]>
Commit | Line | Data |
---|---|---|
1 | package PVE::ACME::DNSChallenge; | |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use Digest::SHA qw(sha256); | |
7 | use PVE::Tools; | |
8 | ||
9 | use base qw(PVE::ACME::Challenge); | |
10 | ||
11 | my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme'; | |
12 | ||
13 | sub supported_challenge_types { | |
14 | return ["dns-01"]; | |
15 | } | |
16 | ||
17 | sub type { | |
18 | return 'dns'; | |
19 | } | |
20 | ||
21 | # describe the data schema of the supported plugins, e.g.: | |
22 | # 'dnsprovider' => { | |
23 | # name => 'Full name of Plugin', | |
24 | # fields => { | |
25 | # 'FOO_API_KEY' => { | |
26 | # description => "The API key", | |
27 | # default => "none", | |
28 | # optional => 1, | |
29 | # type => 'string', | |
30 | # }, | |
31 | # # ... | |
32 | # }, | |
33 | # }, | |
34 | my $plugins = { | |
35 | 'acmedns' => {}, | |
36 | 'acmeproxy' => {}, | |
37 | 'active24' => { | |
38 | name => 'Active24', | |
39 | fields => { | |
40 | 'ACTIVE24_Token' => { | |
41 | description => "The API key", | |
42 | type => 'string', | |
43 | }, | |
44 | }, | |
45 | }, | |
46 | 'ad' => { | |
47 | name => 'Alwaysdata', | |
48 | fields => { | |
49 | 'AD_API_KEY' => { | |
50 | description => "The API key", | |
51 | type => 'string', | |
52 | }, | |
53 | }, | |
54 | }, | |
55 | 'ali' => { | |
56 | name => 'Alibaba Cloud DNS', | |
57 | fields => { | |
58 | 'Ali_API' => { | |
59 | description => 'The API endpoint', | |
60 | default => "https://alidns.aliyuncs.com/", | |
61 | type => 'string', | |
62 | optional => 1, | |
63 | }, | |
64 | 'Ali_Key' => { | |
65 | description => 'The API Key', | |
66 | type => 'string', | |
67 | }, | |
68 | 'Ali_Secret' => { | |
69 | description => 'The API Secret', | |
70 | type => 'string', | |
71 | }, | |
72 | }, | |
73 | }, | |
74 | 'autodns' => {}, | |
75 | 'aws' => { | |
76 | name => 'Amazon Route53 (AWS)', | |
77 | fields => { | |
78 | 'AWS_ACCESS_KEY_ID' => { | |
79 | name => 'ACCESS_KEY_ID', | |
80 | description => 'The AWS access-key ID', | |
81 | type => 'string', | |
82 | }, | |
83 | 'AWS_SECRET_ACCESS_KEY' => { | |
84 | name => 'SECRET_ACCESS_KEY', | |
85 | description => 'The AWS access-key secret', | |
86 | type => 'string', | |
87 | }, | |
88 | }, | |
89 | }, | |
90 | 'azure' => {}, | |
91 | 'cf' => { | |
92 | name => 'Cloudflare Managed DNS', | |
93 | description => 'Either provide global account key and email, or CF API token and Account ID.', | |
94 | fields => { | |
95 | 'CF_Key' => { | |
96 | description => 'The Cloudflare Global API Key', | |
97 | type => 'string', | |
98 | }, | |
99 | 'CF_Email' => { | |
100 | description => 'The Cloudflare Account EMail-Address', | |
101 | type => 'string', | |
102 | }, | |
103 | 'CF_Token' => { | |
104 | description => 'The new Cloudflare API Token', | |
105 | type => 'string', | |
106 | }, | |
107 | 'CF_Account_ID' => { | |
108 | description => 'The new Cloudflare API Account ID', | |
109 | type => 'string', | |
110 | }, | |
111 | 'CF_Zone_ID' => { | |
112 | description => 'For Zone restricted API Token', | |
113 | type => 'string', | |
114 | }, | |
115 | }, | |
116 | }, | |
117 | 'clouddns' => {}, | |
118 | 'cloudns' => {}, | |
119 | 'cn' => {}, | |
120 | 'conoha' => {}, | |
121 | 'constellix' => {}, | |
122 | 'cx' => {}, | |
123 | 'cyon' => {}, | |
124 | 'da' => {}, | |
125 | 'ddnss' => {}, | |
126 | 'desec' => {}, | |
127 | 'df' => {}, | |
128 | 'dgon' => { | |
129 | name => 'DigitalOcean DNS', | |
130 | fields => { | |
131 | 'DO_API_KEY' => { | |
