
Sync with upstream go-acme/lego v4.33.0 and fix vulnerabilities#3

Merged
suhail-sullad merged 34 commits into master from fix_vulnerability_and_update_upstream on Mar 26, 2026

Conversation

@suhail-sullad
Collaborator

Summary

  • Synced with upstream go-acme/lego through v4.33.0 (b682f849) — 30 new upstream commits merged
  • Fixed 16 govulncheck vulnerabilities by bumping Go directive and golang.org/x/net
  • Preserved all DigiCert-specific customizations (BlueCat Micetro provider, raw keyAuth, enhanced cleanup logic)

New DNS Providers Added (from upstream)

  • ArtFiles, Czechia (CZ.NIC), EuroDNS, Excedo, FusionLayer NameSurfer, Leaseweb, Netnod, 1cloud.ru

Upstream Bug Fixes Merged

Vulnerability Fixes

  • go directive bumped from 1.24.0 to 1.25.0 (fixes 13 stdlib vulns in crypto/tls, crypto/x509, net/http, net/url, encoding/asn1, encoding/pem, os/exec)
  • golang.org/x/net upgraded from v0.50.0 to v0.51.0 (fixes GO-2026-4559: HTTP/2 server panic)

DigiCert Changes Preserved

  • ✅ Module path: github.com/digicert/lego/v4
  • ✅ BlueCat Micetro DNS provider (providers/dns/bluecatmicetro/)
  • ✅ Raw keyAuth in GetChallengeInfo() (intentional ACME deviation)
  • ✅ Enhanced enumerate-then-delete cleanup in DigitalOcean, OVH, DreamHost, GoDaddy
  • ✅ Debug fmt.Printf statements in provider cleanup functions

Test plan

  • go build ./... — full codebase compiles
  • go test ./providers/dns/bluecatmicetro/... — 4/4 tests pass
  • go test -run TestGetChallengeInfo ./challenge/dns01/ — 3/3 tests pass
  • govulncheck ./... — vulnerabilities identified and addressed
  • Full CI pipeline validation

🤖 Generated with Claude Code

ldez and others added 30 commits January 22, 2026 05:10
…o-acme#2830)

Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>
Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>
Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>
Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>
suhail-sullad and others added 3 commits March 25, 2026 14:52
Merged 30 upstream commits adding:
- 8 new DNS providers: ArtFiles, Czechia, EuroDNS, Excedo, FusionLayer
  NameSurfer, Leaseweb, Netnod, 1cloud.ru
- allinkl: factorize findZone (upstream fix)
- alidns: add line record option
- liara: add support for team ID
- safedns: rename UKFast SafeDNS to ANS SafeDNS
- gigahostno: remove unused Zone fields
- timewebcloud: fix subdomain support
- fix: deduplicate authz for DNS01 challenge
- fix: implement Retry-After header parsing per RFC 7231
- fix: use IPs to define the main domain
- fix: preserve domain order
- feat: allow Unwrap of obtainError

Preserved all DigiCert-specific customizations:
- Module path: github.com/digicert/lego/v4 (bulk-replaced in new files)
- BlueCat Micetro DNS provider (providers/dns/bluecatmicetro/)
- Raw keyAuth in GetChallengeInfo (intentional ACME deviation)
- Enhanced enumerate-then-delete cleanup in DigitalOcean, OVH, DreamHost, GoDaddy
- Debug fmt.Printf statements in provider cleanup functions
- Updated dns_challenge_test.go expectations to match raw keyAuth behavior
- Restored bluecatmicetro import in zz_gen_dns_providers.go

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Addresses govulncheck findings:
- go 1.24.13: fixes GO-2026-4337, GO-2026-4340, GO-2026-4341,
  GO-2025-3956, GO-2025-4007 through GO-2025-4015 (crypto/tls,
  crypto/x509, net/http, net/url, encoding/asn1, encoding/pem)
- golang.org/x/net v0.51.0: fixes GO-2026-4559 (HTTP/2 server panic)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Updated go.sum checksums for golang.org/x/net v0.51.0 and
Go toolchain resolution bumped go directive to 1.25.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 25, 2026 10:09

Copilot AI left a comment


Pull request overview

This PR syncs the DigiCert fork with upstream go-acme/lego through v4.33.0, incorporates upstream provider/ACME fixes, and updates dependencies/runtime behavior to address reported vulnerabilities.

Changes:

  • Merge upstream changes through v4.33.0, including ACME Retry-After handling and authz/token de-dup logic.
  • Add multiple upstream DNS providers (ArtFiles, Czechia, EuroDNS, Excedo, Leaseweb, Netnod, 1cloud.ru, NameSurfer) plus generated docs/help updates.
  • Update CLI/cert handling to support IP SANs and bump internal version/user-agent strings.

Reviewed changes

Copilot reviewed 159 out of 160 changed files in this pull request and generated 3 comments.

File Description
providers/dns/timewebcloud/timewebcloud.go Fix TimewebCloud TXT record subdomain formatting.
providers/dns/timewebcloud/internal/types.go Clarify TimewebCloud subdomain semantics.
providers/dns/safedns/safedns.toml Update SafeDNS provider branding metadata.
providers/dns/safedns/safedns.go Update SafeDNS provider comments/branding.
providers/dns/safedns/internal/client.go Update SafeDNS client comment/branding.
providers/dns/onecloudru/onecloudru_test.go Add 1cloud.ru provider tests.
providers/dns/onecloudru/onecloudru.toml Add 1cloud.ru provider metadata/config docs.
providers/dns/onecloudru/onecloudru.go Add 1cloud.ru provider implementation.
providers/dns/onecloudru/internal/types.go Add 1cloud.ru API types.
providers/dns/onecloudru/internal/fixtures/domainlist.json Add 1cloud.ru fixtures for tests.
providers/dns/onecloudru/internal/fixtures/create_record_txt.json Add 1cloud.ru fixtures for tests.
providers/dns/onecloudru/internal/fixtures/create_record_txt-request.json Add 1cloud.ru fixtures for tests.
providers/dns/onecloudru/internal/client_test.go Add 1cloud.ru internal client tests.
providers/dns/onecloudru/internal/client.go Add 1cloud.ru internal API client.
providers/dns/netnod/netnod_test.go Add Netnod provider tests.
providers/dns/netnod/netnod.toml Add Netnod provider metadata/config docs.
providers/dns/netnod/netnod.go Add Netnod provider implementation.
providers/dns/netnod/internal/types.go Add Netnod API types.
providers/dns/netnod/internal/fixtures/zones.json Add Netnod fixtures for tests.
providers/dns/netnod/internal/fixtures/partial_zone_update-request.json Add Netnod fixtures for tests.
providers/dns/netnod/internal/fixtures/partial_zone_update-prune-request.json Add Netnod fixtures for tests.
providers/dns/netnod/internal/fixtures/partial_zone_update-extend-request.json Add Netnod fixtures for tests.
providers/dns/netnod/internal/client_test.go Add Netnod internal client tests.
providers/dns/netnod/internal/client.go Add Netnod internal API client.
providers/dns/namesurfer/namesurfer_test.go Add NameSurfer provider tests.
providers/dns/namesurfer/namesurfer.toml Add NameSurfer provider metadata/config docs.
providers/dns/namesurfer/internal/types.go Add NameSurfer JSON-RPC types/errors.
providers/dns/namesurfer/internal/fixtures/updateDNSHost.json Add NameSurfer fixtures for tests.
providers/dns/namesurfer/internal/fixtures/updateDNSHost-request.json Add NameSurfer fixtures for tests.
providers/dns/namesurfer/internal/fixtures/searchDNSHosts.json Add NameSurfer fixtures for tests.
providers/dns/namesurfer/internal/fixtures/searchDNSHosts-request.json Add NameSurfer fixtures for tests.
providers/dns/namesurfer/internal/fixtures/listZones.json Add NameSurfer fixtures for tests.
providers/dns/namesurfer/internal/fixtures/listZones-request.json Add NameSurfer fixtures for tests.
providers/dns/namesurfer/internal/fixtures/error.json Add NameSurfer fixtures for tests.
providers/dns/namesurfer/internal/fixtures/addDNSRecord.json Add NameSurfer fixtures for tests.
providers/dns/namesurfer/internal/fixtures/addDNSRecord-request.json Add NameSurfer fixtures for tests.
providers/dns/namesurfer/internal/client_test.go Add NameSurfer internal client tests.
providers/dns/mittwald/internal/types.go Refine Mittwald API error formatting.
providers/dns/liara/liara.toml Document new Liara TEAM_ID option.
providers/dns/liara/liara.go Add Liara TEAM_ID support wiring.
providers/dns/liara/internal/client_test.go Add Liara teamID query param test coverage.
providers/dns/liara/internal/client.go Add Liara teamID query parameter behavior.
providers/dns/leaseweb/leaseweb.toml Add Leaseweb provider metadata/config docs.
providers/dns/leaseweb/leaseweb.go Add Leaseweb provider implementation.
providers/dns/leaseweb/internal/types.go Add Leaseweb API error/rrset types.
providers/dns/leaseweb/internal/fixtures/updateResourceRecordSet.json Add Leaseweb fixtures for tests.
providers/dns/leaseweb/internal/fixtures/updateResourceRecordSet-request2.json Add Leaseweb fixtures for tests.
providers/dns/leaseweb/internal/fixtures/updateResourceRecordSet-request.json Add Leaseweb fixtures for tests.
providers/dns/leaseweb/internal/fixtures/getResourceRecordSet2.json Add Leaseweb fixtures for tests.
providers/dns/leaseweb/internal/fixtures/getResourceRecordSet.json Add Leaseweb fixtures for tests.
providers/dns/leaseweb/internal/fixtures/error_404.json Add Leaseweb fixtures for tests.
providers/dns/leaseweb/internal/fixtures/error_401.json Add Leaseweb fixtures for tests.
providers/dns/leaseweb/internal/fixtures/error_400.json Add Leaseweb fixtures for tests.
providers/dns/leaseweb/internal/fixtures/createResourceRecordSet.json Add Leaseweb fixtures for tests.
providers/dns/leaseweb/internal/fixtures/createResourceRecordSet-request.json Add Leaseweb fixtures for tests.
providers/dns/leaseweb/internal/client_test.go Add Leaseweb internal client tests.
providers/dns/internal/useragent/useragent.go Bump DNS providers user-agent version string.
providers/dns/hosttech/internal/types.go Refine Hosttech API error formatting.
providers/dns/hostinger/internal/types.go Refine Hostinger API error formatting.
providers/dns/hetzner/internal/hetznerv1/internal/types.go Refine Hetzner v1 API error formatting.
providers/dns/gravity/internal/types.go Refine Gravity API error formatting.
providers/dns/godaddy/internal/types.go Refine GoDaddy API error formatting.
providers/dns/gigahostno/internal/types.go Adjust Gigahost zone type model fields.
providers/dns/gigahostno/internal/fixtures/zones.json Update Gigahost fixtures to match API shape.
providers/dns/gigahostno/internal/client_test.go Update Gigahost client tests for new model.
providers/dns/excedo/internal/types.go Add Excedo API types + response checking.
providers/dns/excedo/internal/identity_test.go Add Excedo auth/login tests.
providers/dns/excedo/internal/identity.go Add Excedo token caching/authentication flow.
providers/dns/excedo/internal/fixtures/login.json Add Excedo fixtures for tests.
providers/dns/excedo/internal/fixtures/getrecords.json Add Excedo fixtures for tests.
providers/dns/excedo/internal/fixtures/error.json Add Excedo fixtures for tests.
providers/dns/excedo/internal/fixtures/deleterecord.json Add Excedo fixtures for tests.
providers/dns/excedo/internal/fixtures/addrecord.json Add Excedo fixtures for tests.
providers/dns/excedo/internal/client_test.go Add Excedo internal client tests.
providers/dns/excedo/internal/client.go Add Excedo internal API client implementation.
providers/dns/excedo/excedo.toml Add Excedo provider metadata/config docs.
providers/dns/excedo/excedo.go Add Excedo provider implementation.
providers/dns/eurodns/internal/types.go Add EuroDNS API types and report errors.
providers/dns/eurodns/internal/fixtures/zone_remove.json Add EuroDNS fixtures for tests.
providers/dns/eurodns/internal/fixtures/zone_get.json Add EuroDNS fixtures for tests.
providers/dns/eurodns/internal/fixtures/zone_add_validate_ok.json Add EuroDNS fixtures for tests.
providers/dns/eurodns/internal/fixtures/zone_add_validate_ko.json Add EuroDNS fixtures for tests.
providers/dns/eurodns/internal/fixtures/zone_add_empty_forwards.json Add EuroDNS fixtures for tests.
providers/dns/eurodns/internal/fixtures/zone_add.json Add EuroDNS fixtures for tests.
providers/dns/eurodns/internal/fixtures/error.json Add EuroDNS fixtures for tests.
providers/dns/eurodns/internal/client.go Add EuroDNS internal API client implementation.
providers/dns/eurodns/eurodns.toml Add EuroDNS provider metadata/config docs.
providers/dns/dnsexit/internal/types.go Refine DNSExit API error formatting.
providers/dns/czechia/internal/types.go Add Czechia API types.
providers/dns/czechia/internal/fixtures/delete_txt_record-request.json Add Czechia fixtures for tests.
providers/dns/czechia/internal/fixtures/add_txt_record-request.json Add Czechia fixtures for tests.
providers/dns/czechia/internal/client_test.go Add Czechia internal client tests.
providers/dns/czechia/internal/client.go Add Czechia internal API client implementation.
providers/dns/czechia/czechia_test.go Add Czechia provider tests.
providers/dns/czechia/czechia.toml Add Czechia provider metadata/config docs.
providers/dns/czechia/czechia.go Add Czechia provider implementation.
providers/dns/cloudflare/internal/types.go Refine Cloudflare error formatting.
providers/dns/binarylane/internal/types.go Refine BinaryLane error formatting.
providers/dns/artfiles/internal/types.go Add ArtFiles record parsing/value helpers.
providers/dns/artfiles/internal/fixtures/txt_record.txt Add ArtFiles fixtures for tests.
providers/dns/artfiles/internal/fixtures/txt_record-multiple.txt Add ArtFiles fixtures for tests.
providers/dns/artfiles/internal/fixtures/set_dns.json Add ArtFiles fixtures for tests.
providers/dns/artfiles/internal/fixtures/get_dns.json Add ArtFiles fixtures for tests.
providers/dns/artfiles/internal/fixtures/domains.txt Add ArtFiles fixtures for tests.
providers/dns/artfiles/internal/client_test.go Add ArtFiles internal client tests.
providers/dns/artfiles/internal/client.go Add ArtFiles internal API client implementation.
providers/dns/artfiles/artfiles.toml Add ArtFiles provider metadata/config docs.
providers/dns/artfiles/artfiles.go Add ArtFiles provider implementation.
providers/dns/allinkl/allinkl.go Refactor All-Inkl zone discovery into helper.
providers/dns/alidns/alidns.toml Document new AliDNS region/line options.
providers/dns/alidns/alidns.go Add AliDNS line option into TXT creation.
docs/data/zz_cli_help.toml Update supported provider list in CLI docs.
docs/content/dns/zz_gen_safedns.md Regenerate SafeDNS docs with new branding.
docs/content/dns/zz_gen_onecloudru.md Add generated docs for 1cloud.ru provider.
docs/content/dns/zz_gen_netnod.md Add generated docs for Netnod provider.
docs/content/dns/zz_gen_namesurfer.md Add generated docs for NameSurfer provider.
docs/content/dns/zz_gen_liara.md Update generated docs for Liara TEAM_ID option.
docs/content/dns/zz_gen_leaseweb.md Add generated docs for Leaseweb provider.
docs/content/dns/zz_gen_excedo.md Add generated docs for Excedo provider.
docs/content/dns/zz_gen_eurodns.md Add generated docs for EuroDNS provider.
docs/content/dns/zz_gen_czechia.md Add generated docs for Czechia provider.
docs/content/dns/zz_gen_artfiles.md Add generated docs for ArtFiles provider.
docs/content/dns/zz_gen_alidns.md Update generated docs for AliDNS options.
cmd/lego/zz_gen_version.go Bump default CLI version string to v4.33.0.
cmd/cmd_list.go Print IP SANs in lego list output.
challenge/resolver/solver_manager.go Parse Retry-After per RFC (seconds/date).
challenge/resolver/prober_test.go Extend tests for DNS-01 token de-dup behavior.
challenge/resolver/prober_mock_test.go Improve mocks + counters for prober tests.
challenge/resolver/prober.go Add DNS-01 duplicate token pre-solve/cleanup logic.
challenge/resolver/errors_test.go Add tests for obtainError formatting/unwrapping.
challenge/resolver/errors.go Add obtainError.Unwrap for multi-error support.
challenge/dns01/dns_challenge_test.go Update tests for DigiCert raw-keyAuth behavior.
certificate/renewal_test.go Add test for RFC Retry-After date parsing.
certificate/renewal.go Use ParseRetryAfter for ARI Retry-After header.
certcrypto/crypto.go Allow main-domain selection from IP SANs.
acme/errors.go Refine ProblemDetails error string formatting.
acme/api/service_test.go Add ParseRetryAfter unit tests.
acme/api/service.go Implement RFC 7231 Retry-After parsing helper.
acme/api/internal/sender/useragent.go Bump ACME sender user-agent version string.
acme/api/identifier.go Preserve identifier input order while de-duping.
.golangci.yml Update revive suppression patterns.
.github/workflows/pr.yml Update lint version and run memcached via Docker.
.github/ISSUE_TEMPLATE/new_dns_provider.yml Update issue template wording/options.


Comment on lines +111 to +117
	chlg, _ := challenge.FindChallenge(challenge.DNS01, authSolver.authz)

	if solvr, ok := authSolver.solver.(preSolver); ok {
		if _, ok := uniq[authSolver.authz.Identifier.Value+chlg.Token]; ok && chlg.Token != "" {
			log.Infof("acme: duplicate token for %q (DNS-01); skipping pre-solve.", authSolver.authz.Identifier.Value)
			continue
		}
Copilot AI Mar 25, 2026


In sequentialSolve(), when a duplicate DNS-01 token is detected you continue, which skips not only PreSolve but also the subsequent Solve/CleanUp for that authorization. This can leave some authorizations unsolved in sequential mode. Consider skipping only the TXT creation step and ensuring Solve still runs; if you also need to avoid duplicate cleanup, precompute per-(identifier,token) occurrence counts and only CleanUp after the last authorization using that token.

Comment on lines 113 to +115
	if solvr, ok := authSolver.solver.(preSolver); ok {
		if _, ok := uniq[authSolver.authz.Identifier.Value+chlg.Token]; ok && chlg.Token != "" {
			log.Infof("acme: duplicate token for %q (DNS-01); skipping pre-solve.", authSolver.authz.Identifier.Value)
Copilot AI Mar 25, 2026


The de-duplication map key is built by concatenating authz.Identifier.Value+chlg.Token. This can theoretically collide (e.g., "ab"+"c" vs "a"+"bc") and makes the logic harder to reason about. Use a structured key (e.g., a small struct with separate fields) or at least add an unambiguous separator.

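One way to act on both review comments above (a structured map key instead of string concatenation, and cleanup only after the last authorization sharing a token, with Solve still running for every authorization): an added Go example that is neither the PR's code nor lego's; the authz, dnsKey and plan types are constructed stand-ins for the real resolver types.

```go
package main

import "fmt"

// authz is a constructed stand-in for an ACME authorization plus the token of
// its DNS-01 challenge (not lego's real acme.Authorization type).
type authz struct {
	Identifier string // e.g. "example.com"
	Token      string // "" when the authorization has no DNS-01 challenge
}

// dnsKey is the structured key the review suggests: separate fields cannot
// collide the way Identifier+Token string concatenation can.
type dnsKey struct{ Identifier, Token string }

// plan says which de-duplicated steps run for one authorization. Solve itself
// always runs; only TXT-record creation and removal are skipped.
type plan struct{ PreSolve, CleanUp bool }

// planDNS01 precomputes per-(identifier, token) occurrence counts, then walks
// the authorizations in order: the first occurrence creates the TXT record and
// the last one removes it. Empty tokens are never de-duplicated (chlg.Token != "").
func planDNS01(authzs []authz) []plan {
	remaining := make(map[dnsKey]int, len(authzs))
	for _, a := range authzs {
		if a.Token != "" {
			remaining[dnsKey{a.Identifier, a.Token}]++
		}
	}
	seen := make(map[dnsKey]bool, len(authzs))
	out := make([]plan, 0, len(authzs))
	for _, a := range authzs {
		if a.Token == "" {
			out = append(out, plan{PreSolve: true, CleanUp: true})
			continue
		}
		k := dnsKey{a.Identifier, a.Token}
		remaining[k]--
		out = append(out, plan{PreSolve: !seen[k], CleanUp: remaining[k] == 0})
		seen[k] = true
	}
	return out
}

// concatKeyCollides reports whether two distinct pairs would be merged by a
// plain Identifier+Token string key (the review's "ab"+"c" vs "a"+"bc" case).
func concatKeyCollides(a, b authz) bool {
	distinct := a.Identifier != b.Identifier || a.Token != b.Token
	return distinct && a.Identifier+a.Token == b.Identifier+b.Token
}

func main() {
	in := []authz{{"example.com", "tok1"}, {"example.com", "tok1"}, {"example.org", "tok2"}}
	for i, p := range planDNS01(in) {
		fmt.Printf("%s token=%s presolve=%t cleanup=%t\n", in[i].Identifier, in[i].Token, p.PreSolve, p.CleanUp)
	}
	fmt.Println("concatenated key collides:", concatKeyCollides(authz{"ab", "c"}, authz{"a", "bc"}))
}
```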
Comment on lines +68 to +77
func ParseRecordValue(lines string) RecordValue {
	data := make(RecordValue)

	for line := range strings.Lines(lines) {
		line = strings.TrimSpace(line)

		idx := strings.IndexFunc(line, unicode.IsSpace)

		data[line[:idx]] = append(data[line[:idx]], line[idx+1:])
	}
Copilot AI Mar 25, 2026


ParseRecordValue() can panic when encountering an empty line or a line without whitespace: strings.IndexFunc returns -1, and then line[:idx] / line[idx+1:] will slice out of bounds. Add guards to skip empty/malformed lines (or return an error) before slicing.

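A guarded variant of ParseRecordValue, as an added example rather than the PR's or lego's code: it skips blank and separator-less lines instead of slicing with idx == -1, and reports the skipped lines. RecordValue is assumed to be map[string][]string, and strings.Split stands in for strings.Lines so the example also builds on toolchains older than Go 1.24.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// RecordValue maps a record name to every value listed for it. The shape is
// assumed here; the snippet under review only shows how it is used.
type RecordValue map[string][]string

// ParseRecordValue parses a "name value" text listing, one record per line.
// Unlike the snippet under review it never slices with idx == -1: blank lines
// are ignored and lines without any whitespace are returned as skipped rather
// than causing a panic.
func ParseRecordValue(lines string) (RecordValue, []string) {
	data := make(RecordValue)
	var skipped []string
	for _, line := range strings.Split(lines, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue // blank or whitespace-only line carries no record
		}
		idx := strings.IndexFunc(line, unicode.IsSpace)
		if idx < 0 {
			skipped = append(skipped, line) // a name without a value
			continue
		}
		name := line[:idx]
		// The original takes line[idx+1:], keeping any extra spaces between
		// name and value; trimming makes "name   value" equal to "name value".
		value := strings.TrimSpace(line[idx:])
		data[name] = append(data[name], value)
	}
	return data, skipped
}

func main() {
	// Constructed sample: a repeated name, blank lines and a malformed line.
	sample := "_acme-challenge v1\n\n   \nnovalue\n_acme-challenge   v2\nother x\n"
	data, skipped := ParseRecordValue(sample)
	fmt.Println("records:", data)
	fmt.Println("skipped:", skipped)
}
```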
Adds a reusable slash command that automates the full workflow:
fetch upstream go-acme/lego, merge, fix import paths, preserve
DigiCert customizations, run govulncheck, and create a PR.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@suhail-sullad suhail-sullad merged commit 89699c1 into master Mar 26, 2026
0 of 7 checks passed
@suhail-sullad suhail-sullad deleted the fix_vulnerability_and_update_upstream branch March 26, 2026 03:52