@rmoriz
Last active December 12, 2024 06:11
Proxmox patch to allow ACME requests for IP addresses (tested with step-ca), written by user "Tim"; see https://bugzilla.proxmox.com/show_bug.cgi?id=4687
--- /usr/share/perl5/PVE/ACME.pm.old 2024-12-12 06:04:41.692322362 +0100
+++ /usr/share/perl5/PVE/ACME.pm 2024-12-12 06:06:24.804929531 +0100
@@ -14,6 +14,7 @@
use HTTP::Request;
use LWP::UserAgent;
+use Net::IP;
use Crypt::OpenSSL::RSA;
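Review bot: `use Net::IP;` adds a dependency on a module that is not part of core Perl (on Debian it comes from the libnet-ip-perl package), and because this patch is applied by hand to the installed PVE::ACME rather than through a package with a declared dependency, a missing module makes the whole PVE::ACME module fail to compile, which breaks every ACME operation, not just IP orders. Check with `perl -MNet::IP -e 1` before restarting pvedaemon, or note the package requirement next to the patch.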
@@ -407,6 +408,13 @@
return $self->update_account();
}
+# Returns whether a domain is a "dns" name or an "ip" address
+# for use in certificates / CSRs.
+sub get_domain_type {
+ my ($domain) = @_;
+ return (new Net::IP($domain)) ? 'ip' : 'dns';
+}
+
# Start a new order for one or more domains
# POST to newOrder endpoint
# Expects a '201 Created' reply
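Review bot: `new Net::IP($domain)` is indirect-object syntax, which is discouraged in Perl and can parse ambiguously; write `Net::IP->new($domain)`. More importantly, Net::IP->new also accepts prefixes and ranges (for example `192.0.2.0/24` or `192.0.2.1 - 192.0.2.9`), so such a value would be classified as 'ip' and sent unchanged as the identifier value, whereas an ACME IP identifier (RFC 8738) must be a single address. Keep the parsed object and reject anything whose `$ip->prefixlen` is not 32 for IPv4 or 128 for IPv6, dying with an error that names the offending value, rather than letting the CA reject it later.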
@@ -416,7 +424,7 @@
my $url = $self->_method('newOrder');
my $req = {
- identifiers => [ map { { type => 'dns', value => $_ } } @$domains ],
+ identifiers => [ map { { type => get_domain_type($_), value => $_ } } @$domains ],
};
my $r = $self->do(POST => $url, $req);
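Review bot: the order now carries `type => 'ip'` identifiers, which only works against a CA that implements RFC 8738; a CA without that support will reject the whole newOrder request, including any DNS names in the same order. Since the failure this patch addresses surfaced at finalize time as an opaque serverInternal error, a short comment here (or a log line naming the identifier types in the order) would make a rejected mixed order much easier to diagnose.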
--- /usr/share/perl5/PVE/Certificate.pm.old 2024-12-12 06:04:49.417292932 +0100
+++ /usr/share/perl5/PVE/Certificate.pm 2024-12-12 06:06:32.816899007 +0100
@@ -358,11 +358,12 @@
die "Identifiers are required to generate a CSR.\n"
if !defined($identifiers);
- my $san = [ map { $_->{value} } grep { $_->{type} eq 'dns' } @$identifiers ];
+ my $san = [ map { uc($_->{type}) . ":" . $_->{value} } grep { $_->{type} eq 'dns' or $_->{type} eq 'ip' } @$identifiers ];
die "DNS identifiers are required to generate a CSR.\n" if !scalar @$san;
# optional
my $common_name = delete($attr{common_name}) // $san->[0];
+ $common_name =~ s/^(IP|DNS)://;
my $md = eval { Net::SSLeay::EVP_get_digestbyname($dig_alg) };
die "Invalid digest algorithm '$dig_alg'\n" if !$md;
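Review bot: the message `DNS identifiers are required to generate a CSR.` is now stale, because an order consisting only of IP identifiers passes the `@$san` check; change it to something like `DNS or IP identifiers are required to generate a CSR.`. Also, `$common_name =~ s/^(IP|DNS)://;` runs on a caller-supplied `$attr{common_name}` as well as on the `$san->[0]` fallback; harmless for real names, but it would silently rewrite a caller value that happens to start with `IP:` or `DNS:`. Strip the prefix from the fallback only, e.g. `my $cn_default = $san->[0]; $cn_default =~ s/^(IP|DNS)://;` and then `delete($attr{common_name}) // $cn_default`.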
@@ -434,7 +435,7 @@
&Net::SSLeay::NID_key_usage => 'digitalSignature,keyEncipherment',
&Net::SSLeay::NID_basic_constraints => 'CA:FALSE',
&Net::SSLeay::NID_ext_key_usage => 'serverAuth,clientAuth',
- &Net::SSLeay::NID_subject_alt_name => join(',', map { "DNS:$_" } @$san),
+ &Net::SSLeay::NID_subject_alt_name => join(',', @$san),
) or $cleanup->("Failed to add extensions to CSR\n");
$cleanup->("Failed to set public key\n") if !Net::SSLeay::X509_REQ_set_pubkey($req, $pk);
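Review bot: `join(',', @$san)` is only correct because every element of `$san` now carries its `DNS:` or `IP:` prefix from the earlier hunk in this file, so the two hunks are coupled; a comment at the `$san` construction, or a small helper that formats one identifier for the subjectAltName extension, would keep a later edit from changing one without the other. For IPv6 identifiers the value itself contains colons, which OpenSSL's `IP:` syntax accepts, but the comma separator still means a value containing a comma would corrupt the extension string, as it would have before the patch; worth a sanity check on the identifier values when they are classified.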
rmoriz commented Dec 12, 2024

source: https://bugzilla.proxmox.com/show_bug.cgi?id=4687

sudo
cd /
patch -p0 < /path/to/acme.patch
systemctl restart pvedaemon.service

fixes:

Creating CSR
Checking order status
Order is ready, finalizing order
TASK ERROR: Error: POST to https://ca.lab.moriz.net/acme/acme/order/fM4aEZf5xcl0Ajb6MYAV3we580BMq6H4/finalize {"type":"urn:ietf:params:acme:error:serverInternal","detail":"The server experienced an internal error"} 
