From de756c8dc52b69efa511c8340aa29af76c407f93 Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Mon, 29 May 2023 22:19:01 +0300 Subject: [PATCH] tls/acme: Add support for DNS-01 domain delegation See #588. --- docs/reference/tls-acme.md | 17 ++++++++++++++++- internal/tls/acme/acme.go | 24 ++++++++++++++---------- 2 files changed, 30 insertions(+), 11 deletions(-) diff --git a/docs/reference/tls-acme.md b/docs/reference/tls-acme.md index 891795ec..3dc803a5 100644 --- a/docs/reference/tls-acme.md +++ b/docs/reference/tls-acme.md @@ -20,7 +20,13 @@ smtp tcp://127.0.0.1:25 { You can also use a global `tls` directive to use automatically obtained certificates for all endpoints: ``` -tls &local_tls +tls { + loader acme { + email maddy-acme@example.org + agreed + challenge dns-01 + } +} ``` Currently the only supported challenge is dns-01 one therefore @@ -87,6 +93,15 @@ back to the one configured via 'ca' option. This avoids rate limit issues with production CA. +**Syntax:** override\_domain _domain_
+**Default:** not set + +Override the domain to set the TXT record on for DNS-01 challenge. +This is to delegate the challenge to a different domain. + +See https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation +for explanation why this might be useful. + **Syntax:** email _str_
 **Default:** not set
diff --git a/internal/tls/acme/acme.go b/internal/tls/acme/acme.go
index 96c4a0f7..70eb05b8 100644
--- a/internal/tls/acme/acme.go
+++ b/internal/tls/acme/acme.go
@@ -39,15 +39,16 @@ func New(_, instName string, _, inlineArgs []string) (module.Module, error) {
 func (l *Loader) Init(cfg *config.Map) error {
 var (
- hostname string
- extraNames []string
- storePath string
- caPath string
- testCAPath string
- email string
- agreed bool
- challenge string
- provider certmagic.ACMEDNSProvider
+ hostname string
+ extraNames []string
+ storePath string
+ caPath string
+ testCAPath string
+ email string
+ agreed bool
+ challenge string
+ overrideDomain string
+ provider certmagic.ACMEDNSProvider
 )
 cfg.Bool("debug", true, false, &l.log.Debug)
 cfg.String("hostname", true, true, "", &hostname)
@@ -60,6 +61,8 @@ func (l *Loader) Init(cfg *config.Map) error {
 certmagic.LetsEncryptStagingCA, &testCAPath)
 cfg.String("email", false, false, "", &email)
+ cfg.String("override_domain", false, false,
+ "", &overrideDomain)
 cfg.Bool("agreed", false, false, &agreed)
 cfg.Enum("challenge", false, true, []string{"dns-01"}, "dns-01", &challenge)
@@ -107,7 +110,8 @@ func (l *Loader) Init(cfg *config.Map) error {
 return fmt.Errorf("tls.loader.acme: dns-01 challenge requires a configured DNS provider")
 }
 mngr.DNS01Solver = &certmagic.DNS01Solver{
- DNSProvider: provider,
+ DNSProvider: provider,
+ OverrideDomain: overrideDomain,
 }
 default:
 return fmt.Errorf("tls.loader.acme: challenge not supported")
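Review bot: The new `OverrideDomain: overrideDomain,` field in the DNS01Solver literal carries no comment on the delegation contract it depends on, which is the whole security value of the option: the TXT record is written into the override zone, so validation only succeeds if `_acme-challenge.<hostname>` already has a CNAME into that zone, and in return the configured DNS provider credentials need write access to the delegated zone only, not to the primary zone. A misconfigured or missing CNAME is not detectable at config load and will surface as an ACME authorization failure at issuance time, so a comment here saves the next maintainer a debugging round: `// Write the challenge TXT record into the delegated zone (override_domain) rather than _acme-challenge.<hostname>; the latter must CNAME into that zone, which lets the DNS provider credentials be scoped to the delegated zone alone.` The `""` default from the `cfg.String("override_domain", ...)` call in the previous hunk presumably acts as the unset sentinel that leaves the solver on the challenge domain, which is worth stating in the same comment if confirmed against certmagic. Init's body starts and ends outside these hunks.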