security/acme-client: does not deal correctly with Subject Alternate Names and nsupdate
noseshimself opened this issue
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
- I have searched the existing issues, open and closed, and I'm convinced that mine is new.
- The title contains the plugin to which this issue belongs
Describe the bug
If you
- specify multiple names to be included in a certificate and
- you use the RFC update mechanism for DNS updates and
- you use CNAMEs for the _acme-challenges

I don't see any valid way to specify the option to add the individual --challenge-alias parameter for every single -d parameter, as you would need one per alternative name.
To Reproduce
Steps to reproduce the behavior:
Try creating a certificate using DNS-01 verification with several "Alt Names" where every single one of the alternative names has another CNAME pointed to for providing the DNS-01 challenge, which needs to be provided to a --challenge-alias parameter in the acme.sh call. You will be missing input fields for them.
Expected behavior
Having one input field per name if you use challenge-alias
If I understand this correctly, you want to use DNS alias mode:
https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode
This is already supported:
- Services: ACME Client: Certificates
- Edit Certificate
- scroll to the bottom: DNS Alias Mode
Can you refer to the part of the (ACME plugin) documentation where the necessary handling of input for acme.sh case 4 (see https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode#4-specify-different-aliased-domains-for-each-domain) is shown?
In my specific case the CNAMEs for my challenges have the form

`_acme-challenge.FQDN. IN CNAME FQDN.acme-z.one.`

and the only way to do so is calling acme.sh as

`--issue -d x1.example.com --challenge-alias x1.example.com.acme-z.one -d x1.example.net --challenge-alias x1.example.net.acme-z.one`

No matter what I'm entering in OPNSense, this is not coming out.
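The per-name pairing described in this comment (acme.sh DNS alias mode, case 4), as an added shell example that is not part of the thread, the plugin or acme.sh: it builds the `-d`/`--challenge-alias` pairs for a list of names, prints the CNAME each name needs, and checks those CNAMEs against a zone dump before anything is issued. The alias zone acme-z.one and the hostnames are taken from the comment above; the function names and the "owner target" dump format are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not OPNsense/acme.sh code). Builds the per-domain
# "-d NAME --challenge-alias ALIAS" pairs that acme.sh DNS alias mode
# case 4 expects, for CNAMEs of the form
#   _acme-challenge.FQDN. IN CNAME FQDN.<alias zone>.
# Zone and hostnames follow the report; function names are assumptions.

ALIAS_ZONE="acme-z.one"

# Print the CNAME record the DNS operator must publish for one name.
challenge_cname() {
    printf '_acme-challenge.%s. IN CNAME %s.%s.\n' "$1" "$1" "$ALIAS_ZONE"
}

# Emit one "-d NAME --challenge-alias NAME.ZONE" pair per argument on a
# single line, so it can be spliced into an acme.sh --issue call.
acme_alias_args() {
    out=""
    for name in "$@"; do
        out="$out -d $name --challenge-alias $name.$ALIAS_ZONE"
    done
    printf '%s\n' "${out# }"
}

# Pre-issue check: every alias must be exactly the target of the
# published CNAME. $1 is a file of "owner target" lines (constructed
# zone-dump format, one record per line); remaining args are the names.
# Returns non-zero if any name has a missing or wrong CNAME.
check_cnames() {
    table="$1"; shift
    rc=0
    for name in "$@"; do
        want="$name.$ALIAS_ZONE."
        got=$(awk -v o="_acme-challenge.$name." '$1==o {print $2}' "$table")
        if [ "$got" != "$want" ]; then
            echo "MISSING/WRONG: _acme-challenge.$name -> '$got' (want $want)" >&2
            rc=1
        fi
    done
    return $rc
}

# Typical use (word splitting of the unquoted substitution is intended):
#   acme.sh --issue $(acme_alias_args x1.example.com x1.example.net)
```

Run `check_cnames` against a dump of the alias zone first; a single stale CNAME otherwise fails the whole multi-name order at validation time.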