On 2024-02-21 09:03 +01, Florian Obser <flor...@openbsd.org> wrote:
> On 2024-02-20 22:32 +01, Christopher Zimmermann <chr...@openbsd.org> wrote:
>> Hi,
>>
>> this diff adds a challenge hook to acme-client. This hook can be used
>> to fulfill challenges, for example by putting the requested files onto
>> a remote http server (http-01 challenge) or by modifying dns records
>> (dns-01 challenge). The latter are needed to obtain wildcard
>> certificates.
>> Is this diff ok? Is the design of the hook interface sane? Any
>> feedback is welcome.
>>
>
> I'm not convinced passing random crap coming from the internet to a
> shell script running as root is a good idea.
>
btw. a few years back I came up with this:
https://marc.info/?l=openbsd-tech&m=160883000402270&w=2

I still have the diff lying around somewhere. I have no recollection if
it's actually better. But looking at the email some things stick out:

| I implemented the uacme api since I find that less ugly. It should be
| trivial to transmogrify it with a shell one-liner to support
| dehydrated.

that kinda seems sensible. And then this:

+.It Ic exec Ar script Ic as Ar user
+Run
+.Ar script
+as user
+.Ar user
+for each
+.Cm dns
+challenge.
+This is required when using the
+.Cm dns
+challenge type.

However, one stated requirement at the time was that the dns-01
challenge must work with base tools out of the box, i.e. nsd(8). I have
no idea how one would do that. So I dropped the diff and figured out how
to avoid wildcard certs. The only annoying bit is that I have some
servers that run httpd(8) that wouldn't strictly need to *shrug*

>>
>> Christopher
>>
>>
>
> --
> In my defence, I have been left unsupervised.
>

--
In my defence, I have been left unsupervised.
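Review bot: the quoted manual fragment for `exec script as user` says only that the script is run as `user` for each dns challenge; it does not say what the script receives (how the domain, the token and the key authorization reach it, whether as arguments, environment or stdin) or what its exit status means, so nobody could write a hook from this page alone. Suggest a sentence after "challenge type." listing the exact interface, and, since the syntax accepts any account for `user`, a note that it should be a dedicated unprivileged one, which is the root-running-shell-script concern raised earlier in this thread.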
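The objection in the thread is about feeding server-supplied strings to a shell script, so the following is an added example of what a hook that takes that seriously looks like. It is not Christopher's acme-client diff, not uacme's own script and not from this thread; it only follows the documented uacme(1) hook calling convention (five arguments: METHOD TYPE IDENT TOKEN AUTH). It rejects any argument that does not match a strict pattern, never puts an argument on a command line, writes the http-01 file by redirection, and for dns-01 prints the TXT record that would have to be published (how to publish it is server specific, which is the open question in the thread). The `WEBROOT` default and the length caps on token and authorization are assumptions made for the example.

```shell
#!/bin/sh
# acme-hook.sh: challenge hook in the uacme(1) calling convention.
# Added example, not acme-client's diff and not uacme's shipped script.
#
# Invoked as:  hook METHOD TYPE IDENT TOKEN AUTH
#   METHOD: begin | done | failed
#   TYPE:   dns-01 | http-01 | tls-alpn-01
#   IDENT:  domain being validated
#   TOKEN:  challenge token
#   AUTH:   key authorization (http-01) or its base64url SHA-256 (dns-01)
#
# All five values are influenced by the ACME server, so each is checked
# against a strict pattern and never interpolated into a command line.
set -eu
LC_ALL=C; export LC_ALL

# Directory behind /.well-known/acme-challenge/ (assumed layout).
WEBROOT="${WEBROOT:-/var/www/acme}"

# A literal newline, used to reject multi-line input below.
nl=$(printf '\n.'); nl=${nl%.}

# matches STRING ERE: succeed only if the whole string matches.
# grep is line oriented, so an embedded newline would let a second line
# slip past the anchored pattern; refuse such input outright.
matches() {
    case $1 in *"$nl"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq -- "^($2)$"
}

# Hostname: at most 253 chars, dotted LDH labels, at least two labels.
valid_ident() {
    [ ${#1} -le 253 ] &&
    matches "$1" '([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
}

# Tokens and authorizations are base64url; an http-01 key authorization
# is TOKEN.THUMBPRINT. The length caps are an assumption of this example.
valid_token() { matches "$1" '[A-Za-z0-9_-]{22,128}'; }
valid_auth()  { matches "$1" '[A-Za-z0-9_-]{1,128}(\.[A-Za-z0-9_-]{1,128})?'; }

# http01_path TOKEN -> path of the challenge file under WEBROOT.
http01_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "$WEBROOT" "$1"
}

# dns_txt_record IDENT AUTH -> zone-file line a dns-01 validator looks for.
dns_txt_record() {
    printf '_acme-challenge.%s. 300 IN TXT "%s"\n' "$1" "$2"
}

# handle_challenge METHOD TYPE IDENT TOKEN AUTH
# Returns 2 on rejected input, 1 on an unsupported type/method.
handle_challenge() {
    [ $# -eq 5 ] || return 1
    method=$1 type=$2 ident=$3 token=$4 auth=$5
    valid_ident "$ident" || { echo "hook: rejected ident" >&2; return 2; }
    valid_token "$token" || { echo "hook: rejected token" >&2; return 2; }
    valid_auth  "$auth"  || { echo "hook: rejected auth"  >&2; return 2; }
    case "$type:$method" in
    http-01:begin)
        f=$(http01_path "$token")
        mkdir -p "${f%/*}"
        # Written by redirection: the value never reaches a shell parser.
        printf '%s\n' "$auth" > "$f" ;;
    http-01:done|http-01:failed)
        rm -f "$(http01_path "$token")" ;;
    dns-01:begin)
        # Publishing is zone-server specific; emit what must be published.
        dns_txt_record "$ident" "$auth" ;;
    dns-01:done|dns-01:failed)
        : ;;   # remove the TXT record here
    *)
        echo "hook: unsupported $type/$method" >&2; return 1 ;;
    esac
}

main() {
    [ $# -eq 5 ] || { echo "usage: $0 METHOD TYPE IDENT TOKEN AUTH" >&2; exit 1; }
    # Run under a dedicated unprivileged account, never as root.
    [ "$(id -u)" -ne 0 ] || { echo "hook: refusing to run as root" >&2; exit 1; }
    handle_challenge "$@"
}

[ $# -eq 0 ] || main "$@"
```

Usage: `doas -u _acmehook ./acme-hook.sh begin http-01 example.org TOKEN TOKEN.THUMBPRINT` from the ACME client's side. The pattern checks are deliberately tighter than the ACME RFC requires; anything the validator would not have sent is simply refused rather than passed on.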