1 package PVE
::ACME
::DNSChallenge
;
6 use Digest
::SHA
qw(sha256);
9 use base
qw(PVE::ACME::Challenge);
11 my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
13 sub supported_challenge_types
{
21 # describe the data schema of the supported plugins
59 'gandi_livedns' => {},
100 'openprovider' => {},
106 description
=> "The OVH endpoint",
112 description
=> "The application key.",
116 description
=> "The application secret.",
120 description
=> "The consumer key.",
127 name
=> 'PowerDNS server',
130 description
=> "The PowerDNS API endpoint.",
164 sub get_supported_plugins
{
171 description
=> "API plugin name",
173 enum
=> [sort keys %$plugins],
177 description
=> 'DNS plugin data. (base64 encoded)',
179 'validation-delay' => {
181 description
=> 'Extra delay in seconds to wait before requesting validation.'
182 .' Allows to cope with a long TTL of DNS records.',
183 # low default, but our bet is that the acme-challenge domain isn't
184 # cached at all, so it hopefully shouldn't run into TTL issues
188 maximum
=> 2 * 24 * 60 * 60,
196 data
=> { optional
=> 1 },
197 nodes
=> { optional
=> 1 },
198 disable
=> { optional
=> 1 },
199 'validation-delay' => { optional
=> 1 },
203 my $proxmox_acme_command = sub {
204 my ($self, $acme, $auth, $data, $action) = @_;
206 die "No plugin data for DNSChallenge\n" if !defined($data->{plugin
});
208 my $alias = $data->{alias
};
209 my $domain = $auth->{identifier
}->{value
};
211 my $challenge = $self->extract_challenge($auth->{challenges
});
212 my $key_auth = $acme->key_authorization($challenge->{token
});
214 my $txtvalue = PVE
::ACME
::encode
(sha256
($key_auth));
215 my $dnsplugin = $data->{plugin
}->{api
};
216 my $plugin_conf_string = $data->{plugin
}->{data
};
218 # for security reasons, we execute the command as nobody
219 # we can't verify that the code of the DNSPlugins are harmless.
220 my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
222 # The order of the parameters passed to proxmox-acme is important
223 # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
224 push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
230 my $input = "$txtvalue\n";
231 $input .= "$plugin_conf_string\n" if $plugin_conf_string;
233 PVE
::Tools
::run_command
($cmd, input
=> $input);
235 $data->{url
} = $challenge->{url
};
241 my ($self, $acme, $auth, $data) = @_;
243 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
244 print "Add TXT record: _acme-challenge.$domain\n";
246 # FIXME: probe ourself for propagation of TXT record, while not 100%
247 # failsafe it's good enough of a heuristic to do away with fixed sleep
248 # intervalls - original acme.sh employs that heuristic too.
249 my $delay = $data->{'validation-delay'} // 30;
251 print "Sleeping $delay seconds to wait for TXT record propagation\n";
252 sleep($delay); # don't care for EINTR
257 my ($self, $acme, $auth, $data) = @_;
259 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
260 print "Remove TXT record: _acme-challenge.$domain\n";