From: Wolfgang Bumiller
To: Stoiko Ivanov, pmg-devel@lists.proxmox.com
Date: Fri, 16 Apr 2021 10:14:45 +0200 (CEST)
Message-ID: <1847872893.3417.1618560885557@webmail.proxmox.com>
Subject: Re: [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation
List-Id: Proxmox Mail Gateway development discussion

Took me a bit to "tune" back into "no, it autovivifies, and no, it won't "panic!()" when indexing with a wrong value (the deliberate empty string)" but hey, that's just perl ;-) lgtm 👍

> On 04/15/2021 9:46 PM Stoiko Ivanov wrote:
>
>
> Wildcard DNS names (*.domain.example) are validated through their
> base-domain (domain.example) according to the ACME RFC [0].
>
> We store the indirection while parsing the acme config, and check for
> an extra validation target during ordering.
>
> This makes it possible to order wildcard certificates which are not
> valid for the base-domain.
>
> [0] https://tools.ietf.org/html/rfc8555#section-7.1.3
>
> Signed-off-by: Stoiko Ivanov
> ---
> v2->v3:
> * add indirection
> src/PMG/API2/Certificates.pm | 5 +++++
> src/PMG/NodeConfig.pm | 6 ++++++
> 2 files changed, 11 insertions(+)
>
> diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
> index c08deb6..351d1c5 100644
> --- a/src/PMG/API2/Certificates.pm
> +++ b/src/PMG/API2/Certificates.pm
> @@ -359,6 +359,11 @@ my $order_certificate =3D sub { > =09 print "The validation for $domain is pending!\n"; > =20 > =09 my $domain_config =3D $acme_node_config->{domains}->{$domain}; > +=09 if (!defined($domain_config)) { > +=09=09# wildcard domains are validated through the basedomain > +=09=09my $vtarget =3D $acme_node_config->{validationtarget}->{$domain} /= / ''; > +=09=09$domain_config =3D $acme_node_config->{domains}->{$vtarget}; > +=09 } > =09 die "no config for domain '$domain'\n" if !$domain_config; > =20 > =09 my $plugin_id =3D $domain_config->{plugin}; > diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm > index 6472a9d..5f96e62 100644 > --- a/src/PMG/NodeConfig.pm > +++ b/src/PMG/NodeConfig.pm > @@ -216,6 +216,12 @@ sub get_acme_conf { > =09=09if !$plugins->{ids}->{$plugin_id}; > =09} > =20 > +=09# validation for wildcard domain names happens on the domain w/o > +=09# wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3 > +=09if ($domain =3D~ /^\*\.(.*)$/ ) { > +=09 $res->{validationtarget}->{$1} =3D $domain; > +=09} > + > =09$parsed->{_configkey} =3D "acmedomain$index"; > =09$res->{domains}->{$domain} =3D $parsed; > } > --=20 > 2.20.1
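Review bot: in the Certificates.pm hunk, the `// ''` fallback relies on `$acme_node_config->{domains}->{''}` yielding undef so that the existing `die "no config for domain '$domain'\n"` fires; checking the lookup result directly would state the intent and avoid the empty-string key, e.g. `my $vtarget = $acme_node_config->{validationtarget}->{$domain};` followed by `$domain_config = $acme_node_config->{domains}->{$vtarget} if defined($vtarget);`. The lookup also autovivifies `$acme_node_config->{validationtarget}` on configs that contain no wildcard entry, a harmless but unnecessary side effect on the parsed config. Finally, the fallback only runs when no config exists for the base domain: if both `domain.example` and `*.domain.example` are configured, the wildcard authorization (reported by the CA under the base domain, as the commit message explains) is validated with the base-domain entry's `plugin`, silently ignoring the wildcard entry's own plugin setting; a comment, or a check that the two agree, would help.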
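Review bot: in the NodeConfig.pm hunk, the regex `/^\*\.(.*)$/` accepts any remainder, including an empty one or further `*` labels, so a domain value such as `*.` would register an empty-string key in `validationtarget`; unless the domain format is validated earlier in `get_acme_conf`, `(.+)` plus a check that the captured base domain contains no `*` would be safer. The comment also describes the mapping the other way round from how it is stored: the key is the base domain (the identifier the CA validates) and the value is the configured wildcard name, so a short note such as `# base domain => configured wildcard entry` next to `$res->{validationtarget}->{$1} = $domain;` would save the reader of `$order_certificate` a lookup. Minor: stray space before `)` in `if ($domain =~ /^\*\.(.*)$/ )`.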