* [pbs-devel] [PATCH proxmox-backup/proxmox-acme-rs/pwt] acme: add support for http_proxy and wildcard certs
@ 2021-11-09 16:54 Stoiko Ivanov
  2021-11-09 16:54 ` [pbs-devel] [PATCH widget-toolkit 1/1] acmeplugin: add use-proxy checkbox Stoiko Ivanov
                   ` (7 more replies)
  0 siblings, 8 replies; 13+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:54 UTC (permalink / raw)
  To: pbs-devel

this series resulted from a fix for #3536 (for PVE), which I then extended to
cover all products (and their respective acme implementations)

additionally Fabian (Gruenbichler) and I discussed a thread in our
community-forum [0], where a user ran into an (unrelated and for us not reproducible) issue,
but it made me notice that PBS does not support wildcard certificates.

the individual patches are mostly short and hopefully self-explaining

Tested on my setup with a publicly exposed powerdns-plugin and let's encrypt
(mostly staging)

[0] https://forum.proxmox.com/threads/no-connection-to-proxmox-backup-server-tls_process_server_certificate.97942/

proxmox-widget-toolkit:
Stoiko Ivanov (1):
  acmeplugin: add use-proxy checkbox

 src/window/ACMEPluginEdit.js | 8 ++++++++
 1 file changed, 8 insertions(+)

proxmox-acme-rs:
Stoiko Ivanov (1):
  client: add support for proxies

 src/client.rs | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

proxmox-backup:
Stoiko Ivanov (6):
  api: config: acme: rustfmt
  config: acme: plugin: rustfmt
  api: acme: fix typo
  acme: client: read http_proxy from node config
  acme: plugin: add 'use-proxy' property
  acme: add support for wildcard certificates

 pbs-api-types/src/lib.rs      |  5 ++++
 src/acme/client.rs            |  8 +++++-
 src/acme/plugin.rs            | 23 +++++++++++++++++-
 src/api2/config/acme.rs       | 46 ++++++++++++++++++++++++++---------
 src/api2/node/certificates.rs |  2 +-
 src/api2/types/acme.rs        |  4 +--
 src/config/acme/plugin.rs     | 10 +++++++-
 src/config/node.rs            |  9 +++++++
 8 files changed, 90 insertions(+), 17 deletions(-)

--
2.30.2






* [pbs-devel] [PATCH widget-toolkit 1/1] acmeplugin: add use-proxy checkbox
  2021-11-09 16:54 [pbs-devel] [PATCH proxmox-backup/proxmox-acme-rs/pwt] acme: add support for http_proxy and wildcard certs Stoiko Ivanov
@ 2021-11-09 16:54 ` Stoiko Ivanov
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-acme-rs 1/1] client: add support for proxies Stoiko Ivanov
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 13+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:54 UTC (permalink / raw)
  To: pbs-devel

if set the plugin will use the http_proxy configured on the
node/datacenter.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/window/ACMEPluginEdit.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/window/ACMEPluginEdit.js b/src/window/ACMEPluginEdit.js
index 237b362..406f14e 100644
--- a/src/window/ACMEPluginEdit.js
+++ b/src/window/ACMEPluginEdit.js
@@ -216,6 +216,14 @@ Ext.define('Proxmox.window.ACMEPluginEdit', {
 		    name: 'hint',
 		    hidden: true,
 		},
+		{
+		    xtype: 'proxmoxcheckbox',
+		    fieldLabel: gettext('Use http proxy'),
+		    defaultValue: false,
+		    deleteDefaultValue: true,
+		    labelWidth: 150,
+		    name: 'use-proxy',
+		},
 	    ],
 	},
     ],
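Review bot: the checkbox label does not tell the user where the proxy value comes from, and on a node without an http_proxy setting ticking it is a silent no-op; consider a short hint (the form already carries a `hint` field in the context above) or a label such as `Use node http proxy`. `deleteDefaultValue: true` is the right choice here, as unticking then removes the `use-proxy` property instead of writing `use-proxy=0`.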
-- 
2.30.2






* [pbs-devel] [PATCH proxmox-acme-rs 1/1] client: add support for proxies
  2021-11-09 16:54 [pbs-devel] [PATCH proxmox-backup/proxmox-acme-rs/pwt] acme: add support for http_proxy and wildcard certs Stoiko Ivanov
  2021-11-09 16:54 ` [pbs-devel] [PATCH widget-toolkit 1/1] acmeplugin: add use-proxy checkbox Stoiko Ivanov
@ 2021-11-09 16:54 ` Stoiko Ivanov
  2021-11-18 10:15   ` [pbs-devel] applied: " Wolfgang Bumiller
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-backup 1/6] api: config: acme: rustfmt Stoiko Ivanov
                   ` (5 subsequent siblings)
  7 siblings, 1 reply; 13+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:54 UTC (permalink / raw)
  To: pbs-devel

by storing the proxy url as string in the struct and setting it on
each invocation of `execute`, since execute calls reset on the
curl::easy::Easy object.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/client.rs | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/client.rs b/src/client.rs
index 8aeff97..9853fb6 100644
--- a/src/client.rs
+++ b/src/client.rs
@@ -91,6 +91,7 @@ impl Headers {
 struct Inner {
     easy: easy::Easy,
     nonce: Option<String>,
+    proxy: Option<String>,
 }
 
 impl Inner {
@@ -98,6 +99,7 @@ impl Inner {
         Self {
             easy: easy::Easy::new(),
             nonce: None,
+            proxy: None,
         }
     }
 
@@ -120,6 +122,10 @@ impl Inner {
 
         self.easy.url(url)?;
 
+        if let Some(p) = &self.proxy {
+            self.easy.proxy(&p)?;
+        }
+
         {
             let mut transfer = self.easy.transfer();
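Review bot: `self.easy.proxy(&p)` re-borrows `p`, which is already a `&String` from `&self.proxy`, so the call only compiles through deref coercion and clippy flags it as needless_borrow; `self.easy.proxy(p)` is enough. Re-applying the proxy inside `execute` is the right place, since `run_request` (later hunk) calls `self.easy.reset()` before every request.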
 
@@ -156,6 +162,10 @@ impl Inner {
         })
     }
 
+    pub fn set_proxy(&mut self, proxy: String) {
+            self.proxy = Some(proxy);
+    }
+
     /// Low-level API to run an n API request. This automatically updates the current nonce!
     fn run_request(&mut self, request: Request) -> Result<HttpResponse, Error> {
         self.easy.reset();
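Review bot: the body of `Inner::set_proxy` is indented 12 spaces instead of 8, so rustfmt will reflow it; run `cargo fmt` on this hunk. The `pub` on the method is also unnecessary, as `Inner` itself is private (`struct Inner`, first hunk) and the method is only reached through `Client::set_proxy`.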
@@ -586,6 +596,11 @@ impl Client {
             }
         }
     }
+
+    /// Set a proxy
+    pub fn set_proxy(&mut self, proxy: String) {
+        self.inner.set_proxy(proxy)
+    }
 }
 
 fn parse_header(data: &[u8]) -> Option<(&str, &str)> {
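Review bot: `/// Set a proxy` is the only public documentation of this feature; it should state the accepted format (a curl proxy URL of the form `[scheme://][user:password@]host[:port]`, so credentials may be embedded) and that the setting applies to every request that goes through `execute` from then on, not just the next one.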
-- 
2.30.2






* [pbs-devel] [PATCH proxmox-backup 1/6] api: config: acme: rustfmt
  2021-11-09 16:54 [pbs-devel] [PATCH proxmox-backup/proxmox-acme-rs/pwt] acme: add support for http_proxy and wildcard certs Stoiko Ivanov
  2021-11-09 16:54 ` [pbs-devel] [PATCH widget-toolkit 1/1] acmeplugin: add use-proxy checkbox Stoiko Ivanov
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-acme-rs 1/1] client: add support for proxies Stoiko Ivanov
@ 2021-11-09 16:54 ` Stoiko Ivanov
  2021-11-18 10:33   ` [pbs-devel] applied: " Wolfgang Bumiller
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-backup 2/6] config: acme: plugin: rustfmt Stoiko Ivanov
                   ` (4 subsequent siblings)
  7 siblings, 1 reply; 13+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:54 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/api2/config/acme.rs | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)

diff --git a/src/api2/config/acme.rs b/src/api2/config/acme.rs
index c24c7850..7ed55a75 100644
--- a/src/api2/config/acme.rs
+++ b/src/api2/config/acme.rs
@@ -10,7 +10,7 @@ use serde::{Deserialize, Serialize};
 use serde_json::{json, Value};
 
 use proxmox_router::{
-    http_bail, list_subdirs_api_method, Permission, Router, SubdirMap, RpcEnvironment,
+    http_bail, list_subdirs_api_method, Permission, Router, RpcEnvironment, SubdirMap,
 };
 use proxmox_schema::api;
 
@@ -336,7 +336,8 @@ pub fn deactivate_account(
                     task_warn!(
                         worker,
                         "error deactivating account {}, proceedeing anyway - {}",
-                        name, err,
+                        name,
+                        err,
                     );
                 }
             }
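Review bot: the context line `"error deactivating account {}, proceedeing anyway - {}"` carries a typo (`proceedeing`); it is outside the scope of a rustfmt-only commit, but patch 3/6 of this series is a typo fix and could carry it.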
@@ -630,7 +631,7 @@ pub fn delete_plugin(id: String) -> Result<(), Error> {
 
 #[api()]
 #[derive(Serialize, Deserialize)]
-#[serde(rename_all="kebab-case")]
+#[serde(rename_all = "kebab-case")]
 #[allow(non_camel_case_types)]
 /// Deletable property name
 pub enum DeletableProperty {
@@ -709,16 +710,27 @@ pub fn update_plugin(
             if let Some(delete) = delete {
                 for delete_prop in delete {
                     match delete_prop {
-                        DeletableProperty::validation_delay => { plugin.core.validation_delay = None; },
-                        DeletableProperty::disable => { plugin.core.disable = None; },
+                        DeletableProperty::validation_delay => {
+                            plugin.core.validation_delay = None;
+                        }
+                        DeletableProperty::disable => {
+                            plugin.core.disable = None;
+                        }
                     }
                 }
             }
-            if let Some(data) = data { plugin.data = data; }
-            if let Some(api) = update.api { plugin.core.api = api; }
-            if update.validation_delay.is_some() { plugin.core.validation_delay = update.validation_delay; }
-            if update.disable.is_some() { plugin.core.disable = update.disable; }
-
+            if let Some(data) = data {
+                plugin.data = data;
+            }
+            if let Some(api) = update.api {
+                plugin.core.api = api;
+            }
+            if update.validation_delay.is_some() {
+                plugin.core.validation_delay = update.validation_delay;
+            }
+            if update.disable.is_some() {
+                plugin.core.disable = update.disable;
+            }
 
             *entry = serde_json::to_value(plugin)?;
         }
-- 
2.30.2






* [pbs-devel] [PATCH proxmox-backup 2/6] config: acme: plugin: rustfmt
  2021-11-09 16:54 [pbs-devel] [PATCH proxmox-backup/proxmox-acme-rs/pwt] acme: add support for http_proxy and wildcard certs Stoiko Ivanov
                   ` (2 preceding siblings ...)
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-backup 1/6] api: config: acme: rustfmt Stoiko Ivanov
@ 2021-11-09 16:54 ` Stoiko Ivanov
  2021-11-18 10:34   ` [pbs-devel] applied: " Wolfgang Bumiller
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-backup 3/6] api: acme: fix typo Stoiko Ivanov
                   ` (3 subsequent siblings)
  7 siblings, 1 reply; 13+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:54 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/config/acme/plugin.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/config/acme/plugin.rs b/src/config/acme/plugin.rs
index f90de70e..6ba5bcf7 100644
--- a/src/config/acme/plugin.rs
+++ b/src/config/acme/plugin.rs
@@ -6,8 +6,8 @@ use serde_json::Value;
 use proxmox_schema::{api, ApiType, Schema, StringSchema, Updater};
 use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
 
-use pbs_config::{open_backup_lockfile, BackupLockGuard};
 use pbs_api_types::PROXMOX_SAFE_ID_FORMAT;
+use pbs_config::{open_backup_lockfile, BackupLockGuard};
 
 pub const PLUGIN_ID_SCHEMA: Schema = StringSchema::new("ACME Challenge Plugin ID.")
     .format(&PROXMOX_SAFE_ID_FORMAT)
-- 
2.30.2






* [pbs-devel] [PATCH proxmox-backup 3/6] api: acme: fix typo
  2021-11-09 16:54 [pbs-devel] [PATCH proxmox-backup/proxmox-acme-rs/pwt] acme: add support for http_proxy and wildcard certs Stoiko Ivanov
                   ` (3 preceding siblings ...)
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-backup 2/6] config: acme: plugin: rustfmt Stoiko Ivanov
@ 2021-11-09 16:54 ` Stoiko Ivanov
  2021-11-18 10:34   ` [pbs-devel] applied: " Wolfgang Bumiller
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-backup 4/6] acme: client: read http_proxy from node config Stoiko Ivanov
                   ` (2 subsequent siblings)
  7 siblings, 1 reply; 13+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:54 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/api2/config/acme.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/api2/config/acme.rs b/src/api2/config/acme.rs
index 7ed55a75..a37a9358 100644
--- a/src/api2/config/acme.rs
+++ b/src/api2/config/acme.rs
@@ -468,7 +468,7 @@ pub struct PluginConfig {
     ///
     /// Allows to cope with long TTL of DNS records.
     #[serde(skip_serializing_if = "Option::is_none", default)]
-    alidation_delay: Option<u32>,
+    validation_delay: Option<u32>,
 
     /// Flag to disable the config.
     #[serde(skip_serializing_if = "Option::is_none", default)]
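Review bot: `PluginConfig` is serialized with serde (`skip_serializing_if` on this field), so the rename is API-visible: the misspelled `alidation_delay` key disappears from the plugin config output and `validation_delay`, the name the `DeletableProperty::validation_delay` arm in patch 1/6 already uses, takes its place. A sentence in the commit message saying that the visible property name changes would help anyone diffing API output across versions.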
-- 
2.30.2






* [pbs-devel] [PATCH proxmox-backup 4/6] acme: client: read http_proxy from node config
  2021-11-09 16:54 [pbs-devel] [PATCH proxmox-backup/proxmox-acme-rs/pwt] acme: add support for http_proxy and wildcard certs Stoiko Ivanov
                   ` (4 preceding siblings ...)
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-backup 3/6] api: acme: fix typo Stoiko Ivanov
@ 2021-11-09 16:54 ` Stoiko Ivanov
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-backup 5/6] acme: plugin: add 'use-proxy' property Stoiko Ivanov
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-backup 6/6] acme: add support for wildcard certificates Stoiko Ivanov
  7 siblings, 0 replies; 13+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:54 UTC (permalink / raw)
  To: pbs-devel

If an http_proxy is set in the node config, use it for communicating with
the (usually public) Acme provider.

The code is adapted from src/tools/subscription.rs

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/acme/client.rs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/acme/client.rs b/src/acme/client.rs
index 8d6cf6bd..784d7bac 100644
--- a/src/acme/client.rs
+++ b/src/acme/client.rs
@@ -20,6 +20,7 @@ use proxmox_http::client::SimpleHttp;
 
 use crate::api2::types::AcmeAccountName;
 use crate::config::acme::account_path;
+use crate::config::node;
 use crate::tools::pbs_simple_http;
 
 /// Our on-disk format inherited from PVE's proxmox-acme code.
@@ -65,6 +66,11 @@ pub struct AcmeClient {
 impl AcmeClient {
     /// Create a new ACME client for a given ACME directory URL.
     pub fn new(directory_url: String) -> Self {
+        let proxy_config = if let Ok((node_config, _digest)) = node::config() {
+            node_config.http_proxy()
+        } else {
+            None
+        };
         Self {
             directory_url,
             debug: false,
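Review bot: an `Err` from `node::config()` is silently mapped to `None`, so a node config that fails to parse makes the ACME client connect to the CA directly instead of through the configured proxy, and nothing in the task log says why an egress-restricted host then times out. `new` cannot return an error here, so either log the `Err` before falling back or have the caller read the node config and pass the proxy setting in.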
@@ -73,7 +79,7 @@ impl AcmeClient {
             account: None,
             directory: None,
             nonce: None,
-            http_client: pbs_simple_http(None),
+            http_client: pbs_simple_http(proxy_config),
         }
     }
 
-- 
2.30.2






* [pbs-devel] [PATCH proxmox-backup 5/6] acme: plugin: add 'use-proxy' property
  2021-11-09 16:54 [pbs-devel] [PATCH proxmox-backup/proxmox-acme-rs/pwt] acme: add support for http_proxy and wildcard certs Stoiko Ivanov
                   ` (5 preceding siblings ...)
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-backup 4/6] acme: client: read http_proxy from node config Stoiko Ivanov
@ 2021-11-09 16:54 ` Stoiko Ivanov
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-backup 6/6] acme: add support for wildcard certificates Stoiko Ivanov
  7 siblings, 0 replies; 13+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:54 UTC (permalink / raw)
  To: pbs-devel

this patch adds an optional 'use-proxy' property to the dns challenge
plugins.

If set to true and the node has configured an http_proxy the proxy
is set as 'http_proxy' and 'https_proxy' environment variable by the
plugin caller (and then used by curl)

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/acme/plugin.rs        | 21 +++++++++++++++++++++
 src/api2/config/acme.rs   | 12 ++++++++++++
 src/config/acme/plugin.rs |  8 ++++++++
 3 files changed, 41 insertions(+)

diff --git a/src/acme/plugin.rs b/src/acme/plugin.rs
index 65eb60d1..d31c2b8f 100644
--- a/src/acme/plugin.rs
+++ b/src/acme/plugin.rs
@@ -13,6 +13,7 @@ use proxmox_acme_rs::{Authorization, Challenge};
 
 use crate::acme::AcmeClient;
 use crate::api2::types::AcmeDomain;
+use crate::config::node;
 use proxmox_rest_server::WorkerTask;
 
 use crate::config::acme::plugin::{DnsPlugin, PluginData};
@@ -111,6 +112,26 @@ impl DnsPlugin {
             stdin_data.push(b'\n');
         }
 
+        let proxy_config = match self.core.use_proxy {
+            Some(true) => {
+                if let Ok((node_config, _digest)) = node::config() {
+                    node_config.http_proxy()
+                } else {
+                    None
+                }
+            }
+            Some(false) => None,
+            None => None,
+        };
+
+        if let Some(proxy_config) = proxy_config {
+            if let Ok(proxystr) = proxy_config.to_proxy_string() {
+                stdin_data.extend(
+                    format!("http_proxy={}\nhttps_proxy={}\n", proxystr, proxystr).as_bytes(),
+                );
+                stdin_data.push(b'\n');
+            }
+        }
         let mut command = Command::new("/usr/bin/setpriv");
 
         #[rustfmt::skip]
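Review bot: the three-arm `match` reduces to `if self.core.use_proxy == Some(true) { node::config().ok().and_then(|(c, _)| c.http_proxy()) } else { None }`, and the config-reading part duplicates `AcmeClient::new` from patch 4/6, so a small shared helper in `config::node` would keep both call sites in step. Two further points: an `Err` from `node::config()` or from `to_proxy_string()` again silently disables the proxy and deserves a log line; and the `format!("http_proxy={}\nhttps_proxy={}\n", ..)` string already ends in a newline, so the following `stdin_data.push(b'\n')` emits an empty line that should be checked against what the plugin wrapper tolerates.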
diff --git a/src/api2/config/acme.rs b/src/api2/config/acme.rs
index a37a9358..c52edd57 100644
--- a/src/api2/config/acme.rs
+++ b/src/api2/config/acme.rs
@@ -473,6 +473,10 @@ pub struct PluginConfig {
     /// Flag to disable the config.
     #[serde(skip_serializing_if = "Option::is_none", default)]
     disable: Option<bool>,
+
+    /// Flag indicating if this plugin should use the node-wide proxy setting.
+    #[serde(skip_serializing_if = "Option::is_none", default)]
+    use_proxy: Option<bool>,
 }
 
 // See PMG/PVE's $modify_cfg_for_api sub
@@ -639,6 +643,8 @@ pub enum DeletableProperty {
     disable,
     /// Delete the validation-delay property
     validation_delay,
+    /// Delete the use-proxy property
+    use_proxy,
 }
 
 #[api(
@@ -716,6 +722,9 @@ pub fn update_plugin(
                         DeletableProperty::disable => {
                             plugin.core.disable = None;
                         }
+                        DeletableProperty::use_proxy => {
+                            plugin.core.use_proxy = None;
+                        }
                     }
                 }
             }
@@ -731,6 +740,9 @@ pub fn update_plugin(
             if update.disable.is_some() {
                 plugin.core.disable = update.disable;
             }
+            if update.use_proxy.is_some() {
+                plugin.core.use_proxy = update.use_proxy;
+            }
 
             *entry = serde_json::to_value(plugin)?;
         }
diff --git a/src/config/acme/plugin.rs b/src/config/acme/plugin.rs
index 6ba5bcf7..8eade7c1 100644
--- a/src/config/acme/plugin.rs
+++ b/src/config/acme/plugin.rs
@@ -52,6 +52,10 @@ impl Default for StandalonePlugin {
             minimum: 0,
             maximum: 2 * 24 * 60 * 60,
         },
+        "use-proxy": {
+            optional: true,
+            default: false,
+        },
     },
 )]
 /// DNS ACME Challenge Plugin core data.
@@ -74,6 +78,10 @@ pub struct DnsPluginCore {
     /// Flag to disable the config.
     #[serde(skip_serializing_if = "Option::is_none", default)]
     pub disable: Option<bool>,
+
+    /// Flag indicating if this plugin should use the node-wide proxy setting.
+    #[serde(skip_serializing_if = "Option::is_none", default)]
+    pub use_proxy: Option<bool>,
 }
 
 #[api(
-- 
2.30.2






* [pbs-devel] [PATCH proxmox-backup 6/6] acme: add support for wildcard certificates
  2021-11-09 16:54 [pbs-devel] [PATCH proxmox-backup/proxmox-acme-rs/pwt] acme: add support for http_proxy and wildcard certs Stoiko Ivanov
                   ` (6 preceding siblings ...)
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-backup 5/6] acme: plugin: add 'use-proxy' property Stoiko Ivanov
@ 2021-11-09 16:54 ` Stoiko Ivanov
  7 siblings, 0 replies; 13+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:54 UTC (permalink / raw)
  To: pbs-devel

following the implementation in PMG in:
* verifying that an acmedomain with wildcard is not using the standalone
  validation
* the initial '*.' is stripped when searching for the proper domain
  config and when running the validation plugin

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 pbs-api-types/src/lib.rs      | 5 +++++
 src/acme/plugin.rs            | 2 +-
 src/api2/node/certificates.rs | 2 +-
 src/api2/types/acme.rs        | 4 ++--
 src/config/node.rs            | 9 +++++++++
 5 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index 96ac657b..73a84ca6 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -82,6 +82,7 @@ pub use zfs::*;
 mod local_macros {
     macro_rules! DNS_LABEL { () => (r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
     macro_rules! DNS_NAME { () => (concat!(r"(?:(?:", DNS_LABEL!() , r"\.)*", DNS_LABEL!(), ")")) }
+    macro_rules! DNS_NAME_OR_WILDCARD { () => (concat!(r"(?:\*\.)?(?:(?:", DNS_LABEL!() , r"\.)*", DNS_LABEL!(), ")")) }
     macro_rules! CIDR_V4_REGEX_STR { () => (concat!(r"(?:", IPV4RE!(), r"/\d{1,2})$")) }
     macro_rules! CIDR_V6_REGEX_STR { () => (concat!(r"(?:", IPV6RE!(), r"/\d{1,3})$")) }
     macro_rules! DNS_ALIAS_LABEL { () => (r"(?:[a-zA-Z0-9_](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
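Review bot: `DNS_NAME_OR_WILDCARD` copies the body of `DNS_NAME` instead of reusing it; `concat!(r"(?:\*\.)?", DNS_NAME!())` expresses the same pattern and stays in step if `DNS_LABEL` or `DNS_NAME` ever change. The pattern deliberately admits only a single leading wildcard label, which is the only wildcard form ACME issues; a short comment saying so would save the next reader from wondering whether `*.*.` was overlooked.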
@@ -99,6 +100,7 @@ const_regex! {
     pub CIDR_REGEX =  concat!(r"^(?:", CIDR_V4_REGEX_STR!(), "|",  CIDR_V6_REGEX_STR!(), r")$");
     pub HOSTNAME_REGEX = r"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)$";
     pub DNS_NAME_REGEX =  concat!(r"^", DNS_NAME!(), r"$");
+    pub DNS_NAME_OR_WILDCARD_REGEX =  concat!(r"^", DNS_NAME_OR_WILDCARD!(), r"$");
     pub DNS_ALIAS_REGEX =  concat!(r"^", DNS_ALIAS_NAME!(), r"$");
     pub DNS_NAME_OR_IP_REGEX = concat!(r"^(?:", DNS_NAME!(), "|",  IPRE!(), r")$");
 
@@ -177,6 +179,9 @@ pub const HOSTNAME_SCHEMA: Schema = StringSchema::new("Hostname (as defined in R
 pub const DNS_NAME_FORMAT: ApiStringFormat =
     ApiStringFormat::Pattern(&DNS_NAME_REGEX);
 
+pub const DNS_NAME_OR_WILDCARD_FORMAT: ApiStringFormat =
+    ApiStringFormat::Pattern(&DNS_NAME_OR_WILDCARD_REGEX);
+
 pub const DNS_NAME_OR_IP_FORMAT: ApiStringFormat =
     ApiStringFormat::Pattern(&DNS_NAME_OR_IP_REGEX);
 
diff --git a/src/acme/plugin.rs b/src/acme/plugin.rs
index d31c2b8f..4dedb69b 100644
--- a/src/acme/plugin.rs
+++ b/src/acme/plugin.rs
@@ -145,7 +145,7 @@ impl DnsPlugin {
                 PROXMOX_ACME_SH_PATH,
                 action,
                 &self.core.api,
-                domain.alias.as_deref().unwrap_or(&domain.domain),
+                domain.alias.as_deref().unwrap_or(&domain.domain.trim_start_matches("*.")),
         ]);
 
         // We could use 1 socketpair, but tokio wraps them all in `File` internally causing `close`
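Review bot: `&domain.domain.trim_start_matches("*.")` takes a reference to a `&str`, so `unwrap_or` receives a `&&str` that only compiles through deref coercion; drop the leading `&`. `domain.domain.strip_prefix("*.").unwrap_or(&domain.domain)` would also be more precise than `trim_start_matches`, which strips repeated `*.` prefixes, even though `DNS_NAME_OR_WILDCARD_FORMAT` now only admits one.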
diff --git a/src/api2/node/certificates.rs b/src/api2/node/certificates.rs
index 4d26b29f..f6a7c2d3 100644
--- a/src/api2/node/certificates.rs
+++ b/src/api2/node/certificates.rs
@@ -299,7 +299,7 @@ async fn order_certificate(
     let get_domain_config = |domain: &str| {
         domains
             .iter()
-            .find(|d| d.domain == domain)
+            .find(|d| d.domain.trim_start_matches("*.") == domain)
             .ok_or_else(|| format_err!("no config for domain '{}'", domain))
     };
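Review bot: stripping the prefix on the config side makes `get_domain_config` ambiguous when both `example.com` and `*.example.com` are configured, a combination the duplicate check in the node.rs hunk still permits: the CA reports the wildcard authorization with identifier `example.com` and `wildcard: true` (RFC 8555 section 7.1.4), so this `find` returns whichever entry is listed first for both authorizations and the other entry's plugin (or the standalone validation) is never consulted. Either match on the authorization's `wildcard` flag as well or reject that combination in `NodeConfig` validation.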
 
diff --git a/src/api2/types/acme.rs b/src/api2/types/acme.rs
index 21e953bb..7b9de74a 100644
--- a/src/api2/types/acme.rs
+++ b/src/api2/types/acme.rs
@@ -4,12 +4,12 @@ use serde_json::Value;
 use proxmox_schema::{api, ApiType, Schema, StringSchema, ApiStringFormat};
 
 use pbs_api_types::{
-    DNS_ALIAS_FORMAT, DNS_NAME_FORMAT, PROXMOX_SAFE_ID_FORMAT,
+    DNS_ALIAS_FORMAT, DNS_NAME_OR_WILDCARD_FORMAT, PROXMOX_SAFE_ID_FORMAT,
 };
 
 #[api(
     properties: {
-        "domain": { format: &DNS_NAME_FORMAT },
+        "domain": { format: &DNS_NAME_OR_WILDCARD_FORMAT },
         "alias": {
             optional: true,
             format: &DNS_ALIAS_FORMAT,
diff --git a/src/config/node.rs b/src/config/node.rs
index 93444216..fb9b1105 100644
--- a/src/config/node.rs
+++ b/src/config/node.rs
@@ -163,6 +163,15 @@ impl NodeConfig {
             if !domains.insert(domain.domain.to_lowercase()) {
                 bail!("duplicate domain '{}' in ACME config", domain.domain);
             }
+            if domain.domain.starts_with("*.") {
+                let plugin = domain.plugin.as_deref().unwrap_or("standalone");
+                if plugin == "standalone" {
+                    bail!(
+                        "wildcard domain '{}' needs a dns-01 plugin for validation!",
+                        domain.domain
+                    );
+                }
+            }
         }
 
         Ok(())
-- 
2.30.2
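The wildcard handling this patch describes (syntax check with an optional `*.` prefix, rejecting standalone validation for wildcards, stripping the prefix for the plugin and the config lookup), as an added stand-alone example that is not proxmox-backup's code. It goes beyond the patch in one respect: the lookup also matches the authorization's `wildcard` flag, so `example.com` and `*.example.com` resolve to their own entries. Type and function names, the plugin id `pdns` and the alias value are constructed for this example.

```rust
use std::collections::HashSet;

/// One ACME domain entry, reduced to the fields the patch touches.
#[derive(Debug, Clone, PartialEq)]
pub struct AcmeDomain {
    pub domain: String,
    pub alias: Option<String>,
    /// `None` means the built-in standalone (http-01) validation.
    pub plugin: Option<String>,
}

/// Mirrors DNS_LABEL: alphanumerics and hyphens, no leading or trailing hyphen.
fn is_dns_label(label: &str) -> bool {
    !label.is_empty()
        && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
        && !label.starts_with('-')
        && !label.ends_with('-')
}

/// Mirrors DNS_NAME_OR_WILDCARD_REGEX: at most one leading `*.` followed by a
/// plain DNS name, so `*.*.example.com` and a bare `*.` are rejected.
pub fn is_dns_name_or_wildcard(name: &str) -> bool {
    let base = name.strip_prefix("*.").unwrap_or(name);
    !base.is_empty() && base.split('.').all(is_dns_label)
}

/// Name handed to the dns-01 plugin: the alias if configured, otherwise the
/// domain with its leading `*.` stripped (the plugin.rs change in this patch).
pub fn plugin_domain(d: &AcmeDomain) -> &str {
    match d.alias.as_deref() {
        Some(alias) => alias,
        None => d.domain.strip_prefix("*.").unwrap_or(&d.domain),
    }
}

/// The node.rs checks: syntax, case-insensitive duplicates, and
/// "a wildcard needs a dns-01 plugin" (standalone cannot answer for `*.`).
pub fn validate_domains(domains: &[AcmeDomain]) -> Result<(), String> {
    let mut seen: HashSet<String> = HashSet::new();
    for d in domains {
        if !is_dns_name_or_wildcard(&d.domain) {
            return Err(format!("invalid domain '{}'", d.domain));
        }
        if !seen.insert(d.domain.to_lowercase()) {
            return Err(format!("duplicate domain '{}' in ACME config", d.domain));
        }
        if d.domain.starts_with("*.") {
            let plugin = d.plugin.as_deref().unwrap_or("standalone");
            if plugin == "standalone" {
                return Err(format!(
                    "wildcard domain '{}' needs a dns-01 plugin for validation!",
                    d.domain
                ));
            }
        }
    }
    Ok(())
}

/// Config lookup for one authorization. The CA reports a wildcard
/// authorization as the bare name plus `wildcard: true` (RFC 8555 7.1.4),
/// so the stripped config name and the wildcard flag are matched together.
pub fn find_domain_config<'a>(
    domains: &'a [AcmeDomain],
    identifier: &str,
    wildcard: bool,
) -> Option<&'a AcmeDomain> {
    domains.iter().find(|d| {
        let base = d.domain.strip_prefix("*.");
        base.is_some() == wildcard
            && base.unwrap_or(&d.domain).eq_ignore_ascii_case(identifier)
    })
}

fn main() {
    // Constructed sample config: one plain host (standalone), one wildcard (dns-01).
    let cfg = vec![
        AcmeDomain { domain: "pbs.example.com".into(), alias: None, plugin: None },
        AcmeDomain { domain: "*.example.com".into(), alias: None, plugin: Some("pdns".into()) },
    ];
    match validate_domains(&cfg) {
        Ok(()) => println!("config ok"),
        Err(e) => println!("config rejected: {}", e),
    }
    if let Some(d) = find_domain_config(&cfg, "example.com", true) {
        println!("wildcard auth -> plugin {:?} on {}", d.plugin, plugin_domain(d));
    }
}
```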






* [pbs-devel] applied: [PATCH proxmox-acme-rs 1/1] client: add support for proxies
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-acme-rs 1/1] client: add support for proxies Stoiko Ivanov
@ 2021-11-18 10:15   ` Wolfgang Bumiller
  0 siblings, 0 replies; 13+ messages in thread
From: Wolfgang Bumiller @ 2021-11-18 10:15 UTC (permalink / raw)
  To: Stoiko Ivanov; +Cc: pbs-devel

applied, thanks

On Tue, Nov 09, 2021 at 04:54:16PM +0000, Stoiko Ivanov wrote:
> by storing the proxy url as string in the struct and setting it on
> each invocation of `execute`, since execute calls reset on the
> curl::easy::Easy object.
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
>  src/client.rs | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
> 
> diff --git a/src/client.rs b/src/client.rs
> index 8aeff97..9853fb6 100644
> --- a/src/client.rs
> +++ b/src/client.rs
> @@ -91,6 +91,7 @@ impl Headers {
>  struct Inner {
>      easy: easy::Easy,
>      nonce: Option<String>,
> +    proxy: Option<String>,
>  }
>  
>  impl Inner {
> @@ -98,6 +99,7 @@ impl Inner {
>          Self {
>              easy: easy::Easy::new(),
>              nonce: None,
> +            proxy: None,
>          }
>      }
>  
> @@ -120,6 +122,10 @@ impl Inner {
>  
>          self.easy.url(url)?;
>  
> +        if let Some(p) = &self.proxy {
> +            self.easy.proxy(&p)?;
> +        }
> +
>          {
>              let mut transfer = self.easy.transfer();
>  
> @@ -156,6 +162,10 @@ impl Inner {
>          })
>      }
>  
> +    pub fn set_proxy(&mut self, proxy: String) {
> +            self.proxy = Some(proxy);
> +    }
> +
>      /// Low-level API to run an n API request. This automatically updates the current nonce!
>      fn run_request(&mut self, request: Request) -> Result<HttpResponse, Error> {
>          self.easy.reset();
> @@ -586,6 +596,11 @@ impl Client {
>              }
>          }
>      }
> +
> +    /// Set a proxy
> +    pub fn set_proxy(&mut self, proxy: String) {
> +        self.inner.set_proxy(proxy)
> +    }
>  }
>  
>  fn parse_header(data: &[u8]) -> Option<(&str, &str)> {
> -- 
> 2.30.2





* [pbs-devel] applied: [PATCH proxmox-backup 1/6] api: config: acme: rustfmt
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-backup 1/6] api: config: acme: rustfmt Stoiko Ivanov
@ 2021-11-18 10:33   ` Wolfgang Bumiller
  0 siblings, 0 replies; 13+ messages in thread
From: Wolfgang Bumiller @ 2021-11-18 10:33 UTC (permalink / raw)
  To: Stoiko Ivanov; +Cc: pbs-devel

applied





* [pbs-devel] applied: [PATCH proxmox-backup 2/6] config: acme: plugin: rustfmt
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-backup 2/6] config: acme: plugin: rustfmt Stoiko Ivanov
@ 2021-11-18 10:34   ` Wolfgang Bumiller
  0 siblings, 0 replies; 13+ messages in thread
From: Wolfgang Bumiller @ 2021-11-18 10:34 UTC (permalink / raw)
  To: Stoiko Ivanov; +Cc: pbs-devel

applied





* [pbs-devel] applied: [PATCH proxmox-backup 3/6] api: acme: fix typo
  2021-11-09 16:54 ` [pbs-devel] [PATCH proxmox-backup 3/6] api: acme: fix typo Stoiko Ivanov
@ 2021-11-18 10:34   ` Wolfgang Bumiller
  0 siblings, 0 replies; 13+ messages in thread
From: Wolfgang Bumiller @ 2021-11-18 10:34 UTC (permalink / raw)
  To: Stoiko Ivanov; +Cc: pbs-devel

applied

On Tue, Nov 09, 2021 at 04:54:19PM +0000, Stoiko Ivanov wrote:
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
>  src/api2/config/acme.rs | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/api2/config/acme.rs b/src/api2/config/acme.rs
> index 7ed55a75..a37a9358 100644
> --- a/src/api2/config/acme.rs
> +++ b/src/api2/config/acme.rs
> @@ -468,7 +468,7 @@ pub struct PluginConfig {
>      ///
>      /// Allows to cope with long TTL of DNS records.
>      #[serde(skip_serializing_if = "Option::is_none", default)]
> -    alidation_delay: Option<u32>,
> +    validation_delay: Option<u32>,
>  
>      /// Flag to disable the config.
>      #[serde(skip_serializing_if = "Option::is_none", default)]
> -- 
> 2.30.2




