* [pve-devel] [PATCH manager/proxmox-acme/pwt 0/3] fix #3536 add http proxy support for acme
@ 2021-11-09 16:36 Stoiko Ivanov
  2021-11-09 16:36 ` [pve-devel] [PATCH proxmox-acme 1/2] add support for proxies Stoiko Ivanov
                   ` (5 more replies)
  0 siblings, 6 replies; 10+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:36 UTC (permalink / raw)
  To: pve-devel

the individual patches are mostly short and hopefully self-explaining

The change in the gui to reuse the components from proxmox-widget-toolkit is
a result of preparing the series also for pmg and pbs and noticing that this
at least is an area, where reuse seems easy.

Tested on my setup with a publicly exposed powerdns-plugin and Let's Encrypt
(mostly staging)

proxmox-acme:
Stoiko Ivanov (2):
  add support for proxies
  dns-challenge: add 'use-proxy' property

 src/PVE/ACME.pm              |  6 ++++++
 src/PVE/ACME/DNSChallenge.pm | 10 +++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

proxmox-widget-toolkit:
Stoiko Ivanov (1):
  acmeplugin: add use-proxy checkbox

 src/window/ACMEPluginEdit.js | 8 ++++++++
 1 file changed, 8 insertions(+)

pve-manager:
Stoiko Ivanov (3):
  api: acme: set http_proxy if configured in datacenter.cfg
  api: acme: dns-plugin: conditionally pass proxy to acme.sh wrapper
  gui: use acme plugin editor from proxmox-widget-toolkit

 PVE/API2/ACME.pm                   |  20 +++
 PVE/API2/ACMEAccount.pm            |  17 +++
 www/manager6/Makefile              |   1 -
 www/manager6/dc/ACMEClusterView.js |  13 +-
 www/manager6/dc/ACMEPluginEdit.js  | 223 -----------------------------
 5 files changed, 47 insertions(+), 227 deletions(-)
 delete mode 100644 www/manager6/dc/ACMEPluginEdit.js

-- 
2.30.2






* [pve-devel] [PATCH proxmox-acme 1/2] add support for proxies
  2021-11-09 16:36 [pve-devel] [PATCH manager/proxmox-acme/pwt 0/3] fix #3536 add http proxy support for acme Stoiko Ivanov
@ 2021-11-09 16:36 ` Stoiko Ivanov
  2021-11-09 17:05   ` [pve-devel] applied: " Thomas Lamprecht
  2021-11-09 16:36 ` [pve-devel] [PATCH proxmox-acme 2/2] dns-challenge: add 'use-proxy' property Stoiko Ivanov
                   ` (4 subsequent siblings)
  5 siblings, 1 reply; 10+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:36 UTC (permalink / raw)
  To: pve-devel

by setting the proxy for the LWP::UserAgent

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PVE/ACME.pm | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
index 57578d7..3f66182 100644
--- a/src/PVE/ACME.pm
+++ b/src/PVE/ACME.pm
@@ -113,6 +113,12 @@ sub new($$$) {
     return bless $self, $class;
 }
 
+sub set_proxy($$) {
+    my ($self, $proxy) = @_;
+
+    $self->{ua}->proxy('https', $proxy);
+}
+
 # RS256: PKCS#1 padding, no OAEP, SHA256
 my $configure_key = sub {
     my ($key) = @_;
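
Review bot: set_proxy() hands $proxy to the user agent unchecked and only for the 'https' scheme. A short comment stating the expected form of $proxy (a full URL including its scheme) and that plain-http requests stay unproxied would document the contract, and a die on an undefined or empty value would catch a caller bug here rather than at request time.
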
-- 
2.30.2






* [pve-devel] [PATCH proxmox-acme 2/2] dns-challenge: add 'use-proxy' property
  2021-11-09 16:36 [pve-devel] [PATCH manager/proxmox-acme/pwt 0/3] fix #3536 add http proxy support for acme Stoiko Ivanov
  2021-11-09 16:36 ` [pve-devel] [PATCH proxmox-acme 1/2] add support for proxies Stoiko Ivanov
@ 2021-11-09 16:36 ` Stoiko Ivanov
  2021-11-09 17:09   ` [pve-devel] applied: " Thomas Lamprecht
  2021-11-09 16:36 ` [pve-devel] [PATCH widget-toolkit 1/1] acmeplugin: add use-proxy checkbox Stoiko Ivanov
                   ` (3 subsequent siblings)
  5 siblings, 1 reply; 10+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:36 UTC (permalink / raw)
  To: pve-devel

this patch adds an optional 'use-proxy' property to the dns
challenges.

If set to 1 the caller is expected to add the proxy url in the plugin
config, which is then set as 'http_proxy' and 'https_proxy'
environment variable by the plugin caller (and then used by curl)

Tested with the pdns plugin, direct traffic to the pdns server being
dropped, and a configured squid proxy

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PVE/ACME/DNSChallenge.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/PVE/ACME/DNSChallenge.pm b/src/PVE/ACME/DNSChallenge.pm
index 9b28970..c03b3db 100644
--- a/src/PVE/ACME/DNSChallenge.pm
+++ b/src/PVE/ACME/DNSChallenge.pm
@@ -50,7 +50,12 @@ sub properties {
 	    optional => 1,
 	    minimum => 0,
 	    maximum => 2 * 24 * 60 * 60,
-	}
+	},
+	'use-proxy' => {
+	    description => "Flag indicating whether a http proxy should be used.",
+	    type => 'boolean',
+	    optional => 1,
+	},
     };
 }
 
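Review bot: the description of 'use-proxy' does not say which proxy is meant or what the default is. Since the property is only a flag and the URL is supplied by the caller, say so in the description (the caller's configured http proxy is passed to the plugin) and state the default explicitly.
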
@@ -61,6 +66,7 @@ sub options {
 	nodes => { optional => 1 },
 	disable => { optional => 1 },
 	'validation-delay' => { optional => 1 },
+	'use-proxy' => { optional => 1 },
     };
 }
 
@@ -78,6 +84,7 @@ my $proxmox_acme_command = sub {
     my $txtvalue = PVE::ACME::encode(sha256($key_auth));
     my $dnsplugin = $data->{plugin}->{api};
     my $plugin_conf_string = $data->{plugin}->{data};
+    my $proxy = $data->{plugin}->{proxy};
 
     # for security reasons, we execute the command as nobody
     # we can't verify that the code of the DNSPlugins are harmless.
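Review bot: `$data->{plugin}->{proxy}` is an undocumented input of this function, and it is read right above the comment stating that plugin code cannot be verified as harmless. Document the key next to the other `$data->{plugin}` fields, and note there that a proxy URL containing credentials becomes readable by that plugin code.
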
@@ -93,6 +100,7 @@ my $proxmox_acme_command = sub {
     }
     my $input = "$txtvalue\n";
     $input .= "$plugin_conf_string\n" if $plugin_conf_string;
+    $input .= "https_proxy=$proxy\nhttp_proxy=$proxy\n" if $proxy;
 
     PVE::Tools::run_command($cmd, input => $input);
 
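Review bot: `$proxy` is interpolated into the line-based input at `$input .= "https_proxy=$proxy\nhttp_proxy=$proxy\n"` without any check. A value containing a newline would add further lines to what the wrapper reads; validate it before appending (for example die unless it matches a URL pattern without whitespace) so that these two variables are the only thing this line can set.
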
-- 
2.30.2






* [pve-devel] [PATCH widget-toolkit 1/1] acmeplugin: add use-proxy checkbox
  2021-11-09 16:36 [pve-devel] [PATCH manager/proxmox-acme/pwt 0/3] fix #3536 add http proxy support for acme Stoiko Ivanov
  2021-11-09 16:36 ` [pve-devel] [PATCH proxmox-acme 1/2] add support for proxies Stoiko Ivanov
  2021-11-09 16:36 ` [pve-devel] [PATCH proxmox-acme 2/2] dns-challenge: add 'use-proxy' property Stoiko Ivanov
@ 2021-11-09 16:36 ` Stoiko Ivanov
  2021-11-09 16:36 ` [pve-devel] [PATCH manager 1/3] api: acme: set http_proxy if configured in datacenter.cfg Stoiko Ivanov
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 10+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:36 UTC (permalink / raw)
  To: pve-devel

if set the plugin will use the http_proxy configured on the
node/datacenter.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/window/ACMEPluginEdit.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/window/ACMEPluginEdit.js b/src/window/ACMEPluginEdit.js
index 237b362..406f14e 100644
--- a/src/window/ACMEPluginEdit.js
+++ b/src/window/ACMEPluginEdit.js
@@ -216,6 +216,14 @@ Ext.define('Proxmox.window.ACMEPluginEdit', {
 		    name: 'hint',
 		    hidden: true,
 		},
+		{
+		    xtype: 'proxmoxcheckbox',
+		    fieldLabel: gettext('Use http proxy'),
+		    defaultValue: false,
+		    deleteDefaultValue: true,
+		    labelWidth: 150,
+		    name: 'use-proxy',
+		},
 	    ],
 	},
     ],
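
Review bot: the label 'Use http proxy' gives no hint which proxy is used, and the checkbox has no tooltip. Per the commit message it is the http_proxy configured on the node/datacenter; a tooltip or a longer label saying so would save users a trip to the docs, and 'HTTP' is normally capitalised in labels.
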
-- 
2.30.2






* [pve-devel] [PATCH manager 1/3] api: acme: set http_proxy if configured in datacenter.cfg
  2021-11-09 16:36 [pve-devel] [PATCH manager/proxmox-acme/pwt 0/3] fix #3536 add http proxy support for acme Stoiko Ivanov
                   ` (2 preceding siblings ...)
  2021-11-09 16:36 ` [pve-devel] [PATCH widget-toolkit 1/1] acmeplugin: add use-proxy checkbox Stoiko Ivanov
@ 2021-11-09 16:36 ` Stoiko Ivanov
  2021-11-09 17:08   ` Thomas Lamprecht
  2021-11-09 16:36 ` [pve-devel] [PATCH manager 2/3] api: acme: dns-plugin: conditionally pass proxy to acme.sh wrapper Stoiko Ivanov
  2021-11-09 16:36 ` [pve-devel] [PATCH manager 3/3] gui: use acme plugin editor from proxmox-widget-toolkit Stoiko Ivanov
  5 siblings, 1 reply; 10+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:36 UTC (permalink / raw)
  To: pve-devel

partially fixes #3536

If a http_proxy is set in the datacenter config, use it for
communicating with the (usually public) Acme provider.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 PVE/API2/ACME.pm        | 13 +++++++++++++
 PVE/API2/ACMEAccount.pm | 17 +++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/PVE/API2/ACME.pm b/PVE/API2/ACME.pm
index 393e6b01..6e6f44f6 100644
--- a/PVE/API2/ACME.pm
+++ b/PVE/API2/ACME.pm
@@ -6,6 +6,7 @@ use warnings;
 use PVE::ACME;
 use PVE::CertHelpers;
 use PVE::Certificate;
+use PVE::Cluster;
 use PVE::Exception qw(raise raise_param_exc);
 use PVE::JSONSchema qw(get_standard_option);
 use PVE::NodeConfig;
@@ -207,6 +208,10 @@ __PACKAGE__->register_method ({
 		if ! -e $account_file;
 
 	    my $acme = PVE::ACME->new($account_file);
+	    my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
+	    if (my $http_proxy = $dccfg->{http_proxy}) {
+		$acme->set_proxy($http_proxy);
+	    }
 
 	    print "Loading ACME account details\n";
 	    $acme->load();
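
Review bot: the four added lines that read datacenter.cfg and call set_proxy() are repeated verbatim in every hunk of this patch, in both files. A small shared helper that takes `$acme` (or returns a ready-configured PVE::ACME object) would keep the call sites from drifting apart when the proxy handling changes.
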
@@ -284,6 +289,10 @@ __PACKAGE__->register_method ({
 		if ! -e $account_file;
 
 	    my $acme = PVE::ACME->new($account_file);
+	    my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
+	    if (my $http_proxy = $dccfg->{http_proxy}) {
+		$acme->set_proxy($http_proxy);
+	    }
 
 	    print "Loading ACME account details\n";
 	    $acme->load();
@@ -352,6 +361,10 @@ __PACKAGE__->register_method ({
 		if ! -e $account_file;
 
 	    my $acme = PVE::ACME->new($account_file);
+	    my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
+	    if (my $http_proxy = $dccfg->{http_proxy}) {
+		$acme->set_proxy($http_proxy);
+	    }
 
 	    print "Loading ACME account details\n";
 	    $acme->load();
diff --git a/PVE/API2/ACMEAccount.pm b/PVE/API2/ACMEAccount.pm
index b790843a..218b84fe 100644
--- a/PVE/API2/ACMEAccount.pm
+++ b/PVE/API2/ACMEAccount.pm
@@ -5,6 +5,7 @@ use warnings;
 
 use PVE::ACME;
 use PVE::CertHelpers;
+use PVE::Cluster;
 use PVE::Exception qw(raise_param_exc);
 use PVE::JSONSchema qw(get_standard_option);
 use PVE::RPCEnvironment;
@@ -142,6 +143,10 @@ __PACKAGE__->register_method ({
 		    if -e $account_file;
 
 		my $acme = PVE::ACME->new($account_file, $directory);
+		my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
+		if (my $http_proxy = $dccfg->{http_proxy}) {
+		    $acme->set_proxy($http_proxy);
+		}
 		print "Generating ACME account key..\n";
 		$acme->init(4096);
 		print "Registering ACME account..\n";
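
Review bot: nothing in the task output shows that a proxy is in effect, although this code path already prints progress lines such as "Generating ACME account key..". Printing a line when `$http_proxy` is set (host only, without any user info part) would make failed registrations behind a proxy much easier to diagnose.
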
@@ -177,6 +182,10 @@ my $update_account = sub {
 		if ! -e $account_file;
 
 	    my $acme = PVE::ACME->new($account_file);
+	    my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
+	    if (my $http_proxy = $dccfg->{http_proxy}) {
+		$acme->set_proxy($http_proxy);
+	    }
 	    $acme->load();
 	    $acme->update_account(%info);
 	    if ($info{status} && $info{status} eq 'deactivated') {
@@ -276,6 +285,10 @@ __PACKAGE__->register_method ({
 	    if ! -e $account_file;
 
 	my $acme = PVE::ACME->new($account_file);
+	my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
+	if (my $http_proxy = $dccfg->{http_proxy}) {
+	    $acme->set_proxy($http_proxy);
+	}
 	$acme->load();
 
 	my $res = {};
@@ -334,6 +347,10 @@ __PACKAGE__->register_method ({
 	my $directory = extract_param($param, 'directory') // $acme_default_directory_url;
 
 	my $acme = PVE::ACME->new(undef, $directory);
+	my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
+	if (my $http_proxy = $dccfg->{http_proxy}) {
+	    $acme->set_proxy($http_proxy);
+	}
 	my $meta = $acme->get_meta();
 
 	return $meta ? $meta->{termsOfService} : undef;
-- 
2.30.2






* [pve-devel] [PATCH manager 2/3] api: acme: dns-plugin: conditionally pass proxy to acme.sh wrapper
  2021-11-09 16:36 [pve-devel] [PATCH manager/proxmox-acme/pwt 0/3] fix #3536 add http proxy support for acme Stoiko Ivanov
                   ` (3 preceding siblings ...)
  2021-11-09 16:36 ` [pve-devel] [PATCH manager 1/3] api: acme: set http_proxy if configured in datacenter.cfg Stoiko Ivanov
@ 2021-11-09 16:36 ` Stoiko Ivanov
  2021-11-09 16:36 ` [pve-devel] [PATCH manager 3/3] gui: use acme plugin editor from proxmox-widget-toolkit Stoiko Ivanov
  5 siblings, 0 replies; 10+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:36 UTC (permalink / raw)
  To: pve-devel

partially fixes #3536

If an acme (dns) plugin has set the 'use-proxy' flag, pass
the http_proxy configured in datacenter.cfg.

The setting is configurable for each dns-plugin, based on the
assumption that some dns-apis might be 'local' (e.g. a pdns-server in
the internal network) and communication with them must not pass
through the proxy.

The implementation follows the one in PMG

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 PVE/API2/ACME.pm | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/PVE/API2/ACME.pm b/PVE/API2/ACME.pm
index 6e6f44f6..de6068bf 100644
--- a/PVE/API2/ACME.pm
+++ b/PVE/API2/ACME.pm
@@ -74,6 +74,13 @@ my $order_certificate = sub {
 	    die "plugin '$plugin_id' for domain '$domain' not found!\n"
 		if !$plugin_cfg;
 
+	    if ($plugin_cfg->{'use-proxy'}) {
+		my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
+		if (my $http_proxy = $dccfg->{http_proxy}) {
+		    $plugin_cfg->{proxy} = $http_proxy;
+		}
+	    }
+
 	    my $data = {
 		plugin => $plugin_cfg,
 		alias => $domain_config->{alias},
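
Review bot: when 'use-proxy' is set but datacenter.cfg has no http_proxy, the inner `if` is skipped and the order proceeds without a proxy and without any message. Warn or die in that case, since the admin explicitly asked for proxied access. Writing `$plugin_cfg->{proxy}` also modifies the plugin config hash in place, so a comment that 'proxy' is a transient key and not a plugin property would help.
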
-- 
2.30.2






* [pve-devel] [PATCH manager 3/3] gui: use acme plugin editor from proxmox-widget-toolkit
  2021-11-09 16:36 [pve-devel] [PATCH manager/proxmox-acme/pwt 0/3] fix #3536 add http proxy support for acme Stoiko Ivanov
                   ` (4 preceding siblings ...)
  2021-11-09 16:36 ` [pve-devel] [PATCH manager 2/3] api: acme: dns-plugin: conditionally pass proxy to acme.sh wrapper Stoiko Ivanov
@ 2021-11-09 16:36 ` Stoiko Ivanov
  5 siblings, 0 replies; 10+ messages in thread
From: Stoiko Ivanov @ 2021-11-09 16:36 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 www/manager6/Makefile              |   1 -
 www/manager6/dc/ACMEClusterView.js |  13 +-
 www/manager6/dc/ACMEPluginEdit.js  | 223 -----------------------------
 3 files changed, 10 insertions(+), 227 deletions(-)
 delete mode 100644 www/manager6/dc/ACMEPluginEdit.js

diff --git a/www/manager6/Makefile b/www/manager6/Makefile
index 4011d4e5..302a106d 100644
--- a/www/manager6/Makefile
+++ b/www/manager6/Makefile
@@ -120,7 +120,6 @@ JSSRC= 							\
 	ha/StatusView.js				\
 	dc/ACLView.js					\
 	dc/ACMEClusterView.js				\
-	dc/ACMEPluginEdit.js				\
 	dc/AuthEditBase.js				\
 	dc/AuthEditAD.js				\
 	dc/AuthEditLDAP.js				\
diff --git a/www/manager6/dc/ACMEClusterView.js b/www/manager6/dc/ACMEClusterView.js
index d02aeef0..2237314b 100644
--- a/www/manager6/dc/ACMEClusterView.js
+++ b/www/manager6/dc/ACMEClusterView.js
@@ -130,7 +130,11 @@ Ext.define('PVE.dc.ACMEPluginView', {
 
 	addPlugin: function() {
 	    let me = this;
-	    Ext.create('PVE.dc.ACMEPluginEditor', {
+	    let acmeUrl = '/cluster/acme/';
+	    Ext.create('Proxmox.window.ACMEPluginEdit', {
+		onlineHelp: 'sysadmin_certs_acme_plugins',
+		acmeUrl: acmeUrl,
+		url: `${acmeUrl}/plugins/`,
 		isCreate: true,
 		apiCallDone: function() {
 		    me.reload();
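
Review bot: `acmeUrl` ends in a slash and the template `${acmeUrl}/plugins/` adds another, so the request path becomes '/cluster/acme//plugins/' where the removed editor used '/cluster/acme/plugins/'. Drop the trailing slash from `acmeUrl` or the leading one in the template.
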
@@ -144,8 +148,11 @@ Ext.define('PVE.dc.ACMEPluginView', {
 	    let selection = view.getSelection();
 	    if (selection.length < 1) return;
 	    let plugin = selection[0].data.plugin;
-	    Ext.create('PVE.dc.ACMEPluginEditor', {
-		url: `/cluster/acme/plugins/${plugin}`,
+	    let acmeUrl = '/cluster/acme/';
+	    Ext.create('Proxmox.window.ACMEPluginEdit', {
+		onlineHelp: 'sysadmin_certs_acme_plugins',
+		acmeUrl: acmeUrl,
+		url: `${acmeUrl}/plugins/${plugin}`,
 		apiCallDone: function() {
 		    me.reload();
 		},
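
Review bot: the `acmeUrl` literal and the `onlineHelp` value are repeated here from addPlugin; defining them once on the view avoids the two copies diverging. The edit URL `${acmeUrl}/plugins/${plugin}` also ends up with a doubled slash.
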
diff --git a/www/manager6/dc/ACMEPluginEdit.js b/www/manager6/dc/ACMEPluginEdit.js
deleted file mode 100644
index 570b4dd2..00000000
--- a/www/manager6/dc/ACMEPluginEdit.js
+++ /dev/null
@@ -1,223 +0,0 @@
-Ext.define('PVE.dc.ACMEPluginEditor', {
-    extend: 'Proxmox.window.Edit',
-    xtype: 'pveACMEPluginEditor',
-    mixins: ['Proxmox.Mixin.CBind'],
-
-    onlineHelp: 'sysadmin_certs_acme_plugins',
-
-    isAdd: true,
-    isCreate: false,
-
-    width: 550,
-    url: '/cluster/acme/plugins/',
-
-    subject: 'ACME DNS Plugin',
-
-    items: [
-	{
-	    xtype: 'inputpanel',
-	    // we dynamically create fields from the given schema
-	    // things we have to do here:
-	    // * save which fields we created to remove them again
-	    // * split the data from the generic 'data' field into the boxes
-	    // * on deletion collect those values again
-	    // * save the original values of the data field
-	    createdFields: {},
-	    createdInitially: false,
-	    originalValues: {},
-	    createSchemaFields: function(schema) {
-		let me = this;
-		// we know where to add because we define it right below
-		let container = me.down('container');
-		let datafield = me.down('field[name=data]');
-		let hintfield = me.down('field[name=hint]');
-		if (!me.createdInitially) {
-		    [me.originalValues] = PVE.Parser.parseACMEPluginData(datafield.getValue());
-		}
-
-		// collect values from custom fields and add it to 'data'',
-		// then remove the custom fields
-		let data = [];
-		for (const [name, field] of Object.entries(me.createdFields)) {
-		    let value = field.getValue();
-		    if (value !== undefined && value !== null && value !== '') {
-			data.push(`${name}=${value}`);
-		    }
-		    container.remove(field);
-		}
-		let datavalue = datafield.getValue();
-		if (datavalue !== undefined && datavalue !== null && datavalue !== '') {
-		    data.push(datavalue);
-		}
-		datafield.setValue(data.join('\n'));
-
-		me.createdFields = {};
-
-		if (typeof schema.fields !== 'object') {
-		    schema.fields = {};
-		}
-		// create custom fields according to schema
-		let gotSchemaField = false;
-		let cmp = (a, b) => a[0].localeCompare(b[0]);
-		for (const [name, definition] of Object.entries(schema.fields).sort(cmp)) {
-		    let xtype;
-		    switch (definition.type) {
-			case 'string':
-			    xtype = 'proxmoxtextfield';
-			    break;
-			case 'integer':
-			    xtype = 'proxmoxintegerfield';
-			    break;
-			case 'number':
-			    xtype = 'numberfield';
-			    break;
-			default:
-			    console.warn(`unknown type '${definition.type}'`);
-			    xtype = 'proxmoxtextfield';
-			    break;
-		    }
-
-		    let label = name;
-		    if (typeof definition.name === "string") {
-			label = definition.name;
-		    }
-
-		    let field = Ext.create({
-			xtype,
-			name: `custom_${name}`,
-			fieldLabel: label,
-			width: '100%',
-			labelWidth: 150,
-			labelSeparator: '=',
-			emptyText: definition.default || '',
-			autoEl: definition.description ? {
-			    tag: 'div',
-			    'data-qtip': definition.description,
-			} : undefined,
-		    });
-
-		    me.createdFields[name] = field;
-		    container.add(field);
-		    gotSchemaField = true;
-		}
-		datafield.setHidden(gotSchemaField); // prefer schema-fields
-
-		if (schema.description) {
-		    hintfield.setValue(schema.description);
-		    hintfield.setHidden(false);
-		} else {
-		    hintfield.setValue('');
-		    hintfield.setHidden(true);
-		}
-
-		// parse data from field and set it to the custom ones
-		let extradata = [];
-		[data, extradata] = PVE.Parser.parseACMEPluginData(datafield.getValue());
-		for (const [key, value] of Object.entries(data)) {
-		    if (me.createdFields[key]) {
-			me.createdFields[key].setValue(value);
-			me.createdFields[key].originalValue = me.originalValues[key];
-		    } else {
-			extradata.push(`${key}=${value}`);
-		    }
-		}
-		datafield.setValue(extradata.join('\n'));
-		if (!me.createdInitially) {
-		    datafield.resetOriginalValue();
-		    me.createdInitially = true; // save that we initally set that
-		}
-	    },
-	    onGetValues: function(values) {
-		let me = this;
-		let win = me.up('pveACMEPluginEditor');
-		if (win.isCreate) {
-		    values.id = values.plugin;
-		    values.type = 'dns'; // the only one for now
-		}
-		delete values.plugin;
-
-		PVE.Utils.delete_if_default(values, 'validation-delay', '30', win.isCreate);
-
-		let data = '';
-		for (const [name, field] of Object.entries(me.createdFields)) {
-		    let value = field.getValue();
-		    if (value !== null && value !== undefined && value !== '') {
-			data += `${name}=${value}\n`;
-		    }
-		    delete values[`custom_${name}`];
-		}
-		values.data = Ext.util.Base64.encode(data + values.data);
-		return values;
-	    },
-	    items: [
-		{
-		    xtype: 'pmxDisplayEditField',
-		    cbind: {
-			editable: (get) => get('isCreate'),
-			submitValue: (get) => get('isCreate'),
-		    },
-		    editConfig: {
-			flex: 1,
-			xtype: 'proxmoxtextfield',
-			allowBlank: false,
-		    },
-		    name: 'plugin',
-		    labelWidth: 150,
-		    fieldLabel: gettext('Plugin ID'),
-		},
-		{
-		    xtype: 'proxmoxintegerfield',
-		    name: 'validation-delay',
-		    labelWidth: 150,
-		    fieldLabel: gettext('Validation Delay'),
-		    emptyText: 30,
-		    cbind: {
-			deleteEmpty: '{!isCreate}',
-		    },
-		    minValue: 0,
-		    maxValue: 48*60*60,
-		},
-		{
-		    xtype: 'pveACMEApiSelector',
-		    name: 'api',
-		    labelWidth: 150,
-		    listeners: {
-			change: function(selector) {
-			    let schema = selector.getSchema();
-			    selector.up('inputpanel').createSchemaFields(schema);
-			},
-		    },
-		},
-		{
-		    xtype: 'textarea',
-		    fieldLabel: gettext('API Data'),
-		    labelWidth: 150,
-		    name: 'data',
-		},
-		{
-		    xtype: 'displayfield',
-		    fieldLabel: gettext('Hint'),
-		    labelWidth: 150,
-		    name: 'hint',
-		    hidden: true,
-		},
-	    ],
-	},
-    ],
-
-    initComponent: function() {
-	var me = this;
-
-	me.callParent();
-
-	if (!me.isCreate) {
-	    me.load({
-		success: function(response, opts) {
-		    me.setValues(response.result.data);
-		},
-	    });
-	} else {
-	    me.method = 'POST';
-	}
-    },
-});
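
Review bot: with this file gone, check whether helpers it used are now dead code in pve-manager, for instance `PVE.Parser.parseACMEPluginData` and the 'pveACMEApiSelector' xtype, and remove them in the same series if nothing else references them.
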
-- 
2.30.2






* [pve-devel] applied: [PATCH proxmox-acme 1/2] add support for proxies
  2021-11-09 16:36 ` [pve-devel] [PATCH proxmox-acme 1/2] add support for proxies Stoiko Ivanov
@ 2021-11-09 17:05   ` Thomas Lamprecht
  0 siblings, 0 replies; 10+ messages in thread
From: Thomas Lamprecht @ 2021-11-09 17:05 UTC (permalink / raw)
  To: Proxmox VE development discussion, Stoiko Ivanov

On 09.11.21 17:36, Stoiko Ivanov wrote:
> by setting the proxy for the LWP::UserAgent
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
>  src/PVE/ACME.pm | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
>

applied, thanks!





* Re: [pve-devel] [PATCH manager 1/3] api: acme: set http_proxy if configured in datacenter.cfg
  2021-11-09 16:36 ` [pve-devel] [PATCH manager 1/3] api: acme: set http_proxy if configured in datacenter.cfg Stoiko Ivanov
@ 2021-11-09 17:08   ` Thomas Lamprecht
  0 siblings, 0 replies; 10+ messages in thread
From: Thomas Lamprecht @ 2021-11-09 17:08 UTC (permalink / raw)
  To: Proxmox VE development discussion, Stoiko Ivanov

On 09.11.21 17:36, Stoiko Ivanov wrote:
> partially fixes #3536
> 
> If a http_proxy is set in the datacenter config, use it for
> communicating with the (usually public) Acme provider.
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
>  PVE/API2/ACME.pm        | 13 +++++++++++++
>  PVE/API2/ACMEAccount.pm | 17 +++++++++++++++++
>  2 files changed, 30 insertions(+)

for the record, needs versioned dependency bump on libproxmox-acme-perl >> 1.4.0 once
uploaded.

> diff --git a/PVE/API2/ACME.pm b/PVE/API2/ACME.pm
> index 393e6b01..6e6f44f6 100644
> --- a/PVE/API2/ACME.pm
> +++ b/PVE/API2/ACME.pm
> @@ -6,6 +6,7 @@ use warnings;
>  use PVE::ACME;
>  use PVE::CertHelpers;
>  use PVE::Certificate;
> +use PVE::Cluster;
>  use PVE::Exception qw(raise raise_param_exc);
>  use PVE::JSONSchema qw(get_standard_option);
>  use PVE::NodeConfig;
> @@ -207,6 +208,10 @@ __PACKAGE__->register_method ({
>  		if ! -e $account_file;
>  
>  	    my $acme = PVE::ACME->new($account_file);
> +	    my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
> +	    if (my $http_proxy = $dccfg->{http_proxy}) {
> +		$acme->set_proxy($http_proxy);
> +	    }
>  
>  	    print "Loading ACME account details\n";
>  	    $acme->load();
> @@ -284,6 +289,10 @@ __PACKAGE__->register_method ({
>  		if ! -e $account_file;
>  
>  	    my $acme = PVE::ACME->new($account_file);
> +	    my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
> +	    if (my $http_proxy = $dccfg->{http_proxy}) {
> +		$acme->set_proxy($http_proxy);
> +	    }
>  
>  	    print "Loading ACME account details\n";
>  	    $acme->load();
> @@ -352,6 +361,10 @@ __PACKAGE__->register_method ({
>  		if ! -e $account_file;
>  
>  	    my $acme = PVE::ACME->new($account_file);
> +	    my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
> +	    if (my $http_proxy = $dccfg->{http_proxy}) {
> +		$acme->set_proxy($http_proxy);
> +	    }
>  
>  	    print "Loading ACME account details\n";
>  	    $acme->load();
> diff --git a/PVE/API2/ACMEAccount.pm b/PVE/API2/ACMEAccount.pm
> index b790843a..218b84fe 100644
> --- a/PVE/API2/ACMEAccount.pm
> +++ b/PVE/API2/ACMEAccount.pm
> @@ -5,6 +5,7 @@ use warnings;
>  
>  use PVE::ACME;
>  use PVE::CertHelpers;
> +use PVE::Cluster;
>  use PVE::Exception qw(raise_param_exc);
>  use PVE::JSONSchema qw(get_standard_option);
>  use PVE::RPCEnvironment;
> @@ -142,6 +143,10 @@ __PACKAGE__->register_method ({
>  		    if -e $account_file;
>  
>  		my $acme = PVE::ACME->new($account_file, $directory);
> +		my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
> +		if (my $http_proxy = $dccfg->{http_proxy}) {
> +		    $acme->set_proxy($http_proxy);
> +		}
>  		print "Generating ACME account key..\n";
>  		$acme->init(4096);
>  		print "Registering ACME account..\n";
> @@ -177,6 +182,10 @@ my $update_account = sub {
>  		if ! -e $account_file;
>  
>  	    my $acme = PVE::ACME->new($account_file);
> +	    my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
> +	    if (my $http_proxy = $dccfg->{http_proxy}) {
> +		$acme->set_proxy($http_proxy);
> +	    }
>  	    $acme->load();
>  	    $acme->update_account(%info);
>  	    if ($info{status} && $info{status} eq 'deactivated') {
> @@ -276,6 +285,10 @@ __PACKAGE__->register_method ({
>  	    if ! -e $account_file;
>  
>  	my $acme = PVE::ACME->new($account_file);
> +	my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
> +	if (my $http_proxy = $dccfg->{http_proxy}) {
> +	    $acme->set_proxy($http_proxy);
> +	}
>  	$acme->load();
>  
>  	my $res = {};
> @@ -334,6 +347,10 @@ __PACKAGE__->register_method ({
>  	my $directory = extract_param($param, 'directory') // $acme_default_directory_url;
>  
>  	my $acme = PVE::ACME->new(undef, $directory);
> +	my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
> +	if (my $http_proxy = $dccfg->{http_proxy}) {
> +	    $acme->set_proxy($http_proxy);
> +	}
>  	my $meta = $acme->get_meta();
>  
>  	return $meta ? $meta->{termsOfService} : undef;
> 






* [pve-devel] applied: [PATCH proxmox-acme 2/2] dns-challenge: add 'use-proxy' property
  2021-11-09 16:36 ` [pve-devel] [PATCH proxmox-acme 2/2] dns-challenge: add 'use-proxy' property Stoiko Ivanov
@ 2021-11-09 17:09   ` Thomas Lamprecht
  0 siblings, 0 replies; 10+ messages in thread
From: Thomas Lamprecht @ 2021-11-09 17:09 UTC (permalink / raw)
  To: Proxmox VE development discussion, Stoiko Ivanov

On 09.11.21 17:36, Stoiko Ivanov wrote:
> this patch adds an optional 'use-proxy' property to the dns
> challenges.
> 
> If set to 1 the caller is expected to add the proxy url in the plugin
> config, which is then set as 'http_proxy' and 'https_proxy'
> environment variable by the plugin caller (and then used by curl)
> 
> Tested with the pdns plugin, direct traffic to the pdns server being
> dropped, and a configured squid proxy
> 

Maybe we can document that in pve-docs, a separate proxy section somewhere
could be also nice to have..

> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
>  src/PVE/ACME/DNSChallenge.pm | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 
>

applied, thanks!



