]> git.proxmox.com Git - proxmox-acme.git/blob - src/PVE/ACME/DNSChallenge.pm
projects / proxmox-acme.git / blob
? search:


3777a14916d7733b9eb00679b3765946533c0771
[proxmox-acme.git] / src / PVE / ACME / DNSChallenge.pm
1 package PVE::ACME::DNSChallenge;
2
3 use strict;
4 use warnings;
5
6 use Digest::SHA qw(sha256);
7 use PVE::Tools;
8
9 use base qw(PVE::ACME::Challenge);
10
11 my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
12
13 sub supported_challenge_types {
14 return ["dns-01"];
15 }
16
17 sub type {
18 return 'dns';
19 }
20
21 # describe the data schema of the supported plugins, e.g.:
22 # 'dnsprovider' => {
23 # name => 'Full name of Plugin',
24 # fields => {
25 # 'FOO_API_KEY' => {
26 # description => "The API key",
27 # default => "none",
28 # optional => 1,
29 # type => 'string',
30 # },
31 # # ...
32 # },
33 # },
34 my $plugins = {
35 'acmedns' => {},
36 'acmeproxy' => {},
37 'active24' => {
38 name => 'Active24',
39 fields => {
40 'ACTIVE24_Token' => {
41 description => "The API key",
42 type => 'string',
43 },
44 },
45 },
46 'ad' => {
47 name => 'Alwaysdata',
48 fields => {
49 'AD_API_KEY' => {
50 description => "The API key",
51 type => 'string',
52 },
53 },
54 },
55 'ali' => {
56 name => 'Alibaba Cloud DNS',
57 fields => {
58 'Ali_API' => {
59 description => 'The API endpoint',
60 default => "https://alidns.aliyuncs.com/",
61 type => 'string',
62 optional => 1,
63 },
64 'Ali_Key' => {
65 description => 'The API Key',
66 type => 'string',
67 },
68 'Ali_Secret' => {
69 description => 'The API Secret',
70 type => 'string',
71 },
72 },
73 },
74 'autodns' => {},
75 'aws' => {
76 name => 'Amazon Route53 (AWS)',
77 fields => {
78 'AWS_ACCESS_KEY_ID' => {
79 name => 'ACCESS_KEY_ID',
80 description => 'The AWS access-key ID',
81 type => 'string',
82 },
83 'AWS_SECRET_ACCESS_KEY' => {
84 name => 'SECRET_ACCESS_KEY',
85 description => 'The AWS access-key secret',
86 type => 'string',
87 },
88 },
89 },
90 'azure' => {},
91 'cf' => {
92 name => 'Cloudflare Managed DNS',
93 description => 'Either provide global account key and email, or CF API token and Account ID.',
94 fields => {
95 'CF_Key' => {
96 description => 'The Cloudflare Global API Key',
97 type => 'string',
98 },
99 'CF_Email' => {
100 description => 'The Cloudflare Account EMail-Address',
101 type => 'string',
102 },
103 'CF_Token' => {
104 description => 'The new Cloudflare API Token',
105 type => 'string',
106 },
107 'CF_Account_ID' => {
108 description => 'The new Cloudflare API Account ID',
109 type => 'string',
110 },
111 'CF_Zone_ID' => {
112 description => 'For Zone restricted API Token',
113 type => 'string',
114 },
115 },
116 },
117 'clouddns' => {},
118 'cloudns' => {},
119 'cn' => {},
120 'conoha' => {},
121 'constellix' => {},
122 'cx' => {},
123 'cyon' => {},
124 'da' => {},
125 'ddnss' => {},
126 'desec' => {},
127 'df' => {},
128 'dgon' => {},
129 'dnsimple' => {},
130 'do' => {},
131 'doapi' => {},
132 'domeneshop' => {},
133 'dp' => {},
134 'dpi' => {},
135 'dreamhost' => {},
136 'duckdns' => {},
137 'durabledns' => {},
138 'dyn' => {},
139 'dynu' => {},
140 'dynv6' => {},
141 'easydns' => {},
142 'euserv' => {},
143 'exoscale' => {},
144 'freedns' => {},
145 'gandi_livedns' => {},
146 'gcloud' => {},
147 'gd' => {
148 name => 'GoDaddy',
149 fields => {
150 'GD_Key' => {
151 description => 'The GoDaddy API Key',
152 type => 'string',
153 },
154 'GD_Secret' => {
155 description => 'The GoDaddy API Secret',
156 type => 'string',
157 },
158 },
159 },
160 'gdnsdk' => {},
161 'he' => {},
162 'hexonet' => {},
163 'hostingde' => {},
164 'infoblox' => {},
165 'internetbs' => {},
166 'inwx' => {},
167 'ispconfig' => {},
168 'jd' => {},
169 'kas' => {},
170 'kinghost' => {},
171 'knot' => {},
172 'leaseweb' => {},
173 'lexicon' => {},
174 'linode' => {},
175 'linode_v4' => {},
176 'loopia' => {},
177 'lua' => {},
178 'maradns' => {},
179 'me' => {},
180 'miab' => {},
181 'misaka' => {},
182 'myapi' => {},
183 'mydevil' => {},
184 'mydnsjp' => {},
185 'namecheap' => {},
186 'namecom' => {},
187 'namesilo' => {},
188 'nederhost' => {},
189 'neodigit' => {},
190 'netcup' => {},
191 'nic' => {},
192 'nsd' => {},
193 'nsone' => {},
194 'nsupdate' => {},
195 'nw' => {},
196 'one' => {},
197 'online' => {},
198 'openprovider' => {},
