]> git.proxmox.com Git - proxmox-acme.git/blob - src/PVE/ACME/DNSChallenge.pm
projects / proxmox-acme.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
acme: define kapper.net and acme-dns schema
[proxmox-acme.git] / src / PVE / ACME / DNSChallenge.pm
1 package PVE::ACME::DNSChallenge;
2
3 use strict;
4 use warnings;
5
6 use Digest::SHA qw(sha256);
7 use PVE::Tools;
8
9 use base qw(PVE::ACME::Challenge);
10
11 my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
12
13 sub supported_challenge_types {
14 return ["dns-01"];
15 }
16
17 sub type {
18 return 'dns';
19 }
20
21 # describe the data schema of the supported plugins, e.g.:
22 # 'dnsprovider' => {
23 # name => 'Full name of Plugin',
24 # fields => {
25 # 'FOO_API_KEY' => {
26 # description => "The API key",
27 # default => "none",
28 # optional => 1,
29 # type => 'string',
30 # },
31 # # ...
32 # },
33 # },
34 my $plugins = {
35 '1984hosting' => {},
36 'acmedns' => {
37 name => 'acme-dns',
38 fields => {
39 'ACMEDNS_UPDATE_URL' => {
40 description => 'The API update endpoint',
41 type => 'string',
42 },
43 'ACMEDNS_USERNAME' => {
44 description => 'The acme-dns user',
45 type => 'string',
46 },
47 'ACMEDNS_PASSWORD' => {
48 description => 'The acme-dns password',
49 type => 'string',
50 },
51 'ACMEDNS_SUBDOMAIN' => {
52 description => 'The subdomain you got from acme-dns registration',
53 type => 'string',
54 },
55 },
56 },
57 'acmeproxy' => {},
58 'active24' => {
59 name => 'Active24',
60 fields => {
61 'ACTIVE24_Token' => {
62 description => "The API key",
63 type => 'string',
64 },
65 },
66 },
67 'ad' => {
68 name => 'Alwaysdata',
69 fields => {
70 'AD_API_KEY' => {
71 description => "The API key",
72 type => 'string',
73 },
74 },
75 },
76 'ali' => {
77 name => 'Alibaba Cloud DNS',
78 fields => {
79 'Ali_API' => {
80 description => 'The API endpoint',
81 default => "https://alidns.aliyuncs.com/",
82 type => 'string',
83 optional => 1,
84 },
85 'Ali_Key' => {
86 description => 'The API Key',
87 type => 'string',
88 },
89 'Ali_Secret' => {
90 description => 'The API Secret',
91 type => 'string',
92 },
93 },
94 },
95 'anx' => {},
96 'arvan' => {},
97 'autodns' => {},
98 'aws' => {
99 name => 'Amazon Route53 (AWS)',
100 fields => {
101 'AWS_ACCESS_KEY_ID' => {
102 name => 'ACCESS_KEY_ID',
103 description => 'The AWS access-key ID',
104 type => 'string',
105 },
106 'AWS_SECRET_ACCESS_KEY' => {
107 name => 'SECRET_ACCESS_KEY',
108 description => 'The AWS access-key secret',
109 type => 'string',
110 },
111 },
112 },
113 'azure' => {},
114 'cf' => {
115 name => 'Cloudflare Managed DNS',
116 description => 'Either provide global account key and email, or CF API token and Account ID.',
117 fields => {
118 'CF_Key' => {
119 description => 'The Cloudflare Global API Key',
120 type => 'string',
121 },
122 'CF_Email' => {
123 description => 'The Cloudflare Account EMail-Address',
124 type => 'string',
125 },
126 'CF_Token' => {
127 description => 'The new Cloudflare API Token',
128 type => 'string',
129 },
130 'CF_Account_ID' => {
131 description => 'The new Cloudflare API Account ID',
132 type => 'string',
133 },
134 'CF_Zone_ID' => {
135 description => 'For Zone restricted API Token',
136 type => 'string',
137 },
138 },
139 },
140 'clouddns' => {},
141 'cloudns' => {},
