]> git.proxmox.com Git - proxmox-acme.git/blob - src/PVE/ACME/DNSChallenge.pm
projects / proxmox-acme.git / blob
? search:


2d20ffb8c51c927b32a9b919eccbbfd84c1dcec1
[proxmox-acme.git] / src / PVE / ACME / DNSChallenge.pm
1 package PVE::ACME::DNSChallenge;
2
3 use strict;
4 use warnings;
5
6 use Digest::SHA qw(sha256);
7 use PVE::Tools;
8
9 use base qw(PVE::ACME::Challenge);
10
11 my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
12
13 sub supported_challenge_types {
14 return ["dns-01"];
15 }
16
17 sub type {
18 return 'dns';
19 }
20
21 # describe the data schema of the supported plugins, e.g.:
22 # 'dnsprovider' => {
23 # name => 'Full name of Plugin',
24 # fields => {
25 # 'FOO_API_KEY' => {
26 # description => "The API key",
27 # default => "none",
28 # optional => 1,
29 # type => 'string',
30 # },
31 # # ...
32 # },
33 # },
34 my $plugins = {
35 '1984hosting' => {},
36 'acmedns' => {},
37 'acmeproxy' => {},
38 'active24' => {
39 name => 'Active24',
40 fields => {
41 'ACTIVE24_Token' => {
42 description => "The API key",
43 type => 'string',
44 },
45 },
46 },
47 'ad' => {
48 name => 'Alwaysdata',
49 fields => {
50 'AD_API_KEY' => {
51 description => "The API key",
52 type => 'string',
53 },
54 },
55 },
56 'ali' => {
57 name => 'Alibaba Cloud DNS',
58 fields => {
59 'Ali_API' => {
60 description => 'The API endpoint',
61 default => "https://alidns.aliyuncs.com/",
62 type => 'string',
63 optional => 1,
64 },
65 'Ali_Key' => {
66 description => 'The API Key',
67 type => 'string',
68 },
69 'Ali_Secret' => {
70 description => 'The API Secret',
71 type => 'string',
72 },
73 },
74 },
75 'anx' => {},
76 'arvan' => {},
77 'autodns' => {},
78 'aws' => {
79 name => 'Amazon Route53 (AWS)',
80 fields => {
81 'AWS_ACCESS_KEY_ID' => {
82 name => 'ACCESS_KEY_ID',
83 description => 'The AWS access-key ID',
84 type => 'string',
85 },
86 'AWS_SECRET_ACCESS_KEY' => {
87 name => 'SECRET_ACCESS_KEY',
88 description => 'The AWS access-key secret',
89 type => 'string',
90 },
91 },
92 },
93 'azure' => {},
94 'cf' => {
95 name => 'Cloudflare Managed DNS',
96 description => 'Either provide global account key and email, or CF API token and Account ID.',
97 fields => {
98 'CF_Key' => {
99 description => 'The Cloudflare Global API Key',
100 type => 'string',
101 },
102 'CF_Email' => {
103 description => 'The Cloudflare Account EMail-Address',
104 type => 'string',
105 },
106 'CF_Token' => {
107 description => 'The new Cloudflare API Token',
108 type => 'string',
109 },
110 'CF_Account_ID' => {
111 description => 'The new Cloudflare API Account ID',
112 type => 'string',
113 },
114 'CF_Zone_ID' => {
115 description => 'For Zone restricted API Token',
116 type => 'string',
117 },
118 },
119 },
120 'clouddns' => {},
121 'cloudns' => {},
122 'cn' => {},
123 'conoha' => {},
124 'constellix' => {},
125 'cx' => {},
126 'cyon' => {},
127 'da' => {},
128 'ddnss' => {},
129 'desec' => {},
130 'df' => {},
131 'dgon' => {
132 name => 'DigitalOcean DNS',
133 fields => {
134 'DO_API_KEY' => {
135 description => 'The DigitalOcean API Key',
136 type => 'string',
137 },
138 },
139 },
140 'dnsimple' => {},
141 'do' => {},
142 'doapi' => {},
143 'domeneshop' => {},
144 'dp' => {},
145 'dpi' => {},
146 'dreamhost' => {},
147 'duckdns' => {},
148 'durabledns' => {},
149 'dyn' => {},
150 'dynu' => {},
151 'dynv6' => {},
152 'easydns' => {},
153 'edgedns' => {},
154 'euserv' => {},
155 'exoscale' => {},
156 'freedns' => {},
157 'gandi_livedns' => {},
158 'gcloud' => {},
159 'gd' => {
160 name => 'GoDaddy',
161 fields => {
162 'GD_Key' => {
163 description => 'The GoDaddy API Key',
164 type => 'string',
165 },
166 'GD_Secret' => {
167 description => 'The GoDaddy API Secret',
168 type => 'string',
169 },
170 },
171 },
172 'gdnsdk' => {},
173 'he' => {},
174 'hetzner' => {},
175 'hexonet' => {},
176 'hostingde' => {},
177 'huaweicloud' => {},
178 'infoblox' => {},
179 'infomaniak' => {},
180 'internetbs' => {},
181 'inwx' => {
182 name => 'INWX',
183 fields => {
184 'INWX_User' => {
185 description => 'The INWX username',
186 type => 'string',
187 },
188 'INWX_Password' => {
189 description => 'The INWX password',
190 type => 'string',
191 },
192 },
193 },
194 'ispconfig' => {},
195 'jd' => {},
196 'joker' => {},
197 'kappernet' => {},
198 'kas' => {},
199 'kinghost' => {},
200 'knot' => {},
201 'leaseweb' => {},
202 'lexicon' => {},
203 'linode' => {},
204 'linode_v4' => {},
205 'loopia' => {},
206 'lua' => {},
207 'maradns' => {},
208 'me' => {},
209 'miab' => {},
210 'misaka' => {},
