PyPI - devnomads-cli - Versions diffs - 0.4.1__tar.gz → 0.5.0__tar.gz - Mend

devnomads-cli 0.4.1tar.gz → 0.5.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

{devnomads_cli-0.4.1 → devnomads_cli-0.5.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devnomads-cli
-Version: 0.4.1
+Version: 0.5.0
 Summary: Manage your DevNomads services from the command line
 Author-email: DevNomads <support@devnomads.nl>
 License: MIT
@@ -126,21 +126,38 @@ dncli services list | jq -r '.[].entity'
 ## Certificates
-`dncli` issues Let's Encrypt certificates over DNS-01 and HTTP-01:
+`dncli` issues Let's Encrypt certificates using the DNS-01 challenge:
 ```sh
 dncli cert issue example.com -d www.example.com -d "*.example.com"
 ```
 The first argument is the primary domain (the certificate CN); add
-extra names (SANs) by repeating `--san`/`-d`. The certificate is
-written to `~/.config/dncli/certs/<domain>/` as `cert.pem`,
-`fullchain.pem`, `chain.pem`, and `privkey.pem` (0600); override the
-location with `--out`.
+extra names (SANs) by repeating `--san`/`-d`. Every name must live in
+one of your DevNomads DNS zones, and that zone must be delegated to the
+DevNomads nameservers (`one.dns.infrapod.nl`, `two.dns.infrapod.nl`,
+`three.dns.infrapod.eu`) - otherwise issuance is refused, since the
+DNS-01 challenge records would not be visible to the CA.
+The certificate is always written to `~/.config/dncli/certs/<domain>/`
+as `cert.pem`, `fullchain.pem`, `chain.pem`, and `privkey.pem` (0600).
+Pass `--out <file>` to additionally export a single PEM bundle (key,
+then certificate, then intermediate, in that order).
 Keys are ECDSA P-384 by default. Pick another with `--key-type`
 (`ecdsa256`, `ecdsa384`, `ecdsa521`, `rsa2048`, `rsa4096`).
+Re-running `cert issue` is a no-op while the existing certificate is
+still valid for more than 21 days; pass `--force` to re-issue anyway.
+List what you have issued and re-export any of them as a single PEM
+bundle without re-issuing:
+```sh
+dncli cert list
+dncli cert export example.com --out bundle.pem   # omit --out to print
+```
 A dehydrated-compatible DNS-01 hook ships as `dncli-dns-hook`:
 ```sh

{devnomads_cli-0.4.1 → devnomads_cli-0.5.0}/README.md RENAMED Viewed

@@ -110,21 +110,38 @@ dncli services list | jq -r '.[].entity'
 ## Certificates
-`dncli` issues Let's Encrypt certificates over DNS-01 and HTTP-01:
+`dncli` issues Let's Encrypt certificates using the DNS-01 challenge:
 ```sh
 dncli cert issue example.com -d www.example.com -d "*.example.com"
 ```
 The first argument is the primary domain (the certificate CN); add
-extra names (SANs) by repeating `--san`/`-d`. The certificate is
-written to `~/.config/dncli/certs/<domain>/` as `cert.pem`,
-`fullchain.pem`, `chain.pem`, and `privkey.pem` (0600); override the
-location with `--out`.
+extra names (SANs) by repeating `--san`/`-d`. Every name must live in
+one of your DevNomads DNS zones, and that zone must be delegated to the
+DevNomads nameservers (`one.dns.infrapod.nl`, `two.dns.infrapod.nl`,
+`three.dns.infrapod.eu`) - otherwise issuance is refused, since the
+DNS-01 challenge records would not be visible to the CA.
+The certificate is always written to `~/.config/dncli/certs/<domain>/`
+as `cert.pem`, `fullchain.pem`, `chain.pem`, and `privkey.pem` (0600).
+Pass `--out <file>` to additionally export a single PEM bundle (key,
+then certificate, then intermediate, in that order).
 Keys are ECDSA P-384 by default. Pick another with `--key-type`
 (`ecdsa256`, `ecdsa384`, `ecdsa521`, `rsa2048`, `rsa4096`).
