Typo "turaround"

* Test multiple zone records (@, foo, *.foo)
* Use random _acme-challenge-xxxx

.prettierrc

@@ -0,0 +1,8 @@
+{
+  "bracketSpacing": true,
+  "printWidth": 80,
+  "singleQuote": true,
+  "tabWidth": 2,
+  "trailingComma": "none",
+  "useTabs": true
+}

LICENSE

@@ -0,0 +1,375 @@
+Copyright 2019 AJ ONeal
+
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.

README.md

@@ -1,92 +1,445 @@
-# [greenlock-challenge-test](https://git.coolaj86.com/coolaj86/greenlock-challenge-test.js.git)
+# Let's Encrypt + DNS = [acme-dns-01-test](https://git.rootprojects.org/root/acme-dns-01-test.js.git)
 
-| A [Root](https://rootprojects.org) Project |
+| Built by [Root](https://rootprojects.org) for [Hub](https://rootprojects.org/hub/)
 
-The test harness you should use when writing an ACME challenge strategy
+An ACME dns-01 test harness for Let's Encrypt integrations.
-for [Greenlock](https://git.coolaj86.com/coolaj86/greenlock-express.js) v2.7+ (and v3).
 
-All implementations MUST pass these tests, which is a very easy thing to do (just `set()`, `get()`, and `remove()`).
+| [ACME HTTP-01](https://git.rootprojects.org/root/acme-http-01-test.js)
+| [ACME DNS-01](https://git.rootprojects.org/root/acme-dns-01-test.js)
+| [Greenlock Express](https://git.rootprojects.org/root/greenlock-express.js)
+| [Greenlock.js](https://git.rootprojects.org/root/greenlock.js)
+| [ACME.js](https://git.rootprojects.org/root/acme.js)
 
-The tests account for single-domain certificates (`example.com`) as well as multiple domain certs (SAN / AltName),
+This was specificially designed for [ACME.js](https://git.coolaj86.com/coolaj86/acme-v2.js)
-wildcards (`*.example.com`), and valid private / localhost certificates. As someone creating a challenge strategy
+and [Greenlock.js](https://git.coolaj86.com/coolaj86/greenlock-express.js),
-that's not something you have to take special consideration for - just pass the tests.
+but will be generically useful to any JavaScript DNS plugin for Let's Encrypt.
-
-## Install
 
 ```bash
-npm install --save-dev greenlock-challenge-test@3.x
+npm install --save-dev acme-dns-01-test@3.x
 ```
 
-## Usage
+<!--
+
+```bash
+npx acme-dns-01-test --module /path/to/module.js --foo-user --bar--token
+```
+
+-->
+
+# How Let's Encrypt works with DNS
+
+In order to validate **wildcard**, **localhost**, and **private domains** through Let's Encrypt,
+you must use set some special TXT records in your domain's DNS.
+
+This is called the **ACME DNS-01 Challenge**
+
+For example:
+
+```txt
+dig TXT example.com
+
+;; QUESTION SECTION:
+;_acme-challenge.example.com.		IN	TXT
+
+;; ANSWER SECTION:
+_acme-challenge.example.com.	300	IN	TXT	"xxxxxxx"
+_acme-challenge.example.com.	300	IN	TXT	"xxxxxxx"
+```
+
+## ACME DNS-01 Challenge Process
+
+The ACME DNS-01 Challenge process works like this:
+
+1. The ACME client order's an SSL Certificate from Let's Encrypt
+2. Let's Encrypt asks for validation of the domains on the certificate
+3. The ACME client asks to use DNS record verification
+4. Let's Encrypt gives a DNS authorization token
+5. The ACME client manipulates the token and sets TXT record with the result
+6. Let's Encrypt checks the TXT record from DNS clients in diverse locations
+7. The ACME client gets a certificate if the validate passes
+
+# Using a Let's Encrypt DNS plugin
+
+Each plugin will define some options, such as an api key, or username and password
+that are specific to that plugin.
+
+Other than that, they're all used the same.
+
+## ACME.js + Let's Encrypt DNS-01
+
+This is how an ACME challenge module is with ACME.js:
 
 ```js
-var tester = require('greenlock-challenge-test');
+acme.certificates.create({
-
+	accountKey,
-//var challenger = require('greenlock-challenge-http').create({});
+	csr,
-//var challenger = require('greenlock-challenge-dns').create({});
+	domains,
-var challenger = require('./YOUR-CHALLENGE-STRATEGY').create({});
+	challenges: {
-
+		'dns-01': require('acme-dns-01-MODULE_NAME').create({
-// The dry-run tests can pass on, literally, 'example.com'
+			fooUser: 'A_PLUGIN_SPECIFIC_OPTION',
-// but the integration tests require that you have control over the domain
+			barToken: 'A_PLUGIN_SPECIFIC_OPTION'
-var domain = 'example.com';
+		})
-
+	}
-tester.test('http-01', domain, challenger).then(function () {
-  console.info("PASS");
 });
 ```
 
