Mirror
/
acme.sh
mirror of https://github.com/acmesh-official/acme.sh.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Implement CNAME-based nsupdate validation 

Implements validation using CNAMEs and RFC2138, as described in the
Let's Encrypt documentation.

For instance, if requesting the domain "test.net" with a CNAME from
"_acme-challenge.test.net" to "_acme-challenge.ledomain.net". As per the
spec this is fully supported, but using RFC2138 and nsupdate, acme.sh
did not support this properly, instead trying to add the record to the
original fulldomain unconditionally.

To implement this, this commit adds an additional environment variable,
NSUPDATE_CNAME_ZONE, which would contain the target zone, for instance
in the example above, "ledomain.net". If this variable is set, nsupdate
then adds/removes the _acme-validation TXT record to that zone instead
of the requested zone, as well as printing a helpful message mentioning
that the CNAME must exist for this to succeed.
pull/2506/head
Joshua Boniface 5 years ago
parent
2a03695327
commit
426ca01bcf
1 changed files with 29 additions and 4 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 33
      dnsapi/dns_nsupdate.sh

33
dnsapi/dns_nsupdate.sh
View File

@ -10,6 +10,7 @@ dns_nsupdate_add() {
NSUPDATE_SERVER_PORT="${NSUPDATE_SERVER_PORT:-$(_readaccountconf_mutable NSUPDATE_SERVER_PORT)}" NSUPDATE_SERVER_PORT="${NSUPDATE_SERVER_PORT:-$(_readaccountconf_mutable NSUPDATE_SERVER_PORT)}"
NSUPDATE_KEY="${NSUPDATE_KEY:-$(_readaccountconf_mutable NSUPDATE_KEY)}" NSUPDATE_KEY="${NSUPDATE_KEY:-$(_readaccountconf_mutable NSUPDATE_KEY)}"
NSUPDATE_ZONE="${NSUPDATE_ZONE:-$(_readaccountconf_mutable NSUPDATE_ZONE)}" NSUPDATE_ZONE="${NSUPDATE_ZONE:-$(_readaccountconf_mutable NSUPDATE_ZONE)}"
NSUPDATE_CNAME_ZONE="${NSUPDATE_CNAME_ZONE:-$(_readaccountconf_mutable NSUPDATE_CNAME_ZONE)}"
_checkKeyFile || return 1 _checkKeyFile || return 1
@ -18,14 +19,27 @@ dns_nsupdate_add() {
_saveaccountconf_mutable NSUPDATE_SERVER_PORT "${NSUPDATE_SERVER_PORT}" _saveaccountconf_mutable NSUPDATE_SERVER_PORT "${NSUPDATE_SERVER_PORT}"
_saveaccountconf_mutable NSUPDATE_KEY "${NSUPDATE_KEY}" _saveaccountconf_mutable NSUPDATE_KEY "${NSUPDATE_KEY}"
_saveaccountconf_mutable NSUPDATE_ZONE "${NSUPDATE_ZONE}" _saveaccountconf_mutable NSUPDATE_ZONE "${NSUPDATE_ZONE}"
_saveaccountconf_mutable NSUPDATE_CNAME_ZONE "${NSUPDATE_CNAME_ZONE}"
[ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost" [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
[ -n "${NSUPDATE_SERVER_PORT}" ] || NSUPDATE_SERVER_PORT=53 [ -n "${NSUPDATE_SERVER_PORT}" ] || NSUPDATE_SERVER_PORT=53
_info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
if [ -n "${NSUPDATE_CNAME_ZONE}" ]; then
_info "adding _acme-challenge.${NSUPDATE_CNAME_ZONE}. 60 in txt \"${txtvalue}\""
_info "the record ${fulldomain}. must be a CNAME to this record for validation to succeed"
else
_info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
fi
[ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_1" ] && nsdebug="-d" [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_1" ] && nsdebug="-d"
[ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D" [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D"
if [ -n "${NSUPDATE_ZONE}" ]; then
if [ -n "${NSUPDATE_CNAME_ZONE}" ]; then
nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
server ${NSUPDATE_SERVER} ${NSUPDATE_SERVER_PORT}
zone ${NSUPDATE_CNAME_ZONE}.
update add _acme-challenge.${NSUPDATE_CNAME_ZONE}. 60 in txt "${txtvalue}"
send
EOF
elif [ -n "${NSUPDATE_ZONE}" ]; then
nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
server ${NSUPDATE_SERVER} ${NSUPDATE_SERVER_PORT} server ${NSUPDATE_SERVER} ${NSUPDATE_SERVER_PORT}
zone ${NSUPDATE_ZONE}. zone ${NSUPDATE_ZONE}.
@ -59,10 +73,21 @@ dns_nsupdate_rm() {
_checkKeyFile || return 1 _checkKeyFile || return 1
[ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost" [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
[ -n "${NSUPDATE_SERVER_PORT}" ] || NSUPDATE_SERVER_PORT=53 [ -n "${NSUPDATE_SERVER_PORT}" ] || NSUPDATE_SERVER_PORT=53
_info "removing ${fulldomain}. txt"
if [ -n "${NSUPDATE_CNAME_ZONE}" ]; then
_info "removing _acme-challenge.${NSUPDATE_CNAME_ZONE}. txt"
else
_info "removing ${fulldomain}. txt"
fi
[ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_1" ] && nsdebug="-d" [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_1" ] && nsdebug="-d"
[ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D" [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D"
if [ -n "${NSUPDATE_ZONE}" ]; then
if [ -n "${NSUPDATE_CNAME_ZONE}" ]; then
nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
server ${NSUPDATE_SERVER} ${NSUPDATE_SERVER_PORT}
update delete _acme-challenge.${NSUPDATE_CNAME_ZONE}. txt
zone ${NSUPDATE_CNAME_ZONE}.
send
EOF
elif [ -n "${NSUPDATE_ZONE}" ]; then
nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
server ${NSUPDATE_SERVER} ${NSUPDATE_SERVER_PORT} server ${NSUPDATE_SERVER} ${NSUPDATE_SERVER_PORT}
update delete ${fulldomain}. txt update delete ${fulldomain}. txt

Write Preview
Loading…
Cancel
Save