From b2401a695c52ef69690ebbd45461acb3ab926f8a Mon Sep 17 00:00:00 2001
From: sdsys-ch <100968265+sdsys-ch@users.noreply.github.com>
Date: Wed, 24 Sep 2025 08:45:05 +0200
Subject: [PATCH] www/caddy: Add DNS-01 challenge delegation via CNAME (#4950) * caddy: Add DNS-01 override domain feature Adds support for DNS-01 CNAME delegation through the dns_challenge_override_domain directive. This enables least-privilege DNS setups where the certificate domain delegates ACME challenges to a target domain managed by the configured DNS provider. * Review feedback: Remove default defs and align validation string with existing one
---------
Co-authored-by: Christophe Neuerburg
---
 .../OPNsense/Caddy/forms/dialogReverseProxy.xml | 10 ++++++++++
 .../opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml | 4 ++++
 .../service/templates/OPNsense/Caddy/Caddyfile | 5 +++++
 3 files changed, 19 insertions(+)
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index a2b3d6758..ed431a6db 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -73,6 +73,16 @@ boolean + + reverse.DnsChallengeOverrideDomain + + text + + true + + false + + reverse.DynDns
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index a8d123495..8a1ffeb46 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -212,6 +212,10 @@ + + N + Please enter a valid domain name. + Auto HTTPS
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index e7c7168e9..8e8e89b95 100644 
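Review bot: The new DnsChallengeOverrideDomain model field in Caddy.xml is what keeps the generated Caddyfile well-formed — the template in the third file of this patch writes the value unquoted inside the `issuer acme { … }` block — but on this page the field element's type attribute is stripped, so I cannot confirm from here that values are restricted to hostname syntax. If the field is not a `HostnameField` (or equivalent), a value containing whitespace, braces or a newline would be copied verbatim into the Caddyfile as additional directives; please confirm the type matches the existing host-name fields whose "Please enter a valid domain name." message this reuses. `Required N` is consistent with the directive being optional. The enclosing model items block continues outside the hunk on both sides.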
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -302,6 +302,7 @@ http://{{ domain }} {
 {% macro tls_configuration(
 customCert="",
 dnsChallenge="0",
+ dnsChallengeOverrideDomain="",
 clientAuthTrustPool="",
 clientAuthMode="",
 dnsProvider="",
@@ -316,6 +317,9 @@ http://{{ domain }} {
 {% if not customCert and (dnsChallenge == "1" and dnsProvider) %}
 issuer acme {
 dns {{ dnsProvider }} {{ dnsApiKey }}
+ {% if dnsChallengeOverrideDomain %}
+ dns_challenge_override_domain {{ dnsChallengeOverrideDomain }}
+ {% endif %}
 {% if tlsDnsPropagationResolvers %}
 resolvers {{ tlsDnsPropagationResolvers }}
@@ -622,6 +626,7 @@ http://{{ domain }} {
 {{ tls_configuration(
 customCert=reverse.CustomCertificate|default(""),
 dnsChallenge=reverse.DnsChallenge|default("0"),
+ dnsChallengeOverrideDomain=reverse.DnsChallengeOverrideDomain|default(""),
 clientAuthTrustPool=reverse.ClientAuthTrustPool|default(""),
 clientAuthMode=reverse.ClientAuthMode|default(""),
 dnsProvider=generalSettings.TlsDnsProvider,
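Review bot: `dns_challenge_override_domain {{ dnsChallengeOverrideDomain }}` in the second hunk interpolates the model value unquoted inside the `issuer acme { … }` block, so the Caddyfile stays well-formed only as long as the Caddy.xml field constrains the value to a hostname; the `{% if dnsChallengeOverrideDomain %}` guard only skips the directive when the value is empty, it does not sanitize it. A one-line template comment above the `{% if %}` would also help the next reader understand why a second domain appears in the issuer block, e.g. `{# CNAME delegation: the certificate domain's _acme-challenge name points at this domain, whose zone is managed by the configured DNS provider #}`. Both the `issuer acme { … }` block and the `tls_configuration` macro extend past the hunk on both sides.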
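Review bot: Only the `reverse` call site of `tls_configuration` shown in the third hunk passes the new argument; because the macro parameter defaults to `""` in the first hunk, any other caller of the macro elsewhere in the template (outside this patch, if one exists for entries that are not `reverse`) would silently render no override directive. If that is intended, a short note next to the new macro parameter saying the override is only wired for reverse-proxy domains would make it explicit; if not, those call sites need the same `dnsChallengeOverrideDomain=…|default("")` argument. The `{{ tls_configuration(` call continues beyond the end of the hunk.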