From 3dde7626baa4881ee9addb21dc86f0b4c72f8be1 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Fri, 1 Aug 2025 16:25:57 +0200 Subject: [PATCH] MINOR: acme: emit the DNS-01 challenge details on the dpapi sink This commit adds a new message to the dpapi sink which is emitted during the new authorization request. One message is emitted per challenge to resolve. The certificate name as well as the thumbprint of the account key are on the first line of the message. A dump of the JSON response for 1 challenge follows, and the message ends with a \0. The agent consuming these messages MUST NOT access the URLs, and SHOULD only use the thumbprint, dns and token to configure a challenge. Example: $ ( echo "@@1 show events dpapi -w -0"; cat - ) | socat /tmp/master.sock - | cat -e <0>2025-08-01T16:23:14.797733+02:00 acme deploy foobar.pem.rsa thumbprint Gv7pmGKiv_cjo3aZDWkUPz5ZMxctmd-U30P2GeqpnCo$ {$ "status": "pending",$ "identifier": {$ "type": "dns",$ "value": "foobar.com"$ },$ "challenges": [$ {$ "type": "dns-01",$ "url": "https://0.0.0.0:14000/chalZ/1o7sxLnwcVCcmeriH1fbHJhRgn4UBIZ8YCbcrzfREZc",$ "token": "tvAcRXpNjbgX964ScRVpVL2NXPid1_V8cFwDbRWH_4Q",$ "status": "pending"$ },$ {$ "type": "dns-account-01",$ "url": "https://0.0.0.0:14000/chalZ/z2_WzibwTPvE2zzIiP3BF0zNy3fgpU_8Nj-V085equ0",$ "token": "UedIMFsI-6Y9Nq3oXgHcG72vtBFWBTqZx-1snG_0iLs",$ "status": "pending"$ },$ {$ "type": "tls-alpn-01",$ "url": "https://0.0.0.0:14000/chalZ/AHnQcRvZlFw6e7F6rrc7GofUMq7S8aIoeDileByYfEI",$ "token": "QhT4ejBEu6ZLl6pI1HsOQ3jD9piu__N0Hr8PaWaIPyo",$ "status": "pending"$ },$ {$ "type": "http-01",$ "url": "https://0.0.0.0:14000/chalZ/Q_qTTPDW43-hsPW3C60NHpGDm_-5ZtZaRfOYDsK3kY8",$ "token": "g5Y1WID1v-hZeuqhIa6pvdDyae7Q7mVdxG9CfRV2-t4",$ "status": "pending"$ }$ ],$ "expires": "2025-08-01T15:23:14Z"$ }$ ^@ --- src/acme.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/acme.c b/src/acme.c index b93add226..b67240c0e 100644 --- a/src/acme.c +++ b/src/acme.c 
@@ -1580,9 +1580,27 @@ int acme_res_auth(struct task *task, struct acme_ctx *ctx, struct acme_auth *aut
 /* compute a response for the TXT entry */
 if (strcasecmp(ctx->cfg->challenge, "DNS-01") == 0) {
+ struct sink *dpapi;
+ struct ist line[7];
+
+ trash.data = acme_txt_record(ist(ctx->cfg->account.thumbprint), auth->token, &trash);
 send_log(NULL, LOG_NOTICE,"acme: %s: DNS-01 requires to set the \"acme-challenge.%.*s\" TXT record to \"%.*s\"\n", ctx->store->path, (int)auth->dns.len, auth->dns.ptr, (int)trash.data, trash.area);
+
+ /* dump to the "dpapi" sink */
+
+ line[0] = ist("acme deploy ");
+ line[1] = ist(ctx->store->path);
+ line[2] = ist(" thumbprint ");
+ line[3] = ist(ctx->cfg->account.thumbprint);
+ line[4] = ist("\n");
+ line[5] = ist2( hc->res.buf.area, hc->res.buf.data); /* dump the HTTP response */
+ line[6] = ist("\n\0");
+
+ dpapi = sink_find("dpapi");
+ if (dpapi)
+ sink_write(dpapi, LOG_HEADER_NONE, 0, line, 7);
 }
 /* only useful for HTTP-01 */
-- 
2.47.2
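Review bot: `line[6] = ist("\n\0");` does not put a NUL byte into the message, because `ist()` on a string literal takes its length from strlen(), so the embedded `\0` is dropped and line[6] is a one-byte "\n"; the `^@` in the commit message example most likely comes from the `-0` option of `show events`, not from this line. Either write `line[6] = ist("\n");` so the code says what is actually emitted, or `line[6] = ist2("\n\0", 2);` if the terminator is meant to be part of the payload itself. The result of `sink_write()` is also discarded: the JSON body passed in line[5] can be several KB for a multi-challenge authorization, and if the ring cannot take the message the agent silently never learns about the challenge, so logging a `send_log(NULL, LOG_WARNING, ...)` when sink_write does not report success would make that failure visible (the exact return convention should be checked against sink.h). A short comment above `line[0]` describing the framing the agent relies on — `/* "acme deploy <path> thumbprint <thumbprint>\n<raw JSON authorization>\n"; consumers must only use thumbprint, dns and token */` — would keep the contract next to the code instead of only in the commit message. acme_res_auth() begins before and continues after this hunk.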