]> git.proxmox.com Git - proxmox-acme.git/blob - src/PVE/ACME/DNSChallenge.pm
projects / proxmox-acme.git / blob
? search:


f0590de0e4498058dc48c744bf47add9b0b64304
[proxmox-acme.git] / src / PVE / ACME / DNSChallenge.pm
1 package PVE::ACME::DNSChallenge;
2
3 use strict;
4 use warnings;
5
6 use Digest::SHA qw(sha256);
7 use PVE::Tools;
8
9 use base qw(PVE::ACME::Challenge);
10
11 my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
12
13 sub supported_challenge_types {
14 return ["dns-01"];
15 }
16
17 sub type {
18 return 'dns';
19 }
20
21 # describe the data schema of the supported plugins, e.g.:
22 # 'dnsprovider' => {
23 # name => 'Full name of Plugin',
24 # fields => {
25 # 'FOO_API_KEY' => {
26 # description => "The API key",
27 # default => "none",
28 # optional => 1,
29 # type => 'string',
30 # },
31 # # ...
32 # },
33 # },
34 my $plugins = {
35 'acmedns' => {},
36 'acmeproxy' => {},
37 'active24' => {
38 name => 'Active24',
39 fields => {
40 'ACTIVE24_Token' => {
41 description => "The API key",
42 type => 'string',
43 },
44 },
45 },
46 'ad' => {
47 name => 'Alwaysdata',
48 fields => {
49 'AD_API_KEY' => {
50 description => "The API key",
51 type => 'string',
52 },
53 },
54 },
55 'ali' => {
56 name => 'Alibaba Cloud DNS',
57 fields => {
58 'Ali_API' => {
59 description => 'The API endpoint',
60 default => "https://alidns.aliyuncs.com/",
61 type => 'string',
62 optional => 1,
63 },
64 'Ali_Key' => {
65 description => 'The API Key',
66 type => 'string',
67 },
68 'Ali_Secret' => {
69 description => 'The API Secret',
70 type => 'string',
71 },
72 },
73 },
74 'autodns' => {},
75 'aws' => {
76 name => 'Amazon Route53 (AWS)',
77 fields => {
78 'AWS_ACCESS_KEY_ID' => {
79 name => 'ACCESS_KEY_ID',
80 description => 'The AWS access-key ID',
81 type => 'string',
82 },
83 'AWS_SECRET_ACCESS_KEY' => {
84 name => 'SECRET_ACCESS_KEY',
85 description => 'The AWS access-key secret',
86 type => 'string',
87 },
88 },
89 },
90 'azure' => {},
91 'cf' => {
92 name => 'Cloudflare Managed DNS',
93 description => 'Either provide global account key and email, or CF API token and Account ID.',
94 fields => {
95 'CF_Key' => {
96 description => 'The Cloudflare Global API Key',
97 type => 'string',
98 },
99 'CF_Email' => {
100 description => 'The Cloudflare Account EMail-Address',
101 type => 'string',
102 },
103 'CF_Token' => {
104 description => 'The new Cloudflare API Token',
105 type => 'string',
106 },
107 'CF_Account_ID' => {
108 description => 'The new Cloudflare API Account ID',
109 type => 'string',
110 },
111 'CF_Zone_ID' => {
112 description => 'For Zone restricted API Token',
113 type => 'string',
114 },
115 },
116 },
117 'clouddns' => {},
118 'cloudns' => {},
119 'cn' => {},
120 'conoha' => {},
121 'constellix' => {},
122 'cx' => {},
123 'cyon' => {},
124 'da' => {},
125 'ddnss' => {},
126 'desec' => {},
127 'df' => {},
128 'dgon' => {
129 name => 'DigitalOcean DNS',
130 fields => {
131 'DO_API_KEY' => {
132 description => 'The DigitalOcean API Key',
133 type => 'string',
134 },
135 },
136 },
137 'dnsimple' => {},
138 'do' => {},
139 'doapi' => {},
140 'domeneshop' => {},
141 'dp' => {},
142 'dpi' => {},
143 'dreamhost' => {},
144 'duckdns' => {},
145 'durabledns' => {},
146 'dyn' => {},
147 'dynu' => {},
148 'dynv6' => {},
149 'easydns' => {},
150 'euserv' => {},
151 'exoscale' => {},
152 'freedns' => {},
153 'gandi_livedns' => {},
154 'gcloud' => {},
155 'gd' => {
156 name => 'GoDaddy',
157 fields => {
158 'GD_Key' => {
159 description => 'The GoDaddy API Key',
160 type => 'string',
161 },
162 'GD_Secret' => {
163 description => 'The GoDaddy API Secret',
164 type => 'string',
165 },
166 },
167 },
168 'gdnsdk' => {},
169 'he' => {},
170 'hexonet' => {},
171 'hostingde' => {},
172 'infoblox' => {},
173 'internetbs' => {},
174 'inwx' => {},
175 'ispconfig' => {},
176 'jd' => {},
177 'kas' => {},
178 'kinghost' => {},
179 'knot' => {},
180 'leaseweb' => {},
181 'lexicon' => {},
182 'linode' => {},
183 'linode_v4' => {},
184 'loopia' => {},
185 'lua' => {},
186 'maradns' => {},
187 'me' => {},
188 'miab' => {},
189 'misaka' => {},
190 'myapi' => {},
191 'mydevil' => {},
192 'mydnsjp' => {},
193 'namecheap' => {},
194 'namecom' => {},
195 'namesilo' => {},
196 'nederhost' => {},
197 'neodigit' => {},
198 'netcup' => {},
199 'nic' => {},
200 'nsd' => {},
201 'nsone' => {},
202 'nsupdate' => {},
