From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 229461FF15C for ; Fri, 22 Aug 2025 10:54:29 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 2346EB4B2; Fri, 22 Aug 2025 10:54:19 +0200 (CEST) From: Dominik Csapak To: pdm-devel@lists.proxmox.com Date: Fri, 22 Aug 2025 10:32:23 +0200 Message-ID: <20250822085409.1139639-6-d.csapak@proxmox.com> X-Mailer: git-send-email 2.47.2 In-Reply-To: <20250822085409.1139639-1-d.csapak@proxmox.com> References: <20250822085409.1139639-1-d.csapak@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.022 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pdm-devel] [PATCH datacenter-manager v4 05/23] server: pve api: extend 'scan' so it tls-probes the nodes X-BeenThere: pdm-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Datacenter Manager development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pdm-devel-bounces@lists.proxmox.com Sender: "pdm-devel" When getting the node information, also probe the individual nodes (currently with the hostname only) so we can omit the fingerprint if the certificate is trusted already. Signed-off-by: Dominik Csapak --- lib/pdm-api-types/src/lib.rs | 2 ++ server/src/api/pve/mod.rs | 32 ++++++++++++++++++++------------ 2 files changed, 22 insertions(+), 12 deletions(-) 
diff --git a/lib/pdm-api-types/src/lib.rs b/lib/pdm-api-types/src/lib.rs
index 9373725..37da134 100644
--- a/lib/pdm-api-types/src/lib.rs
+++ b/lib/pdm-api-types/src/lib.rs
@@ -79,6 +79,8 @@ pub use proxmox_dns_api::THIRD_DNS_SERVER_SCHEMA;
 pub use proxmox_config_digest::ConfigDigest;
 pub use proxmox_config_digest::PROXMOX_CONFIG_DIGEST_SCHEMA;
+pub use proxmox_acme_api::CertificateInfo;
+
 
 #[macro_use]
 mod user;
 pub use user::*;
diff --git a/server/src/api/pve/mod.rs b/server/src/api/pve/mod.rs
index b1672c2..2cfdc5b 100644
--- a/server/src/api/pve/mod.rs
+++ b/server/src/api/pve/mod.rs
@@ -359,6 +359,9 @@ async fn probe_tls(
 },
 )]
 /// Scans the given connection info for pve cluster information
+///
+/// For each node that is returned, the TLS connection is probed, to check if using
+/// a fingerprint is necessary.
 pub async fn scan_remote_pve(
 hostname: String,
 fingerprint: Option,
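Review bot: The new doc comment on `scan_remote_pve` describes the probe but not what happens when it fails; the matching body change in the next hunk silently keeps the fingerprint the cluster API reported for the node, and the TODO there notes the probe uses the bare node name, which will often not resolve. Suggest adding a line such as `/// If the probe fails (e.g. the node name cannot be resolved), the fingerprint reported by the cluster API is kept.` so callers know the returned fingerprint may come from either source. The function's body continues outside the hunk.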
@@ -381,18 +384,23 @@ pub async fn scan_remote_pve(
 .await
 .map_err(|err| format_err!("could not login: {err}"))?;
 
- let nodes: Vec<_> = client
- .list_nodes()
- .await?
- .into_iter()
- .map(|node| {
- let url = NodeUrl {
- hostname: node.node,
- fingerprint: node.ssl_fingerprint,
- };
- PropertyString::new(url)
- })
- .collect();
+ let mut nodes = Vec::new();
+
+ for node in client.list_nodes().await? {
+ // probe without fingerprint to see if the certificate is trusted
+ // TODO: how can we get the fqdn here?, otherwise it'll fail in most scenarios...
+ let fingerprint = match probe_tls_connection(RemoteType::Pve, node.node.clone(), None).await
+ {
+ Ok(TlsProbeOutcome::UntrustedCertificate(cert)) => cert.fingerprint,
+ Ok(TlsProbeOutcome::TrustedCertificate) => None,
+ Err(_) => node.ssl_fingerprint,
+ };
+
+ nodes.push(PropertyString::new(NodeUrl {
+ hostname: node.node,
+ fingerprint,
+ }));
+ }
 
 if nodes.is_empty() {
 bail!("no node list returned");
-- 
2.47.2
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
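Review bot: The `UntrustedCertificate(cert)` arm replaces the fingerprint the cluster API reported over the already-authenticated connection (`node.ssl_fingerprint`) with the one seen on a direct, unauthenticated probe of `node.node`, so the value a user is later asked to pin is now learned trust-on-first-use from the network path to each node instead of from the cluster. Comparing the two and refusing, or at least surfacing, a mismatch would keep the cluster's answer as the anchor, e.g. `Ok(TlsProbeOutcome::UntrustedCertificate(cert)) if cert.fingerprint != node.ssl_fingerprint => bail!("certificate fingerprint of node '{}' does not match the one reported by the cluster", node.node),` placed before the existing arm — assuming both sides use the same fingerprint formatting, which the hunk does not show. The `Err(_)` arm also discards the probe error; logging it would make the fall-back path visible when the node name does not resolve, as the TODO expects. The probes run one after another, so a cluster with several unresolvable or unreachable node names pays each connect timeout in sequence; probing the nodes concurrently would keep the scan responsive. `scan_remote_pve` starts and ends outside the hunk.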