[pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns validation

Stoiko Ivanov s.ivanov at proxmox.com
Thu Apr 15 21:46:18 CEST 2021


Wildcard DNS names (*.domain.example) are validated through their
base-domain (domain.example) according to the ACME RFC [0].

We store the indirection while parsing the acme config, and check for
an extra validation target during ordering.

This makes it possible to order wildcard certificates which are not
valid for the base-domain.

[0] https://tools.ietf.org/html/rfc8555#section-7.1.3

Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
v2->v3:
* add indirection
 src/PMG/API2/Certificates.pm | 5 +++++
 src/PMG/NodeConfig.pm        | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
index c08deb6..351d1c5 100644
--- a/src/PMG/API2/Certificates.pm
+++ b/src/PMG/API2/Certificates.pm
@@ -359,6 +359,11 @@ my $order_certificate = sub {
 	    print "The validation for $domain is pending!\n";
 
 	    my $domain_config = $acme_node_config->{domains}->{$domain};
+	    if (!defined($domain_config)) {
+		# wildcard domains are validated through the basedomain
+		my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
+		$domain_config = $acme_node_config->{domains}->{$vtarget};
+	    }
 	    die "no config for domain '$domain'\n" if !$domain_config;
 
 	    my $plugin_id = $domain_config->{plugin};
diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
index 6472a9d..5f96e62 100644
--- a/src/PMG/NodeConfig.pm
+++ b/src/PMG/NodeConfig.pm
@@ -216,6 +216,12 @@ sub get_acme_conf {
 		if !$plugins->{ids}->{$plugin_id};
 	}
 
+	# validation for wildcard domain names happens on the domain w/o
+	# wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
+	if ($domain =~ /^\*\.(.*)$/ ) {
+	    $res->{validationtarget}->{$1} = $domain;
+	}
+
 	$parsed->{_configkey} = "acmedomain$index";
 	$res->{domains}->{$domain} = $parsed;
     }
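Review bot: the match `/^\*\.(.*)$/` is looser than the mapping needs: `(.*)` also accepts an empty base (`*.`) and nested wildcards (`*.*.example`), registering `''` or another wildcard as the validation target; `/^\*\.([^*]+)$/` (or rejecting captures that still contain `*`) keeps `validationtarget` keyed by plain base domains. Minor: there is a stray space before the closing paren in `/ )`. Since the patch is specifically about DNS validation of wildcards, this loop (which already checks `$plugins->{ids}->{$plugin_id}`) would also be the natural place to reject a wildcard entry whose plugin cannot perform DNS validation, instead of letting it fail at order time.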
-- 
2.20.1