+## Greenlock + Let's Encrypt DNS-01
+
+This is how modules are used with Greenlock / Greenlock Express
+
+**Global** default:
+
+```js
+greenlock.manager.defaults({
+	challenges: {
+		'dns-01': {
+			module: 'acme-dns-01-_MODULE_NAME',
+			fooUser: 'A_PLUGIN_SPECIFIC_OPTION',
+			barToken: 'A_PLUGIN_SPECIFIC_OPTION'
+		}
+	}
+});
+```
+
+**Per-Site** config:
+
+```js
+greenlock.add({
+	subject: 'example.com',
+	altnames: ['example.com', '*.example.com', 'foo.bar.example.com'],
+	challenges: {
+		'dns-01': {
+			module: 'acme-dns-01-YOUR_MODULE_NAME',
+			fooUser: 'A_PLUGIN_SPECIFIC_OPTION',
+			barToken: 'A_PLUGIN_SPECIFIC_OPTION'
+		}
+	}
+});
+```
+
+# The Easy Way to Build a Plugin
+
+This repo includes **unit test suite** which makes it _very_ easy to create a plugin.
+
+You can start with a **template file** that will fail all of the tests, and just
+build until you pass all of the tests.
+
+After that, you can **test the Greenlock CLI** to see if
+you actually get a valid SSL certificate.
+
 ## Overview
 
+There are only a few methods to implement - just basic CRUD operations.
+
+For most serivices these are very simple to implement
+(see the **reference implementations** down below).
+
+Some enterprise-y services are more difficult as they may have special
+rules about zones (Google Cloud) or intricate authentication schemes (AWS).
+
+```
+init({ request })
+
+zones({ dnsHosts })
+
+set({ challenge: { dnsZone, dnsPrefix, dnsHost, keyAuthorizationDigest } })
+
+get({ challenge: { dnsZone, dnsPrefix, dnsHost, keyAuthorizationDigest } })
+
+remove({ challenge: { dnsZone, dnsPrefix, dnsHost, keyAuthorizationDigest } })
+```
+
+## Plugin Outline
+
+This is an even better starter template below,
+but this outline shows the bare bones of a plugin.
+
+```
+'use strict';
+
+var MyModule = module.exports;
+
+MyModule.create = function (options) {
+
+    var m = {};
+
+    m.init = async function ({ request }) {
+        // (optional) initialize your module
+    }
+
+    m.zones = async function ({ dnsHosts }) {
+        // return a list of "Zones" or "Apex Domains" (i.e. example.com, NOT foo.example.com)
+    }
+
+    m.set = async function ({ challenge: { dnsZone, dnsPrefix, dnsHost, keyAuthorizationDigest } }) {
+        // set a TXT record for dnsHost with keyAuthorizationDigest as the value
+    }
+
+    m.get = async function ({ challenge: { dnsZone, dnsPrefix, dnsHost, keyAuthorizationDigest } }) {
+        // check that the EXACT a TXT record that was set, exists, and return it
+    }
+
+    m.remove = async function ({ challenge: { dnsZone, dnsPrefix, dnsHost, keyAuthorizationDigest } }) {
+        // remove the exact TXT record that was set
+    }
+
+    return m;
+}
+```
+
+## Using the Test Suite
+
+Test setup:
+
 ```js
-tester.test('http-01', 'example.com', {
+var tester = require('acme-dns-01-test');
-  set: function (opts) {
+var YOUR_PLUGIN = require('./YOUR-CHALLENGE-STRATEGY');
-    var ch = opts.challenge;
-    // { type: 'http-01' // or 'dns-01'
-    // , identifier: { type: 'dns', value: 'example.com' }
-    // , wildcard: false
-    // , token: 'xxxx'
-    // , keyAuthorization: 'xxxx.yyyy'
-    // , dnsHost: '_acme-challenge.example.com'
-    // , dnsAuthorization: 'zzzz' }
 
-    return API.set(...);
+var challenger = YOUR_PLUGIN.create({
-  }
+	YOUR_TOKEN_OPTION: 'SOME_API_KEY'
-, get: function (query) {
-    var ch = query.challenge;
-    // { type: 'http-01' // or 'dns-01', 'tls-alpn-01', etc
-    // , identifier: { type: 'dns', value: 'example.com' }
-    //   // http-01 only
-    // , token: 'xxxx'
-    // , url: '...' // for testing and debugging
-    //   // dns-01 only, for testing / dubgging
-    // , altname: '...'
-    // , dnsHost: '...'
-    // , wildcard: false }
-    // Note: query.identifier.value is different for http-01 than for dns-01
-
-    return API.get(...).then(function (secret) {
-      // http-01
-      return { keyAuthorization: secret };
-      // dns-01
-      //return { dnsAuthorization: secret };
-    });
-  }
-, remove: function (opts) {
-    var ch = opts.challenge;
-    // same options as in `set()` (which are not the same as `get()`
-
-    return API.remove(...);
-  }
-}).then(function () {
-  console.info("PASS");
 });
 ```
 
