From 25ee478417db84c3e8051c1c2626a4ffc005b220 Mon Sep 17 00:00:00 2001
From: Mathieu CARBONNEAUX
Date: Tue, 25 Nov 2025 17:28:08 +0100
Subject: [PATCH] add proxy support in acme providers

add dns resolver support in acme providers
---
 command/ca/provisioner/add.go | 49 ++++++++++++++++-----------
 command/ca/provisioner/provisioner.go | 17 ++++++++++
 command/ca/provisioner/update.go | 20 ++++++-----
 3 files changed, 59 insertions(+), 27 deletions(-)

diff --git a/command/ca/provisioner/add.go b/command/ca/provisioner/add.go
index 0c18b50ca..e803e7f3e 100644
--- a/command/ca/provisioner/add.go
+++ b/command/ca/provisioner/add.go
@@ -44,6 +44,7 @@ ACME
 **step ca provisioner add** **--type**=ACME [**--force-cn**] [**--require-eab**] [**--challenge**=]
+[**--acme-proxy-url**=] [**--acme-disable-proxy**] [**--acme-dns-resolver**=]
 [**--attestation-format**=] [**--attestation-roots**=] [**--admin-cert**=] [**--admin-key**=] [**--admin-subject**=] [**--admin-provisioner**=] [**--admin-password-file**=]
@@ -145,12 +146,15 @@ SCEP
  // Nebula provisioner flags
  nebulaRootFlag,
- // ACME provisioner flags
- requireEABFlag, // ACME
- forceCNFlag, // ACME + SCEP
- challengeFlag, // ACME + SCEP
- attestationFormatFlag, // ACME
- attestationRootsFlag, // ACME
+ // ACME provisioner flags
+ requireEABFlag, // ACME
+ forceCNFlag, // ACME + SCEP
+ challengeFlag, // ACME + SCEP
+ acmeProxyURLFlag, // ACME networking
+ acmeDisableProxyFlag, // ACME networking
+ acmeDNSResolverFlag, // ACME networking
+ attestationFormatFlag, // ACME
+ attestationRootsFlag, // ACME
  // SCEP provisioner flags
  scepCapabilitiesFlag,
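Review bot: In the second hunk the six entries from `requireEABFlag` down to `attestationRootsFlag` are removed and re-added with the same text, so for those lines the change is whitespace only, and the same re-emission of unchanged lines occurs in the `addAction` hunk of this file and in the flag list of update.go. That looks like a tab/space or comment-alignment change made by the editor rather than an intended edit; running `gofmt -l` on the three files and regenerating the patch should leave only the three new `acmeProxyURLFlag`, `acmeDisableProxyFlag` and `acmeDNSResolverFlag` entries as additions. If the realignment is deliberate, it is better as a separate formatting commit so the functional change stays reviewable.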
@@ -335,19 +339,26 @@ func addAction(ctx *cli.Context) (err error) {
  return errs.InvalidFlagValue(ctx, "type", ctx.String("type"), "JWK, ACME, OIDC, SSHPOP, K8SSA, NEBULA, SCEP, AWS, GCP, AZURE")
  }
- p := &linkedca.Provisioner{
- Name: args.Get(0),
- Type: linkedca.Provisioner_Type(typ),
- }
-
- // Validate challenge flag on scep and acme
- if err := validateChallengeFlag(ctx, p.Type); err != nil {
- return err
- }
- // Validate attestation format flag on acme
- if err := validateAttestationFormatFlag(ctx, p.Type); err != nil {
- return err
- }
+ p := &linkedca.Provisioner{
+ Name: args.Get(0),
+ Type: linkedca.Provisioner_Type(typ),
+ }
+
+ // Validate challenge flag on scep and acme
+ if err := validateChallengeFlag(ctx, p.Type); err != nil {
+ return err
+ }
+ // Validate attestation format flag on acme
+ if err := validateAttestationFormatFlag(ctx, p.Type); err != nil {
+ return err
+ }
+
+ // Informative note: networking flags for ACME require server + linkedca support
+ if p.Type == linkedca.Provisioner_ACME {
+ if ctx.IsSet("acme-proxy-url") || ctx.IsSet("acme-disable-proxy") || ctx.IsSet("acme-dns-resolver") {
+ ui.PrintSelected("Notice", "ACME networking flags provided (proxy/DNS). Server support depends on linkedca fields.\nIf your CA version does not yet include these fields, the settings will be ignored.")
+ }
+ }
  // Read x509 template if passed
  p.X509Template = &linkedca.Template{}
diff --git a/command/ca/provisioner/provisioner.go b/command/ca/provisioner/provisioner.go
index 54e92217e..5baae40ac 100644
--- a/command/ca/provisioner/provisioner.go
+++ b/command/ca/provisioner/provisioner.go
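Review bot: The three `acme-*` flags are consulted with `ctx.IsSet` only to print a notice, and nowhere in this hunk are their values validated or copied into `p`, so `--acme-proxy-url`, `--acme-disable-proxy` and `--acme-dns-resolver` are accepted and then dropped before the provisioner is sent to the CA; the rest of `addAction` lies outside the hunk, but the patch touches no other code in this file, so this appears to be the whole handling. Silently ignoring these settings is worse than an error here: an operator who passes `--acme-disable-proxy` to keep validation traffic off an environment proxy gets the default behaviour with only a notice on stdout. Until the linkedca fields exist, either reject the flags for this CLI version with the existing `errs.InvalidFlagValue` pattern or, if they are kept, validate them before the notice — `--acme-proxy-url` with `url.Parse` plus a scheme and host check, `--acme-dns-resolver` with `net.SplitHostPort` (the usage text promises a `host:port` form), and `--acme-proxy-url` together with `--acme-disable-proxy` as mutually exclusive — and copy them onto `p` once the fields land. The sketch below assumes `net` and `net/url` can be imported in this file and that the accepted proxy schemes match what the CA's HTTP client will honour, which should be confirmed against the server code.
```go
	// … unchanged: validateChallengeFlag / validateAttestationFormatFlag calls …

	if p.Type == linkedca.Provisioner_ACME {
		if ctx.IsSet("acme-proxy-url") && ctx.IsSet("acme-disable-proxy") {
			return errs.MutuallyExclusiveFlags(ctx, "acme-proxy-url", "acme-disable-proxy")
		}
		if s := ctx.String("acme-proxy-url"); s != "" {
			u, err := url.Parse(s)
			if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https" && u.Scheme != "socks5") {
				return errs.InvalidFlagValue(ctx, "acme-proxy-url", s, "an http://, https:// or socks5:// URL with a host")
			}
		}
		if s := ctx.String("acme-dns-resolver"); s != "" {
			if _, _, err := net.SplitHostPort(s); err != nil {
				return errs.InvalidFlagValue(ctx, "acme-dns-resolver", s, "a host:port address, e.g. 8.8.8.8:53")
			}
		}
		// TODO: copy the validated values into the ACME provisioner details once linkedca exposes
		// the fields; until then the notice below tells the operator they are not applied.
		if ctx.IsSet("acme-proxy-url") || ctx.IsSet("acme-disable-proxy") || ctx.IsSet("acme-dns-resolver") {
			ui.PrintSelected("Notice", "ACME networking flags provided (proxy/DNS). Server support depends on linkedca fields.\nIf your CA version does not yet include these fields, the settings will be ignored.")
		}
	}
```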
@@ -369,6 +369,23 @@ Use the flag multiple times to remove multiple challenges.`,
 If this flag is set to false, then disable EAB.`,
  }
+ // ACME networking flags (provider-level)
+ acmeProxyURLFlag = cli.StringFlag{
+ Name: "acme-proxy-url",
+ Usage: `Explicit proxy to use for outbound ACME validation requests (e.g. http-01 fetches).
+If not set, system or environment proxy configuration will be used unless '--acme-disable-proxy' is set.`,
+ }
+
+ acmeDisableProxyFlag = cli.BoolFlag{
+ Name: "acme-disable-proxy",
+ Usage: `Disable any HTTP(S) proxy for outbound ACME validation requests, ignoring environment variables.`,
+ }
+
+ acmeDNSResolverFlag = cli.StringFlag{
+ Name: "acme-dns-resolver",
+ Usage: `Force a DNS resolver (e.g. 8.8.8.8:53) for DNS queries performed during ACME challenges.`,
+ }
+
  attestationFormatFlag = cli.StringSliceFlag{
  Name: "attestation-format",
  Usage: `Enable an ACME attestation statement in the provisioner. Use the flag
diff --git a/command/ca/provisioner/update.go b/command/ca/provisioner/update.go
index 98f6cabe0..2bfcb8203 100644
--- a/command/ca/provisioner/update.go
+++ b/command/ca/provisioner/update.go
@@ -44,6 +44,7 @@ ACME
 **step ca provisioner update** [**--force-cn**] [**--require-eab**] [**--challenge**=] [**--remove-challenge**=]
+[**--acme-proxy-url**=] [**--acme-disable-proxy**] [**--acme-dns-resolver**=]
 [**--attestation-format**=] [**--remove-attestation-format**=] [**--attestation-roots**=] [**--admin-cert**=] [**--admin-key**=] [**--admin-subject**=] [**--admin-provisioner**=] [**--admin-password-file**=]
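Review bot: The new section comment `// ACME networking flags (provider-level)` uses "provider" where the rest of this file and the commands say "provisioner"; suggest `// ACME networking flags (provisioner-level)`. The `--acme-proxy-url` usage does not say which URL schemes are accepted and the `--acme-dns-resolver` usage does not say the port is mandatory, although its example `8.8.8.8:53` implies it; both should be stated once the accepted forms are confirmed against the CA code, since the usage text is the only contract the operator sees. Both usage strings also describe server-side behaviour ("system or environment proxy configuration will be used", "ignoring environment variables") that nothing in this patch implements; until the CA honours these fields, word them as the intended behaviour or limit them to what this CLI version itself guarantees so the help text does not promise a proxy bypass that is not yet enforced.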
@@ -141,14 +142,17 @@ SCEP
  // Nebula provisioner flags
  nebulaRootFlag,
- // ACME provisioner flags
- requireEABFlag, // ACME
- forceCNFlag, // ACME + SCEP
- challengeFlag, // ACME + SCEP
- removeChallengeFlag, // ACME
- attestationFormatFlag, // ACME
- removeAttestationFormatFlag, // ACME
- attestationRootsFlag, // ACME
+ // ACME provisioner flags
+ requireEABFlag, // ACME
+ forceCNFlag, // ACME + SCEP
+ challengeFlag, // ACME + SCEP
+ removeChallengeFlag, // ACME
+ acmeProxyURLFlag, // ACME networking
+ acmeDisableProxyFlag, // ACME networking
+ acmeDNSResolverFlag, // ACME networking
+ attestationFormatFlag, // ACME
+ removeAttestationFormatFlag, // ACME
+ attestationRootsFlag, // ACME
  // SCEP flags
  scepCapabilitiesFlag,
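Review bot: The three new entries `acmeProxyURLFlag`, `acmeDisableProxyFlag` and `acmeDNSResolverFlag` are registered for `provisioner update`, but this patch changes nothing else in update.go, so `updateAction` (outside the hunk) cannot read them and `step ca provisioner update --acme-proxy-url=…` will be accepted and ignored with no notice at all, unlike the add path. The update flag set also has no `remove-` counterpart in the style of `removeChallengeFlag` and `removeAttestationFormatFlag`, so once the fields are wired there will be no way to clear a previously set proxy URL or resolver unless an empty value is treated as "unset", which should be decided and documented now rather than later. Suggest either dropping these three entries from update until `updateAction` handles them, or mirroring the add-side validation and notice in `updateAction` in the same commit.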