+Re-running `cert issue` is a no-op while the existing certificate is
+still valid for more than 21 days; pass `--force` to re-issue anyway.
+List what you have issued and re-export any of them as a single PEM
+bundle without re-issuing:
+```sh
+dncli cert list
+dncli cert export example.com --out bundle.pem   # omit --out to print
+```
 A dehydrated-compatible DNS-01 hook ships as `dncli-dns-hook`:
 ```sh

{devnomads_cli-0.4.1 → devnomads_cli-0.5.0}/devnomads_cli.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devnomads-cli
-Version: 0.4.1
+Version: 0.5.0
 Summary: Manage your DevNomads services from the command line
 Author-email: DevNomads <support@devnomads.nl>
 License: MIT
@@ -126,21 +126,38 @@ dncli services list | jq -r '.[].entity'
 ## Certificates
-`dncli` issues Let's Encrypt certificates over DNS-01 and HTTP-01:
+`dncli` issues Let's Encrypt certificates using the DNS-01 challenge:
 ```sh
 dncli cert issue example.com -d www.example.com -d "*.example.com"
 ```
 The first argument is the primary domain (the certificate CN); add
-extra names (SANs) by repeating `--san`/`-d`. The certificate is
-written to `~/.config/dncli/certs/<domain>/` as `cert.pem`,
-`fullchain.pem`, `chain.pem`, and `privkey.pem` (0600); override the
-location with `--out`.
+extra names (SANs) by repeating `--san`/`-d`. Every name must live in
+one of your DevNomads DNS zones, and that zone must be delegated to the
+DevNomads nameservers (`one.dns.infrapod.nl`, `two.dns.infrapod.nl`,
+`three.dns.infrapod.eu`) - otherwise issuance is refused, since the
+DNS-01 challenge records would not be visible to the CA.
+The certificate is always written to `~/.config/dncli/certs/<domain>/`
+as `cert.pem`, `fullchain.pem`, `chain.pem`, and `privkey.pem` (0600).
+Pass `--out <file>` to additionally export a single PEM bundle (key,
+then certificate, then intermediate, in that order).
 Keys are ECDSA P-384 by default. Pick another with `--key-type`
 (`ecdsa256`, `ecdsa384`, `ecdsa521`, `rsa2048`, `rsa4096`).
+Re-running `cert issue` is a no-op while the existing certificate is
+still valid for more than 21 days; pass `--force` to re-issue anyway.
+List what you have issued and re-export any of them as a single PEM
+bundle without re-issuing:
+```sh
+dncli cert list
+dncli cert export example.com --out bundle.pem   # omit --out to print
+```
 A dehydrated-compatible DNS-01 hook ships as `dncli-dns-hook`:
 ```sh

{devnomads_cli-0.4.1 → devnomads_cli-0.5.0}/dncli.py RENAMED Viewed

@@ -1360,6 +1360,18 @@ app.add_typer(cert_app, name="cert")
 LE_STAGING_DIRECTORY = "https://acme-staging-v02.api.letsencrypt.org/directory"
 CERT_RENEW_WINDOW_DAYS = 30
+# `cert issue` skips a domain whose current certificate is still valid for
+# longer than this, unless --force is given.
+CERT_REISSUE_WINDOW_DAYS = 21
+# A domain may only get a certificate if it is delegated to these exact
+# nameservers, i.e. the world resolves it through DevNomads and the DNS-01
+# challenge records we write are actually visible to the CA.
+REQUIRED_NAMESERVERS = (
+    "one.dns.infrapod.nl",
+    "two.dns.infrapod.nl",
+    "three.dns.infrapod.eu",
+)
 class KeyType(str, Enum):
@@ -1386,14 +1398,67 @@ def _load_acme() -> Any:
     return acme
-def _cert_out_dir(out: Path | None, domain: str) -> Path:
-    return out if out is not None else config_dir() / "certs" / domain
+def _cert_dir(domain: str) -> Path:
+    return config_dir() / "certs" / domain
 def _account_key_path() -> Path:
     return config_dir() / "acme" / "account.pem"
+def _our_zone_for(name: str, zone_names: set[str]) -> str | None:
+    """The longest of our zones that the cert identifier ``name`` sits in,
+    or None. A leading ``*.`` wildcard is matched against its base zone."""
