[pbs-devel] [PATCH proxmox-backup v2] config: check if acme domain with wildcard uses dns challenge
Gabriel Goller
g.goller at proxmox.com
Wed Sep 18 14:06:40 CEST 2024
As already mentioned in our docs [0], wildcard domains are only
supported when the dns-challenge is used. If the dns-challenge is not
used, throw an error.
[0]: https://pbs.proxmox.com/docs/sysadmin.html#wildcard-certificates
Signed-off-by: Gabriel Goller <g.goller at proxmox.com>
---
v2, thanks @Christian:
- fixed configuration matching with wildcard
- adjusted error message
src/api2/node/certificates.rs | 18 +++++++++++++++---
src/config/node.rs | 10 ++++++++++
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/src/api2/node/certificates.rs b/src/api2/node/certificates.rs
index 61ef910e47a7..4b2952feb8bd 100644
--- a/src/api2/node/certificates.rs
+++ b/src/api2/node/certificates.rs
@@ -294,10 +294,22 @@ async fn order_certificate(
},
)?;
- let get_domain_config = |domain: &str| {
+ let get_domain_config = |domain: &str, wildcard: bool| {
domains
.iter()
- .find(|d| d.domain == domain)
+ .find(|d| {
+ if !wildcard {
+ // fast-path, no matching required
+ d.domain == domain
+ } else {
+ // https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
+ // DNS names in certificates may only have a single wildcard character, and it must
+ // be the entire leftmost DNS label, f.e. *.example.com
+ d.domain
+ .strip_prefix("*.")
+ .map_or(false, |stripped| domain == stripped)
+ }
+ })
.ok_or_else(|| format_err!("no config for domain '{}'", domain))
};
@@ -339,7 +351,7 @@ async fn order_certificate(
}
info!("The validation for {domain} is pending");
- let domain_config: &AcmeDomain = get_domain_config(&domain)?;
+ let domain_config: &AcmeDomain = get_domain_config(&domain, auth.wildcard)?;
let plugin_id = domain_config.plugin.as_deref().unwrap_or("standalone");
let mut plugin_cfg = crate::acme::get_acme_plugin(&plugins, plugin_id)?
.ok_or_else(|| format_err!("plugin '{plugin_id}' for domain '{domain}' not found!"))?;
diff --git a/src/config/node.rs b/src/config/node.rs
index 937beb3a125c..59faf3576b8a 100644
--- a/src/config/node.rs
+++ b/src/config/node.rs
@@ -272,6 +272,16 @@ impl NodeConfig {
if !domains.insert(domain.domain.to_lowercase()) {
bail!("duplicate domain '{}' in ACME config", domain.domain);
}
+ if domain.domain.contains('*')
+ && domain.plugin.map_or(true, |value| {
+ value.as_str() == "" || value.as_str() == "standalone"
+ })
+ {
+ bail!(
+ "wildcard domains like '{}' are not usable with the HTTP challenge type",
+ domain.domain
+ );
+ }
}
let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
if let Some(ciphers) = self.ciphers_tls_1_3.as_deref() {
--
2.39.5
More information about the pbs-devel
mailing list