-Note: The `API.get()`, `API.set()`, and `API.remove()` is where you do your magic up to upload a file to the correct
+Run the tests:
-location on an http serever, set DNS records, or add the appropriate data to the database that handles such things.
 
-## Example
+```
+var zone = 'example.com';
+
+tester.testZone('dns-01', zone, challenger).then(function() {
+	console.info('PASS');
+});
+```
+
+**Note**: Special DNS services, like **DuckDNS**, only give you a **single sub-domain**,
+not a full "zone". You can test them too:
+
+Some DNS services, such as **DuckDNS**, only give you a **single sub-domain**,
+not not _multiple_ records in a zone. Testing them is slightly different:
+
+```js
+var record = 'foo.example.com';
+
+tester.testRecord('dns-01', record, challenger).then(function() {
+	console.info('PASS');
+});
+```
+
+## Reference Implementations
+
+- Compatibility
+  - [x] Let's Encrypt v2.1 / ACME draft 18
+  - [x] Node v6+
+  - [x] Chrome, Firefox, Safari, Edge, etc
+- Quality
+  - [x] Written in VanillaJS
+  - [x] No compliers or build scripts
+  - [x] Simple, minimal code, in a single file
+  - [x] **Zero dependencies**
+
+These libraries are useful as a model for any plugins that you create.
+
+- dns-01
+  - [`cli`](https://git.rootprojects.org/root/acme-dns-01-cli.js)
+  - [`digitalocean`](https://git.rootprojects.org/root/acme-dns-01-digitalocean.js)
+  - [`vultr`](https://git.rootprojects.org/root/acme-dns-01-vultr.js)
+  - [`gandi`](https://git.rootprojects.org/root/acme-dns-01-gandi.js)
+  - [`duckdns`](https://git.rootprojects.org/root/acme-dns-01-duckdns.js)
+- http-01
+  - [`cli`](https://git.rootprojects.org/root/acme-http-01-cli.js)
+  - [`fs`](https://git.rootprojects.org/root/acme-http-01-fs.js)
+
+You can find other implementations by searching npm for [acme-http-01-](https://www.npmjs.com/search?q=acme-http-01-)
+and [acme-dns-01-](https://www.npmjs.com/search?q=acme-dns-01-).
+
+If you are building a plugin, please let us know.
+We may like to co-author and help maintain and promote your module.
+
+<small>Note: In some cases (such as non-HTTP, or very complex APIs) you will not be able to maintain
+browser compatibility. Other than than, if you keep your code simple, it will also work in browser
+implementations of ACME.js.</small>
+
+# Example
 
 See `example.js` (it works).
 
