From: Stoiko Ivanov
To: pmg-devel@lists.proxmox.com
Date: Thu, 15 Apr 2021 21:46:18 +0200
Message-Id: <20210415194622.25632-2-s.ivanov@proxmox.com>
In-Reply-To: <20210415194622.25632-1-s.ivanov@proxmox.com>
References: <20210415194622.25632-1-s.ivanov@proxmox.com>
Subject: [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation

Wildcard DNS names (*.domain.example) are validated through their base-domain
(domain.example) according to the ACME RFC [0].

We store the indirection while parsing the acme config, and check for an extra
validation target during ordering.

This makes it possible to order wildcard certificates which are not valid for
the base-domain.

[0] https://tools.ietf.org/html/rfc8555#section-7.1.3

Signed-off-by: Stoiko Ivanov
---
v2->v3:
* add indirection

 src/PMG/API2/Certificates.pm | 5 +++++
 src/PMG/NodeConfig.pm        | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
index c08deb6..351d1c5 100644
--- a/src/PMG/API2/Certificates.pm
+++ b/src/PMG/API2/Certificates.pm
@@ -359,6 +359,11 @@ my $order_certificate = sub { print "The validation for $domain is pending!\n"; my $domain_config = $acme_node_config->{domains}->{$domain}; + if (!defined($domain_config)) { + # wildcard domains are validated through the basedomain + my $vtarget = $acme_node_config->{validationtarget}->{$domain} // ''; + $domain_config = $acme_node_config->{domains}->{$vtarget}; + } die "no config for domain '$domain'\n" if !$domain_config; my $plugin_id = $domain_config->{plugin}; diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm index 6472a9d..5f96e62 100644 --- a/src/PMG/NodeConfig.pm +++ b/src/PMG/NodeConfig.pm @@ -216,6 +216,12 @@ sub get_acme_conf { if !$plugins->{ids}->{$plugin_id}; } + # validation for wildcard domain names happens on the domain w/o + # wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3 + if ($domain =~ /^\*\.(.*)$/ ) { + $res->{validationtarget}->{$1} = $domain; + } + $parsed->{_configkey} = "acmedomain$index"; $res->{domains}->{$domain} = $parsed; } -- 2.20.1
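Review bot: in the Certificates.pm hunk the base-domain entry always wins, because the `validationtarget` fallback only runs when `$acme_node_config->{domains}->{$domain}` is undefined. When both `example.test` and `*.example.test` are configured, the wildcard's authorization (its identifier value is the base name, with the `wildcard` flag set, per RFC 8555 section 7.1.4) is handed to the base domain's plugin; if that plugin is not DNS-based it cannot complete the dns-01 challenge that wildcard authorizations require. If the authorization object is in scope in this loop, branching on its `wildcard` flag instead of on a missing base config would disambiguate the two cases. Smaller point: `my $vtarget = ... // '';` followed by `->{$vtarget}` indexes the hash with an empty key; `if (defined $vtarget)` or dying on an undefined target reads cleaner than relying on the later `die "no config for domain ..."`.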
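Review bot: in the NodeConfig.pm hunk the key/value direction of `validationtarget` is the reverse of what the name and comment suggest: the hash maps the base domain `$1` to the wildcard `$domain`, that is, from the name the CA asks us to validate back to the config entry, while the comment says validation happens on the base. A one-line comment such as `# base domain (as it appears in the CA's authorization) => wildcard config key` would save the next reader a trip to Certificates.pm. Also, `/^\*\.(.*)$/` accepts `*.` (empty base) and nested forms like `*.*.example.test`; RFC 8555 section 7.1.3 allows exactly one leading `*.` label, so a tighter pattern such as `/^\*\.([^*]+)$/` keeps the map limited to names the cited rule permits.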
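As an added example, not PMG's own code and not part of this patch, here is a stand-alone Perl script with the same two-step shape as the change: it parses the domain list into a `domains` / `validationtarget` structure and then resolves an ACME authorization to the config entry whose plugin has to answer the challenge. It goes a little beyond the patch: it branches on the authorization's `wildcard` flag (RFC 8555 section 7.1.4) rather than on a missing base-domain entry, so a base name and its wildcard can be configured side by side with different plugins, and it rejects wildcard entries whose plugin is not of type `dns`. The `domain=...,plugin=...` entries, the `$PLUGINS` table and the plugin ids are constructed sample input, and the hash layout is an assumption modelled on the patch.

```perl
#!/usr/bin/perl
# Added example (not PMG code): wildcard-aware ACME domain config lookup.
use strict;
use warnings;

# Constructed plugin table, shaped like the $plugins->{ids} hash the patch
# consults: id => { type => 'standalone' | 'dns', ... }. The ids are made up.
my $PLUGINS = {
    standalone => { type => 'standalone' },
    mydns      => { type => 'dns' },
};

# Parse constructed "domain=<name>,plugin=<id>" entries (the acmedomainN
# shape) into { domains => {...}, validationtarget => { base => '*.base' } }.
sub parse_acme_domains {
    my ($plugins, $entries) = @_;
    my $res = { domains => {}, validationtarget => {} };
    for my $entry (@$entries) {
        my %kv = map { split(/=/, $_, 2) } split(/,/, $entry);
        my $domain    = $kv{domain} // die "entry without domain\n";
        my $plugin_id = $kv{plugin} // 'standalone';
        die "unknown plugin '$plugin_id' for '$domain'\n"
            if !$plugins->{$plugin_id};
        die "duplicate domain '$domain'\n"
            if exists $res->{domains}->{$domain};
        if ($domain =~ /^\*\.([^*]+)$/) {
            # RFC 8555 7.1.3: exactly one leading "*." label; the CA validates
            # the base name $1, so remember which wildcard entry it belongs to.
            my $base = $1;
            die "wildcard '$domain' needs a dns plugin, '$plugin_id' is "
              . "$plugins->{$plugin_id}->{type}\n"
                if $plugins->{$plugin_id}->{type} ne 'dns';
            $res->{validationtarget}->{$base} = $domain;
        } elsif ($domain =~ /\*/) {
            die "invalid wildcard name '$domain'\n";
        }
        $res->{domains}->{$domain} = { plugin => $plugin_id };
    }
    return $res;
}

# Map an ACME authorization (identifier value = base name, "wildcard" flag
# says whether it stands for *.base, RFC 8555 7.1.4) to the config entry
# responsible for it. Returns (config key, entry).
sub resolve_authz_config {
    my ($conf, $authz) = @_;
    my $name = $authz->{identifier}->{value};
    my $key  = $name;
    if ($authz->{wildcard}) {
        # the CA asks for proof over the base name on behalf of *.$name
        $key = $conf->{validationtarget}->{$name}
            // die "no wildcard config covering '$name'\n";
    }
    my $domain_config = $conf->{domains}->{$key}
        // die "no config for domain '$key'\n";
    return ($key, $domain_config);
}

# Demo on constructed data: base name on HTTP validation, wildcard on DNS.
# Both authorizations carry the identifier "example.test"; only the wildcard
# flag tells them apart.
my $conf = parse_acme_domains($PLUGINS, [
    'domain=example.test,plugin=standalone',
    'domain=*.example.test,plugin=mydns',
]);
for my $authz (
    { identifier => { type => 'dns', value => 'example.test' } },
    { identifier => { type => 'dns', value => 'example.test' }, wildcard => 1 },
) {
    my ($key, $cfg) = resolve_authz_config($conf, $authz);
    printf "%s%s -> %s via plugin %s\n",
        $authz->{identifier}->{value},
        ($authz->{wildcard} ? ' (wildcard)' : ''),
        $key, $cfg->{plugin};
}
```

Running it prints one line per authorization: the plain `example.test` resolves to the `standalone` entry, the wildcard one to `*.example.test` via `mydns`. Dropping the `wildcard` branch and falling back only when the base entry is missing, as the patch does, would send both to `standalone`.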