+    host = name.lstrip("*.").rstrip(".").lower()
+    best: str | None = None
+    for zone in zone_names:
+        if host == zone or host.endswith(f".{zone}"):
+            if best is None or len(zone) > len(best):
+                best = zone
+    return best
+def _zone_nameservers(zone: str) -> set[str]:
+    """Authoritative NS names for ``zone`` from public DNS, lowercased and
+    without the trailing dot."""
+    import dns.exception
+    import dns.resolver
+    try:
+        answers = dns.resolver.resolve(zone, "NS")
+    except dns.exception.DNSException as exc:
+        raise CliError(f"could not look up nameservers for {zone}: {exc}") from exc
+    return {str(rr.target).rstrip(".").lower() for rr in answers}
+def _assert_dns_authority(state: AppState, identifiers: list[str]) -> None:
+    """Refuse issuance unless every identifier lives in one of our DevNomads
+    zones and that zone is delegated to the required nameservers."""
+    zones = get_client(state).request("GET", "/services/dns/zones")
+    zone_names = {str(z.get("name", "")).rstrip(".").lower() for z in (zones or [])}
+    needed: set[str] = set()
+    for ident in identifiers:
+        zone = _our_zone_for(ident, zone_names)
+        if zone is None:
+            raise CliError(
+                f"'{ident}' is not in any of your DevNomads DNS zones; add the "
+                "zone first (dncli dns zones list shows your zones)"
+            )
+        needed.add(zone)
+    required = set(REQUIRED_NAMESERVERS)
+    for zone in sorted(needed):
+        ns = _zone_nameservers(zone)
+        if ns != required:
+            raise CliError(
+                f"{zone} is not delegated to DevNomads: its nameservers are "
+                f"[{', '.join(sorted(ns)) or 'none'}] but must be exactly "
+                f"[{', '.join(REQUIRED_NAMESERVERS)}]"
+            )
 def _write_cert_files(
     out_dir: Path,
     *,
@@ -1412,22 +1477,70 @@ def _write_cert_files(
         (out_dir / name).write_text(content)
+def _combined_pem(privkey: str, leaf: str, chain: str) -> str:
+    """One PEM bundle: key, then certificate, then intermediate(s)."""
+    parts = [privkey, leaf, chain]
+    return "".join(p if p.endswith("\n") else p + "\n" for p in parts if p)
+def _export_combined_pem(path: Path, *, privkey: str, leaf: str, chain: str) -> None:
+    """Write the combined PEM at 0600, since it embeds the private key."""
+    _write_private(path, _combined_pem(privkey, leaf, chain))
+def _cert_info(cert_path: Path) -> dict[str, Any]:
+    """Summarize a stored leaf certificate for `cert list`."""
+    from datetime import datetime, timezone
+    from cryptography import x509
+    from cryptography.hazmat.primitives.asymmetric import ec, rsa
+    cert = x509.load_pem_x509_certificate(cert_path.read_bytes())
+    try:
+        not_after = cert.not_valid_after_utc
+    except AttributeError:  # cryptography < 42 fallback
+        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
+    days_left = (not_after - datetime.now(timezone.utc)).days
+    try:
+        sans = cert.extensions.get_extension_for_class(
+            x509.SubjectAlternativeName
+        ).value.get_values_for_type(x509.DNSName)
+    except x509.ExtensionNotFound:
+        sans = []
+    pub = cert.public_key()
+    if isinstance(pub, ec.EllipticCurvePublicKey):
+        key_type = f"ecdsa{pub.curve.key_size}"
+    elif isinstance(pub, rsa.RSAPublicKey):
+        key_type = f"rsa{pub.key_size}"
+    else:
+        key_type = type(pub).__name__
+    return {
+        "expires": not_after.strftime("%Y-%m-%d"),
+        "days_left": days_left,
+        "key_type": key_type,
+        "sans": sans,
+    }
 def _issue_certificate(
     state: AppState,
     domain: str,
     *,
     sans: list[str],
-    use_http01: bool,
-    webroot: str | None,
-    standalone: bool,
     email: str | None,
     key_type: str,
     staging: bool,
     out_dir: Path,
+    export_path: Path | None = None,
 ) -> None:
-    """Obtain a certificate for ``domain`` and write it to ``out_dir``."""
