From: William Lallemand Date: Mon, 11 Aug 2025 12:53:29 +0000 (+0200) Subject: MEDIUM: acme: use lowercase for challenge names in configuration X-Git-Tag: v3.3-dev7~46 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84589a9f48963efe76a4c6dcd21b8dbc71c296e0;p=thirdparty%2Fhaproxy.git MEDIUM: acme: use lowercase for challenge names in configuration Both the RFC and the IANA registry refers to challenge names in lowercase. If we need to implement more challenges, it's better to use the correct naming. In order to keep the compatibility with the previous configurations, the parsing does a strcasecmp() instead of a strcmp(). Also rename every occurence in the code and doc in lowercase. This was discussed in issue #1864
---
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 9e8248071..b2d0aba7d 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -30432,8 +30432,8 @@ bits but blocking the traffic too long could trigger the watchdog.)
 challenge
- Takes a challenge type as parameter, this must be HTTP-01 or DNS-01. When not
- used the default is HTTP-01.
+ Takes a challenge type as parameter, this must be http-01 or dns-01. When not
+ used the default is http-01.
 contact
 The contact email that will be associated to the account key in the CA.
@@ -30476,7 +30476,7 @@ Example:
 directory https://acme-staging-v02.api.letsencrypt.org/directory
 account-key /etc/haproxy/letsencrypt.account.key
 contact john.doe@example.com
- challenge HTTP-01
+ challenge http-01
 keytype RSA
 bits 2048
 map virt@acme
@@ -30485,7 +30485,7 @@ Example:
 directory https://acme-staging-v02.api.letsencrypt.org/directory
 account-key /etc/haproxy/letsencrypt.account.key
 contact john.doe@example.com
- challenge HTTP-01
+ challenge http-01
 keytype ECDSA
 curves P-384
 map virt@acme
diff --git a/src/acme.c b/src/acme.c
index 5cd9b8a15..06b38b27f 100644
--- a/src/acme.c
+++ b/src/acme.c
@@ -190,7 +190,7 @@ struct acme_cfg *new_acme_cfg(const char *name)
 /* 0 on the linenum just mean it was not initialized yet */
 ret->linenum = 0;
- ret->challenge = strdup("HTTP-01"); /* default value */
+ ret->challenge = strdup("http-01"); /* default value */
 /* The default generated keys are EC-384 */
 ret->key.type = EVP_PKEY_EC;
@@ -408,8 +408,8 @@ static int cfg_parse_acme_kws(char **args, int section_type, struct proxy *curpx
 goto out;
 }
 } else if (strcmp(args[0], "challenge") == 0) {
- if ((!*args[1]) || (strcmp("HTTP-01", args[1]) != 0 && (strcmp("DNS-01", args[1]) != 0))) {
- ha_alert("parsing [%s:%d]: keyword '%s' in '%s' section requires a challenge type: HTTP-01 or DNS-01\n", file, linenum, args[0], cursection);
+ if ((!*args[1]) || (strcasecmp("http-01", args[1]) != 0 && (strcasecmp("dns-01", args[1]) != 0))) {
+ ha_alert("parsing [%s:%d]: keyword '%s' in '%s' section requires a challenge type: http-01 or dns-01\n", file, linenum, args[0], cursection);
 err_code |= ERR_ALERT | ERR_FATAL;
 goto out;
 }
@@ -892,7 +892,7 @@ error:
 }
 /*
- * compute a TXT record for DNS-01 challenge
+ * compute a TXT record for dns-01 challenge
 * base64url(sha256(token || '.' || base64url(Thumbprint(accountKey))))
 *
 * https://datatracker.ietf.org/doc/html/rfc8555/#section-8.4
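Review bot: The new default is still taken from strdup() without a NULL check, so on allocation failure `ret->challenge` stays NULL and the later `strcasecmp(ctx->cfg->challenge, "dns-01")` calls (hunks at 1580 and 1757) would dereference it. Unless new_acme_cfg() validates the field further down, which is outside this hunk, the assignment should be followed by a check that releases the partially built structure and fails the call on the same error path the function uses for `ret` itself. new_acme_cfg() starts and ends outside the hunk.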
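Review bot: The accepted spelling becomes case-insensitive but the value kept for later use is not normalized, so `ctx->cfg->challenge` may hold `HTTP-01`, `Http-01` or `http-01` depending on what the configuration says; the comparisons in the hunks at 1580 and 1757 cope with that through strcasecmp(), but any other consumer of the string (a log line, or a comparison against the challenge `type` returned by the server, if one exists) has to remember to do the same. The assignment of `args[1]` into the configuration is outside this hunk; since the check already pins the value to one of two literals, storing the canonical lowercase form there, e.g. `<cfg>->challenge = strdup(strcasecmp("dns-01", args[1]) == 0 ? "dns-01" : "http-01");` (`<cfg>` standing for the structure being filled), would let a single spelling flow through the code and the strcasecmp() calls elsewhere could become plain strcmp(). The new ha_alert() text already names the two canonical forms, which fits that approach. cfg_parse_acme_kws() starts and ends outside the hunk.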
@@ -1580,16 +1580,16 @@ int acme_res_auth(struct task *task, struct acme_ctx *ctx, struct acme_auth *aut
 }
 /* compute a response for the TXT entry */
- if (strcasecmp(ctx->cfg->challenge, "DNS-01") == 0) {
+ if (strcasecmp(ctx->cfg->challenge, "dns-01") == 0) {
 struct sink *dpapi;
 struct ist line[7];
 if (acme_txt_record(ist(ctx->cfg->account.thumbprint), auth->token, &trash) == 0) {
- memprintf(errmsg, "couldn't compute the DNS-01 challenge");
+ memprintf(errmsg, "couldn't compute the dns-01 challenge");
 goto error;
 }
- send_log(NULL, LOG_NOTICE,"acme: %s: DNS-01 requires to set the \"_acme-challenge.%.*s\" TXT record to \"%.*s\" and use the \"acme challenge_ready\" command over the CLI\n",
+ send_log(NULL, LOG_NOTICE,"acme: %s: dns-01 requires to set the \"_acme-challenge.%.*s\" TXT record to \"%.*s\" and use the \"acme challenge_ready\" command over the CLI\n",
 ctx->store->path, (int)auth->dns.len, auth->dns.ptr, (int)trash.data, trash.area);
 /* dump to the "dpapi" sink */
@@ -1607,7 +1607,7 @@ int acme_res_auth(struct task *task, struct acme_ctx *ctx, struct acme_auth *aut
 sink_write(dpapi, LOG_HEADER_NONE, 0, line, 7);
 }
- /* only useful for HTTP-01 */
+ /* only useful for http-01 */
 if (acme_add_challenge_map(ctx->cfg->map, auth->token.ptr, ctx->cfg->account.thumbprint, errmsg) != 0) {
 memprintf(errmsg, "couldn't add the token to the '%s' map: %s", ctx->cfg->map, *errmsg);
 goto error;
@@ -1757,9 +1757,9 @@ int acme_res_neworder(struct task *task, struct acme_ctx *ctx, char **errmsg)
 goto error;
 }
- /* if the challenge is not DNS-01, consider that the challenge
+ /* if the challenge is not dns-01, consider that the challenge
 * is ready because computed by HAProxy */
- if (strcasecmp(ctx->cfg->challenge, "DNS-01") != 0)
+ if (strcasecmp(ctx->cfg->challenge, "dns-01") != 0)
 auth->ready = 1;
 auth->next = ctx->auths;
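Review bot: The renamed comment `/* only useful for http-01 */` still contradicts the call under it: acme_add_challenge_map() runs unconditionally, so if the `}` after sink_write() closes the dns-01 block opened in the previous hunk, a dns-01 order also gets its token and key authorization installed in the http-01 map, where the HTTP responder will serve it although that challenge was never requested. Unless something between the two hunks leaves the function for dns-01, either guard the call, `if (strcasecmp(ctx->cfg->challenge, "http-01") == 0) {` around the existing if/goto, or reword the comment to state that the map entry is added for every challenge type so the next reader does not assume a guard exists. acme_res_auth() starts and ends outside the hunk.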