MEDIUM: acme: implement dns-persist-01 challenge

Implements draft DNS-PERSIST-01 challenge based on
https://datatracker.ietf.org/doc/html/draft-ietf-acme-dns-persist

Blog post: https://letsencrypt.org/2026/02/18/dns-persist-01

This challenge is designed to use preprovisioned DNS records,
unlike DNS-01 challenge it doesn't need per provider API integration.

In short instead of validating order by crafting a custom response
based on input recieved from ACME server, like other challenges do
in particular DNS-01, HTTP-01, TLS-ALPN-01, in this challenge you
authorize domain statically, ACME account key functions similar to
a private key and accounturi in the record functions like a public key,
ACME server verifies that account uri matches account key and authorizes
based on that. You only need to write DNS record one time,
accounturi binds to an account key, and will only change if new account
key is created, although it is possible to rotate account key without
changing account uri.

Main benefits of this challenge in contrast to DNS-01:
1. Security, no need to give reverse proxy write access to the DNS.
2. Simplicity, no complex per provider integrations like Lego needed.
3. Robustness, no worrying about DNS record cache each renewal.

It would be used like this:
1. generate an account key ahead of time
2. add required DNS record manually or automatically using IaC tools
3. start HAProxy with the same account key used

Intended way to use this challenge is with a code that will print
and maybe sets DNS records ahead of time. For example that could
be integrated into the IaC provisioning step. This challenge type
is extremely recent though, so those integrations are yet to be written.

It is possible to do this challenge without extra tools too,
with pebble / challtestsrv steps would be as following:

After starting HAProxy it will print required records in the logs.

With challtestsrv you can then set those records like this:

curl -d '{
  "host":"_validation-persist.localhost.",
  "value": "pebble.letsencrypt.org; accounturi=...; policy=wildcard"}
' http://localhost:8055/set-txt

After setting the records run renew with the name of the certificate:

echo "acme renew @cert/localhost.pem" \
  | socat stdio tcp4-connect:127.0.0.1:9999

Or just restart HAProxy.

Unlike with DNS-01 you don't have to worry about DNS records changing,
if there is any problem with DNS records you can just retry.

diff --git a/src/acme.c b/src/acme.c
index 437528c08fd4bbcfaef00b537eba8c7e4325a3de..c436b9979f0c06e6dc118f1907a9bcef83e18007 100644 (file)
--- a/src/acme.c
+++ b/src/acme.c
@@ -2,6 +2,8 @@
 
 /*
  * Implements the ACMEv2 RFC 8555 protocol
+ * Implements the following extensions to the protocol:
+ *   draft-ietf-acme-dns-persist - DNS-PERSIST-01 challenge
  */
 
 #include "haproxy/ticks.h"
@@ -414,8 +416,11 @@ static int cfg_parse_acme_kws(char **args, int section_type, struct proxy *curpx
                        goto out;
                }
        } else if (strcmp(args[0], "challenge") == 0) {
-               if ((!*args[1]) ||  (strcasecmp("http-01", args[1]) != 0 && (strcasecmp("dns-01", args[1]) != 0))) {
-                       ha_alert("parsing [%s:%d]: keyword '%s' in '%s' section requires a challenge type: http-01 or dns-01\n", file, linenum, args[0], cursection);
+               if ((!*args[1]) ||
+                   ((strcasecmp("http-01", args[1]) != 0) &&
+                    (strcasecmp("dns-01", args[1]) != 0) &&
+                    (strcasecmp("dns-persist-01", args[1]) != 0))) {
+                       ha_alert("parsing [%s:%d]: keyword '%s' in '%s' must be one of the following: http-01, dns-01, dns-persist-01\n", file, linenum, args[0], cursection);
                        err_code |= ERR_ALERT | ERR_FATAL;
                        goto out;
                }
@@ -1721,6 +1726,7 @@ int acme_res_auth(struct task *task, struct acme_ctx *ctx, struct acme_auth *aut
        struct buffer *t1 = NULL, *t2 = NULL;
        int ret = 1;
        int i;
+       int wildcard = 0;
 
        hc = ctx->hc;
        if (!hc)
@@ -1826,20 +1832,69 @@ int acme_res_auth(struct task *task, struct acme_ctx *ctx, struct acme_auth *aut
                        goto error;
                }
 