+    """Obtain a DNS-01 certificate for ``domain`` and write it to ``out_dir``;
+    optionally also export a single combined PEM to ``export_path``."""
     acme = _load_acme()
+    _assert_dns_authority(state, [domain, *sans])
     directory_url = LE_STAGING_DIRECTORY if staging else acme.DEFAULT_DIRECTORY_URL
     client = acme.AcmeClient(
@@ -1440,46 +1553,37 @@ def _issue_certificate(
     except acme.AcmeError as exc:
         raise CliError(str(exc)) from exc
-    dns_provider = None
-    http01_solver = None
-    if use_http01:
-        if webroot:
-            http01_solver = acme.WebrootSolver(webroot)
-        else:
-            http01_solver = acme.StandaloneSolver()
-        challenge = "http-01"
-    else:
-        dns_provider = acme.DevNomadsDnsProvider(Dns(get_client(state).api))
-        challenge = "dns-01"
+    dns_provider = acme.DevNomadsDnsProvider(Dns(get_client(state).api))
     err_console.print(
-        f"issuing {challenge} certificate for {domain}"
+        f"issuing dns-01 certificate for {domain}"
         + (f" (+{len(sans)} SAN(s))" if sans else "")
         + (" [staging]" if staging else "")
     )
     try:
-        with http01_solver or nullcontext() as solver:
-            leaf, fullchain, chain, key_pem = client.obtain_certificate(
-                domain,
-                challenge,
-                domain_key,
-                sans=sans or None,
-                dns_provider=dns_provider,
-                http01_solver=solver if use_http01 else None,
-            )
+        leaf, fullchain, chain, key_pem = client.obtain_certificate(
+            domain,
+            "dns-01",
+            domain_key,
+            sans=sans or None,
+            dns_provider=dns_provider,
+        )
     except acme.AcmeError as exc:
         raise CliError(str(exc)) from exc
     except DevNomadsError as exc:
         raise CliError(str(exc)) from exc
+    key_text = key_pem.decode() if isinstance(key_pem, bytes) else key_pem
     _write_cert_files(
         out_dir,
-        privkey=key_pem.decode() if isinstance(key_pem, bytes) else key_pem,
+        privkey=key_text,
         cert=leaf,
         fullchain=fullchain,
         chain=chain,
     )
     err_console.print(f"wrote certificate to {out_dir}")
+    if export_path is not None:
+        _export_combined_pem(export_path, privkey=key_text, leaf=leaf, chain=chain)
+        err_console.print(f"exported combined pem to {export_path}")
 @cert_app.command("issue")
@@ -1490,20 +1594,6 @@ def cert_issue(
         list[str] | None,
         typer.Option("--san", "-d", help="Additional SAN; repeat for more."),
     ] = None,
-    dns_01: Annotated[
-        bool, typer.Option("--dns-01", help="Use the DNS-01 challenge (default).")
-    ] = False,
-    http_01: Annotated[
-        bool, typer.Option("--http-01", help="Use the HTTP-01 challenge.")
-    ] = False,
-    webroot: Annotated[
-        str | None,
-        typer.Option("--webroot", help="HTTP-01 webroot directory to write into."),
-    ] = None,
-    standalone: Annotated[
-        bool,
-        typer.Option("--standalone", help="HTTP-01 via a built-in server on :80."),
-    ] = False,
     email: Annotated[
         str | None, typer.Option("--email", help="ACME account contact email.")
     ] = None,
@@ -1518,34 +1608,47 @@ def cert_issue(
     staging: Annotated[
         bool, typer.Option("--staging", help="Use the Let's Encrypt staging CA.")
     ] = False,
+    force: Annotated[
+        bool,
+        typer.Option(
+            "--force",
+            "-f",
+            help="Re-issue even if the current certificate is still valid.",
+        ),
+    ] = False,
     out: Annotated[
         Path | None,
         typer.Option(
-            "--out", help="Output directory (default <config>/certs/<domain>)."
