From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation
Date: Thu, 15 Apr 2021 21:46:18 +0200 [thread overview]
Message-ID: <20210415194622.25632-2-s.ivanov@proxmox.com> (raw)
In-Reply-To: <20210415194622.25632-1-s.ivanov@proxmox.com>
Wildcard DNS names (*.domain.example) are validated through their
base-domain (domain.example) according to the ACME RFC [0].
We store the indirection while parsing the acme config, and check for
an extra validation target during ordering.
This makes it possible to order wildcard certificates which are not
valid for the base-domain.
[0] https://tools.ietf.org/html/rfc8555#section-7.1.3
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
v2->v3:
* add indirection
src/PMG/API2/Certificates.pm | 5 +++++
src/PMG/NodeConfig.pm | 6 ++++++
2 files changed, 11 insertions(+)
diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
index c08deb6..351d1c5 100644
--- a/src/PMG/API2/Certificates.pm
+++ b/src/PMG/API2/Certificates.pm
@@ -359,6 +359,11 @@ my $order_certificate = sub {
print "The validation for $domain is pending!\n";
my $domain_config = $acme_node_config->{domains}->{$domain};
+ if (!defined($domain_config)) {
+ # wildcard domains are validated through the basedomain
+ my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
+ $domain_config = $acme_node_config->{domains}->{$vtarget};
+ }
die "no config for domain '$domain'\n" if !$domain_config;
my $plugin_id = $domain_config->{plugin};
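Review bot: the fallback in this hunk only triggers when the base domain has no config of its own, so when both `domain.example` and `*.domain.example` are configured, both authorizations (the ACME identifier value is the base domain for the wildcard as well) resolve to the base domain's entry and its plugin; since the wildcard authorization can only be satisfied by dns-01, that combination should either be rejected when the config is parsed or handled here by preferring the `validationtarget` entry when one exists. Minor: `$vtarget // ''` followed by `->{$vtarget}` works but reads oddly; `die "no config for domain '$domain' (wildcard validation target)\n"` or a separate check would make the failure mode clearer in the log.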
diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
index 6472a9d..5f96e62 100644
--- a/src/PMG/NodeConfig.pm
+++ b/src/PMG/NodeConfig.pm
@@ -216,6 +216,12 @@ sub get_acme_conf {
if !$plugins->{ids}->{$plugin_id};
}
+ # validation for wildcard domain names happens on the domain w/o
+ # wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
+ if ($domain =~ /^\*\.(.*)$/ ) {
+ $res->{validationtarget}->{$1} = $domain;
+ }
+
$parsed->{_configkey} = "acmedomain$index";
$res->{domains}->{$domain} = $parsed;
}
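Review bot: the name `validationtarget` reads inverted relative to what is stored: the hash is keyed by the base domain (`$1`) and the value is the configured wildcard entry (`$domain`), i.e. it maps "authorization identifier -> configured domain name", so a name like `wildcard_by_base` (or a comment stating the direction) would avoid confusion at the lookup site. Also `/^\*\.(.*)$/` accepts anything after the leading `*.`, including a further `*.`, so `*.*.example` would record `*.example` as its validation target; unless the domain format check already rejects that, a stricter capture (e.g. `^\*\.([^*]+)$`) would be safer.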
--
2.20.1
Thread overview:
2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
2021-04-15 19:46 ` Stoiko Ivanov [this message]
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 2/3] acme: check plugin for wildcard certificates Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 3/3] nodeconfig: parse acme config before writing Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH v3 1/1] acme: allow wildcards as domain Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-docs v3 1/1] certs: add wildcard certificate support Stoiko Ivanov
2021-07-13 8:03 ` [pmg-devel] applied-series: [PATCH pmg-api/pwt/pmg-docs v3] Thomas Lamprecht
2021-04-16 8:14 [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation Wolfgang Bumiller