Re: [pve-devel] [manager 5/6] add alias parameter for ACME DNS Challenge.

[Wolfgang Link]

On 10/18/19 11:26 AM, Fabian Grünbichler wrote:
On October 14, 2019 1:08 pm, Wolfgang Link wrote:
This parameter allows to use an alternative Domain
for setup the DNS record.
This can be useful for security reasons or if the real domain has none
Ability to automatically set up a DNS record.
---
  PVE/NodeConfig.pm | 7 +++++++
  1 file changed, 7 insertions(+)

diff --git a/PVE/NodeConfig.pm b/PVE/NodeConfig.pm
index 7817bd1e..b84590ac 100644
--- a/PVE/NodeConfig.pm
+++ b/PVE/NodeConfig.pm
@@ -78,6 +78,13 @@ my $acmedesc = {
        optional => 1,
        description => 'Supported ACME Plugins',
      },
+    alias => {
+       type => 'string',
+       format => 'pve-acme-domain',
+       format_description => 'domain',
+       description => 'Alias where the TXT DNS record will be set',
+       optional => 1,
+    },
I assume this ishttps://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode  ?
Yes.
this is a bit tricky, as it is only relevant for DNS/acme.sh, but it is
tied to the domains.. from a logical point of view, we'd need to put
this and the plugin instance ID into the domain list, since both are per
domain... but that would make for quite the messy config file:

acme: 
account=default,domains=domain1.com:plugin_id1:alias1;domain2.com:plugin_id2:

we could of course interpret the existing 'domains' member from the
acme line as "no alias, default plugin" and deprecate that format in
favour of
The alias feature is one of the killer features of DNS-Challenge.
With the aliases, you can give persons the capability to issue 
Certificates without giving them access to the main Domain.
This use case is prevalent that a server Admin has not accessed to the 
company DNS
or he won't do give a script access to the main Domain where the key is 
saved in plaintext.
acme: account=default
acme_domain0: domain.com,plugin=plugin_id1,alias=alias1
acme_domain1: domain2.com

which could easily be converted in one r-m-w cycle..

@Thomas, Dietmar: any input?

      domains => {
        type => 'string',
        format => 'pve-acme-domain-list',
--
2.20.1


_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel