From: Christian Ebner <c.ebner@proxmox.com>
To: Proxmox Backup Server development discussion
<pbs-devel@lists.proxmox.com>,
Gabriel Goller <g.goller@proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox-backup] config: check if acme domain with wildcard uses dns challenge
Date: Wed, 18 Sep 2024 10:43:05 +0200 [thread overview]
Message-ID: <e0ddcdc2-7f82-4668-a1f7-4a04f7410f95@proxmox.com> (raw)
In-Reply-To: <20240917094704.168668-1-g.goller@proxmox.com>
Tried to generate a wildcard certificate using the cloudflare DNS plugin
with these patches applied.
Unfortunately this fails with an error (domain obfuscated, but its the
domain without the "*." prefix):
```
TASK ERROR: no config for domain 'mydomain'
```
So it seem there still is an issue when retrieving the domain from the
config here:
https://git.proxmox.com/?p=proxmox-backup.git;a=blob;f=src/api2/node/certificates.rs;h=61ef910e47a71a005064d2b1e99d3d97b0d43f51;hb=HEAD#l342
Also, nit inline.
On 9/17/24 11:47, Gabriel Goller wrote:
> As already mentioned in our docs [0], wildcard domains are only
> supported when the dns-challenge is used. If the dns-challenge is not
> used, throw an error.
>
> [0]: https://pbs.proxmox.com/docs/sysadmin.html#wildcard-certificates
>
> Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
> ---
> src/config/node.rs | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/src/config/node.rs b/src/config/node.rs
> index 937beb3a125c..80a503635344 100644
> --- a/src/config/node.rs
> +++ b/src/config/node.rs
> @@ -272,6 +272,16 @@ impl NodeConfig {
> if !domains.insert(domain.domain.to_lowercase()) {
> bail!("duplicate domain '{}' in ACME config", domain.domain);
> }
> + if domain.domain.contains('*')
> + && domain.plugin.map_or(true, |value| {
> + value.as_str() == "" || value.as_str() == "standalone"
> + })
> + {
> + bail!(
> + "wildcard domains like '{}' are only usable with the DNS challenge type",
nit: Above checks for standalone HTTP challenge, so instead of stating
that the wildcard is only usable with DNS challenges, I think it would
be better to state that it is not usable with the HTTP challenge instead.
> + domain.domain
> + );
> + }
> }
> let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
> if let Some(ciphers) = self.ciphers_tls_1_3.as_deref() {
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
next prev parent reply other threads:[~2024-09-18 8:43 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-17 9:47 Gabriel Goller
2024-09-17 9:47 ` [pbs-devel] [PATCH] schema: add regex for dns domains with wildcard Gabriel Goller
2024-09-18 8:43 ` Christian Ebner [this message]
2024-09-18 9:19 ` [pbs-devel] [PATCH proxmox-backup] config: check if acme domain with wildcard uses dns challenge Christian Ebner
2024-09-18 12:03 ` Gabriel Goller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e0ddcdc2-7f82-4668-a1f7-4a04f7410f95@proxmox.com \
--to=c.ebner@proxmox.com \
--cc=g.goller@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.