--- /dev/null
+-- ACME dns-01 automation via event_hdl callbacks using the Gandi LiveDNS API v5
+--
+-- HAProxy Configuration:
+--
+-- global
+-- expose-experimental-directives
+-- tune.lua.bool-sample-conversion normal
+-- lua-load examples/lua/acme-gandi-livedns.lua
+-- log stderr local0
+--
+-- acme LE
+-- directory https://acme-staging-v02.api.letsencrypt.org/directory
+-- contact foobar@example.com
+-- challenge dns-01
+-- challenge-ready cli,dns
+--
+-- crt-store
+-- load crt foobar.pem acme letsencrypt LE *.foobar.example.com
+--
+-- Start HAProxy with the GANDI_API_KEY variable:
+--
+-- GANDI_API_KEY=fer89wf498w4f98we74f98wwiw787f8we4f8 ./haproxy -W -f haproxy.cfg
+--
+-- Gandi Personal Access Token (https://account.gandi.net -> Security -> Personal Access Tokens).
+-- Set the GANDI_API_KEY environment variable before starting HAProxy.
+local GANDI_API_KEY = os.getenv("GANDI_API_KEY") or error("GANDI_API_KEY environment variable is not set")
+
+-- Gandi LiveDNS API base URL.
+local GANDI_API_URL = "https://api.gandi.net/v5/livedns"
+
+-- ---------------------------------------------------------------------------
+-- Gandi LiveDNS helpers
+-- ---------------------------------------------------------------------------
+
+-- Try to set the _acme-challenge TXT record for <domain> to <txt_value>.
+-- Probes each possible parent zone (longest first) until Gandi accepts one.
+-- Returns the zone and record name on success, or nil on failure.
+local function dns_set_txt(domain, txt_value)
+ local labels = {}
+ for label in domain:gmatch("[^.]+") do
+ labels[#labels + 1] = label
+ end
+
+ for i = 1, #labels - 1 do
+ local zone = table.concat(labels, ".", i + 1)
+ local name = "_acme-challenge." .. table.concat(labels, ".", 1, i)
+ local url = string.format("%s/domains/%s/records/%s/TXT", GANDI_API_URL, zone, name)
+ local body = string.format('{"rrset_values":["%s"],"rrset_ttl":300}', txt_value)
+
+ core.log(core.debug, string.format("acme: trying PUT %s", url))
+
+ -- Remove any stale TXT record first so the new value propagates cleanly.
+ local hc_del = core.httpclient()
+ hc_del:delete({
+ url = url,
+ headers = { ["Authorization"] = { "Bearer " .. GANDI_API_KEY } },
+ })
+
+ local hc = core.httpclient()
+ local res = hc:put({
+ url = url,
+ headers = {
+ ["Authorization"] = { "Bearer " .. GANDI_API_KEY },
+ ["Content-Type"] = { "application/json" },
+ },
+ body = body,
+ })
+
+ if res and (res.status == 200 or res.status == 201) then
+ core.log(core.notice, string.format(
+ "acme: TXT record set: %s in zone %s", name, zone))
+ return zone, name
+ end
+ end
+
+ core.log(core.alert, string.format(
+ "acme: failed to set TXT record for _acme-challenge.%s: no valid zone found", domain))
+ return nil, nil
+end
+
+-- Deletes the TXT record identified by <zone> and <name>.
+local function dns_del_txt(zone, name)
+ local url = string.format("%s/domains/%s/records/%s/TXT", GANDI_API_URL, zone, name)
+
+ core.log(core.notice, string.format("acme: DELETE %s", url))
+
+ local hc = core.httpclient()
+ local res = hc:delete({
+ url = url,
+ headers = {
+ ["Authorization"] = { "Bearer " .. GANDI_API_KEY },
+ },
+ })
+
+ if not res or res.status ~= 204 then
+ local status = res and res.status or "nil"
+ core.log(core.alert, string.format(
+ "acme: Gandi DELETE failed for %s/%s (status=%s)", zone, name, status))
+ return false
+ end
+
+ core.log(core.notice, string.format(
+ "acme: TXT record deleted: %s in zone %s", name, zone))
+ return true
+end
+
+-- ---------------------------------------------------------------------------
+-- Tasks
+-- ---------------------------------------------------------------------------
+
+-- Track deployed TXT records per cert path so they can be cleaned up.
+-- deployed[crt][domain] = { zone = ..., name = ... }
+local deployed = {}
+
+-- Spawn a background task per ACME_DEPLOY event to set the TXT record and
+-- signal challenge readiness. Using register_task keeps HTTP calls in a
+-- plain task context.
+core.event_sub({"ACME_DEPLOY"}, function(event, data, sub, when)
+ local crt = data.crtname
+ local domain = data.domain
+ local record = data.dns_record
+
+ core.register_task(function()
+ local zone, name = dns_set_txt(domain, record)
+ if not zone then
+ core.log(core.alert, string.format(
+ "acme: aborting challenge for crt=%s domain=%s", crt, domain))
+ return
+ end
+
+ -- Remember this record for cleanup on ACME_NEWCERT.
+ if not deployed[crt] then deployed[crt] = {} end
+ deployed[crt][domain] = { zone = zone, name = name }
+
+ -- Signal HAProxy that the dns-01 challenge for this domain is ready.
+ local ok, ret = pcall(ACME.challenge_ready, crt, domain)
+ if not ok then
+ core.log(core.alert, string.format(
+ "acme: challenge_ready error for crt=%s domain=%s: %s", crt, domain, ret))
+ elseif ret == 0 then
+ core.log(core.notice, string.format(
+ "acme: all challenges ready for crt=%s, validation starting", crt))
+ else
+ core.log(core.info, string.format(
+ "acme: crt=%s domain=%s ready, %d challenge(s) still pending",
+ crt, domain, ret))
+ end
+ end)
+end)
+
+-- ACME_NEWCERT: remove the TXT records that were set for this certificate.
+core.event_sub({"ACME_NEWCERT"}, function(event, data, sub, when)
+ local crt = data.crtname
+ if not deployed[crt] then return end
+
+ core.register_task(function()
+ for _, rec in pairs(deployed[crt]) do
+ dns_del_txt(rec.zone, rec.name)
+ end
+ deployed[crt] = nil
+ end)
+end)
projects / thirdparty / haproxy.git / commitdiff
