
Feature #8613

pfSense-pkg-acme: acme_certificates_edit.php - Add support for --challenge-alias acme.sh flag

Added by Kage - 11 months ago. Updated 18 days ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
ACME
Target version:
-
Start date:
07/02/2018
Due date:
% Done:

0%

Estimated time:

Description

User Story

As a pfSense-pkg-acme user
I want to be able to use the --challenge-alias flag
So that I can use CNAME aliasing of my _acme-challenge subdomain.

Description

As described in references 1 and 2 below, acme.sh supports using DNS aliases (CNAME redirection of the _acme-challenge subdomain), but it requires adding the --challenge-alias flag to the acme.sh call to supply the required Le_ChallengeAlias parameter to the ACME server. Currently there is no way to enable this, thus aliased DNS-01 challenges fail.

Suggested Implementation

acme_certificates_edit.php:

  • Add a checkbox for "Enable DNS alias mode", linking to reference 2 below. For example, after line 382 (end of OCSP Stapling code):
    $section->addInput(new \Form_Checkbox(
        'challengealias',
        'Enable DNS alias mode',
        'Add the --challenge-alias flag to the acme.sh call.',
        $pconfig['challengealias']
    ))->setHelp('More information can be found <a href="https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode" target="_new">here</a>.');
    

acme_sh.inc:

  • Add a class variable such as public $challengealias;
  • In function signCertificate(..), add after line 156 code block (starts with if ($this->ocspstaple == "yes") {):
            if ($this->challengealias == "yes") {
                $cmdparameters .= " --challenge-alias ";
            }
    

acme.inc:

  • In function issue_certificate(..), add after line 973 (after $acmesh->ocspstaple ...):
    $acmesh->challengealias = $certificate['challengealias'];
    

References

  1. http://strugglers.net/~andy/blog/2018/03/19/lets-encrypt-wildcard-certificates-acme-sh-and-automated-dns-verification/
  2. https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode

History

#1 Updated by Pi Ba 9 months ago

Made a PR that 'kinda' incorporates this. A little different than proposed though. It now supports a different challengealias for each domain.
https://github.com/pfsense/FreeBSD-ports/pull/553

#2 Updated by Jim Pingle 9 months ago

  • Category set to ACME
  • Status changed from New to Feedback

PR merged, should be ready for testing shortly

#3 Updated by Greg M 9 months ago

Hi!

Installed, when I open it:

Fatal error: Uncaught Error: Call to undefined function pfsense_pkg\acme\getarraybyref() in /usr/local/www/acme/acme_certificates.php:34 Stack trace: #0 {main} thrown in /usr/local/www/acme/acme_certificates.php on line 34 PHP ERROR: Type: 1, File: /usr/local/www/acme/acme_certificates.php, Line: 34, Message: Uncaught Error: Call to undefined function pfsense_pkg\acme\getarraybyref() in /usr/local/www/acme/acme_certificates.php:34 Stack trace: #0 {main} thrown

Same error on HAPROXY-devel install, will update that redmine too.

#4 Updated by Renato Botelho 9 months ago

Greg M wrote:

Hi!

Installed, when I open it:

Fatal error: Uncaught Error: Call to undefined function pfsense_pkg\acme\getarraybyref() in /usr/local/www/acme/acme_certificates.php:34 Stack trace: #0 {main} thrown in /usr/local/www/acme/acme_certificates.php on line 34 PHP ERROR: Type: 1, File: /usr/local/www/acme/acme_certificates.php, Line: 34, Message: Uncaught Error: Call to undefined function pfsense_pkg\acme\getarraybyref() in /usr/local/www/acme/acme_certificates.php:34 Stack trace: #0 {main} thrown

Same error on HAPROXY-devel install, will update that redmine too.

You must update your snapshot to a more recent one, which will contain the getarraybyref() definition.

#5 Updated by Greg M 9 months ago

I am on:
2.4.4-DEVELOPMENT (amd64)
built on Wed Aug 29 00:38:57 EDT 2018
FreeBSD 11.2-RELEASE-p2

The system is on the latest version.
Version information updated at Wed Aug 29 11:55:20 CEST 2018

#6 Updated by Renato Botelho 9 months ago

Greg M wrote:

I am on:
2.4.4-DEVELOPMENT (amd64)
built on Wed Aug 29 00:38:57 EDT 2018
FreeBSD 11.2-RELEASE-p2

The system is on the latest version.
Version information updated at Wed Aug 29 11:55:20 CEST 2018

I've made some changes this morning. Can you try the new version of acme package when it's available?

#7 Updated by Markus Barckmann 8 months ago

Thanks for this nifty feature. It works well in most cases.

I've seen an issue with some DNS providers which do not allow the CNAME to contain an underscore (_acme-challenge). For this case acme.sh supports the "--domain-alias" option.

I tried this with a very simple patch. It works like a charm:

208c208
<                                               $domainstr .= " --challenge-alias " . escapeshellarg($domain->challengealias);
---
>                                               $domainstr .= " --domain-alias " . escapeshellarg($domain->challengealias);
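Review bot: the edit at line 208 swaps the flag unconditionally, so every certificate that currently relies on the merged --challenge-alias behaviour (CNAME of the _acme-challenge subdomain) would stop validating once this is applied; gate the choice on a setting instead, e.g. `$flag = $domain->usedomainalias ? " --domain-alias " : " --challenge-alias ";` and then `$domainstr .= $flag . escapeshellarg($domain->challengealias);`. Keeping the escapeshellarg() call is right, since the alias value comes from the web UI and is spliced into a shell command.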

It would be very nice to have a UI option to choose between these two (sub)methods.

#8 Updated by Jesse Norell 4 months ago

Markus Barckmann wrote:

It would be very nice to have a UI option to choose between these two (sub)methods.

We have a different use case (not restricted underscore char), but I'll second the request for a UI option to switch '--challenge-alias' to '--domain-alias'.

#9 Updated by Jim Pingle 4 months ago

I added a checkbox to use challenge-domain instead of challenge-alias in ACME pkg version 0.5.2

#10 Updated by Ale Phos about 2 months ago

Jim Pingle wrote:

I added a checkbox to use challenge-domain instead of challenge-alias in ACME pkg version 0.5.2

Shouldn't it be "--domain-alias" instead of "--challenge-domain"? See the acme.sh wiki.

#11 Updated by Jim Pingle about 1 month ago

You are right. I could swear when I did that it was the other way, but I don't see any history of that being the parameter now. It's fixed in 0.5.5 which is up now.
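As an added example (not code from this ticket, the merged PR or the package itself), the command-building step from the suggested implementation combined with the per-certificate choice between --challenge-alias and --domain-alias discussed in the later comments; DomainEntry, is_valid_alias and build_domain_args are assumed names, and the alias validation is an addition the ticket does not describe:

```php
<?php
// Added example, not pfSense-pkg-acme's own code: build the per-domain part of
// an acme.sh command line with the alias flag chosen per certificate.
// DomainEntry, is_valid_alias and build_domain_args are hypothetical names.

class DomainEntry {
    public $name;            // domain to issue for (-d)
    public $challengealias;  // alias zone to validate in; '' means no aliasing

    public function __construct($name, $challengealias = '') {
        $this->name = $name;
        $this->challengealias = $challengealias;
    }
}

// Only a plain DNS hostname may reach the shell: labels of letters, digits and
// hyphens, no leading/trailing hyphen, at most 253 characters in total.
function is_valid_alias($alias) {
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return (bool) preg_match("/^(?=.{1,253}\$)(?:{$label}\\.)+{$label}\$/i", $alias);
}

// $usedomainalias mirrors the certificate-level checkbox: true emits
// --domain-alias (for providers that reject _acme-challenge in a CNAME
// target), false keeps the original --challenge-alias behaviour.
function build_domain_args(array $domains, $usedomainalias = false) {
    $flag = $usedomainalias ? ' --domain-alias ' : ' --challenge-alias ';
    $domainstr = '';
    foreach ($domains as $domain) {
        $domainstr .= ' -d ' . escapeshellarg($domain->name);
        if ($domain->challengealias === '') {
            continue;
        }
        if (!is_valid_alias($domain->challengealias)) {
            // Fail closed rather than pass an unexpected value to acme.sh.
            throw new InvalidArgumentException(
                "invalid alias for {$domain->name}: {$domain->challengealias}");
        }
        $domainstr .= $flag . escapeshellarg($domain->challengealias);
    }
    return $domainstr;
}

// Constructed sample input: two domains validated through one alias zone.
$domains = [
    new DomainEntry('example.com', 'validation.example.net'),
    new DomainEntry('www.example.com', 'validation.example.net'),
];
echo "acme.sh --issue" . build_domain_args($domains, true) . "\n";
```

With the checkbox unset the same call emits --challenge-alias for each aliased domain, which is the behaviour the merged PR shipped.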

#12 Updated by Jim Pingle 18 days ago

  • Status changed from Feedback to Resolved
