]> git.proxmox.com Git - proxmox-acme.git/blob - src/PVE/ACME/DNSChallenge.pm
projects / proxmox-acme.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
dns challenge: provide schema for more providers
[proxmox-acme.git] / src / PVE / ACME / DNSChallenge.pm
1 package PVE::ACME::DNSChallenge;
2
3 use strict;
4 use warnings;
5
6 use Digest::SHA qw(sha256);
7 use PVE::Tools;
8
9 use base qw(PVE::ACME::Challenge);
10
11 my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
12
13 sub supported_challenge_types {
14 return ["dns-01"];
15 }
16
17 sub type {
18 return 'dns';
19 }
20
21 # describe the data schema of the supported plugins, e.g.:
22 # 'dnsprovider' => {
23 # name => 'Full name of Plugin',
24 # fields => {
25 # 'FOO_API_KEY' => {
26 # description => "The API key",
27 # default => "none",
28 # optional => 1,
29 # type => 'string',
30 # },
31 # # ...
32 # },
33 # },
34 my $plugins = {
35 'acmedns' => {},
36 'acmeproxy' => {},
37 'active24' => {
38 name => 'Active24',
39 fields => {
40 'ACTIVE24_Token' => {
41 description => "The API key",
42 type => 'string',
43 },
44 },
45 },
46 'ad' => {
47 name => 'Alwaysdata',
48 fields => {
49 'AD_API_KEY' => {
50 description => "The API key",
51 type => 'string',
52 },
53 },
54 },
55 'ali' => {
56 name => 'Alibaba Cloud DNS',
57 fields => {
58 'Ali_API' => {
59 description => 'The API endpoint',
60 default => "https://alidns.aliyuncs.com/",
61 type => 'string',
62 optional => 1,
63 },
64 'Ali_Key' => {
65 description => 'The API Key',
66 type => 'string',
67 },
68 'Ali_Secret' => {
69 description => 'The API Secret',
70 type => 'string',
71 },
72 },
73 },
74 'autodns' => {},
75 'aws' => {
76 name => 'Amazon Route53 (AWS)',
77 fields => {
78 'AWS_ACCESS_KEY_ID' => {
79 name => 'ACCESS_KEY_ID',
80 description => 'The AWS access-key ID',
81 type => 'string',
82 },
83 'AWS_SECRET_ACCESS_KEY' => {
84 name => 'SECRET_ACCESS_KEY',
85 description => 'The AWS access-key secret',
86 type => 'string',
87 },
88 },
89 },
90 'azure' => {},
91 'cf' => {
92 name => 'Cloudflare Managed DNS',
93 description => 'Either provide global account key and email, or CF API token and Account ID.',
94 fields => {
95 'CF_Key' => {
96 description => 'The Cloudflare Global API Key',
97 type => 'string',
98 },
99 'CF_Email' => {
100 description => 'The Cloudflare Account EMail-Address',
101 type => 'string',
102 },
103 'CF_Token' => {
104 description => 'The new Cloudflare API Token',
105 type => 'string',
106 },
107 'CF_Account_ID' => {
108 description => 'The new Cloudflare API Account ID',
109 type => 'string',
110 },
111 'CF_Zone_ID' => {
112 description => 'For Zone restricted API Token',
113 type => 'string',
114 },
115 },
116 },
117 'clouddns' => {},
118 'cloudns' => {},
119 'cn' => {},
120 'conoha' => {},
121 'constellix' => {},
122 'cx' => {},
123 'cyon' => {},
124 'da' => {},
125 'ddnss' => {},
126 'desec' => {},
127 'dgon' => {},
128 'dnsimple' => {},
129 'do' => {},
130 'doapi' => {},
131 'domeneshop' => {},
132 'dp' => {},
133 'dpi' => {},
134 'dreamhost' => {},
135 'duckdns' => {},
136 'durabledns' => {},
137 'dyn' => {},
138 'dynu' => {},
139 'dynv6' => {},
140 'easydns' => {},
141 'euserv' => {},
142 'exoscale' => {},
143 'freedns' => {},
144 'gandi_livedns' => {},
145 'gcloud' => {},
146 'gd' => {
147 name => 'GoDaddy',
148 fields => {
149 'GD_Key' => {
150 description => 'The GoDaddy API Key',
151 type => 'string',
152 },
153 'GD_Secret' => {
154 description => 'The GoDaddy API Secret',
155 type => 'string',
156 },
157 },
158 },
159 'gdnsdk' => {},
160 'he' => {},
161 'hexonet' => {},
162 'hostingde' => {},
163 'infoblox' => {},
164 'internetbs' => {},
165 'inwx' => {},
166 'ispconfig' => {},
167 'jd' => {},
168 'kas' => {},
169 'kinghost' => {},
170 'knot' => {},
171 'leaseweb' => {},
172 'lexicon' => {},
173 'linode' => {},
174 'linode_v4' => {},
175 'loopia' => {},
176 'lua' => {},
177 'maradns' => {},
178 'me' => {},
179 'miab' => {},
180 'misaka' => {},
181 'myapi' => {},
182 'mydevil' => {},
183 'mydnsjp' => {},
184 'namecheap' => {},
185 'namecom' => {},
186 'namesilo' => {},
187 'nederhost' => {},
188 'neodigit' => {},
189 'netcup' => {},
190 'nic' => {},
191 'nsd' => {},
192 'nsone' => {},
193 'nsupdate' => {},
194 'nw' => {},
195 'one' => {},
196 'online' => {},
