]> git.proxmox.com Git - proxmox-acme.git/blob - src/PVE/ACME/DNSChallenge.pm
projects / proxmox-acme.git / blob
? search:


300cdc97d1a8cf07a58b30a5f4ddc0f76af26842
[proxmox-acme.git] / src / PVE / ACME / DNSChallenge.pm
1 package PVE::ACME::DNSChallenge;
2
3 use strict;
4 use warnings;
5
6 use Digest::SHA qw(sha256);
7 use PVE::Tools;
8
9 use PVE::ACME;
10
11 use base qw(PVE::ACME::Challenge);
12
13 my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
14
15 sub supported_challenge_types {
16 return ["dns-01"];
17 }
18
19 sub type {
20 return 'dns';
21 }
22
23 # describe the data schema of the supported plugins, e.g.:
24 # 'dnsprovider' => {
25 # name => 'Full name of Plugin',
26 # fields => {
27 # 'FOO_API_KEY' => {
28 # description => "The API key",
29 # default => "none",
30 # optional => 1,
31 # type => 'string',
32 # },
33 # # ...
34 # },
35 # },
36 my $plugins = {
37 '1984hosting' => {},
38 'acmedns' => {
39 name => 'acme-dns',
40 fields => {
41 'ACMEDNS_UPDATE_URL' => {
42 description => 'The API update endpoint',
43 type => 'string',
44 },
45 'ACMEDNS_USERNAME' => {
46 description => 'The acme-dns user',
47 type => 'string',
48 },
49 'ACMEDNS_PASSWORD' => {
50 description => 'The acme-dns password',
51 type => 'string',
52 },
53 'ACMEDNS_SUBDOMAIN' => {
54 description => 'The subdomain you got from acme-dns registration',
55 type => 'string',
56 },
57 },
58 },
59 'acmeproxy' => {},
60 'active24' => {
61 name => 'Active24',
62 fields => {
63 'ACTIVE24_Token' => {
64 description => "The API key",
65 type => 'string',
66 },
67 },
68 },
69 'ad' => {
70 name => 'Alwaysdata',
71 fields => {
72 'AD_API_KEY' => {
73 description => "The API key",
74 type => 'string',
75 },
76 },
77 },
78 'ali' => {
79 name => 'Alibaba Cloud DNS',
80 fields => {
81 'Ali_API' => {
82 description => 'The API endpoint',
83 default => "https://alidns.aliyuncs.com/",
84 type => 'string',
85 optional => 1,
86 },
87 'Ali_Key' => {
88 description => 'The API Key',
89 type => 'string',
90 },
91 'Ali_Secret' => {
92 description => 'The API Secret',
93 type => 'string',
94 },
95 },
96 },
97 'anx' => {},
98 'arvan' => {},
99 'autodns' => {},
100 'aws' => {
101 name => 'Amazon Route53 (AWS)',
102 fields => {
103 'AWS_ACCESS_KEY_ID' => {
104 name => 'ACCESS_KEY_ID',
105 description => 'The AWS access-key ID',
106 type => 'string',
107 },
108 'AWS_SECRET_ACCESS_KEY' => {
109 name => 'SECRET_ACCESS_KEY',
110 description => 'The AWS access-key secret',
111 type => 'string',
112 },
113 },
114 },
115 'azure' => {},
116 'cf' => {
117 name => 'Cloudflare Managed DNS',
118 description => 'Either provide global account key and email, or CF API token and Account ID.',
119 fields => {
120 'CF_Key' => {
121 description => 'The Cloudflare Global API Key',
122 type => 'string',
123 },
124 'CF_Email' => {
125 description => 'The Cloudflare Account EMail-Address',
126 type => 'string',
127 },
128 'CF_Token' => {
129 description => 'The new Cloudflare API Token',
130 type => 'string',
131 },
132 'CF_Account_ID' => {
133 description => 'The new Cloudflare API Account ID',
134 type => 'string',
135 },
136 'CF_Zone_ID' => {
137 description => 'For Zone restricted API Token',
138 type => 'string',
139 },
140 },
141 },
142 'clouddns' => {},
143 'cloudns' => {},
144 'cn' => {},
145 'conoha' => {},