+            "--out",
+            help="Also export a single PEM bundle (key + certificate + "
+            "intermediate) to this file.",
         ),
     ] = None,
 ) -> None:
-    """Issue a TLS certificate for a domain via ACME (Let's Encrypt)."""
+    """Issue a TLS certificate for a domain via ACME (Let's Encrypt, DNS-01)."""
     state = state_from(ctx)
-    if dns_01 and http_01:
-        raise CliError("choose only one of --dns-01 / --http-01")
-    if webroot and standalone:
-        raise CliError("choose only one of --webroot / --standalone")
-    use_http01 = http_01 or bool(webroot) or standalone
-    if dns_01 and use_http01:
-        raise CliError("--dns-01 cannot be combined with HTTP-01 options")
+    out_dir = _cert_dir(domain)
+    cert_path = out_dir / "cert.pem"
+    if (
+        not force
+        and cert_path.is_file()
+        and not _cert_expires_within(cert_path, CERT_REISSUE_WINDOW_DAYS)
+    ):
+        err_console.print(
+            f"{domain}: certificate still valid for more than "
+            f"{CERT_REISSUE_WINDOW_DAYS} days; pass --force to re-issue"
+        )
+        return
     _issue_certificate(
         state,
         domain,
         sans=list(san or []),
-        use_http01=use_http01,
-        webroot=webroot,
-        standalone=standalone,
         email=email,
         key_type=key_type.value,
         staging=staging,
-        out_dir=_cert_out_dir(out, domain),
+        out_dir=out_dir,
+        export_path=out,
     )
@@ -1613,9 +1716,6 @@ def cert_renew(
             state,
             name,
             sans=[],
-            use_http01=False,
-            webroot=None,
-            standalone=False,
             email=email,
             key_type=key_type.value,
             staging=staging,
@@ -1623,6 +1723,70 @@ def cert_renew(
         )
+@cert_app.command("list")
+def cert_list(
+    ctx: typer.Context, sort: SortOption = None, output: OutputOption = None
+) -> None:
+    """List the certificates you have issued and when they expire."""
+    state = state_from(ctx, output)
+    certs_root = config_dir() / "certs"
+    rows = []
+    for cert_dir in sorted(certs_root.glob("*")):
+        cert_path = cert_dir / "cert.pem"
+        if not cert_path.is_file():
+            continue
+        try:
+            info = _cert_info(cert_path)
+        except (OSError, ValueError):
+            continue
+        rows.append({"domain": cert_dir.name, **info})
+    if not rows:
+        err_console.print("[dim]no certificates issued[/]")
+        return
+    render(
+        state,
+        sort_rows(rows, sort),
+        columns=["domain", "expires", "days_left", "key_type", "sans"],
+        title="Certificates",
+    )
+@cert_app.command("export")
+def cert_export(
+    ctx: typer.Context,
+    domain: Annotated[
+        str, typer.Argument(help="Domain of a previously issued certificate.")
+    ],
+    out: Annotated[
+        Path | None,
+        typer.Option(
+            "--out",
+            help="Write the bundle here (0600); omit to print to stdout.",
+        ),
+    ] = None,
+) -> None:
+    """Re-export an issued certificate as one PEM (key + cert + intermediate)."""
