a bit to weird of a place to configure this especially as enabling it
does not guarantee any proxying if there's none..
This reverts commit e1088f616f.
this patch adds an optional 'use-proxy' property to the dns
challenges.
If set to 1 the caller is expected to add the proxy url in the plugin
config, which is then set as 'http_proxy' and 'https_proxy'
environment variable by the plugin caller (and then used by curl)
Tested with the pdns plugin, direct traffic to the pdns server being
dropped, and a configured squid proxy
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
we have some places where we just do not need the plugins and the
perl library has no hard dependency on the plugin stuff, http
challenge and acme protocol implementation are independent of those
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
not nice to die plainly on a using this module (which can come in
indirectly/transitively), so lets better cope with that.
Nice side-effect, if nothing uses it, it won't get loaded, so less
IO and memory in that case.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
the current default chains end with an expired root certificate for
maximum compatibility with old Android versions. this breaks some other
older clients (openssl, gnutls) which don't expect chains to contain any
expired certificates, even if they are 'above' the trust anchor.
by setting $root, it is possible to specify which root the ACME provided
certificate chain should end with, downloading alternate chains as
necessary.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Reviewed-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Tested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Commits ae3dda0f8fc3071495cd1e8dff0fe4a339febb1c and
d70b759cb9c5b413cce92e65e841a54a65813962
implementing retrying get and post requests seem worth pulling in.
From a quick look through the diff the remaining changes (between
2.9.0 and 3.0.0) should not be relevant for us
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
The data returned from the acme server (e.g. boulder) should be
considered tainted.
To see which places might need untainted I checked where $self->{ua}
was used (in $self->do) and a quick scan identified __get_result as
the consumer of the tainted data.
In all but one uses the data is decoded from json (which would die if the
result is not valid json).
The remaining use-case yields a certificate in PEM format (and is
handled at the caller of __get_result).
The issue is currently only visible if a proxy is set, because AFAICT
somewhere in SSLeay (or IO::Socket::SSL, which uses SSLeay) a taint
flag is not set on the return value.
A reproducer for the issue:
```
use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;
$ENV{PATH} = "/usr/bin:/bin";
my $ua = LWP::UserAgent->new(env_proxy => 0);
my $request = HTTP::Request->new('GET', 'https://google.com/');
my $resp = $ua->request($request);
my $text = substr($resp->decoded_content, 0, 5);;
system("echo \"$text\""); # does work
$request = HTTP::Request->new('GET', 'http://neverssl.com/');
$resp = $ua->request($request);
$text = substr($resp->decoded_content, 0, 5);;
system("echo \"$text\""); # does not work
```
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
proxmox-acme is used to call the dns-plugins from acme.sh and has the
config editing (saving/clearing) turned int no-ops.
bash's `return` statement w/o argument returns the value of the last
executed command (the one before our no-op method was called) (see
`help return` in bash).
This leads to unexpected behavior in some plugins, which call one of
the methods as last statement join the next step with `&&`.
tested bash behavior with:
```
foo() { return; }; if [ -z 'x' ]; then :; else foo ; fi; echo $?
```
reported in our community-forum:
https://forum.proxmox.com/threads/pmg-acme-dns-with-cyon-failing-to-issue-certificate.92762
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
As reported in our community forum [0] certain dns plugins use code
from `acme.sh`, which is currently not in our proxmox-acme.
I initially only added _sign and it's callees, but then though about
trying to get all missing methods somehow (only resethttp() was
missing in addition).
The heuristic used to get all missing methods was grepping for '\b_'
in all dns plugins and then removing:
* declarations in proxmox_acme (already present)
* methods declared in the plugins themselves
* $_.* (or ${_.*) - variable use
* comments
in shell:
```
present=$(awk 'BEGIN{ORS="|";} /^_/{ gsub(/\(\) {/, ""); print $0}' \
src/proxmox-acme | | sed -r 's/\|$//')
local=$(awk 'BEGIN{ORS="|";} /^_/{ gsub(/\(\) {/, ""); print $0}' \
src/acme.sh/dnsapi/dns*.sh | sed -r 's/\|$//')
grep '\b_' src/acme.sh/dnsapi/* | grep -Ev \
"$present|$local|_[a-zA-Z0-9_-]+=|\\$\{?_|^src/acme.sh/dnsapi/.*sh:#"
```
[0] https://forum.proxmox.com/threads/proxmox-acme-with-transip-plugin-_sign-command-not-found.92582/
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
This patch follows 2f8be3bfda203065b22e60862e5f98d831a46921 from
pve-common:
Instead of not specifying a listen address, we first try to bind on
'::', which usually accepts connections for both ipv4 and ipv6,
and fall back to '0.0.0.0' if this fails (if ipv6 is disabled via
kernel commandline).
The arguments are the same for HTTP::Daemon as for IO::Socket::IP,
since the former has IO::Socket::IP as base.
Additionally, by setting 'V6Only' explicitly to '0', the listening
socket will also accept ipv4 connections, even if the sysctl
'net.ipv6.bindv6only' is set to 1 - the sysctl provides a default
value, which can be overridden by a socket-option (see ipv6(7) -
IPV6_ONLY).
setting this option results in the following setsockopt-call being
added:
setsockopt(3, SOL_IPV6, IPV6_V6ONLY, [0], 4) = 0
AFAICT the socket option is available and overridable on Linux > 2.4
see [0] for an explanation of why this might not be wanted
Overriding the default setting set by an admin might be debateable,
but considering that the http-listener for the ACME challenge is
rather short-lived I think this is justified. The only other option
would be to create 2 listening sockets and binding on both - which
would mean reorganizing our perl-deamons to deal with multiple listen
sockets.
quickly tested on a publicly reachable test-machine of mine with:
* ipv6.domain.test (only AAAA record)
* ip46.domain.test (both AAAA and A)
* ipv4.domain.test (only A record)
with:
* sysctl net.ipv6.bindv6only=1 (for all 3 domains)
* disabling ipv6 via kernel-commandline (only ipv4 tested)
* disabling ipv6 via sysctl (only ipv4 tested)
* only configuring an ipv6 address (only ipv6 tested)
[0] https://man.openbsd.org/inet6.4
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Main reason for this split is PBS, which only needs the plugins and
would like to avoid the perl one (which pulls in pve-common too)
This includes a few small changes which are technically not direct
part of the split, but related enough:
* change source name of package from libproxmox-acme-perl to
libproxmox-acme
* make lintian override for script exec permission narrower to avoid
possible false negatives in the future, really only allow the
dnsapi ones.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