-Will post reference implementations here later...
+## Starter Template
+
+Here's what you could start with.
+
+```js
+var tester = require('acme-dns-01-test');
+
+// The dry-run tests can pass on, literally, 'example.com'
+// but the integration tests require that you have control over the domain
+var zone = 'example.com';
+var deps = {};
+
+tester
+	.testZone('dns-01', zone, {
+		// Gives you the promisified `request` object for HTTP APIs
+		init: function(deps) {
+			request = deps.request;
+			return null;
+		},
+
+		// Should return an array of zone domain name strings
+		// (APIs that don't implement zones, such as DuckDNS, should return an empty array)
+		zones: function(opts) {
+			console.log('dnsHosts:', opts.dnsHosts);
+			throw new Error('_zone not implemented');
+		},
+
+		// Should set a TXT record for dnsHost with dnsAuthorization and ttl || 300
+		set: function(opts) {
+			console.log('set opts:', opts);
+			throw new Error('set not implemented');
+		},
+
+		// Should remove the *one* TXT record for dnsHost with dnsAuthorization
+		// Should NOT remove otherrecords for dnsHost (wildcard shares dnsHost with
+		// non-wildcard)
+		remove: function(opts) {
+			console.log('remove opts:', opts);
+			throw new Error('remove not implemented');
+		},
+
+		// Should get the record via the DNS server's API
+		// (Note: gets different options than set or remove)
+		get: function(opts) {
+			console.log('get opts:', opts);
+			throw new Error('get not implemented');
+		}
+	})
+	.then(function() {
+		console.info('PASS');
+	});
+```
+
+## Full Detailed Example
+
+Here's a quick pseudo stub-out of what a test-passing plugin object might look like:
+
+```js
+var deps = {};
+
+tester
+	.testZone('dns-01', 'example.com', {
+		init: function({ request }) {
+			// { request: { get, post, put, delete } }
+
+			deps.request = request;
+			return null;
+		},
+
+		zones: function({ dnsHosts }) {
+			// { dnsHosts: [
+			//     '_acme-challenge.foo.example.com',
+			//     '_acme-challenge.bar.example.com'
+			//  ] }
+
+			return YourApi(
+				'GET',
+				// Most Domain Zone apis don't have a search or filter option,
+				// but `opts` includes list of dnsHosts is provided just in case.
+				'https://exampledns.com/api/dns/zones?search=' + opts.dnsHosts.join(',')
+			).then(function(result) {
+				return result.zones.map(function(zone) {
+					return zone.name;
+				});
+			});
+		},
+
+		set: function(opts) {
+			var ch = opts.challenge;
+			// { type: 'dns-01'
+			// , identifier: { type: 'dns', value: 'foo.example.com' }
+			// , wildcard: false
+			// , dnsHost: '_acme-challenge.foo.example.com'
+			// , dnsPrefix: '_acme-challenge.foo'
+			// , dnsZone: 'example.com'
+			// , dnsAuthorization: 'zzzz' }
+
+			return YourApi(
+				'POST',
+				'https://exampledns.com/api/dns/txt/' + ch.dnsZone + '/' + ch.dnsPrefix,
+				{ value: ch.dnsAuthorization }
+			);
+		},
+
+		get: function(query) {
+			var ch = query.challenge;
+			// { type: 'dns-01'
+			// , identifier: { type: 'dns', value: 'foo.example.com' }
+			// , altname: '...'
+			// , dnsHost: '...'
+			// , wildcard: false }
+			// Note: query.identifier.value is different for http-01 than for dns-01
+			//       because of how a DNS query is different from an HTTP request
+
+			return YourApi(
+				'GET',
+				'https://exampledns.com/api/dns/txt/' + ch.dnsZone + '/' + ch.dnsPrefix
+			).then(function(secret) {
+				return { dnsAuthorization: secret };
+			});
+		},
+
+		remove: function(opts) {
+			var ch = opts.challenge;
+			// same options as in `set()` (which are not the same as `get()`
+
+			return YourApi(
+				'DELETE',
+				'https://exampledns.com/api/dns/txt/' + ch.dnsZone + '/' + ch.dnsPrefix
+			);
+		}
+	})
+	.then(function() {
+		console.info('PASS');
+	});
+```
+
+Where `YourApi` might look something like this:
+
+```js
+var YourApi = function createApi(config) {
+	return function(method, url, body) {
+		return request({
+			method: method,
+			url: url,
+			json: body || true,
+			headers: {
+				Authorization: 'Bearer ' + config.apiToken
+			}
+		}).then(function(resp) {
+			return resp.body;
+		});
+	};
+};
+```
+
+Note: `request` is actually `@root/request`, but the API is the same as the standard `request`.
+
+Avoid using 3rd party API libraries where you can - they tend to bloat your dependencies and
+add security risk. Instead, just use the API documentation and cURL examples.
+
+### Two notes:
+
+Note 1:
+
+The `API.get()`, `API.set()`, and `API.remove()` is where you do your magic up to upload a file to the correct
+location on an http serever, set DNS records, or add the appropriate data to the database that handles such things.
+
+Note 2:
+
+- When `altname` is `foo.example.com` the `dnsHost` will be `_acme-challenge.foo.example.com`
+- When `altname` is `*.foo.example.com` the `dnsHost` will _still_ be `_acme-challenge.foo.example.com`!!
+- When `altname` is `bar.foo.example.com` the `dnsHost` will be `_acme-challenge.bar.foo.example.com`
+
+# We Build Let's Encrypt Plugins for You
+
+Want to get the experts involved? [Contact Root](acme-plugins@therootcompany.com)
+
+We can take it on ourselves, work within your team, or guide an outsourced team.
+
+Turnaround is typically a few days for simple modules with publicly available APIs.