142 'cn' => {},
143 'conoha' => {},
144 'constellix' => {},
145 'cx' => {},
146 'cyon' => {},
147 'da' => {},
148 'ddnss' => {},
149 'desec' => {},
150 'df' => {},
151 'dgon' => {
152 name => 'DigitalOcean DNS',
153 fields => {
154 'DO_API_KEY' => {
155 description => 'The DigitalOcean API Key',
156 type => 'string',
157 },
158 },
159 },
160 'dnsimple' => {},
161 'do' => {},
162 'doapi' => {},
163 'domeneshop' => {},
164 'dp' => {},
165 'dpi' => {},
166 'dreamhost' => {},
167 'duckdns' => {},
168 'durabledns' => {},
169 'dyn' => {},
170 'dynu' => {},
171 'dynv6' => {},
172 'easydns' => {},
173 'edgedns' => {},
174 'euserv' => {},
175 'exoscale' => {},
176 'freedns' => {},
177 'gandi_livedns' => {},
178 'gcloud' => {},
179 'gd' => {
180 name => 'GoDaddy',
181 fields => {
182 'GD_Key' => {
183 description => 'The GoDaddy API Key',
184 type => 'string',
185 },
186 'GD_Secret' => {
187 description => 'The GoDaddy API Secret',
188 type => 'string',
189 },
190 },
191 },
192 'gdnsdk' => {},
193 'he' => {},
194 'hetzner' => {},
195 'hexonet' => {},
196 'hostingde' => {},
197 'huaweicloud' => {},
198 'infoblox' => {},
199 'infomaniak' => {},
200 'internetbs' => {},
201 'inwx' => {
202 name => 'INWX',
203 fields => {
204 'INWX_User' => {
205 description => 'The INWX username',
206 type => 'string',
207 },
208 'INWX_Password' => {
209 description => 'The INWX password',
210 type => 'string',
211 },
212 },
213 },
214 'ispconfig' => {},
215 'jd' => {},
216 'joker' => {},
217 'kappernet' => {
218 name => 'kapper.net',
219 fields => {
220 'KAPPERNETDNS_Key' => {
221 description => 'Your kapper.net API key',
222 type => 'string',
223 },
224 'KAPPERNETDNS_Secret' => {
225 description => 'Your kapper.net API secret',
226 type => 'string',
227 },
228 },
229 },
230 'kas' => {},
231 'kinghost' => {},
232 'knot' => {},
233 'leaseweb' => {},
234 'lexicon' => {},
235 'linode' => {},
236 'linode_v4' => {},
237 'loopia' => {},
238 'lua' => {},
239 'maradns' => {},
240 'me' => {},
241 'miab' => {},
242 'misaka' => {},
243 'myapi' => {},
244 'mydevil' => {},
245 'mydnsjp' => {},
246 'namecheap' => {},
247 'namecom' => {},
248 'namesilo' => {},
249 'nederhost' => {},
250 'neodigit' => {},
251 'netcup' => {},
252 'netlify' => {},
253 'nic' => {},
254 'njalla' => {},
255 'nm' => {},
256 'nsd' => {},
257 'nsone' => {},
258 'nsupdate' => {},
259 'nw' => {},
260 'one' => {},
261 'online' => {},
262 'openprovider' => {},
263 'openstack' => {},
264 'opnsense' => {},
265 'ovh' => {
266 name => 'OVH',
267 fields => {
268 'OVH_END_POINT' => {
269 description => "The OVH endpoint",
270 default => "ovh-eu",
271 optional => 1,
272 type => 'string',
273 },
274 'OVH_AK' => {
275 description => "The application key.",
276 type => 'string',
277 },
278 'OVH_AS' => {
279 description => "The application secret.",
280 type => 'string',
281 },
282 'OVH_CK' => {
283 description => "The consumer key.",
284 optional => 1,
285 type => 'string',
286 },
287 },
288 },
289 'pdns' => {
290 name => 'PowerDNS server',
291 fields => {
292 'PDNS_Url' => {
293 description => "The PowerDNS API endpoint.",
294 type => 'string',
295 },
296 'PDNS_ServerId'=> {
297 type => 'string',
298 },
299 'PDNS_Token'=> {
300 type => 'string',
301 },
302 'PDNS_Ttl'=> {
303 type => 'integer',
304 },