+    cert_dir = _cert_dir(domain)
+    privkey = cert_dir / "privkey.pem"
+    leaf = cert_dir / "cert.pem"
+    chain = cert_dir / "chain.pem"
+    if not (privkey.is_file() and leaf.is_file()):
+        raise CliError(
+            f"no certificate for {domain} in {cert_dir}; "
+            "issue one with `dncli cert issue`"
+        )
+    key_text = privkey.read_text()
+    leaf_text = leaf.read_text()
+    chain_text = chain.read_text() if chain.is_file() else ""
+    if out is not None:
+        _export_combined_pem(out, privkey=key_text, leaf=leaf_text, chain=chain_text)
+        err_console.print(f"exported combined pem to {out}")
+    else:
+        sys.stdout.write(_combined_pem(key_text, leaf_text, chain_text))
 # ---------------------------------------------------------------------------
 # Generated commands. tools/generate.py renders one thin command per
 # OpenAPI operation between the markers below, from openapi.json plus

{devnomads_cli-0.4.1 → devnomads_cli-0.5.0}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "devnomads-cli"
-version = "0.4.1"
+version = "0.5.0"
 description = "Manage your DevNomads services from the command line"
 readme = "README.md"
 requires-python = ">=3.10"

{devnomads_cli-0.4.1 → devnomads_cli-0.5.0}/tests/test_cert.py RENAMED Viewed

@@ -39,15 +39,58 @@ def captured(monkeypatch):
     monkeypatch.setattr(acme.AcmeClient, "obtain_certificate", fake_obtain)
     # generate_key touches no network but is slow; keep a tiny stub.
     monkeypatch.setattr(acme, "generate_key", lambda algo: object())
+    # the zone/delegation pre-flight hits the API and public DNS; bypass it
+    # here so these tests focus on issuance behaviour (it has its own tests).
+    monkeypatch.setattr(dncli, "_assert_dns_authority", lambda state, ids: None)
     return calls
+def _write_cert(cert_dir, *, days, with_key_chain=False):
+    """Write a self-signed leaf (and optionally key+chain) into ``cert_dir``,
+    valid until ``days`` from now."""
+    import datetime
+    from cryptography import x509
+    from cryptography.hazmat.primitives import hashes, serialization
+    from cryptography.hazmat.primitives.asymmetric import ec
+    from cryptography.x509.oid import NameOID
+    key = ec.generate_private_key(ec.SECP256R1())
+    now = datetime.datetime.now(datetime.timezone.utc)
+    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.com")])
+    cert = (
+        x509.CertificateBuilder()
+        .subject_name(name)
+        .issuer_name(name)
+        .public_key(key.public_key())
+        .serial_number(x509.random_serial_number())
+        .not_valid_before(now - datetime.timedelta(days=1))
+        .not_valid_after(now + datetime.timedelta(days=days))
+        .add_extension(
+            x509.SubjectAlternativeName([x509.DNSName("example.com")]), critical=False
+        )
+        .sign(key, hashes.SHA256())
+    )
+    cert_dir.mkdir(parents=True, exist_ok=True)
+    (cert_dir / "cert.pem").write_bytes(cert.public_bytes(serialization.Encoding.PEM))
+    if with_key_chain:
+        (cert_dir / "privkey.pem").write_bytes(
+            key.private_bytes(
+                serialization.Encoding.PEM,
+                serialization.PrivateFormat.TraditionalOpenSSL,
+                serialization.NoEncryption(),
+            )
+        )
+        (cert_dir / "chain.pem").write_text("CHAINPEM\n")
+    return cert
 def test_issue_dns01_default_uses_dns_provider(configured, captured, isolated_config):
     result = runner.invoke(app, ["cert", "issue", "example.com"])
     assert result.exit_code == 0, result.output
     assert captured["challenge"] == "dns-01"
     assert captured["kwargs"]["dns_provider"] is not None
-    assert captured["kwargs"]["http01_solver"] is None
     out_dir = dncli.config_dir() / "certs" / "example.com"
     assert (out_dir / "cert.pem").read_text() == LEAF
     assert (out_dir / "fullchain.pem").read_text() == FULLCHAIN
@@ -107,28 +150,18 @@ def test_issue_rejects_unknown_key_type():
     assert "ed25519" in result.output
-def test_issue_http01_webroot_uses_webroot_solver(
-    configured, captured, isolated_config, tmp_path
-):
-    import devnomads.acme as acme
-    webroot = tmp_path / "web"
-    result = runner.invoke(
-        app, ["cert", "issue", "example.com", "--webroot", str(webroot)]
-    )
+def test_issue_is_always_dns01(configured, captured, isolated_config):
+    result = runner.invoke(app, ["cert", "issue", "example.com"])
     assert result.exit_code == 0, result.output
-    assert captured["challenge"] == "http-01"
-    assert captured["kwargs"]["dns_provider"] is None
-    assert isinstance(captured["kwargs"]["http01_solver"], acme.WebrootSolver)
+    assert captured["challenge"] == "dns-01"
+    assert captured["kwargs"]["dns_provider"] is not None
-def test_issue_standalone_uses_standalone_solver(configured, captured, isolated_config):
-    import devnomads.acme as acme
-    result = runner.invoke(app, ["cert", "issue", "example.com", "--standalone"])
-    assert result.exit_code == 0, result.output
-    assert captured["challenge"] == "http-01"
-    assert isinstance(captured["kwargs"]["http01_solver"], acme.StandaloneSolver)
+def test_issue_rejects_http01_options(configured, isolated_config):
+    # HTTP-01 was removed; these flags must no longer be accepted.
