tls/acme: Add support for DNS-01 domain delegation

See #588.
fox.cpp 2023-05-29 22:19:01 +03:00
parent 6d5cd3b618
commit de756c8dc5
No known key found for this signature in database
GPG key ID: 5B991F6215D2FCC0
2 changed files with 30 additions and 11 deletions


@ -20,7 +20,13 @@ smtp tcp://127.0.0.1:25 {
You can also use a global `tls` directive to use automatically You can also use a global `tls` directive to use automatically
obtained certificates for all endpoints: obtained certificates for all endpoints:
``` ```
tls &local_tls tls {
loader acme {
email maddy-acme@example.org
agreed
challenge dns-01
}
}
``` ```
Currently the only supported challenge is dns-01 one therefore Currently the only supported challenge is dns-01 one therefore
@ -87,6 +93,15 @@ back to the one configured via 'ca' option.
This avoids rate limit issues with production CA. This avoids rate limit issues with production CA.
**Syntax:** override\_domain _domain_ <br>
**Default:** not set
Override the domain to set the TXT record on for DNS-01 challenge.
This is to delegate the challenge to a different domain.
See https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation
for explanation why this might be useful.
**Syntax:** email _str_ <br> **Syntax:** email _str_ <br>
**Default:** not set **Default:** not set


@ -39,15 +39,16 @@ func New(_, instName string, _, inlineArgs []string) (module.Module, error) {
func (l *Loader) Init(cfg *config.Map) error { func (l *Loader) Init(cfg *config.Map) error {
var ( var (
hostname string hostname string
extraNames []string extraNames []string
storePath string storePath string
caPath string caPath string
testCAPath string testCAPath string
email string email string
agreed bool agreed bool
challenge string challenge string
provider certmagic.ACMEDNSProvider overrideDomain string
provider certmagic.ACMEDNSProvider
) )
cfg.Bool("debug", true, false, &l.log.Debug) cfg.Bool("debug", true, false, &l.log.Debug)
cfg.String("hostname", true, true, "", &hostname) cfg.String("hostname", true, true, "", &hostname)
@ -60,6 +61,8 @@ func (l *Loader) Init(cfg *config.Map) error {
certmagic.LetsEncryptStagingCA, &testCAPath) certmagic.LetsEncryptStagingCA, &testCAPath)
cfg.String("email", false, false, cfg.String("email", false, false,
"", &email) "", &email)
cfg.String("override_domain", false, false,
"", &overrideDomain)
cfg.Bool("agreed", false, false, &agreed) cfg.Bool("agreed", false, false, &agreed)
cfg.Enum("challenge", false, true, cfg.Enum("challenge", false, true,
[]string{"dns-01"}, "dns-01", &challenge) []string{"dns-01"}, "dns-01", &challenge)
@ -107,7 +110,8 @@ func (l *Loader) Init(cfg *config.Map) error {
return fmt.Errorf("tls.loader.acme: dns-01 challenge requires a configured DNS provider") return fmt.Errorf("tls.loader.acme: dns-01 challenge requires a configured DNS provider")
} }
mngr.DNS01Solver = &certmagic.DNS01Solver{ mngr.DNS01Solver = &certmagic.DNS01Solver{
DNSProvider: provider, DNSProvider: provider,
OverrideDomain: overrideDomain,
} }
default: default:
return fmt.Errorf("tls.loader.acme: challenge not supported") return fmt.Errorf("tls.loader.acme: challenge not supported")
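Review bot: The `OverrideDomain: overrideDomain` field on line 70 takes the configured string verbatim, and the `cfg.String("override_domain", ...)` read in the earlier hunk adds no validation either, so a mistyped value (embedded whitespace, a URL, a scheme or path) is only discovered when the DNS provider rejects the record during the first issuance instead of at config load. A minimal check in the dns-01 branch, mirroring the existing provider error just above, would be `if overrideDomain != "" && strings.ContainsAny(overrideDomain, " \t/:") { return fmt.Errorf("tls.loader.acme: override_domain must be a bare DNS name") }` (requires `strings` if the file does not already import it). The call site would also benefit from a comment stating what the value means, because as far as I read certmagic's DNS01Solver the override replaces the entire TXT record name rather than only the zone, e.g. `// OverrideDomain is the full TXT record name (e.g. _acme-challenge.delegate.example); _acme-challenge.<hostname> must CNAME to it.` — please confirm against the certmagic version pinned in go.mod before wording it that way. Init begins and ends outside this hunk.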