]>
Commit | Line | Data |
---|---|---|
98b96d9e WL |
1 | package PVE::ACME::DNSChallenge; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use Digest::SHA qw(sha256); | |
7 | use PVE::Tools; | |
8 | ||
9 | use base qw(PVE::ACME::Challenge); | |
10 | ||
11 | my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme'; | |
12 | ||
13 | sub supported_challenge_types { | |
14 | return { 'dns-01' => 1 }; | |
15 | } | |
16 | ||
17 | sub type { | |
18 | return 'dns'; | |
19 | } | |
20 | ||
21 | my $api_name_list = [ | |
22 | 'acmedns', | |
23 | 'acmeproxy', | |
24 | 'active24', | |
25 | 'ad', | |
26 | 'ali', | |
27 | 'autodns', | |
28 | 'aws', | |
29 | 'azure', | |
30 | 'cf', | |
31 | 'clouddns', | |
32 | 'cloudns', | |
33 | 'cn', | |
34 | 'conoha', | |
35 | 'constellix', | |
36 | 'cx', | |
37 | 'cyon', | |
38 | 'da', | |
39 | 'ddnss', | |
40 | 'desec', | |
41 | 'dgon', | |
42 | 'dnsimple', | |
43 | 'do', | |
44 | 'doapi', | |
45 | 'domeneshop', | |
46 | 'dp', | |
47 | 'dpi', | |
48 | 'dreamhost', | |
49 | 'duckdns', | |
50 | 'durabledns', | |
51 | 'dyn', | |
52 | 'dynu', | |
53 | 'dynv6', | |
54 | 'easydns', | |
55 | 'euserv', | |
56 | 'exoscale', | |
57 | 'freedns', | |
58 | 'gandi_livedns', | |
59 | 'gcloud', | |
60 | 'gd', | |
61 | 'gdnsdk', | |
62 | 'he', | |
63 | 'hexonet', | |
64 | 'hostingde', | |
65 | 'infoblox', | |
66 | 'internetbs', | |
67 | 'inwx', | |
68 | 'ispconfig', | |
69 | 'jd', | |
70 | 'kas', | |
71 | 'kinghost', | |
72 | 'knot', | |
73 | 'leaseweb', | |
74 | 'lexicon', | |
75 | 'linode', | |
76 | 'linode_v4', | |
77 | 'loopia', | |
78 | 'lua', | |
79 | 'maradns', | |
80 | 'me', | |
81 | 'miab', | |
82 | 'misaka', | |
83 | 'myapi', | |
84 | 'mydevil', | |
85 | 'mydnsjp', | |
86 | 'namecheap', | |
87 | 'namecom', | |
88 | 'namesilo', | |
89 | 'nederhost', | |
90 | 'neodigit', | |
91 | 'netcup', | |
92 | 'nic', | |
93 | 'nsd', | |
94 | 'nsone', | |
95 | 'nsupdate', | |
96 | 'nw', | |
97 | 'one', | |
98 | 'online', | |
99 | 'openprovider', | |
100 | 'opnsense', | |
101 | 'ovh', | |
102 | 'pdns', | |
103 | 'pleskxml', | |
104 | 'pointhq', | |
105 | 'rackspace', | |
106 | 'rcode0', | |
107 | 'regru', | |
108 | 'schlundtech', | |
109 | 'selectel', | |
110 | 'servercow', | |
111 | 'tele3', | |
112 | 'ultra', | |
113 | 'unoeuro', | |
114 | 'variomedia', | |
115 | 'vscale', | |
116 | 'vultr', | |
117 | 'yandex', | |
118 | 'zilore', | |
119 | 'zone', | |
120 | 'zonomi', | |
121 | ]; | |
122 | ||
123 | sub properties { | |
124 | return { | |
125 | api => { | |
126 | description => "API plugin name", | |
127 | type => 'string', | |
128 | enum => $api_name_list, | |
129 | }, | |
130 | data => { | |
131 | type => 'string', | |
132 | description => 'DNS plugin data.', | |
133 | }, | |
134 | }; | |
135 | } | |
136 | ||
137 | sub options { | |
138 | return { | |
139 | api => {}, | |
140 | data => {}, | |
141 | nodes => { optional => 1 }, | |
142 | disable => { optional => 1 }, | |
143 | }; | |
144 | } | |
145 | ||
146 | my $outfunc = sub { | |
147 | my $line = shift; | |
148 | print "$line\n"; | |
149 | }; | |
150 | ||
151 | sub extract_challenge { | |
152 | my ($self, $challenge) = @_; | |
153 | ||
154 | return PVE::ACME::Challenge->extract_challenge($challenge, 'dns-01'); | |
155 | } | |
16925001 WL |
156 | |
157 | sub get_subplugins { | |
158 | return $api_name_list; | |
159 | } | |
98b96d9e WL |
160 | |
161 | # The order of the parameters passed to proxmox-acme is important | |
162 | # proxmox-acme setup $plugin [$domain|$alias] $txtvalue $plugin_conf_string | |
163 | sub setup { | |
164 | my ($self, $data) = @_; | |
165 | ||
166 | die "No plugin data for DNSChallenge\n" if !defined($data->{plugin}); | |
167 | my $domain = $data->{plugin}->{alias} ? $data->{plugin}->{alias} : $data->{domain}; | |
168 | my $txtvalue = PVE::ACME::encode(sha256($data->{key_authorization})); | |
169 | my $dnsplugin = $data->{plugin}->{api}; | |
170 | my $plugin_conf_string = $data->{plugin}->{data}; | |
171 | ||
172 | # for security reasons, we execute the command as nobody | |
173 | # we can't verify that the code of the DNSPlugins are harmless. | |
174 | my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--"]; | |
175 | push @$cmd, "/usr/bin/bash", $ACME_PATH, "setup", $dnsplugin, $domain; | |
176 | push @$cmd, $txtvalue, $plugin_conf_string; | |
177 | ||
178 | PVE::Tools::run_command($cmd, outfunc => $outfunc); | |
179 | print "Add TXT record: _acme-challenge.$domain\n"; | |
180 | } | |
181 | ||
182 | # The order of the parameters passed to proxmox-acme is important | |
183 | # proxmox-acme teardown $plugin [$domain|$alias] $txtvalue $plugin_conf_string | |
184 | sub teardown { | |
185 | my ($self, $data) = @_; | |
186 | ||
187 | die "No plugin data for DNSChallenge\n" if !defined($data->{plugin}); | |
188 | my $domain = $data->{plugin}->{alias} ? $data->{plugin}->{alias} : $data->{domain}; | |
189 | my $txtvalue = PVE::ACME::encode(sha256($data->{key_authorization})); | |
190 | my $dnsplugin = $data->{plugin}->{api}; | |
191 | my $plugin_conf_string = $data->{plugin}->{data}; | |
192 | ||
193 | # for security reasons, we execute the command as nobody | |
194 | # we can't verify that the code of the DNSPlugins are harmless. | |
195 | my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--"]; | |
196 | push @$cmd, "/usr/bin/bash", "$ACME_PATH", "teardown", $dnsplugin, $domain ; | |
197 | push @$cmd, $txtvalue, $plugin_conf_string; | |
198 | PVE::Tools::run_command($cmd, outfunc => $outfunc); | |
199 | print "Remove TXT record: _acme-challenge.$domain\n"; | |
200 | } | |
201 | ||
202 | 1; |