* [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation
2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
@ 2021-04-15 19:46 ` Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 2/3] acme: check plugin for wildcard certificates Stoiko Ivanov
` (4 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Stoiko Ivanov @ 2021-04-15 19:46 UTC (permalink / raw)
To: pmg-devel
Wildcard DNS names (*.domain.example) are validated through their
base-domain (domain.example) according to the ACME RFC [0].
We store the indirection while parsing the acme config, and check for
an extra validation target during ordering.
This makes it possible to order wildcard certificates which are not
valid for the base-domain.
[0] https://tools.ietf.org/html/rfc8555#section-7.1.3
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
v2->v3:
* add indirection
src/PMG/API2/Certificates.pm | 5 +++++
src/PMG/NodeConfig.pm | 6 ++++++
2 files changed, 11 insertions(+)
diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
index c08deb6..351d1c5 100644
--- a/src/PMG/API2/Certificates.pm
+++ b/src/PMG/API2/Certificates.pm
@@ -359,6 +359,11 @@ my $order_certificate = sub {
print "The validation for $domain is pending!\n";
my $domain_config = $acme_node_config->{domains}->{$domain};
+ if (!defined($domain_config)) {
+ # wildcard domains are validated through the basedomain
+ my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
+ $domain_config = $acme_node_config->{domains}->{$vtarget};
+ }
die "no config for domain '$domain'\n" if !$domain_config;
my $plugin_id = $domain_config->{plugin};
diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
index 6472a9d..5f96e62 100644
--- a/src/PMG/NodeConfig.pm
+++ b/src/PMG/NodeConfig.pm
@@ -216,6 +216,12 @@ sub get_acme_conf {
if !$plugins->{ids}->{$plugin_id};
}
+ # validation for wildcard domain names happens on the domain w/o
+ # wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
+ if ($domain =~ /^\*\.(.*)$/ ) {
+ $res->{validationtarget}->{$1} = $domain;
+ }
+
$parsed->{_configkey} = "acmedomain$index";
$res->{domains}->{$domain} = $parsed;
}
--
2.20.1
^ permalink raw reply [flat|nested] 8+ messages in thread* [pmg-devel] [PATCH pmg-api v3 2/3] acme: check plugin for wildcard certificates
2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation Stoiko Ivanov
@ 2021-04-15 19:46 ` Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 3/3] nodeconfig: parse acme config before writing Stoiko Ivanov
` (3 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Stoiko Ivanov @ 2021-04-15 19:46 UTC (permalink / raw)
To: pmg-devel
Let's Encrypt currently only issues wildcard certificates if the
domain ownership is validated via a dns-01 type plugin.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/PMG/NodeConfig.pm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
index 5f96e62..029b903 100644
--- a/src/PMG/NodeConfig.pm
+++ b/src/PMG/NodeConfig.pm
@@ -209,9 +209,9 @@ sub get_acme_conf {
}
$parsed->{plugin} //= 'standalone';
+ my $plugins = PMG::API2::ACMEPlugin::load_config();
my $plugin_id = $parsed->{plugin};
if ($plugin_id ne 'standalone') {
- my $plugins = PMG::API2::ACMEPlugin::load_config();
die "plugin '$plugin_id' for domain '$domain' not found!\n"
if !$plugins->{ids}->{$plugin_id};
}
@@ -220,6 +220,9 @@ sub get_acme_conf {
# wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
if ($domain =~ /^\*\.(.*)$/ ) {
$res->{validationtarget}->{$1} = $domain;
+ die "wildcard domain validation for '$domain' needs a dns-01 plugin.\n"
+ if $plugins->{ids}->{$plugin_id}->{type} ne 'dns';
+
}
$parsed->{_configkey} = "acmedomain$index";
--
2.20.1
^ permalink raw reply [flat|nested] 8+ messages in thread* [pmg-devel] [PATCH pmg-api v3 3/3] nodeconfig: parse acme config before writing
2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 2/3] acme: check plugin for wildcard certificates Stoiko Ivanov
@ 2021-04-15 19:46 ` Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH v3 1/1] acme: allow wildcards as domain Stoiko Ivanov
` (2 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Stoiko Ivanov @ 2021-04-15 19:46 UTC (permalink / raw)
To: pmg-devel
we use `get_acme_conf` as higher level sanity checker (e.g. to ensure
that wildcard certificates have a configured DNS plugin)
(adapted from pve-manger (where this is done in the corresponding API
call)
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/PMG/NodeConfig.pm | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
index 029b903..42139e4 100644
--- a/src/PMG/NodeConfig.pm
+++ b/src/PMG/NodeConfig.pm
@@ -131,6 +131,9 @@ sub read_pmg_node_config {
sub write_pmg_node_config {
my ($filename, $fh, $cfg) = @_;
my $raw = PVE::JSONSchema::dump_config($config_schema, $filename, $cfg);
+
+ # higher level ACME sanity checking
+ get_acme_conf($cfg);
PVE::Tools::safe_print($filename, $fh, $raw);
}
--
2.20.1
^ permalink raw reply [flat|nested] 8+ messages in thread* [pmg-devel] [PATCH v3 1/1] acme: allow wildcards as domain
2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
` (2 preceding siblings ...)
