From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Stoiko Ivanov <s.ivanov@proxmox.com>, pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation
Date: Fri, 16 Apr 2021 10:14:45 +0200 (CEST)
Message-ID: <1847872893.3417.1618560885557@webmail.proxmox.com>
took me a bit to "tune" back into "no, it autovivifies,
and no, it won't "panic!()" when indexing with a wrong value
(the deliberate empty string)"
but hey, that's just perl ;-)
lgtm 👍
> On 04/15/2021 9:46 PM Stoiko Ivanov <s.ivanov@proxmox.com> wrote:
>
>
> Wildcard DNS names (*.domain.example) are validated through their
> base-domain (domain.example) according to the ACME RFC [0].
>
> We store the indirection while parsing the acme config, and check for
> an extra validation target during ordering.
>
> This makes it possible to order wildcard certificates which are not
> valid for the base-domain.
>
> [0] https://tools.ietf.org/html/rfc8555#section-7.1.3
>
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> v2->v3:
> * add indirection
> src/PMG/API2/Certificates.pm | 5 +++++
> src/PMG/NodeConfig.pm | 6 ++++++
> 2 files changed, 11 insertions(+)
>
> diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
> index c08deb6..351d1c5 100644
> --- a/src/PMG/API2/Certificates.pm
> +++ b/src/PMG/API2/Certificates.pm
> @@ -359,6 +359,11 @@ my $order_certificate = sub {
> print "The validation for $domain is pending!\n";
>
> my $domain_config = $acme_node_config->{domains}->{$domain};
> + if (!defined($domain_config)) {
> + # wildcard domains are validated through the basedomain
> + my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
> + $domain_config = $acme_node_config->{domains}->{$vtarget};
> + }
> die "no config for domain '$domain'\n" if !$domain_config;
>
> my $plugin_id = $domain_config->{plugin};
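Review bot: the fallback in this block only fires when `$acme_node_config->{domains}->{$domain}` is missing, and `$domain` here is the name under validation, i.e. the authorization identifier; per the RFC 8555 section 7.1.3 the commit message cites, the authorization for `*.domain.example` carries the identifier value `domain.example` (without the `*.` prefix) plus a `wildcard` flag, so when both `domain.example` and `*.domain.example` are configured, the wildcard authorization also resolves to the base domain's entry and its plugin, never to the wildcard entry's. Either consult the authorization's wildcard flag before the plain lookup, or document that in that configuration the base-domain plugin has to be able to answer a DNS challenge. Minor: `my $vtarget = ... // '';` followed by `$acme_node_config->{domains}->{$vtarget}` relies on the empty-string key silently yielding undef; `if (my $vtarget = $acme_node_config->{validationtarget}->{$domain}) { ... }` expresses the same without the sentinel value.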
> diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
> index 6472a9d..5f96e62 100644
> --- a/src/PMG/NodeConfig.pm
> +++ b/src/PMG/NodeConfig.pm
> @@ -216,6 +216,12 @@ sub get_acme_conf {
> if !$plugins->{ids}->{$plugin_id};
> }
>
> + # validation for wildcard domain names happens on the domain w/o
> + # wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
> + if ($domain =~ /^\*\.(.*)$/ ) {
> + $res->{validationtarget}->{$1} = $domain;
> + }
> +
> $parsed->{_configkey} = "acmedomain$index";
> $res->{domains}->{$domain} = $parsed;
> }
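Review bot: `$res->{validationtarget}` is only ever created here, and only when a wildcard entry is present, so any reader that looks it up on a wildcard-free config depends on Perl autovivifying the hash; initialising `$res->{validationtarget} = {}` where `$res->{domains}` is set up would make the returned shape explicit. Also, `/^\*\.(.*)$/` accepts any remainder, including an empty one (`*.`) or a further `*.` label, so the mapping relies on the domain value having been format-checked before it reaches this point; a comment saying so, or a `die` on a base that is empty or still contains `*`, would make that assumption visible.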
> --
> 2.20.1
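The indirection the patch introduces, as an added stand-alone example (this is not pmg-api code): a parser that builds the same `domains` and `validationtarget` maps from a list of constructed `domain=...,plugin=...` entries, and a resolver that picks the config entry for a pending authorization. It goes beyond the patch in one respect: it also takes the authorization's `wildcard` flag from RFC 8555 section 7.1.3 into account, so that a wildcard authorization is resolved to the wildcard entry even when the base domain is configured as well. The entry format, the `parse_acme_domains` and `resolve_domain_config` names, and the sample domains and plugin IDs are assumptions for the example.

```perl
#!/usr/bin/perl
# Added example, not pmg-api code. Builds the domain -> config map and the
# base-domain -> wildcard "validationtarget" indirection, then resolves the
# entry to use for an ACME authorization. Entry format and names are assumed.
use strict;
use warnings;

# Parse "domain=...,plugin=..." strings (constructed stand-in for the
# acmedomainN node-config entries) into the shape the patch builds.
sub parse_acme_domains {
    my ($entries) = @_;
    my $res = { domains => {}, validationtarget => {} };
    my $index = 0;
    for my $entry (@$entries) {
        my %parsed = map { split /=/, $_, 2 } split /,/, $entry;
        my $domain = $parsed{domain}
            or die "entry '$entry' has no domain\n";
        $parsed{plugin} //= 'standalone';
        die "duplicate domain '$domain'\n" if exists $res->{domains}->{$domain};
        if ($domain =~ /^\*\.(.*)$/) {
            my $base = $1;
            # reject "*." and nested wildcards instead of relying on a format check elsewhere
            die "invalid wildcard '$domain'\n" if $base eq '' || $base =~ /\*/;
            # validation for *.base happens on base (RFC 8555, section 7.1.3)
            $res->{validationtarget}->{$base} = $domain;
        }
        $parsed{_configkey} = "acmedomain$index";
        $res->{domains}->{$domain} = \%parsed;
        $index++;
    }
    return $res;
}

# Resolve the config entry for one authorization. $identifier is the value
# from the ACME authorization object (never carries the "*." prefix) and
# $wildcard is its "wildcard" flag. Beyond the patch: with the flag set, the
# wildcard entry is preferred even if the base domain is configured too;
# without it, the base entry wins and the wildcard entry is the fallback.
sub resolve_domain_config {
    my ($conf, $identifier, $wildcard) = @_;
    my $vtarget = $conf->{validationtarget}->{$identifier};
    my @candidates = $wildcard
        ? ($vtarget, $identifier)
        : ($identifier, $vtarget);
    for my $name (grep { defined $_ } @candidates) {
        my $cfg = $conf->{domains}->{$name};
        return ($name, $cfg) if $cfg;
    }
    die "no config for domain '$identifier'\n";
}

# Constructed sample config: a plain host plus a wildcard for the same zone.
my $conf = parse_acme_domains([
    'domain=mail.example.test,plugin=standalone',
    'domain=*.example.test,plugin=dns-example',
]);

# Two authorizations as a CA would return them for an order covering both
# names: the plain host, and the wildcard (identifier without "*.", flag set).
for my $auth (['mail.example.test', 0], ['example.test', 1]) {
    my ($name, $cfg) = resolve_domain_config($conf, @$auth);
    printf "%s (wildcard=%d) -> entry %s, plugin %s\n",
        $auth->[0], $auth->[1], $name, $cfg->{plugin};
}
```

Run as `perl resolve.pl`; the first authorization resolves to the `mail.example.test` entry with the `standalone` plugin and the second to the `*.example.test` entry with `dns-example`. Dropping the `dns-example` entry from the sample config makes the second call die with `no config for domain 'example.test'`, which is the same outcome the patched `$order_certificate` reaches when neither the base domain nor a matching wildcard is configured.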
Thread overview:
2021-04-16 8:14 Wolfgang Bumiller [this message]
2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation Stoiko Ivanov
Service provided by Proxmox Server Solutions GmbH