public inbox for pmg-devel@lists.proxmox.com
* [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3]
@ 2021-04-15 19:46 Stoiko Ivanov
  2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation Stoiko Ivanov
                   ` (5 more replies)
  0 siblings, 6 replies; 8+ messages in thread
From: Stoiko Ivanov @ 2021-04-15 19:46 UTC (permalink / raw)
  To: pmg-devel

v2->v3:
* incorporated Thomas' excellent feedback (especially that part of wildcard-certs
  without the base-domain being added actually working despite my theoretical
  guess that it would not :)
* added a check that wildcard certs need a DNS plugin during node-config parsing and writing

original cover-letter for v2:
v1->v2:
* read up on the requirements and inferred from [0], a few HOWTOs and the
response from the LE staging directory that:
```
Orders that contain both a base domain and its wildcard equivalent (...) are
valid.
```
means that only such orders are valid (hence the requirement for the base
name in addition to the wildcard name)
* added a short stanza to pmg-docs describing the requirements
* added a patch for pwt to allow '*.' as prefix for domains in ACMEDomains


[0] https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

pmg-api:
Stoiko Ivanov (3):
  acme: handle wildcard dns validation
  acme: check plugin for wildcard certificates
  nodeconfig: parse acme config before writing

 src/PMG/API2/Certificates.pm |  5 +++++
 src/PMG/NodeConfig.pm        | 14 +++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

proxmox-widget-toolkit:
Stoiko Ivanov (1):
  acme: allow wildcards as domain

 src/Toolkit.js            | 5 +++++
 src/Utils.js              | 1 +
 src/window/ACMEDomains.js | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)

pmg-docs:
Stoiko Ivanov (1):
  certs: add wildcard certificate support

 pmg-ssl-certificate.adoc | 12 ++++++++++++
 1 file changed, 12 insertions(+)

-- 
2.20.1

* [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation
  2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
@ 2021-04-15 19:46 ` Stoiko Ivanov
  2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 2/3] acme: check plugin for wildcard certificates Stoiko Ivanov
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 8+ messages in thread
From: Stoiko Ivanov @ 2021-04-15 19:46 UTC (permalink / raw)
  To: pmg-devel

Wildcard DNS names (*.domain.example) are validated through their
base-domain (domain.example) according to the ACME RFC [0].

We store the indirection while parsing the acme config, and check for
an extra validation target during ordering.

This makes it possible to order wildcard certificates which are not
valid for the base-domain.

[0] https://tools.ietf.org/html/rfc8555#section-7.1.3

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
v2->v3:
* add indirection
 src/PMG/API2/Certificates.pm | 5 +++++
 src/PMG/NodeConfig.pm        | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
index c08deb6..351d1c5 100644
--- a/src/PMG/API2/Certificates.pm
+++ b/src/PMG/API2/Certificates.pm
@@ -359,6 +359,11 @@ my $order_certificate = sub {
 	    print "The validation for $domain is pending!\n";
 
 	    my $domain_config = $acme_node_config->{domains}->{$domain};
+	    if (!defined($domain_config)) {
+		# wildcard domains are validated through the basedomain
+		my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
+		$domain_config = $acme_node_config->{domains}->{$vtarget};
+	    }
 	    die "no config for domain '$domain'\n" if !$domain_config;
 
 	    my $plugin_id = $domain_config->{plugin};
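Review bot: the `// ''` default on the `validationtarget` lookup turns a missing mapping into a lookup of `domains->{''}`, so correctness rests on no domain ever being configured under the empty key (and on the autovivified `validationtarget` hash being harmless); an explicit guard is clearer: `my $vtarget = $acme_node_config->{validationtarget}->{$domain};` followed by `$domain_config = $acme_node_config->{domains}->{$vtarget} if defined($vtarget);`. The fallback is also only reached when `domains->{$domain}` is undefined, so if both `domain.example` and `*.domain.example` are configured, the wildcard authorization (which the CA reports under the base name, RFC 8555 section 7.1.3) is handled with the base domain's plugin, and with `standalone` there the dns-01-only wildcard challenge cannot be completed; distinguishing the two by the authorization's `wildcard` flag would avoid that, and the `die "no config for domain ..."` should then also name the wildcard it looked for.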
diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
index 6472a9d..5f96e62 100644
--- a/src/PMG/NodeConfig.pm
+++ b/src/PMG/NodeConfig.pm
@@ -216,6 +216,12 @@ sub get_acme_conf {
 		if !$plugins->{ids}->{$plugin_id};
 	}
 
+	# validation for wildcard domain names happens on the domain w/o
+	# wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
+	if ($domain =~ /^\*\.(.*)$/ ) {
+	    $res->{validationtarget}->{$1} = $domain;
+	}
+
 	$parsed->{_configkey} = "acmedomain$index";
 	$res->{domains}->{$domain} = $parsed;
     }
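Review bot: `/^\*\.(.*)$/` captures any base name, so `*.` (empty base) and `*.*.domain.example` pass and land in `validationtarget` under keys RFC 8555 section 7.1.3 never produces (it allows exactly one leading `*.` in front of a valid DNS name); run the captured `$1` through the same DNS-name check the non-wildcard entries get, or tighten the pattern to `^\*\.([^*]+)$` plus that check, and drop the stray space before `)`. A one-line comment on the key direction (base name -> configured wildcard name) would also help, since the consumer in `Certificates.pm` looks the table up by the base name it receives from the CA.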
-- 
2.20.1
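As an added example (a Python sketch, not the project's Perl and not part of this series), here is the mapping the commit message describes between configured names, RFC 8555 order identifiers and the authorizations a CA hands back, including the case where both the base name and its wildcard are configured. The plugin id `example-dns`, the `DomainEntry` shape, the sample configuration and the CA responses are all constructed for illustration; the `wildcard` flag is the one RFC 8555 section 7.1.4 defines on authorization objects.

```python
"""Added example (Python sketch, not the project's Perl): configured ACME
names -> RFC 8555 order identifiers -> authorizations -> config entry.

RFC 8555 section 7.1.3: '*.domain.example' goes into newOrder verbatim; the
CA then returns an authorization whose identifier value is the base name
'domain.example' with "wildcard": true (section 7.1.4) and only a dns-01
challenge.  The node config is keyed by the configured name, hence the
indirection.  All data below is constructed, not taken from a real node.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainEntry:
    domain: str       # as configured, may carry a single leading '*.'
    plugin: str       # plugin id, e.g. 'standalone' or a dns-01 plugin id
    plugin_type: str  # 'standalone' (http-01) or 'dns' (dns-01)


def parse_acme_conf(entries):
    """The two tables the patch keeps: domains by configured name, and
    validationtarget: base name -> wildcard name.  Also enforces the 2/3
    rule that a wildcard entry needs a dns-01 plugin."""
    domains, validationtarget = {}, {}
    for entry in entries:
        name = entry.domain
        if name.startswith('*.'):
            base = name[2:]
            # RFC 8555 7.1.3: exactly one leading '*.' before a valid name
            if not base or '*' in base:
                raise ValueError(f"invalid wildcard name '{name}'")
            if entry.plugin_type != 'dns':
                raise ValueError(f"wildcard domain validation for '{name}' "
                                 f"needs a dns-01 plugin")
            validationtarget[base] = name
        elif '*' in name:
            raise ValueError(f"'*' only allowed as leading label: '{name}'")
        domains[name] = entry
    return domains, validationtarget


def order_identifiers(domains):
    """newOrder identifiers: configured names verbatim, '*.' included."""
    return [{'type': 'dns', 'value': name} for name in domains]


def resolve_authorization(authz, domains, validationtarget):
    """Map one authorization object back to its DomainEntry.  Keying on the
    'wildcard' flag, not only identifier.value, keeps apart the two
    authorizations a CA returns when both 'domain.example' and
    '*.domain.example' are ordered; by value alone the wildcard one would
    inherit the base domain's plugin."""
    value = authz['identifier']['value']
    if authz.get('wildcard', False):
        name = validationtarget.get(value)
        if name is None:
            raise LookupError(f"no wildcard config for '{value}'")
    else:
        name = value
    entry = domains.get(name)
    if entry is None:
        raise LookupError(f"no config for domain '{name}'")
    return entry


def covers(cert_name, host):
    """Does a certificate name cover host?  A wildcard covers exactly one
    label: '*.domain.example' covers 'foo.domain.example' but neither
    'domain.example' itself nor 'baz.foo.domain.example'."""
    cert_name, host = cert_name.lower().rstrip('.'), host.lower().rstrip('.')
    if cert_name.startswith('*.'):
        head, sep, tail = host.partition('.')
        return bool(head) and bool(sep) and tail == cert_name[2:]
    return cert_name == host


# Constructed node config: bare mail host via http-01, wildcard via a
# hypothetical dns-01 plugin with id 'example-dns'.
SAMPLE_CONFIG = [
    DomainEntry('mail.domain.example', 'standalone', 'standalone'),
    DomainEntry('*.domain.example', 'example-dns', 'dns'),
]

# Constructed CA answer: one authorization per identifier; the wildcard one
# comes back under the base name with "wildcard": true.
SAMPLE_AUTHZ = [
    {'identifier': {'type': 'dns', 'value': 'mail.domain.example'}},
    {'identifier': {'type': 'dns', 'value': 'domain.example'}, 'wildcard': True},
]


def plugins_for_order(config=SAMPLE_CONFIG, authz=SAMPLE_AUTHZ):
    """Plugin id each pending authorization must be answered with."""
    domains, validationtarget = parse_acme_conf(config)
    return [resolve_authorization(a, domains, validationtarget).plugin for a in authz]


def conf_is_valid(entries):
    """What the node-config write check from 3/3 boils down to."""
    try:
        parse_acme_conf(entries)
    except ValueError:
        return False
    return True
```

Call `plugins_for_order()` to see the interesting case: the second authorization arrives as `domain.example` with `wildcard: true` and still resolves to the `*.domain.example` entry and its dns-01 plugin, while `covers()` shows why a wildcard certificate on its own does not serve the bare base name.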

* [pmg-devel] [PATCH pmg-api v3 2/3] acme: check plugin for wildcard certificates
  2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
  2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation Stoiko Ivanov
@ 2021-04-15 19:46 ` Stoiko Ivanov
  2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 3/3] nodeconfig: parse acme config before writing Stoiko Ivanov
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 8+ messages in thread
From: Stoiko Ivanov @ 2021-04-15 19:46 UTC (permalink / raw)
  To: pmg-devel

Let's Encrypt currently only issues wildcard certificates if the
domain ownership is validated via a dns-01 type plugin.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PMG/NodeConfig.pm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
index 5f96e62..029b903 100644
--- a/src/PMG/NodeConfig.pm
+++ b/src/PMG/NodeConfig.pm
@@ -209,9 +209,9 @@ sub get_acme_conf {
 	}
 	$parsed->{plugin} //= 'standalone';
 
+	my $plugins = PMG::API2::ACMEPlugin::load_config();
 	my $plugin_id = $parsed->{plugin};
 	if ($plugin_id ne 'standalone') {
-	    my $plugins = PMG::API2::ACMEPlugin::load_config();
 	    die "plugin '$plugin_id' for domain '$domain' not found!\n"
 		if !$plugins->{ids}->{$plugin_id};
 	}
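Review bot: hoisting `my $plugins = PMG::API2::ACMEPlugin::load_config();` out of the `ne 'standalone'` branch means the plugin config is now read for every configured domain, `standalone` ones included, on every `get_acme_conf` call (and, with 3/3, on every node-config write); the `$index` suffix a few lines further down suggests this sits inside the per-domain loop, so load it once before the loop rather than once per domain.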
@@ -220,6 +220,9 @@ sub get_acme_conf {
 	# wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
 	if ($domain =~ /^\*\.(.*)$/ ) {
 	    $res->{validationtarget}->{$1} = $domain;
+	    die "wildcard domain validation for '$domain' needs a dns-01 plugin.\n"
+		if $plugins->{ids}->{$plugin_id}->{type} ne 'dns';
+
 	}
 
 	$parsed->{_configkey} = "acmedomain$index";
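Review bot: `$plugins->{ids}->{$plugin_id}->{type} ne 'dns'` dereferences `undef` when `$plugin_id` is `standalone`, which is never an entry of `$plugins->{ids}`; the `die` still fires, but with a "Use of uninitialized value" warning and an autovivified `ids->{standalone}` hash left behind. Write `!$plugins->{ids}->{$plugin_id} || $plugins->{ids}->{$plugin_id}->{type} ne 'dns'` (or `($plugins->{ids}->{$plugin_id}->{type} // '') ne 'dns'`), name the offending plugin in the message (`'$plugin_id' is not a dns-01 plugin`), and drop the empty line before the closing brace.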
-- 
2.20.1

* [pmg-devel] [PATCH pmg-api v3 3/3] nodeconfig: parse acme config before writing
  2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
  2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation Stoiko Ivanov
  2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 2/3] acme: check plugin for wildcard certificates Stoiko Ivanov
@ 2021-04-15 19:46 ` Stoiko Ivanov
  2021-04-15 19:46 ` [pmg-devel] [PATCH v3 1/1] acme: allow wildcards as domain Stoiko Ivanov
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 8+ messages in thread
From: Stoiko Ivanov @ 2021-04-15 19:46 UTC (permalink / raw)
  To: pmg-devel

We use `get_acme_conf` as a higher-level sanity checker (e.g. to ensure
that wildcard certificates have a configured DNS plugin).

(adapted from pve-manager, where this is done in the corresponding API
call)

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PMG/NodeConfig.pm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
index 029b903..42139e4 100644
--- a/src/PMG/NodeConfig.pm
+++ b/src/PMG/NodeConfig.pm
@@ -131,6 +131,9 @@ sub read_pmg_node_config {
 sub write_pmg_node_config {
     my ($filename, $fh, $cfg) = @_;
     my $raw = PVE::JSONSchema::dump_config($config_schema, $filename, $cfg);
+
+    # higher level ACME sanity checking
+    get_acme_conf($cfg);
     PVE::Tools::safe_print($filename, $fh, $raw);
 }
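Review bot: `get_acme_conf($cfg)` runs after `dump_config` has already serialized the config, so an invalid ACME setup is rendered first and rejected afterwards; move the check above `my $raw = ...` so the die happens before any work, and add a blank line after it to match the one before the comment. Note also that, via the `PMG::API2::ACMEPlugin::load_config()` call inside `get_acme_conf`, every node-config write now depends on the plugin config being readable, so a broken plugin file blocks unrelated `node.conf` changes with an error that only mentions a domain or plugin; worth a sentence in the commit message, or wrapping the call so the message says it came from the ACME sanity check.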
 
-- 
2.20.1

* [pmg-devel] [PATCH v3 1/1] acme: allow wildcards as domain
  2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
                   ` (2 preceding siblings ...)
  2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-api v3 3/3] nodeconfig: parse acme config before writing Stoiko Ivanov
@ 2021-04-15 19:46 ` Stoiko Ivanov
  2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-docs v3 1/1] certs: add wildcard certificate support Stoiko Ivanov
  2021-07-13  8:03 ` [pmg-devel] applied-series: [PATCH pmg-api/pwt/pmg-docs v3] Thomas Lamprecht
  5 siblings, 0 replies; 8+ messages in thread
From: Stoiko Ivanov @ 2021-04-15 19:46 UTC (permalink / raw)
  To: pmg-devel

Allow wildcard DNS names as defined in [0,1] (only the prefix '*.' in
front of a valid DNS name) as domain.

[0] https://tools.ietf.org/html/rfc8555#section-7.1.3
[1] https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/Toolkit.js            | 5 +++++
 src/Utils.js              | 1 +
 src/window/ACMEDomains.js | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/Toolkit.js b/src/Toolkit.js
index 6ae31ed..c6bfe93 100644
--- a/src/Toolkit.js
+++ b/src/Toolkit.js
@@ -131,6 +131,11 @@ Ext.apply(Ext.form.field.VTypes, {
     },
     DnsNameText: gettext('This is not a valid DNS name'),
 
+    DnsNameOrWildcard: function(v) {
+	return Proxmox.Utils.DnsName_or_Wildcard_match.test(v);
+    },
+    DnsNameOrWildcardText: gettext('This is not a valid DNS name'),
+
     // workaround for https://www.sencha.com/forum/showthread.php?302150
     proxmoxMail: function(v) {
         return (/^(\w+)([-+.][\w]+)*@(\w[-\w]*\.){1,5}([A-Za-z]){2,63}$/).test(v);
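Review bot: `DnsNameOrWildcardText` reuses 'This is not a valid DNS name', so a user who types `foo.*.domain.example` or `*.` gets no hint that only a single leading `*.` is accepted; a dedicated string such as `gettext('This is not a valid DNS name or wildcard name')` makes the rejection actionable. The added lines are tab-indented while the neighbouring `proxmoxMail` body uses spaces; pick one for the file.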
diff --git a/src/Utils.js b/src/Utils.js
index 3fd8f91..4b53238 100644
--- a/src/Utils.js
+++ b/src/Utils.js
@@ -1041,6 +1041,7 @@ utilities: {
 
 	let DnsName_REGEXP = "(?:(?:(?:[a-zA-Z0-9](?:[a-zA-Z0-9\\-]*[a-zA-Z0-9])?)\\.)*(?:[A-Za-z0-9](?:[A-Za-z0-9\\-]*[A-Za-z0-9])?))";
 	me.DnsName_match = new RegExp("^" + DnsName_REGEXP + "$");
+	me.DnsName_or_Wildcard_match = new RegExp("^(?:\\*\\.)?" + DnsName_REGEXP + "$");
 
 	me.HostPort_match = new RegExp("^(" + IPV4_REGEXP + "|" + DnsName_REGEXP + ")(?::(\\d+))?$");
 	me.HostPortBrackets_match = new RegExp("^\\[(" + IPV6_REGEXP + "|" + IPV4_REGEXP + "|" + DnsName_REGEXP + ")\\](?::(\\d+))?$");
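Review bot: `^(?:\\*\\.)?` in front of `DnsName_REGEXP` matches the single-leading-label wildcard RFC 8555 allows, but `DnsName_REGEXP` also accepts a lone label, so `*.example` (a wildcard over an entire top-level domain, which no public CA will issue) passes the form check. Either require at least one dot after the `*.` here, or treat the vtype as the usability aid it is and make sure the API-side domain format is what actually rejects such input; a client-side regex is not a security control.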
diff --git a/src/window/ACMEDomains.js b/src/window/ACMEDomains.js
index 930a4c3..5ec5856 100644
--- a/src/window/ACMEDomains.js
+++ b/src/window/ACMEDomains.js
@@ -150,7 +150,7 @@ Ext.define('Proxmox.window.ACMEDomainEdit', {
 		    xtype: 'proxmoxtextfield',
 		    name: 'domain',
 		    allowBlank: false,
-		    vtype: 'DnsName',
+		    vtype: 'DnsNameOrWildcard',
 		    value: '',
 		    fieldLabel: gettext('Domain'),
 		},
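Review bot: `Proxmox.window.ACMEDomainEdit` is shared by every product that embeds the widget toolkit, so switching the vtype to `DnsNameOrWildcard` relaxes the form for all of them while only pmg-api is adapted in this series; wherever a backend still uses a plain DNS-name format, users will now get a backend validation error instead of inline feedback. The commit message should say which backends accept the `*.` prefix, or the wildcard vtype should be enabled per product.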
-- 
2.20.1

* [pmg-devel] [PATCH pmg-docs v3 1/1] certs: add wildcard certificate support
  2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
                   ` (3 preceding siblings ...)
  2021-04-15 19:46 ` [pmg-devel] [PATCH v3 1/1] acme: allow wildcards as domain Stoiko Ivanov
@ 2021-04-15 19:46 ` Stoiko Ivanov
  2021-07-13  8:03 ` [pmg-devel] applied-series: [PATCH pmg-api/pwt/pmg-docs v3] Thomas Lamprecht
  5 siblings, 0 replies; 8+ messages in thread
From: Stoiko Ivanov @ 2021-04-15 19:46 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 pmg-ssl-certificate.adoc | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/pmg-ssl-certificate.adoc b/pmg-ssl-certificate.adoc
index 6cd44b1..64a2521 100644
--- a/pmg-ssl-certificate.adoc
+++ b/pmg-ssl-certificate.adoc
@@ -187,6 +187,18 @@ and set the `alias` property in the {pmg} node configuration file
 `/etc/pmg/node.conf` to `domain2.example` to allow the DNS server of
 `domain2.example` to validate all challenges for `domain1.example`.
 
+[[sysadmin_certs_acme_dns_wildcard]]
+Wildcard Certificates
+^^^^^^^^^^^^^^^^^^^^^
+
+Wildcard DNS names start with a `*.` prefix and are considered valid for all
+(one-level) subdomain names of the verified domain. So a certificate for
+`*.domain.example` is valid for example for `foo.domain.example` and
+`bar.domain.example`, but not for `baz.foo.domain.example`.
+
+You can currently create wildcard certificates only with the
+https://letsencrypt.org/docs/challenge-types/#dns-01-challenge[DNS challenge type].
+
 
 Combination of Plugins
 ^^^^^^^^^^^^^^^^^^^^^^
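Review bot: "valid for example for `foo.domain.example`" reads awkwardly; "is valid for `foo.domain.example` and `bar.domain.example`, for example, but not for `baz.foo.domain.example`" is smoother. The stanza should also spell out that `*.domain.example` does not cover `domain.example` itself (the 1/3 commit message relies on exactly this), so the bare name has to be added as its own domain if it is used, and that the wildcard entry must be configured with a DNS plugin, which is what the new node-config check otherwise rejects.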
-- 
2.20.1

* [pmg-devel] applied-series:  [PATCH pmg-api/pwt/pmg-docs v3]
  2021-04-15 19:46 [pmg-devel] [PATCH pmg-api/pwt/pmg-docs v3] Stoiko Ivanov
                   ` (4 preceding siblings ...)
  2021-04-15 19:46 ` [pmg-devel] [PATCH pmg-docs v3 1/1] certs: add wildcard certificate support Stoiko Ivanov
@ 2021-07-13  8:03 ` Thomas Lamprecht
  5 siblings, 0 replies; 8+ messages in thread
From: Thomas Lamprecht @ 2021-07-13  8:03 UTC (permalink / raw)
  To: Stoiko Ivanov, pmg-devel

On 15.04.21 21:46, Stoiko Ivanov wrote:
> v2->v3:
> * incorporated Thomas' excellent feedback (especially that part of wildcard-certs
>   without the base-domain being added actually working despite my theoretical
>   guess that it would not :)
> * added a check that wildcard certs need a DNS plugin during node-config parsing and writing
> 
> original cover-letter for v2:
> v1->v2:
> * read up on the requirements and inferred from [0], a few HOWTOs and the
> response from the LE staging directory that:
> ```
> Orders that contain both a base domain and its wildcard equivalent (...) are
> valid.
> ```
> means that only such orders are valid (hence the requirement for the base
> name in addition to the wildcard name)
> * added a short stanza to pmg-docs describing the requirements
> * added a patch for pwt to allow '*.' as prefix for domains in ACMEDomains
> 
> 
> [0] https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
> 
> pmg-api:
> Stoiko Ivanov (3):
>   acme: handle wildcard dns validation
>   acme: check plugin for wildcard certificates
>   nodeconfig: parse acme config before writing
> 
>  src/PMG/API2/Certificates.pm |  5 +++++
>  src/PMG/NodeConfig.pm        | 14 +++++++++++++-
>  2 files changed, 18 insertions(+), 1 deletion(-)
> 
> proxmox-widget-toolkit:
> Stoiko Ivanov (1):
>   acme: allow wildcards as domain
> 
>  src/Toolkit.js            | 5 +++++
>  src/Utils.js              | 1 +
>  src/window/ACMEDomains.js | 2 +-
>  3 files changed, 7 insertions(+), 1 deletion(-)
> 
> pmg-docs:
> Stoiko Ivanov (1):
>   certs: add wildcard certificate support
> 
>  pmg-ssl-certificate.adoc | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 


applied series, thanks!

* Re: [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation
@ 2021-04-16  8:14 Wolfgang Bumiller
  0 siblings, 0 replies; 8+ messages in thread
From: Wolfgang Bumiller @ 2021-04-16  8:14 UTC (permalink / raw)
  To: Stoiko Ivanov, pmg-devel

Took me a bit to "tune" back into "no, it autovivifies,
and no, it won't "panic!()" when indexing with a wrong value
(the deliberate empty string)",
but hey, that's just Perl ;-)

lgtm 👍

> On 04/15/2021 9:46 PM Stoiko Ivanov <s.ivanov@proxmox.com> wrote:
> 
>  
> Wildcard DNS names (*.domain.example) are validated through their
> base-domain (domain.example) according to the ACME RFC [0].
> 
> We store the indirection while parsing the acme config, and check for
> an extra validation target during ordering.
> 
> This makes it possible to order wildcard certificates which are not
> valid for the base-domain.
> 
> [0] https://tools.ietf.org/html/rfc8555#section-7.1.3
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> v2->v3:
> * add indirection
>  src/PMG/API2/Certificates.pm | 5 +++++
>  src/PMG/NodeConfig.pm        | 6 ++++++
>  2 files changed, 11 insertions(+)
> 
> diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
> index c08deb6..351d1c5 100644
> --- a/src/PMG/API2/Certificates.pm
> +++ b/src/PMG/API2/Certificates.pm
> @@ -359,6 +359,11 @@ my $order_certificate = sub {
>  	    print "The validation for $domain is pending!\n";
>  
>  	    my $domain_config = $acme_node_config->{domains}->{$domain};
> +	    if (!defined($domain_config)) {
> +		# wildcard domains are validated through the basedomain
> +		my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
> +		$domain_config = $acme_node_config->{domains}->{$vtarget};
> +	    }
>  	    die "no config for domain '$domain'\n" if !$domain_config;
>  
>  	    my $plugin_id = $domain_config->{plugin};
> diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
> index 6472a9d..5f96e62 100644
> --- a/src/PMG/NodeConfig.pm
> +++ b/src/PMG/NodeConfig.pm
> @@ -216,6 +216,12 @@ sub get_acme_conf {
>  		if !$plugins->{ids}->{$plugin_id};
>  	}
>  
> +	# validation for wildcard domain names happens on the domain w/o
> +	# wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
> +	if ($domain =~ /^\*\.(.*)$/ ) {
> +	    $res->{validationtarget}->{$1} = $domain;
> +	}
> +
>  	$parsed->{_configkey} = "acmedomain$index";
>  	$res->{domains}->{$domain} = $parsed;
>      }
> -- 
> 2.20.1