132 | description => 'The DigitalOcean API Key', | |
133 | type => 'string', | |
134 | }, | |
135 | }, | |
136 | }, | |
137 | 'dnsimple' => {}, | |
138 | 'do' => {}, | |
139 | 'doapi' => {}, | |
140 | 'domeneshop' => {}, | |
141 | 'dp' => {}, | |
142 | 'dpi' => {}, | |
143 | 'dreamhost' => {}, | |
144 | 'duckdns' => {}, | |
145 | 'durabledns' => {}, | |
146 | 'dyn' => {}, | |
147 | 'dynu' => {}, | |
148 | 'dynv6' => {}, | |
149 | 'easydns' => {}, | |
150 | 'euserv' => {}, | |
151 | 'exoscale' => {}, | |
152 | 'freedns' => {}, | |
153 | 'gandi_livedns' => {}, | |
154 | 'gcloud' => {}, | |
155 | 'gd' => { | |
156 | name => 'GoDaddy', | |
157 | fields => { | |
158 | 'GD_Key' => { | |
159 | description => 'The GoDaddy API Key', | |
160 | type => 'string', | |
161 | }, | |
162 | 'GD_Secret' => { | |
163 | description => 'The GoDaddy API Secret', | |
164 | type => 'string', | |
165 | }, | |
166 | }, | |
167 | }, | |
168 | 'gdnsdk' => {}, | |
169 | 'he' => {}, | |
170 | 'hexonet' => {}, | |
171 | 'hostingde' => {}, | |
172 | 'infoblox' => {}, | |
173 | 'internetbs' => {}, | |
174 | 'inwx' => {}, | |
175 | 'ispconfig' => {}, | |
176 | 'jd' => {}, | |
177 | 'kas' => {}, | |
178 | 'kinghost' => {}, | |
179 | 'knot' => {}, | |
180 | 'leaseweb' => {}, | |
181 | 'lexicon' => {}, | |
182 | 'linode' => {}, | |
183 | 'linode_v4' => {}, | |
184 | 'loopia' => {}, | |
185 | 'lua' => {}, | |
186 | 'maradns' => {}, | |
187 | 'me' => {}, | |
188 | 'miab' => {}, | |
189 | 'misaka' => {}, | |
190 | 'myapi' => {}, | |
191 | 'mydevil' => {}, | |
192 | 'mydnsjp' => {}, | |
193 | 'namecheap' => {}, | |
194 | 'namecom' => {}, | |
195 | 'namesilo' => {}, | |
196 | 'nederhost' => {}, | |
197 | 'neodigit' => {}, | |
198 | 'netcup' => {}, | |
199 | 'nic' => {}, | |
200 | 'nsd' => {}, | |
201 | 'nsone' => {}, | |
202 | 'nsupdate' => {}, | |
203 | 'nw' => {}, | |
204 | 'one' => {}, | |
205 | 'online' => {}, | |
206 | 'openprovider' => {}, | |
207 | 'opnsense' => {}, | |
208 | 'ovh' => { | |
209 | name => 'OVH', | |
210 | fields => { | |
211 | 'OVH_END_POINT' => { | |
212 | description => "The OVH endpoint", | |
213 | default => "ovh-eu", | |
214 | optional => 1, | |
215 | type => 'string', | |
216 | }, | |
217 | 'OVH_AK' => { | |
218 | description => "The application key.", | |
219 | type => 'string', | |
220 | }, | |
221 | 'OVH_AS' => { | |
222 | description => "The application secret.", | |
223 | type => 'string', | |
224 | }, | |
225 | 'OVH_CK' => { | |
226 | description => "The consumer key.", | |
227 | optional => 1, | |
228 | type => 'string', | |
229 | }, | |
230 | }, | |
231 | }, | |
232 | 'pdns' => { | |
233 | name => 'PowerDNS server', | |
234 | fields => { | |
235 | 'PDNS_Url' => { | |
236 | description => "The PowerDNS API endpoint.", | |
237 | type => 'string', | |
238 | }, | |
239 | 'PDNS_ServerId'=> { | |
240 | type => 'string', | |
241 | }, | |
242 | 'PDNS_Token'=> { | |
243 | type => 'string', | |
244 | }, | |
245 | 'PDNS_Ttl'=> { | |
246 | type => 'integer', | |
247 | }, | |
248 | }, | |
249 | }, | |
250 | 'pleskxml' => {}, | |
251 | 'pointhq' => {}, | |
252 | 'rackspace' => {}, | |
253 | 'rcode0' => {}, | |
254 | 'regru' => {}, | |
255 | 'schlundtech' => {}, | |
256 | 'selectel' => {}, | |
257 | 'servercow' => {}, | |
258 | 'tele3' => {}, | |
259 | 'ultra' => {}, | |
260 | 'unoeuro' => {}, | |
261 | 'variomedia' => {}, | |
262 | 'vscale' => {}, | |
263 | 'vultr' => {}, | |
264 | 'yandex' => {}, | |
265 | 'zilore' => {}, | |
266 | 'zone' => {}, | |
267 | 'zonomi' => {}, | |
268 | }; | |
269 | ||
270 | sub get_supported_plugins { | |
