src/PVE/ACME/DNSChallenge.pm

   1 package PVE::ACME::DNSChallenge;
   2
   3 use strict;
   4 use warnings;
   5
   6 use Digest::SHA qw(sha256);
   7 use PVE::Tools;
   8
   9 use base qw(PVE::ACME::Challenge);
  10
  11 my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
  12
  13 sub supported_challenge_types {
  14     return ["dns-01"];
  15 }
  16
  17 sub type {
  18     return 'dns';
  19 }
  20
  21 # describe the data schema of the supported plugins
  22 my $plugins = {
  23     'acmedns' => {},
  24     'acmeproxy' => {},
  25     'active24' => {},
  26     'ad' => {},
  27     'ali' => {},
  28     'autodns' => {},
  29     'aws' => {},
  30     'azure' => {},
  31     'cf' => {},
  32     'clouddns' => {},
  33     'cloudns' => {},
  34     'cn' => {},
  35     'conoha' => {},
  36     'constellix' => {},
  37     'cx' => {},
  38     'cyon' => {},
  39     'da' => {},
  40     'ddnss' => {},
  41     'desec' => {},
  42     'dgon' => {},
  43     'dnsimple' => {},
  44     'do' => {},
  45     'doapi' => {},
  46     'domeneshop' => {},
  47     'dp' => {},
  48     'dpi' => {},
  49     'dreamhost' => {},
  50     'duckdns' => {},
  51     'durabledns' => {},
  52     'dyn' => {},
  53     'dynu' => {},
  54     'dynv6' => {},
  55     'easydns' => {},
  56     'euserv' => {},
  57     'exoscale' => {},
  58     'freedns' => {},
  59     'gandi_livedns' => {},
  60     'gcloud' => {},
  61     'gd' => {},
  62     'gdnsdk' => {},
  63     'he' => {},
  64     'hexonet' => {},
  65     'hostingde' => {},
  66     'infoblox' => {},
  67     'internetbs' => {},
  68     'inwx' => {},
  69     'ispconfig' => {},
  70     'jd' => {},
  71     'kas' => {},
  72     'kinghost' => {},
  73     'knot' => {},
  74     'leaseweb' => {},
  75     'lexicon' => {},
  76     'linode' => {},
  77     'linode_v4' => {},
  78     'loopia' => {},
  79     'lua' => {},
  80     'maradns' => {},
  81     'me' => {},
  82     'miab' => {},
  83     'misaka' => {},
  84     'myapi' => {},
  85     'mydevil' => {},
  86     'mydnsjp' => {},
  87     'namecheap' => {},
  88     'namecom' => {},
  89     'namesilo' => {},
  90     'nederhost' => {},
  91     'neodigit' => {},
  92     'netcup' => {},
  93     'nic' => {},
  94     'nsd' => {},
  95     'nsone' => {},
  96     'nsupdate' => {},
  97     'nw' => {},
  98     'one' => {},
  99     'online' => {},
 100     'openprovider' => {},
 101     'opnsense' => {},
 102     'ovh' => {
 103         name => 'OVH',
 104         fields => {
 105             'OVH_END_POINT' => {
 106                 description => "The OVH endpoint",
 107                 default => "ovh-eu",
 108                 optional => 1,
 109                 type => 'string',
 110             },
 111             'OVH_AK' => {
 112                 description => "The application key.",
 113                 type => 'string',
 114             },
 115             'OVH_AS' => {
 116                 description => "The application secret.",
 117                 type => 'string',
 118             },
 119             'OVH_CK' => {
 120                 description => "The consumer key.",
 121                 optional => 1,
 122                 type => 'string',
 123             },
 124         },
 125     },
 126     'pdns' => {
 127         name => 'PowerDNS server',
 128         fields => {
 129             'PDNS_Url' => {
 130                 description => "The PowerDNS API endpoint.",
 131                 type => 'string',
 132             },
 133             'PDNS_ServerId'=> {
 134                 type => 'string',
 135             },
 136             'PDNS_Token'=> {
 137                 type => 'string',
 138             },
 139             'PDNS_Ttl'=> {
 140                 type => 'integer',
 141             },
 142         },
 143     },
 144     'pleskxml' => {},
 145     'pointhq' => {},
 146     'rackspace' => {},
 147     'rcode0' => {},