example.js

@@ -1,24 +1,26 @@
 'use strict';
 
-//var tester = require('greenlock-challenge-test');
+//var tester = require('acme-dns-01-test');
 var tester = require('./');
 
-var type = 'http-01';
+var type = 'dns-01';
-var challenger = require('greenlock-challenge-http').create({});
+var challenger = require('acme-dns-01-cli').create({});
-//var type = 'dns-01';
-//var challenger = require('greenlock-challenge-dns').create({});
-//var challenger = require('./YOUR-CHALLENGE-STRATEGY').create({});
-//var type = 'YOUR-TYPE-01';
 
 // The dry-run tests can pass on, literally, 'example.com'
 // but the integration tests require that you have control over the domain
-var domain = 'example.com';
+var zone = 'example.com';
-//var domain = '*.example.com';
 
-tester.test(type, domain, challenger).then(function () {
+tester
-  console.info("PASS");
+	// Will test these domain records
-}).catch(function (err) {
+	// - example.com
-  console.error("FAIL");
+	// - foo.example.com
-  console.error(err);
+	// - *.foo.example.com
-  process.exit(20);
+	.testZone(type, zone, challenger)
-});
+	.then(function() {
+		console.info('ALL PASSED');
+	})
+	.catch(function(err) {
+		console.error('FAIL');
+		console.error(err);
+		process.exit(20);
+	});

index.js

@@ -1,171 +1,3 @@
 'use strict';
-/*global Promise*/
-var crypto = require('crypto');
 
