From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [RFC datacenter-manager/proxmox{,-backup} 00/10] TLS Certificate Rotation
Date: Tue, 7 Apr 2026 15:57:04 +0200
Message-ID: <20260407135714.490747-1-s.sterz@proxmox.com>

this series adds certificate rotation to Proxmox Backup Server and Proxmox
Datacenter Manager. currently, both products issue a certificate that is valid
for almost 1000 years (365000 days). no cryptographic key can reasonably be
considered secure for this amount of time. this series:

- allows specifying the lifetime of the certificate when creating one via
  proxmox-acme-api and reduces the default to 3650 days (almost ten years).
- sends and logs reminders 30 days before a certificate expires (pdm currently
  does not support the notification framework yet, so adding notifications is
  left as future work here).
- refreshes a certificate at the earliest 15 days before it expires, logs
  and notifies when that happens.
- warns on certificates with excessive lifetimes (>3650 days) and documents
  how to manually update them.
- for pdm: exposes cert handling cli methods in proxmox-datacenter-manager-admin.

sending this as an rfc mainly because there are some open questions for me
about the chosen time frames for the lifetime and renewal periods.

## Testing

the easiest way to test this is to manipulate the date of the host with `date
--set` and then manually trigger the daily update binary for each product:

* PBS: `/usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-daily-update`
* PDM: `/usr/libexec/proxmox/proxmox-datacenter-manager-daily-update`

you can then check the logs and the certificate itself to see what happened.
specifying the `PBS_LOG` with the parameter `trace` or `debug` will also enable
debug logging here.

## Open Questions

+ 10 years is still a long time and i'd rather reduce that further down if
  possible. see the first patch for proxmox-acme-api for more info.
+ should we remove pre-existing long lasting certificates by ourselves? imo
  that is too risky at the moment given that an unplanned certificate rotation
  could cause backups to fail.
+ notifying every day for 15 days before the renewal might be excessive, see
  the second commit for pbs.

## Future Work

- pve and pdm should be extended to allow automatically updating allowed
  fingerprints before a new self-signed certificate goes into action. this will
  be handled in a follow-up series. if this series is applied, we have ten years
  to implement such a mechanism before any setups are realistically expected to
  break.
- pdm should send notifications similar to pbs once support for notifications
  is added.

proxmox:

Shannon Sterz (1):
  acme-api: make self-signed certificate expiry configurable

 proxmox-acme-api/src/certificate_helpers.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

backup:

Shannon Sterz (5):
  config: use proxmox_acme_api for generating self-signed certificates
  config: adapt to api change in proxmox_acme_api, add expiry paramter
  config/server/api: add certificate renewal logic including
    notifications
  daily-update/docs: warn on excessive self-signed certificate lifetime
  backup-manager cli: `cert update` can create auth and csrf key

 debian/proxmox-backup-server.install | 4 +
 docs/certificate-management.rst | 31 ++++++
 src/api2/node/certificates.rs | 44 +++++++++
 src/bin/proxmox-daily-update.rs | 32 +++++++
 src/bin/proxmox_backup_manager/cert.rs | 2 +
 src/config/mod.rs | 96 ++-----------------
 src/server/notifications/mod.rs | 50 ++++++++++
 templates/Makefile | 62 ++++++------
 templates/default/cert-refresh-body.txt.hbs | 8 ++
 .../default/cert-refresh-subject.txt.hbs | 1 +
 .../cert-upcoming-refresh-body.txt.hbs | 9 ++
 .../cert-upcoming-refresh-subject.txt.hbs | 1 +
 12 files changed, 225 insertions(+), 115 deletions(-)
 create mode 100644 templates/default/cert-refresh-body.txt.hbs
 create mode 100644 templates/default/cert-refresh-subject.txt.hbs
 create mode 100644 templates/default/cert-upcoming-refresh-body.txt.hbs
 create mode 100644 templates/default/cert-upcoming-refresh-subject.txt.hbs

datacenter-manager:

Shannon Sterz (4):
  certs: adapt to api change in proxmox_acme_api, add expiry paramter
  api/auth/bin: add certificate renewal logic
  cli: expose certificate management endpoints via the cli
  daily-update/docs: warn on excessive tls certificate validity periods

 cli/admin/Cargo.toml | 2 +
 cli/admin/src/cert.rs | 86 +++++++++++++++++++
 cli/admin/src/main.rs | 2 +
 docs/certificate-management.rst | 31 +++++++
 server/Cargo.toml | 1 +
 server/src/api/nodes/certificates.rs | 48 +++++++++++
 server/src/auth/certs.rs | 4 +-
 ...proxmox-datacenter-manager-daily-update.rs | 30 +++++++
 8 files changed, 203 insertions(+), 1 deletion(-)
 create mode 100644 cli/admin/src/cert.rs

Summary over all repositories:
 21 files changed, 430 insertions(+), 117 deletions(-)

--
Generated by murpp 0.10.0
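
The time frames in the cover letter (3650-day default, reminders from 30 days before expiry, renewal from 15 days before expiry, warning above 3650 days) can be modelled as one daily check and run over a simulated calendar to see how many reminders a single rotation produces. This is an added illustration, not code from the patch series; the type and function names, the boundary handling, and the choice to never auto-rotate an excessive-lifetime certificate are assumptions made here.

```rust
// Added illustration, not code from the series. Thresholds are the ones named
// in the cover letter; names and inclusive/exclusive boundaries are assumed.
const DAY: i64 = 86_400;
const DEFAULT_LIFETIME_DAYS: i64 = 3650;
const REMIND_DAYS: i64 = 30;
const RENEW_DAYS: i64 = 15;

#[derive(Debug, PartialEq, Clone, Copy)]
enum Action { None, WarnExcessiveLifetime, Remind, Renew }

/// Validity window as Unix timestamps (hypothetical stand-in for a parsed cert).
#[derive(Clone, Copy)]
struct Cert { not_before: i64, not_after: i64 }

/// What one run of the daily update would do for `cert` at time `now`.
fn daily_check(cert: Cert, now: i64) -> Action {
    let lifetime_days = (cert.not_after - cert.not_before) / DAY;
    if lifetime_days > DEFAULT_LIFETIME_DAYS {
        // Assumption: long-lived legacy certs are only warned about.
        return Action::WarnExcessiveLifetime;
    }
    let remaining = cert.not_after - now;
    if remaining <= RENEW_DAYS * DAY { Action::Renew }
    else if remaining <= REMIND_DAYS * DAY { Action::Remind }
    else { Action::None }
}

/// Runs the check once per day for `days` days starting at `start`.
/// Returns (reminders sent, day index on which the certificate was renewed).
fn simulate(mut cert: Cert, start: i64, days: i64) -> (u32, Option<i64>) {
    let (mut reminders, mut renewed_on) = (0, None);
    for d in 0..days {
        let now = start + d * DAY;
        match daily_check(cert, now) {
            Action::Remind => reminders += 1,
            Action::Renew => {
                renewed_on.get_or_insert(d);
                cert = Cert { not_before: now, not_after: now + DEFAULT_LIFETIME_DAYS * DAY };
            }
            Action::None | Action::WarnExcessiveLifetime => {}
        }
    }
    (reminders, renewed_on)
}

fn main() {
    // Constructed sample: a 3650-day cert, observed from 40 days before expiry.
    let cert = Cert { not_before: 0, not_after: 3650 * DAY };
    println!("{:?}", simulate(cert, 3610 * DAY, 40));
}
```

Under these assumptions one rotation generates 15 daily reminders before the renewal itself, which is the volume the open question about notification frequency refers to.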