[pve-devel] [common 6/9] command composer for acme.sh

Wolfgang Link w.link at proxmox.com
Mon Oct 21 12:11:33 CEST 2019


comment inline

On 10/18/19 11:27 AM, Fabian Grünbichler wrote:
> On October 14, 2019 1:08 pm, Wolfgang Link wrote:
>> This composer supports two different operations.
>> pve-setup:     this operation adds the DNS TXT record.
>> pve-teardown:  this operation removes the DNS TXT record
>> ---
>>   src/PVE/ACME/ACME_sh.pm | 16 ++++++++++++++++
>>   1 file changed, 16 insertions(+)
>>
>> diff --git a/src/PVE/ACME/ACME_sh.pm b/src/PVE/ACME/ACME_sh.pm
>> index db8af9a..40be772 100644
>> --- a/src/PVE/ACME/ACME_sh.pm
>> +++ b/src/PVE/ACME/ACME_sh.pm
>> @@ -38,6 +38,22 @@ my $get_dnsapi_conf = sub {
>>       return ($api_plugin, "$API_CRED_DIR/$api_plugin.cred");
>>   };
>>   
>> +my $compose_cmd = sub {
>> +    my ($op, $token, $domain, $alias) = @_;
> $token is not the token from the challenge, but the base64url-encoded,
> hashed key_authorization? please name variables for what they actually
> contain..
>
>> +
>> +    my ($dns_api_plugin, $cred_file_path) = &$get_dnsapi_conf();
>> +
>> +    # valid operations for this composer are pve-setup and pve-teardown
>> +    my @cmd = ('/usr/sbin/acme', "--$op");
>> +    push @cmd, '--webroot', $dns_api_plugin;
> huh? webroot is something different altogether, why use this term here?
Internal at the acme.sh script not.
>> +    push @cmd, '--domain', "_acme-challenge.$domain";
> either the domain is $domain (if it is still used to derive some
> validation response value somehow?)
>
>> +    push @cmd, '--token', $token;
> same here..
>
>> +    push @cmd, '--accountconf', $cred_file_path;
>> +    push @cmd, '--challenge-alias', $alias if defined($alias);
> or the domain should be replaced with the aliased domain, since it just
> signifies under which key the TXT record is created?
>
> this command is supposed to be just a thin wrapper around the DNS API
> plugins, I'd expect the following:
>
> acme --pve-setup --plugin-conf $cred_file_path --plugin foo --domain $fulldomain --txtvalue $txtvalue
>
> where $fulldomain is either the regular domain, or the alias.. or am I
> missing something here?

The FQDN Letsencrypt is looking for is

_acme-challenge.[subdomain.]<Domain>.<TLD>

This can be a CNAME record or a TXT record.

The CNAME must be a redirection to the TXT record.

Whether _acme-challenge. is set on our side or in the wrapper makes no matter.

>> +
>> +    return \@cmd;
>> +};
>> +
>>   sub validating_url {
>>       my ($class, $acme, $auth, $auth_url, $node_config) = @_;
>>   
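Review bot: the comment `# valid operations for this composer are pve-setup and pve-teardown` is not enforced anywhere in the hunk: `$op` is interpolated straight into `"--$op"`, so whatever string the caller passes becomes a command-line flag of `/usr/sbin/acme`. Add a check before `@cmd` is built, e.g. `die "invalid operation '$op'\n" unless $op eq 'pve-setup' || $op eq 'pve-teardown';`. Also note that `--domain` receives `"_acme-challenge.$domain"` while `--challenge-alias` receives `$alias` unchanged, so either the alias needs the same prefix here or the wrapper has to add it, otherwise the two arguments name records at different levels.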
>> -- 
>> 2.20.1
>>
>>
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel at pve.proxmox.com
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel