public inbox for pdm-devel@lists.proxmox.com
From: Shan Shaji <s.shaji@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [PATCH datacenter-manager 0/4] fix #7179: expose ACME commands inside admin CLI
Date: Tue,  3 Feb 2026 18:44:16 +0100
Message-ID: <20260203174420.453118-1-s.shaji@proxmox.com>

Previously, ACME commands were not exposed through the admin CLI.
Added the necessary functionality to manage ACME settings directly
via the command line. The changes are done by taking reference from 
the proxmox-backup codebase. 

The `tasklog_pbs` function in the `proxmox-log` crate has been renamed 
in the following patch [1]. To test the changes introduced by 
this series, it must be applied.

**note**: The completions were not working in general. Investigating it
separately.

changes since v1: Thanks @Lukas
- fixed formatting.
- refactor the input prompt into a separate method - `read_input`.
- defined a new struct `AcmeRegistrationParams` and update the API
  method signature to accept only one parameter.
- used the API `register_account` method instead of using the
  `proxmox-acme-api::register_account` function. 
- added `tasklog` layer to capture worker task logs. 
- added `context` method to preserve the error messages. 

Testing 
=======

In general I have verified the following commands, i.e.:
- account (deactivate, info, list, update)
- certificate (order, revoke)
- plugin (add, config, list, remove, set)
- Verified external account binding using Google's ACME directory
  URL and public CA (GTS).

### Certificate Creation

http-01 challenge:
-----------------

I have tested the http-01 challenge verification using a test
pebble server. 
    
Steps followed to test the changes:

1. Installed the changes inside a PDM VM. 
2. Installed Pebble from Let's Encrypt [2] on the same VM:

    cd
    apt update
    apt install -y golang git
    git clone https://github.com/letsencrypt/pebble
    cd pebble
    go build ./cmd/pebble

    then, download and trust the Pebble cert:

    wget https://raw.githubusercontent.com/letsencrypt/pebble/main/test/certs/pebble.minica.pem
    cp pebble.minica.pem /usr/local/share/ca-certificates/pebble.minica.crt
    update-ca-certificates

3. We want Pebble to perform HTTP-01 validation against port 80, because
   PDM's standalone plugin will bind port 80. Set httpPort to 80.

    nano ./test/config/pebble-config.json

4. Start the Pebble server in the background:

    ./pebble -config ./test/config/pebble-config.json &

5. Created a Pebble ACME account:

    proxmox-datacenter-manager-admin acme account register default admin@example.com --directory 'https://127.0.0.1:14000/dir'

6. Added a new ACME domain pdm.proxmox.com with HTTP challenge type. Then
   ran the following command.

    proxmox-datacenter-manager-admin acme certificate order --force true

7. Checked if the certificate is validated by the pebble CA. 

Ran the revoke command and verified if the certificate is self-signed
after force refresh. 

---

DNS-01 challenge: 
----------------

I tested the changes with my domain using the Cloudflare plugin.

Steps followed to test the changes:

1. Created an ACME account using the Let's Encrypt staging API.
2. Added a new plugin using the following command:

    proxmox-datacenter-manager-admin acme plugin add dns cloudflare --api cf --data ./cf_tokens

   cf_tokens had the following credentials:

      - CF_Account_ID=""
      - CF_Token=""

3. Added my Cloudflare managed domain under ACME Domains using the UI.
4. Ordered the certificate using the following command. 

    proxmox-datacenter-manager-admin acme certificate order --force true

5. Force refreshed the browser and verified that the new certificate is
   verified by (STAGING) Let's Encrypt

6. Revoked the certificate using the following command. 

    proxmox-datacenter-manager-admin acme certificate revoke

7. Verified the new certificate is self-signed.

[1] - https://lore.proxmox.com/pdm-devel/20260128135457.245662-2-s.shaji@proxmox.com/
[2] - https://github.com/letsencrypt/pebble


Shan Shaji (4):
  cli: admin: make cli handling async
  api: acme: define API type for ACME registration parameters
  fix #7179: cli: admin: expose acme commands
  chore: update proxmox-acme version to 1

 Cargo.toml                    |   2 +-
 cli/admin/Cargo.toml          |   7 +-
 cli/admin/src/acme.rs         | 445 ++++++++++++++++++++++++++++++++++
 cli/admin/src/main.rs         |  57 +++--
 lib/pdm-api-types/src/acme.rs |  65 +++++
 lib/pdm-api-types/src/lib.rs  |   2 +
 server/src/api/config/acme.rs |  48 ++--
 7 files changed, 574 insertions(+), 52 deletions(-)
 create mode 100644 cli/admin/src/acme.rs
 create mode 100644 lib/pdm-api-types/src/acme.rs

-- 
2.47.3
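
Added example, not part of the original message or the patch series: a repeatable version of the manual checks in the test steps above (certificate issued by the test CA after `order`, self-signed again after `revoke`). The script name, the HOST:PORT argument and the CA bundle path are assumptions supplied by the caller; only standard `openssl` subcommands are used.

```sh
#!/bin/sh
# Added example (not part of the patch series): classify a served certificate.
# HOST:PORT and the CA bundle path are supplied by the caller (assumptions).

# cert_field FILE subject|issuer -> prints that distinguished name
cert_field() {
    out=$(openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253) || return 1
    printf '%s\n' "${out#*=}"
}

# classify_cert CERT [CA_BUNDLE] -> prints self-signed | ca-verified | untrusted
classify_cert() {
    cert=$1
    ca=${2:-}
    subject=$(cert_field "$cert" subject) || return 2
    issuer=$(cert_field "$cert" issuer) || return 2
    # Self-signed means issuer DN == subject DN *and* the signature verifies
    # under the certificate's own key; a DN match alone is only self-issued.
    if [ "$subject" = "$issuer" ] &&
        openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo self-signed
        return 0
    fi
    # Otherwise require a chain to the expected CA. CA_BUNDLE must hold the
    # root plus any intermediates, since only the leaf is passed in.
    if [ -n "$ca" ] && openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo ca-verified
        return 0
    fi
    echo untrusted
}

# fetch_cert HOST:PORT OUTFILE -> saves the leaf certificate the server presents
fetch_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2"
}

# Usage: sh check-cert.sh HOST:PORT [CA_BUNDLE]
if [ "$#" -ge 1 ]; then
    tmp=$(mktemp) && fetch_cert "$1" "$tmp" && classify_cert "$tmp" "${2:-}"
    rm -f "$tmp"
fi
```

Run it once after `certificate order` and once after `certificate revoke`; the expected output changes from `ca-verified` to `self-signed`.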






Thread overview: 6+ messages
2026-02-03 17:44 Shan Shaji [this message]
2026-02-03 17:44 ` [PATCH datacenter-manager 1/4] cli: admin: make cli handling async Shan Shaji
2026-02-03 17:44 ` [PATCH datacenter-manager 2/4] api: acme: define API type for ACME registration parameters Shan Shaji
2026-02-03 17:44 ` [PATCH datacenter-manager 3/4] fix #7179: cli: admin: expose acme commands Shan Shaji
2026-02-03 17:44 ` [PATCH datacenter-manager 4/4] chore: update proxmox-acme version to 1 Shan Shaji
2026-02-03 17:53 ` [PATCH datacenter-manager 0/4] fix #7179: expose ACME commands inside admin CLI Shan Shaji