197 'openprovider' => {},
198 'opnsense' => {},
199 'ovh' => {
200 name => 'OVH',
201 fields => {
202 'OVH_END_POINT' => {
203 description => "The OVH endpoint",
204 default => "ovh-eu",
205 optional => 1,
206 type => 'string',
207 },
208 'OVH_AK' => {
209 description => "The application key.",
210 type => 'string',
211 },
212 'OVH_AS' => {
213 description => "The application secret.",
214 type => 'string',
215 },
216 'OVH_CK' => {
217 description => "The consumer key.",
218 optional => 1,
219 type => 'string',
220 },
221 },
222 },
223 'pdns' => {
224 name => 'PowerDNS server',
225 fields => {
226 'PDNS_Url' => {
227 description => "The PowerDNS API endpoint.",
228 type => 'string',
229 },
230 'PDNS_ServerId'=> {
231 type => 'string',
232 },
233 'PDNS_Token'=> {
234 type => 'string',
235 },
236 'PDNS_Ttl'=> {
237 type => 'integer',
238 },
239 },
240 },
241 'pleskxml' => {},
242 'pointhq' => {},
243 'rackspace' => {},
244 'rcode0' => {},
245 'regru' => {},
246 'schlundtech' => {},
247 'selectel' => {},
248 'servercow' => {},
249 'tele3' => {},
250 'ultra' => {},
251 'unoeuro' => {},
252 'variomedia' => {},
253 'vscale' => {},
254 'vultr' => {},
255 'yandex' => {},
256 'zilore' => {},
257 'zone' => {},
258 'zonomi' => {},
259 };
260
261 sub get_supported_plugins {
262 return $plugins;
263 }
264
265 sub properties {
266 return {
267 api => {
268 description => "API plugin name",
269 type => 'string',
270 enum => [sort keys %$plugins],
271 },
272 data => {
273 type => 'string',
274 description => 'DNS plugin data. (base64 encoded)',
275 },
276 'validation-delay' => {
277 type => 'integer',
278 description => 'Extra delay in seconds to wait before requesting validation.'
279 .' Allows to cope with a long TTL of DNS records.',
280 # low default, but our bet is that the acme-challenge domain isn't
281 # cached at all, so it hopefully shouldn't run into TTL issues
282 default => 30,
283 optional => 1,
284 minimum => 0,
285 maximum => 2 * 24 * 60 * 60,
286 }
287 };
288 }
289
290 sub options {
291 return {
292 api => {},
293 data => { optional => 1 },
294 nodes => { optional => 1 },
295 disable => { optional => 1 },
296 'validation-delay' => { optional => 1 },
297 };
298 }
299
300 my $proxmox_acme_command = sub {
301 my ($self, $acme, $auth, $data, $action) = @_;
302
303 die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});
304
305 my $alias = $data->{alias};
306 my $domain = $auth->{identifier}->{value};
307
308 my $challenge = $self->extract_challenge($auth->{challenges});
309 my $key_auth = $acme->key_authorization($challenge->{token});
310
311 my $txtvalue = PVE::ACME::encode(sha256($key_auth));
312 my $dnsplugin = $data->{plugin}->{api};
313 my $plugin_conf_string = $data->{plugin}->{data};
314
315 # for security reasons, we execute the command as nobody
316 # we can't verify that the code of the DNSPlugins are harmless.
317 my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
318
319 # The order of the parameters passed to proxmox-acme is important
320 # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
321 push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
322 if ($alias) {
323 push @$cmd, $alias;
324 } else {
325 push @$cmd, $domain;
326 }
327 my $input = "$txtvalue\n";
328 $input .= "$plugin_conf_string\n" if $plugin_conf_string;
329
330 PVE::Tools::run_command($cmd, input => $input);
331
332 $data->{url} = $challenge->{url};
333
334 return $domain;
335 };
336
337 sub setup {
338 my ($self, $acme, $auth, $data) = @_;
339
340 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
341 print "Add TXT record: _acme-challenge.$domain\n";
342
343 # FIXME: probe ourself for propagation of TXT record, while not 100%
344 # failsafe it's good enough of a heuristic to do away with fixed sleep
345 # intervalls - original acme.sh employs that heuristic too.
346 my $delay = $data->{'validation-delay'} // 30;
347 if ($delay > 0) {
348 print "Sleeping $delay seconds to wait for TXT record propagation\n";
349 sleep($delay); # don't care for EINTR
350 }
351 }
352
353 sub teardown {
354 my ($self, $acme, $auth, $data) = @_;
355
356 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
357 print "Remove TXT record: _acme-challenge.$domain\n";
358 }
359
360 1;
ACME library and helpers for perl based Proxmox projects