From: Manuel Federanko
To: pbs-devel@lists.proxmox.com, pdm-devel@lists.proxmox.com
Subject: [PATCH proxmox{,-backup,-datacenter-manager} 0/7] acme: fix #6372 implement basic ARI support
Date: Thu, 25 Jun 2026 16:13:30 +0200
Message-ID: <20260625141337.181684-1-m.federanko@proxmox.com>
List-Id: Proxmox Backup Server development discussion

This series implements basic ACME ARI [0] support for Proxmox Backup Server and Proxmox Datacenter Manager.

Currently both projects renew once a fixed time has passed:

* Proxmox Backup Manager already considers the life-time of a certificate and starts renewal attempts based on that [1]
* Proxmox Datacenter Manager still assumes that a certificate should start to be renewed 30 days before it is invalid.

This series changes the behavior to first attempt to get a time renewal window from the server, and if that fails to fall back to the life-time based lead percentages. Importantly it also moves the check for the remaining life-time into the worker.

## Testing

The pebble acme server [2] is easy to set up and intended to be used to develop clients against it. Changing the date of the system and the system hosting pebble and then manually triggering an update check is an easy way to test the behavior.

## Further work

We currently only check the certificate with the daily update services. It would be desirable to have a second service for ARI checks which runs more often.

There also is currently no handling of Retry-After headers, which are used by the ACME server to indicate when we should check for a new renewal window again.

Proxmox Backup Server uses a very similar struct for Certificate Information "CertInfo" which could be replaced by the one provided by the proxmox-acme-api crate "CertificateInfo".

[0] https://datatracker.ietf.org/doc/rfc9773/
[1] https://lore.proxmox.com/pbs-devel/20260423134607.105229-2-m.federanko@proxmox.com/
[2] https://github.com/letsencrypt/pebble

proxmox:

Manuel Federanko (4):
  acme: client: add methods to fetch renewal information.
  acme: add retry-after header to renewal information.
  acme: allow specifying the certificate that is replaced by an order
  acme: cert: add dedicated ari_id field to the certificate info.

 proxmox-acme-api/src/certificate_helpers.rs | 60 ++++++++++++++++++-
 proxmox-acme-api/src/lib.rs                 |  5 +-
 proxmox-acme-api/src/types.rs               |  4 ++
 proxmox-acme/src/async_client.rs            | 66 +++++++++++++++++++--
 proxmox-acme/src/directory.rs               |  8 +++
 proxmox-acme/src/lib.rs                     |  3 +
 proxmox-acme/src/order.rs                   | 13 ++++
 proxmox-acme/src/renewal.rs                 | 36 +++++++++++
 8 files changed, 187 insertions(+), 8 deletions(-)
 create mode 100644 proxmox-acme/src/renewal.rs

proxmox-backup:

Manuel Federanko (2):
  acme: add ari_id to cert info.
  acme: implement ARI renewal information fetching.

 pbs-tools/Cargo.toml                   |   1 +
 pbs-tools/src/cert.rs                  |   4 +
 src/api2/node/certificates.rs          | 106 +++++++++++++++++++------
 src/bin/proxmox-daily-update.rs        |   6 --
 src/bin/proxmox_backup_manager/acme.rs |   8 --
 5 files changed, 86 insertions(+), 39 deletions(-)

proxmox-datacenter-manager:

Manuel Federanko (1):
  acme: certificates: fix #6372 use ARI for renewal if available.

 cli/admin/src/acme.rs                          |   7 -
 server/src/api/nodes/certificates.rs           | 129 +++++++++++++++--
 ...proxmox-datacenter-manager-daily-update.rs  |   5 -
 3 files changed, 113 insertions(+), 28 deletions(-)

Summary over all repositories:
  16 files changed, 386 insertions(+), 75 deletions(-)

--
Generated by murpp 0.12.0
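The two mechanisms the cover letter describes, as an added stand-alone example (not code from proxmox-acme, proxmox-backup or the series itself): building the ARI certificate identifier that the RFC 9773 renewalInfo request is keyed on (the role the new `ari_id` field plays), and the "ask the server for a renewal window first, fall back to life-time based lead percentages" decision, together with Retry-After handling of the kind listed under further work. All function and struct names are assumptions; the `fallback_lead` fraction is an illustrative value rather than the projects' tuning, and the AKI and serial number bytes are constructed sample values.

```rust
// Added example: ACME ARI helpers modelled on RFC 9773. Not proxmox-acme code;
// all names here are assumptions. Timestamps are Unix seconds; a real client
// derives them from the certificate and the RFC 3339 strings of the
// renewalInfo response.

const B64URL: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/// Unpadded base64url, the encoding RFC 9773 requires for both halves of the certID.
pub fn base64url_nopad(data: &[u8]) -> String {
    let mut out = String::with_capacity((data.len() * 4 + 2) / 3);
    for chunk in data.chunks(3) {
        let b0 = chunk[0] as u32;
        let b1 = *chunk.get(1).unwrap_or(&0) as u32;
        let b2 = *chunk.get(2).unwrap_or(&0) as u32;
        let n = (b0 << 16) | (b1 << 8) | b2;
        out.push(B64URL[(n >> 18) as usize & 63] as char);
        out.push(B64URL[(n >> 12) as usize & 63] as char);
        if chunk.len() > 1 { out.push(B64URL[(n >> 6) as usize & 63] as char); }
        if chunk.len() > 2 { out.push(B64URL[n as usize & 63] as char); }
    }
    out
}

/// Content bytes of the DER INTEGER for a positive serial number: drop redundant
/// leading zero bytes, then prepend 0x00 if the top bit would mark it negative.
/// The certID uses exactly these bytes (DER encoding without tag and length).
pub fn der_integer_bytes(serial: &[u8]) -> Vec<u8> {
    let mut v: Vec<u8> = serial.iter().copied().skip_while(|&b| b == 0).collect();
    if v.is_empty() { v.push(0); }
    if v[0] & 0x80 != 0 { v.insert(0, 0); }
    v
}

/// certID = base64url(AKI keyIdentifier) "." base64url(DER serial bytes); this is
/// appended to the directory's renewalInfo URL when fetching the window.
pub fn ari_cert_id(aki_key_identifier: &[u8], serial: &[u8]) -> String {
    format!("{}.{}", base64url_nopad(aki_key_identifier), base64url_nopad(&der_integer_bytes(serial)))
}

#[derive(Clone, Copy, Debug)]
pub struct CertValidity { pub not_before: i64, pub not_after: i64 }

/// The suggestedWindow of a renewalInfo response.
#[derive(Clone, Copy, Debug)]
pub struct SuggestedWindow { pub start: i64, pub end: i64 }

/// Earliest time at which the client should start a renewal order.
/// `pick` in [0, 1] selects a point inside the ARI window; a real client draws it
/// uniformly at random so that many clients do not all renew at the same instant.
/// Without a usable window, renewal starts once `fallback_lead` of the life-time
/// has elapsed (assumed fraction, not the projects' own percentages).
pub fn renewal_start(cert: &CertValidity, ari: Option<&SuggestedWindow>, pick: f64, fallback_lead: f64) -> i64 {
    match ari {
        Some(w) if w.end >= w.start => {
            let span = (w.end - w.start) as f64;
            w.start + (span * pick.clamp(0.0, 1.0)).round() as i64
        }
        // No window, or a malformed one: fall back to the life-time based rule.
        _ => {
            let lifetime = (cert.not_after - cert.not_before).max(0) as f64;
            cert.not_before + (lifetime * fallback_lead.clamp(0.0, 1.0)).round() as i64
        }
    }
}

/// The check a periodic worker performs: renew once the chosen start time has passed.
pub fn should_renew(now: i64, cert: &CertValidity, ari: Option<&SuggestedWindow>, pick: f64, fallback_lead: f64) -> bool {
    now >= renewal_start(cert, ari, pick, fallback_lead)
}

/// When to ask the server for a window again: honour Retry-After (seconds) if the
/// server sent it, otherwise re-check after the worker's default interval.
pub fn next_ari_check(now: i64, retry_after_secs: Option<u64>, default_interval: i64) -> i64 {
    match retry_after_secs {
        Some(s) => now + s as i64,
        None => now + default_interval,
    }
}

fn main() {
    // Constructed sample AKI key identifier (20 bytes) and serial number.
    let aki = [0x69u8, 0x88, 0x5B, 0x6B, 0x87, 0x46, 0x40, 0x41, 0xE1, 0xB3,
               0x7B, 0x84, 0x7B, 0xA0, 0xAE, 0x2C, 0xDE, 0x01, 0xC8, 0xD4];
    println!("certID: {}", ari_cert_id(&aki, &[0x87, 0x65, 0x43, 0x21]));
    const DAY: i64 = 86_400;
    let cert = CertValidity { not_before: 0, not_after: 90 * DAY };
    let window = SuggestedWindow { start: 60 * DAY, end: 62 * DAY };
    println!("ARI start: day {}", renewal_start(&cert, Some(&window), 0.5, 2.0 / 3.0) / DAY);
    println!("fallback start: day {}", renewal_start(&cert, None, 0.5, 2.0 / 3.0) / DAY);
    println!("next check: {}", next_ari_check(1_000, Some(30), 6 * 3_600));
}
```

Keeping the random point in the window as a parameter rather than drawing it inside `renewal_start` is what makes the decision testable; the worker draws `pick` once per certificate and persists it, otherwise a new draw at every run would pull renewal forward to the window start.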