* [pmg-devel] [PATCH pmg-api/pmg-docs/proxmox-widget-toolkit v2 0/1] allow wildcard DNS-names for ACME
@ 2021-04-12 19:28 Stoiko Ivanov
From: Stoiko Ivanov @ 2021-04-12 19:28 UTC (permalink / raw)
To: pmg-devel
v1->v2:
* read up on the requirements and inferred from [0], a few HOWTOs and the
response from the LE staging directory that:
```
Orders that contain both a base domain and its wildcard equivalent (...) are
valid.
```
means that only such orders are valid (hence the requirement for the base
name in addition to the wildcard name)
* added a short stanza to pmg-docs describing the requirements
* added a patch for pwt to allow '*.' as prefix for domains in ACMEDomains
[0] https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
pmg-api:
Stoiko Ivanov (1):
acme: allow wildcard domain entries
src/PMG/CertHelpers.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
pmg-docs:
Stoiko Ivanov (1):
certs: add wildcard certificate support
pmg-ssl-certificate.adoc | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
proxmox-widget-toolkit:
Stoiko Ivanov (1):
acme: allow wildcards as domain
src/Toolkit.js | 5 +++++
src/Utils.js | 1 +
src/window/ACMEDomains.js | 2 +-
3 files changed, 7 insertions(+), 1 deletion(-)
--
2.20.1
* [pmg-devel] [PATCH pmg-api v2 1/1] acme: allow wildcard domain entries
From: Stoiko Ivanov @ 2021-04-12 19:28 UTC (permalink / raw)
To: pmg-devel
Reported in our community forum [0], support for wildcard certificates
via ACME sounds like a good enhancement (especially for PMG).
In order for this to work you need to configure both:
* the wild-card subentry (*.domain.example)
* the base entry (domain.example)
as ACME domains (and be able to verify both of them via DNS Plugin).
This is best described in the announcement by Let's Encrypt announcing
wildcard certificate support [1].
Quickly tested with a domain of mine (and the powerdns plugin).
[0] https://forum.proxmox.com/threads/feature-request-add-wildcard-support-for-acme.87495/
[1] https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/PMG/CertHelpers.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PMG/CertHelpers.pm b/src/PMG/CertHelpers.pm
index 5122f71..b7e79b7 100644
--- a/src/PMG/CertHelpers.pm
+++ b/src/PMG/CertHelpers.pm
@@ -57,7 +57,7 @@ PVE::JSONSchema::register_format('pmg-acme-domain', sub {
my $label = qr/[a-z0-9][a-z0-9_-]*/i;
- return $domain if $domain =~ /^$label(?:\.$label)+$/;
+ return $domain if $domain =~ /^(?:\*\.)?$label(?:\.$label)+$/;
return undef if $noerr;
die "value '$domain' does not look like a valid domain name!\n";
});
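Review bot: the commit message's claim that the base domain has to be configured alongside the wildcard is not a requirement of RFC 8555 section 7.1.3 (a `dns` identifier in a newOrder request may be a wildcard name on its own), so the message should not present it as one. The regex change itself looks right: `^(?:\*\.)?$label(?:\.$label)+$` admits `*.` only as the leftmost label and, because `(?:\.$label)+` still demands at least two labels after it, rejects a wildcard on a bare TLD such as `*.example`. Since a wildcard identifier can only be validated via dns-01, consider also rejecting a `*.` entry whose configured plugin is not a DNS plugin at this layer, so the failure surfaces at config time rather than when the CA refuses the order.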
--
2.20.1
* [pmg-devel] [PATCH v2 proxmox-widget-toolkit 1/1] acme: allow wildcards as domain
From: Stoiko Ivanov @ 2021-04-12 19:28 UTC (permalink / raw)
To: pmg-devel
allow wildcard dns-names as defined in [0,1] (only the prefix '*.' in
front of a valid dns-name) as domain.
[0] https://tools.ietf.org/html/rfc8555#section-7.1.3
[1] https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/Toolkit.js | 5 +++++
src/Utils.js | 1 +
src/window/ACMEDomains.js | 2 +-
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/Toolkit.js b/src/Toolkit.js
index b011c38..56dcee8 100644
--- a/src/Toolkit.js
+++ b/src/Toolkit.js
@@ -131,6 +131,11 @@ Ext.apply(Ext.form.field.VTypes, {
},
DnsNameText: gettext('This is not a valid DNS name'),
+ DnsNameOrWildcard: function(v) {
+ return Proxmox.Utils.DnsName_or_Wildcard_match.test(v);
+ },
+ DnsNameOrWildcardText: gettext('This is not a valid DNS name'),
+
// workaround for https://www.sencha.com/forum/showthread.php?302150
proxmoxMail: function(v) {
return (/^(\w+)([-+.][\w]+)*@(\w[-\w]*\.){1,5}([A-Za-z]){2,63}$/).test(v);
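Review bot: `DnsNameOrWildcardText` reuses the plain `DnsName` error text, so a user whose input fails because of a misplaced `*` (for example `foo.*.example`) is told it is not a valid DNS name with no hint that only a leading `*.` is accepted; suggest a dedicated string such as gettext('This is not a valid DNS name or wildcard DNS name'). Otherwise the new vtype mirrors the existing `DnsName` one and delegates to `Proxmox.Utils.DnsName_or_Wildcard_match`, which is consistent with how the other vtypes in this block are built.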
diff --git a/src/Utils.js b/src/Utils.js
index 3fd8f91..4b53238 100644
--- a/src/Utils.js
+++ b/src/Utils.js
@@ -1041,6 +1041,7 @@ utilities: {
let DnsName_REGEXP = "(?:(?:(?:[a-zA-Z0-9](?:[a-zA-Z0-9\\-]*[a-zA-Z0-9])?)\\.)*(?:[A-Za-z0-9](?:[A-Za-z0-9\\-]*[A-Za-z0-9])?))";
me.DnsName_match = new RegExp("^" + DnsName_REGEXP + "$");
+ me.DnsName_or_Wildcard_match = new RegExp("^(?:\\*\\.)?" + DnsName_REGEXP + "$");
me.HostPort_match = new RegExp("^(" + IPV4_REGEXP + "|" + DnsName_REGEXP + ")(?::(\\d+))?$");
me.HostPortBrackets_match = new RegExp("^\\[(" + IPV6_REGEXP + "|" + IPV4_REGEXP + "|" + DnsName_REGEXP + ")\\](?::(\\d+))?$");
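Review bot: `DnsName_REGEXP` is `(?:label\.)*label`, so a single label is a valid DNS name here, and the new `DnsName_or_Wildcard_match` therefore accepts `*.example` while the pmg-api regex in this series (`$label(?:\.$label)+`) rejects it; the frontend will let a wildcard on a bare TLD through only for the API to refuse it. Either require at least two labels after the `*.` prefix in this regex or accept the divergence knowingly. The same holds in the other direction for `_`, which the Perl label pattern allows and this one does not.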
diff --git a/src/window/ACMEDomains.js b/src/window/ACMEDomains.js
index 930a4c3..5ec5856 100644
--- a/src/window/ACMEDomains.js
+++ b/src/window/ACMEDomains.js
@@ -150,7 +150,7 @@ Ext.define('Proxmox.window.ACMEDomainEdit', {
xtype: 'proxmoxtextfield',
name: 'domain',
allowBlank: false,
- vtype: 'DnsName',
+ vtype: 'DnsNameOrWildcard',
value: '',
fieldLabel: gettext('Domain'),
},
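Review bot: this hunk only swaps the vtype, so a wildcard can be entered together with a non-DNS challenge plugin and the mistake only shows up when the CA rejects the order; since wildcard identifiers validate with dns-01 only (as the pmg-docs patch in this series states), a validator on this field that rejects a leading `*.` unless a DNS plugin is selected, or a change listener that disables the non-DNS plugin choice once a `*.` value is typed, would give the better UX the thread asks for.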
--
2.20.1
* [pmg-devel] [PATCH pmg-docs v2 1/1] certs: add wildcard certificate support
From: Stoiko Ivanov @ 2021-04-12 19:28 UTC (permalink / raw)
To: pmg-devel
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
pmg-ssl-certificate.adoc | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/pmg-ssl-certificate.adoc b/pmg-ssl-certificate.adoc
index 6cd44b1..24e8d71 100644
--- a/pmg-ssl-certificate.adoc
+++ b/pmg-ssl-certificate.adoc
@@ -187,6 +187,23 @@ and set the `alias` property in the {pmg} node configuration file
`/etc/pmg/node.conf` to `domain2.example` to allow the DNS server of
`domain2.example` to validate all challenges for `domain1.example`.
+[[sysadmin_certs_acme_dns_wildcard]]
+Wildcard Certificates
+^^^^^^^^^^^^^^^^^^^^^
+You can create a certificate for a 'wildcard DNS name' as described in
+https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578[ACME v2 Production Environment & Wildcards].
+
+Wildcard DNS names start with a `*.` prefix and are considered valid for all
+(one-level) subdomain names of the verified domain. So a certificate for
+`*.domain.example` is valid for example for `foo.domain.example` and
+`bar.domain.example`.
+
+Verification for wildcard DNS names only works with the `dns-01` validation
+method.
+
+You need to configure both the base domain (`domain.example`) as well as the
+wildcard equivalent (`*.domain.example`) under `Certificates` with a DNS plugin.
+
Combination of Plugins
^^^^^^^^^^^^^^^^^^^^^^
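Review bot: the last added paragraph ("You need to configure both the base domain ... as well as the wildcard equivalent") states a requirement that RFC 8555 section 7.1.3 does not impose: a wildcard identifier can be ordered on its own, and ordering it next to its base domain is merely also allowed. Reword it to say the base domain may be added as a separate entry when a certificate for `domain.example` itself is wanted. Two smaller points: the paragraph explaining what a wildcard name covers should open the section, since it is the actual introduction, and it would benefit from a negative example (`*.domain.example` covers `foo.domain.example` but not `baz.foo.domain.example`).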
--
2.20.1
* Re: [pmg-devel] [PATCH pmg-api/pmg-docs/proxmox-widget-toolkit v2 0/1] allow wildcard DNS-names for ACME
From: Thomas Lamprecht @ 2021-04-13 4:55 UTC (permalink / raw)
To: Stoiko Ivanov, pmg-devel
On 12.04.21 21:28, Stoiko Ivanov wrote:
> v1->v2:
> * read up on the requirements and inferred from [0], a few HOWTOs and the
> response from the LE staging directory that:
> ```
> Orders that contain both a base domain and its wildcard equivalent (...) are
> valid.
> ```
> means that only such orders are valid (hence the requirement for the base
I'm afraid, that's bogus.
> name in addition to the wildcard name)
> * added a short stanza to pmg-docs describing the requirements
> * added a patch for pwt to allow '*.' as prefix for domains in ACMEDomains
actually read your linked article:
> To request a wildcard certificate simply send a wildcard DNS identifier in the newOrder request.
And from the actual RFC #8555
> Any identifier of type "dns" in a newOrder request MAY have a wildcard domain name as its value.
So, it's:
1. just wildcard '*.domain.tld', totally fine
2. if an order contains a wildcard and the base domain, it's seen as valid too,
but definitively *not* a requirement..
2. stand in contrast to cases where a wildcard domain and a subdomain, which the
wildcard would already cover, are passed in an order - as that is bogus.
How do I know it works? Because I order wildcard certs with just the wildcard
domain since ACME/Let's Encrypt supports it ;-)
> [0] https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
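As an added example, not code from the patch series or from the Proxmox projects, the following JavaScript validator applies the rules the thread settles on to a list of ACME domain entries: `*.` only as the leftmost label (RFC 8555 section 7.1.3), at least two labels after the prefix as in the pmg-api regex, dns-01 only for wildcards, a wildcard alone or next to its base domain accepted, and a wildcard next to a one-level subdomain it already covers flagged. The entry shape `{ domain, plugin }` and the non-DNS plugin names `standalone` and `http` are assumptions made for this example.

```javascript
// Added example for this thread, not code from pmg-api or proxmox-widget-toolkit.
// Validates a list of ACME domain entries against the rules settled on above:
//  - '*.' is accepted only as the leftmost label (RFC 8555, section 7.1.3);
//  - a wildcard needs at least two labels after the prefix, mirroring the
//    pmg-api regex so that '*.example' is rejected as the backend does;
//  - wildcard names validate only with dns-01, so a non-DNS plugin is an error;
//  - a wildcard on its own is fine, a wildcard next to its base domain is fine,
//    a wildcard next to a one-level subdomain it already covers is flagged.
// The entry shape { domain, plugin } and the non-DNS plugin names below are
// assumptions made for this example.

const LABEL = '[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?';
// Same label rule as the toolkit's DnsName_REGEXP, but requiring >= 2 labels.
const DNS_NAME = new RegExp(`^${LABEL}(?:\\.${LABEL})+$`);

// Plugins that use http-01 rather than dns-01 (constructed names).
const NON_DNS_PLUGINS = new Set(['standalone', 'http']);

function isWildcard(domain) {
  return domain.startsWith('*.');
}

function baseOfWildcard(domain) {
  return domain.slice(2);
}

// Returns null when `domain` is syntactically acceptable, else an error string.
function checkDomainSyntax(domain) {
  const name = isWildcard(domain) ? baseOfWildcard(domain) : domain;
  if (name.includes('*')) {
    return `'${domain}': '*' is only allowed as the leftmost label`;
  }
  if (!DNS_NAME.test(name)) {
    return `'${domain}' does not look like a valid DNS name`;
  }
  return null;
}

// True when `domain` is a one-level subdomain of `base`, i.e. '*.<base>' covers it.
function coveredByWildcard(domain, base) {
  const suffix = `.${base}`;
  if (!domain.endsWith(suffix)) {
    return false;
  }
  const rest = domain.slice(0, -suffix.length);
  return rest.length > 0 && !rest.includes('.');
}

// Validates all entries; returns { errors: [...], warnings: [...] }.
function validateAcmeDomains(entries) {
  const errors = [];
  const warnings = [];
  const wildcardBases = [];

  for (const { domain, plugin } of entries) {
    const syntaxError = checkDomainSyntax(domain);
    if (syntaxError !== null) {
      errors.push(syntaxError);
      continue;
    }
    if (isWildcard(domain)) {
      if (NON_DNS_PLUGINS.has(plugin)) {
        errors.push(`'${domain}': wildcard names can only be validated via dns-01, not with plugin '${plugin}'`);
      }
      wildcardBases.push(baseOfWildcard(domain));
    }
  }

  // The base domain next to its wildcard is allowed; a subdomain the wildcard
  // already covers is the case the thread calls bogus, so flag it.
  for (const { domain } of entries) {
    if (isWildcard(domain)) {
      continue;
    }
    for (const base of wildcardBases) {
      if (coveredByWildcard(domain, base)) {
        warnings.push(`'${domain}' is already covered by '*.${base}'`);
      }
    }
  }

  return { errors, warnings };
}

// Constructed sample configuration, printed when the file is run directly.
const sample = [
  { domain: '*.domain.example', plugin: 'powerdns' },
  { domain: 'domain.example', plugin: 'powerdns' },
  { domain: 'foo.domain.example', plugin: 'powerdns' },
  { domain: '*.other.example', plugin: 'standalone' },
];
console.log(JSON.stringify(validateAcmeDomains(sample), null, 2));
```

The syntax check deliberately requires two labels after `*.` so that the frontend and backend agree on `*.example`; the coverage check only looks one level deep, because `*.domain.example` does not cover `baz.foo.domain.example` and both may legitimately appear in one order.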
* Re: [pmg-devel] [PATCH pmg-docs v2 1/1] certs: add wildcard certificate support
From: Thomas Lamprecht @ 2021-04-13 5:07 UTC (permalink / raw)
To: Stoiko Ivanov, pmg-devel
On 12.04.21 21:28, Stoiko Ivanov wrote:
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> pmg-ssl-certificate.adoc | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/pmg-ssl-certificate.adoc b/pmg-ssl-certificate.adoc
> index 6cd44b1..24e8d71 100644
> --- a/pmg-ssl-certificate.adoc
> +++ b/pmg-ssl-certificate.adoc
> @@ -187,6 +187,23 @@ and set the `alias` property in the {pmg} node configuration file
> `/etc/pmg/node.conf` to `domain2.example` to allow the DNS server of
> `domain2.example` to validate all challenges for `domain1.example`.
>
> +[[sysadmin_certs_acme_dns_wildcard]]
> +Wildcard Certificates
> +^^^^^^^^^^^^^^^^^^^^^
> +You can create a certificate for a 'wildcard DNS name' as described in
why the single quotes? I'd rather go for something like
"You can create wildcard certificates with the DNS challenge type."
> +https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578[ACME v2 Production Environment & Wildcards].
Maybe rather link:
https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
> +
> +Wildcard DNS names start with a `*.` prefix and are considered valid for all
> +(one-level) subdomain names of the verified domain. So a certificate for
> +`*.domain.example` is valid for example for `foo.domain.example` and
> +`bar.domain.example`.
above paragraph should come first, as it's the actual introduction to wildcards.
A example for not being valid for deeper level would also help, something like:
"is valid for example for `foo.domain.example` and `bar.domain.example`, but not
for `baz.foo.domain.example`."
> +
> +Verification for wildcard DNS names only works with the `dns-01` validation
> +method.
> +
We should probably check above in the frontend and backend for better UX.
> +You need to configure both the base domain (`domain.example`) as well as the
> +wildcard equivalent (`*.domain.example`) under `Certificates` with a DNS plugin.
> +
above paragraph is wrong.
>
> Combination of Plugins
> ^^^^^^^^^^^^^^^^^^^^^^
>
* [pmg-devel] applied: [PATCH pmg-api v2 1/1] acme: allow wildcard domain entries
From: Thomas Lamprecht @ 2021-04-15 13:18 UTC (permalink / raw)
To: Stoiko Ivanov, pmg-devel
On 12.04.21 21:28, Stoiko Ivanov wrote:
> Reported in our community forum [0], support for wildcard certificates
> via ACME sounds like a good enhancement (especially for PMG).
>
> In order for this to work you need to configure both:
> * the wild-card subentry (*.domain.example)
> * the base entry (domain.example)
> as ACME domains (and be able to verify both of them via DNS Plugin).
> This is best described in the announcement by Let's Encrypt announcing
> wildcard certificate support [1].
>
> Quickly tested with a domain of mine (and the powerdns plugin)
>
> [0]
> https://forum.proxmox.com/threads/feature-request-add-wildcard-support-for-acme.87495/
> [1]
> https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
>
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> src/PMG/CertHelpers.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>
applied this one with an adapted commit message, thanks!