]>
Commit | Line | Data |
---|---|---|
1 | package PVE::ACME::DNSChallenge; | |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use Digest::SHA qw(sha256); | |
7 | use PVE::Tools; | |
8 | ||
9 | use base qw(PVE::ACME::Challenge); | |
10 | ||
11 | my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme'; | |
12 | ||
13 | sub supported_challenge_types { | |
14 | return ["dns-01"]; | |
15 | } | |
16 | ||
17 | sub type { | |
18 | return 'dns'; | |
19 | } | |
20 | ||
21 | # describe the data schema of the supported plugins | |
22 | my $plugins = { | |
23 | 'acmedns' => {}, | |
24 | 'acmeproxy' => {}, | |
25 | 'active24' => {}, | |
26 | 'ad' => {}, | |
27 | 'ali' => {}, | |
28 | 'autodns' => {}, | |
29 | 'aws' => {}, | |
30 | 'azure' => {}, | |
31 | 'cf' => {}, | |
32 | 'clouddns' => {}, | |
33 | 'cloudns' => {}, | |
34 | 'cn' => {}, | |
35 | 'conoha' => {}, | |
36 | 'constellix' => {}, | |
37 | 'cx' => {}, | |
38 | 'cyon' => {}, | |
39 | 'da' => {}, | |
40 | 'ddnss' => {}, | |
41 | 'desec' => {}, | |
42 | 'dgon' => {}, | |
43 | 'dnsimple' => {}, | |
44 | 'do' => {}, | |
45 | 'doapi' => {}, | |
46 | 'domeneshop' => {}, | |
47 | 'dp' => {}, | |
48 | 'dpi' => {}, | |
49 | 'dreamhost' => {}, | |
50 | 'duckdns' => {}, | |
51 | 'durabledns' => {}, | |
52 | 'dyn' => {}, | |
53 | 'dynu' => {}, | |
54 | 'dynv6' => {}, | |
55 | 'easydns' => {}, | |
56 | 'euserv' => {}, | |
57 | 'exoscale' => {}, | |
58 | 'freedns' => {}, | |
59 | 'gandi_livedns' => {}, | |
60 | 'gcloud' => {}, | |
61 | 'gd' => {}, | |
62 | 'gdnsdk' => {}, | |
63 | 'he' => {}, | |
64 | 'hexonet' => {}, | |
65 | 'hostingde' => {}, | |
66 | 'infoblox' => {}, | |
67 | 'internetbs' => {}, | |
68 | 'inwx' => {}, | |
69 | 'ispconfig' => {}, | |
70 | 'jd' => {}, | |
71 | 'kas' => {}, | |
72 | 'kinghost' => {}, | |
73 | 'knot' => {}, | |
74 | 'leaseweb' => {}, | |
75 | 'lexicon' => {}, | |
76 | 'linode' => {}, | |
77 | 'linode_v4' => {}, | |
78 | 'loopia' => {}, | |
79 | 'lua' => {}, | |
80 | 'maradns' => {}, | |
81 | 'me' => {}, | |
82 | 'miab' => {}, | |
83 | 'misaka' => {}, | |
84 | 'myapi' => {}, | |
85 | 'mydevil' => {}, | |
86 | 'mydnsjp' => {}, | |
87 | 'namecheap' => {}, | |
88 | 'namecom' => {}, | |
89 | 'namesilo' => {}, | |
90 | 'nederhost' => {}, | |
91 | 'neodigit' => {}, | |
92 | 'netcup' => {}, | |
93 | 'nic' => {}, | |
94 | 'nsd' => {}, | |
95 | 'nsone' => {}, | |
96 | 'nsupdate' => {}, | |
97 | 'nw' => {}, | |
98 | 'one' => {}, | |
99 | 'online' => {}, | |
100 | 'openprovider' => {}, | |
101 | 'opnsense' => {}, | |
102 | 'ovh' => { | |
103 | 'OVH_END_POINT' => { | |
104 | description => "The OVH endpoint", | |
105 | default => "ovh-eu", | |
106 | optional => 1, | |
107 | type => 'string', | |
108 | }, | |
109 | 'OVH_AK' => { | |
110 | description => "The application key.", | |
111 | type => 'string', | |
112 | }, | |
113 | 'OVH_AS' => { | |
114 | description => "The application secret.", | |
115 | type => 'string', | |
116 | }, | |
117 | 'OVH_CK' => { | |
118 | description => "The consumer key.", | |
119 | optional => 1, | |
120 | type => 'string', | |
121 | }, | |
122 | }, | |
123 | 'pdns' => { | |
124 | 'PDNS_Url' => { | |
125 | description => "The PowerDNS API endpoint.", | |
126 | type => 'string', | |
127 | }, | |
128 | 'PDNS_ServerId'=> { | |
129 | type => 'string', | |
130 | }, | |
131 | 'PDNS_Token'=> { | |
132 | type => 'string', | |
133 | }, | |
134 | 'PDNS_Ttl'=> { | |
135 | type => 'integer', | |
136 | }, | |
137 | }, | |
138 | 'pleskxml' => {}, | |
139 | 'pointhq' => {}, | |
140 | 'rackspace' => {}, | |
141 | 'rcode0' => {}, | |
142 | 'regru' => {}, | |
143 | 'schlundtech' => {}, | |
144 | 'selectel' => {}, | |
145 | 'servercow' => {}, | |
146 | 'tele3' => {}, | |
147 | 'ultra' => {}, | |
148 | 'unoeuro' => {}, | |
149 | 'variomedia' => {}, | |
