From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 34E8C7B16E for ; Tue, 11 May 2021 15:54:08 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 3317722CAF for ; Tue, 11 May 2021 15:54:08 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id C232A22C9C for ; Tue, 11 May 2021 15:54:05 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 9C12342BE6 for ; Tue, 11 May 2021 15:54:05 +0200 (CEST) From: Wolfgang Bumiller To: pbs-devel@lists.proxmox.com Date: Tue, 11 May 2021 15:54:00 +0200 Message-Id: <20210511135400.32406-8-w.bumiller@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210511135400.32406-1-w.bumiller@proxmox.com> References: <20210511135400.32406-1-w.bumiller@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.018 Adjusted score from AWL reputation of 
From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [certificates.rs, config.rs, server.rs] Subject: [pbs-devel] [PATCH backup 7/7] hot-reload proxy certificate when updating via the API X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 May 2021 13:54:08 -0000 Signed-off-by: Wolfgang Bumiller
---
 src/api2/node/certificates.rs | 26 +++++++++++++-------------
 src/config.rs | 17 ++---------------
 src/server.rs | 9 +++++++++
 3 files changed, 24 insertions(+), 28 deletions(-)
diff --git a/src/api2/node/certificates.rs b/src/api2/node/certificates.rs
index e6ad59b3..79df5d0f 100644
--- a/src/api2/node/certificates.rs
+++ b/src/api2/node/certificates.rs
@@ -175,12 +175,13 @@ pub fn get_info() -> Result, Error> {
         node: { schema: NODE_SCHEMA },
         certificates: { description: "PEM encoded certificate (chain)." },
         key: { description: "PEM encoded private key." },
+        // FIXME: widget-toolkit should have an option to disable using these 2 parameters...
         restart: {
-            description: "Restart proxmox-backup-proxy",
+            description: "UI compatibility parameter, ignored",
+            type: Boolean,
             optional: true,
             default: false,
         },
-        // FIXME: widget-toolkit should have an option to disable using this parameter...
         force: {
             description: "Force replacement of existing files.",
             type: Boolean,
@@ -200,10 +201,9 @@ pub fn get_info() -> Result, Error> {
     protected: true,
 )]
 /// Upload a custom certificate.
-pub fn upload_custom_certificate(
+pub async fn upload_custom_certificate(
     certificates: String,
     key: String,
-    restart: bool,
 ) -> Result, Error> {
     let certificates = X509::stack_from_pem(certificates.as_bytes())
         .map_err(|err| format_err!("failed to decode certificate chain: {}", err))?;
@@ -223,7 +223,8 @@ pub fn upload_custom_certificate(
 
     let key = key.private_key_to_pem_pkcs8()?;
 
-    crate::config::set_proxy_certificate(&certificates, &key, restart)?;
+    crate::config::set_proxy_certificate(&certificates, &key)?;
+    crate::server::reload_proxy_certificate().await?;
 
     get_info()
 }
@@ -233,7 +234,8 @@ pub fn upload_custom_certificate(
     properties: {
         node: { schema: NODE_SCHEMA },
         restart: {
-            description: "Restart proxmox-backup-proxy",
+            description: "UI compatibility parameter, ignored",
+            type: Boolean,
             optional: true,
             default: false,
         },
@@ -245,7 +247,7 @@ pub fn upload_custom_certificate(
     protected: true,
 )]
 /// Delete the current certificate and regenerate a self signed one.
-pub fn delete_custom_certificate(restart: bool) -> Result<(), Error> {
+pub async fn delete_custom_certificate() -> Result<(), Error> {
     let cert_path = configdir!("/proxy.pem");
     // Here we fail since if this fails nothing else breaks anyway
     std::fs::remove_file(&cert_path)
@@ -263,10 +265,7 @@ pub fn delete_custom_certificate(restart: bool) -> Result<(), Error> {
     }
 
     crate::config::update_self_signed_cert(true)?;
-
-    if restart {
-        crate::config::reload_proxy()?;
-    }
+    crate::server::reload_proxy_certificate().await?;
 
     Ok(())
 }
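Review bot: In the new upload_custom_certificate body (hunk @@ -223) the certificate and key files are already written by `set_proxy_certificate` when `reload_proxy_certificate().await?` runs, so a reload failure (proxy not running, stale PID file, control-socket error) is returned to the API caller as a failed upload although the certificate was stored and will be served on the next proxy start; wrapping the call, e.g. `crate::server::reload_proxy_certificate().await.map_err(|err| format_err!("certificate stored, but reloading the proxy failed: {}", err))?;`, would make that distinction visible to the operator. The same write-then-reload sequence appears in delete_custom_certificate (hunk @@ -263) and in the ACME worker closure in spawn_certificate_worker (hunk @@ -535), where a reload error now fails the worker task after the certificate has already been installed. Both API functions start outside their hunks.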
@@ -535,7 +534,8 @@ fn spawn_certificate_worker(
     WorkerTask::spawn(name, None, auth_id, true, move |worker| async move {
         if let Some(cert) = order_certificate(worker, &node_config).await? {
-            crate::config::set_proxy_certificate(&cert.certificate, &cert.private_key_pem, true)?;
+            crate::config::set_proxy_certificate(&cert.certificate, &cert.private_key_pem)?;
+            crate::server::reload_proxy_certificate().await?;
         }
 
         Ok(())
     })
@@ -572,7 +572,7 @@ pub fn revoke_acme_cert(rpcenv: &mut dyn RpcEnvironment) -> Result Result<(), Error> {
     let x509 = x509.build();
     let cert_pem = x509.to_pem()?;
-    set_proxy_certificate(&cert_pem, &priv_pem, false)?;
+    set_proxy_certificate(&cert_pem, &priv_pem)?;
     Ok(())
 }
 
-pub(crate) fn set_proxy_certificate(
-    cert_pem: &[u8],
-    key_pem: &[u8],
-    reload: bool,
-) -> Result<(), Error> {
+pub(crate) fn set_proxy_certificate(cert_pem: &[u8], key_pem: &[u8]) -> Result<(), Error> {
     let backup_user = crate::backup::backup_user()?;
     let options = CreateOptions::new()
         .perm(Mode::from_bits_truncate(0o0640))
@@ -211,14 +207,5 @@ pub(crate) fn set_proxy_certificate(
     replace_file(&cert_path, &cert_pem, options)
         .map_err(|err| format_err!("error writing certificate file - {}", err))?;
 
-    if reload {
-        reload_proxy()?;
-    }
-
     Ok(())
 }
-
-pub(crate) fn reload_proxy() -> Result<(), Error> {
-    crate::tools::systemd::reload_unit("proxmox-backup-proxy")
-        .map_err(|err| format_err!("error signaling reload to pbs proxy: {}", err))
-}
diff --git a/src/server.rs b/src/server.rs
index b6a37b92..ba25617d 100644
--- a/src/server.rs
+++ b/src/server.rs
@@ -7,6 +7,7 @@ use anyhow::{format_err, Error};
 
 use lazy_static::lazy_static;
 use nix::unistd::Pid;
+use serde_json::Value;
 
 use proxmox::sys::linux::procfs::PidStat;
 
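Review bot: `set_proxy_certificate` now only writes the certificate and key files, but neither its new signature nor a doc comment says that the running proxy is no longer notified, so a future caller can store a certificate and forget the second step that the three call sites in this series add by hand. Suggest `/// Write the proxy certificate and key to the config dir; does not notify the running proxy — call crate::server::reload_proxy_certificate() afterwards.` above the new one-line signature. The function body continues past this hunk, and in this copy of the patch the file header for src/config.rs appears to have been lost, so the `@@ -572` header shown belongs to the preceding revoke_acme_cert hunk rather than to this one.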
@@ -91,3 +92,11 @@ pub use report::*;
 
 pub mod ticket;
 pub mod auth;
+
+pub(crate) async fn reload_proxy_certificate() -> Result<(), Error> {
+    let proxy_pid = crate::server::read_pid(buildcfg::PROXMOX_BACKUP_PROXY_PID_FN)?;
+    let sock = crate::server::ctrl_sock_from_pid(proxy_pid);
+    let _: Value = crate::server::send_raw_command(sock, "{\"command\":\"reload-certificate\"}\n")
+        .await?;
+    Ok(())
+}
-- 
2.20.1
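Review bot: The proxy's reply to the reload-certificate command is bound to `let _: Value` and never inspected, so if `send_raw_command` hands back the proxy's JSON reply as `Ok(Value)` even when the proxy reports that it could not load the new files, the API call returns success while the old certificate is still being served; please confirm that contract and, if the reply can carry an error, check it before returning `Ok(())`. The new function also has no doc comment; suggest `/// Ask the running proxy, via the control socket derived from its PID file, to re-read the certificate files already written to the config dir.` so callers know the files must be in place before this is called.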