-module.exports.create = function () {
+module.exports = require('acme-challenge-test');
-  throw new Error("greenlock-challenge-test is a test fixture for greenlock-challenge-* plugins, not a plugin itself");
-};
-
-// ignore all of this, it's just to normalize Promise vs node-style callback thunk vs synchronous
-function promiseCheckAndCatch(obj, name) {
-  var promisify = require('util').promisify;
-  // don't loose this-ness, just in case that's important
-  var fn = obj[name].bind(obj);
-  var promiser;
-
-  // function signature must match, or an error will be thrown
-  if (1 === fn.length) {
-    // wrap so that synchronous errors are caught (alsa handles synchronous results)
-    promiser = function (opts) {
-      return Promise.resolve().then(function () {
-        return fn(opts);
-      });
-    };
-  } else if (2 === fn.length) {
-    // wrap as a promise
-    promiser = promisify(fn);
-  } else {
-    return Promise.reject(new Error("'challenge." + name + "' should accept either one argument, the options,"
-      + " and return a Promise or accept two arguments, the options and a node-style callback thunk"));
-  }
-
-  function shouldntBeNull(result) {
-    if ('undefined' === typeof result) {
-      throw new Error("'challenge.'" + name + "' should never return `undefined`. Please explicitly return null"
-        + " (or fix the place where a value should have been returned but wasn't).");
-    }
-    return result;
-  }
-
-  return function (opts) {
-    return promiser(opts).then(shouldntBeNull);
-  };
-}
-
-// Here's the meat, where the tests are happening:
-function run(challenger, opts) {
-  var ch = opts.challenge;
-  if ('http-01' === ch.type && ch.wildname) {
-    throw new Error("http-01 cannot be used for wildcard domains");
-  }
-
-  var set = promiseCheckAndCatch(challenger, 'set');
-  if ('function' !== typeof challenger.get) {
-    throw new Error("'challenge.get' should be implemented for the sake of testing."
-      + " It should be implemented as the internal method for fetching the challenge"
-      + " (i.e. reading from a database, file system or API, not return internal),"
-      + " not the external check (the http call, dns query, etc), which will already be done as part of this test.");
-  }
-  var get = promiseCheckAndCatch(challenger, 'get');
-  var remove = promiseCheckAndCatch(challenger, 'remove');
-
-  // The first time we just check it against itself
-  // this will cause the prompt to appear
-  return set(opts).then(function () {
-    // this will cause the final completion message to appear
-    // _test is used by the manual cli reference implementations
-    var query = { type: ch.type, /*debug*/ status: ch.status, _test: true };
-    if ('http-01' === ch.type) {
-      query.identifier = ch.identifier;
-      query.token = ch.token;
-      // For testing only
-      query.url = ch.token;
-    } else if ('dns-01' === ch.type) {
-      query.identifier = { type: 'dns', value: ch.dnsHost };
-      // For testing only
-      query.altname = ch.altname;
-      // there should only be two possible TXT records per challenge domain:
-      // one for the bare domain, and the other if and only if there's a wildcard
-      query.wildcard = ch.wildcard;
-    } else {
-      query = JSON.parse(JSON.stringify(ch));
-      query.comment = "unknown challenge type, supplying everything";
-    }
-    return get({ challenge: query }).then(function (secret) {
-      if ('string' === typeof secret) {
-        console.info("secret was passed as a string, which works historically, but should be an object instead:");
-        console.info('{ "keyAuthorization": "' + secret + '" }');
-        console.info("or");
-        // TODO this should be "keyAuthorizationDigest"
-        console.info('{ "dnsAuthorization": "' + secret + '" }');
-        console.info("This is to help keep greenlock (and associated plugins) future-proof for new challenge types");
-      }
-      // historically 'secret' has been a string, but I'd like it to transition to be an object.
-      // to make it backwards compatible in v2.7 to change it,
-      // so I'm not sure that we really need to.
-      if ('http-01' === ch.type) {
-        secret = secret.keyAuthorization || secret;
-        if (ch.keyAuthorization !== secret) {
-          throw new Error("http-01 challenge.get() returned '" + secret + "', which does not match the keyAuthorization"
-            + " saved with challenge.set(), which was '" + ch.keyAuthorization + "'");
-        }
-      } else if ('dns-01' === ch.type) {
-        secret = secret.dnsAuthorization || secret;
-        if (ch.dnsAuthorization !== secret) {
-          throw new Error("dns-01 challenge.get() returned '" + secret + "', which does not match the dnsAuthorization"
-            + " (keyAuthDigest) saved with challenge.set(), which was '" + ch.dnsAuthorization + "'");
-        }
-      } else {
-        if ('tls-alpn-01' === ch.type) {
-          console.warn("'tls-alpn-01' support is in development"
-            + " (or developed and we haven't update this yet). Please contact us.");
-        } else {
-          console.warn("We don't know how to test '" + ch.type + "'... are you sure that's a thing?");
-        }
-        secret = secret.keyAuthorization || secret;
-        if (ch.keyAuthorization !== secret) {
-          console.warn("The returned value doesn't match keyAuthorization", ch.keyAuthorization, secret);
-        }
-      }
-    }).then(function () {
-      return remove(opts).then(function () {
-        return get(opts).then(function (result) {
-          if (result) {
-            throw new Error("challenge.remove() should have made it not possible for challenge.get() to return a value");
-          }
-          if (null !== result) {
-            throw new Error("challenge.get() should return null when the value is not set");
-          }
-        });
-      });
-    });
-  }).then(function () {
-    console.info("All soft tests: PASS");
-    console.warn("Hard tests (actually checking http URLs and dns records) is implemented in acme-v2.");
-    console.warn("We'll copy them over here as well, but that's a TODO for next week.");
-  });
-}
-
-module.exports.test = function (type, altname, challenger) {
-  var expires = new Date(Date.now() + (10*60*1000)).toISOString();
-  var token = crypto.randomBytes(8).toString('hex');
-  var thumb = crypto.randomBytes(16).toString('hex');
-  var keyAuth = token + '.' + crypto.randomBytes(16).toString('hex');
-  var dnsAuth = crypto.createHash('sha256').update(keyAuth).digest('base64')
-    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-
-  var challenge = {
-    type: type
-  , identifier: { type: 'dns', value: null }  // completed below
-  , wildcard: false                           // completed below
-  , status: 'pending'
-  , expires: expires
-  , token: token
-  , thumbprint: thumb
-  , keyAuthorization: keyAuth
-  , url: null                                 // completed below
-  , dnsHost: '_acme-challenge.'               // completed below
-  , dnsAuthorization: dnsAuth
-  , altname: altname
-  , _test: true                               // used by CLI referenced implementations
-  };
-  if ('*.' === altname.slice(0, 2)) {
-    challenge.wildcard = true;
-    altname = altname.slice(2);
-  }
-  challenge.identifier.value = altname;
-  challenge.url = 'http://' + altname + '/.well-known/acme-challenge/' + challenge.token;
-  challenge.dnsHost += altname;
-
-  return run(challenger, { challenge: challenge });
-};