 148     'regru' => {},
 149     'schlundtech' => {},
 150     'selectel' => {},
 151     'servercow' => {},
 152     'tele3' => {},
 153     'ultra' => {},
 154     'unoeuro' => {},
 155     'variomedia' => {},
 156     'vscale' => {},
 157     'vultr' => {},
 158     'yandex' => {},
 159     'zilore' => {},
 160     'zone' => {},
 161     'zonomi' => {},
 162 };
 163
 164 sub get_supported_plugins {
 165     return $plugins;
 166 }
 167
 168 sub properties {
 169     return {
 170         api => {
 171             description => "API plugin name",
 172             type => 'string',
 173             enum => [sort keys %$plugins],
 174         },
 175         data => {
 176             type => 'string',
 177             description => 'DNS plugin data. (base64 encoded)',
 178         },
 179         'validation-delay' => {
 180             type => 'integer',
 181             description => 'Extra delay in seconds to wait before requesting validation.'
 182                 .' Allows to cope with a long TTL of DNS records.',
 183             # low default, but our bet is that the acme-challenge domain isn't
 184             # cached at all, so it hopefully shouldn't run into TTL issues
 185             default => 30,
 186             optional => 1,
 187             minimum => 0,
 188             maximum => 2 * 24 * 60 * 60,
 189         }
 190     };
 191 }
 192
 193 sub options {
 194     return {
 195         api => {},
 196         data => { optional => 1 },
 197         nodes => { optional => 1 },
 198         disable => { optional => 1 },
 199         'validation-delay' => { optional => 1 },
 200     };
 201 }
 202
 203 my $proxmox_acme_command = sub {
 204     my ($self, $acme, $auth, $data, $action) = @_;
 205
 206     die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});
 207
 208     my $alias = $data->{alias};
 209     my $domain = $auth->{identifier}->{value};
 210
 211     my $challenge = $self->extract_challenge($auth->{challenges});
 212     my $key_auth = $acme->key_authorization($challenge->{token});
 213
 214     my $txtvalue = PVE::ACME::encode(sha256($key_auth));
 215     my $dnsplugin = $data->{plugin}->{api};
 216     my $plugin_conf_string = $data->{plugin}->{data};
 217
 218     # for security reasons, we execute the command as nobody
 219     # we can't verify that the code of the DNSPlugins are harmless.
 220     my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
 221
 222     # The order of the parameters passed to proxmox-acme is important
 223     # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
 224     push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
 225     if ($alias) {
 226         push @$cmd, $alias;
 227     } else {
 228         push @$cmd, $domain;
 229     }
 230     my $input = "$txtvalue\n";
 231     $input .= "$plugin_conf_string\n" if $plugin_conf_string;
 232
 233     PVE::Tools::run_command($cmd, input => $input);
 234
 235     $data->{url} = $challenge->{url};
 236
 237     return $domain;
 238 };
 239
 240 sub setup {
 241     my ($self, $acme, $auth, $data) = @_;
 242
 243     my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
 244     print "Add TXT record: _acme-challenge.$domain\n";
 245
 246     # FIXME: probe ourself for propagation of TXT record, while not 100%
 247     # failsafe it's good enough of a heuristic to do away with fixed sleep
 248     # intervalls - original acme.sh employs that heuristic too.
 249     my $delay = $data->{'validation-delay'} // 30;
 250     if ($delay > 0) {
 251         print "Sleeping $delay seconds to wait for TXT record propagation\n";
 252         sleep($delay); # don't care for EINTR
 253     }
 254 }
 255
 256 sub teardown {
 257     my ($self, $acme, $auth, $data) = @_;
 258
 259     my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
 260     print "Remove TXT record: _acme-challenge.$domain\n";
 261 }
 262
 263 1;