acme: handle wildcard dns validation

Wildcard DNS names (*.domain.example) are validated through their
base-domain (domain.example) according to the ACME RFC [0].

We store the indirection while parsing the acme config, and check for
an extra validation target during ordering.

This makes it possible to order wildcard certificates which are not
valid for the base-domain.

[0] https://tools.ietf.org/html/rfc8555#section-7.1.3

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
index 6794c3696ff141934b696092ac552b8392617790..b52f010adecf5978af3a3b3fd7361a294b5dfb7d 100644 (file)
--- a/src/PMG/API2/Certificates.pm
+++ b/src/PMG/API2/Certificates.pm
@@ -361,6 +361,11 @@ my $order_certificate = sub {
            print "The validation for $domain is pending!\n";
 
            my $domain_config = $acme_node_config->{domains}->{$domain};
+           if (!defined($domain_config)) {
+               # wildcard domains are validated through the basedomain
+               my $vtarget = $acme_node_config->{validationtarget}->{$domain} // '';
+               $domain_config = $acme_node_config->{domains}->{$vtarget};
+           }
            die "no config for domain '$domain'\n" if !$domain_config;
 
            my $plugin_id = $domain_config->{plugin};

diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
index 6472a9d07dd9605c3adccd1393cb4bd81ff284d0..5f96e62307be84cf3eda0a57544840e8d867c93e 100644 (file)
--- a/src/PMG/NodeConfig.pm
+++ b/src/PMG/NodeConfig.pm
@@ -216,6 +216,12 @@ sub get_acme_conf {
                if !$plugins->{ids}->{$plugin_id};
        }
 
+       # validation for wildcard domain names happens on the domain w/o
+       # wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
+       if ($domain =~ /^\*\.(.*)$/ ) {
+           $res->{validationtarget}->{$1} = $domain;
+       }
+
        $parsed->{_configkey} = "acmedomain$index";
        $res->{domains}->{$domain} = $parsed;
     }