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 3/3] nodeconfig: parse acme config before writing Stoiko Ivanov
@ 2021-04-15 19:46 ` Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-docs v3 1/1] certs: add wildcard certificate support Stoiko Ivanov
2021-07-13 8:03 ` [pmg-devel] applied-series: [PATCH pmg-api/pwt/pmg-docs v3] Thomas Lamprecht
5 siblings, 0 replies; 8+ messages in thread
From: Stoiko Ivanov @ 2021-04-15 19:46 UTC (permalink / raw)
To: pmg-devel
allow wildcard dns-names as defined in [0,1] (only the prefix '*.' in
front of a valid dns-name) as domain.
[0] https://tools.ietf.org/html/rfc8555#section-7.1.3
[1] https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/Toolkit.js | 5 +++++
src/Utils.js | 1 +
src/window/ACMEDomains.js | 2 +-
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/Toolkit.js b/src/Toolkit.js
index 6ae31ed..c6bfe93 100644
--- a/src/Toolkit.js
+++ b/src/Toolkit.js
@@ -131,6 +131,11 @@ Ext.apply(Ext.form.field.VTypes, {
},
DnsNameText: gettext('This is not a valid DNS name'),
+ DnsNameOrWildcard: function(v) {
+ return Proxmox.Utils.DnsName_or_Wildcard_match.test(v);
+ },
+ DnsNameOrWildcardText: gettext('This is not a valid DNS name'),
+
// workaround for https://www.sencha.com/forum/showthread.php?302150
proxmoxMail: function(v) {
return (/^(\w+)([-+.][\w]+)*@(\w[-\w]*\.){1,5}([A-Za-z]){2,63}$/).test(v);
diff --git a/src/Utils.js b/src/Utils.js
index 3fd8f91..4b53238 100644
--- a/src/Utils.js
+++ b/src/Utils.js
@@ -1041,6 +1041,7 @@ utilities: {
let DnsName_REGEXP = "(?:(?:(?:[a-zA-Z0-9](?:[a-zA-Z0-9\\-]*[a-zA-Z0-9])?)\\.)*(?:[A-Za-z0-9](?:[A-Za-z0-9\\-]*[A-Za-z0-9])?))";
me.DnsName_match = new RegExp("^" + DnsName_REGEXP + "$");
+ me.DnsName_or_Wildcard_match = new RegExp("^(?:\\*\\.)?" + DnsName_REGEXP + "$");
me.HostPort_match = new RegExp("^(" + IPV4_REGEXP + "|" + DnsName_REGEXP + ")(?::(\\d+))?$");
me.HostPortBrackets_match = new RegExp("^\\[(" + IPV6_REGEXP + "|" + IPV4_REGEXP + "|" + DnsName_REGEXP + ")\\](?::(\\d+))?$");
diff --git a/src/window/ACMEDomains.js b/src/window/ACMEDomains.js
index 930a4c3..5ec5856 100644
--- a/src/window/ACMEDomains.js
+++ b/src/window/ACMEDomains.js
@@ -150,7 +150,7 @@ Ext.define('Proxmox.window.ACMEDomainEdit', {
xtype: 'proxmoxtextfield',
name: 'domain',
allowBlank: false,
- vtype: 'DnsName',
+ vtype: 'DnsNameOrWildcard',
value: '',
fieldLabel: gettext('Domain'),
},
--
2.20.1
^ permalink raw reply [flat|nested] 8+ messages in thread* [pmg-devel] [PATCH pmg-docs v3 1/1] certs: add wildcard certificate support
2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
` (3 preceding siblings ...)
