From: Manuel Federanko <m.federanko@proxmox.com>
To: pbs-devel@lists.proxmox.com, pdm-devel@lists.proxmox.com
Subject: [PATCH proxmox{,-backup,-datacenter-manager} 0/7] acme: fix #6372 implement basic ARI support
Date: Thu, 25 Jun 2026 16:13:30 +0200
Message-ID: <20260625141337.181684-1-m.federanko@proxmox.com>

This series implements basic ACME ARI [0] support for Proxmox Backup
Server and Proxmox Datacenter Manager. Currently both projects renew
once a fixed time has passed:
* Proxmox Backup Manager already considers the life-time of a
certificate and starts renewal attempts based on that [1]
* Proxmox Datacenter Manager still assumes that a certificate should
start to be renewed 30 days before it is invalid.
This series changes the behavior to first attempt to get a time renewal
window from the server, and if that fails to fall back to the life-time
based lead percentages. Importantly it also moves the check for the
remaining life-time into the worker.
## Testing
The pebble acme server [2] is easy to set up and intended to be used
to develop clients against it. Changing the date of the system and the
system hosting pebble and then manually triggering an update check is an
easy way to test the behavior.
## Further work
We currently only check the certificate with the daily update services.
It would be desirable to have a second service for ARI checks which runs
more often.
There also is currently no handling of Retry-After headers, which are
used by the ACME server to indicate when we should check for a new
renewal window again.
Proxmox Backup Server uses a very similar struct for Certificate
Information "CertInfo" which could be replaced by the one provided by
the proxmox-acme-api crate "CertificateInfo".
[0] https://datatracker.ietf.org/doc/rfc9773/
[1] https://lore.proxmox.com/pbs-devel/20260423134607.105229-2-m.federanko@proxmox.com/
[2] https://github.com/letsencrypt/pebble
proxmox:
Manuel Federanko (4):
acme: client: add methods to fetch renewal information.
acme: add retry-after header to renewal information.
acme: allow specifying the certificate that is replaced by an order
acme: cert: add dedicated ari_id field to the certificate info.
proxmox-acme-api/src/certificate_helpers.rs | 60 ++++++++++++++++++-
proxmox-acme-api/src/lib.rs | 5 +-
proxmox-acme-api/src/types.rs | 4 ++
proxmox-acme/src/async_client.rs | 66 +++++++++++++++++++--
proxmox-acme/src/directory.rs | 8 +++
proxmox-acme/src/lib.rs | 3 +
proxmox-acme/src/order.rs | 13 ++++
proxmox-acme/src/renewal.rs | 36 +++++++++++
8 files changed, 187 insertions(+), 8 deletions(-)
create mode 100644 proxmox-acme/src/renewal.rs
proxmox-backup:
Manuel Federanko (2):
acme: add ari_id to cert info.
acme: implement ARI renewal information fetching.
pbs-tools/Cargo.toml | 1 +
pbs-tools/src/cert.rs | 4 +
src/api2/node/certificates.rs | 106 +++++++++++++++++++------
src/bin/proxmox-daily-update.rs | 6 --
src/bin/proxmox_backup_manager/acme.rs | 8 --
5 files changed, 86 insertions(+), 39 deletions(-)
proxmox-datacenter-manager:
Manuel Federanko (1):
acme: certificates: fix #6372 use ARI for renewal if available.
cli/admin/src/acme.rs | 7 -
server/src/api/nodes/certificates.rs | 129 +++++++++++++++---
...proxmox-datacenter-manager-daily-update.rs | 5 -
3 files changed, 113 insertions(+), 28 deletions(-)
Summary over all repositories:
16 files changed, 386 insertions(+), 75 deletions(-)
--
Generated by murpp 0.12.0
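
The decision order the cover letter describes (renewal window from the server first, lifetime-based lead as fallback), together with the RFC 9773 certificate identifier, as an added example that is not code from this series or from the proxmox-acme crates. All function and type names are hypothetical, the 33 percent lead and the timestamps are constructed sample values, and it is an assumption that the series' `ari_id` field corresponds to this identifier.

```rust
// Added illustration; names are hypothetical. Times are Unix seconds.
/// Unpadded base64url encoding (std-only, to keep the example self-contained).
fn b64url(data: &[u8]) -> String {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let mut n = 0u32;
        for i in 0..3 {
            n = (n << 8) | *chunk.get(i).unwrap_or(&0) as u32;
        }
        for i in 0..=chunk.len() {
            out.push(T[((n >> (18 - 6 * i)) & 63) as usize] as char);
        }
    }
    out
}

/// RFC 9773 certificate identifier: base64url(AKI keyIdentifier), ".",
/// base64url(serial), with `serial` being the DER INTEGER content bytes.
fn ari_cert_id(aki_key_id: &[u8], serial: &[u8]) -> String {
    format!("{}.{}", b64url(aki_key_id), b64url(serial))
}

#[derive(Debug, PartialEq)]
enum Source { Ari, LifetimeFallback }

/// Pick the renewal time: a point inside the server's suggested window (spread
/// by caller-supplied `rand`), else `lead_percent` of the lifetime before expiry.
fn renew_at(window: Option<(i64, i64)>, not_before: i64, not_after: i64,
            lead_percent: i64, rand: u64) -> (i64, Source) {
    match window {
        // A window with end <= start is treated like a failed fetch.
        Some((start, end)) if end > start => {
            let t = start + (rand % (end - start) as u64) as i64;
            // Added safeguard: never schedule past the certificate's expiry.
            (t.min(not_after), Source::Ari)
        }
        _ => {
            let lead = (not_after - not_before) * lead_percent / 100;
            (not_after - lead, Source::LifetimeFallback)
        }
    }
}

fn main() {
    // Constructed sample values.
    println!("{}", ari_cert_id(&[0x69, 0x88, 0x5B], &[0x00, 0x87, 0x65, 0x43, 0x21]));
    println!("{:?}", renew_at(None, 0, 9000, 33, 12345));
}
```

A renewal time that already lies in the past means the worker should renew on its next run; treating a malformed window like a failed fetch keeps a bad server response from suppressing renewal altogether.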