public inbox for pmg-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* Re: [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation
@ 2021-04-16  8:14 Wolfgang Bumiller
  0 siblings, 0 replies; 2+ messages in thread
From: Wolfgang Bumiller @ 2021-04-16  8:14 UTC (permalink / raw)
  To: Stoiko Ivanov, pmg-devel

took me a bit to "tune" back into "no, it autovivifies,
and no, it won't "panic!()" when indexing with a wrong value
(the deliberate empty string)"
but hey, that's just perl ;-)

lgtm 👍

> On 04/15/2021 9:46 PM Stoiko Ivanov <s.ivanov@proxmox.com> wrote:
> 
>  
> Wildcard DNS names (*.domain.example) are validated through their
> base-domain (domain.example) according to the ACME RFC [0].
> 
> We store the indirection while parsing the acme config, and check for
> an extra validation target during ordering.
> 
> This makes it possible to order wildcard certificates which are not
> valid for the base-domain.
> 
> [0] https://tools.ietf.org/html/rfc8555#section-7.1.3
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> v2->v3:
> * add indirection
>  src/PMG/API2/Certificates.pm | 5 +++++
>  src/PMG/NodeConfig.pm        | 6 ++++++
>  2 files changed, 11 insertions(+)
> 
> diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
> index c08deb6..351d1c5 100644
> --- a/src/PMG/API2/Certificates.pm
> +++ b/src/PMG/API2/Certificates.pm
> @@ -359,6 +359,11 @@ my $order_certificate = sub {
>  	    print "The validation for $domain is pending!\n";
>  
>  	    my $domain_config = $acme_node_config->{domains}->{$domain};
> +	    if (!defined($domain_config)) {
> +		# wildcard domains are validated through the basedomain
> +		my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
> +		$domain_config = $acme_node_config->{domains}->{$vtarget};
> +	    }
>  	    die "no config for domain '$domain'\n" if !$domain_config;
>  
>  	    my $plugin_id = $domain_config->{plugin};
> diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
> index 6472a9d..5f96e62 100644
> --- a/src/PMG/NodeConfig.pm
> +++ b/src/PMG/NodeConfig.pm
> @@ -216,6 +216,12 @@ sub get_acme_conf {
>  		if !$plugins->{ids}->{$plugin_id};
>  	}
>  
> +	# validation for wildcard domain names happens on the domain w/o
> +	# wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
> +	if ($domain =~ /^\*\.(.*)$/ ) {
> +	    $res->{validationtarget}->{$1} = $domain;
> +	}
> +
>  	$parsed->{_configkey} = "acmedomain$index";
>  	$res->{domains}->{$domain} = $parsed;
>      }
> -- 
> 2.20.1




^ permalink raw reply	[flat|nested] 2+ messages in thread
* [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3]
@ 2021-04-15 19:46 Stoiko Ivanov
  2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation Stoiko Ivanov
  0 siblings, 1 reply; 2+ messages in thread
From: Stoiko Ivanov @ 2021-04-15 19:46 UTC (permalink / raw)
  To: pmg-devel

v2->v3:
* incorporated Thomas' excellent feedback (especially that part of wildcard-certs
  without the base-domain being added actually working despite my theoretical
  guess that it would not :)
* added a check for wildcardcert needs DNS plugin during node-config parsing and writing

original cover-letter for v2:
v1->v2:
* reaad up on the requirements and infered from [0], a few HOWTOs and the
response from the LE staging directory that:
```
Orders that contain both a base domain and its wildcard equivalent (...) are
valid.
```
means that only such orders are valid (hence the requirement for the base
name in addition to the wildcard name
* added a short stanza to pmg-docs describing the requirements
* added a patch for pwt to allow '*.' as prefix for domains in ACMEDomains


[0] https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

pmg-api:
Stoiko Ivanov (3):
  acme: handle wildcard dns validation
  acme: check plugin for wildcard certificates
  nodeconfig: parse acme config before writing

 src/PMG/API2/Certificates.pm |  5 +++++
 src/PMG/NodeConfig.pm        | 14 +++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

promox-widget-toolkit:
Stoiko Ivanov (1):
  acme: allow wildcards as domain

 src/Toolkit.js            | 5 +++++
 src/Utils.js              | 1 +
 src/window/ACMEDomains.js | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)

pmg-docs:
Stoiko Ivanov (1):
  certs: add wildcard certificate support

 pmg-ssl-certificate.adoc | 12 ++++++++++++
 1 file changed, 12 insertions(+)

-- 
2.20.1





^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-04-16  8:15 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-16  8:14 [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation Wolfgang Bumiller
  -- strict thread matches above, loose matches on Subject: below --
2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation Stoiko Ivanov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal