[pve-devel] [manager 5/6] add alias parameter for ACME DNS Challenge.
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Oct 22 11:18:43 CEST 2019
On October 21, 2019 12:11 pm, Wolfgang Link wrote:
>
> On 10/18/19 11:26 AM, Fabian Grünbichler wrote:
>> On October 14, 2019 1:08 pm, Wolfgang Link wrote:
>>> This parameter allows using an alternative domain
>>> for setting up the DNS record.
>>>
>>> This can be useful for security reasons or if the real domain has no
>>> ability to automatically set up a DNS record.
>>> ---
>>> PVE/NodeConfig.pm | 7 +++++++
>>> 1 file changed, 7 insertions(+)
>>>
>>> diff --git a/PVE/NodeConfig.pm b/PVE/NodeConfig.pm
>>> index 7817bd1e..b84590ac 100644
>>> --- a/PVE/NodeConfig.pm
>>> +++ b/PVE/NodeConfig.pm
>>> @@ -78,6 +78,13 @@ my $acmedesc = {
>>> optional => 1,
>>> description => 'Supported ACME Plugins',
>>> },
>>> + alias => {
>>> + type => 'string',
>>> + format => 'pve-acme-domain',
>>> + format_description => 'domain',
>>> + description => 'Alias where the TXT DNS record will be set',
>>> + optional => 1,
>>> + },
>> I assume this is https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode ?
> Yes.
>> this is a bit tricky, as it is only relevant for DNS/acme.sh, but it is
>> tied to the domains.. from a logical point of view, we'd need to put
>> this and the plugin instance ID into the domain list, since both are per
>> domain... but that would make for quite the messy config file:
>>
>> acme: account=default,domains=domain1.com:plugin_id1:alias1;domain2.com:plugin_id2:
>>
>> we could of course interpret the existing 'domains' member from the
>> acme line as "no alias, default plugin" and deprecate that format in
>> favour of
> The alias feature is one of the killer features of the DNS challenge.
> With the aliases, you can give persons the capability to issue
> certificates without giving them access to the main domain.
> This use case is prevalent: a server admin has no access to the
> company DNS,
> or he won't give a script access to the main domain, where the key is
> saved in plaintext.
yes, I see the appeal (at least for DNS providers where you cannot set
such restrictions on the API access already, or which don't offer any
API at all).
>> acme: account=default
>> acme_domain0: domain.com,plugin=plugin_id1,alias=alias1
>> acme_domain1: domain2.com
>>
>> which could easily be converted in one r-m-w cycle..
>>
>> @Thomas, Dietmar: any input?
>>
>>> domains => {
>>> type => 'string',
>>> format => 'pve-acme-domain-list',
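Review bot: `alias` is added to the node-wide `$acmedesc` next to `domains`, which is a `pve-acme-domain-list`, so one alias silently applies to every domain in the list and there is no way to express a per-domain alias or "no alias" for only some domains. Either place it in the per-domain structure discussed in this thread, or at least make the description say so, e.g. `description => 'Alias domain where the TXT DNS record will be set for all configured domains'`, so users do not expect per-domain behaviour from this option.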
>>> --
>>> 2.20.1
>>>
>>>
>>> _______________________________________________
>>> pve-devel mailing list
>>> pve-devel at pve.proxmox.com
>>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
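The config migration sketched above (legacy `acme:` line with a `domains` list, converted in one read-modify-write cycle into per-domain `acme_domainN:` entries where a bare entry means "no alias, default plugin"), as an added Python example that is not Proxmox code. It assumes comma-separated property strings, a `;`-separated legacy domain list as in the thread's example, and that the first bare value of an `acme_domainN` entry is the domain.

```python
# Added example, not PVE code. Assumed layout: 'key: value' lines, values are
# comma-separated 'k=v' or bare items; legacy 'domains' list is ';'-separated.

def parse_props(value):
    """Split 'a=1,b=2,bare' into (bare_values, {key: val})."""
    bare, props = [], {}
    for part in value.split(','):
        part = part.strip()
        if not part:
            continue
        if '=' in part:
            k, v = part.split('=', 1)
            props[k.strip()] = v.strip()
        else:
            bare.append(part)
    return bare, props

def convert_legacy(config_lines):
    """Rewrite 'acme: account=...,domains=a;b' into 'acme_domainN:' entries.
    Domains from the legacy list get no plugin/alias (= default plugin, no alias).
    Existing acme_domainN entries are kept and new indices continue after them."""
    out, domains = [], []
    next_idx = sum(1 for l in config_lines if l.partition(':')[0].strip().startswith('acme_domain'))
    for line in config_lines:
        key, _, value = line.partition(':')
        if key.strip() != 'acme':
            out.append(line)
            continue
        _, props = parse_props(value)
        domains = [d for d in props.pop('domains', '').split(';') if d]
        rest = ','.join(f'{k}={v}' for k, v in props.items())
        out.append('acme: ' + rest if rest else 'acme:')
    for i, domain in enumerate(domains, start=next_idx):
        out.append(f'acme_domain{i}: {domain}')
    return out

def domain_entries(config_lines):
    """Return {domain: {'plugin': ..., 'alias': ...}} from acme_domainN lines;
    a missing plugin or alias is reported as None."""
    entries = {}
    for line in config_lines:
        key, _, value = line.partition(':')
        if not key.strip().startswith('acme_domain'):
            continue
        bare, props = parse_props(value)
        if not bare:
            continue  # malformed entry without a domain; skip rather than guess
        entries[bare[0]] = {'plugin': props.get('plugin'), 'alias': props.get('alias')}
    return entries
```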