146 'constellix' => {},
147 'cx' => {},
148 'cyon' => {},
149 'da' => {},
150 'ddnss' => {},
151 'desec' => {},
152 'df' => {},
153 'dgon' => {
154 name => 'DigitalOcean DNS',
155 fields => {
156 'DO_API_KEY' => {
157 description => 'The DigitalOcean API Key',
158 type => 'string',
159 },
160 },
161 },
162 'dnsimple' => {},
163 'do' => {},
164 'doapi' => {},
165 'domeneshop' => {},
166 'dp' => {},
167 'dpi' => {},
168 'dreamhost' => {},
169 'duckdns' => {},
170 'durabledns' => {},
171 'dyn' => {},
172 'dynu' => {},
173 'dynv6' => {},
174 'easydns' => {},
175 'edgedns' => {},
176 'euserv' => {},
177 'exoscale' => {},
178 'freedns' => {},
179 'gandi_livedns' => {},
180 'gcloud' => {},
181 'gd' => {
182 name => 'GoDaddy',
183 fields => {
184 'GD_Key' => {
185 description => 'The GoDaddy API Key',
186 type => 'string',
187 },
188 'GD_Secret' => {
189 description => 'The GoDaddy API Secret',
190 type => 'string',
191 },
192 },
193 },
194 'gdnsdk' => {},
195 'he' => {},
196 'hetzner' => {},
197 'hexonet' => {},
198 'hostingde' => {},
199 'huaweicloud' => {},
200 'infoblox' => {},
201 'infomaniak' => {},
202 'internetbs' => {},
203 'inwx' => {
204 name => 'INWX',
205 fields => {
206 'INWX_User' => {
207 description => 'The INWX username',
208 type => 'string',
209 },
210 'INWX_Password' => {
211 description => 'The INWX password',
212 type => 'string',
213 },
214 },
215 },
216 'ionos' => {},
217 'ispconfig' => {},
218 'jd' => {},
219 'joker' => {},
220 'kappernet' => {
221 name => 'kapper.net',
222 fields => {
223 'KAPPERNETDNS_Key' => {
224 description => 'Your kapper.net API key',
225 type => 'string',
226 },
227 'KAPPERNETDNS_Secret' => {
228 description => 'Your kapper.net API secret',
229 type => 'string',
230 },
231 },
232 },
233 'kas' => {},
234 'kinghost' => {},
235 'knot' => {},
236 'leaseweb' => {},
237 'lexicon' => {},
238 'linode' => {},
239 'linode_v4' => {},
240 'loopia' => {},
241 'lua' => {},
242 'maradns' => {},
243 'me' => {},
244 'miab' => {},
245 'misaka' => {},
246 'myapi' => {},
247 'mydevil' => {},
248 'mydnsjp' => {},
249 'namecheap' => {},
250 'namecom' => {},
251 'namesilo' => {},
252 'nederhost' => {},
253 'neodigit' => {},
254 'netcup' => {},
255 'netlify' => {},
256 'nic' => {},
257 'njalla' => {},
258 'nm' => {},
259 'nsd' => {},
260 'nsone' => {},
261 'nsupdate' => {},
262 'nw' => {},
263 'one' => {},
264 'online' => {},
265 'openprovider' => {},
266 'openstack' => {},
267 'opnsense' => {},
268 'ovh' => {
269 name => 'OVH',
270 fields => {
271 'OVH_END_POINT' => {
272 description => "The OVH endpoint",
273 default => "ovh-eu",
274 optional => 1,
275 type => 'string',
276 },
277 'OVH_AK' => {
278 description => "The application key.",
279 type => 'string',
280 },
281 'OVH_AS' => {
282 description => "The application secret.",
283 type => 'string',
284 },
285 'OVH_CK' => {
286 description => "The consumer key.",
287 optional => 1,
288 type => 'string',
289 },
290 },
291 },
292 'pdns' => {
293 name => 'PowerDNS server',
294 fields => {
295 'PDNS_Url' => {
296 description => "The PowerDNS API endpoint.",
297 type => 'string',
298 },
299 'PDNS_ServerId'=> {
300 type => 'string',
301 },
302 'PDNS_Token'=> {
303 type => 'string',
304 },
305 'PDNS_Ttl'=> {
306 type => 'integer',
307 },
308 },
309 },
310 'pleskxml' => {},
