Re: [pve-devel] [manager 5/6] add alias parameter for ACME DNS Challenge.

2019-10-22 Thread Fabian Grünbichler
On October 21, 2019 12:11 pm, Wolfgang Link wrote:
> 
> On 10/18/19 11:26 AM, Fabian Grünbichler wrote:
>> On October 14, 2019 1:08 pm, Wolfgang Link wrote:
>>> This parameter allows using an alternative domain
>>> to set up the DNS record.
>>>
>>> This can be useful for security reasons or if the real domain has no
>>> ability to automatically set up a DNS record.
>>> ---
>>>   PVE/NodeConfig.pm | 7 +++
>>>   1 file changed, 7 insertions(+)
>>>
>>> diff --git a/PVE/NodeConfig.pm b/PVE/NodeConfig.pm
>>> index 7817bd1e..b84590ac 100644
>>> --- a/PVE/NodeConfig.pm
>>> +++ b/PVE/NodeConfig.pm
>>> @@ -78,6 +78,13 @@ my $acmedesc = {
>>> optional => 1,
>>> description => 'Supported ACME Plugins',
>>>   },
>>> +alias => {
>>> +   type => 'string',
>>> +   format => 'pve-acme-domain',
>>> +   format_description => 'domain',
>>> +   description => 'Alias where the TXT DNS record will be set',
>>> +   optional => 1,
>>> +},
>> I assume this is https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode ?
> Yes.
>> this is a bit tricky, as it is only relevant for DNS/acme.sh, but it is
>> tied to the domains.. from a logical point of view, we'd need to put
>> this and the plugin instance ID into the domain list, since both are per
>> domain... but that would make for quite the messy config file:
>>
>> acme: account=default,domains=domain1.com:plugin_id1:alias1;domain2.com:plugin_id2:
>>
>> we could of course interpret the existing 'domains' member from the
>> acme line as "no alias, default plugin" and deprecate that format in
>> favour of
> The alias feature is one of the killer features of DNS-Challenge.
> With the aliases, you can give people the capability to issue
> certificates without giving them access to the main domain.
> It is a prevalent use case that a server admin has no access to the
> company DNS, or that he won't give a script access to the main domain
> where the key is saved in plaintext.

yes, I see the appeal (at least for DNS providers where you cannot set 
such restrictions on the API access already, or which don't offer any 
API at all).

>> acme: account=default
>> acme_domain0: domain.com,plugin=plugin_id1,alias=alias1
>> acme_domain1: domain2.com
>>
>> which could easily be converted in one r-m-w cycle..
>>
>> @Thomas, Dietmar: any input?
>>
>>>   domains => {
>>> type => 'string',
>>> format => 'pve-acme-domain-list',
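Review bot: the description on the new 'alias' entry ('Alias where the TXT DNS record will be set') does not say that the value is a domain used in place of the certificate domain, nor that it is only used for the DNS challenge. Spelling both out in the description would make the option understandable from the schema alone, since 'format_description' only says 'domain'.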
>>> -- 
>>> 2.20.1
>>>
>>>
>>> ___
>>> pve-devel mailing list
>>> pve-devel@pve.proxmox.com
>>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>>
>>>

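The two ideas discussed in this message, as an added example (not PVE or acme.sh code, and not written by either participant): parsing the proposed per-domain `acme_domainN` entries, migrating the legacy `domains=` list in one read-modify-write pass, and deriving where the TXT record lands when an alias is set. The regex, the function names and the `alias.example` value are assumptions; the `_acme-challenge` CNAME follows acme.sh's DNS alias mode.

```python
import re
# Assumed stand-in for the 'pve-acme-domain' format check, not PVE's own regex.
LABEL = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^{LABEL}(\.{LABEL})+$", re.IGNORECASE)
# Constructed sample line in the legacy single-line format.
LEGACY = ["acme: account=default,domains=domain1.com;domain2.com"]

def parse_domain_entry(value):
    """Parse 'domain.com,plugin=plugin_id1,alias=alias.example' into a dict."""
    first, *rest = value.strip().split(",")
    entry = {"domain": first, "plugin": None, "alias": None}
    for item in rest:
        key, sep, val = item.partition("=")
        if not sep or key not in ("plugin", "alias"):
            raise ValueError(f"unknown property: {item!r}")
        entry[key] = val
    for name in (entry["domain"], entry["alias"]):
        if name is not None and not DOMAIN_RE.match(name):
            raise ValueError(f"not a valid domain: {name!r}")
    return entry

def txt_record_name(entry):
    """Where the challenge TXT record is written: the alias zone if one is set."""
    return "_acme-challenge." + (entry["alias"] or entry["domain"])

def required_cname(entry):
    """Static CNAME the real zone needs once so validation follows the alias."""
    return (f"_acme-challenge.{entry['domain']}", txt_record_name(entry)) if entry["alias"] else None

def migrate(lines):
    """One read-modify-write pass: move 'domains=' into acme_domainN lines."""
    out, domains = [], []
    used = {int(m.group(1)) for m in (re.match(r"acme_domain(\d+):", x) for x in lines) if m}
    for line in lines:
        if not line.startswith("acme:"):
            out.append(line)
            continue
        props = [p for p in line[len("acme:"):].strip().split(",") if p]
        for p in props:
            if p.startswith("domains="):
                domains += [d for d in p[len("domains="):].split(";") if d]
        out.append("acme: " + ",".join(p for p in props if not p.startswith("domains=")))
    idx = 0
    for d in domains:
        while idx in used:  # do not overwrite entries that already exist
            idx += 1
        used.add(idx)
        out.append(f"acme_domain{idx}: {parse_domain_entry(d)['domain']}")  # no alias, default plugin
    return out
```

With an alias set, the API credentials only need write access to the alias zone; the real zone carries one static CNAME and is never touched during issuance.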


Re: [pve-devel] [manager 5/6] add alias parameter for ACME DNS Challenge.

2019-10-21 Thread Wolfgang Link


On 10/18/19 11:26 AM, Fabian Grünbichler wrote:

On October 14, 2019 1:08 pm, Wolfgang Link wrote:

This parameter allows using an alternative domain
to set up the DNS record.

This can be useful for security reasons or if the real domain has no
ability to automatically set up a DNS record.
---
  PVE/NodeConfig.pm | 7 +++
  1 file changed, 7 insertions(+)

diff --git a/PVE/NodeConfig.pm b/PVE/NodeConfig.pm
index 7817bd1e..b84590ac 100644
--- a/PVE/NodeConfig.pm
+++ b/PVE/NodeConfig.pm
@@ -78,6 +78,13 @@ my $acmedesc = {
optional => 1,
description => 'Supported ACME Plugins',
  },
+alias => {
+   type => 'string',
+   format => 'pve-acme-domain',
+   format_description => 'domain',
+   description => 'Alias where the TXT DNS record will be set',
+   optional => 1,
+},

I assume this is https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode ?

Yes.

this is a bit tricky, as it is only relevant for DNS/acme.sh, but it is
tied to the domains.. from a logical point of view, we'd need to put
this and the plugin instance ID into the domain list, since both are per
domain... but that would make for quite the messy config file:

acme: account=default,domains=domain1.com:plugin_id1:alias1;domain2.com:plugin_id2:

we could of course interpret the existing 'domains' member from the
acme line as "no alias, default plugin" and deprecate that format in
favour of

The alias feature is one of the killer features of DNS-Challenge.
With the aliases, you can give people the capability to issue
certificates without giving them access to the main domain.
It is a prevalent use case that a server admin has no access to the
company DNS, or that he won't give a script access to the main domain
where the key is saved in plaintext.

acme: account=default
acme_domain0: domain.com,plugin=plugin_id1,alias=alias1
acme_domain1: domain2.com

which could easily be converted in one r-m-w cycle..

@Thomas, Dietmar: any input?


  domains => {
type => 'string',
format => 'pve-acme-domain-list',
--
2.20.1




[pve-devel] [manager 5/6] add alias parameter for ACME DNS Challenge.

2019-10-14 Thread Wolfgang Link
This parameter allows using an alternative domain
to set up the DNS record.

This can be useful for security reasons or if the real domain has no
ability to automatically set up a DNS record.
---
 PVE/NodeConfig.pm | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/PVE/NodeConfig.pm b/PVE/NodeConfig.pm
index 7817bd1e..b84590ac 100644
--- a/PVE/NodeConfig.pm
+++ b/PVE/NodeConfig.pm
@@ -78,6 +78,13 @@ my $acmedesc = {
optional => 1,
description => 'Supported ACME Plugins',
 },
+alias => {
+   type => 'string',
+   format => 'pve-acme-domain',
+   format_description => 'domain',
+   description => 'Alias where the TXT DNS record will be set',
+   optional => 1,
+},
 domains => {
type => 'string',
format => 'pve-acme-domain-list',
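Review bot: 'alias' is added as a single 'pve-acme-domain' value next to 'domains', which is a 'pve-acme-domain-list', so one alias would silently apply to every domain in that list. Either carry the alias per domain entry, or state in the description that it applies to all listed domains, so a node with several domains does not end up pointing them all at the same TXT record location by accident.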
-- 
2.20.1

