Wildcard DNS names (*.domain.example) are validated through their
base-domain (domain.example) according to the ACME RFC [0].
We store the indirection while parsing the acme config, and check for
an extra validation target during ordering.
This makes it possible to order wildcard certificates which are not
valid for the base-domain.
[0] https://tools.ietf.org/html/rfc8555#section-7.1.3
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
print "The validation for $domain is pending!\n";
my $domain_config = $acme_node_config->{domains}->{$domain};
+ if (!defined($domain_config)) {
+ # wildcard domains are validated through the basedomain
+ my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
+ $domain_config = $acme_node_config->{domains}->{$vtarget};
+ }
die "no config for domain '$domain'\n" if !$domain_config;
my $plugin_id = $domain_config->{plugin};
if !$plugins->{ids}->{$plugin_id};
}
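Review bot: The fallback at `if (!defined($domain_config))` only runs when the base domain has no entry of its own, so when both `domain.example` and `*.domain.example` are configured, the wildcard's authorization would presumably be validated with the base domain's plugin. Per RFC 8555 section 7.1.3 the authorization identifier for a wildcard order omits the `*.` prefix, so `$domain` alone cannot tell the two authorizations apart, and CAs commonly accept only a DNS-based challenge for wildcard identifiers, which an HTTP-based plugin cannot answer. Consider checking the authorization's `wildcard` field (not visible in this hunk) and preferring the `validationtarget` entry when it is set, or at least documenting the limitation with a comment such as `# NOTE: if the base domain is configured too, its plugin is used for the wildcard authorization as well`. The enclosing loop starts outside the hunk.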
+ # validation for wildcard domain names happens on the domain w/o
+ # wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
+ if ($domain =~ /^\*\.(.*)$/ ) {
+ $res->{validationtarget}->{$1} = $domain;
+ }
+
$parsed->{_configkey} = "acmedomain$index";
$res->{domains}->{$domain} = $parsed;
}
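Review bot: The map built at `$res->{validationtarget}->{$1} = $domain` is keyed by the base domain and holds the configured wildcard name, which reads as the reverse of what `validationtarget` suggests; a comment such as `# key: name the CA validates (base domain), value: configured wildcard entry` would make the direction explicit. The pattern `/^\*\.(.*)$/` also accepts an empty remainder (`*.`) and a trailing newline, which would register an empty-string key; unless the domain format is checked earlier (not visible here), `if ($domain =~ /^\*\.(.+)\z/) {` is tighter. The enclosing function starts outside the hunk.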