From: Christopher Zimmermann <chrisz@openbsd.org>
Subject: Re: acme-client: add challenge hook to support dns-01
To: ports@openbsd.org
Date: Sun, 25 Feb 2024 23:12:19 +0100

    Hi,
    
    thanks for your input Stuart.
    
    On Sun, Feb 25, 2024 at 11:27:33AM +0000, Stuart Henderson wrote:
    >On 2024/02/24 21:44, Christopher Zimmermann wrote:
    >Keep it simple, there's no need to handle every way to do things here.
    >
    >TLS-ALPN-01 […] doesn't seem very useful for acme-client to support.
    
    true.
    
    >HTTP-01 I don't think really needs to be supported by a hook, ok it
    >would add some more options, but are they really useful? You can already
    >redirect .well-known/acme_challenge to the machine where you run
    >acme-client if you're trying to deal with multiple servers, and that
    >handles most of the important cases.
    
    What I'm trying to do is kind of the reverse of a redirect of 
    .well-known/acme_challenge. I want multiple machines to run acme-client 
    to get certificates for the _same_ domain name. So either they need to 
    set an _acme-challenge DNS record or send their token files to the http 
    host on that domain.
    
    >Only support DNS-01 and pass the digest and things become much simpler
    >to implement in the hook.
    
    I need HTTP-01 support, too. But this doesn't add much complexity to the 
    hook. All that is needed is:
    
    exit 1 unless $ENV{ACME_TYPE} eq 'dns-01';
    
    passing the digest in a ACME_DIGEST environment variable will indeed 
    simplify the hook.
    
    >> +	#delay 310
    >
    >Seems unnecessary, just sleep in the hook, or do your own propagation
    >tests and don't exit until they're ok.
    
    The only downside would be that the delay will trigger unnecessarily for 
    each of the alternative names, too. But since acme-client will need to 
    authenticate challenges only every 1-2 months, that additional delay is 
    bearable.
    
    Here is a pledged and unveiled perl script using ACME_DIGEST:
    
    ======================================================================
    #!/usr/bin/perl -wT
    
    use OpenBSD::Pledge;
    use OpenBSD::Unveil;
    use IO::Socket::SSL;
    use HTTP::Tiny;
    
    # Restrict the filesystem view to the CA bundle, then drop to the
    # promises HTTPS via IO::Socket::SSL needs: rpath for cert.pem,
    # prot_exec for the shared libraries, dns and inet for the connection.
    unveil("/etc/ssl/cert.pem", "r") || die "Unable to unveil: $!";
    pledge (qw( rpath prot_exec dns inet )) || die "Unable to pledge: $!";
    
    # This hook only answers dns-01; let acme-client skip other challenge types.
    exit 1 unless $ENV{ACME_TYPE} eq 'dns-01';
    
    my $password = 'XXXX_PASSWORD_XXXX';
    my $domain = "_acme-challenge.$ENV{ACME_IDENTIFIER}";
    
    # handle: publish the digest; cleanup: overwrite it with a dummy value.
    if ($ENV{ACME_TASK} eq 'handle') {
       update($domain, $ENV{ACME_DIGEST});
    }
    elsif ($ENV{ACME_TASK} eq 'cleanup') {
       update($domain, "X");
    }
    else {
       die "Unknown task: $ENV{ACME_TASK}\n";
    }
    
    # Set the TXT record through the dyn.dns.he.net update endpoint, which
    # authenticates with the record name as user and a per-record password.
    sub update {
       my ($domain, $digest) = @_;
       print STDERR "acme-hook.pl: Setting $domain to $digest: ";
       my $http = HTTP::Tiny->new(timeout => 5, verify_SSL => 1);
       my $response = $http->post_form(
         "https://${domain}:${password}\@dyn.dns.he.net/nic/update",
         {txt => $digest});
    
       # Status 599 is HTTP::Tiny's internal error (e.g. connect or TLS failure).
       die "$response->{content}\n" if $response->{status} == 599;
       die "$response->{status} $response->{reason}\n" unless $response->{success};
       print STDERR "$response->{status} $response->{reason} $response->{content}\n";
    }
    ======================================================================
    
    Would this be a sensible interface?
    Theo thought my first attempt was too powerful and too rich.
    I'm afraid it has become neither less powerful nor poorer. But I'm 
    unsure what he actually meant by powerful and rich. Is it too general?
    
    
    Christopher
    
    
    -- 
    http://gmerlin.de
    OpenPGP: http://gmerlin.de/christopher.pub
    CB07 DA40 B0B6 571D 35E2  0DEF 87E2 92A7 13E5 DEE1
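The hook contract discussed in the message above (ACME_TYPE, ACME_TASK with the values handle and cleanup, ACME_IDENTIFIER, ACME_DIGEST) together with Stuart's suggestion that the hook run its own propagation test and not exit until the record is visible, as an added POSIX sh example that is not part of the thread, of the Perl script, or of acme-client. The function names acme_record_name, acme_hook_applicable, wait_for_propagation and run_hook are mine; the DNS provider is a constructed in-memory fake (fake_update and fake_lookup backed by a temp file) so the logic runs offline, and a real hook would pass its provider's update call and a dig/host-based lookup in their place. The retry count and pause are likewise made-up values.

```shell
#!/bin/sh
# Added example (not from the thread or acme-client): a dns-01 hook skeleton
# exercising the proposed environment contract and a bounded propagation wait.

# Record name acme-client expects the digest under, derived from ACME_IDENTIFIER.
acme_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Validate the hook contract: only dns-01, a known task and a non-empty identifier.
# Returns 0 if the hook should proceed, 1 if it should exit without doing anything.
acme_hook_applicable() {
    ctype="$1"; task="$2"; ident="$3"
    [ "$ctype" = "dns-01" ] || return 1
    [ -n "$ident" ] || return 1
    case "$task" in
        handle|cleanup) return 0 ;;
        *) return 1 ;;
    esac
}

# Poll a lookup command until the record holds the expected digest.
# $1 = record name, $2 = expected digest, $3 = lookup command (invoked with the
# record name, prints the current TXT value), $4 = attempts, $5 = seconds between.
wait_for_propagation() {
    name="$1"; want="$2"; lookup="$3"; attempts="$4"; pause="${5:-1}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        got=$("$lookup" "$name")
        [ "$got" = "$want" ] && return 0
        i=$((i + 1))
        sleep "$pause"
    done
    return 1
}

# Constructed fake of a DNS provider: record values live in a temp file so the
# update and lookup sides can be exercised without network access.
FAKE_ZONE=${FAKE_ZONE:-$(mktemp)}
trap 'rm -f "$FAKE_ZONE"' EXIT
fake_update() { printf '%s %s\n' "$1" "$2" >> "$FAKE_ZONE"; }
fake_lookup() { awk -v n="$1" '$1 == n { v = $2 } END { print v }' "$FAKE_ZONE"; }

# Hook body: handle publishes the digest and waits for it to appear, cleanup
# overwrites it with a dummy value (as the Perl script in the thread does).
# Update and lookup commands are parameters so the same logic runs against the
# fake here and against a real provider in production.
run_hook() {
    ctype="$1"; task="$2"; ident="$3"; digest="$4"; update="$5"; lookup="$6"
    acme_hook_applicable "$ctype" "$task" "$ident" || return 1
    name=$(acme_record_name "$ident")
    case "$task" in
        handle)
            "$update" "$name" "$digest" || return 1
            # 5 attempts, 0 s apart: constructed values, tune for the provider's TTL.
            wait_for_propagation "$name" "$digest" "$lookup" 5 0
            ;;
        cleanup)
            "$update" "$name" "X"
            ;;
    esac
}

# Stand-alone use: acme-client sets the environment, the hook reads it.
if [ -n "${ACME_TASK:-}" ]; then
    run_hook "${ACME_TYPE:-}" "$ACME_TASK" "${ACME_IDENTIFIER:-}" \
        "${ACME_DIGEST:-}" fake_update fake_lookup
fi
```

Because the update and lookup commands are parameters rather than hardcoded, the exit-status behaviour (non-zero when the type is not dns-01, when the task is unknown, or when the record never propagates) can be checked against the fake before the hook is wired to a real provider.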
    
    