Feature #8613 (closed)
pfSense-pkg-acme: acme_certificates_edit.php - Add support for --challenge-alias acme.sh flag
Description
User Story
As a pfSense-pkg-acme user,
I want to be able to use the --challenge-alias flag,
so that I can use CNAME aliasing of my _acme-challenge subdomain.
Description
As described in references 1 and 2 below, acme.sh supports using DNS aliases (CNAME redirection of the _acme-challenge subdomain), but it requires adding the --challenge-alias flag to the acme.sh call to supply the required Le_ChallengeAlias parameter to the ACME server. Currently there is no way to enable this, thus aliased DNS-01 challenges fail.
Suggested Implementation
acme_certificates_edit.php:
- Add a checkbox for "Enable DNS alias mode", linking to reference 2 below. For example, after line 382 (end of OCSP Stapling code):

    $section->addInput(new \Form_Checkbox(
        'challengealias',
        'Enable DNS alias mode',
        'Add the --challenge-alias flag to the acme.sh call.',
        $pconfig['challengealias']
    ))->setHelp('More information can be found <a href="https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode" target="_new">here</a>.');

acme_sh.inc:
- Add a class variable such as

    public $challengealias;

- In function signCertificate(..), add after the code block at line 156 (the one that starts with if ($this->ocspstaple == "yes") {):

    if ($this->challengealias == "yes") { $cmdparameters .= " --challenge-alias "; }

acme.inc:
- In function issue_certificate(..), add after line 973 (after $acmesh->ocspstaple ...):

    $acmesh->challengealias = $certificate['challengealias'];
References
Updated by Pi Ba over 6 years ago
Made a PR that 'kinda' incorporates this.. A little different than proposed though. It now supports a different challengealias for each domain.
https://github.com/pfsense/FreeBSD-ports/pull/553
Updated by Jim Pingle about 6 years ago
- Category set to ACME
- Status changed from New to Feedback
PR merged, should be ready for testing shortly
Updated by Greg M about 6 years ago
Hi!
Installed, when I open it:
Fatal error: Uncaught Error: Call to undefined function pfsense_pkg\acme\getarraybyref() in /usr/local/www/acme/acme_certificates.php:34 Stack trace: #0 {main} thrown in /usr/local/www/acme/acme_certificates.php on line 34 PHP ERROR: Type: 1, File: /usr/local/www/acme/acme_certificates.php, Line: 34, Message: Uncaught Error: Call to undefined function pfsense_pkg\acme\getarraybyref() in /usr/local/www/acme/acme_certificates.php:34 Stack trace: #0 {main} thrown
Same error on HAPROXY-devel install, will update that redmine too.
Updated by Renato Botelho about 6 years ago
Greg M wrote:
> Hi!
> Installed, when I open it:
> Fatal error: Uncaught Error: Call to undefined function pfsense_pkg\acme\getarraybyref() in /usr/local/www/acme/acme_certificates.php:34 Stack trace: #0 {main} thrown in /usr/local/www/acme/acme_certificates.php on line 34 PHP ERROR: Type: 1, File: /usr/local/www/acme/acme_certificates.php, Line: 34, Message: Uncaught Error: Call to undefined function pfsense_pkg\acme\getarraybyref() in /usr/local/www/acme/acme_certificates.php:34 Stack trace: #0 {main} thrown
> Same error on HAPROXY-devel install, will update that redmine too.
You must update your snapshot to a more recent one, which will contain the getarraybyref() definition.
Updated by Greg M about 6 years ago
I am on:
2.4.4-DEVELOPMENT (amd64)
built on Wed Aug 29 00:38:57 EDT 2018
FreeBSD 11.2-RELEASE-p2
The system is on the latest version.
Version information updated at Wed Aug 29 11:55:20 CEST 2018
Updated by Renato Botelho about 6 years ago
Greg M wrote:
> I am on:
> 2.4.4-DEVELOPMENT (amd64)
> built on Wed Aug 29 00:38:57 EDT 2018
> FreeBSD 11.2-RELEASE-p2
> The system is on the latest version.
> Version information updated at Wed Aug 29 11:55:20 CEST 2018
I've made some changes this morning. Can you try the new version of acme package when it's available?
Updated by Markus Barckmann about 6 years ago
Thanks for this nifty feature. It works well in most cases.
I've seen an issue with some DNS providers which are not allowing the CNAME to contain an underscore (_acme-challenge). For this case acme.sh supports the "--domain-alias" option.
I tried this with a very simple patch. It works like a charm:
208c208
< $domainstr .= " --challenge-alias " . escapeshellarg($domain->challengealias);
---
> $domainstr .= " --domain-alias " . escapeshellarg($domain->challengealias);
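Review bot: replacing --challenge-alias with --domain-alias unconditionally at line 208 changes the behaviour for every user with a configured alias, not only for those whose DNS provider rejects the underscore, so anyone whose existing CNAME follows the --challenge-alias layout would start failing validation after this patch. Keep both flags and select per domain, e.g. `$flag = ($domain->aliasmode == "domain") ? "--domain-alias" : "--challenge-alias";` followed by `$domainstr .= " " . $flag . " " . escapeshellarg($domain->challengealias);`, which also matches the UI option requested in the next sentence.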
It would be very nice to have a UI option to choose between these two (sub)methods.
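As an added example (not code from pfSense-pkg-acme or from Pi Ba's PR), the following PHP shows how the per-domain alias from the suggested implementation above and the --challenge-alias / --domain-alias choice raised in this comment can be combined when building the acme.sh argument string. The class name DomainEntry, the property names (name, method, challengealias, aliasmode) and the "dns_" prefix convention for method names are assumptions made for this example; the sample domain list is constructed.

```php
<?php
// Added example, not the package's own code. Builds the per-domain part of an
// acme.sh command line with optional DNS alias mode. Class and property names
// are assumptions for this example.

class DomainEntry {
    public $name;            // domain being validated, e.g. example.com
    public $method;          // validation method; assumed to start with "dns_" for DNS-01
    public $challengealias;  // alias zone for the _acme-challenge CNAME, "" for none
    public $aliasmode;       // "challenge" => --challenge-alias, "domain" => --domain-alias

    public function __construct($name, $method, $challengealias = '', $aliasmode = 'challenge') {
        $this->name = $name;
        $this->method = $method;
        $this->challengealias = $challengealias;
        $this->aliasmode = $aliasmode;
    }
}

// Returns the acme.sh arguments for one domain. Both alias flags take a value
// (the alias zone), so an empty alias must produce no flag at all rather than a
// bare "--challenge-alias". Every user-supplied value goes through
// escapeshellarg() because the string is later handed to a shell.
function build_domain_args(DomainEntry $domain) {
    $args = ' -d ' . escapeshellarg($domain->name);

    if (strpos($domain->method, 'dns_') !== 0) {
        // webroot/standalone style validation: alias settings do not apply
        return $args;
    }
    $args .= ' --dns ' . escapeshellarg($domain->method);

    if ($domain->challengealias === '') {
        return $args;
    }

    // --domain-alias is the variant for providers that reject an underscore in
    // the CNAME target; --challenge-alias is the default described in the issue.
    $flag = ($domain->aliasmode === 'domain') ? '--domain-alias' : '--challenge-alias';
    return $args . ' ' . $flag . ' ' . escapeshellarg($domain->challengealias);
}

// Concatenates the arguments for all domains of one certificate.
function build_issue_args(array $domains) {
    $cmd = '';
    foreach ($domains as $d) {
        $cmd .= build_domain_args($d);
    }
    return $cmd;
}

// Constructed sample input covering the cases discussed in the thread.
$domains = [
    new DomainEntry('example.com', 'dns_cf', 'alias.example.net'),
    new DomainEntry('www.example.com', 'dns_cf', 'alias.example.net', 'domain'),
    new DomainEntry('mail.example.com', 'webroot', 'alias.example.net'),    // alias ignored
    new DomainEntry('ftp.example.com', 'dns_cf', 'alias.example.net; true'), // quoted, not interpreted
];

echo 'acme.sh --issue' . build_issue_args($domains) . "\n";
```

Run with `php example.php`; the last sample entry shows that a stray shell metacharacter in a configured alias ends up inside single quotes rather than as a second command, which is the reason the PR quoted above wraps the alias in escapeshellarg().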
Updated by Jesse Norell almost 6 years ago
Markus Barckmann wrote:
> It would be very nice to have a UI option to choose between these two (sub)methods.
We have a different use case (not restricted underscore char), but I'll second the request for a UI option to switch '--challenge-alias' to '--domain-alias'.
Updated by Jim Pingle almost 6 years ago
I added a checkbox to use challenge-domain instead of challenge-alias in ACME pkg version 0.5.2
Updated by Ale Phos over 5 years ago
Jim Pingle wrote:
> I added a checkbox to use challenge-domain instead of challenge-alias in ACME pkg version 0.5.2
Shouldn't it be "--domain-alias" instead of "--challenge-domain"? See the acme.sh wiki.
Updated by Jim Pingle over 5 years ago
You are right. I could swear when I did that it was the other way, but I don't see any history of that being the parameter now. It's fixed in 0.5.5 which is up now.
Updated by Jim Pingle over 5 years ago
- Status changed from Feedback to Resolved