211 'myapi' => {},
212 'mydevil' => {},
213 'mydnsjp' => {},
214 'namecheap' => {},
215 'namecom' => {},
216 'namesilo' => {},
217 'nederhost' => {},
218 'neodigit' => {},
219 'netcup' => {},
220 'netlify' => {},
221 'nic' => {},
222 'njalla' => {},
223 'nm' => {},
224 'nsd' => {},
225 'nsone' => {},
226 'nsupdate' => {},
227 'nw' => {},
228 'one' => {},
229 'online' => {},
230 'openprovider' => {},
231 'openstack' => {},
232 'opnsense' => {},
233 'ovh' => {
234 name => 'OVH',
235 fields => {
236 'OVH_END_POINT' => {
237 description => "The OVH endpoint",
238 default => "ovh-eu",
239 optional => 1,
240 type => 'string',
241 },
242 'OVH_AK' => {
243 description => "The application key.",
244 type => 'string',
245 },
246 'OVH_AS' => {
247 description => "The application secret.",
248 type => 'string',
249 },
250 'OVH_CK' => {
251 description => "The consumer key.",
252 optional => 1,
253 type => 'string',
254 },
255 },
256 },
257 'pdns' => {
258 name => 'PowerDNS server',
259 fields => {
260 'PDNS_Url' => {
261 description => "The PowerDNS API endpoint.",
262 type => 'string',
263 },
264 'PDNS_ServerId'=> {
265 type => 'string',
266 },
267 'PDNS_Token'=> {
268 type => 'string',
269 },
270 'PDNS_Ttl'=> {
271 type => 'integer',
272 },
273 },
274 },
275 'pleskxml' => {},
276 'pointhq' => {},
277 'rackspace' => {},
278 'rcode0' => {},
279 'regru' => {},
280 'schlundtech' => {},
281 'selectel' => {},
282 'servercow' => {},
283 'tele3' => {},
284 'transip' => {},
285 'ultra' => {},
286 'unoeuro' => {},
287 'variomedia' => {},
288 'vscale' => {},
289 'vultr' => {},
290 'world4you' => {},
291 'yandex' => {},
292 'zilore' => {},
293 'zone' => {},
294 'zonomi' => {},
295 };
296
297 sub get_supported_plugins {
298 return $plugins;
299 }
300
301 sub properties {
302 return {
303 api => {
304 description => "API plugin name",
305 type => 'string',
306 enum => [sort keys %$plugins],
307 },
308 data => {
309 type => 'string',
310 description => 'DNS plugin data. (base64 encoded)',
311 },
312 'validation-delay' => {
313 type => 'integer',
314 description => 'Extra delay in seconds to wait before requesting validation.'
315 .' Allows to cope with a long TTL of DNS records.',
316 # low default, but our bet is that the acme-challenge domain isn't
317 # cached at all, so it hopefully shouldn't run into TTL issues
318 default => 30,
319 optional => 1,
320 minimum => 0,
321 maximum => 2 * 24 * 60 * 60,
322 }
323 };
324 }
325
326 sub options {
327 return {
328 api => {},
329 data => { optional => 1 },
330 nodes => { optional => 1 },
331 disable => { optional => 1 },
332 'validation-delay' => { optional => 1 },
333 };
334 }
335
336 my $proxmox_acme_command = sub {
337 my ($self, $acme, $auth, $data, $action) = @_;
338
339 die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});
340
341 my $alias = $data->{alias};
342 my $domain = $auth->{identifier}->{value};
343
344 my $challenge = $self->extract_challenge($auth->{challenges});
345 my $key_auth = $acme->key_authorization($challenge->{token});
346
347 my $txtvalue = PVE::ACME::encode(sha256($key_auth));
348 my $dnsplugin = $data->{plugin}->{api};
349 my $plugin_conf_string = $data->{plugin}->{data};
350
351 # for security reasons, we execute the command as nobody
352 # we can't verify that the code of the DNSPlugins are harmless.
353 my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
354
355 # The order of the parameters passed to proxmox-acme is important
356 # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
357 push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
358 if ($alias) {
359 push @$cmd, $alias;
360 } else {
361 push @$cmd, $domain;
362 }
363 my $input = "$txtvalue\n";
364 $input .= "$plugin_conf_string\n" if $plugin_conf_string;
365
366 PVE::Tools::run_command($cmd, input => $input);
367
368 $data->{url} = $challenge->{url};
369
370 return $domain;
371 };
372
373 sub setup {
374 my ($self, $acme, $auth, $data) = @_;
375
376 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
377 print "Add TXT record: _acme-challenge.$domain\n";
378
379 my $delay = $data->{plugin}->{'validation-delay'} // 30;
380 if ($delay > 0) {
381 print "Sleeping $delay seconds to wait for TXT record propagation\n";
382 sleep($delay); # don't care for EINTR
383 }
384 }
385
386 sub teardown {
387 my ($self, $acme, $auth, $data) = @_;
388
389 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
390 print "Remove TXT record: _acme-challenge.$domain\n";
391 }
392
393 1;
ACME library and helpers for perl based Proxmox projects