305 },
306 },
307 'pleskxml' => {},
308 'pointhq' => {},
309 'rackspace' => {},
310 'rcode0' => {},
311 'regru' => {},
312 'schlundtech' => {},
313 'selectel' => {},
314 'servercow' => {},
315 'tele3' => {},
316 'transip' => {},
317 'ultra' => {},
318 'unoeuro' => {},
319 'variomedia' => {},
320 'vscale' => {},
321 'vultr' => {},
322 'world4you' => {},
323 'yandex' => {},
324 'zilore' => {},
325 'zone' => {},
326 'zonomi' => {},
327 };
328
329 sub get_supported_plugins {
330 return $plugins;
331 }
332
333 sub properties {
334 return {
335 api => {
336 description => "API plugin name",
337 type => 'string',
338 enum => [sort keys %$plugins],
339 },
340 data => {
341 type => 'string',
342 description => 'DNS plugin data. (base64 encoded)',
343 },
344 'validation-delay' => {
345 type => 'integer',
346 description => 'Extra delay in seconds to wait before requesting validation.'
347 .' Allows to cope with a long TTL of DNS records.',
348 # low default, but our bet is that the acme-challenge domain isn't
349 # cached at all, so it hopefully shouldn't run into TTL issues
350 default => 30,
351 optional => 1,
352 minimum => 0,
353 maximum => 2 * 24 * 60 * 60,
354 }
355 };
356 }
357
358 sub options {
359 return {
360 api => {},
361 data => { optional => 1 },
362 nodes => { optional => 1 },
363 disable => { optional => 1 },
364 'validation-delay' => { optional => 1 },
365 };
366 }
367
368 my $proxmox_acme_command = sub {
369 my ($self, $acme, $auth, $data, $action) = @_;
370
371 die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});
372
373 my $alias = $data->{alias};
374 my $domain = $auth->{identifier}->{value};
375
376 my $challenge = $self->extract_challenge($auth->{challenges});
377 my $key_auth = $acme->key_authorization($challenge->{token});
378
379 my $txtvalue = PVE::ACME::encode(sha256($key_auth));
380 my $dnsplugin = $data->{plugin}->{api};
381 my $plugin_conf_string = $data->{plugin}->{data};
382
383 # for security reasons, we execute the command as nobody
384 # we can't verify that the code of the DNSPlugins are harmless.
385 my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
386
387 # The order of the parameters passed to proxmox-acme is important
388 # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
389 push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
390 if ($alias) {
391 push @$cmd, $alias;
392 } else {
393 push @$cmd, $domain;
394 }
395 my $input = "$txtvalue\n";
396 $input .= "$plugin_conf_string\n" if $plugin_conf_string;
397
398 PVE::Tools::run_command($cmd, input => $input);
399
400 $data->{url} = $challenge->{url};
401
402 return $domain;
403 };
404
405 sub setup {
406 my ($self, $acme, $auth, $data) = @_;
407
408 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
409 print "Add TXT record: _acme-challenge.$domain\n";
410
411 my $delay = $data->{plugin}->{'validation-delay'} // 30;
412 if ($delay > 0) {
413 print "Sleeping $delay seconds to wait for TXT record propagation\n";
414 sleep($delay); # don't care for EINTR
415 }
416 }
417
418 sub teardown {
419 my ($self, $acme, $auth, $data) = @_;
420
421 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
422 print "Remove TXT record: _acme-challenge.$domain\n";
423 }
424
425 1;
ACME library and helpers for perl based Proxmox projects