]> git.proxmox.com Git - proxmox-acme.git/blob - src/PVE/ACME/DNSChallenge.pm
projects / proxmox-acme.git / blob
? search:


7214d8889ecadee1c8b9b1a0c58e2ed127d5e679
[proxmox-acme.git] / src / PVE / ACME / DNSChallenge.pm
1 package PVE::ACME::DNSChallenge;
2
3 use strict;
4 use warnings;
5
6 use Digest::SHA qw(sha256);
7 use JSON;
8
9 use PVE::Tools;
10
11 use PVE::ACME;
12
13 use base qw(PVE::ACME::Challenge);
14
15 my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
16
17 sub supported_challenge_types {
18 return ["dns-01"];
19 }
20
21 sub type {
22 return 'dns';
23 }
24
25 my $DNS_API_CHALLENGE_SCHEMA_FN = '/usr/share/proxmox-acme/dns-challenge-schema.json';
26
27 my $plugin_cache;
28 sub get_supported_plugins {
29 if (!$plugin_cache) {
30 $plugin_cache = -e $DNS_API_CHALLENGE_SCHEMA_FN # we allow this to be optional as not all users require
31 ? from_json(PVE::Tools::file_get_contents($DNS_API_CHALLENGE_SCHEMA_FN))
32 : {};
33 }
34 return $plugin_cache;
35 }
36
37 sub properties {
38 my $plugins = get_supported_plugins();
39 return {
40 api => {
41 description => "API plugin name",
42 type => 'string',
43 enum => [sort keys %$plugins],
44 },
45 data => {
46 type => 'string',
47 description => 'DNS plugin data. (base64 encoded)',
48 },
49 'validation-delay' => {
50 type => 'integer',
51 description => 'Extra delay in seconds to wait before requesting validation.'
52 .' Allows to cope with a long TTL of DNS records.',
53 # low default, but our bet is that the acme-challenge domain isn't
54 # cached at all, so it hopefully shouldn't run into TTL issues
55 default => 30,
56 optional => 1,
57 minimum => 0,
58 maximum => 2 * 24 * 60 * 60,
59 }
60 };
61 }
62
63 sub options {
64 return {
65 api => {},
66 data => { optional => 1 },
67 nodes => { optional => 1 },
68 disable => { optional => 1 },
69 'validation-delay' => { optional => 1 },
70 };
71 }
72
73 my $proxmox_acme_command = sub {
74 my ($self, $acme, $auth, $data, $action) = @_;
75
76 die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});
77
78 my $alias = $data->{alias};
79 my $domain = $auth->{identifier}->{value};
80
81 my $challenge = $self->extract_challenge($auth->{challenges});
82 my $key_auth = $acme->key_authorization($challenge->{token});
83
84 my $txtvalue = PVE::ACME::encode(sha256($key_auth));
85 my $dnsplugin = $data->{plugin}->{api};
86 my $plugin_conf_string = $data->{plugin}->{data};
87
88 # for security reasons, we execute the command as nobody
89 # we can't verify that the code of the DNSPlugins are harmless.
90 my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
91
92 # The order of the parameters passed to proxmox-acme is important
93 # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
94 push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
95 if ($alias) {
96 push @$cmd, $alias;
97 } else {
98 push @$cmd, $domain;
99 }
100 my $input = "$txtvalue\n";
101 $input .= "$plugin_conf_string\n" if $plugin_conf_string;
102
103 PVE::Tools::run_command($cmd, input => $input);
104
105 $data->{url} = $challenge->{url};
106
107 return $domain;
108 };
109
110 sub setup {
111 my ($self, $acme, $auth, $data) = @_;
112
113 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
114 print "Add TXT record: _acme-challenge.$domain\n";
115
116 my $delay = $data->{plugin}->{'validation-delay'} // 30;
117 if ($delay > 0) {
118 print "Sleeping $delay seconds to wait for TXT record propagation\n";
119 sleep($delay); # don't care for EINTR
120 }
121 }
122
123 sub teardown {
124 my ($self, $acme, $auth, $data) = @_;
125
126 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
127 print "Remove TXT record: _acme-challenge.$domain\n";
128 }
129
130 1;
ACME library and helpers for perl based Proxmox projects