2021-04-15 19:46 ` [pmg-devel] [PATCH v3 1/1] acme: allow wildcards as domain Stoiko Ivanov
@ 2021-04-15 19:46 ` Stoiko Ivanov
2021-07-13 8:03 ` [pmg-devel] applied-series: [PATCH pmg-api/pwt/pmg-docs v3] Thomas Lamprecht
5 siblings, 0 replies; 8+ messages in thread
From: Stoiko Ivanov @ 2021-04-15 19:46 UTC (permalink / raw)
To: pmg-devel
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
pmg-ssl-certificate.adoc | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/pmg-ssl-certificate.adoc b/pmg-ssl-certificate.adoc
index 6cd44b1..64a2521 100644
--- a/pmg-ssl-certificate.adoc
+++ b/pmg-ssl-certificate.adoc
@@ -187,6 +187,18 @@ and set the `alias` property in the {pmg} node configuration file
`/etc/pmg/node.conf` to `domain2.example` to allow the DNS server of
`domain2.example` to validate all challenges for `domain1.example`.
+[[sysadmin_certs_acme_dns_wildcard]]
+Wildcard Certificates
+^^^^^^^^^^^^^^^^^^^^^
+
+Wildcard DNS names start with a `*.` prefix and are considered valid for all
+(one-level) subdomain names of the verified domain. So a certificate for
+`*.domain.example` is valid for example for `foo.domain.example` and
+`bar.domain.example`, but not for `baz.foo.domain.example`.
+
+You can currently create wildcard certificates only with the
+https://letsencrypt.org/docs/challenge-types/#dns-01-challenge[DNS challenge type].
+
Combination of Plugins
^^^^^^^^^^^^^^^^^^^^^^
--
2.20.1
^ permalink raw reply [flat|nested] 8+ messages in thread* [pmg-devel] applied-series: [PATCH pmg-api/pwt/pmg-docs v3]
2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
` (4 preceding siblings ...)
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-docs v3 1/1] certs: add wildcard certificate support Stoiko Ivanov
@ 2021-07-13 8:03 ` Thomas Lamprecht
5 siblings, 0 replies; 8+ messages in thread
From: Thomas Lamprecht @ 2021-07-13 8:03 UTC (permalink / raw)
To: Stoiko Ivanov, pmg-devel
On 15.04.21 21:46, Stoiko Ivanov wrote:
> v2->v3:
> * incorporated Thomas' excellent feedback (especially that part of wildcard-certs
> without the base-domain being added actually working despite my theoretical
> guess that it would not :)
> * added a check for wildcardcert needs DNS plugin during node-config parsing and writing
>
> original cover-letter for v2:
> v1->v2:
> * reaad up on the requirements and infered from [0], a few HOWTOs and the
> response from the LE staging directory that:
> ```
> Orders that contain both a base domain and its wildcard equivalent (...) are
> valid.
> ```
> means that only such orders are valid (hence the requirement for the base
> name in addition to the wildcard name
> * added a short stanza to pmg-docs describing the requirements
> * added a patch for pwt to allow '*.' as prefix for domains in ACMEDomains
>
>
> [0] https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
>
> pmg-api:
> Stoiko Ivanov (3):
> acme: handle wildcard dns validation
> acme: check plugin for wildcard certificates
> nodeconfig: parse acme config before writing
>
> src/PMG/API2/Certificates.pm | 5 +++++
> src/PMG/NodeConfig.pm | 14 +++++++++++++-
> 2 files changed, 18 insertions(+), 1 deletion(-)
>
> promox-widget-toolkit:
> Stoiko Ivanov (1):
> acme: allow wildcards as domain
>
> src/Toolkit.js | 5 +++++
> src/Utils.js | 1 +
> src/window/ACMEDomains.js | 2 +-
> 3 files changed, 7 insertions(+), 1 deletion(-)
>
> pmg-docs:
> Stoiko Ivanov (1):
> certs: add wildcard certificate support
>
> pmg-ssl-certificate.adoc | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
applied series, thanks!
^ permalink raw reply [flat|nested] 8+ messages in thread