Feature #8613
closed
pfSense-pkg-acme: acme_certificates_edit.php - Add support for --challenge-alias acme.sh flag
Added by Kage - over 6 years ago.
Updated over 5 years ago.
Description
User Story
As a pfSense-pkg-acme user
I want to be able to use the --challenge-alias flag
So that I can use CNAME aliasing of my _acme-challenge subdomain.
Description
As described in references 1 and 2 below, acme.sh supports using DNS aliases (CNAME redirection of the _acme-challenge subdomain), but it requires adding the --challenge-alias flag to the acme.sh call to supply the required Le_ChallengeAlias parameter to the ACME server. Currently there is no way to enable this, thus aliased DNS-01 challenges fail.
Suggested Implementation
acme_certificates_edit.php:
- Add a checkbox for "Enable DNS alias mode", linking to reference 2 below. For example, after line 382 (end of OCSP Stapling code):
$section->addInput(new \Form_Checkbox(
'challengealias',
'Enable DNS alias mode',
'Add the --challenge-alias flag to the acme.sh call.',
$pconfig['challengealias']
))->setHelp('More information can be found <a href="https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode" target="_new">here</a>.');
acme_sh.inc:
acme.inc:
References
- http://strugglers.net/~andy/blog/2018/03/19/lets-encrypt-wildcard-certificates-acme-sh-and-automated-dns-verification/
- https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
- Category set to ACME
- Status changed from New to Feedback
PR merged, should be ready for testing shortly
Hi!
Installed, when I open it:
Fatal error: Uncaught Error: Call to undefined function pfsense_pkg\acme\getarraybyref() in /usr/local/www/acme/acme_certificates.php:34 Stack trace: #0 {main} thrown in /usr/local/www/acme/acme_certificates.php on line 34 PHP ERROR: Type: 1, File: /usr/local/www/acme/acme_certificates.php, Line: 34, Message: Uncaught Error: Call to undefined function pfsense_pkg\acme\getarraybyref() in /usr/local/www/acme/acme_certificates.php:34 Stack trace: #0 {main} thrown
Same error on HAPROXY-devel install, will update that redmine too.
Greg M wrote:
Hi!
Installed, when I open it:
Fatal error: Uncaught Error: Call to undefined function pfsense_pkg\acme\getarraybyref() in /usr/local/www/acme/acme_certificates.php:34 Stack trace: #0 {main} thrown in /usr/local/www/acme/acme_certificates.php on line 34 PHP ERROR: Type: 1, File: /usr/local/www/acme/acme_certificates.php, Line: 34, Message: Uncaught Error: Call to undefined function pfsense_pkg\acme\getarraybyref() in /usr/local/www/acme/acme_certificates.php:34 Stack trace: #0 {main} thrown
Same error on HAPROXY-devel install, will update that redmine too.
You must update your snapshot to a more recent, which will contain getarraybyref() definition
I am on:
2.4.4-DEVELOPMENT (amd64)
built on Wed Aug 29 00:38:57 EDT 2018
FreeBSD 11.2-RELEASE-p2
The system is on the latest version.
Version information updated at Wed Aug 29 11:55:20 CEST 2018
Greg M wrote:
I am on:
2.4.4-DEVELOPMENT (amd64)
built on Wed Aug 29 00:38:57 EDT 2018
FreeBSD 11.2-RELEASE-p2
The system is on the latest version.
Version information updated at Wed Aug 29 11:55:20 CEST 2018
I've made some changes this morning. Can you try the new version of acme package when it's available?
Thanks for this nifty feature. It works well in most cases.
I've seen an issue with some DNS-Providers which are not allowing
the CNAME to contain an underscore (_acme-challenge). For this case acme.sh supports the "--domain-alias" option.
I tried this with a very simple patch. It works like a charm:
208c208
< $domainstr .= " --challenge-alias " . escapeshellarg($domain->challengealias);
---
> $domainstr .= " --domain-alias " . escapeshellarg($domain->challengealias);
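Review bot: this hunk swaps `--challenge-alias` for `--domain-alias` unconditionally on line 208, so every domain entry that already has its CNAME pointing at `_acme-challenge.<alias>` would stop validating once the patch is applied; gate the flag on a per-domain setting instead, keeping the existing `escapeshellarg($domain->challengealias)` and selecting `--challenge-alias` or `--domain-alias` from a new field, which is also what the UI option requested below would need. Keeping `escapeshellarg()` on the alias value is correct, since it is operator-supplied configuration that ends up on a shell command line.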
It would be very nice to have a UI option to choose between these two (sub)methods.
Markus Barckmann wrote:
It would be very nice to have a UI option to choose between these two (sub)methods.
We have a different use case (not restricted underscore char), but I'll second the request for a UI option to switch '--challenge-alias' to '--domain-alias'.
I added a checkbox to use challenge-domain instead of challenge-alias in ACME pkg version 0.5.2
Jim Pingle wrote:
I added a checkbox to use challenge-domain instead of challenge-alias in ACME pkg version 0.5.2
Shouldn't it be "--domain-alias" instead of "--challenge-domain"? See ACME.sh wiki
You are right. I could swear when I did that it was the other way, but I don't see any history of that being the parameter now. It's fixed in 0.5.5 which is up now.
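The thread above boils down to one decision per domain entry: pass --challenge-alias (CNAME target keeps the _acme-challenge label) or --domain-alias (CNAME target is the bare alias domain, for DNS providers that reject underscores). The example below is added here and is not code from pfSense-pkg-acme; it shows how that choice maps to the acme.sh argument fragment and to the CNAME record the operator has to publish, which is the part people most often get wrong. The field names 'challengealias' and 'aliasmode', the namespace, and the sample domains are assumptions. The point of alias mode from a defender's side is that the DNS API credentials stored on the firewall only need write access to the validation-only zone, not to the production zone.

```php
<?php
// Added example, not pfSense-pkg-acme code. Field names 'challengealias' and
// 'aliasmode' ('challenge' or 'domain') are assumptions for illustration.
namespace pfsense_pkg\acme_example;

/**
 * Build the acme.sh alias argument for one domain entry.
 * Returns '' when no alias is configured, otherwise ' --challenge-alias <a>'
 * or ' --domain-alias <a>' with the value shell-escaped.
 */
function build_alias_args(array $entry): string {
    $alias = trim($entry['challengealias'] ?? '');
    if ($alias === '') {
        return '';
    }
    // Accept only a plain hostname before it reaches the shell; escapeshellarg()
    // below is the second line of defence, not the only one.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]*$/', $alias)) {
        throw new \InvalidArgumentException("invalid alias domain: {$alias}");
    }
    $mode = $entry['aliasmode'] ?? 'challenge';
    $flag = ($mode === 'domain') ? '--domain-alias' : '--challenge-alias';
    return ' ' . $flag . ' ' . escapeshellarg($alias);
}

/**
 * The CNAME the operator must create in the production zone so that the
 * DNS-01 lookup is redirected into the validation-only zone.
 * Returns [source, target]. Wildcard names validate at the base domain.
 */
function expected_cname(array $entry): array {
    $base = preg_replace('/^\*\./', '', $entry['name']);
    $source = '_acme-challenge.' . $base;
    $mode = $entry['aliasmode'] ?? 'challenge';
    // challenge-alias keeps the _acme-challenge label on the target;
    // domain-alias drops it (for providers that reject underscores in targets).
    $target = ($mode === 'domain')
        ? $entry['challengealias']
        : '_acme-challenge.' . $entry['challengealias'];
    return [$source, $target];
}

/**
 * Optional live check that the CNAME is actually published (needs DNS access).
 * Returns true when a CNAME at $source points at $target.
 */
function cname_published(string $source, string $target): bool {
    $records = @dns_get_record($source, DNS_CNAME);
    if (!is_array($records)) {
        return false;
    }
    foreach ($records as $rr) {
        if (isset($rr['target']) && strcasecmp(rtrim($rr['target'], '.'), $target) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample entries: one per mode, plus a wildcard name.
$entries = [
    ['name' => 'www.example.com',  'challengealias' => 'acme-validation.example.net', 'aliasmode' => 'challenge'],
    ['name' => 'www.example.com',  'challengealias' => 'acme-validation.example.net', 'aliasmode' => 'domain'],
    ['name' => '*.example.com',    'challengealias' => 'acme-validation.example.net', 'aliasmode' => 'challenge'],
];

foreach ($entries as $e) {
    [$src, $dst] = expected_cname($e);
    printf("%-9s mode: acme.sh --issue --dns dns_xxx -d %s%s\n",
        $e['aliasmode'], escapeshellarg($e['name']), build_alias_args($e));
    printf("          needs: %s. IN CNAME %s.\n", $src, $dst);
}
```

Run it with php from the command line to see the two argument shapes side by side. The dns_xxx provider hook is a placeholder, and cname_published() is only there for an operator who wants to confirm the redirect before clicking Issue; the rest runs offline.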
- Status changed from Feedback to Resolved