150 | 'vscale' => {}, | |
151 | 'vultr' => {}, | |
152 | 'yandex' => {}, | |
153 | 'zilore' => {}, | |
154 | 'zone' => {}, | |
155 | 'zonomi' => {}, | |
156 | }; | |
157 | ||
158 | sub get_supported_plugins { | |
159 | return $plugins; | |
160 | } | |
161 | ||
162 | sub properties { | |
163 | return { | |
164 | api => { | |
165 | description => "API plugin name", | |
166 | type => 'string', | |
167 | enum => [sort keys %$plugins], | |
168 | }, | |
169 | data => { | |
170 | type => 'string', | |
171 | description => 'DNS plugin data. (base64 encoded)', | |
172 | }, | |
173 | 'validation-delay' => { | |
174 | type => 'integer', | |
175 | description => 'Extra delay in seconds to wait before requesting validation.' | |
176 | .' Allows to cope with a long TTL of DNS records.', | |
177 | # low default, but our bet is that the acme-challenge domain isn't | |
178 | # cached at all, so it hopefully shouldn't run into TTL issues | |
179 | default => 30, | |
180 | optional => 1, | |
181 | minimum => 0, | |
182 | maximum => 2 * 24 * 60 * 60, | |
183 | } | |
184 | }; | |
185 | } | |
186 | ||
187 | sub options { | |
188 | return { | |
189 | api => {}, | |
190 | data => { optional => 1 }, | |
191 | nodes => { optional => 1 }, | |
192 | disable => { optional => 1 }, | |
193 | 'validation-delay' => { optional => 1 }, | |
194 | }; | |
195 | } | |
196 | ||
197 | my $proxmox_acme_command = sub { | |
198 | my ($self, $acme, $auth, $data, $action) = @_; | |
199 | ||
200 | die "No plugin data for DNSChallenge\n" if !defined($data->{plugin}); | |
201 | ||
202 | my $alias = $data->{alias}; | |
203 | my $domain = $auth->{identifier}->{value}; | |
204 | ||
205 | my $challenge = $self->extract_challenge($auth->{challenges}); | |
206 | my $key_auth = $acme->key_authorization($challenge->{token}); | |
207 | ||
208 | my $txtvalue = PVE::ACME::encode(sha256($key_auth)); | |
209 | my $dnsplugin = $data->{plugin}->{api}; | |
210 | my $plugin_conf_string = $data->{plugin}->{data}; | |
211 | ||
212 | # for security reasons, we execute the command as nobody | |
213 | # we can't verify that the code of the DNSPlugins are harmless. | |
214 | my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"]; | |
215 | ||
216 | # The order of the parameters passed to proxmox-acme is important | |
217 | # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string] | |
218 | push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin; | |
219 | if ($alias) { | |
220 | push @$cmd, $alias; | |
221 | } else { | |
222 | push @$cmd, $domain; | |
223 | } | |
224 | my $input = "$txtvalue\n"; | |
225 | $input .= "$plugin_conf_string\n" if $plugin_conf_string; | |
226 | ||
227 | PVE::Tools::run_command($cmd, input => $input); | |
228 | ||
229 | $data->{url} = $challenge->{url}; | |
230 | ||
231 | return $domain; | |
232 | }; | |
233 | ||
234 | sub setup { | |
235 | my ($self, $acme, $auth, $data) = @_; | |
236 | ||
237 | my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup'); | |
238 | print "Add TXT record: _acme-challenge.$domain\n"; | |
239 | ||
240 | # FIXME: probe ourself for propagation of TXT record, while not 100% | |
241 | # failsafe it's good enough of a heuristic to do away with fixed sleep | |
242 | # intervalls - original acme.sh employs that heuristic too. | |
243 | my $delay = $data->{'validation-delay'} // 30; | |
244 | if ($delay > 0) { | |
245 | print "Sleeping $delay seconds to wait for TXT record propagation\n"; | |
246 | sleep($delay); # don't care for EINTR | |
247 | } | |
248 | } | |
249 | ||
250 | sub teardown { | |
251 | my ($self, $acme, $auth, $data) = @_; | |
252 | ||
253 | my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown'); | |
254 | print "Remove TXT record: _acme-challenge.$domain\n"; | |
255 | } | |
256 | ||
257 | 1; |