1 package PVE
::ACME
::DNSChallenge
;
6 use Digest
::SHA
qw(sha256);
11 use base
qw(PVE::ACME::Challenge);
13 my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
15 sub supported_challenge_types
{
23 # describe the data schema of the supported plugins, e.g.:
25 # name => 'Full name of Plugin',
28 # description => "The API key",
41 'ACMEDNS_UPDATE_URL' => {
42 description
=> 'The API update endpoint',
45 'ACMEDNS_USERNAME' => {
46 description
=> 'The acme-dns user',
49 'ACMEDNS_PASSWORD' => {
50 description
=> 'The acme-dns password',
53 'ACMEDNS_SUBDOMAIN' => {
54 description
=> 'The subdomain you got from acme-dns registration',
64 description
=> "The API key",
73 description
=> "The API key",
79 name
=> 'Alibaba Cloud DNS',
82 description
=> 'The API endpoint',
83 default => "https://alidns.aliyuncs.com/",
88 description
=> 'The API Key',
92 description
=> 'The API Secret',
103 description
=> 'The API Key',
107 description
=> 'The API Secret',
114 name
=> 'Amazon Route53 (AWS)',
116 'AWS_ACCESS_KEY_ID' => {
117 name
=> 'ACCESS_KEY_ID',
118 description
=> 'The AWS access-key ID',
121 'AWS_SECRET_ACCESS_KEY' => {
122 name
=> 'SECRET_ACCESS_KEY',
123 description
=> 'The AWS access-key secret',
130 name
=> 'Cloudflare Managed DNS',
131 description
=> 'Either provide global account key and email, or CF API token and Account ID.',
134 description
=> 'The Cloudflare Global API Key',
138 description
=> 'The Cloudflare Account EMail-Address',
142 description
=> 'The new Cloudflare API Token',
146 description
=> 'The new Cloudflare API Account ID',
150 description
=> 'For Zone restricted API Token',
167 name
=> 'DigitalOcean DNS',
170 description
=> 'The DigitalOcean API Key',
192 'gandi_livedns' => {},
198 description
=> 'The GoDaddy API Key',
202 description
=> 'The GoDaddy API Secret',
220 description
=> 'The INWX username',
224 description
=> 'The INWX password',
234 name
=> 'kapper.net',
236 'KAPPERNETDNS_Key' => {
237 description
=> 'Your kapper.net API key',
240 'KAPPERNETDNS_Secret' => {
241 description
=> 'Your kapper.net API secret',
278 'openprovider' => {},
285 description
=> "The OVH endpoint",
291 description
=> "The application key.",
295 description
=> "The application secret.",
299 description
=> "The consumer key.",
306 name
=> 'PowerDNS server',
309 description
=> "The PowerDNS API endpoint.",
328 'PORKBUN_API_KEY' => {
329 description
=> 'The API Key',
332 'PORKBUN_SECRET_API_KEY' => {
333 description
=> 'The API Secret',
357 'WORLD4YOU_USERNAME' => {
358 description
=> "The World4You customer id or package id",
361 'WORLD4YOU_PASSWORD' => {
362 description
=> "The World4You password",
374 sub get_supported_plugins
{
381 description
=> "API plugin name",
383 enum
=> [sort keys %$plugins],
387 description
=> 'DNS plugin data. (base64 encoded)',
389 'validation-delay' => {
391 description
=> 'Extra delay in seconds to wait before requesting validation.'
392 .' Allows to cope with a long TTL of DNS records.',
393 # low default, but our bet is that the acme-challenge domain isn't
394 # cached at all, so it hopefully shouldn't run into TTL issues
398 maximum
=> 2 * 24 * 60 * 60,
406 data
=> { optional
=> 1 },
407 nodes
=> { optional
=> 1 },
408 disable
=> { optional
=> 1 },
409 'validation-delay' => { optional
=> 1 },
413 my $proxmox_acme_command = sub {
414 my ($self, $acme, $auth, $data, $action) = @_;
416 die "No plugin data for DNSChallenge\n" if !defined($data->{plugin
});
418 my $alias = $data->{alias
};
419 my $domain = $auth->{identifier
}->{value
};
421 my $challenge = $self->extract_challenge($auth->{challenges
});
422 my $key_auth = $acme->key_authorization($challenge->{token
});
424 my $txtvalue = PVE
::ACME
::encode
(sha256
($key_auth));
425 my $dnsplugin = $data->{plugin
}->{api
};
426 my $plugin_conf_string = $data->{plugin
}->{data
};
428 # for security reasons, we execute the command as nobody
429 # we can't verify that the code of the DNSPlugins are harmless.
430 my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
432 # The order of the parameters passed to proxmox-acme is important
433 # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
434 push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
440 my $input = "$txtvalue\n";
441 $input .= "$plugin_conf_string\n" if $plugin_conf_string;
443 PVE
::Tools
::run_command
($cmd, input
=> $input);
445 $data->{url
} = $challenge->{url
};
451 my ($self, $acme, $auth, $data) = @_;
453 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
454 print "Add TXT record: _acme-challenge.$domain\n";
456 my $delay = $data->{plugin
}->{'validation-delay'} // 30;
458 print "Sleeping $delay seconds to wait for TXT record propagation\n";
459 sleep($delay); # don't care for EINTR
464 my ($self, $acme, $auth, $data) = @_;
466 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
467 print "Remove TXT record: _acme-challenge.$domain\n";