From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pbs-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 04E471FF15C
	for <inbox@lore.proxmox.com>; Wed, 18 Sep 2024 14:07:10 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 3610F34955;
	Wed, 18 Sep 2024 14:07:18 +0200 (CEST)
From: Gabriel Goller <g.goller@proxmox.com>
To: pbs-devel@lists.proxmox.com
Date: Wed, 18 Sep 2024 14:06:40 +0200
Message-Id: <20240918120641.308844-1-g.goller@proxmox.com>
X-Mailer: git-send-email 2.39.5
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.043 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [proxmox.com, letsencrypt.org, certificates.rs, node.rs]
Subject: [pbs-devel] [PATCH proxmox-backup v2] config: check if acme domain
 with wildcard uses dns challenge
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox Backup Server development discussion
 <pbs-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pbs-devel-bounces@lists.proxmox.com
Sender: "pbs-devel" <pbs-devel-bounces@lists.proxmox.com>

As already mentioned in our docs [0], wildcard domains are only
supported when the dns-challenge is used. If the dns-challenge is not
used, throw an error.

[0]: https://pbs.proxmox.com/docs/sysadmin.html#wildcard-certificates

Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
---

v2, thanks @Christian:
 - fixed configuration matching with wildcard
 - adjusted error message

 src/api2/node/certificates.rs | 18 +++++++++++++++---
 src/config/node.rs            | 10 ++++++++++
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/src/api2/node/certificates.rs b/src/api2/node/certificates.rs
index 61ef910e47a7..4b2952feb8bd 100644
--- a/src/api2/node/certificates.rs
+++ b/src/api2/node/certificates.rs
@@ -294,10 +294,22 @@ async fn order_certificate(
         },
     )?;
 
-    let get_domain_config = |domain: &str| {
+    let get_domain_config = |domain: &str, wildcard: bool| {
         domains
             .iter()
-            .find(|d| d.domain == domain)
+            .find(|d| {
+                if !wildcard {
+                    // fast-path, no matching required
+                    d.domain == domain
+                } else {
+                    // https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
+                    // DNS names in certificates may only have a single wildcard character, and it must
+                    // be the entire leftmost DNS label, f.e. *.example.com
+                    d.domain
+                        .strip_prefix("*.")
+                        .map_or(false, |stripped| domain == stripped)
+                }
+            })
             .ok_or_else(|| format_err!("no config for domain '{}'", domain))
     };
 
@@ -339,7 +351,7 @@ async fn order_certificate(
         }
 
         info!("The validation for {domain} is pending");
-        let domain_config: &AcmeDomain = get_domain_config(&domain)?;
+        let domain_config: &AcmeDomain = get_domain_config(&domain, auth.wildcard)?;
         let plugin_id = domain_config.plugin.as_deref().unwrap_or("standalone");
         let mut plugin_cfg = crate::acme::get_acme_plugin(&plugins, plugin_id)?
             .ok_or_else(|| format_err!("plugin '{plugin_id}' for domain '{domain}' not found!"))?;
diff --git a/src/config/node.rs b/src/config/node.rs
index 937beb3a125c..59faf3576b8a 100644
--- a/src/config/node.rs
+++ b/src/config/node.rs
@@ -272,6 +272,16 @@ impl NodeConfig {
             if !domains.insert(domain.domain.to_lowercase()) {
                 bail!("duplicate domain '{}' in ACME config", domain.domain);
             }
+            if domain.domain.contains('*')
+                && domain.plugin.map_or(true, |value| {
+                    value.as_str() == "" || value.as_str() == "standalone"
+                })
+            {
+                bail!(
+                    "wildcard domains like '{}' are not usable with the HTTP challenge type",
+                    domain.domain
+                );
+            }
         }
         let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
         if let Some(ciphers) = self.ciphers_tls_1_3.as_deref() {
-- 
2.39.5



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel