public inbox for pmg-devel@lists.proxmox.com
From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation
Date: Thu, 15 Apr 2021 21:46:18 +0200	[thread overview]
Message-ID: <20210415194622.25632-2-s.ivanov@proxmox.com> (raw)
In-Reply-To: <20210415194622.25632-1-s.ivanov@proxmox.com>

Wildcard DNS names (*.domain.example) are validated through their
base-domain (domain.example) according to the ACME RFC [0].

We store the indirection while parsing the acme config, and check for
an extra validation target during ordering.

This makes it possible to order wildcard certificates which are not
valid for the base-domain.

[0] https://tools.ietf.org/html/rfc8555#section-7.1.3

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
v2->v3:
* add indirection
 src/PMG/API2/Certificates.pm | 5 +++++
 src/PMG/NodeConfig.pm        | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
index c08deb6..351d1c5 100644
--- a/src/PMG/API2/Certificates.pm
+++ b/src/PMG/API2/Certificates.pm
@@ -359,6 +359,11 @@ my $order_certificate = sub {
 	    print "The validation for $domain is pending!\n";
 
 	    my $domain_config = $acme_node_config->{domains}->{$domain};
+	    if (!defined($domain_config)) {
+		# wildcard domains are validated through the basedomain
+		my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
+		$domain_config = $acme_node_config->{domains}->{$vtarget};
+	    }
 	    die "no config for domain '$domain'\n" if !$domain_config;
 
 	    my $plugin_id = $domain_config->{plugin};
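Review bot: the fallback added here only runs when `$acme_node_config->{domains}->{$domain}` is undefined, so when both `domain.example` and `*.domain.example` are configured, the wildcard's authorization (whose identifier value is also `domain.example`, with the authorization object's `wildcard` flag set per RFC 8555 section 7.1.4) is matched to the base-domain entry and its plugin, not to the wildcard entry; consider taking the authorization's wildcard flag into account when choosing the entry, or documenting that in this configuration the base-domain entry must use a DNS plugin. Minor: `// ''` makes a missing mapping do a `$acme_node_config->{domains}->{''}` lookup before the `die` on the next line catches it; `if defined $vtarget` reads more clearly.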
diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
index 6472a9d..5f96e62 100644
--- a/src/PMG/NodeConfig.pm
+++ b/src/PMG/NodeConfig.pm
@@ -216,6 +216,12 @@ sub get_acme_conf {
 		if !$plugins->{ids}->{$plugin_id};
 	}
 
+	# validation for wildcard domain names happens on the domain w/o
+	# wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
+	if ($domain =~ /^\*\.(.*)$/ ) {
+	    $res->{validationtarget}->{$1} = $domain;
+	}
+
 	$parsed->{_configkey} = "acmedomain$index";
 	$res->{domains}->{$domain} = $parsed;
     }
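Review bot: the regex `/^\*\.(.*)$/` accepts any remainder, including a second wildcard label (`*.*.example`) and an empty base (`*.`); for the latter the mapping lands in `$res->{validationtarget}->{''}`. RFC 8555 section 7.1.3 allows exactly one `*` as the leftmost label, so either tighten the match (for example `/^\*\.([^*]+)$/` and die otherwise) or make sure the domain option's format in the 'allow wildcards as domain' patch of this series rejects these forms. Also note that a second entry with the same base silently overwrites the earlier mapping here, just as `$res->{domains}->{$domain}` below overwrites a duplicate name; if duplicates are not rejected earlier in `get_acme_conf`, an explicit check would help.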
-- 
2.20.1
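The wildcard indirection described in the commit message, as an added Python example that is not part of the patch or of pmg-api: it builds the same base-domain to wildcard mapping from a constructed list of acme domain entries, then resolves ACME authorization identifiers to the entry whose challenge has to be answered. It goes beyond the patch in two places: the authorization's `wildcard` flag (RFC 8555 section 7.1.4) is used to tell the base-domain and wildcard entries apart when both are configured, and a wildcard entry bound to a non-DNS plugin is rejected, since public CAs such as Let's Encrypt only validate wildcards with dns-01. The entries, plugin ids and the `plugin_types` table are constructed for the example and are not PMG's plugin list.

```python
import re

# RFC 8555 section 7.1.3 permits the wildcard only as the leftmost label, so a
# second '*' anywhere in the base ("*.*.example") or an empty base ("*.") is
# rejected here; the patch's /^\*\.(.*)$/ would accept both.
WILDCARD_RE = re.compile(r'^\*\.([^*\s]+)$')

# Constructed sample input: (domain, plugin id) pairs as an acmedomainN
# config would provide them. Plugin ids and the type table are assumptions
# for this example, not PMG's own plugin list.
SAMPLE_ENTRIES = [
    ('mail.domain.example', 'standalone'),
    ('*.domain.example', 'dns-example'),
    ('domain.example', 'standalone'),
]
SAMPLE_PLUGIN_TYPES = {'standalone': 'standalone', 'dns-example': 'dns'}


def parse_acme_domains(entries):
    """Build the per-domain config plus the wildcard indirection.

    Returns (domains, validationtarget): `domains` is keyed by the configured
    name (including a leading '*.'); `validationtarget` maps the base domain
    that the CA will actually challenge to the wildcard entry, the same shape
    the patch stores in $res->{validationtarget}.
    """
    domains = {}
    validationtarget = {}
    for domain, plugin in entries:
        if domain in domains:
            raise ValueError(f"duplicate acme domain '{domain}'")
        if domain.startswith('*'):
            match = WILDCARD_RE.match(domain)
            if match is None:
                raise ValueError(f"invalid wildcard domain '{domain}'")
            validationtarget[match.group(1)] = domain
        domains[domain] = {'domain': domain, 'plugin': plugin}
    return domains, validationtarget


def resolve_authorization(identifier, wildcard, domains, validationtarget,
                          plugin_types):
    """Pick the config entry for one ACME authorization.

    `identifier` is the authorization's identifier value, which never carries
    the '*'; `wildcard` is the authorization's boolean wildcard flag. Ordering
    both 'domain.example' and '*.domain.example' yields two authorizations
    with the same identifier value, so the flag, not the name, decides which
    entry applies.
    """
    if wildcard:
        target = validationtarget.get(identifier)
        config = domains.get(target) if target is not None else None
    else:
        config = domains.get(identifier)
    if config is None:
        shown = f'*.{identifier}' if wildcard else identifier
        raise LookupError(f"no config for domain '{shown}'")
    # Let's Encrypt (CA policy, not an RFC rule) only accepts dns-01 for
    # wildcard identifiers, so a wildcard on a non-DNS plugin cannot succeed.
    if wildcard and plugin_types.get(config['plugin']) != 'dns':
        raise ValueError(f"wildcard '{config['domain']}' needs a DNS plugin, "
                         f"got '{config['plugin']}'")
    return config


def order_plan(entries, authorizations, plugin_types):
    """Map each (identifier, wildcard) authorization of an order to the
    plugin id that has to answer its challenge."""
    domains, validationtarget = parse_acme_domains(entries)
    return {
        (ident, wc): resolve_authorization(ident, wc, domains,
                                           validationtarget,
                                           plugin_types)['plugin']
        for ident, wc in authorizations
    }


def raises(exc, fn, *args):
    """True if fn(*args) raises exc; used to check the rejected inputs."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == '__main__':
    # Authorizations as a CA would return them for an order covering all
    # three sample entries: the wildcard one has identifier 'domain.example'
    # and wildcard=True.
    auths = [('mail.domain.example', False), ('domain.example', False),
             ('domain.example', True)]
    for key, plugin in order_plan(SAMPLE_ENTRIES, auths,
                                  SAMPLE_PLUGIN_TYPES).items():
        print(key, '->', plugin)
```

With the sample entries, the wildcard authorization for `domain.example` resolves to the `*.domain.example` entry and its DNS plugin, while the plain `domain.example` authorization resolves to the base-domain entry; the patch's lookup by name alone would return the base-domain entry for both.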

Thread overview: 8+ messages
2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
2021-04-15 19:46 ` Stoiko Ivanov [this message]
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 2/3] acme: check plugin for wildcard certificates Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 3/3] nodeconfig: parse acme config before writing Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH v3 1/1] acme: allow wildcards as domain Stoiko Ivanov
2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-docs v3 1/1] certs: add wildcard certificate support Stoiko Ivanov
2021-07-13  8:03 ` [pmg-devel] applied-series: [PATCH pmg-api/pwt/pmg-docs v3] Thomas Lamprecht
2021-04-16  8:14 [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation Wolfgang Bumiller