1 package PVE
::ACME
::DNSChallenge
;
6 use Digest
::SHA
qw(sha256);
9 use base
qw(PVE::ACME::Challenge);
11 my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
13 sub supported_challenge_types
{
14 return { 'dns-01' => 1 };
126 description
=> "API plugin name",
128 enum
=> $api_name_list,
132 description
=> 'DNS plugin data.',
140 data
=> { optional
=> 1 },
141 nodes
=> { optional
=> 1 },
142 disable
=> { optional
=> 1 },
146 sub extract_challenge
{
147 my ($self, $challenge) = @_;
149 return PVE
::ACME
::Challenge-
>extract_challenge($challenge, 'dns-01');
153 return $api_name_list;
156 my $proxmox_acme_command = sub {
157 my ($self, $acme, $auth, $data, $action) = @_;
159 die "No plugin data for DNSChallenge\n" if !defined($data->{plugin
});
161 my $alias = $data->{alias
};
162 my $domain = $auth->{identifier
}->{value
};
164 my $challenge = $self->extract_challenge($auth->{challenges
});
165 my $key_auth = $acme->key_authorization($challenge->{token
});
167 my $txtvalue = PVE
::ACME
::encode
(sha256
($key_auth));
168 my $dnsplugin = $data->{plugin
}->{api
};
169 my $plugin_conf_string = $data->{plugin
}->{data
};
171 # for security reasons, we execute the command as nobody
172 # we can't verify that the code of the DNSPlugins are harmless.
173 my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--"];
175 # The order of the parameters passed to proxmox-acme is important
176 # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
177 push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
183 push @$cmd, $txtvalue, $plugin_conf_string;
185 PVE
::Tools
::run_command
($cmd);
187 $data->{url
} = $challenge->{url
};
193 my ($self, $acme, $auth, $data) = @_;
195 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
196 print "Add TXT record: _acme-challenge.$domain\n";
200 my ($self, $acme, $auth, $data) = @_;
202 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
203 print "Remove TXT record: _acme-challenge.$domain\n";