opnsense / plugins

OPNsense plugin collection

Home Page: https://opnsense.org/


security/acme-client: does not deal correctly with Subject Alternate Names and nsupdate

noseshimself opened this issue · comments


Describe the bug
If you
  • specify multiple names to be included in a certificate and
  • you use the RFC update mechanism for DNS updates and
  • you use CNAMEs for the _acme-challenges

I don't see any valid way to specify the option to add the individual --challenge-alias parameter for every single -d parameter as you would need one per alternative name.


To Reproduce
Steps to reproduce the behavior:

Try creating a certificate using DNS-01 verification with several "Alt Names" where every single one of the alternative names has another CNAME pointed to for providing the DNS-01 challenge that needs to be provided to a --challenge-alias parameter in the acme.sh call. You will be missing input fields for them.

Expected behavior
Having one input field per name if you use challenge-alias

If I understand this correctly, you want to use DNS alias mode:
https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode

This is already supported:

  • Services: ACME Client: Certificates
  • Edit Certificate
  • scroll to the bottom: DNS Alias Mode

Can you refer to the part of the (ACME plugin) documentation where the necessary handling of input for acme.sh case 4 (see https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode#4-specify-different-aliased-domains-for-each-domain) is shown?

In my specific case the CNAMEs for my challenges have the form

_acme-challenge.FQDN. IN CNAME FQDN.acme-z.one.

and the only way to do so is calling acme.sh as --issue -d x1.example.com --challenge-alias x1.example.com.acme-z.one -d x1.example.net --challenge-alias x1.example.net.acme-z.one; no matter what I'm entering in OPNsense, this is not coming out.
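The per-name argument list described in this thread, as an added example that is not from the thread or the plugin: a POSIX shell function that derives one --challenge-alias per --domain (acme.sh DNS alias mode, case 4) from _acme-challenge CNAME records in the form shown above, and refuses to proceed when a requested name has no such CNAME. The zone records, the example names and the acme-z.one alias zone are constructed for illustration.

```shell
#!/bin/sh
# Constructed zone-file excerpt: one _acme-challenge CNAME per name that will
# go into the certificate, each pointing into the separate alias zone.
ZONE_RECORDS='_acme-challenge.x1.example.com. IN CNAME x1.example.com.acme-z.one.
_acme-challenge.x1.example.net. IN CNAME x1.example.net.acme-z.one.
www.example.com. IN A 192.0.2.10'

# build_alias_args ZONE_TEXT NAME...
# For every NAME requested, look up its _acme-challenge CNAME in ZONE_TEXT and
# emit "--domain NAME --challenge-alias TARGET" (case 4 of the acme.sh DNS
# alias mode: a different alias per domain). Trailing dots are stripped because
# acme.sh expects plain host names. Returns 1 if any NAME has no CNAME, since
# acme.sh would otherwise try to write the TXT record into the real zone and
# the RFC 2136 (nsupdate) update would fail there.
build_alias_args() {
    zone=$1; shift
    args=''
    for name in "$@"; do
        target=$(printf '%s\n' "$zone" \
            | awk -v owner="_acme-challenge.${name}." \
                  '$1 == owner && $2 == "IN" && $3 == "CNAME" { print $4; exit }')
        if [ -z "$target" ]; then
            echo "no _acme-challenge CNAME for ${name}" >&2
            return 1
        fi
        target=${target%.}
        args="${args} --domain ${name} --challenge-alias ${target}"
    done
    printf '%s\n' "${args# }"
}

# The full argument list for the two-name certificate discussed in this thread.
build_alias_args "$ZONE_RECORDS" x1.example.com x1.example.net
```

The printed arguments are what would have to follow `acme.sh --issue` for the reporter's setup; a name without a matching CNAME is reported on stderr and the function exits non-zero.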

If you enable the previously mentioned DNS Alias Mode option...

[Screenshot: opn_challenge_alias]

...then the acme.sh command will contain the required parameters:

/usr/local/sbin/acme.sh --issue ... --domain 'test.example.org' --challenge-alias 'acme-challenge-alias.example.com' ...