public inbox for pmg-devel@lists.proxmox.com
* Re: [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation
@ 2021-04-16  8:14 Wolfgang Bumiller
From: Wolfgang Bumiller @ 2021-04-16  8:14 UTC (permalink / raw)
  To: Stoiko Ivanov, pmg-devel

took me a bit to "tune" back into "no, it autovivifies,
and no, it won't "panic!()" when indexing with a wrong value
(the deliberate empty string)"
but hey, that's just perl ;-)

lgtm 👍

> On 04/15/2021 9:46 PM Stoiko Ivanov <s.ivanov@proxmox.com> wrote:
> 
>  
> Wildcard DNS names (*.domain.example) are validated through their
> base-domain (domain.example) according to the ACME RFC [0].
> 
> We store the indirection while parsing the acme config, and check for
> an extra validation target during ordering.
> 
> This makes it possible to order wildcard certificates which are not
> valid for the base-domain.
> 
> [0] https://tools.ietf.org/html/rfc8555#section-7.1.3
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> v2->v3:
> * add indirection
>  src/PMG/API2/Certificates.pm | 5 +++++
>  src/PMG/NodeConfig.pm        | 6 ++++++
>  2 files changed, 11 insertions(+)
> 
> diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
> index c08deb6..351d1c5 100644
> --- a/src/PMG/API2/Certificates.pm
> +++ b/src/PMG/API2/Certificates.pm
> @@ -359,6 +359,11 @@ my $order_certificate = sub {
>  	    print "The validation for $domain is pending!\n";
>  
>  	    my $domain_config = $acme_node_config->{domains}->{$domain};
> +	    if (!defined($domain_config)) {
> +		# wildcard domains are validated through the basedomain
> +		my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
> +		$domain_config = $acme_node_config->{domains}->{$vtarget};
> +	    }
>  	    die "no config for domain '$domain'\n" if !$domain_config;
>  
>  	    my $plugin_id = $domain_config->{plugin};
> diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
> index 6472a9d..5f96e62 100644
> --- a/src/PMG/NodeConfig.pm
> +++ b/src/PMG/NodeConfig.pm
> @@ -216,6 +216,12 @@ sub get_acme_conf {
>  		if !$plugins->{ids}->{$plugin_id};
>  	}
>  
> +	# validation for wildcard domain names happens on the domain w/o
> +	# wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
> +	if ($domain =~ /^\*\.(.*)$/ ) {
> +	    $res->{validationtarget}->{$1} = $domain;
> +	}
> +
>  	$parsed->{_configkey} = "acmedomain$index";
>  	$res->{domains}->{$domain} = $parsed;
>      }
> -- 
> 2.20.1


* [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation
  2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
@ 2021-04-15 19:46 ` Stoiko Ivanov
From: Stoiko Ivanov @ 2021-04-15 19:46 UTC (permalink / raw)
  To: pmg-devel

Wildcard DNS names (*.domain.example) are validated through their
base-domain (domain.example) according to the ACME RFC [0].

We store the indirection while parsing the acme config, and check for
an extra validation target during ordering.

This makes it possible to order wildcard certificates which are not
valid for the base-domain.

[0] https://tools.ietf.org/html/rfc8555#section-7.1.3

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
v2->v3:
* add indirection
 src/PMG/API2/Certificates.pm | 5 +++++
 src/PMG/NodeConfig.pm        | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
index c08deb6..351d1c5 100644
--- a/src/PMG/API2/Certificates.pm
+++ b/src/PMG/API2/Certificates.pm
@@ -359,6 +359,11 @@ my $order_certificate = sub {
 	    print "The validation for $domain is pending!\n";
 
 	    my $domain_config = $acme_node_config->{domains}->{$domain};
+	    if (!defined($domain_config)) {
+		# wildcard domains are validated through the basedomain
+		my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
+		$domain_config = $acme_node_config->{domains}->{$vtarget};
+	    }
 	    die "no config for domain '$domain'\n" if !$domain_config;
 
 	    my $plugin_id = $domain_config->{plugin};
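Review bot: the `// ''` fallback on the `$vtarget` lookup means that for any `$domain` without a wildcard mapping the next line indexes `{domains}` with an empty-string key and then depends on the following `die "no config for domain '$domain'\n"` to report the problem; testing the lookup directly, e.g. `if (my $vtarget = $acme_node_config->{validationtarget}->{$domain}) { $domain_config = $acme_node_config->{domains}->{$vtarget}; }`, avoids the empty-string key and keeps the error path explicit. Reading `$acme_node_config->{validationtarget}->{$domain}` also autovivifies the `validationtarget` hash on configs that have no wildcard entry at all; harmless for this read-only path, but a short comment would save the next reader the same double-take, and the die message could mention that the domain was also checked as a wildcard validation target so an operator understands why a base domain they never configured is being validated.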
diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
index 6472a9d..5f96e62 100644
--- a/src/PMG/NodeConfig.pm
+++ b/src/PMG/NodeConfig.pm
@@ -216,6 +216,12 @@ sub get_acme_conf {
 		if !$plugins->{ids}->{$plugin_id};
 	}
 
+	# validation for wildcard domain names happens on the domain w/o
+	# wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
+	if ($domain =~ /^\*\.(.*)$/ ) {
+	    $res->{validationtarget}->{$1} = $domain;
+	}
+
 	$parsed->{_configkey} = "acmedomain$index";
 	$res->{domains}->{$domain} = $parsed;
     }
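Review bot: the capture in `/^\*\.(.*)$/` accepts anything after the leading `*.`, so `*.` records an empty base domain and `*.*.domain.example` records `*.domain.example` as its validation target; unless the domain schema already rejects these forms, tighten the pattern to a single wildcard label, e.g. `/^\*\.([^*\s]+)$/`, and reject the entry otherwise rather than storing a mapping that can never validate. The mapping is keyed by the base domain, so when `domain.example` is also configured as its own entry the explicit config wins in `$order_certificate` (the `if (!defined($domain_config))` check) and this entry is silently unused; stating that precedence in the comment above the `if` would help.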
-- 
2.20.1