
security/acme-client: Add NSUPDATE_ZONE support to nsupdate DNS-01 Service #1851

Merged
merged 6 commits into from
May 28, 2020

Conversation

billgertz
Contributor

@billgertz billgertz commented May 25, 2020

This change is to update nsupdate (RFC 2136) DNS Service for the Let's Encrypt module to support a Zone declaration. As described in PR#1963 for acme.sh:

Some DNS servers for which dns_nsupdate.sh is applicable (such as dyn.com's 'Standard DNS' TSIG update mechanism), require that the zone be set during the nsupdate transaction. Therefore we add a new environment variable NSUPDATE_ZONE which is used to set the zone for the DNS TSIG transaction.

Currently OPNSense is a year and a half behind what acme.sh supports for the nsupdate DNSAPI. See the acme.sh pull request for more detailed information.

Adds new validation.dns_nsupdate_zone field to implement support for NSUPDATE_ZONE. See acmesh-official/acme.sh#1963 for more information.
Adds dns_nsupdate_zone field to model to support NSUPDATE_ZONE. See acmesh-official/acme.sh#1963 for more information.
@billgertz billgertz changed the title Add NSUPDATE_ZONE nsupdate support security/acme-client: Add NSUPDATE_ZONE support to nsupdate DNS-01 Service May 25, 2020
Adds new $proc_env call to process dns_update_zone to implement NSUPDATE_ZONE env variable. See acmesh-official/acme.sh#1963 for more information.
Mistake on my part, caught during review.
Mistake on a mistake: the <field> tag had bad alignment; it was not an unneeded tag.
Help took up three lines - shortened so it takes only two.
@billgertz
Contributor Author

This has been tested on:

Versions      OPNsense 20.1.7-amd64
              FreeBSD 11.2-RELEASE-p20-HBSD
              OpenSSL 1.1.1g 21 Apr 2020

Using the nsupdate DNS Service with an nsupdate table something like:

Server (FQDN)    update.dyndns.com
Zone             myzone.tld
Secret Key       key "xxxxxxxxxxxxxxx" {
                    algorithm hmac-md5;
                    secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxx";
                 };

This resulted in a valid cert issued by Let's Encrypt.
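The zone requirement described in the PR description above, applied to the nsupdate table used in this test, as an added example that is not acme.sh's, OPNsense's or the author's code: a POSIX shell function that builds the RFC 2136 batch a DNS-01 hook hands to nsupdate on stdin for the _acme-challenge TXT record, emitting a zone directive only when NSUPDATE_ZONE is set. The environment variable names NSUPDATE_SERVER, NSUPDATE_SERVER_PORT and NSUPDATE_ZONE follow acme.sh's naming; the function names, the record names and the key path in the comments are assumptions, and every value is constructed.

```shell
#!/bin/sh
# Added example (not acme.sh's or OPNsense's code): build the nsupdate (RFC 2136)
# batch that a DNS-01 hook sends to nsupdate on stdin. When NSUPDATE_ZONE is set,
# a "zone" directive is emitted so servers that require an explicit zone (such as
# the dyn.com TSIG update mechanism named in the PR) accept the update.

# build_nsupdate_batch ACTION FQDN TXT_VALUE
#   ACTION is "add" or "delete". Reads NSUPDATE_SERVER, NSUPDATE_SERVER_PORT
#   (default 53) and the optional NSUPDATE_ZONE from the environment and prints
#   the batch to stdout. Function name and argument layout are assumptions.
build_nsupdate_batch() {
    action=$1
    fulldomain=$2
    txtvalue=$3
    port=${NSUPDATE_SERVER_PORT:-53}

    case "$action" in
        add|delete) ;;
        *) echo "unsupported action: $action" >&2; return 1 ;;
    esac
    [ -n "$NSUPDATE_SERVER" ] || { echo "NSUPDATE_SERVER is not set" >&2; return 1; }

    printf 'server %s %s\n' "$NSUPDATE_SERVER" "$port"
    # Only emit the zone directive when configured; the trailing dot makes the
    # zone name absolute so the server does not append a search suffix.
    if [ -n "$NSUPDATE_ZONE" ]; then
        printf 'zone %s.\n' "${NSUPDATE_ZONE%.}"
    fi
    if [ "$action" = add ]; then
        printf 'update add %s. 60 in txt "%s"\n' "${fulldomain%.}" "$txtvalue"
    else
        printf 'update delete %s. txt\n' "${fulldomain%.}"
    fi
    printf 'send\n'
}

# zone_matches_record ZONE FQDN
#   Sanity check worth running before handing the batch to nsupdate: a configured
#   zone must be a suffix of the record name, otherwise the server refuses the
#   update (and the TSIG key may not even be authorised for that zone).
zone_matches_record() {
    zone=${1%.}
    record=${2%.}
    case "$record" in
        *".$zone") return 0 ;;
        *) return 1 ;;
    esac
}

# Example invocation with constructed values mirroring the tested table above
# (the key file path is a placeholder):
#   NSUPDATE_SERVER=update.dyndns.com NSUPDATE_ZONE=myzone.tld \
#     build_nsupdate_batch add _acme-challenge.myzone.tld TOKEN \
#     | nsupdate -k /path/to/Kmyzone.private
```

The batch is only built when NSUPDATE_SERVER is present, and the zone line is omitted entirely when NSUPDATE_ZONE is empty, so the same function serves servers that reject an explicit zone and servers that require one.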

@billgertz
Contributor Author

billgertz commented May 25, 2020

@fraenki

Ready for review and comment. If I've screwed something up - please let me know what and I will correct it straight away.

@billgertz billgertz closed this May 25, 2020
@billgertz billgertz reopened this May 25, 2020
@billgertz billgertz marked this pull request as ready for review May 25, 2020 17:18
Member

@fichtner fichtner left a comment


looks good at first glance, thanks ❤️

@fraenki fraenki added the feature Adding new functionality label May 25, 2020
@fraenki fraenki merged commit c46695c into opnsense:master May 28, 2020
@fraenki
Member

fraenki commented May 28, 2020

Merged, thanks!

@billgertz
Contributor Author

@fraenki Glad to be of some small help.

@billgertz billgertz deleted the patch-3 branch May 31, 2020 18:52