[pve-devel] [Patch V2 acme 11/12] Add DNSChallenge Plugin
Wolfgang Link
w.link at proxmox.com
Tue Mar 31 12:08:50 CEST 2020
This plugin calls the custom script `proxmox-acme` (built on acme.sh) and uses the DNS API implementations it provides.
Signed-off-by: Wolfgang Link <w.link at proxmox.com>
---
debian/control | 3 +-
src/Makefile | 1 +
src/PVE/ACME.pm | 1 +
src/PVE/ACME/DNSChallenge.pm | 197 +++++++++++++++++++++++++++++++++++
4 files changed, 201 insertions(+), 1 deletion(-)
create mode 100644 src/PVE/ACME/DNSChallenge.pm
diff --git a/debian/control b/debian/control
index 87ba731..bb85c98 100644
--- a/debian/control
+++ b/debian/control
@@ -13,5 +13,6 @@ Description: easy and small shell script to automatically issue
and renew the free certificates from Let's Encrypt.
Depends: curl (>= 7.64.0-1),
coreutils (>= 8.30-1),
- sed (>= 4.7-1)
+ sed (>= 4.7-1),
+ libpve-common-perl,
Recommends: idn
diff --git a/src/Makefile b/src/Makefile
index c56a354..11b35ff 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -107,6 +107,7 @@ LIB_SOURCES = \
ACME.pm \
ACME/Challenge.pm \
ACME/StandAlone.pm \
+ ACME/DNSChallenge.pm \
all:
diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
index 7c0794a..86fb9b0 100644
--- a/src/PVE/ACME.pm
+++ b/src/PVE/ACME.pm
@@ -25,6 +25,7 @@ file_get_contents
use PVE::ACME::Challenge;
use PVE::ACME::StandAlone;
+use PVE::ACME::DNSChallenge;
Crypt::OpenSSL::RSA->import_random_seed();
diff --git a/src/PVE/ACME/DNSChallenge.pm b/src/PVE/ACME/DNSChallenge.pm
new file mode 100644
index 0000000..77d143f
--- /dev/null
+++ b/src/PVE/ACME/DNSChallenge.pm
@@ -0,0 +1,197 @@
+package PVE::ACME::DNSChallenge;
+
+use strict;
+use warnings;
+
+use Digest::SHA qw(sha256);
+use PVE::Tools;
+
+use base qw(PVE::ACME::Challenge);
+
+my $ACME_PATH = '/usr/share/proxmox-ve/proxmox-acme/proxmox-acme';
+
+sub supported_challenge_types {
+ return { 'dns-01' => 1 };
+}
+
+sub type {
+ return 'dns';
+}
+
+my $api_name_list = [
+ 'acmedns',
+ 'acmeproxy',
+ 'active24',
+ 'ad',
+ 'ali',
+ 'autodns',
+ 'aws',
+ 'azure',
+ 'cf',
+ 'clouddns',
+ 'cloudns',
+ 'cn',
+ 'conoha',
+ 'constellix',
+ 'cx',
+ 'cyon',
+ 'da',
+ 'ddnss',
+ 'desec',
+ 'dgon',
+ 'dnsimple',
+ 'do',
+ 'doapi',
+ 'domeneshop',
+ 'dp',
+ 'dpi',
+ 'dreamhost',
+ 'duckdns',
+ 'durabledns',
+ 'dyn',
+ 'dynu',
+ 'dynv6',
+ 'easydns',
+ 'euserv',
+ 'exoscale',
+ 'freedns',
+ 'gandi_livedns',
+ 'gcloud',
+ 'gd',
+ 'gdnsdk',
+ 'he',
+ 'hexonet',
+ 'hostingde',
+ 'infoblox',
+ 'internetbs',
+ 'inwx',
+ 'ispconfig',
+ 'jd',
+ 'kas',
+ 'kinghost',
+ 'knot',
+ 'leaseweb',
+ 'lexicon',
+ 'linode',
+ 'linode_v4',
+ 'loopia',
+ 'lua',
+ 'maradns',
+ 'me',
+ 'miab',
+ 'misaka',
+ 'myapi',
+ 'mydevil',
+ 'mydnsjp',
+ 'namecheap',
+ 'namecom',
+ 'namesilo',
+ 'nederhost',
+ 'neodigit',
+ 'netcup',
+ 'nic',
+ 'nsd',
+ 'nsone',
+ 'nsupdate',
+ 'nw',
+ 'one',
+ 'online',
+ 'openprovider',
+ 'opnsense',
+ 'ovh',
+ 'pdns',
+ 'pleskxml',
+ 'pointhq',
+ 'rackspace',
+ 'rcode0',
+ 'regru',
+ 'schlundtech',
+ 'selectel',
+ 'servercow',
+ 'tele3',
+ 'ultra',
+ 'unoeuro',
+ 'variomedia',
+ 'vscale',
+ 'vultr',
+ 'yandex',
+ 'zilore',
+ 'zone',
+ 'zonomi',
+];
+
+sub properties {
+ return {
+ api => {
+ description => "API plugin name",
+ type => 'string',
+ enum => $api_name_list,
+ },
+ data => {
+ type => 'string',
+ description => 'DNS plugin data.',
+ },
+ };
+}
+
+sub options {
+ return {
+ api => {},
+ data => {},
+ nodes => { optional => 1 },
+ disable => { optional => 1 },
+ };
+}
+
+my $outfunc = sub {
+ my $line = shift;
+ print "$line\n";
+};
+
+# The order of the parameters passed to proxmox-acme is important
+# proxmox-acme setup $plugin [$domain|$alias] $txtvalue $plugin_conf_string
+sub setup {
+ my ($class, $acme, $authorization, $plugin) = @_;
+
+ my $plugin_conf_string = PVE::Tools::decode_text($plugin->{data});
+
+ my $dns_challenge =
+ PVE::ACME::extract_challenge($authorization->{'challenges'}, "dns-01");
+ my $url = $dns_challenge->{'url'};
+
+ my $domain = $plugin->{alias} ?
+ $plugin->{'alias'} : $authorization->{'identifier'}->{'value'};
+
+ my $key_auth = $acme->key_authorization($dns_challenge->{'token'});
+ my $txtvalue = PVE::ACME::encode(sha256($key_auth));
+
+ my $dns_plugin = $plugin->{api};
+ my $cmd = ["bash", $ACME_PATH, "setup", $dns_plugin, $domain];
+ push @$cmd, $txtvalue, $plugin_conf_string;
+
+ PVE::Tools::run_command($cmd, outfunc => $outfunc);
+ print "Add TXT record: _acme-challenge.$domain\n";
+ my $self = {
+ dnsplugin => $dns_plugin,
+ domain => $domain,
+ txtvalue => $txtvalue,
+ plugin_conf_string => $plugin_conf_string,
+ url => $url,
+ };
+
+ return bless $self, $class;
+}
+
+# The order of the parameters passed to proxmox-acme is important
+# proxmox-acme teardown $plugin [$domain|$alias] $txtvalue $plugin_conf_string
+sub teardown {
+ my ($class) = @_;
+
+ my $domain = $class->{domain};
+ my $cmd = ["bash", "$ACME_PATH", "teardown", $class->{dnsplugin}];
+ push @$cmd, $domain, $class->{txtvalue}, $class->{plugin_conf_string};
+ PVE::Tools::run_command($cmd, outfunc => $outfunc);
+ print "Remove TXT record: _acme-challenge.$domain\n";
+}
+
+1;
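Review bot: The decoded plugin data, which in practice holds the DNS provider's API credentials, is passed to the helper as a command-line argument in both `setup` (the `push @$cmd, $txtvalue, $plugin_conf_string;` line) and `teardown`; argv is readable by every local user via `ps` and `/proc/<pid>/cmdline`, so the secrets leak for the lifetime of each `bash` invocation. Prefer handing the data over stdin or the environment instead, e.g. `my $cmd = ["bash", $ACME_PATH, "setup", $dns_plugin, $domain, $txtvalue];` followed by `PVE::Tools::run_command($cmd, outfunc => $outfunc, input => $plugin_conf_string);` (assuming `run_command`'s `input` option is available and the proxmox-acme script, which is not in this patch, is adapted to read it). Relatedly, `$outfunc` prints every line the helper emits verbatim, so any debug output from the provider scripts that echoes credentials would end up in the task log; consider filtering or at least documenting that expectation. As a point of style, `teardown` unpacks its invocant as `$class` although it is the blessed hash returned by `setup`; naming it `$self` (`my ($self) = @_;`) would make that clear, and the stored `url` field is currently never read.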
--
2.20.1