From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 679A670422 for ; Mon, 13 Jun 2022 15:02:11 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 652CEB4A7 for ; Mon, 13 Jun 2022 15:02:11 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id A47FBB49C for ; Mon, 13 Jun 2022 15:02:10 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 7A9D04391B for ; Mon, 13 Jun 2022 15:02:10 +0200 (CEST) Message-ID: <4295e9f1-5f17-fffc-7283-d6529dc5776b@proxmox.com> Date: Mon, 13 Jun 2022 15:02:09 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0 Content-Language: en-US To: pbs-devel@lists.proxmox.com References: <20220331093655.576942-1-s.sterz@proxmox.com> From: Stefan Sterz In-Reply-To: <20220331093655.576942-1-s.sterz@proxmox.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.816 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -1.732 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: Re: [pbs-devel] [PATCH proxmox-backup v2] fix #3867: server/api: send emails on certificate renewal failure X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jun 2022 13:02:11 -0000 On 3/31/22 11:36, Stefan Sterz wrote: > the superuser's email will be used to notify them that certificate > renewal has failed. > > Signed-off-by: Stefan Sterz > --- > src/api2/node/certificates.rs | 22 +++++++++---- > src/server/email_notifications.rs | 54 ++++++++++++++++++++++++++++++- > 2 files changed, 69 insertions(+), 7 deletions(-) > > diff --git a/src/api2/node/certificates.rs b/src/api2/node/certificates.rs > index 9508ea38..1fa1e6fc 100644 > --- a/src/api2/node/certificates.rs > +++ b/src/api2/node/certificates.rs > @@ -13,13 +13,14 @@ use proxmox_router::list_subdirs_api_method; > use proxmox_schema::api; > use proxmox_sys::{task_log, task_warn}; > > -use pbs_api_types::{NODE_SCHEMA, PRIV_SYS_MODIFY}; > +use pbs_api_types::{Notify, NODE_SCHEMA, PRIV_SYS_MODIFY}; > use pbs_buildcfg::configdir; > use pbs_tools::cert; > > use crate::acme::AcmeClient; > use crate::api2::types::AcmeDomain; > use crate::config::node::NodeConfig; > +use crate::server::send_certificate_renewal_mail; > use proxmox_rest_server::WorkerTask; > > pub const ROUTER: Router = Router::new() > @@ -536,11 +537,20 @@ fn spawn_certificate_worker( > let auth_id = rpcenv.get_auth_id().unwrap(); > > WorkerTask::spawn(name, None, auth_id, true, move |worker| async move { > - if let Some(cert) = order_certificate(worker, &node_config).await? { > - crate::config::set_proxy_certificate(&cert.certificate, &cert.private_key_pem)?; > - crate::server::reload_proxy_certificate().await?; > - } > - Ok(()) > + let work = || async { > + if let Some(cert) = order_certificate(worker, &node_config).await? { > + crate::config::set_proxy_certificate(&cert.certificate, &cert.private_key_pem)?; > + crate::server::reload_proxy_certificate().await?; > + } > + > + Ok(()) > + }; > + > + let res = work().await; > + > + send_certificate_renewal_mail(Notify::Error, &res)?; > + > + res > }) > } > > diff --git a/src/server/email_notifications.rs b/src/server/email_notifications.rs > index 4d734368..6fffefd3 100644 > --- a/src/server/email_notifications.rs > +++ b/src/server/email_notifications.rs > @@ -1,4 +1,4 @@ > -use anyhow::Error; > +use anyhow::{bail, Error}; > use serde_json::json; > > use handlebars::{Handlebars, Helper, Context, RenderError, RenderContext, Output, HelperResult, TemplateError}; > @@ -183,6 +183,18 @@ Please visit the web interface for further details: > > "###; > > +const ACME_CERTIFICATE_ERR_RENEWAL: &str = r###" > + > +Proxmox Backup Server was not able to renew a TLS certificate. > + > +Error: {{error}} > + > +Please visit the web interface for further details: > + > + > + > +"###; > + > lazy_static::lazy_static!{ > > static ref HANDLEBARS: Handlebars<'static> = { > @@ -209,6 +221,8 @@ lazy_static::lazy_static!{ > > hb.register_template_string("package_update_template", PACKAGE_UPDATES_TEMPLATE)?; > > + hb.register_template_string("certificate_renewal_err_template", ACME_CERTIFICATE_ERR_RENEWAL)?; > + > Ok(()) > }); > > @@ -543,6 +557,42 @@ pub fn send_updates_available( > Ok(()) > } > > +/// send email on certificate renewal failure. > +/// `notify` currently only accepts `Notify::Error`. > +pub fn send_certificate_renewal_mail( > + notify: Notify, > + result: &Result<(), Error>, > +) -> Result<(), Error> { > + match notify { > + Notify::Error => (), > + _ => bail!("error: renewal notifications currently only supported for 'Notify::Error'!"), > + } > + > + let error: String = match result { > + Err(e) => e.to_string().into(), > + _ => return Ok(()), > + }; > + > + if let Some(email) = lookup_user_email(Userid::root_userid()) { > + let (fqdn, port) = get_server_url(); > + > + let text = HANDLEBARS.render( > + "certificate_renewal_err_template", > + &json!({ > + "fqdn": fqdn, > + "port": port, > + "error": error, > + }), > + )?; > + > + let subject = "Could not renew certificate"; > + > + send_job_status_mail(&email, subject, &text)?; > + } > + > + Ok(()) > +} > + > /// Lookup users email address > pub fn lookup_user_email(userid: &Userid) -> Option { > > @@ -648,4 +698,6 @@ fn test_template_register() { > assert!(HANDLEBARS.has_template("tape_backup_err_template")); > > assert!(HANDLEBARS.has_template("package_update_template")); > + > + assert!(HANDLEBARS.has_template("certificate_renewal_err_template")); > } ping?