From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 6/6] acme: add support for wildcard certificates
Date: Tue, 9 Nov 2021 16:54:22 +0000
Message-ID: <20211109165422.311089-9-s.ivanov@proxmox.com>
In-Reply-To: <20211109165422.311089-1-s.ivanov@proxmox.com>
following the implementation in PMG in:
* verifying that an acmedomain with wildcard is not using the standalone
validation
* the initial '*.' is stripped when searching for the proper domain
config and when running the validation plugin
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
pbs-api-types/src/lib.rs | 5 +++++
src/acme/plugin.rs | 2 +-
src/api2/node/certificates.rs | 2 +-
src/api2/types/acme.rs | 4 ++--
src/config/node.rs | 9 +++++++++
5 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index 96ac657b..73a84ca6 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -82,6 +82,7 @@ pub use zfs::*;
mod local_macros {
macro_rules! DNS_LABEL { () => (r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
macro_rules! DNS_NAME { () => (concat!(r"(?:(?:", DNS_LABEL!() , r"\.)*", DNS_LABEL!(), ")")) }
+ macro_rules! DNS_NAME_OR_WILDCARD { () => (concat!(r"(?:\*\.)?(?:(?:", DNS_LABEL!() , r"\.)*", DNS_LABEL!(), ")")) }
macro_rules! CIDR_V4_REGEX_STR { () => (concat!(r"(?:", IPV4RE!(), r"/\d{1,2})$")) }
macro_rules! CIDR_V6_REGEX_STR { () => (concat!(r"(?:", IPV6RE!(), r"/\d{1,3})$")) }
macro_rules! DNS_ALIAS_LABEL { () => (r"(?:[a-zA-Z0-9_](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
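Review bot: the new `DNS_NAME_OR_WILDCARD` macro on the `+` line only admits a single leading `*.` label in front of a regular `DNS_NAME!()`, which is exactly the form ACME permits for wildcard identifiers (the `*` may only be the entire leftmost label); that is the right restriction, but nothing in the hunk records why, so a short comment next to the macro saying "leading wildcard label only, as allowed by ACME" would spare the next reader a trip to the RFC. As written it also accepts a wildcard over a single-label base such as `*.com`; the CA will refuse that anyway, so leaving it to the CA is acceptable, but worth a mention in the same comment.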
@@ -99,6 +100,7 @@ const_regex! {
pub CIDR_REGEX = concat!(r"^(?:", CIDR_V4_REGEX_STR!(), "|", CIDR_V6_REGEX_STR!(), r")$");
pub HOSTNAME_REGEX = r"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)$";
pub DNS_NAME_REGEX = concat!(r"^", DNS_NAME!(), r"$");
+ pub DNS_NAME_OR_WILDCARD_REGEX = concat!(r"^", DNS_NAME_OR_WILDCARD!(), r"$");
pub DNS_ALIAS_REGEX = concat!(r"^", DNS_ALIAS_NAME!(), r"$");
pub DNS_NAME_OR_IP_REGEX = concat!(r"^(?:", DNS_NAME!(), "|", IPRE!(), r")$");
@@ -177,6 +179,9 @@ pub const HOSTNAME_SCHEMA: Schema = StringSchema::new("Hostname (as defined in R
pub const DNS_NAME_FORMAT: ApiStringFormat =
ApiStringFormat::Pattern(&DNS_NAME_REGEX);
+pub const DNS_NAME_OR_WILDCARD_FORMAT: ApiStringFormat =
+ ApiStringFormat::Pattern(&DNS_NAME_OR_WILDCARD_REGEX);
+
pub const DNS_NAME_OR_IP_FORMAT: ApiStringFormat =
ApiStringFormat::Pattern(&DNS_NAME_OR_IP_REGEX);
diff --git a/src/acme/plugin.rs b/src/acme/plugin.rs
index d31c2b8f..4dedb69b 100644
--- a/src/acme/plugin.rs
+++ b/src/acme/plugin.rs
@@ -145,7 +145,7 @@ impl DnsPlugin {
PROXMOX_ACME_SH_PATH,
action,
&self.core.api,
- domain.alias.as_deref().unwrap_or(&domain.domain),
+ domain.alias.as_deref().unwrap_or(&domain.domain.trim_start_matches("*.")),
]);
// We could use 1 socketpair, but tokio wraps them all in `File` internally causing `close`
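Review bot: the `&` in `&domain.domain.trim_start_matches("*.")` on the `+` line is redundant: `trim_start_matches` already returns `&str`, so the extra borrow produces a `&&str` that only compiles through deref coercion (clippy reports this as `needless_borrow`). Also note that `trim_start_matches` strips the pattern repeatedly, so `*.*.example.com` would collapse to `example.com`; the schema regex rejects such input today, but `domain.domain.strip_prefix("*.").unwrap_or(&domain.domain)` states the intent (remove exactly one leading wildcard label) and stays correct if the schema is ever loosened.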
diff --git a/src/api2/node/certificates.rs b/src/api2/node/certificates.rs
index 4d26b29f..f6a7c2d3 100644
--- a/src/api2/node/certificates.rs
+++ b/src/api2/node/certificates.rs
@@ -299,7 +299,7 @@ async fn order_certificate(
let get_domain_config = |domain: &str| {
domains
.iter()
- .find(|d| d.domain == domain)
+ .find(|d| d.domain.trim_start_matches("*.") == domain)
.ok_or_else(|| format_err!("no config for domain '{}'", domain))
};
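Review bot: this lookup makes a plain and a wildcard entry for the same base name collide. For a wildcard order the ACME authorization identifier arrives without the `*.` (the authorization carries a `wildcard` flag instead), so both `example.com` and `*.example.com` config entries now satisfy `d.domain.trim_start_matches("*.") == domain`, and `.find` silently returns whichever is listed first, possibly a standalone entry for the wildcard authorization or a DNS entry for the plain one. The duplicate check in `src/config/node.rs` in this series keys on the unstripped name, so such a config is accepted. Either reject that combination at config-validation time, or pass the authorization's wildcard flag into `get_domain_config` and additionally require `d.domain.starts_with("*.") == wildcard` so each authorization picks its own plugin. Minor: the comparison is case-sensitive here while the dedupe check lowercases; `eq_ignore_ascii_case` would keep the two consistent.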
diff --git a/src/api2/types/acme.rs b/src/api2/types/acme.rs
index 21e953bb..7b9de74a 100644
--- a/src/api2/types/acme.rs
+++ b/src/api2/types/acme.rs
@@ -4,12 +4,12 @@ use serde_json::Value;
use proxmox_schema::{api, ApiType, Schema, StringSchema, ApiStringFormat};
use pbs_api_types::{
- DNS_ALIAS_FORMAT, DNS_NAME_FORMAT, PROXMOX_SAFE_ID_FORMAT,
+ DNS_ALIAS_FORMAT, DNS_NAME_OR_WILDCARD_FORMAT, PROXMOX_SAFE_ID_FORMAT,
};
#[api(
properties: {
- "domain": { format: &DNS_NAME_FORMAT },
+ "domain": { format: &DNS_NAME_OR_WILDCARD_FORMAT },
"alias": {
optional: true,
format: &DNS_ALIAS_FORMAT,
diff --git a/src/config/node.rs b/src/config/node.rs
index 93444216..fb9b1105 100644
--- a/src/config/node.rs
+++ b/src/config/node.rs
@@ -163,6 +163,15 @@ impl NodeConfig {
if !domains.insert(domain.domain.to_lowercase()) {
bail!("duplicate domain '{}' in ACME config", domain.domain);
}
+ if domain.domain.starts_with("*.") {
+ let plugin = domain.plugin.as_deref().unwrap_or("standalone");
+ if plugin == "standalone" {
+ bail!(
+ "wildcard domain '{}' needs a dns-01 plugin for validation!",
+ domain.domain
+ );
+ }
+ }
}
Ok(())
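Review bot: the dedupe just above the new block still inserts `domain.domain.to_lowercase()` unstripped, so `example.com` and `*.example.com` both pass validation even though the lookup in `src/api2/node/certificates.rs` (same series) now matches them by the stripped name and cannot tell them apart; this is the place to catch that, for example by also inserting the `trim_start_matches("*.")` form and bailing with "domain 'X' and wildcard '*.X' cannot both be configured" when the second insert fails, so the user sees a clear config error rather than a failed order. Smaller points: the wildcard check compares the raw plugin id string to `"standalone"` and otherwise trusts that any configured plugin can do dns-01, which matches the error text only as long as every non-standalone plugin in PBS is a DNS plugin; and the same `"*."` stripping now appears in three files, so a small helper on the domain config struct (e.g. `fn base_domain(&self) -> &str`) would keep them from drifting apart.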
--
2.30.2