From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pdm-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id 504A51FF13A
	for <inbox@lore.proxmox.com>; Wed, 01 Apr 2026 16:22:04 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id E1F581FA0C;
	Wed,  1 Apr 2026 16:22:32 +0200 (CEST)
From: Shan Shaji <s.shaji@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [PATCH datacenter-manager v4 0/5] fix #7179: expose ACME commands
 inside admin CLI
Date: Wed,  1 Apr 2026 16:21:38 +0200
Message-ID: <20260401142143.309509-1-s.shaji@proxmox.com>
X-Mailer: git-send-email 2.47.3
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1775053260083
X-SPAM-LEVEL: Spam detection results:  1
	AWL                    -2.987 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_BADIPHTTP               2 Due to the Storm Bot Network,
 IPs in emails is bad
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	NUMERIC_HTTP_ADDR       1.242 Uses a numeric IP address in URL
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED      1 ADMINISTRATOR NOTICE: The query to
 Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
	RCVD_IN_VALIDITY_RPBL_BLOCKED      1 ADMINISTRATOR NOTICE: The query to
 Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
	RCVD_IN_VALIDITY_SAFE_BLOCKED      1 ADMINISTRATOR NOTICE: The query to
 Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
	WEIRD_PORT              0.001 Uses non-standard port number for HTTP
Message-ID-Hash: IKDB532LV7SXJFEPLX4ZKP5Q7HMGLV4O
X-Message-ID-Hash: IKDB532LV7SXJFEPLX4ZKP5Q7HMGLV4O
X-MailFrom: s.shaji@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox Datacenter Manager development discussion
 <pdm-devel.lists.proxmox.com>
List-Help: <mailto:pdm-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pdm-devel-owner@lists.proxmox.com>
List-Post: <mailto:pdm-devel@lists.proxmox.com>
List-Subscribe: <mailto:pdm-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pdm-devel-leave@lists.proxmox.com>

Previously, ACME commands were not exposed through the admin CLI.
Added the necessary functionality to manage ACME settings directly
via the command line. The changes are done by taking reference from
the proxmox-backup codebase.

changes since v3:
- Rebase with master.
- rephrase commit messages.
- retested the changes again.
 
changes since v2: Thanks @Lukas
- revert the use of `tasklog` function to tasklog_pbs.
- revert string from "set-up" to "set up".
- use `matches!` macro instead `&&` operator.
- add seperate patch that uses the `ACME_CONTACT_LIST_SCHEMA` on ACME account
  update endpoint.
- add doc comments for the AcmeRegistrationParams public fields.
- use 1-based indexing to choose the directory endpoints.

changes since v1: Thanks @Lukas
- fixed formating.
- refactor the input prompt into a seperate method - `read_input`.
- defined a new struct ``AcmeRegistrationParams` and update the API
  method signature to accept only one parameter.
- used the API `register_account` method instead of using the
  `proxmox-acme-api::register_account` function.
- added `tasklog` layer to capture worker task logs.
- added `context` method to preserve the error messages.

Testing 
=======

I have verified the following:
- account (deactivate, info, list, update)
- certificate (order, revoke)
- plugin (add, config, list, remove, set)
- Verified external account binding using google's ACME directory 
  url and public CA (GTS). 

### Certifcate Creation 

http-01 challenge:
-----------------

I have tested the http-01 challenge verification using a test
pebble server. 
    
Steps followed to test the changes:

1. Installed the changes inside a PDM VM. 
2. install Pebble from Let's Encrypt [1] on the same VM:

    cd
    apt update
    apt install -y golang git
    git clone https://github.com/letsencrypt/pebble
    cd pebble
    go build ./cmd/pebble

    then, download and trust the Pebble cert:

    wget https://raw.githubusercontent.com/letsencrypt/pebble/main/test/certs/pebble.minica.pem
    cp pebble.minica.pem /usr/local/share/ca-certificates/pebble.minica.crt
    update-ca-certificates

3. We want Pebble to perform HTTP-01 validation against port 80, because
   PDM's standalone plugin will bind port 80. Set httpPort to 80.

    nano ./test/config/pebble-config.json

4. Start the Pebble server in the background:

    ./pebble -config ./test/config/pebble-config.json &

5. Created a Pebble ACME account:

    proxmox-datacenter-manager-admin acme account register default admin@example.com --directory 'https://127.0.0.1:14000/dir'

6. Added a new ACME domain pdm.proxmox.com with HTTP challenge type. Then
   ran the following command.

   proxmox-datacenter-manager admin acme certificate order --force true

7. Checked if the certificate is validated by the pebble CA. 

Ran the revoke command and verified if the certificate is self-signed
after force refresh. 

---

DNS-01 challenge: 
----------------

I tested the changes with my domain using the cloudflare plugin. 

Steps followed to test the changes:

1. Created an ACME account using let's encrypt staging API. 
2. Add a new plugin using the following command

   proxmox-datacenter-manager-admin acme plugin add dns cloudflare --api cf --data ./cf_tokens 
   cf_tokens had the following credentials:

      - CF_Account_ID=""
      - CF_Token=""

3. Added my cloudflare managed domain under ACME Domains using the UI. 
4. Ordered the certificate using the following command. 

    proxmox-datacenter-manager-admin acme certificate order --force true

5. Force refreshed the browser and verified that the new certificate is
   verified by (STAGING) Let's Encrypt

6. Revoked the certificate using the following command. 

	proxmox-datacenter-manager-admin acme certificate revoke

7. Verified the new certificate is self-signed.

[1] - https://github.com/letsencrypt/pebble


Shan Shaji (5):
  cli: admin: initialize worker tasks before calling acme API methods
  api: acme: define API type for ACME registration parameters
  server: api: add contact schema for ACME account update endpoint
  fix #7179: cli: admin: add commands to manage ACME settings
  chore: update proxmox-acme version to 1

 Cargo.toml                    |   2 +-
 cli/admin/Cargo.toml          |   7 +-
 cli/admin/src/acme.rs         | 446 ++++++++++++++++++++++++++++++++++
 cli/admin/src/main.rs         |  62 +++--
 lib/pdm-api-types/src/acme.rs |  65 +++++
 lib/pdm-api-types/src/lib.rs  |   2 +
 server/src/api/config/acme.rs |  51 ++--
 7 files changed, 581 insertions(+), 54 deletions(-)
 create mode 100644 cli/admin/src/acme.rs
 create mode 100644 lib/pdm-api-types/src/acme.rs

-- 
2.47.3