On 2020/12/24 18:11, Florian Obser wrote:
> 'tis the season to be jolly...

sorry for the late reply!

> I think it's time to kick the tires on this one.

Works for me, I tried it with the script I'm already using with uacme
to do updates via rndc.

> I don't like the "exec" keyword, we should find something better.

"hook"
"challenge hook"
"challenge handler"
"exec handler"
"dns handler"

I think I like "dns handler" the best out of those.

It might make sense to optionally allow using a script to handle
http01 validation too. Normally the internal handler makes sense,
but a script could be useful for some configs with load balancers.
So something which allows a variation for that might be a good
idea.

> Also, should the user be optional?

Probably not. There's no already-existing uid that would make sense
as a default (I definitely would like the admin to have to write "as
root" if they do indeed need that).

> Oh, and it's not enforcing that exec is present in the config.

One thing I wanted to say, the block of boilerplate for each domain
is quite long and this adds another line. I think the handler does need
to be configurable per-domain (you might have a bunch of domains with
different providers that need various handlers, and it's nicer to do
that in the config file than in the handler script itself). (I'm
wondering if I can figure out how to steal groups from bgpd, I'm not
sure my yacc skills are up to it though ;)

That's independent of this diff of course, but some possible keywords
might feel more awkward if we do that.

Your manpage diff doesn't apply any more, here's an updated one below
(I made another change too, added some "this is for http" wording
to challengedir). But I haven't changed the keyword in this.

Index: acme-client.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/acme-client.conf.5,v
retrieving revision 1.28
diff -u -p -r1.28 acme-client.conf.5
--- acme-client.conf.5  3 Jan 2021 16:32:38 -0000       1.28
+++ acme-client.conf.5  26 Jan 2021 01:24:57 -0000
@@ -185,13 +185,60 @@ A backup with name
 is created if
 .Ar file
 exists.
-.It Ic sign with Ar authority
+.It Ic sign with Ar authority Op Ic challenge Ar type
 The certificate authority (as declared above in the
 .Sx AUTHORITIES
 section) to use.
 If this setting is absent, the first authority specified is used.
+.Ar type
+can be
+.Cm http
+or
+.Cm dns .
+It defaults to
+.Cm http .
+.It Ic exec Ar script Ic as Ar user
+Run
+.Ar script
+as user
+.Ar user
+for each
+.Cm dns
+challenge.
+This is required when using the
+.Cm dns
+challenge type.
+The script is called with five arguments:
+.Bl -tag -width Ds                                                             
+.It Ar method
+.Cm begin ,
+.Cm done ,
+or
+.Cm failed .
+.Cm begin
+indicates that a DNS record should be created and
+.Cm done
+or
+.Cm failed
+indicate that a DNS record should be removed.
+.It Ar type
+.Cm dns-01 .
+.It Ar ident
+The domain.
+.It Ar token
+Unused, for compatibility with existing hook scripts.
+.It Ar auth
+The challenge response.
+.El
+.Pp
+The script needs to create a DNS record of the form
+.Dl _acme-challenge.ident 30 IN TXT auth
+and exit once it has propagated to all name servers.
 .It Ic challengedir Ar path
 The directory in which the challenge file will be stored.
+This is required when using the
+.Cm http
+challenge type.
 If it is not specified, a default of
 .Pa /var/www/acme
 will be used.
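Review bot: the new challengedir text contradicts itself: "This is required when using the http challenge type" is followed directly by "If it is not specified, a default of /var/www/acme will be used", so the setting is not required, it is merely only meaningful for http. Suggest "This is only used with the .Cm http challenge type." The same "required" wording on the exec entry is at odds with the reply above noting the parser does not yet enforce that exec is present for dns; either the check should land with this diff or the text should say "must be set". For the exec entry, the text tells the script to "exit once it has propagated to all name servers" but never says how acme-client treats a non-zero exit (is the challenge abandoned, and is the done/failed call still made?), which a hook author needs in order to know whether to remove the record themselves; one sentence would settle it. Finally, the .Dl line prints ident and auth as literals; ".Dl _acme-challenge. Ns Ar ident 30 IN TXT Ar auth" marks them as placeholders, and showing the TXT value quoted as a zone file would have it avoids hooks that forget the quotes.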

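An example handler for the five-argument interface the manpage diff describes, added here and not code from the thread or from acme-client. It builds an nsupdate(1) batch rather than interpolating the arguments into a shell command, validates ident and auth first (they end up inside that batch), removes only the exact record on done/failed, and on begin polls every authoritative server before exiting, which is what "exit once it has propagated to all name servers" asks for. NSUPDATE_SERVER, NSUPDATE_KEY, AUTH_NS, their defaults and the key path are assumptions for illustration.

```shell
#!/bin/sh
# Added example of an acme-client dns handler script; not from the thread or
# the acme-client tree. acme-client (per the manpage text above) would run it as
#   script method type ident token auth
# under the configured user. Assumed environment: nsupdate(1) and dig(1) on
# PATH, a server $NSUPDATE_SERVER accepting TSIG-signed dynamic updates with
# the key in $NSUPDATE_KEY, and $AUTH_NS listing the zone's authoritative
# servers. All three names and their defaults are placeholders.
set -eu

TTL=30
NSUPDATE_SERVER="${NSUPDATE_SERVER:-127.0.0.1}"
NSUPDATE_KEY="${NSUPDATE_KEY:-/etc/acme/ddns.tsig}"
AUTH_NS="${AUTH_NS:-$NSUPDATE_SERVER}"
PROPAGATION_TIMEOUT=120   # seconds to wait for every server in AUTH_NS

# The arguments end up inside an nsupdate batch, so validate them before
# interpolation: ident must be a hostname, auth the 43-character unpadded
# base64url digest a dns-01 TXT record carries (RFC 8555 section 8.4).
valid_ident() {
    printf '%s' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

valid_auth() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'
}

# Print the nsupdate batch for one call. "begin" adds the record; "done" and
# "failed" both remove exactly that record, so a second pending challenge for
# the same name (e.g. a wildcard and the base domain) is left alone.
hook_batch() {
    method=$1 ident=$2 auth=$3
    owner="_acme-challenge.${ident}."
    case "$method" in
    begin)
        printf 'server %s\nupdate add %s %s IN TXT "%s"\nsend\n' \
            "$NSUPDATE_SERVER" "$owner" "$TTL" "$auth"
        ;;
    done|failed)
        printf 'server %s\nupdate delete %s IN TXT "%s"\nsend\n' \
            "$NSUPDATE_SERVER" "$owner" "$auth"
        ;;
    *)
        return 1
        ;;
    esac
}

# Block until every authoritative server answers the TXT record, since the CA
# may query any of them, or fail after PROPAGATION_TIMEOUT. Needs dig(1).
wait_propagated() {
    ident=$1 auth=$2
    deadline=$(( $(date +%s) + PROPAGATION_TIMEOUT ))
    for ns in $AUTH_NS; do
        until dig +short @"$ns" "_acme-challenge.${ident}" TXT | grep -Fqx "\"$auth\""; do
            if [ "$(date +%s)" -ge "$deadline" ]; then
                echo "timed out waiting for $ns to serve _acme-challenge.$ident" >&2
                return 1
            fi
            sleep 5
        done
    done
}

main() {
    [ $# -eq 5 ] || { echo "usage: $0 method type ident token auth" >&2; return 2; }
    method=$1 type=$2 ident=$3 auth=$5   # $4 (token) is unused, as the manpage says
    case "$method" in begin|done|failed) ;; *) echo "bad method: $method" >&2; return 2 ;; esac
    [ "$type" = dns-01 ] || { echo "unsupported challenge type: $type" >&2; return 2; }
    valid_ident "$ident" || { echo "refusing ident: $ident" >&2; return 2; }
    valid_auth "$auth" || { echo "refusing auth value" >&2; return 2; }
    hook_batch "$method" "$ident" "$auth" | nsupdate -k "$NSUPDATE_KEY"
    if [ "$method" = begin ]; then
        wait_propagated "$ident" "$auth"
    fi
}

# Dispatch only when invoked with acme-client's five arguments; sourcing the
# file just defines the functions.
if [ $# -eq 5 ]; then
    main "$@"
fi
```

Because acme-client runs the handler "as user", the TSIG key file should be readable only by that user, and the key itself should be scoped (via the server's update-policy) to TXT records under _acme-challenge names, so a compromised hook cannot rewrite the rest of the zone. A hook that can only ever add or delete one TXT record is the point of the per-domain "as user" requirement discussed above.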