+    for flag in (["--http-01"], ["--standalone"], ["--webroot", "/tmp/x"]):
+        result = runner.invoke(app, ["cert", "issue", "example.com", *flag])
+        assert result.exit_code != 0, f"{flag} should be rejected: {result.output}"
 def test_issue_passes_sans(configured, captured, isolated_config):
@@ -154,19 +187,72 @@ def test_issue_staging_switches_directory(configured, captured, isolated_config)
     assert captured["directory_url"] == dncli.LE_STAGING_DIRECTORY
-def test_issue_rejects_both_challenges(configured, isolated_config):
-    result = runner.invoke(
-        app, ["cert", "issue", "example.com", "--dns-01", "--http-01"]
+def test_issue_out_exports_combined_pem(
+    configured, captured, isolated_config, tmp_path
+):
+    out = tmp_path / "bundle.pem"
+    result = runner.invoke(app, ["cert", "issue", "example.com", "--out", str(out)])
+    assert result.exit_code == 0, result.output
+    # the default per-domain dir is still written...
+    default_dir = dncli.config_dir() / "certs" / "example.com"
+    assert (default_dir / "fullchain.pem").read_text() == FULLCHAIN
+    # ...and the combined file has key, then leaf, then intermediate, in order.
+    assert out.read_text() == KEY.decode() + LEAF + CHAIN
+    assert stat.S_IMODE(out.stat().st_mode) == 0o600
+def test_our_zone_for_matches_longest_suffix():
+    zones = {"example.com", "sub.example.com"}
+    assert dncli._our_zone_for("a.sub.example.com", zones) == "sub.example.com"
+    assert dncli._our_zone_for("a.example.com", zones) == "example.com"
+    assert dncli._our_zone_for("*.example.com", zones) == "example.com"
+    assert dncli._our_zone_for("example.com", zones) == "example.com"
+    assert dncli._our_zone_for("other.org", zones) is None
+def test_export_combined_pem_order_and_mode(tmp_path):
+    out = tmp_path / "bundle.pem"
+    dncli._export_combined_pem(out, privkey="KEY\n", leaf="LEAF\n", chain="CHAIN\n")
+    assert out.read_text() == "KEY\nLEAF\nCHAIN\n"
+    assert stat.S_IMODE(out.stat().st_mode) == 0o600
+def _patch_authority(monkeypatch, *, zones, nameservers):
+    class FakeClient:
+        def request(self, method, path):
+            return zones
+    monkeypatch.setattr(dncli, "get_client", lambda state: FakeClient())
+    monkeypatch.setattr(dncli, "_zone_nameservers", lambda zone: set(nameservers))
+def test_assert_dns_authority_accepts_delegated_zone(monkeypatch):
+    _patch_authority(
+        monkeypatch,
+        zones=[{"name": "example.com."}],
+        nameservers=dncli.REQUIRED_NAMESERVERS,
     )
-    assert result.exit_code == 1
-    assert "only one" in result.output
+    dncli._assert_dns_authority(object(), ["example.com", "www.example.com"])
-def test_issue_out_dir_override(configured, captured, isolated_config, tmp_path):
-    out = tmp_path / "mycerts"
-    result = runner.invoke(app, ["cert", "issue", "example.com", "--out", str(out)])
-    assert result.exit_code == 0, result.output
-    assert (out / "fullchain.pem").read_text() == FULLCHAIN
+def test_assert_dns_authority_rejects_foreign_domain(monkeypatch):
+    _patch_authority(
+        monkeypatch,
+        zones=[{"name": "example.com."}],
+        nameservers=dncli.REQUIRED_NAMESERVERS,
+    )
+    with pytest.raises(dncli.CliError):
+        dncli._assert_dns_authority(object(), ["notyours.org"])
+def test_assert_dns_authority_rejects_wrong_nameservers(monkeypatch):
+    _patch_authority(
+        monkeypatch,
