From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 10F556911F for ; Tue, 22 Mar 2022 15:38:14 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 006351EFCE for ; Tue, 22 Mar 2022 15:37:44 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id A274C1EFC1 for ; Tue, 22 Mar 2022 15:37:42 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 736FA46F4A for ; Tue, 22 Mar 2022 15:37:42 +0100 (CET) Message-ID: <3fe4c75f-038b-2115-db94-e57923c835ed@proxmox.com> Date: Tue, 22 Mar 2022 15:37:39 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Thunderbird/99.0 Content-Language: en-US To: Proxmox Backup Server development discussion , Stefan Sterz References: <20220308120214.1479855-1-s.sterz@proxmox.com> From: Thomas Lamprecht In-Reply-To: <20220308120214.1479855-1-s.sterz@proxmox.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.057 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.001 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [node.rs] Subject: Re: [pbs-devel] [PATCH proxmox-backup] fix #3867: server/api: send emails on certificate renewal failure X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Mar 2022 14:38:14 -0000 On 08.03.22 13:02, Stefan Sterz wrote: > the superuser's email will be used to notify them that certificate > renewal has failed. also adds support for a notification setting to > `node.cfg` and the api so that emails are sent either always, on > error or never(similar to datastore notifications). > > Signed-off-by: Stefan Sterz > --- > not sure if adding this setting to the gui is usefull and if so, where > should we put it? if we put it next to the acme account setting, users > might be confused as to which email will be used for notifications > (acme vs. superuser's). hmm, on a second thought I'd really prefer to start out as fixed, non-configurable, on-error setting internally, we can always add the config option transparently later on, if really requested. To answer the original question: If we'd add it the gui entry would be useful, most settings without gui are hidden for ~ over 90% of our users. > @@ -536,11 +537,23 @@ fn spawn_certificate_worker( > let auth_id = rpcenv.get_auth_id().unwrap(); > > WorkerTask::spawn(name, None, auth_id, true, move |worker| async move { > - if let Some(cert) = order_certificate(worker, &node_config).await? { > - crate::config::set_proxy_certificate(&cert.certificate, &cert.private_key_pem)?; > - crate::server::reload_proxy_certificate().await?; > - } > - Ok(()) > + let work = || async { > + if let Some(cert) = order_certificate(worker, &node_config).await? { > + crate::config::set_proxy_certificate(&cert.certificate, &cert.private_key_pem)?; > + crate::server::reload_proxy_certificate().await?; > + } > + > + Ok(()) > + }; > + > + let res = work().await; > + > + send_certificate_renewal_mail( > + node_config.renewal_notification.unwrap_or(Notify::Error), > + &res, > + )?; > + > + res > }) > } > > diff --git a/src/config/node.rs b/src/config/node.rs > index 0ba87450..87046ad4 100644 > --- a/src/config/node.rs > +++ b/src/config/node.rs > @@ -210,6 +216,10 @@ pub struct NodeConfig { > /// Default language used in the GUI > #[serde(skip_serializing_if = "Option::is_none")] > pub default_lang: Option, > + > + /// Whether to report certificate renewale on failure, always, never typo: s/renewale/renewal/ > + #[serde(skip_serializing_if = "Option::is_none")] > + pub renewal_notification: Option, IMO an ambiguous option name for the node.cfg, i.e., if I read this in the config I cannot know "what" gets renewed, so iff we'd have such a config it should probably be named "acme_renewal_notify", but as written above, I'd avoid it for now and set on-error > } > > impl NodeConfig { > diff --git a/src/server/email_notifications.rs b/src/server/email_notifications.rs > index 4d734368..347bc25d 100644 > --- a/src/server/email_notifications.rs > +++ b/src/server/email_notifications.rs > + > +const ACME_CERTIFICATE_ERR_RENEWAL: &str = r###" > + > +Proxmox Backup Server was not able to renew a TLS certificate. maybe: s/a/its/ > + > +Encountered an error: {{error}} Just "Error: {{error}}" or "... renew its TLS certificate: {{error}} Please..." but not too hard feelings on that one. > + > +Please visit the web interface for further details: > + > + > + > +"###; > + > lazy_static::lazy_static!{ > > static ref HANDLEBARS: Handlebars<'static> = {