-               ret = mjson_get_string(tokptr, toklen, "$.token", trash.area, trash.size);
-               if (ret == -1) {
-                       memprintf(errmsg, "couldn't get a token in challenges[%d] from Authorization URL \"%s\"", i, auth->auth.ptr);
-                       goto error;
-               }
-               trash.data = ret;
-               auth->token = istdup(ist2(trash.area, trash.data));
-               if (!isttest(auth->token)) {
-                       memprintf(errmsg, "out of memory");
-                       goto error;
+               if (strcasecmp(ctx->cfg->challenge, "dns-persist-01") != 0) {
+                       ret = mjson_get_string(tokptr, toklen, "$.token", trash.area, trash.size);
+                       if (ret == -1) {
+                               memprintf(errmsg, "couldn't get a token in challenges[%d] from Authorization URL \"%s\"", i, auth->auth.ptr);
+                               goto error;
+                       }
+                       trash.data = ret;
+                       auth->token = istdup(ist2(trash.area, trash.data));
+                       if (!isttest(auth->token)) {
+                               memprintf(errmsg, "out of memory");
+                               goto error;
+                       }
                }
 
-               /* compute a response for the TXT entry */
-               if (strcasecmp(ctx->cfg->challenge, "dns-01") == 0) {
+               if (strcasecmp(ctx->cfg->challenge, "dns-persist-01") == 0) {
+                       /* Clients MUST consider a challenge malformed if the issuer-domain-names array is empty
+                          or if it contains more than 10 entries, and MUST reject such challenges.
+                          https://datatracker.ietf.org/doc/html/draft-ietf-acme-dns-persist#section-3.1-2.4.4
+                       */
+
+                       struct buffer *record_values = NULL;
+                       int n = 0;
+
+                       record_values = get_trash_chunk();
+
+                       for (n = 0; ; n++) {
+                               char dom_path[] = "$.issuer-domain-names[XXX]";
+
+                               if (snprintf(dom_path, sizeof(dom_path), "$.issuer-domain-names[%d]", n) >= sizeof(dom_path))
+                                       goto error;
+
+                               /* break the loop at the end of the list */
+                               if (mjson_find(tokptr, toklen, dom_path, NULL, NULL) == MJSON_TOK_INVALID)
+                                       break;
+
+                               if (n >= 10) {
+                                       memprintf(errmsg, "more than 10 entries in acme issuer-domain-names");
+                                       goto error;
+                               }
+
+                               ret = mjson_get_string(tokptr, toklen, dom_path, trash.area, trash.size);
+                               if (ret == -1) {
+                                       memprintf(errmsg, "found values other than strings in acme issuer-domain-names");
+                                       goto error;
+                               }
+                               trash.data = ret;
+
+                               /* collect allowed domain names for better reporting */
+                               chunk_appendf(record_values, "%s\"%.*s; accounturi=%.*s%s\"", n == 0 ?  "" : " OR ",
+                                   (int)trash.data, trash.area, (int)ctx->kid.len, ctx->kid.ptr,
+                                   wildcard ? "; policy=wildcard" : "");
+                       }
+
+                       if (n == 0) {
+                               memprintf(errmsg, "0 entries in acme issuer-domain-names");
+                               goto error;
+                       }
+
+                       /* TODO: currently this can log more records than required when wildcards are involved */
+                       send_log(NULL, LOG_INFO, "acme: %s: dns-persist-01 requires to set the \"_validation-persist.%.*s\" TXT record to %.*s\n",
+                           ctx->store->path, (int)auth->dns.len, auth->dns.ptr, (int)record_values->data, record_values->area);
+               }
+               else if (strcasecmp(ctx->cfg->challenge, "dns-01") == 0) {
                        struct sink *dpapi;
                        struct ist line[16];
                        int nmsg = 0;
@@ -1847,6 +1902,7 @@ int acme_res_auth(struct task *task, struct acme_ctx *ctx, struct acme_auth *aut
 
                        dns_record = get_trash_chunk();
 
+                       /* compute a response for the TXT entry */
                        if (acme_txt_record(ist(ctx->cfg->account.thumbprint), auth->token, dns_record) == 0) {
                                memprintf(errmsg, "couldn't compute the dns-01 challenge");
                                goto error;
@@ -1889,13 +1945,18 @@ int acme_res_auth(struct task *task, struct acme_ctx *ctx, struct acme_auth *aut
                        dpapi = sink_find("dpapi");
                        if (dpapi)
                                sink_write(dpapi, LOG_HEADER_NONE, 0, line, nmsg);
-               } else {
+               }
+               else if (strcasecmp(ctx->cfg->challenge, "http-01") == 0) {
                        /* only useful for http-01 */
                        if (acme_add_challenge_map(ctx->cfg->map, auth->token.ptr, ctx->cfg->account.thumbprint, errmsg) != 0) {
                                memprintf(errmsg, "couldn't add the token to the '%s' map: %s", ctx->cfg->map, *errmsg);
                                goto error;
                        }
                }
+               else {
+                       memprintf(errmsg, "impossible acme challenge: %s", ctx->cfg->challenge);
+                       goto error;
+               }
 
                /* we only need one challenge, and iteration is only used to found the right one */
                break;