From af5ff2bb93acaa14c29e7ef5291b682a341edca4 Mon Sep 17 00:00:00 2001 From: Nils Sandmann Date: Wed, 21 Mar 2018 16:43:42 +0100 Subject: [PATCH 1/3] Modified DNSAPI for PowerDNS to support wildcard certificates --- dnsapi/dns_pdns.sh | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_pdns.sh b/dnsapi/dns_pdns.sh index 3d99e10..40b344c 100755 --- a/dnsapi/dns_pdns.sh +++ b/dnsapi/dns_pdns.sh @@ -88,9 +88,20 @@ set_record() { _info "Adding record" root=$1 full=$2 - txtvalue=$3 + new_challenge=$3 - if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [{\"name\": \"$full.\", \"type\": \"TXT\", \"content\": \"\\\"$txtvalue\\\"\", \"disabled\": false, \"ttl\": $PDNS_Ttl}]}]}"; then + _pdns_rest "GET" "/api/v1/servers/$PDNS_ServerId/zones/$root" + _existing_challenges=($(echo "$response" | _normalizeJson | grep -Po "\"name\":\"$fulldomain\K.*?}]" | grep -Po 'content\":\"\\"\K[^\\]*')) + _record_string="" + _build_record_string $new_challenge + + for i in "${_existing_challenges[@]}" + do + _record_string+=", " + _build_record_string $i + done + + if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}"; then _err "Set txt record error." return 1 fi @@ -185,3 +196,7 @@ _pdns_rest() { return 0 } + +_build_record_string() { + _record_string+="{\"content\": \"\\\"$1\\\"\", \"disabled\": false}" +} From 893917a25dac51a5e0354f8122c5043060ecd573 Mon Sep 17 00:00:00 2001 From: Nils Sandmann Date: Thu, 22 Mar 2018 11:13:46 +0100 Subject: [PATCH 2/3] Fix travis errors --- dnsapi/dns_pdns.sh | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/dnsapi/dns_pdns.sh b/dnsapi/dns_pdns.sh index 40b344c..594f9b2 100755 --- a/dnsapi/dns_pdns.sh +++ b/dnsapi/dns_pdns.sh @@ -91,14 +91,12 @@ set_record() { new_challenge=$3 _pdns_rest "GET" "/api/v1/servers/$PDNS_ServerId/zones/$root" - _existing_challenges=($(echo "$response" | _normalizeJson | grep -Po "\"name\":\"$fulldomain\K.*?}]" | grep -Po 'content\":\"\\"\K[^\\]*')) _record_string="" - _build_record_string $new_challenge - - for i in "${_existing_challenges[@]}" - do - _record_string+=", " - _build_record_string $i + _build_record_string "$new_challenge" + _existing_challenges=$(echo "$response" | _normalizeJson | grep -Po "\"name\":\"$fulldomain\\K.*?}]" | grep -Po 'content\":\"\\"\K[^\\]*') + for oldchallenge in $_existing_challenges; do + _record_string="${_record_string}, " + _build_record_string "$oldchallenge" done if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}"; then @@ -106,10 +104,6 @@ set_record() { return 1 fi - if ! notify_slaves "$root"; then - return 1 - fi - return 0 } @@ -198,5 +192,5 @@ _pdns_rest() { } _build_record_string() { - _record_string+="{\"content\": \"\\\"$1\\\"\", \"disabled\": false}" + _record_string="${_record_string}{\"content\": \"\\\"$1\\\"\", \"disabled\": false}" } From a3f7ff90e300379c1acfbe5788d855a9584b82ae Mon Sep 17 00:00:00 2001 From: Nils Sandmann Date: Sat, 24 Mar 2018 18:46:04 +0100 Subject: [PATCH 3/3] Used e_grep_o instead grep -Po, dns_pdns_rm() now deletes only entry with matching txt value --- dnsapi/dns_pdns.sh | 58 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 47 insertions(+), 11 deletions(-) diff --git a/dnsapi/dns_pdns.sh b/dnsapi/dns_pdns.sh index 594f9b2..8f07e8c 100755 --- a/dnsapi/dns_pdns.sh +++ b/dnsapi/dns_pdns.sh @@ -69,15 +69,21 @@ dns_pdns_add() { #fulldomain dns_pdns_rm() { fulldomain=$1 + txtvalue=$2 + + if [ -z "$PDNS_Ttl" ]; then + PDNS_Ttl="$DEFAULT_PDNS_TTL" + fi _debug "Detect root zone" if ! _get_root "$fulldomain"; then _err "invalid domain" return 1 fi + _debug _domain "$_domain" - if ! rm_record "$_domain" "$fulldomain"; then + if ! rm_record "$_domain" "$fulldomain" "$txtvalue"; then return 1 fi @@ -90,12 +96,10 @@ set_record() { full=$2 new_challenge=$3 - _pdns_rest "GET" "/api/v1/servers/$PDNS_ServerId/zones/$root" _record_string="" _build_record_string "$new_challenge" - _existing_challenges=$(echo "$response" | _normalizeJson | grep -Po "\"name\":\"$fulldomain\\K.*?}]" | grep -Po 'content\":\"\\"\K[^\\]*') + _list_existingchallenges for oldchallenge in $_existing_challenges; do - _record_string="${_record_string}, " _build_record_string "$oldchallenge" done @@ -104,6 +108,10 @@ set_record() { return 1 fi + if ! notify_slaves "$root"; then + return 1 + fi + return 0 } @@ -111,14 +119,37 @@ rm_record() { _info "Remove record" root=$1 full=$2 + txtvalue=$3 - if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"DELETE\", \"name\": \"$full.\", \"type\": \"TXT\"}]}"; then - _err "Delete txt record error." - return 1 - fi + #Enumerate existing acme challenges + _list_existingchallenges - if ! notify_slaves "$root"; then - return 1 + if _contains "$_existing_challenges" "$txtvalue"; then + #Delete all challenges (PowerDNS API does not allow to delete content) + if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"DELETE\", \"name\": \"$full.\", \"type\": \"TXT\"}]}"; then + _err "Delete txt record error." + return 1 + fi + _record_string="" + #If the only existing challenge was the challenge to delete: nothing to do + if ! [ "$_existing_challenges" = "$txtvalue" ]; then + for oldchallenge in $_existing_challenges; do + #Build up the challenges to re-add, ommitting the one what should be deleted + if ! [ "$oldchallenge" = "$txtvalue" ]; then + _build_record_string "$oldchallenge" + fi + done + #Recreate the existing challenges + if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}"; then + _err "Set txt record error." + return 1 + fi + fi + if ! notify_slaves "$root"; then + return 1 + fi + else + _info "Record not found, nothing to remove" fi return 0 @@ -192,5 +223,10 @@ _pdns_rest() { } _build_record_string() { - _record_string="${_record_string}{\"content\": \"\\\"$1\\\"\", \"disabled\": false}" + _record_string="${_record_string:+${_record_string}, }{\"content\": \"\\\"${1}\\\"\", \"disabled\": false}" +} + +_list_existingchallenges() { + _pdns_rest "GET" "/api/v1/servers/$PDNS_ServerId/zones/$root" + _existing_challenges=$(echo "$response" | _normalizeJson | _egrep_o "\"name\":\"${fulldomain}[^]]*}" | _egrep_o 'content\":\"\\"[^\\]*' | sed -n 's/^content":"\\"//p') }