From: Samuel Rufinatscha
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox-backup 0/1] fix #7311: bin: init proxmox_acme_api in proxmox-daily-update
Date: Thu, 12 Feb 2026 14:58:28 +0100
Message-ID: <20260212135829.313029-1-s.rufinatscha@proxmox.com>
List-Id: Proxmox Backup Server development discussion

This patch adds the missing proxmox_acme_api::init() call in
proxmox-daily-update, fixing the regression introduced in 4.1.2-1 where
certificate renewal fails [0].

Tested by running:

    /usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-daily-update

which now completes successfully without panicking or hanging. The
command was tested against Pebble [1] for both HTTP-01 and DNS-01
challenge types.

HTTP-01 Challenge Test

(1) make deb, deployed package

(2) installed Pebble on the same VM:

    cd
    apt update
    apt install -y golang git
    git clone https://github.com/letsencrypt/pebble
    cd pebble
    go build ./cmd/pebble

(3) downloaded and trusted the Pebble cert:

    wget https://raw.githubusercontent.com/letsencrypt/pebble/main/test/certs/pebble.minica.pem
    cp pebble.minica.pem /usr/local/share/ca-certificates/pebble.minica.crt
    update-ca-certificates

(4) set httpPort to 80 in Pebble's config so PBS's standalone plugin can
    handle HTTP-01 validation on port 80:

    nano ./test/config/pebble-config.json

(5) started Pebble:

    ./pebble -config ./test/config/pebble-config.json &

(6) created an ACME account:

    proxmox-backup-manager acme account register default admin@example.com \
        --directory 'https://127.0.0.1:14000/dir'

(7) created a domain (used my host domain name from /etc/hosts) and
    ordered the certificate via proxmox-daily-update.

DNS-01 Challenge Test

Same VM setup as above, additionally:

(1) built and started the challenge test server:

    go build ./cmd/pebble-challtestsrv
    ./pebble-challtestsrv -http01 "" -https01 "" -tlsalpn01 "" \
        -dns01 :8053 -defaultIPv4 127.0.0.1 &

(2) started Pebble with the DNS resolver pointing at the challenge test
    server:

    ./pebble -config ./test/config/pebble-config.json \
        -dnsserver 127.0.0.1:8053 &

(3) created and registered a custom DNS plugin script at
    /usr/share/proxmox-acme/dnsapi/dns_pebble.sh.

(4) created an ACME account, changed the challenge type of the existing
    domain to DNS and ordered the certificate via proxmox-daily-update.

Note: Pebble does not persist account info across restarts. On reboot,
remove the old account from /etc/proxmox-backup/acme/accounts and create
a new one.

*Maintainer notes*
- this fix requires a version bump

[0] https://bugzilla.proxmox.com/show_bug.cgi?id=7311
[1] https://github.com/letsencrypt/pebble

Samuel Rufinatscha (1):
  fix #7311: bin: init proxmox_acme_api in proxmox-daily-update

 src/bin/proxmox-daily-update.rs | 3 +++
 1 file changed, 3 insertions(+)

-- 
2.47.3