package-lock.json

@@ -0,0 +1,25 @@
+{
+	"name": "acme-dns-01-test",
+	"version": "3.3.1",
+	"lockfileVersion": 1,
+	"requires": true,
+	"dependencies": {
+		"@root/request": {
+			"version": "1.3.11",
+			"resolved": "https://registry.npmjs.org/@root/request/-/request-1.3.11.tgz",
+			"integrity": "sha512-3a4Eeghcjsfe6zh7EJ+ni1l8OK9Fz2wL1OjP4UCa0YdvtH39kdXB9RGWuzyNv7dZi0+Ffkc83KfH0WbPMiuJFw=="
+		},
+		"acme-challenge-test": {
+			"version": "3.3.1",
+			"resolved": "https://registry.npmjs.org/acme-challenge-test/-/acme-challenge-test-3.3.1.tgz",
+			"integrity": "sha512-y7iCHb70hWuFgPvtAWwQd1sz9I2Atu+6PKhN5sIIfqDhkg/sVmlxAVKXn6/SBx9TSrP50xHtiAnMkmt+umemDw==",
+			"requires": {
+				"@root/request": "^1.3.11"
+			}
+		},
+		"acme-dns-01-cli": {
+			"version": "3.1.0",
+			"dev": true
+		}
+	}
+}

package.json

@@ -1,27 +1,36 @@
 {
-  "name": "greenlock-challenge-test",
+	"name": "acme-dns-01-test",
-  "version": "3.0.0",
+	"version": "3.3.2",
-  "description": "The base set of tests for all ACME challenge strategies. Any `greenlock-challenge-` plugin should be able to pass these tests.",
+	"description": "ACME dns-01 tests for Let's Encrypt integration. Any `acme-dns-01-` plugin should be able to pass these tests.",
-  "main": "index.js",
+	"main": "index.js",
-  "dependencies": {},
+	"homepage": "https://git.rootprojects.org/root/acme-dns-01-test.js",
-  "devDependencies": {},
+	"files": [
-  "scripts": {
+		"example.js",
-    "test": "node example.js"
+		"lib"
-  },
+	],
-  "repository": {
+	"dependencies": {
-    "type": "git",
+		"acme-challenge-test": "^3.3.1"
-    "url": "https://git.coolaj86.com/coolaj86/greenlock-challenge-test.js.git"
+	},
-  },
+	"devDependencies": {
-  "keywords": [
+		"acme-dns-01-cli": "^3.1.0"
-    "Let's Encrypt",
+	},
-    "ACME",
+	"scripts": {
-    "http-01",
+		"test": "node example.js"
-    "dns-01",
+	},
-    "challenge",
+	"repository": {
-    "plugin",
+		"type": "git",
-    "module",
+		"url": "https://git.rootprojects.org/root/acme-dns-01-test.js.git"
-    "strategy"
+	},
-  ],
+	"keywords": [
-  "author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)",
+		"Let's Encrypt",
-  "license": "MPL-2.0"
+		"ACME",
+		"dns-01",
+		"challenge",
+		"plugin",
+		"module",
+		"strategy",
+		"greenlock"
+	],
+	"author": "AJ ONeal <solderjs@gmail.com> (https://solderjs.com/)",
+	"license": "MPL-2.0"
 }