311 'pointhq' => {},
312 'rackcorp' => {},
313 'rackspace' => {},
314 'rcode0' => {},
315 'regru' => {},
316 'scaleway' => {},
317 'schlundtech' => {},
318 'selectel' => {},
319 'servercow' => {},
320 'simply' => {},
321 'tele3' => {},
322 'transip' => {},
323 'ultra' => {},
324 'unoeuro' => {},
325 'variomedia' => {},
326 'vscale' => {},
327 'vultr' => {},
328 'world4you' => {},
329 'yandex' => {},
330 'zilore' => {},
331 'zone' => {},
332 'zonomi' => {},
333 };
334
335 sub get_supported_plugins {
336 return $plugins;
337 }
338
339 sub properties {
340 return {
341 api => {
342 description => "API plugin name",
343 type => 'string',
344 enum => [sort keys %$plugins],
345 },
346 data => {
347 type => 'string',
348 description => 'DNS plugin data. (base64 encoded)',
349 },
350 'validation-delay' => {
351 type => 'integer',
352 description => 'Extra delay in seconds to wait before requesting validation.'
353 .' Allows to cope with a long TTL of DNS records.',
354 # low default, but our bet is that the acme-challenge domain isn't
355 # cached at all, so it hopefully shouldn't run into TTL issues
356 default => 30,
357 optional => 1,
358 minimum => 0,
359 maximum => 2 * 24 * 60 * 60,
360 }
361 };
362 }
363
364 sub options {
365 return {
366 api => {},
367 data => { optional => 1 },
368 nodes => { optional => 1 },
369 disable => { optional => 1 },
370 'validation-delay' => { optional => 1 },
371 };
372 }
373
374 my $proxmox_acme_command = sub {
375 my ($self, $acme, $auth, $data, $action) = @_;
376
377 die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});
378
379 my $alias = $data->{alias};
380 my $domain = $auth->{identifier}->{value};
381
382 my $challenge = $self->extract_challenge($auth->{challenges});
383 my $key_auth = $acme->key_authorization($challenge->{token});
384
385 my $txtvalue = PVE::ACME::encode(sha256($key_auth));
386 my $dnsplugin = $data->{plugin}->{api};
387 my $plugin_conf_string = $data->{plugin}->{data};
388
389 # for security reasons, we execute the command as nobody
390 # we can't verify that the code of the DNSPlugins are harmless.
391 my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
392
393 # The order of the parameters passed to proxmox-acme is important
394 # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
395 push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
396 if ($alias) {
397 push @$cmd, $alias;
398 } else {
399 push @$cmd, $domain;
400 }
401 my $input = "$txtvalue\n";
402 $input .= "$plugin_conf_string\n" if $plugin_conf_string;
403
404 PVE::Tools::run_command($cmd, input => $input);
405
406 $data->{url} = $challenge->{url};
407
408 return $domain;
409 };
410
411 sub setup {
412 my ($self, $acme, $auth, $data) = @_;
413
414 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
415 print "Add TXT record: _acme-challenge.$domain\n";
416
417 my $delay = $data->{plugin}->{'validation-delay'} // 30;
418 if ($delay > 0) {
419 print "Sleeping $delay seconds to wait for TXT record propagation\n";
420 sleep($delay); # don't care for EINTR
421 }
422 }
423
424 sub teardown {
425 my ($self, $acme, $auth, $data) = @_;
426
427 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
428 print "Remove TXT record: _acme-challenge.$domain\n";
429 }
430
431 1;
ACME library and helpers for perl based Proxmox projects