From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id E59ED1FF137 for ; Tue, 03 Feb 2026 18:50:49 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 7E8A71B9F; Tue, 3 Feb 2026 18:51:20 +0100 (CET) From: Shan Shaji To: pdm-devel@lists.proxmox.com Subject: [PATCH datacenter-manager v2 0/4] fix #7179: expose ACME commands inside admin CLI Date: Tue, 3 Feb 2026 18:50:57 +0100 Message-ID: <20260203175101.457724-1-s.shaji@proxmox.com> X-Mailer: git-send-email 2.47.3 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1770140994937 X-SPAM-LEVEL: Spam detection results: 0 AWL -1.513 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_BADIPHTTP 2 Due to the Storm Bot Network, IPs in emails is bad KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NUMERIC_HTTP_ADDR 1.242 Uses a numeric IP address in URL SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record WEIRD_PORT 0.001 Uses non-standard port number for HTTP Message-ID-Hash: NZSOMYPIOIPXHH4XJOHPEQMCA2QWBDDX X-Message-ID-Hash: NZSOMYPIOIPXHH4XJOHPEQMCA2QWBDDX X-MailFrom: s.shaji@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Previously, ACME commands were not exposed through the admin CLI. Added the necessary functionality to manage ACME settings directly via the command line. The changes are done by taking reference from the proxmox-backup codebase. The `tasklog_pbs` function in the `proxmox-log` crate has been renamed in the following patch [1]. To test the changes introduced by this series, it must be applied. **note**: The completions were not working in general. Investigating it seperately. changes since v1: Thanks @Lukas - fixed formating. - refactor the input prompt into a seperate method - `read_input`. - defined a new struct ``AcmeRegistrationParams` and update the API method signature to accept only one parameter. - used the API `register_account` method instead of using the `proxmox-acme-api::register_account` function. - added `tasklog` layer to capture worker task logs. - added `context` method to preserve the error messages. Testing ======= In general i have verified the following commands ie: - account (deactivate, info, list, update) - certificate (order, revoke) - plugin (add, config, list, remove, set) - Verified external account binding using google's ACME directory url and public CA (GTS). ### Certifcate Creation http-01 challenge: ----------------- I have tested the http-01 challenge verification using a test pebble server. Steps followed to test the changes: 1. Installed the changes inside a PDM VM. 2. install Pebble from Let's Encrypt [2] on the same VM: cd apt update apt install -y golang git git clone https://github.com/letsencrypt/pebble cd pebble go build ./cmd/pebble then, download and trust the Pebble cert: wget https://raw.githubusercontent.com/letsencrypt/pebble/main/test/certs/pebble.minica.pem cp pebble.minica.pem /usr/local/share/ca-certificates/pebble.minica.crt update-ca-certificates 3. We want Pebble to perform HTTP-01 validation against port 80, because PDM's standalone plugin will bind port 80. Set httpPort to 80. nano ./test/config/pebble-config.json 4. Start the Pebble server in the background: ./pebble -config ./test/config/pebble-config.json & 5. Created a Pebble ACME account: proxmox-datacenter-manager-admin acme account register default admin@example.com --directory 'https://127.0.0.1:14000/dir' 6. Added a new ACME domain pdm.proxmox.com with HTTP challenge type. Then ran the following command. proxmox-datacenter-manager admin acme certificate order --force true 7. Checked if the certificate is validated by the pebble CA. Ran the revoke command and verified if the certificate is self-signed after force refresh. --- DNS-01 challenge: ---------------- I tested the changes with my domain using the cloudflare plugin. Steps followed to test the changes: 1. Created an ACME account using let's encrypt staging API. 2. Add a new plugin using the following command proxmox-datacenter-manager-admin acme plugin add dns cloudflare --api cf --data ./cf_tokens cf_tokens had the following credentials: - CF_Account_ID="" - CF_Token="" 3. Added my cloudflare managed domain under ACME Domains using the UI. 4. Ordered the certificate using the following command. proxmox-datacenter-manager-admin acme certificate order --force true 5. Force refreshed the browser and verified that the new certificate is verified by (STAGING) Let's Encrypt 6. Revoked the certificate using the following command. proxmox-datacenter-manager-admin acme certificate revoke 7. Verified the new certificate is self-signed. [1] - https://lore.proxmox.com/pdm-devel/20260128135457.245662-2-s.shaji@proxmox.com/ [2] - https://github.com/letsencrypt/pebble Shan Shaji (4): cli: admin: make cli handling async api: acme: define API type for ACME registration parameters fix #7179: cli: admin: expose acme commands chore: update proxmox-acme version to 1 Cargo.toml | 2 +- cli/admin/Cargo.toml | 7 +- cli/admin/src/acme.rs | 445 ++++++++++++++++++++++++++++++++++ cli/admin/src/main.rs | 57 +++-- lib/pdm-api-types/src/acme.rs | 65 +++++ lib/pdm-api-types/src/lib.rs | 2 + server/src/api/config/acme.rs | 48 ++-- 7 files changed, 574 insertions(+), 52 deletions(-) create mode 100644 cli/admin/src/acme.rs create mode 100644 lib/pdm-api-types/src/acme.rs -- 2.47.3