Bug in issuing wildcard certificate with Proxmox ACME

S

Sprinterfreak

Active Member
Mar 26, 2018
26
3
43
36
So I'd like to issue a valid LE wildcard certificate for my pbs instance. This is especially useful to hide detailed information behind the public scope of the infrastructure in the LE domain log.

I have a working infrastructure for rfc2136 (dns-01) challenge handling through an alias domain. According to proxmox documentation this should be possible to utilize.
Now the issue lies in configuring a wildcard domain.
You can't create a wildcard domain entry under Certificates->ACME in the WebUI as "*.sub.domain.tld" does not meet the regex.
The documentation states to modify /etc/proxmox-backup/node.cfg by hand and add the *.-prefix to the domain.

This of course breaks the WebUI. Now it only displays an error:
> Bad Request (400)
> line 0: parameter verification failed - 'domain': schema validation failed: value does not match the regex pattern

So looks like the documentation is not quiet compatible with the software itself.
Also I've not seen it try to issue the certificate yet. Would it be sufficient to fix the domain regex or is there a deeper problem in wildcard handling?
 
Hi!
this looks like it's an error on our side. We don't allow any '*' in dns names. I'll check it out.
 
Hi,

also filed an issue https://bugzilla.proxmox.com/show_bug.cgi?id=5719
I did manage to pull a wildcard certificate with the suggested patches to the DNS_NAME_FORMAT schema.

There is of course still something weird happening. You need to add two domain entries
- the.domain.tld
- *.the.domain.tld
This works because if it validates '*.the.domain.tld' it accesses, for what ever reason, the config for the.domain.tld. The WebUI handles wildcard domains flawlessly and the wildcard does appear and validate successfully in the certificate then.

The AcmeClient seems to fail loading the configuration if domain contains *. as somewhere in the code the *. prefix is dropped in the identifier and without the domain itself configured, breaks. If just the wildcard is configured it fails with "no config for domain 'the.domain.tld'" (where it should lookup '*.the.domain.tld'. I didn't yet manage to find where the prefix gets lost on the way. This is in src/api2/node/certificates.rs:301
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back