src/PVE/ACME/DNSChallenge.pm

   1 package PVE::ACME::DNSChallenge;
   2
   3 use strict;
   4 use warnings;
   5
   6 use Digest::SHA qw(sha256);
   7 use JSON;
   8
   9 use PVE::Tools;
  10
  11 use PVE::ACME;
  12
  13 use base qw(PVE::ACME::Challenge);
  14
  15 my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
  16
  17 sub supported_challenge_types {
  18     return ["dns-01"];
  19 }
  20
  21 sub type {
  22     return 'dns';
  23 }
  24
  25 my $DNS_API_CHALLENGE_SCHEMA_FN = '/usr/share/proxmox-acme/dns-challenge-schema.json';
  26 my $plugins = from_json(PVE::Tools::file_get_contents($DNS_API_CHALLENGE_SCHEMA_FN));
  27
  28 sub get_supported_plugins {
  29     return $plugins;
  30 }
  31
  32 sub properties {
  33     return {
  34         api => {
  35             description => "API plugin name",
  36             type => 'string',
  37             enum => [sort keys %$plugins],
  38         },
  39         data => {
  40             type => 'string',
  41             description => 'DNS plugin data. (base64 encoded)',
  42         },
  43         'validation-delay' => {
  44             type => 'integer',
  45             description => 'Extra delay in seconds to wait before requesting validation.'
  46                 .' Allows to cope with a long TTL of DNS records.',
  47             # low default, but our bet is that the acme-challenge domain isn't
  48             # cached at all, so it hopefully shouldn't run into TTL issues
  49             default => 30,
  50             optional => 1,
  51             minimum => 0,
  52             maximum => 2 * 24 * 60 * 60,
  53         }
  54     };
  55 }
  56
  57 sub options {
  58     return {
  59         api => {},
  60         data => { optional => 1 },
  61         nodes => { optional => 1 },
  62         disable => { optional => 1 },
  63         'validation-delay' => { optional => 1 },
  64     };
  65 }
  66
  67 my $proxmox_acme_command = sub {
  68     my ($self, $acme, $auth, $data, $action) = @_;
  69
  70     die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});
  71
  72     my $alias = $data->{alias};
  73     my $domain = $auth->{identifier}->{value};
  74
  75     my $challenge = $self->extract_challenge($auth->{challenges});
  76     my $key_auth = $acme->key_authorization($challenge->{token});
  77
  78     my $txtvalue = PVE::ACME::encode(sha256($key_auth));
  79     my $dnsplugin = $data->{plugin}->{api};
  80     my $plugin_conf_string = $data->{plugin}->{data};
  81
  82     # for security reasons, we execute the command as nobody
  83     # we can't verify that the code of the DNSPlugins are harmless.
  84     my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
  85
  86     # The order of the parameters passed to proxmox-acme is important
  87     # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
  88     push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
  89     if ($alias) {
  90         push @$cmd, $alias;
  91     } else {
  92         push @$cmd, $domain;
  93     }
  94     my $input = "$txtvalue\n";
  95     $input .= "$plugin_conf_string\n" if $plugin_conf_string;
  96
  97     PVE::Tools::run_command($cmd, input => $input);
  98
  99     $data->{url} = $challenge->{url};
 100
 101     return $domain;
 102 };
 103
 104 sub setup {
 105     my ($self, $acme, $auth, $data) = @_;
 106
 107     my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
 108     print "Add TXT record: _acme-challenge.$domain\n";
 109
 110     my $delay = $data->{plugin}->{'validation-delay'} // 30;
 111     if ($delay > 0) {
 112         print "Sleeping $delay seconds to wait for TXT record propagation\n";
 113         sleep($delay); # don't care for EINTR
 114     }
 115 }
 116
 117 sub teardown {
 118     my ($self, $acme, $auth, $data) = @_;
 119
 120     my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
 121     print "Remove TXT record: _acme-challenge.$domain\n";
 122 }
 123
 124 1;