oid import NameOID
-
-    key = ec.generate_private_key(ec.SECP256R1())
-    now = datetime.datetime.now(datetime.timezone.utc)
-    cert = (
-        x509.CertificateBuilder()
-        .subject_name(
-            x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.com")])
-        )
-        .issuer_name(
-            x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.com")])
-        )
-        .public_key(key.public_key())
-        .serial_number(x509.random_serial_number())
-        .not_valid_before(now - datetime.timedelta(days=80))
-        .not_valid_after(now + datetime.timedelta(days=5))
-        .sign(key, hashes.SHA256())
-    )
-    out_dir = dncli.config_dir() / "certs" / "example.com"
-    out_dir.mkdir(parents=True)
-    (out_dir / "cert.pem").write_bytes(cert.public_bytes(serialization.Encoding.PEM))
-
-    result = runner.invoke(app, ["cert", "renew", "example.com"])
-    assert result.exit_code == 0, result.output
-    assert captured["challenge"] == "dns-01"
-    assert (out_dir / "fullchain.pem").read_text() == FULLCHAIN