* Re: [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation
@ 2021-04-16 8:14 Wolfgang Bumiller
0 siblings, 0 replies; 2+ messages in thread
From: Wolfgang Bumiller @ 2021-04-16 8:14 UTC (permalink / raw)
To: Stoiko Ivanov, pmg-devel
took me a bit to "tune" back into "no, it autovivifies,
and no, it won't "panic!()" when indexing with a wrong value
(the deliberate empty string)"
but hey, that's just perl ;-)
lgtm 👍
> On 04/15/2021 9:46 PM Stoiko Ivanov <s.ivanov@proxmox.com> wrote:
>
>
> Wildcard DNS names (*.domain.example) are validated through their
> base-domain (domain.example) according to the ACME RFC [0].
>
> We store the indirection while parsing the acme config, and check for
> an extra validation target during ordering.
>
> This makes it possible to order wildcard certificates which are not
> valid for the base-domain.
>
> [0] https://tools.ietf.org/html/rfc8555#section-7.1.3
>
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> v2->v3:
> * add indirection
> src/PMG/API2/Certificates.pm | 5 +++++
> src/PMG/NodeConfig.pm | 6 ++++++
> 2 files changed, 11 insertions(+)
>
> diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
> index c08deb6..351d1c5 100644
> --- a/src/PMG/API2/Certificates.pm
> +++ b/src/PMG/API2/Certificates.pm
> @@ -359,6 +359,11 @@ my $order_certificate = sub {
> print "The validation for $domain is pending!\n";
>
> my $domain_config = $acme_node_config->{domains}->{$domain};
> + if (!defined($domain_config)) {
> + # wildcard domains are validated through the basedomain
> + my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
> + $domain_config = $acme_node_config->{domains}->{$vtarget};
> + }
> die "no config for domain '$domain'\n" if !$domain_config;
>
> my $plugin_id = $domain_config->{plugin};
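Review bot: the `// ''` default on the `validationtarget` lookup only works because no name is ever configured under the empty string, so a miss turns into a silent lookup of `$acme_node_config->{domains}->{''}`; testing the target directly reads clearer and drops the empty-key trick, e.g. `if (my $vtarget = $acme_node_config->{validationtarget}->{$domain}) { $domain_config = $acme_node_config->{domains}->{$vtarget}; }`. The new guard also tests `!defined($domain_config)` while the `die` on the next line tests `!$domain_config`; using one form for both avoids the question of what a defined-but-false config would mean.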
> diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
> index 6472a9d..5f96e62 100644
> --- a/src/PMG/NodeConfig.pm
> +++ b/src/PMG/NodeConfig.pm
> @@ -216,6 +216,12 @@ sub get_acme_conf {
> if !$plugins->{ids}->{$plugin_id};
> }
>
> + # validation for wildcard domain names happens on the domain w/o
> + # wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
> + if ($domain =~ /^\*\.(.*)$/ ) {
> + $res->{validationtarget}->{$1} = $domain;
> + }
> +
> $parsed->{_configkey} = "acmedomain$index";
> $res->{domains}->{$domain} = $parsed;
> }
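Review bot: the capture in `/^\*\.(.*)$/` accepts anything after the leading `*.`, so `*.` alone records an empty base and `*.*.domain.example` records `*.domain.example` as the name validated through it, neither of which matches the single-`*.`-plus-domain-name form the cited RFC 8555 section 7.1.3 defines; if the domain format already rejects these inputs, a comment saying so would help, otherwise tighten the capture to exclude `*` and the empty string, e.g. `/^\*\.([^*]+)$/`.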
> --
> 2.20.1
^ permalink raw reply [flat|nested] 2+ messages in thread
* [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3]
@ 2021-04-15 19:46 Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation Stoiko Ivanov
0 siblings, 1 reply; 2+ messages in thread
From: Stoiko Ivanov @ 2021-04-15 19:46 UTC (permalink / raw)
To: pmg-devel
v2->v3:
* incorporated Thomas' excellent feedback (especially that part of wildcard-certs
without the base-domain being added actually working despite my theoretical
guess that it would not :) )
* added a check that a wildcard cert needs a DNS plugin during node-config parsing and writing
original cover-letter for v2:
v1->v2:
* read up on the requirements and inferred from [0], a few HOWTOs and the
response from the LE staging directory that:
```
Orders that contain both a base domain and its wildcard equivalent (...) are
valid.
```
means that only such orders are valid (hence the requirement for the base
name in addition to the wildcard name)
* added a short stanza to pmg-docs describing the requirements
* added a patch for pwt to allow '*.' as prefix for domains in ACMEDomains
[0] https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
pmg-api:
Stoiko Ivanov (3):
acme: handle wildcard dns validation
acme: check plugin for wildcard certificates
nodeconfig: parse acme config before writing
src/PMG/API2/Certificates.pm | 5 +++++
src/PMG/NodeConfig.pm | 14 +++++++++++++-
2 files changed, 18 insertions(+), 1 deletion(-)
proxmox-widget-toolkit:
Stoiko Ivanov (1):
acme: allow wildcards as domain
src/Toolkit.js | 5 +++++
src/Utils.js | 1 +
src/window/ACMEDomains.js | 2 +-
3 files changed, 7 insertions(+), 1 deletion(-)
pmg-docs:
Stoiko Ivanov (1):
certs: add wildcard certificate support
pmg-ssl-certificate.adoc | 12 ++++++++++++
1 file changed, 12 insertions(+)
--
2.20.1
* [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation
2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
@ 2021-04-15 19:46 ` Stoiko Ivanov
0 siblings, 0 replies; 2+ messages in thread
From: Stoiko Ivanov @ 2021-04-15 19:46 UTC (permalink / raw)
To: pmg-devel
Wildcard DNS names (*.domain.example) are validated through their
base-domain (domain.example) according to the ACME RFC [0].
We store the indirection while parsing the acme config, and check for
an extra validation target during ordering.
This makes it possible to order wildcard certificates which are not
valid for the base-domain.
[0] https://tools.ietf.org/html/rfc8555#section-7.1.3
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
v2->v3:
* add indirection
src/PMG/API2/Certificates.pm | 5 +++++
src/PMG/NodeConfig.pm | 6 ++++++
2 files changed, 11 insertions(+)
diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
index c08deb6..351d1c5 100644
--- a/src/PMG/API2/Certificates.pm
+++ b/src/PMG/API2/Certificates.pm
@@ -359,6 +359,11 @@ my $order_certificate = sub {
print "The validation for $domain is pending!\n";
my $domain_config = $acme_node_config->{domains}->{$domain};
+ if (!defined($domain_config)) {
+ # wildcard domains are validated through the basedomain
+ my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
+ $domain_config = $acme_node_config->{domains}->{$vtarget};
+ }
die "no config for domain '$domain'\n" if !$domain_config;
my $plugin_id = $domain_config->{plugin};
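Review bot: the lookup is keyed only on the name, so when both `domain.example` and `*.domain.example` are configured with different plugins, the pending authorization for the wildcard (whose identifier is the base name, per the RFC 8555 section 7.1.3 reference in the commit message) resolves to the base domain's entry and never reaches the indirection; as the cover letter states that a wildcard cert needs a DNS plugin, that selects the wrong plugin for the wildcard authorization whenever the base uses a different one. Either document that base and wildcard must share a plugin, or consult the authorization's RFC 8555 `wildcard` field before the direct `domains` lookup. Also, `die "no config for domain '$domain'\n"` now covers both an unconfigured name and a failed indirection; including `$vtarget` in the message when it is set makes the second case diagnosable.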
diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
index 6472a9d..5f96e62 100644
--- a/src/PMG/NodeConfig.pm
+++ b/src/PMG/NodeConfig.pm
@@ -216,6 +216,12 @@ sub get_acme_conf {
if !$plugins->{ids}->{$plugin_id};
}
+ # validation for wildcard domain names happens on the domain w/o
+ # wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
+ if ($domain =~ /^\*\.(.*)$/ ) {
+ $res->{validationtarget}->{$1} = $domain;
+ }
+
$parsed->{_configkey} = "acmedomain$index";
$res->{domains}->{$domain} = $parsed;
}
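Review bot: `$res->{validationtarget}->{$1} = $domain` is a one-to-one map, so a second wildcard entry for the same base silently replaces the first, and nothing in this block ties a wildcard to a DNS plugin even though the plugin existence check sits directly above it; the cover letter puts that check in 2/3, so a short pointer in the comment, or moving the check next to this block where the wildcard is first recognised, would keep the two together. The comment should also say that the ordering code falls back through this map only when the base name has no `domains` entry of its own, since that is the case the map exists for.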
--
2.20.1
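The base-domain indirection described in the commit message, modelled in Python as an added example; this is not pmg-api code (which is Perl). Assumed for the example: config entries are (domain, plugin id) tuples, the plugin table is a dict of plugin id to a record with a `type` key, and an authorization is identified by its dns identifier value plus the RFC 8555 `wildcard` flag. With `wildcard` left at its default the lookup follows the patch exactly (direct hit, then the validation-target map); the flag goes beyond the patch to show how the authorization's own `wildcard` field separates the base domain's authorization from the wildcard's when both names are configured.

```python
"""Wildcard -> base-domain indirection for ACME validation, modelled in Python.

Added example, not pmg-api code (which is Perl).  Assumed for the example:
config entries are (domain, plugin_id) tuples, plugins is a dict
plugin_id -> {"type": ...}, and authorizations are identified by the dns
identifier value plus the RFC 8555 "wildcard" flag.
"""
import re
from dataclasses import dataclass, field

# RFC 8555 section 7.1.3: a wildcard name is a single "*." followed by a
# domain name.  Unlike the patch's /^\*\.(.*)$/ this rejects an empty base
# and a second "*." inside the base.
WILDCARD_RE = re.compile(r"^\*\.([a-z0-9-]+(?:\.[a-z0-9-]+)*)$", re.IGNORECASE)


@dataclass
class AcmeConfig:
    # domain name -> parsed entry (plugin id and config key)
    domains: dict = field(default_factory=dict)
    # base domain -> wildcard name that is validated through it
    validationtarget: dict = field(default_factory=dict)


def parse_acme_conf(entries, plugins):
    """Build the two maps the patch fills in get_acme_conf()."""
    res = AcmeConfig()
    for index, (domain, plugin_id) in enumerate(entries):
        if plugin_id not in plugins:
            raise ValueError(f"plugin '{plugin_id}' for domain '{domain}' not found")
        if domain.startswith("*"):
            m = WILDCARD_RE.match(domain)
            if not m:
                raise ValueError(f"invalid wildcard domain '{domain}'")
            # a wildcard can only be validated by a DNS plugin (cover letter, 2/3)
            if plugins[plugin_id].get("type") != "dns":
                raise ValueError(f"wildcard '{domain}' needs a DNS plugin")
            # the CA authorizes the base name, so remember base -> wildcard
            res.validationtarget[m.group(1)] = domain
        res.domains[domain] = {"plugin": plugin_id, "_configkey": f"acmedomain{index}"}
    return res


def domain_config_for_auth(conf, identifier, wildcard=False):
    """Resolve the plugin config for one pending authorization.

    identifier is the dns identifier value of the authorization; for a
    wildcard order that is the base domain (RFC 8555 section 7.1.3).
    With wildcard=False this is the patch's lookup: direct hit first, then
    the validation-target indirection.  With wildcard=True the direct hit
    is skipped, so a base domain configured with its own (non-DNS) plugin
    does not capture the wildcard's authorization.
    """
    cfg = None
    if not wildcard:
        cfg = conf.domains.get(identifier)
    if cfg is None:
        # wildcard domains are validated through the base domain
        target = conf.validationtarget.get(identifier)
        if target is not None:
            cfg = conf.domains.get(target)
    if cfg is None:
        raise LookupError(f"no config for domain '{identifier}'")
    return cfg


# constructed sample data (assumed plugin table shape) for the usage below
PLUGINS = {"dns1": {"type": "dns"}, "standalone": {"type": "standalone"}}


def example_conf():
    """Base domain on a standalone plugin, its wildcard on the DNS plugin."""
    return parse_acme_conf(
        [("example.test", "standalone"), ("*.example.test", "dns1")], PLUGINS
    )


if __name__ == "__main__":
    conf = example_conf()
    print(conf.validationtarget)                                   # {'example.test': '*.example.test'}
    print(domain_config_for_auth(conf, "example.test")["plugin"])  # standalone (patch behaviour)
    print(domain_config_for_auth(conf, "example.test", wildcard=True)["plugin"])  # dns1
```

The `wildcard=True` path is the part the patch does not have: with both names configured, the patch-style lookup returns the base domain's plugin for every authorization named `example.test`, while consulting the flag returns the DNS plugin for the wildcard's authorization.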