203 'nw' => {},
204 'one' => {},
205 'online' => {},
206 'openprovider' => {},
207 'opnsense' => {},
208 'ovh' => {
209 name => 'OVH',
210 fields => {
211 'OVH_END_POINT' => {
212 description => "The OVH endpoint",
213 default => "ovh-eu",
214 optional => 1,
215 type => 'string',
216 },
217 'OVH_AK' => {
218 description => "The application key.",
219 type => 'string',
220 },
221 'OVH_AS' => {
222 description => "The application secret.",
223 type => 'string',
224 },
225 'OVH_CK' => {
226 description => "The consumer key.",
227 optional => 1,
228 type => 'string',
229 },
230 },
231 },
232 'pdns' => {
233 name => 'PowerDNS server',
234 fields => {
235 'PDNS_Url' => {
236 description => "The PowerDNS API endpoint.",
237 type => 'string',
238 },
239 'PDNS_ServerId'=> {
240 type => 'string',
241 },
242 'PDNS_Token'=> {
243 type => 'string',
244 },
245 'PDNS_Ttl'=> {
246 type => 'integer',
247 },
248 },
249 },
250 'pleskxml' => {},
251 'pointhq' => {},
252 'rackspace' => {},
253 'rcode0' => {},
254 'regru' => {},
255 'schlundtech' => {},
256 'selectel' => {},
257 'servercow' => {},
258 'tele3' => {},
259 'ultra' => {},
260 'unoeuro' => {},
261 'variomedia' => {},
262 'vscale' => {},
263 'vultr' => {},
264 'yandex' => {},
265 'zilore' => {},
266 'zone' => {},
267 'zonomi' => {},
268 };
269
270 sub get_supported_plugins {
271 return $plugins;
272 }
273
274 sub properties {
275 return {
276 api => {
277 description => "API plugin name",
278 type => 'string',
279 enum => [sort keys %$plugins],
280 },
281 data => {
282 type => 'string',
283 description => 'DNS plugin data. (base64 encoded)',
284 },
285 'validation-delay' => {
286 type => 'integer',
287 description => 'Extra delay in seconds to wait before requesting validation.'
288 .' Allows to cope with a long TTL of DNS records.',
289 # low default, but our bet is that the acme-challenge domain isn't
290 # cached at all, so it hopefully shouldn't run into TTL issues
291 default => 30,
292 optional => 1,
293 minimum => 0,
294 maximum => 2 * 24 * 60 * 60,
295 }
296 };
297 }
298
299 sub options {
300 return {
301 api => {},
302 data => { optional => 1 },
303 nodes => { optional => 1 },
304 disable => { optional => 1 },
305 'validation-delay' => { optional => 1 },
306 };
307 }
308
309 my $proxmox_acme_command = sub {
310 my ($self, $acme, $auth, $data, $action) = @_;
311
312 die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});
313
314 my $alias = $data->{alias};
315 my $domain = $auth->{identifier}->{value};
316
317 my $challenge = $self->extract_challenge($auth->{challenges});
318 my $key_auth = $acme->key_authorization($challenge->{token});
319
320 my $txtvalue = PVE::ACME::encode(sha256($key_auth));
321 my $dnsplugin = $data->{plugin}->{api};
322 my $plugin_conf_string = $data->{plugin}->{data};
323
324 # for security reasons, we execute the command as nobody
325 # we can't verify that the code of the DNSPlugins are harmless.
326 my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
327
328 # The order of the parameters passed to proxmox-acme is important
329 # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
330 push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
331 if ($alias) {
332 push @$cmd, $alias;
333 } else {
334 push @$cmd, $domain;
335 }
336 my $input = "$txtvalue\n";
337 $input .= "$plugin_conf_string\n" if $plugin_conf_string;
338
339 PVE::Tools::run_command($cmd, input => $input);
340
341 $data->{url} = $challenge->{url};
342
343 return $domain;
344 };
345
346 sub setup {
347 my ($self, $acme, $auth, $data) = @_;
348
349 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
350 print "Add TXT record: _acme-challenge.$domain\n";
351
352 # FIXME: probe ourself for propagation of TXT record, while not 100%
353 # failsafe it's good enough of a heuristic to do away with fixed sleep
354 # intervalls - original acme.sh employs that heuristic too.
355 my $delay = $data->{'validation-delay'} // 30;
356 if ($delay > 0) {
357 print "Sleeping $delay seconds to wait for TXT record propagation\n";
358 sleep($delay); # don't care for EINTR
359 }
360 }
361
362 sub teardown {
363 my ($self, $acme, $auth, $data) = @_;
364
365 my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
366 print "Remove TXT record: _acme-challenge.$domain\n";
367 }
368
369 1;
ACME library and helpers for perl based Proxmox projects