On 2020/12/24 18:11, Florian Obser wrote:
> 'tis the season to be jolly...

Sorry for the late reply!

> I think it's time to kick the tires on this one.

Works for me, I tried it with the script I'm already using with uacme to do updates via rndc.

> I don't like the "exec" keyword, we should find something better.

"hook"
"challenge hook"
"challenge handler"
"exec handler"
"dns handler"

I think I like "dns handler" the best out of those.

It might make sense to optionally allow using a script to handle http01 validation too. Normally the internal handler makes sense, but a script could be useful for some configs with load balancers. So something which allows a variation for that might be a good idea.

> Also, should the user be optional?

Probably not. There's no already-existing uid that would make sense as a default (I definitely would like the admin to have to write "as root" if they do indeed need that).

> Oh, and it's not enforcing that exec is present in the config.

One thing I wanted to say, the block of boilerplate for each domain is quite long and this adds another line. I think the handler does need to be configurable per-domain (you might have a bunch of domains with different providers that need various handlers, and it's nicer to do that in the config file than in the handler script itself).

(I'm wondering if I can figure out how to steal groups from bgpd, I'm not sure my yacc skills are up to it though ;)
That's independent of this diff of course, but some possible keywords might feel more awkward if we do that.

Your manpage diff doesn't apply any more, here's an updated one below (I made another change too, added some "this is for http" wording to challengedir). But I haven't changed the keyword in this.

Index: acme-client.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/acme-client.conf.5,v
retrieving revision 1.28
diff -u -p -r1.28 acme-client.conf.5
--- acme-client.conf.5 3 Jan 2021 16:32:38 -0000 1.28
+++ acme-client.conf.5 26 Jan 2021 01:24:57 -0000
@@ -185,13 +185,60 @@ A backup with name is created if .Ar file exists. -.It Ic sign with Ar authority +.It Ic sign with Ar authority Op Ic challenge Ar type The certificate authority (as declared above in the .Sx AUTHORITIES section) to use. If this setting is absent, the first authority specified is used. +.Ar type +can be +.Cm http +or +.Cm dns . +It defaults to +.Cm http . +.It Ic exec Ar script Ic as Ar user +Run +.Ar script +as user +.Ar user +for each +.Cm dns +challenge. +This is required when using the +.Cm dns +challenge type. +The script is called with five arguments: +.Bl -tag -width Ds [4/70] +.It Ar method +.Cm begin , +.Cm done , +or +.Cm failed . +.Cm begin +indicates that a DNS record should be created and +.Cm done +or +.Cm failed +indicate that a DNS record should be removed. +.It Ar type +.Cm dns-01 . +.It Ar ident +The domain. +.It Ar token +Unused, for compatibility with existing hook scripts. +.It Ar auth +The challenge response. +.El +.Pp +The script needs to create a DNS record of the form +.Dl _acme-challenge.ident 30 IN TXT auth +and exit once it has propagated to all name servers. .It Ic challengedir Ar path The directory in which the challenge file will be stored. +This is required when using the +.Cm http +challenge type. If it is not specified, a default of .Pa /var/www/acme will be used.
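Review bot: the new `.It Ic exec Ar script Ic as Ar user` text states "This is required when using the .Cm dns challenge type", but as noted in the reply above the config parser does not yet enforce that an exec line is present, so either add that check in the parser (reject a domain that selects `challenge dns` without an `exec` line, with a clear error) or soften the manpage wording until it does; documenting a requirement the code does not check invites configs that fail only at renewal time. In the argument list, `.Ar auth` is described only as "The challenge response" while `.Ar token` is marked unused; since the script is told to publish `auth` verbatim in the TXT record, say explicitly that `auth` is the value to place in the record and that `token` must not be published, so hook authors do not pick the wrong argument. Minor: `ident` and `auth` in `.Dl _acme-challenge.ident 30 IN TXT auth` are placeholders and would read better marked up with `.Ar`, and the stray `[4/70]` after `.Bl -tag -width Ds` does not belong in the roff source.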