Re: [pve-devel] [manager 5/6] add alias parameter for ACME DNS Challenge.
On October 21, 2019 12:11 pm, Wolfgang Link wrote:
>
> On 10/18/19 11:26 AM, Fabian Grünbichler wrote:
>> On October 14, 2019 1:08 pm, Wolfgang Link wrote:
>>> This parameter allows using an alternative domain
>>> for setting up the DNS record.
>>>
>>> This can be useful for security reasons or if the real domain has no
>>> ability to automatically set up a DNS record.
>>> ---
>>> PVE/NodeConfig.pm | 7 +++
>>> 1 file changed, 7 insertions(+)
>>>
>>> diff --git a/PVE/NodeConfig.pm b/PVE/NodeConfig.pm >>> index 7817bd1e..b84590ac 100644 >>> --- a/PVE/NodeConfig.pm >>> +++ b/PVE/NodeConfig.pm
>>> @@ -78,6 +78,13 @@ my $acmedesc = { >>> optional => 1, >>> description => 'Supported ACME Plugins', >>> }, >>> +alias => { >>> + type => 'string', >>> + format => 'pve-acme-domain', >>> + format_description => 'domain', >>> + description => 'Alias where the TXT DNS record will be set', >>> + optional => 1, >>> +},
>> I assume this is https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode ?
> Yes.
>> this is a bit tricky, as it is only relevant for DNS/acme.sh, but it is
>> tied to the domains.. from a logical point of view, we'd need to put
>> this and the plugin instance ID into the domain list, since both are per
>> domain... but that would make for quite the messy config file:
>>
>> acme:
>> account=default,domains=domain1.com:plugin_id1:alias1;domain2.com:plugin_id2:
>>
>> we could of course interpret the existing 'domains' member from the
>> acme line as "no alias, default plugin" and deprecate that format in
>> favour of
> The alias feature is one of the killer features of DNS-Challenge.
> With the aliases, you can give persons the capability to issue
> certificates without giving them access to the main domain.
> This use case is prevalent: a server admin has no access to the
> company DNS,
> or he won't give a script access to the main domain where the key is
> saved in plaintext.
yes, I see the appeal (at least for DNS providers where you cannot set such restrictions on the API access already, or which don't offer any API at all).
>> acme: account=default
>> acme_domain0: domain.com,plugin=plugin_id1,alias=alias1
>> acme_domain1: domain2.com
>>
>> which could easily be converted in one r-m-w cycle..
>>
>> @Thomas, Dietmar: any input?
>> >>> domains => { >>> type => 'string', >>> format => 'pve-acme-domain-list', >>> -- >>> 2.20.1 >>> >>> >>> ___ >>> pve-devel mailing list >>> pve-devel@pve.proxmox.com >>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
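The per-domain layout sketched in the reply above (`acme_domain0: domain.com,plugin=plugin_id1,alias=alias1`) next to the legacy `domains=` list, as an added example that is not part of this thread or of Proxmox VE's own code: a small Python parser that reads both layouts, rewrites the legacy one in a single read-modify-write pass, and models acme.sh challenge-alias mode against a constructed zone table so it is visible which DNS name the TXT record is written to, and that a domain whose `_acme-challenge` name does not CNAME to the configured alias is rejected before any record is touched. The `ZONE` table, the `alias1.example` name and all function names are assumptions made for this example.

```python
# Added example (not Proxmox VE code): parse the per-domain ACME node config
# layout proposed in the thread, convert the legacy 'domains=' list, and model
# acme.sh challenge-alias mode against a constructed zone table.
import re

LEGACY_RE = re.compile(r'^acme:\s*(.*)$')
DOMAIN_RE = re.compile(r'^acme_domain(\d+):\s*(.*)$')


def parse_kv(s):
    """Parse 'a=b,c=d' into a dict; a bare leading token is the domain."""
    result = {}
    for part in s.split(','):
        if '=' in part:
            k, v = part.split('=', 1)
            result[k.strip()] = v.strip()
        else:
            result['domain'] = part.strip()
    return result


def parse_node_config(text):
    """Return (account, [domain entries]) from either config layout.

    Legacy 'acme: account=..,domains=a;b' entries are read as
    "no alias, default plugin", mirroring the suggestion in the thread.
    """
    account = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LEGACY_RE.match(line)
        if m:
            kv = parse_kv(m.group(1))
            account = kv.get('account', account)
            for d in filter(None, kv.get('domains', '').split(';')):
                entries.append({'domain': d, 'plugin': None, 'alias': None})
            continue
        m = DOMAIN_RE.match(line)
        if m:
            kv = parse_kv(m.group(2))
            entries.append({'domain': kv['domain'],
                            'plugin': kv.get('plugin'),
                            'alias': kv.get('alias')})
    return account, entries


def convert_legacy(text):
    """Rewrite a legacy 'domains=' list into acme_domainN lines (one r-m-w pass)."""
    account, entries = parse_node_config(text)
    out = ['acme: account=%s' % account]
    for i, e in enumerate(entries):
        opts = ''.join(',%s=%s' % (k, e[k]) for k in ('plugin', 'alias') if e[k])
        out.append('acme_domain%d: %s%s' % (i, e['domain'], opts))
    return '\n'.join(out)


# Constructed zone data standing in for real DNS: name -> (type, target).
ZONE = {
    '_acme-challenge.domain.com': ('CNAME', '_acme-challenge.alias1.example'),
    '_acme-challenge.alias1.example': ('TXT', None),
}


def txt_target(entry, zone=ZONE):
    """Return the DNS name the validation TXT record must be written to.

    Without an alias the record goes to _acme-challenge.<domain>. With an
    alias (acme.sh challenge-alias mode), _acme-challenge.<domain> must CNAME
    to _acme-challenge.<alias>; the TXT record is then written in the alias
    zone, so the DNS plugin only needs credentials for the alias zone.
    """
    challenge = '_acme-challenge.' + entry['domain']
    if not entry['alias']:
        return challenge
    # Follow the CNAME chain (bounded) to where the CA will actually look.
    name, hops = challenge, 0
    while hops < 5:
        rec = zone.get(name)
        if rec is None or rec[0] != 'CNAME':
            break
        name, hops = rec[1], hops + 1
    expected = '_acme-challenge.' + entry['alias']
    if name != expected:
        raise ValueError('%s does not CNAME to %s (resolves to %s)'
                         % (challenge, expected, name))
    return expected


if __name__ == '__main__':
    legacy = 'acme: account=default,domains=domain1.com;domain2.com'
    print(convert_legacy(legacy))
    _, entries = parse_node_config(
        'acme: account=default\n'
        'acme_domain0: domain.com,plugin=plugin_id1,alias=alias1.example\n'
        'acme_domain1: domain2.com')
    for e in entries:
        print(e['domain'], '->', txt_target(e))
```

The CNAME check is the part worth keeping in any real implementation: if the delegation is missing, the plugin would otherwise write the TXT record into the alias zone and the CA would still query `_acme-challenge.<domain>`, so the order fails with a confusing error instead of a clear configuration message.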
Re: [pve-devel] [manager 5/6] add alias parameter for ACME DNS Challenge.
On 10/18/19 11:26 AM, Fabian Grünbichler wrote:
On October 14, 2019 1:08 pm, Wolfgang Link wrote:
This parameter allows using an alternative domain for setting up the DNS record.
This can be useful for security reasons or if the real domain has no ability to automatically set up a DNS record.
---
PVE/NodeConfig.pm | 7 +++
1 file changed, 7 insertions(+)
diff --git a/PVE/NodeConfig.pm b/PVE/NodeConfig.pm index 7817bd1e..b84590ac 100644 --- a/PVE/NodeConfig.pm +++ b/PVE/NodeConfig.pm
@@ -78,6 +78,13 @@ my $acmedesc = { optional => 1, description => 'Supported ACME Plugins', }, +alias => { + type => 'string', + format => 'pve-acme-domain', + format_description => 'domain', + description => 'Alias where the TXT DNS record will be set', + optional => 1, +},
I assume this is https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode ?
Yes.
this is a bit tricky, as it is only relevant for DNS/acme.sh, but it is tied to the domains.. from a logical point of view, we'd need to put this and the plugin instance ID into the domain list, since both are per domain... but that would make for quite the messy config file:
acme: account=default,domains=domain1.com:plugin_id1:alias1;domain2.com:plugin_id2:
we could of course interpret the existing 'domains' member from the acme line as "no alias, default plugin" and deprecate that format in favour of
The alias feature is one of the killer features of DNS-Challenge. With the aliases, you can give persons the capability to issue certificates without giving them access to the main domain. This use case is prevalent: a server admin has no access to the company DNS, or he won't give a script access to the main domain where the key is saved in plaintext.
acme: account=default
acme_domain0: domain.com,plugin=plugin_id1,alias=alias1
acme_domain1: domain2.com
which could easily be converted in one r-m-w cycle..
@Thomas, Dietmar: any input?
domains => { type => 'string', format => 'pve-acme-domain-list', -- 2.20.1
[pve-devel] [manager 5/6] add alias parameter for ACME DNS Challenge.
This parameter allows using an alternative domain for setting up the DNS record.
This can be useful for security reasons or if the real domain has no ability to automatically set up a DNS record.
---
PVE/NodeConfig.pm | 7 +++
1 file changed, 7 insertions(+)
diff --git a/PVE/NodeConfig.pm b/PVE/NodeConfig.pm index 7817bd1e..b84590ac 100644 --- a/PVE/NodeConfig.pm +++ b/PVE/NodeConfig.pm @@ -78,6 +78,13 @@ my $acmedesc = { optional => 1, description => 'Supported ACME Plugins', }, +alias => { + type => 'string', + format => 'pve-acme-domain', + format_description => 'domain', + description => 'Alias where the TXT DNS record will be set', + optional => 1, +}, domains => { type => 'string', format => 'pve-acme-domain-list', -- 2.20.1
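Review bot: the new `alias` key is a single `pve-acme-domain` string added to the node-level `$acmedesc`, while the `domains` member right below it is a `pve-acme-domain-list`, so one alias silently applies to every domain in that list and there is no way to configure different aliases (or no alias) per domain. Either state that limitation in the commit message and in the `description` ('Alias where the TXT DNS record will be set' does not mention it), or make the alias part of each domain entry as discussed in the thread (`acme_domain0: domain.com,plugin=plugin_id1,alias=alias1`). The description should also tell the admin what they must set up on their side for the alias to work, since a wrong or missing delegation only shows up as a failed validation later.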