Hi,
thanks for your input Stuart.
On Sun, Feb 25, 2024 at 11:27:33AM +0000, Stuart Henderson wrote:
> On 2024/02/24 21:44, Christopher Zimmermann wrote:
> Keep it simple, there's no need to handle every way to do things here.
> TLS-ALPN-01 […] doesn't seem very useful for acme-client to support.
true.
> HTTP-01 I don't think really needs to be supported by a hook, ok it
> would add some more options, but are they really useful? You can already
> redirect .well-known/acme_challenge to the machine where you run
> acme-client if you're trying to deal with multiple servers, and that
> handles most of the important cases.
What I'm trying to do is kind of the reverse of a redirect of
.well-known/acme_challenge. I want multiple machines to run acme-client
to get certificates for the _same_ domain name. So either they need to
set an _acme-challenge DNS record or send their token files to the http
host on that domain.
> Only support DNS-01 and pass the digest and things become much simpler
> to implement in the hook.
I need HTTP-01 support, too. But this doesn't add much complexity to the
hook. All that is needed is:
exit 1 unless $ENV{ACME_TYPE} eq 'dns-01';
passing the digest in an ACME_DIGEST environment variable will indeed
simplify the hook.
>> + #delay 310
> Seems unnecessary, just sleep in the hook, or do your own propagation
> tests and don't exit until they're ok.
The only downside would be that the delay will trigger unnecessarily for
each of the alternative names, too. But since acme-client will need to
authenticate challenges only every 1-2 months, that additional delay is
bearable.
Here is a pledged and unveiled perl script using ACME_DIGEST:
======================================================================
#!/usr/bin/perl -wT
use strict;
use OpenBSD::Pledge;
use OpenBSD::Unveil;
use IO::Socket::SSL;
use HTTP::Tiny;

# Restrict the filesystem to the CA bundle and drop to the promises a
# TLS client needs; both modules are loaded above, before pledge().
unveil("/etc/ssl/cert.pem", "r") || die "Unable to unveil: $!";
pledge(qw( rpath prot_exec dns inet )) || die "Unable to pledge: $!";

# This hook only knows how to answer DNS-01 challenges.
exit 1 unless $ENV{ACME_TYPE} eq 'dns-01';

# Placeholder for the dyn.dns.he.net TXT update password.
my $password = 'XXXX_PASSWORD_XXXX';
my $domain = "_acme-challenge.$ENV{ACME_IDENTIFIER}";

if ($ENV{ACME_TASK} eq 'handle') {
    update($domain, $ENV{ACME_DIGEST});
}
elsif ($ENV{ACME_TASK} eq 'cleanup') {
    update($domain, "X");
}
else {
    die "Unknown task: $ENV{ACME_TASK}\n";
}

# Set the TXT record for $domain to $digest via the HE dynamic DNS API.
sub update {
    my ($domain, $digest) = @_;
    print STDERR "acme-hook.pl: Setting $domain to $digest: ";
    my $http = HTTP::Tiny->new(timeout => 5, verify_SSL => 1);
    # The record name doubles as the API user name; the password is
    # taken from the URL userinfo and sent as HTTP Basic auth.
    my $response = $http->post_form(
        "https://${domain}:${password}\@dyn.dns.he.net/nic/update",
        {txt => $digest});
    # Status 599 is HTTP::Tiny's internal error (connect/TLS failure).
    die "$response->{content}\n" if $response->{status} == 599;
    die "$response->{status} $response->{reason}\n" unless $response->{success};
    print STDERR "$response->{status} $response->{reason} $response->{content}\n";
}
======================================================================
Would this be a sensible interface?
Theo thought my first attempt was too powerful and too rich.
I'm afraid it has become neither less powerful nor poorer. But I'm
unsure what he actually meant by powerful and rich. Is it too general?
Christopher
--
http://gmerlin.de
OpenPGP: http://gmerlin.de/christopher.pub
CB07 DA40 B0B6 571D 35E2 0DEF 87E2 92A7 13E5 DEE1
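As an added illustration of the interface discussed in this thread (this is not code from the thread, from acme-client, or from OpenBSD), the following POSIX sh hook dispatches on the same environment variables the Perl script above uses (ACME_TYPE, ACME_TASK with handle/cleanup, ACME_IDENTIFIER, ACME_DIGEST), refuses anything but dns-01, sanity-checks the digest before it is handed to a DNS updater, and then does the in-hook propagation check Stuart suggests instead of relying on a fixed delay. The updater and resolver wrappers (update_txt, lookup_txt) are constructed stand-ins that read and write a local file so the script runs offline; ACME_HOOK_TRIES and ACME_HOOK_PAUSE are hypothetical knobs of this example, not acme-client options.

```shell
#!/bin/sh
# Added example hook for the proposed acme-client hook interface.
# Assumed (from the thread): ACME_TYPE, ACME_TASK=handle|cleanup,
# ACME_IDENTIFIER, ACME_DIGEST. update_txt/lookup_txt are constructed
# stand-ins for a real DNS updater and dig/drill; ACME_HOOK_TRIES and
# ACME_HOOK_PAUSE are hypothetical tunables of this example.
set -eu

# Constructed stand-in "zone": one TXT value kept in a file.
ZONE_FILE="${ZONE_FILE:-/tmp/acme-hook-zone.txt}"

# update_txt NAME VALUE: publish VALUE as the TXT record for NAME.
update_txt() {
    printf '%s\n' "$2" > "$ZONE_FILE"
}

# lookup_txt NAME: what a resolver currently returns for NAME (empty if nothing).
lookup_txt() {
    cat "$ZONE_FILE" 2>/dev/null || true
}

# A dns-01 digest is base64url(SHA-256): exactly 43 chars of [A-Za-z0-9_-],
# no padding. Anything else is rejected before it reaches the updater.
valid_digest() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -eq 43 ]
}

# wait_for_txt NAME WANT [TRIES] [PAUSE]: poll the resolver until NAME
# carries WANT; fail after TRIES attempts PAUSE seconds apart.
wait_for_txt() {
    name=$1; want=$2; tries=${3:-30}; pause=${4:-10}
    i=0
    while [ "$i" -lt "$tries" ]; do
        got=$(lookup_txt "$name")
        [ "$got" = "$want" ] && return 0
        i=$((i + 1))
        sleep "$pause"
    done
    echo "acme-hook: $name did not propagate after $tries tries" >&2
    return 1
}

# Entry point: acme-client sets the ACME_* variables before running the hook.
acme_hook() {
    if [ "${ACME_TYPE:-}" != "dns-01" ]; then
        echo "acme-hook: unsupported challenge type: ${ACME_TYPE:-unset}" >&2
        return 1
    fi
    name="_acme-challenge.${ACME_IDENTIFIER:?ACME_IDENTIFIER unset}"
    case "${ACME_TASK:-}" in
        handle)
            if ! valid_digest "${ACME_DIGEST:-}"; then
                echo "acme-hook: malformed ACME_DIGEST" >&2
                return 1
            fi
            update_txt "$name" "$ACME_DIGEST"
            # Do not return until the record is visible; acme-client only
            # asks the CA to validate once the hook has exited successfully.
            wait_for_txt "$name" "$ACME_DIGEST" \
                "${ACME_HOOK_TRIES:-30}" "${ACME_HOOK_PAUSE:-10}"
            ;;
        cleanup)
            update_txt "$name" "X"
            ;;
        *)
            echo "acme-hook: unknown task: ${ACME_TASK:-unset}" >&2
            return 1
            ;;
    esac
}

# Run only when invoked by acme-client (which always sets ACME_TASK);
# sourcing the file without it just defines the functions.
if [ -n "${ACME_TASK:-}" ]; then
    acme_hook
fi
```

Because the hook blocks in wait_for_txt, the `#delay` directive from the patch becomes unnecessary, and a record that never shows up fails the challenge early with a clear message instead of letting the CA time out.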