From: "Lukas Wagner"
To: "Shan Shaji" ,
Subject: Re: [PATCH datacenter-manager v2 0/4] fix #7179: expose ACME commands inside admin CLI
Date: Thu, 05 Feb 2026 15:25:15 +0100
References: <20260203175101.457724-1-s.shaji@proxmox.com>
In-Reply-To: <20260203175101.457724-1-s.shaji@proxmox.com>

On Tue Feb 3, 2026 at 6:50 PM CET, Shan Shaji wrote:
> Previously, ACME commands were not exposed through the admin CLI.
> Added the necessary functionality to manage ACME settings directly
> via the command line. The changes are done by taking reference from
> the proxmox-backup codebase.
>
> The `tasklog_pbs` function in the `proxmox-log` crate has been renamed
> in the following patch [1]. To test the changes introduced by
> this series, it must be applied.

I mentioned it in the patch as well, but actually it would be best to keep it as `tasklog_pbs` for now, so that we can apply these changes without awaiting the proxmox-log version bump. See the patch for a more detailed explanation.

>
> **note**: The completions were not working in general. Investigating it
> separately.
>
> changes since v1: Thanks @Lukas
> - fixed formatting.
> - refactor the input prompt into a separate method - `read_input`.
> - defined a new struct `AcmeRegistrationParams` and update the API
>   method signature to accept only one parameter.
> - used the API `register_account` method instead of using the
>   `proxmox-acme-api::register_account` function.
> - added `tasklog` layer to capture worker task logs.
> - added `context` method to preserve the error messages.
>
> Testing
> =======
>
> In general I have verified the following commands, i.e.:
> - account (deactivate, info, list, update)
> - certificate (order, revoke)
> - plugin (add, config, list, remove, set)
> - Verified external account binding using google's ACME directory
>   url and public CA (GTS).
>
> ### Certificate Creation
>
> http-01 challenge:
> -----------------
>
> I have tested the http-01 challenge verification using a test
> pebble server.
>
> Steps followed to test the changes:
>
> 1. Installed the changes inside a PDM VM.
> 2. install Pebble from Let's Encrypt [2] on the same VM:
>
>     cd
>     apt update
>     apt install -y golang git
>     git clone https://github.com/letsencrypt/pebble
>     cd pebble
>     go build ./cmd/pebble
>
> then, download and trust the Pebble cert:
>
>     wget https://raw.githubusercontent.com/letsencrypt/pebble/main/test/certs/pebble.minica.pem
>     cp pebble.minica.pem /usr/local/share/ca-certificates/pebble.minica.crt
>     update-ca-certificates
>
> 3. We want Pebble to perform HTTP-01 validation against port 80, because
>    PDM's standalone plugin will bind port 80. Set httpPort to 80.
>
>     nano ./test/config/pebble-config.json
>
> 4. Start the Pebble server in the background:
>
>     ./pebble -config ./test/config/pebble-config.json &
>
> 5. Created a Pebble ACME account:
>
>     proxmox-datacenter-manager-admin acme account register default admin@example.com --directory 'https://127.0.0.1:14000/dir'
>
> 6. Added a new ACME domain pdm.proxmox.com with HTTP challenge type. Then
>    ran the following command.

Seems like there is no way to set ACME domains via the CLI? This could be a good future addition IMO.

Reviewed and (partially) tested these changes, using the HTTP challenge using pebble. I did not test anything DNS-related.

Most of my suggestions for v3 are rather trivial, so feel free to include these trailers:

Reviewed-by: Lukas Wagner
Tested-by: Lukas Wagner
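The Pebble http-01 test setup from the cover letter as one non-interactive script. This is an added example, not code from the patch series or from Proxmox; it assumes a Debian-based PDM VM run as root, replaces the manual nano edit of `httpPort` with a sed rewrite that is verified afterwards, and polls the directory URL before registering the account.

```shell
#!/bin/sh
# Added example: scripted Pebble http-01 test environment for the PDM admin CLI.
# Assumes root on a Debian-based PDM VM (apt, sed, curl available or installable).
set -eu

PEBBLE_DIR="${PEBBLE_DIR:-$HOME/pebble}"          # cover letter clones into $HOME
PEBBLE_CONF="test/config/pebble-config.json"      # relative to PEBBLE_DIR
ACME_DIR_URL="https://127.0.0.1:14000/dir"        # Pebble's default directory URL

# Rewrite "httpPort" so Pebble validates http-01 against port 80, where
# PDM's standalone plugin listens. Replaces the interactive nano step.
set_pebble_http_port() {  # $1 = config file, $2 = port
    sed -E -i "s/\"httpPort\"[[:space:]]*:[[:space:]]*[0-9]+/\"httpPort\": $2/" "$1"
}

# Print the configured httpPort (empty if absent) so the edit can be checked.
get_pebble_http_port() {  # $1 = config file
    sed -nE 's/.*"httpPort"[[:space:]]*:[[:space:]]*([0-9]+).*/\1/p' "$1" | head -n1
}

# Poll the ACME directory until Pebble answers; fail after $2 seconds.
wait_for_pebble() {  # $1 = directory URL, $2 = timeout in seconds
    i=0
    while [ "$i" -lt "$2" ]; do
        if curl -fsS "$1" >/dev/null 2>&1; then return 0; fi
        i=$((i + 1)); sleep 1
    done
    return 1
}

main() {
    apt update && apt install -y golang git curl wget
    [ -d "$PEBBLE_DIR" ] || git clone https://github.com/letsencrypt/pebble "$PEBBLE_DIR"
    cd "$PEBBLE_DIR"
    go build ./cmd/pebble
    # Trust Pebble's test CA so PDM accepts the directory's TLS certificate.
    wget -q https://raw.githubusercontent.com/letsencrypt/pebble/main/test/certs/pebble.minica.pem
    cp pebble.minica.pem /usr/local/share/ca-certificates/pebble.minica.crt
    update-ca-certificates
    set_pebble_http_port "$PEBBLE_CONF" 80
    [ "$(get_pebble_http_port "$PEBBLE_CONF")" = "80" ] || { echo "httpPort not set" >&2; exit 1; }
    ./pebble -config "$PEBBLE_CONF" &
    wait_for_pebble "$ACME_DIR_URL" 30
    # Account registration command exactly as used in the cover letter.
    proxmox-datacenter-manager-admin acme account register default admin@example.com \
        --directory "$ACME_DIR_URL"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `--run`; without the flag only the helper functions are defined, which keeps the config-editing logic testable on its own.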