271 | return $plugins; | |
272 | } | |
273 | ||
274 | sub properties { | |
275 | return { | |
276 | api => { | |
277 | description => "API plugin name", | |
278 | type => 'string', | |
279 | enum => [sort keys %$plugins], | |
280 | }, | |
281 | data => { | |
282 | type => 'string', | |
283 | description => 'DNS plugin data. (base64 encoded)', | |
284 | }, | |
285 | 'validation-delay' => { | |
286 | type => 'integer', | |
287 | description => 'Extra delay in seconds to wait before requesting validation.' | |
288 | .' Allows to cope with a long TTL of DNS records.', | |
289 | # low default, but our bet is that the acme-challenge domain isn't | |
290 | # cached at all, so it hopefully shouldn't run into TTL issues | |
291 | default => 30, | |
292 | optional => 1, | |
293 | minimum => 0, | |
294 | maximum => 2 * 24 * 60 * 60, | |
295 | } | |
296 | }; | |
297 | } | |
298 | ||
299 | sub options { | |
300 | return { | |
301 | api => {}, | |
302 | data => { optional => 1 }, | |
303 | nodes => { optional => 1 }, | |
304 | disable => { optional => 1 }, | |
305 | 'validation-delay' => { optional => 1 }, | |
306 | }; | |
307 | } | |
308 | ||
309 | my $proxmox_acme_command = sub { | |
310 | my ($self, $acme, $auth, $data, $action) = @_; | |
311 | ||
312 | die "No plugin data for DNSChallenge\n" if !defined($data->{plugin}); | |
313 | ||
314 | my $alias = $data->{alias}; | |
315 | my $domain = $auth->{identifier}->{value}; | |
316 | ||
317 | my $challenge = $self->extract_challenge($auth->{challenges}); | |
318 | my $key_auth = $acme->key_authorization($challenge->{token}); | |
319 | ||
320 | my $txtvalue = PVE::ACME::encode(sha256($key_auth)); | |
321 | my $dnsplugin = $data->{plugin}->{api}; | |
322 | my $plugin_conf_string = $data->{plugin}->{data}; | |
323 | ||
324 | # for security reasons, we execute the command as nobody | |
325 | # we can't verify that the code of the DNSPlugins are harmless. | |
326 | my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"]; | |
327 | ||
328 | # The order of the parameters passed to proxmox-acme is important | |
329 | # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string] | |
330 | push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin; | |
331 | if ($alias) { | |
332 | push @$cmd, $alias; | |
333 | } else { | |
334 | push @$cmd, $domain; | |
335 | } | |
336 | my $input = "$txtvalue\n"; | |
337 | $input .= "$plugin_conf_string\n" if $plugin_conf_string; | |
338 | ||
339 | PVE::Tools::run_command($cmd, input => $input); | |
340 | ||
341 | $data->{url} = $challenge->{url}; | |
342 | ||
343 | return $domain; | |
344 | }; | |
345 | ||
346 | sub setup { | |
347 | my ($self, $acme, $auth, $data) = @_; | |
348 | ||
349 | my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup'); | |
350 | print "Add TXT record: _acme-challenge.$domain\n"; | |
351 | ||
352 | # FIXME: probe ourself for propagation of TXT record, while not 100% | |
353 | # failsafe it's good enough of a heuristic to do away with fixed sleep | |
354 | # intervalls - original acme.sh employs that heuristic too. | |
355 | my $delay = $data->{'validation-delay'} // 30; | |
356 | if ($delay > 0) { | |
357 | print "Sleeping $delay seconds to wait for TXT record propagation\n"; | |
358 | sleep($delay); # don't care for EINTR | |
359 | } | |
360 | } | |
361 | ||
362 | sub teardown { | |
363 | my ($self, $acme, $auth, $data) = @_; | |
364 | ||
365 | my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown'); | |
366 | print "Remove TXT record: _acme-challenge.$domain\n"; | |
367 | } | |
368 | ||
369 | 1; |