From mboxrd@z Thu Jan 1 00:00:00 1970
From: Shan Shaji <s.shaji@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [PATCH datacenter-manager v3 0/5] fix #7179: expose ACME commands inside admin CLI
Date: Tue, 10 Feb 2026 17:32:45 +0100
Message-ID: <20260210163250.398269-1-s.shaji@proxmox.com>
List-Id: Proxmox Datacenter Manager development discussion

Previously, ACME commands were not exposed through the admin CLI. Added the
necessary functionality to manage ACME settings directly via the command line.
The changes are done by taking reference from the proxmox-backup codebase.

changes since v2: Thanks @Lukas
- revert the use of `tasklog` function to tasklog_pbs.
- revert string from "set-up" to "set up".
- use `matches!` macro instead of the `&&` operator.
- add separate patch that uses the `ACME_CONTACT_LIST_SCHEMA` on ACME account
  update endpoint.
- add doc comments for the AcmeRegistrationParams public fields.
- use 1-based indexing to choose the directory endpoints.

changes since v1: Thanks @Lukas
- fixed formatting.
- refactor the input prompt into a separate method - `read_input`.
- defined a new struct `AcmeRegistrationParams` and update the API method
  signature to accept only one parameter.
- used the API `register_account` method instead of using the
  `proxmox-acme-api::register_account` function.
- added `tasklog` layer to capture worker task logs.
- added `context` method to preserve the error messages.

Lukas suggested some more improvements in v2 which I will send as a follow-up
series, namely:
- allow users to add ACME domains.
- add non-interactive version of the register command.
- move wizard implementation to proxmox-acme-api and use it in both PDM and PBS.

Testing
=======

In general I have verified the following commands, i.e.:
- account (deactivate, info, list, update)
- certificate (order, revoke)
- plugin (add, config, list, remove, set)
- Verified external account binding using Google's ACME directory URL and
  public CA (GTS).

### Certificate Creation

http-01 challenge:
-----------------

I have tested the http-01 challenge verification using a test Pebble server.

Steps followed to test the changes:

1. Installed the changes inside a PDM VM.

2. Install Pebble from Let's Encrypt [1] on the same VM:

   cd
   apt update
   apt install -y golang git
   git clone https://github.com/letsencrypt/pebble
   cd pebble
   go build ./cmd/pebble

   then, download and trust the Pebble cert:

   wget https://raw.githubusercontent.com/letsencrypt/pebble/main/test/certs/pebble.minica.pem
   cp pebble.minica.pem /usr/local/share/ca-certificates/pebble.minica.crt
   update-ca-certificates

3. We want Pebble to perform HTTP-01 validation against port 80, because PDM's
   standalone plugin will bind port 80. Set httpPort to 80.

   nano ./test/config/pebble-config.json

4. Start the Pebble server in the background:

   ./pebble -config ./test/config/pebble-config.json &

5. Created a Pebble ACME account:

   proxmox-datacenter-manager-admin acme account register default admin@example.com --directory 'https://127.0.0.1:14000/dir'

6. Added a new ACME domain pdm.proxmox.com with HTTP challenge type. Then ran
   the following command.

   proxmox-datacenter-manager admin acme certificate order --force true

7. Checked if the certificate is validated by the Pebble CA. Ran the revoke
   command and verified if the certificate is self-signed after force refresh.

---

DNS-01 challenge:
----------------

I tested the changes with my domain using the cloudflare plugin.

Steps followed to test the changes:

1. Created an ACME account using the Let's Encrypt staging API.

2. Add a new plugin using the following command

   proxmox-datacenter-manager-admin acme plugin add dns cloudflare --api cf --data ./cf_tokens

   cf_tokens had the following credentials:
   - CF_Account_ID=""
   - CF_Token=""

3. Added my cloudflare managed domain under ACME Domains using the UI.

4. Ordered the certificate using the following command.

   proxmox-datacenter-manager-admin acme certificate order --force true

5. Force refreshed the browser and verified that the new certificate is
   verified by (STAGING) Let's Encrypt.

6. Revoked the certificate using the following command.

   proxmox-datacenter-manager-admin acme certificate revoke

7. Verified the new certificate is self-signed.

[1] - https://github.com/letsencrypt/pebble

Shan Shaji (5):
  cli: admin: make cli handling async
  api: acme: define API type for ACME registration parameters
  server: api: add contact schema for ACME account update endpoint
  fix #7179: cli: admin: expose acme commands
  chore: update proxmox-acme version to 1

 Cargo.toml                    |   2 +-
 cli/admin/Cargo.toml          |   7 +-
 cli/admin/src/acme.rs         | 446 ++++++++++++++++++++++++++++++++++
 cli/admin/src/main.rs         |  62 +++--
 lib/pdm-api-types/src/acme.rs |  65 +++++
 lib/pdm-api-types/src/lib.rs  |   2 +
 server/src/api/config/acme.rs |  51 ++--
 7 files changed, 581 insertions(+), 54 deletions(-)
 create mode 100644 cli/admin/src/acme.rs
 create mode 100644 lib/pdm-api-types/src/acme.rs

-- 
2.47.3