[pve-devel] [manager 5/6] add alias parameter for ACME DNS Challenge.

Wolfgang Link w.link at proxmox.com
Mon Oct 21 12:11:41 CEST 2019


On 10/18/19 11:26 AM, Fabian Grünbichler wrote:
> On October 14, 2019 1:08 pm, Wolfgang Link wrote:
>> This parameter allows using an alternative domain
>> for setting up the DNS record.
>>
>> This can be useful for security reasons or if the real domain has no
>> ability to automatically set up a DNS record.
>> ---
>>   PVE/NodeConfig.pm | 7 +++++++
>>   1 file changed, 7 insertions(+)
>>
>> diff --git a/PVE/NodeConfig.pm b/PVE/NodeConfig.pm
>> index 7817bd1e..b84590ac 100644
>> --- a/PVE/NodeConfig.pm
>> +++ b/PVE/NodeConfig.pm
>> @@ -78,6 +78,13 @@ my $acmedesc = {
>>   	optional => 1,
>>   	description => 'Supported ACME Plugins',
>>       },
>> +    alias => {
>> +	type => 'string',
>> +	format => 'pve-acme-domain',
>> +	format_description => 'domain',
>> +	description => 'Alias where the TXT DNS record will be set',
>> +	optional => 1,
>> +    },
> I assume this is https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode ?
Yes.
> this is a bit tricky, as it is only relevant for DNS/acme.sh, but it is
> tied to the domains.. from a logical point of view, we'd need to put
> this and the plugin instance ID into the domain list, since both are per
> domain... but that would make for quite the messy config file:
>
> acme: account=default,domains=domain1.com:plugin_id1:alias1;domain2.com:plugin_id2:
>
> we could of course interpret the existing 'domains' member from the
> acme line as "no alias, default plugin" and deprecate that format in
> favour of
The alias feature is one of the killer features of the DNS challenge.
With aliases, you can give people the capability to issue
certificates without giving them access to the main domain.
This use case is prevalent: a server admin has no access to the
company DNS,
or he won't give a script access to the main domain where the key is
saved in plaintext.
> acme: account=default
> acme_domain0: domain.com,plugin=plugin_id1,alias=alias1
> acme_domain1: domain2.com
>
> which could easily be converted in one r-m-w cycle..
>
> @Thomas, Dietmar: any input?
>
>>       domains => {
>>   	type => 'string',
>>   	format => 'pve-acme-domain-list',
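Review bot: `alias` is declared as a single 'pve-acme-domain' string next to `domains`, which is a 'pve-acme-domain-list', so one alias would cover every listed domain and there is no way to give different domains different aliases or none. Either carry the alias per domain or say in the description that it applies to all entries in `domains`. The description 'Alias where the TXT DNS record will be set' should also state that the value is only used for the DNS challenge, since nothing in this schema entry ties it to a plugin.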
>> -- 
>> 2.20.1
>>
>>
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel at pve.proxmox.com
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
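The per-domain layout proposed in the thread, and what an alias changes about where the challenge record lands, as an added example that is not code from the patch or from Proxmox. It assumes the `acme_domainN` line format sketched in the reply (a proposal, not an implemented format), the `_acme-challenge` naming used by acme.sh's challenge-alias mode, and a constructed alias `alias1.example`; `parse_domains` and `dns_plan` are hypothetical names.

```python
import re

# Constructed sample in the per-domain layout proposed in the thread
# (a proposal under discussion, not an implemented PVE format).
SAMPLE = """\
acme: account=default
acme_domain0: domain.com,plugin=plugin_id1,alias=alias1.example
acme_domain1: domain2.com
"""

LABEL = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^({LABEL}\.)+{LABEL}$", re.IGNORECASE)


def parse_domains(text):
    """Return one dict per acme_domainN line: domain, plugin, alias."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^acme_domain(\d+):\s*(\S+)$", line)
        if not m:
            continue
        domain, *opts = m.group(2).split(",")
        entry = {"domain": domain, "plugin": None, "alias": None}
        for opt in opts:
            key, sep, value = opt.partition("=")
            if key not in ("plugin", "alias") or not sep or not value:
                raise ValueError(f"bad option {opt!r} for {domain}")
            entry[key] = value
        # Reject anything that is not a plain DNS name before it reaches a plugin.
        for name in (entry["domain"], entry["alias"]):
            if name is not None and not DOMAIN_RE.match(name):
                raise ValueError(f"not a domain name: {name!r}")
        entries.append(entry)
    return entries


def dns_plan(entry):
    """Where the TXT record is written, and the CNAME that must already exist."""
    challenge = f"_acme-challenge.{entry['domain']}"
    if entry["alias"] is None:
        return {"txt_at": challenge, "cname": None}
    target = f"_acme-challenge.{entry['alias']}"
    # With an alias, the API credential only needs write access to the alias zone.
    return {"txt_at": target, "cname": (challenge, target)}


if __name__ == "__main__":
    for e in parse_domains(SAMPLE):
        print(e["domain"], dns_plan(e))
```

The `cname` pair is the delegation an administrator of the main zone creates once by hand; after that, the stored DNS API key never needs rights on the main domain.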