From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <s.ivanov@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 1214473783
 for <pmg-devel@lists.proxmox.com>; Thu, 15 Apr 2021 21:47:07 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id B561C1DF66
 for <pmg-devel@lists.proxmox.com>; Thu, 15 Apr 2021 21:46:36 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [212.186.127.180])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 509921DF1C
 for <pmg-devel@lists.proxmox.com>; Thu, 15 Apr 2021 21:46:34 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 14AFC45B1C
 for <pmg-devel@lists.proxmox.com>; Thu, 15 Apr 2021 21:46:34 +0200 (CEST)
From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pmg-devel@lists.proxmox.com
Date: Thu, 15 Apr 2021 21:46:18 +0200
Message-Id: <20210415194622.25632-2-s.ivanov@proxmox.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20210415194622.25632-1-s.ivanov@proxmox.com>
References: <20210415194622.25632-1-s.ivanov@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.058 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_DNSWL_MED        -2.3 Sender listed at https://www.dnswl.org/,
 medium trust
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [nodeconfig.pm, certificates.pm, ietf.org]
Subject: [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns
 validation
X-BeenThere: pmg-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Mail Gateway development discussion
 <pmg-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pmg-devel>, 
 <mailto:pmg-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pmg-devel/>
List-Post: <mailto:pmg-devel@lists.proxmox.com>
List-Help: <mailto:pmg-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel>, 
 <mailto:pmg-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Thu, 15 Apr 2021 19:47:07 -0000

Wildcard DNS names (*.domain.example) are validated through their
base-domain (domain.example) according to the ACME RFC [0].

We store the indirection while parsing the acme config, and check for
an extra validation target during ordering.

This makes it possible to order wildcard certificates which are not
valid for the base-domain.

[0] https://tools.ietf.org/html/rfc8555#section-7.1.3

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
v2->v3:
* add indirection
 src/PMG/API2/Certificates.pm | 5 +++++
 src/PMG/NodeConfig.pm        | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
index c08deb6..351d1c5 100644
--- a/src/PMG/API2/Certificates.pm
+++ b/src/PMG/API2/Certificates.pm
@@ -359,6 +359,11 @@ my $order_certificate = sub {
 	    print "The validation for $domain is pending!\n";
 
 	    my $domain_config = $acme_node_config->{domains}->{$domain};
+	    if (!defined($domain_config)) {
+		# wildcard domains are validated through the basedomain
+		my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
+		$domain_config = $acme_node_config->{domains}->{$vtarget};
+	    }
 	    die "no config for domain '$domain'\n" if !$domain_config;
 
 	    my $plugin_id = $domain_config->{plugin};
diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
index 6472a9d..5f96e62 100644
--- a/src/PMG/NodeConfig.pm
+++ b/src/PMG/NodeConfig.pm
@@ -216,6 +216,12 @@ sub get_acme_conf {
 		if !$plugins->{ids}->{$plugin_id};
 	}
 
+	# validation for wildcard domain names happens on the domain w/o
+	# wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
+	if ($domain =~ /^\*\.(.*)$/ ) {
+	    $res->{validationtarget}->{$1} = $domain;
+	}
+
 	$parsed->{_configkey} = "acmedomain$index";
 	$res->{domains}->{$domain} = $parsed;
     }
-- 
2.20.1