From: Stoiko Ivanov Date: Thu, 15 Apr 2021 19:46:18 +0000 (+0200) Subject: acme: handle wildcard dns validation X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=fe0886a97566a53b39e64a6dc8d27dc6404ac2b3;hp=7266d5fd320c01c6d6f23bec4061d0c896d7d064;p=pmg-api.git acme: handle wildcard dns validation Wildcard DNS names (*.domain.example) are validated through their base-domain (domain.example) according to the ACME RFC [0]. We store the indirection while parsing the acme config, and check for an extra validation target during ordering. This makes it possible to order wildcard certificates which are not valid for the base-domain. [0] https://tools.ietf.org/html/rfc8555#section-7.1.3 Signed-off-by: Stoiko Ivanov
---
diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
index 6794c36..b52f010 100644
--- a/src/PMG/API2/Certificates.pm
+++ b/src/PMG/API2/Certificates.pm
@@ -361,6 +361,11 @@ my $order_certificate = sub {
 print "The validation for $domain is pending!\n";
 my $domain_config = $acme_node_config->{domains}->{$domain};
+ if (!defined($domain_config)) {
+ # wildcard domains are validated through the basedomain
+ my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
+ $domain_config = $acme_node_config->{domains}->{$vtarget};
+ }
 die "no config for domain '$domain'\n" if !$domain_config;
 my $plugin_id = $domain_config->{plugin};
diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
index 6472a9d..5f96e62 100644
--- a/src/PMG/NodeConfig.pm
+++ b/src/PMG/NodeConfig.pm
@@ -216,6 +216,12 @@ sub get_acme_conf {
 if !$plugins->{ids}->{$plugin_id};
 }
+ # validation for wildcard domain names happens on the domain w/o
+ # wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
+ if ($domain =~ /^\*\.(.*)$/ ) {
+ $res->{validationtarget}->{$1} = $domain;
+ }
+
 $parsed->{_configkey} = "acmedomain$index";
 $res->{domains}->{$domain} = $parsed;
 }
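Review bot: When both `example.com` and `*.example.com` are configured, the added `if (!defined($domain_config))` fallback in Certificates.pm is never reached for the wildcard authorization, because that authorization's identifier is also `example.com` and `$acme_node_config->{domains}->{$domain}` already resolves to the base-domain entry, so the plugin configured on the wildcard entry is silently ignored. Whether that matters depends on the authorization loop outside this hunk (the `$order_certificate` sub starts and ends outside it); if the authorization object's wildcard flag is available there, consulting `validationtarget` first when that flag is set would keep the two entries independent. Separately, `// ''` followed by a lookup of `domains->{''}` relies on a lookup of the empty key to express "no mapping", which hides the intent; `my $vtarget = $acme_node_config->{validationtarget}->{$domain};` and `$domain_config = $acme_node_config->{domains}->{$vtarget} if defined($vtarget);` reads as the missing-mapping check it is, and the existing `die "no config for domain ..."` still covers the failure case.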
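Review bot: The orientation of `validationtarget` in the NodeConfig.pm hunk is easy to misread at its lookup site — the map is keyed by the base domain and holds the wildcard entry, not the other way round — and the added comment does not say so; suggest extending it with `# keyed by base domain, value is the wildcard entry: the ACME authorization for *.example.com carries the identifier example.com`. The capture in `/^\*\.(.*)$/` also accepts anything after the leading `*.`, so a configured value such as `*.*.example.com` would register `*.example.com` as a validation target unless the domain format check done earlier (outside the hunk) already rejects nested wildcards; `if ($domain =~ m{\A \*\. ([^*]+) \z}x)` makes the single-label wildcard assumption explicit and avoids `$` matching before a trailing newline. If two configured entries could map to the same base domain the later one would overwrite the earlier silently; presumably the duplicate-domain check earlier in `get_acme_conf` prevents that, but it is not visible here, and `get_acme_conf` itself starts and ends outside the hunk.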