+        zones=[{"name": "example.com."}],
+        nameservers={"ns1.other.com", "ns2.other.com"},
+    )
+    with pytest.raises(dncli.CliError):
+        dncli._assert_dns_authority(object(), ["example.com"])
 def test_load_acme_import_error_message(monkeypatch):
@@ -252,3 +338,77 @@ def test_renew_reissues_expiring_cert(configured, captured, isolated_config):
     assert result.exit_code == 0, result.output
     assert captured["challenge"] == "dns-01"
     assert (out_dir / "fullchain.pem").read_text() == FULLCHAIN
+def test_issue_skips_when_valid_beyond_window(configured, captured, isolated_config):
+    _write_cert(dncli.config_dir() / "certs" / "example.com", days=60)
+    result = runner.invoke(app, ["cert", "issue", "example.com"])
+    assert result.exit_code == 0, result.output
+    assert "still valid" in result.output
+    assert "challenge" not in captured  # obtain_certificate was not called
+def test_issue_force_reissues_valid_cert(configured, captured, isolated_config):
+    _write_cert(dncli.config_dir() / "certs" / "example.com", days=60)
+    result = runner.invoke(app, ["cert", "issue", "example.com", "--force"])
+    assert result.exit_code == 0, result.output
+    assert captured["challenge"] == "dns-01"
+def test_issue_reissues_when_within_window(configured, captured, isolated_config):
+    _write_cert(dncli.config_dir() / "certs" / "example.com", days=10)
+    result = runner.invoke(app, ["cert", "issue", "example.com"])
+    assert result.exit_code == 0, result.output
+    assert captured["challenge"] == "dns-01"
+def test_cert_list_shows_issued(configured, isolated_config):
+    import json
+    _write_cert(dncli.config_dir() / "certs" / "example.com", days=45)
+    result = runner.invoke(app, ["cert", "list", "-o", "json"])
+    assert result.exit_code == 0, result.output
+    rows = json.loads(result.output)
+    assert rows[0]["domain"] == "example.com"
+    assert rows[0]["days_left"] >= 40
+    assert rows[0]["key_type"] == "ecdsa256"
+    assert "example.com" in rows[0]["sans"]
+def test_cert_list_empty(isolated_config):
+    result = runner.invoke(app, ["cert", "list"])
+    assert result.exit_code == 0, result.output
+    assert "no certificates" in result.output
+def test_cert_export_to_file(configured, isolated_config, tmp_path):
+    _write_cert(
+        dncli.config_dir() / "certs" / "example.com", days=30, with_key_chain=True
+    )
+    out = tmp_path / "bundle.pem"
+    result = runner.invoke(app, ["cert", "export", "example.com", "--out", str(out)])
+    assert result.exit_code == 0, result.output
+    text = out.read_text()
+    # order: private key, then leaf certificate, then intermediate
+    assert (
+        text.index("EC PRIVATE KEY")
+        < text.index("CERTIFICATE")
+        < text.index("CHAINPEM")
+    )
+    assert stat.S_IMODE(out.stat().st_mode) == 0o600
+def test_cert_export_to_stdout(configured, isolated_config):
+    _write_cert(
+        dncli.config_dir() / "certs" / "example.com", days=30, with_key_chain=True
+    )
+    result = runner.invoke(app, ["cert", "export", "example.com"])
+    assert result.exit_code == 0, result.output
+    assert "BEGIN CERTIFICATE" in result.stdout
+    assert "CHAINPEM" in result.stdout
+def test_cert_export_missing(isolated_config):
+    result = runner.invoke(app, ["cert", "export", "nope.com"])
+    assert result.exit_code != 0
+    assert "no certificate" in result.output