199 'opnsense' => {},
200 'ovh' => {
201 name => 'OVH',
202 fields => {
203 'OVH_END_POINT' => {
204 description => "The OVH endpoint",
205 default => "ovh-eu",
206 optional => 1,
207 type => 'string',
208 },
209 'OVH_AK' => {
210 description => "The application key.",
211 type => 'string',
212 },
213 'OVH_AS' => {
214 description => "The application secret.",
215 type => 'string',
216 },
217 'OVH_CK' => {
218 description => "The consumer key.",
219 optional => 1,
220 type => 'string',
221 },
222 },
223 },
224 'pdns' => {
225 name => 'PowerDNS server',
226 fields => {
227 'PDNS_Url' => {
228 description => "The PowerDNS API endpoint.",
229 type => 'string',
230 },
231 'PDNS_ServerId'=> {
232 type => 'string',
233 },
234 'PDNS_Token'=> {
235 type => 'string',
236 },
237 'PDNS_Ttl'=> {
238 type => 'integer',
239 },
240 },
241 },
242 'pleskxml' => {},
243 'pointhq' => {},
244 'rackspace' => {},
245 'rcode0' => {},
246 'regru' => {},
247 'schlundtech' => {},
248 'selectel' => {},
249 'servercow' => {},
250 'tele3' => {},
251 'ultra' => {},
252 'unoeuro' => {},
253 'variomedia' => {},
254 'vscale' => {},
255 'vultr' => {},
256 'yandex' => {},
257 'zilore' => {},
258 'zone' => {},
259 'zonomi' => {},
260 };
261
262 sub get_supported_plugins {
263 return $plugins;
264 }
265
266 sub properties {
267 return {
268 api => {
269 description => "API plugin name",
270 type => 'string',
271 enum => [sort keys %$plugins],
272 },
273 data => {
274 type => 'string',
275 description => 'DNS plugin data. (base64 encoded)',
276 },
277 'validation-delay' => {
278 type => 'integer',
279 description => 'Extra delay in seconds to wait before requesting validation.'
280 .' Allows to cope with a long TTL of DNS records.',
281 # low default, but our bet is that the acme-challenge domain isn't
282 # cached at all, so it hopefully shouldn't run into TTL issues
283 default => 30,
284 optional => 1,
285 minimum => 0,
286 maximum => 2 * 24 * 60 * 60,
287 }
288 };
289 }
290
291 sub options {
292 return {
293 api => {},
294 data => { optional => 1 },
295 nodes => { optional => 1 },
296 disable => { optional => 1 },
297 'validation-delay' => { optional => 1 },
298 };
299 }
300
301 my $proxmox_acme_command = sub {
302 my ($self, $acme, $auth, $data, $action) = @_;
303
304 die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});
305
306 my $alias = $data->{alias};
307 my $domain = $auth->{identifier}->{value};
308
309 my $challenge = $self->extract_challenge($auth->{challenges});
310 my $key_auth = $acme->key_authorization($challenge->{token});
311
312 my $txtvalue = PVE::ACME::encode(sha256($key_auth));
313 my $dnsplugin = $data->{plugin}->{api};
314 my $plugin_conf_string = $data->{plugin}->{data};
315
316 # for security reasons, we execute the command as nobody
317 # we can't verify that the code of the DNSPlugins are harmless.
318 my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
319
320 # The order of the parameters passed to proxmox-acme is important
321 # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
322 push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
323 if ($alias) {
324 push @$cmd, $alias;
325 } else {
326 push @$cmd, $domain;
327 }
328 my $input = "$txtvalue\n";
329 $input .= "$plugin_conf_string\n" if $plugin_conf_string;
330
331 PVE::Tools::run_command($cmd, input => $input);
332
333 $data->{url} = $challenge->{url};
334
335 return $domain;
336 };
337
338 sub setup {
339 my ($self, $acme, $auth, $data) = @_;
340
341 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
342 print "Add TXT record: _acme-challenge.$domain\n";
343
344 # FIXME: probe ourself for propagation of TXT record, while not 100%
345 # failsafe it's good enough of a heuristic to do away with fixed sleep
346 # intervalls - original acme.sh employs that heuristic too.
347 my $delay = $data->{'validation-delay'} // 30;
348 if ($delay > 0) {
349 print "Sleeping $delay seconds to wait for TXT record propagation\n";
350 sleep($delay); # don't care for EINTR
351 }
352 }
353
354 sub teardown {
355 my ($self, $acme, $auth, $data) = @_;
356
357 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
358 print "Remove TXT record: _acme-challenge.$domain\n";
359 }
360
361 1;
ACME library and helpers for perl based Proxmox projects