[pve-devel] [PATCH manager] fix #2784: always compare ACME domains in lower case

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Jun 17 11:15:11 CEST 2020


otherwise the ACME endpoint might return the ordered domain in lower
case and we fail to find our plugin config.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 PVE/API2/ACME.pm  | 4 +++-
 PVE/NodeConfig.pm | 9 ++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/PVE/API2/ACME.pm b/PVE/API2/ACME.pm
index c7d6e7e9..f4049db0 100644
--- a/PVE/API2/ACME.pm
+++ b/PVE/API2/ACME.pm
@@ -56,7 +56,9 @@ my $order_certificate = sub {
     for my $auth_url (@{$order->{authorizations}}) {
 	print "\nGetting authorization details from '$auth_url'\n";
 	my $auth = $acme->get_authorization($auth_url);
-	my $domain = $auth->{identifier}->{value};
+
+	# force lower case, like get_acme_conf does
+	my $domain = lc($auth->{identifier}->{value});
 	if ($auth->{status} eq 'valid') {
 	    print "$domain is already validated!\n";
 	} else {
diff --git a/PVE/NodeConfig.pm b/PVE/NodeConfig.pm
index af726b15..ad49e288 100644
--- a/PVE/NodeConfig.pm
+++ b/PVE/NodeConfig.pm
@@ -236,6 +236,9 @@ sub write_node_config {
     return $raw;
 }
 
+# we always convert domain values to lower case, since DNS entries are not case
+# sensitive and ACME implementations might convert the ordered identifiers
+# to lower case
 sub get_acme_conf {
     my ($node_conf, $noerr) = @_;
 
@@ -253,6 +256,10 @@ sub get_acme_conf {
 	my $standalone_domains = delete($res->{domains}) // '';
 	$res->{domains} = {};
 	for my $domain (split(";", $standalone_domains)) {
+	    $domain = lc($domain);
+	    die "duplicate domain '$domain' in ACME config properties\n"
+		if defined($res->{domains}->{$domain});
+
 	    $res->{domains}->{$domain}->{plugin} = 'standalone';
 	    $res->{domains}->{$domain}->{_configkey} = 'acme';
 	}
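Review bot: The duplicate check added to the standalone-domain loop dies unconditionally, while the other error paths visible in get_acme_conf (the parse failure and the per-domain duplicate check in the following hunk) first do `return undef if $noerr;`. A caller that passes `$noerr` and reads a node config whose `domains` list holds the same name twice, for example `Example.com;example.com` (constructed sample), would now get an exception instead of undef. Such a list was accepted before this change, so existing configs can start failing on read. Consider adding `return undef if $noerr && defined($res->{domains}->{$domain});` ahead of the `die`. get_acme_conf starts and ends outside this hunk, so how its callers rely on `$noerr` should be confirmed.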
@@ -271,7 +278,7 @@ sub get_acme_conf {
 	    return undef if $noerr;
 	    die $err;
 	}
-	my $domain = delete $parsed->{domain};
+	my $domain = lc(delete $parsed->{domain});
 	if (my $exists = $res->{domains}->{$domain}) {
 	    return undef if $noerr;
 	    die "duplicate domain '$domain' in ACME config properties"
-- 
2.20.1




