* [PATCH datacenter-manager v2 0/4] fix #7179: expose ACME commands inside admin CLI
From: Shan Shaji @ 2026-02-03 17:50 UTC (permalink / raw)
To: pdm-devel
Previously, ACME commands were not exposed through the admin CLI.
Added the necessary functionality to manage ACME settings directly
via the command line. The changes are done by taking reference from
the proxmox-backup codebase.
The `tasklog_pbs` function in the `proxmox-log` crate has been renamed
in the following patch [1]. To test the changes introduced by
this series, it must be applied.
**note**: The completions were not working in general. Investigating it
separately.
changes since v1: Thanks @Lukas
- fixed formatting.
- refactored the input prompt into a separate method - `read_input`.
- defined a new struct `AcmeRegistrationParams` and updated the API
method signature to accept only one parameter.
- used the API `register_account` method instead of using the
`proxmox-acme-api::register_account` function.
- added `tasklog` layer to capture worker task logs.
- added `context` method to preserve the error messages.
Testing
=======
In general I have verified the following commands, i.e.:
- account (deactivate, info, list, update)
- certificate (order, revoke)
- plugin (add, config, list, remove, set)
- Verified external account binding using Google's ACME directory
URL and public CA (GTS).
### Certificate Creation
http-01 challenge:
-----------------
I have tested the http-01 challenge verification using a test
pebble server.
Steps followed to test the changes:
1. Installed the changes inside a PDM VM.
2. Installed Pebble from Let's Encrypt [2] on the same VM:
cd
apt update
apt install -y golang git
git clone https://github.com/letsencrypt/pebble
cd pebble
go build ./cmd/pebble
then, download and trust the Pebble cert:
wget https://raw.githubusercontent.com/letsencrypt/pebble/main/test/certs/pebble.minica.pem
cp pebble.minica.pem /usr/local/share/ca-certificates/pebble.minica.crt
update-ca-certificates
3. We want Pebble to perform HTTP-01 validation against port 80, because
PDM's standalone plugin will bind port 80. Set httpPort to 80.
nano ./test/config/pebble-config.json
4. Start the Pebble server in the background:
./pebble -config ./test/config/pebble-config.json &
5. Created a Pebble ACME account:
proxmox-datacenter-manager-admin acme account register default admin@example.com --directory 'https://127.0.0.1:14000/dir'
6. Added a new ACME domain pdm.proxmox.com with HTTP challenge type. Then
ran the following command.
proxmox-datacenter-manager admin acme certificate order --force true
7. Checked if the certificate is validated by the pebble CA.
Ran the revoke command and verified if the certificate is self-signed
after force refresh.
---
DNS-01 challenge:
----------------
I tested the changes with my domain using the cloudflare plugin.
Steps followed to test the changes:
1. Created an ACME account using the Let's Encrypt staging API.
2. Added a new plugin using the following command:
proxmox-datacenter-manager-admin acme plugin add dns cloudflare --api cf --data ./cf_tokens
cf_tokens had the following credentials:
- CF_Account_ID=""
- CF_Token=""
3. Added my cloudflare managed domain under ACME Domains using the UI.
4. Ordered the certificate using the following command.
proxmox-datacenter-manager-admin acme certificate order --force true
5. Force refreshed the browser and verified that the new certificate is
verified by (STAGING) Let's Encrypt
6. Revoked the certificate using the following command.
proxmox-datacenter-manager-admin acme certificate revoke
7. Verified the new certificate is self-signed.
[1] - https://lore.proxmox.com/pdm-devel/20260128135457.245662-2-s.shaji@proxmox.com/
[2] - https://github.com/letsencrypt/pebble
Shan Shaji (4):
cli: admin: make cli handling async
api: acme: define API type for ACME registration parameters
fix #7179: cli: admin: expose acme commands
chore: update proxmox-acme version to 1
Cargo.toml | 2 +-
cli/admin/Cargo.toml | 7 +-
cli/admin/src/acme.rs | 445 ++++++++++++++++++++++++++++++++++
cli/admin/src/main.rs | 57 +++--
lib/pdm-api-types/src/acme.rs | 65 +++++
lib/pdm-api-types/src/lib.rs | 2 +
server/src/api/config/acme.rs | 48 ++--
7 files changed, 574 insertions(+), 52 deletions(-)
create mode 100644 cli/admin/src/acme.rs
create mode 100644 lib/pdm-api-types/src/acme.rs
--
2.47.3
* [PATCH datacenter-manager v2 1/4] cli: admin: make cli handling async
From: Shan Shaji @ 2026-02-03 17:50 UTC (permalink / raw)
To: pdm-devel
The acme API methods internally create workers to process API requests.
An error was thrown if the methods were invoked without initializing the
worker tasks.
Since `init_worker_tasks` needs to be called from an async runtime, the
content of the main function was moved to an async `run` function and
wrapped using `proxmox_async::runtime::main`, which creates a Tokio
runtime.
Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
changes since v1:
- use `tasklog` function to capture worker task logs to the tasklog
file.
- add `context` method to preserve the error messages.
cli/admin/Cargo.toml | 3 +++
cli/admin/src/main.rs | 53 ++++++++++++++++++++++++++++---------------
2 files changed, 38 insertions(+), 18 deletions(-)
diff --git a/cli/admin/Cargo.toml b/cli/admin/Cargo.toml
index 0dec423..e566b39 100644
--- a/cli/admin/Cargo.toml
+++ b/cli/admin/Cargo.toml
@@ -19,6 +19,9 @@ proxmox-product-config.workspace = true
proxmox-router = { workspace = true, features = [ "cli" ], default-features = false }
proxmox-schema = { workspace = true, features = [ "api-macro" ] }
proxmox-access-control.workspace = true
+proxmox-rest-server.workspace = true
+proxmox-sys.workspace = true
+proxmox-daemon.workspace = true
pdm-api-types.workspace = true
pdm-config.workspace = true
diff --git a/cli/admin/src/main.rs b/cli/admin/src/main.rs
index f698fa2..02148e3 100644
--- a/cli/admin/src/main.rs
+++ b/cli/admin/src/main.rs
@@ -1,35 +1,33 @@
+use anyhow::{Context, Error};
use serde_json::{json, Value};
use proxmox_router::cli::{
- default_table_format_options, format_and_print_result_full, get_output_format, run_cli_command,
- CliCommand, CliCommandMap, CliEnvironment, ColumnConfig, OUTPUT_FORMAT,
+ default_table_format_options, format_and_print_result_full, get_output_format,
+ run_async_cli_command, CliCommand, CliCommandMap, CliEnvironment, ColumnConfig, OUTPUT_FORMAT,
};
use proxmox_router::RpcEnvironment;
-
use proxmox_schema::api;
+use proxmox_sys::fs::CreateOptions;
mod remotes;
mod support_status;
-fn main() {
- //pbs_tools::setup_libc_malloc_opts(); // TODO: move from PBS to proxmox-sys and uncomment
-
- let api_user = pdm_config::api_user().expect("cannot get api user");
- let priv_user = pdm_config::priv_user().expect("cannot get privileged user");
- proxmox_product_config::init(api_user, priv_user);
+async fn run() -> Result<(), Error> {
+ let api_user = pdm_config::api_user().context("could not get api user")?;
+ let priv_user = pdm_config::priv_user().context("could not get privileged user")?;
+ proxmox_product_config::init(api_user.clone(), priv_user);
proxmox_access_control::init::init(
&pdm_api_types::AccessControlConfig,
pdm_buildcfg::configdir!("/access"),
)
- .expect("failed to setup access control config");
-
+ .context("failed to setup access control config")?;
proxmox_log::Logger::from_env("PDM_LOG", proxmox_log::LevelFilter::INFO)
.stderr()
.init()
- .expect("failed to set up logger");
+ .context("failed to set-up logger")?;
- server::context::init().expect("could not set up server context");
+ server::context::init().context("could not set-up server context")?;
let cmd_def = CliCommandMap::new()
.insert("remote", remotes::cli())
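Review bot: the new error strings are inconsistent with each other and with the ones they sit next to: `failed to set-up logger` and `could not set-up server context` hyphenate the verb, while the line just above keeps `failed to setup access control config` and the first two say `could not get api user` / `could not get privileged user`; as a verb it is `set up`, so `failed to set up logger` and `could not set up server context`. The three removed blank lines (after `use proxmox_router::RpcEnvironment;`, after the `TODO` comment block, and after the access-control `.context(...)?;`) look accidental and collapse the import groups and statement blocks; keep them.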
@@ -40,14 +38,33 @@ fn main() {
.insert("support-status", support_status::cli())
.insert("versions", CliCommand::new(&API_METHOD_GET_VERSIONS));
+ let args: Vec<String> = std::env::args().collect();
+ let avoid_init = args.len() >= 2 && (args[1] == "bashcomplete" || args[1] == "printdoc");
+
+ if !avoid_init {
+ let file_opts = CreateOptions::new().owner(api_user.uid).group(api_user.gid);
+ proxmox_rest_server::init_worker_tasks(pdm_buildcfg::PDM_LOG_DIR_M!().into(), file_opts)
+ .context("failed to initialize worker tasks")?;
+
+ let mut command_sock = proxmox_daemon::command_socket::CommandSocket::new(api_user.gid);
+ proxmox_rest_server::register_task_control_commands(&mut command_sock)
+ .context("failed to register task control commands")?;
+ command_sock
+ .spawn(proxmox_rest_server::last_worker_future())
+ .context("failed to activate the socket")?;
+ }
+
let mut rpcenv = CliEnvironment::new();
rpcenv.set_auth_id(Some("root@pam".into()));
- run_cli_command(
- cmd_def,
- rpcenv,
- Some(|future| proxmox_async::runtime::main(future)),
- );
+ run_async_cli_command(cmd_def, rpcenv).await;
+
+ Ok(())
+}
+
+fn main() -> Result<(), Error> {
+ //pbs_tools::setup_libc_malloc_opts(); // TODO: move from PBS to proxmox-sys and uncomment
+ proxmox_async::runtime::main(run())
}
#[api(
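Review bot: the changelog for this patch says the `tasklog` layer was added to capture worker task logs, but this hunk only initializes the worker tasks and the command socket; the `Logger` builder in the previous hunk still has only `.stderr()`, and `.tasklog()` first appears in patch 3/4. Either move that changelog entry to 3/4 or add the `.tasklog()` call here together with `init_worker_tasks`, so that this patch on its own does what its description claims. Minor: `run_async_cli_command(cmd_def, rpcenv).await` is followed by an unconditional `Ok(())`, so `main` returns 0 unless the router exits the process itself on failure; a one-line comment confirming that `run_async_cli_command` handles the exit code would save the next reader a lookup.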
--
2.47.3
* [PATCH datacenter-manager v1 2/4] api: acme: define API type for ACME registration parameters
From: Shan Shaji @ 2026-02-03 17:50 UTC (permalink / raw)
To: pdm-devel
Earlier, the ACME CLI was using the proxmox-acme-api crate's register
function to register an ACME account. Since it did not create a worker
task internally, the logs were not being recorded in the task log file.
The API handler function accepts a Value type; in order to pass the
parameters from the CLI, they had to be converted into a Value type.
Defined a new struct to create the request parameters. This also makes
sure that even if additional parameters are added later, they
are not forgotten in the CLI tool.
Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
note: This is a new patch.
lib/pdm-api-types/src/acme.rs | 65 +++++++++++++++++++++++++++++++++++
lib/pdm-api-types/src/lib.rs | 2 ++
server/src/api/config/acme.rs | 48 ++++++++------------------
3 files changed, 82 insertions(+), 33 deletions(-)
create mode 100644 lib/pdm-api-types/src/acme.rs
diff --git a/lib/pdm-api-types/src/acme.rs b/lib/pdm-api-types/src/acme.rs
new file mode 100644
index 0000000..e5fc197
--- /dev/null
+++ b/lib/pdm-api-types/src/acme.rs
@@ -0,0 +1,65 @@
+use serde::{Deserialize, Serialize};
+
+use proxmox_acme_api::AcmeAccountName;
+use proxmox_schema::{api, ApiStringFormat, ArraySchema, Schema, StringSchema};
+
+use crate::EMAIL_SCHEMA;
+
+pub const ACME_CONTACT_LIST_SCHEMA: Schema =
+ StringSchema::new("List of email addresses, comma seperated.")
+ .format(&ApiStringFormat::PropertyString(
+ &ArraySchema::new("Contact list.", &EMAIL_SCHEMA).schema(),
+ ))
+ .schema();
+
+#[api(
+ properties: {
+ name: {
+ type: AcmeAccountName,
+ optional: true,
+ },
+ contact: {
+ schema: ACME_CONTACT_LIST_SCHEMA
+ },
+ tos_url: {
+ type: String,
+ description: "URL of CA TermsOfService - setting this indicates agreement.",
+ optional: true,
+ },
+ directory: {
+ type: String,
+ description: "The ACME Directory.",
+ optional: true,
+ },
+ eab_kid: {
+ type: String,
+ description: "Key Identifier for External Account Binding.",
+ optional: true,
+ },
+ eab_hmac_key: {
+ type: String,
+ description: "HMAC Key for External Account Binding.",
+ optional: true,
+ }
+ },
+)]
+#[derive(Serialize, Deserialize)]
+/// ACME account registration properties.
+pub struct AcmeRegistrationParams {
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub name: Option<AcmeAccountName>,
+
+ pub contact: String,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub tos_url: Option<String>,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub directory: Option<String>,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub eab_kid: Option<String>,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub eab_hmac_key: Option<String>,
+}
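Review bot: the description string of `ACME_CONTACT_LIST_SCHEMA`, `List of email addresses, comma seperated.`, is user-visible API documentation and has a typo; make it `comma separated`. Otherwise the schema is a good change: wrapping `EMAIL_SCHEMA` in an `ArraySchema` behind a `PropertyString` format means the server now validates each contact entry rather than accepting any string.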
diff --git a/lib/pdm-api-types/src/lib.rs b/lib/pdm-api-types/src/lib.rs
index 5daaa3f..b69e99f 100644
--- a/lib/pdm-api-types/src/lib.rs
+++ b/lib/pdm-api-types/src/lib.rs
@@ -116,6 +116,8 @@ pub mod sdn;
pub mod views;
+pub mod acme;
+
const_regex! {
// just a rough check - dummy acceptor is used before persisting
pub OPENSSL_CIPHERS_REGEX = r"^[0-9A-Za-z_:, +!\-@=.]+$";
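Review bot: `pub mod acme;` is appended after `pub mod views;`, while the visible neighbours (`sdn`, `views`) suggest the module list is kept in alphabetical order; move it to its sorted position instead of the end.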
diff --git a/server/src/api/config/acme.rs b/server/src/api/config/acme.rs
index 0c583c4..3c40a27 100644
--- a/server/src/api/config/acme.rs
+++ b/server/src/api/config/acme.rs
@@ -1,5 +1,6 @@
use anyhow::Error;
+use pdm_api_types::acme::AcmeRegistrationParams;
use proxmox_router::list_subdirs_api_method;
use proxmox_router::{Router, RpcEnvironment, SubdirMap};
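Review bot: `use pdm_api_types::acme::AcmeRegistrationParams;` is inserted directly under `use anyhow::Error;` without a separating blank line, whereas the new `lib/pdm-api-types/src/acme.rs` in this same patch groups third-party imports and proxmox/pdm imports into blank-line-separated blocks; put the import in its own group here as well.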
@@ -79,31 +80,9 @@ pub fn list_accounts() -> Result<Vec<AccountEntry>, Error> {
#[api(
input: {
properties: {
- name: {
- type: AcmeAccountName,
- optional: true,
- },
- contact: {
- description: "List of email addresses.",
- },
- tos_url: {
- description: "URL of CA TermsOfService - setting this indicates agreement.",
- optional: true,
- },
- directory: {
- type: String,
- description: "The ACME Directory.",
- optional: true,
- },
- eab_kid: {
- type: String,
- description: "Key Identifier for External Account Binding.",
- optional: true,
- },
- eab_hmac_key: {
- type: String,
- description: "HMAC Key for External Account Binding.",
- optional: true,
+ params: {
+ type: AcmeRegistrationParams,
+ flatten: true
}
},
},
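Review bot: flattening `AcmeRegistrationParams` also changes the REST schema, not only the handler signature: `contact` previously had a description and no format and now goes through `ACME_CONTACT_LIST_SCHEMA`, which validates a comma-separated property string of `EMAIL_SCHEMA` entries, and `tos_url` gains an explicit `type: String`. That is stricter input validation for the API endpoint and deserves a sentence in the commit message so that a caller whose previously accepted `contact` value is now rejected can see why.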
@@ -116,16 +95,19 @@ pub fn list_accounts() -> Result<Vec<AccountEntry>, Error> {
},
)]
/// Register an ACME account.
-fn register_account(
- name: Option<AcmeAccountName>,
- // Todo: email & email-list schema
- contact: String,
- tos_url: Option<String>,
- directory: Option<String>,
- eab_kid: Option<String>,
- eab_hmac_key: Option<String>,
+pub fn register_account(
+ params: AcmeRegistrationParams,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<String, Error> {
+ let AcmeRegistrationParams {
+ name,
+ contact,
+ tos_url,
+ directory,
+ eab_kid,
+ eab_hmac_key,
+ } = params;
+
let auth_id = rpcenv.get_auth_id().unwrap();
let name = name.unwrap_or_else(|| unsafe {
AcmeAccountName::from_string_unchecked("default".to_string())
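Review bot: `register_account` changes from a private `fn` to `pub fn`, presumably so that the generated `API_METHOD_REGISTER_ACCOUNT` is reachable from the CLI crate; the commit message only talks about the parameter struct, so add a line about the visibility change. The destructuring itself is fine; the pre-existing `unwrap()` on `rpcenv.get_auth_id()` and the `unsafe` `from_string_unchecked("default")` are untouched context and out of scope here.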
--
2.47.3
* [PATCH datacenter-manager v2 3/4] fix #7179: cli: admin: expose acme commands
From: Shan Shaji @ 2026-02-03 17:51 UTC (permalink / raw)
To: pdm-devel
Previously, ACME commands were not exposed through the admin CLI.
Added the necessary functionality to manage ACME settings directly
via the command line.
Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
changes since v1:
- Fix formatting.
- Use API register_account method instead of the proxmox-acme-api
crate's register_account method to register ACME account.
- add `read_input` helper function.
cli/admin/Cargo.toml | 4 +-
cli/admin/src/acme.rs | 445 ++++++++++++++++++++++++++++++++++++++++++
cli/admin/src/main.rs | 6 +
3 files changed, 454 insertions(+), 1 deletion(-)
create mode 100644 cli/admin/src/acme.rs
diff --git a/cli/admin/Cargo.toml b/cli/admin/Cargo.toml
index e566b39..01afc88 100644
--- a/cli/admin/Cargo.toml
+++ b/cli/admin/Cargo.toml
@@ -22,7 +22,9 @@ proxmox-access-control.workspace = true
proxmox-rest-server.workspace = true
proxmox-sys.workspace = true
proxmox-daemon.workspace = true
-
+proxmox-acme.workspace = true
+proxmox-acme-api.workspace = true
+proxmox-base64.workspace = true
pdm-api-types.workspace = true
pdm-config.workspace = true
pdm-buildcfg.workspace = true
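Review bot: the blank line that separated the `proxmox-*` block from the `pdm-*` block is replaced by the three new `proxmox-acme`, `proxmox-acme-api` and `proxmox-base64` entries, so the two groups now run together; add the new crates and keep the separator line.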
diff --git a/cli/admin/src/acme.rs b/cli/admin/src/acme.rs
new file mode 100644
index 0000000..be442cd
--- /dev/null
+++ b/cli/admin/src/acme.rs
@@ -0,0 +1,445 @@
+use std::io::Write;
+
+use anyhow::{bail, Error};
+use serde_json::Value;
+
+use pdm_api_types::acme::AcmeRegistrationParams;
+use proxmox_acme::async_client::AcmeClient;
+use proxmox_acme_api::{completion::*, AcmeAccountName, DnsPluginCore, KNOWN_ACME_DIRECTORIES};
+use proxmox_rest_server::wait_for_local_worker;
+use proxmox_router::{cli::*, ApiHandler, RpcEnvironment};
+use proxmox_schema::api;
+use proxmox_sys::fs::file_get_contents;
+
+use server::api as dc_api;
+
+pub fn acme_mgmt_cli() -> CommandLineInterface {
+ let cmd_def = CliCommandMap::new()
+ .insert("account", account_cli())
+ .insert("plugin", plugin_cli())
+ .insert("certificate", cert_cli());
+
+ cmd_def.into()
+}
+
+#[api(
+ input: {
+ properties: {
+ "output-format": {
+ schema: OUTPUT_FORMAT,
+ optional: true,
+ }
+ }
+ }
+)]
+/// List ACME accounts.
+fn list_accounts(param: Value, rpcenv: &mut dyn RpcEnvironment) -> Result<(), Error> {
+ let output_format = get_output_format(¶m);
+ let info = &dc_api::config::acme::API_METHOD_LIST_ACCOUNTS;
+ let mut data = match info.handler {
+ ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
+ _ => unreachable!(),
+ };
+
+ let options = default_table_format_options();
+ format_and_print_result_full(&mut data, &info.returns, &output_format, &options);
+
+ Ok(())
+}
+
+#[api(
+ input: {
+ properties: {
+ name: { type: AcmeAccountName },
+ "output-format": {
+ schema: OUTPUT_FORMAT,
+ optional: true,
+ },
+ }
+ }
+)]
+/// Show ACME account information.
+async fn get_account(param: Value, rpcenv: &mut dyn RpcEnvironment) -> Result<(), Error> {
+ let output_format = get_output_format(¶m);
+
+ let info = &dc_api::config::acme::API_METHOD_GET_ACCOUNT;
+ let mut data = match info.handler {
+ ApiHandler::Async(handler) => (handler)(param, info, rpcenv).await?,
+ _ => unreachable!(),
+ };
+
+ let options = default_table_format_options()
+ .column(
+ ColumnConfig::new("account")
+ .renderer(|value, _record| Ok(serde_json::to_string_pretty(value)?)),
+ )
+ .column(ColumnConfig::new("directory"))
+ .column(ColumnConfig::new("location"))
+ .column(ColumnConfig::new("tos"));
+ format_and_print_result_full(&mut data, &info.returns, &output_format, &options);
+
+ Ok(())
+}
+
+fn read_input(prompt: &str) -> Result<String, Error> {
+ print!("{}: ", prompt);
+ std::io::stdout().flush()?;
+ let mut input = String::new();
+ std::io::stdin().read_line(&mut input)?;
+ Ok(input)
+}
+
+#[api(
+ input: {
+ properties: {
+ name: { type: AcmeAccountName },
+ contact: {
+ description: "List of email addresses.",
+ type: String,
+ },
+ directory: {
+ type: String,
+ description: "The ACME Directory.",
+ optional: true,
+ },
+ }
+ }
+)]
+///Register an ACME account.
+async fn register_account(
+ name: AcmeAccountName,
+ contact: String,
+ directory: Option<String>,
+ rpcenv: &mut dyn RpcEnvironment,
+) -> Result<(), Error> {
+ let (directory_url, custom_directory) = match directory {
+ Some(directory) => (directory, true),
+ None => {
+ println!("Directory endpoints:");
+ for (i, dir) in KNOWN_ACME_DIRECTORIES.iter().enumerate() {
+ println!("{}) {}", i, dir.url);
+ }
+
+ println!("{}) Custom", KNOWN_ACME_DIRECTORIES.len());
+ let mut attempt = 0;
+ loop {
+ let mut input = read_input("Enter selection")?;
+ match input.trim().parse::<usize>() {
+ Ok(n) if n < KNOWN_ACME_DIRECTORIES.len() => {
+ break (KNOWN_ACME_DIRECTORIES[n].url.to_string(), false);
+ }
+ Ok(n) if n == KNOWN_ACME_DIRECTORIES.len() => {
+ input.clear();
+ input = read_input("Enter custom directory URI")?;
+ break (input.trim().to_owned(), true);
+ }
+ _ => eprintln!("Invalid selection."),
+ }
+
+ attempt += 1;
+ if attempt >= 3 {
+ bail!("Aborting.");
+ }
+ }
+ }
+ };
+
+ println!("Attempting to fetch Terms of Service from {directory_url:?}");
+ let mut client = AcmeClient::new(directory_url.clone());
+ let directory = client.directory().await?;
+ let tos_agreed = if let Some(tos_url) = directory.terms_of_service_url() {
+ println!("Terms of Service: {tos_url}");
+ let input = read_input("Do you agree to the above terms? [y|N]")?;
+ input.trim().eq_ignore_ascii_case("y")
+ } else {
+ println!("No Terms of Service found, proceeding.");
+ true
+ };
+
+ let mut eab_enabled = directory.external_account_binding_required();
+ if !eab_enabled && custom_directory {
+ let input = read_input("Do you want to use external account binding? [y|N]")?;
+ eab_enabled = input.trim().eq_ignore_ascii_case("y");
+ } else if eab_enabled {
+ println!("The CA requires external account binding.");
+ }
+
+ let eab_creds = if eab_enabled {
+ println!("You should have received a key id and a key from your CA.");
+ let eab_kid = read_input("Enter EAB key id")?;
+ let eab_hmac_key = read_input("Enter EAB key")?;
+ Some((eab_kid.trim().to_owned(), eab_hmac_key.trim().to_owned()))
+ } else {
+ None
+ };
+
+ let tos_url = tos_agreed
+ .then(|| directory.terms_of_service_url().map(str::to_owned))
+ .flatten();
+
+ let (eab_kid, eab_hmac_key) = eab_creds.unzip();
+ let parameters = AcmeRegistrationParams {
+ name: Some(name),
+ contact: contact,
+ tos_url: tos_url,
+ directory: Some(directory_url),
+ eab_kid: eab_kid,
+ eab_hmac_key: eab_hmac_key,
+ };
+ let param = serde_json::to_value(parameters)?;
+
+ let info = &dc_api::config::acme::API_METHOD_REGISTER_ACCOUNT;
+ let result = match info.handler {
+ ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
+ _ => unreachable!(),
+ };
+
+ wait_for_local_worker(result.as_str().unwrap()).await?;
+
+ Ok(())
+}
+
+#[api(
+ input: {
+ properties: {
+ name: { type: AcmeAccountName },
+ contact: {
+ description: "List of email addresses.",
+ type: String,
+ optional: true,
+ }
+ }
+ }
+)]
+/// Update an ACME Account.
+async fn update_account(param: Value, rpcenv: &mut dyn RpcEnvironment) -> Result<(), Error> {
+ let info = &dc_api::config::acme::API_METHOD_UPDATE_ACCOUNT;
+ let result = match info.handler {
+ ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
+ _ => unreachable!(),
+ };
+
+ wait_for_local_worker(result.as_str().unwrap()).await?;
+
+ Ok(())
+}
+
+#[api(
+ input: {
+ properties: {
+ name: { type: AcmeAccountName },
+ force: {
+ description: "Delete account data even if the server refuses to deactivate the account.",
+ type: Boolean,
+ optional: true,
+ default: true,
+ }
+ }
+ }
+)]
+/// Deactivate an ACME account.
+async fn deactivate_account(param: Value, rpcenv: &mut dyn RpcEnvironment) -> Result<(), Error> {
+ let info = &dc_api::config::acme::API_METHOD_DEACTIVATE_ACCOUNT;
+ let result = match info.handler {
+ ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
+ _ => unreachable!(),
+ };
+
+ wait_for_local_worker(result.as_str().unwrap()).await?;
+
+ Ok(())
+}
+
+fn account_cli() -> CommandLineInterface {
+ let cmd_def = CliCommandMap::new()
+ .insert("list", CliCommand::new(&API_METHOD_LIST_ACCOUNTS))
+ .insert(
+ "register",
+ CliCommand::new(&API_METHOD_REGISTER_ACCOUNT).arg_param(&["name", "contact"]),
+ )
+ .insert(
+ "deactivate",
+ CliCommand::new(&API_METHOD_DEACTIVATE_ACCOUNT)
+ .arg_param(&["name"])
+ .completion_cb("name", complete_acme_account),
+ )
+ .insert(
+ "info",
+ CliCommand::new(&API_METHOD_GET_ACCOUNT)
+ .arg_param(&["name"])
+ .completion_cb("name", complete_acme_account),
+ )
+ .insert(
+ "update",
+ CliCommand::new(&API_METHOD_UPDATE_ACCOUNT)
+ .arg_param(&["name", "contact"])
+ .completion_cb("name", complete_acme_account),
+ );
+
+ cmd_def.into()
+}
+
+#[api(
+ input: {
+ properties: {
+ "output-format": {
+ schema: OUTPUT_FORMAT,
+ optional: true,
+ },
+ }
+ }
+)]
+/// List ACME plugins.
+fn list_plugins(param: Value, rpcenv: &mut dyn RpcEnvironment) -> Result<(), Error> {
+ let output_format = get_output_format(¶m);
+
+ let info = &dc_api::config::acme::API_METHOD_LIST_PLUGINS;
+ let mut data = match info.handler {
+ ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
+ _ => unreachable!(),
+ };
+
+ let options = default_table_format_options();
+ format_and_print_result_full(&mut data, &info.returns, &output_format, &options);
+
+ Ok(())
+}
+
+#[api(
+ input: {
+ properties: {
+ id: {
+ type: String,
+ description: "Plugin ID",
+ },
+ "output-format": {
+ schema: OUTPUT_FORMAT,
+ optional: true,
+ },
+ }
+ }
+)]
+/// Show ACME plugin information.
+fn get_plugin(param: Value, rpcenv: &mut dyn RpcEnvironment) -> Result<(), Error> {
+ let output_format = get_output_format(¶m);
+
+ let info = &dc_api::config::acme::API_METHOD_GET_PLUGIN;
+ let mut data = match info.handler {
+ ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
+ _ => unreachable!(),
+ };
+
+ let options = default_table_format_options();
+ format_and_print_result_full(&mut data, &info.returns, &output_format, &options);
+
+ Ok(())
+}
+
+#[api(input: {
+ properties: {
+ type: {
+ type: String,
+ description: "The ACME challenge plugin type."
+ },
+ core: {
+ type: DnsPluginCore,
+ flatten: true,
+ },
+ data: {
+ type: String,
+ description: "File containing the plugin data."
+ }
+ }
+})]
+/// Add ACME plugin configuration.
+fn add_plugin(r#type: String, core: DnsPluginCore, data: String) -> Result<(), Error> {
+ let data = proxmox_base64::encode(file_get_contents(data)?);
+ dc_api::config::acme::add_plugin(r#type, core, data)?;
+ Ok(())
+}
+
+pub fn plugin_cli() -> CommandLineInterface {
+ let cmd_def = CliCommandMap::new()
+ .insert("list", CliCommand::new(&API_METHOD_LIST_PLUGINS))
+ .insert(
+ "config",
+ CliCommand::new(&API_METHOD_GET_PLUGIN)
+ .arg_param(&["id"])
+ .completion_cb("id", complete_acme_plugin),
+ )
+ .insert(
+ "add",
+ CliCommand::new(&API_METHOD_ADD_PLUGIN)
+ .arg_param(&["type", "id"])
+ .completion_cb("api", complete_acme_api_challenge_type)
+ .completion_cb("type", complete_acme_plugin_type),
+ )
+ .insert(
+ "remove",
+ CliCommand::new(&dc_api::config::acme::API_METHOD_DELETE_PLUGIN)
+ .arg_param(&["id"])
+ .completion_cb("id", complete_acme_plugin),
+ )
+ .insert(
+ "set",
+ CliCommand::new(&dc_api::config::acme::API_METHOD_UPDATE_PLUGIN)
+ .arg_param(&["id"])
+ .completion_cb("id", complete_acme_plugin),
+ );
+
+ cmd_def.into()
+}
+
+#[api(
+ input: {
+ properties: {
+ force: {
+ description: "Force renewal even if the certificate does not expire soon.",
+ type: Boolean,
+ optional: true,
+ default: false,
+ },
+ },
+ },
+)]
+/// Order a new ACME certificate.
+async fn order_acme_cert(param: Value, rpcenv: &mut dyn RpcEnvironment) -> Result<(), Error> {
+ if !param["force"].as_bool().unwrap_or(false)
+ && !dc_api::nodes::certificates::cert_expires_soon()?
+ {
+ println!("Certificate does not expire within the next 30 days, not renewing.");
+ return Ok(());
+ }
+
+ let info = &dc_api::nodes::certificates::API_METHOD_RENEW_ACME_CERT;
+ let result = match info.handler {
+ ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
+ _ => unreachable!(),
+ };
+
+ wait_for_local_worker(result.as_str().unwrap()).await?;
+
+ Ok(())
+}
+
+#[api]
+/// Revoke ACME certificate.
+async fn revoke_acme_cert(param: Value, rpcenv: &mut dyn RpcEnvironment) -> Result<(), Error> {
+ let info = &dc_api::nodes::certificates::API_METHOD_REVOKE_ACME_CERT;
+ let result = match info.handler {
+ ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
+ _ => unreachable!(),
+ };
+
+ wait_for_local_worker(result.as_str().unwrap()).await?;
+
+ Ok(())
+}
+
+pub fn cert_cli() -> CommandLineInterface {
+ let cmd_def = CliCommandMap::new()
+ .insert("order", CliCommand::new(&API_METHOD_ORDER_ACME_CERT))
+ .insert("revoke", CliCommand::new(&API_METHOD_REVOKE_ACME_CERT));
+
+ cmd_def.into()
+}
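Review bot: a few points in the new `acme.rs`. The struct literal in `register_account` uses `contact: contact, tos_url: tos_url, eab_kid: eab_kid, eab_hmac_key: eab_hmac_key`, which clippy flags as `redundant_field_names`; use the shorthand. In the custom-directory branch, `input.clear()` immediately before `input = read_input("Enter custom directory URI")?` is a no-op since the variable is reassigned anyway; shadow it with a fresh `let input = ...` and drop the `mut`. The doc comment `///Register an ACME account.` is missing the space after `///` that every other doc comment in the file has. The EAB HMAC key is a secret, yet it is read through `read_input`, which echoes it on the terminal like the key id; reading it without echo, the way password prompts do, would be preferable. Finally, the repeated `wait_for_local_worker(result.as_str().unwrap()).await?` pattern appears five times and panics instead of returning an error if a handler ever returns a non-string; a small helper that runs the sync handler, converts the UPID with `ok_or_else`, and waits would keep that in one place.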
diff --git a/cli/admin/src/main.rs b/cli/admin/src/main.rs
index 02148e3..3fd3c2f 100644
--- a/cli/admin/src/main.rs
+++ b/cli/admin/src/main.rs
@@ -9,6 +9,7 @@ use proxmox_router::RpcEnvironment;
use proxmox_schema::api;
use proxmox_sys::fs::CreateOptions;
+mod acme;
mod remotes;
mod support_status;
@@ -22,7 +23,11 @@ async fn run() -> Result<(), Error> {
pdm_buildcfg::configdir!("/access"),
)
.context("failed to setup access control config")?;
+ proxmox_acme_api::init(pdm_buildcfg::configdir!("/acme"), false)
+ .context("failed to initialize acme config")?;
+
proxmox_log::Logger::from_env("PDM_LOG", proxmox_log::LevelFilter::INFO)
+ .tasklog()
.stderr()
.init()
.context("failed to set-up logger")?;
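Review bot: `.tasklog()` is the call that depends on the not-yet-applied `proxmox-log` rename referenced as [1] in the cover letter, so this patch does not build against the crate version currently in use; either keep calling the existing name until the bump is available or say so explicitly in the commit message. Separately, the `false` passed as second argument to `proxmox_acme_api::init(pdm_buildcfg::configdir!("/acme"), false)` is a bare boolean; a short comment stating what it switches off would help readers.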
@@ -30,6 +35,7 @@ async fn run() -> Result<(), Error> {
server::context::init().context("could not set-up server context")?;
let cmd_def = CliCommandMap::new()
+ .insert("acme", acme::acme_mgmt_cli())
.insert("remote", remotes::cli())
.insert(
"report",
--
2.47.3
* [PATCH datacenter-manager v2 4/4] chore: update proxmox-acme version to 1
From: Shan Shaji @ 2026-02-03 17:51 UTC (permalink / raw)
To: pdm-devel
Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
Cargo.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Cargo.toml b/Cargo.toml
index ed9ce60..5c2de75 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -68,7 +68,7 @@ proxmox-upgrade-checks = "1"
proxmox-uuid = "1"
# other proxmox crates
-proxmox-acme = "0.5"
+proxmox-acme = "1.0"
proxmox-openid = "1.0.2"
# api implementation creates
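Review bot: the commit message is empty apart from the sign-off; state why the bump is needed (patch 3/4 imports `proxmox_acme::async_client::AcmeClient` and adds `proxmox-acme.workspace = true`). Since 3/4 already depends on this crate, check whether it still builds against `proxmox-acme = "0.5"`; if it does not, this bump should be ordered before 3/4 so that the series stays bisectable.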
--
2.47.3
* Re: [PATCH datacenter-manager v2 0/4] fix #7179: expose ACME commands inside admin CLI
From: Lukas Wagner @ 2026-02-05 14:25 UTC (permalink / raw)
To: Shan Shaji, pdm-devel
On Tue Feb 3, 2026 at 6:50 PM CET, Shan Shaji wrote:
> Previously, ACME commands were not exposed through the admin CLI.
> Added the necessary functionality to manage ACME settings directly
> via the command line. The changes are done by taking reference from
> the proxmox-backup codebase.
>
> The `tasklog_pbs` function in the `proxmox-log` crate has been renamed
> in the following patch [1]. To test the changes introduced by
> this series, it must be applied.
I mentioned it in the patch as well, but actually it would be best to
keep it as `tasklog_pbs` for now, so that we can apply these changes
without awaiting the proxmox-log version bump. See the patch for a more
detailed explanation.
>
> **note**: The completions were not working in general. Investigating it
> separately.
>
> changes since v1: Thanks @Lukas
> - fixed formatting.
> - refactor the input prompt into a separate method - `read_input`.
> - defined a new struct `AcmeRegistrationParams` and update the API
> method signature to accept only one parameter.
> - used the API `register_account` method instead of using the
> `proxmox-acme-api::register_account` function.
> - added `tasklog` layer to capture worker task logs.
> - added `context` method to preserve the error messages.
>
> Testing
> =======
>
> In general I have verified the following commands, i.e.:
> - account (deactivate, info, list, update)
> - certificate (order, revoke)
> - plugin (add, config, list, remove, set)
> - Verified external account binding using Google's ACME directory
> URL and public CA (GTS).
>
> ### Certificate Creation
>
> http-01 challenge:
> -----------------
>
> I have tested the http-01 challenge verification using a test
> pebble server.
>
> Steps followed to test the changes:
>
> 1. Installed the changes inside a PDM VM.
> 2. install Pebble from Let's Encrypt [2] on the same VM:
>
> cd
> apt update
> apt install -y golang git
> git clone https://github.com/letsencrypt/pebble
> cd pebble
> go build ./cmd/pebble
>
> then, download and trust the Pebble cert:
>
> wget https://raw.githubusercontent.com/letsencrypt/pebble/main/test/certs/pebble.minica.pem
> cp pebble.minica.pem /usr/local/share/ca-certificates/pebble.minica.crt
> update-ca-certificates
>
> 3. We want Pebble to perform HTTP-01 validation against port 80, because
> PDM's standalone plugin will bind port 80. Set httpPort to 80.
>
> nano ./test/config/pebble-config.json
>
> 4. Start the Pebble server in the background:
>
> ./pebble -config ./test/config/pebble-config.json &
>
> 5. Created a Pebble ACME account:
>
> proxmox-datacenter-manager-admin acme account register default admin@example.com --directory 'https://127.0.0.1:14000/dir'
>
> 6. Added a new ACME domain pdm.proxmox.com with HTTP challenge type. Then
> ran the following command.
Seems like there is no way to set ACME domains via the CLI? This could
be a good future addition IMO.
Reviewed and (partially) tested these changes, using the HTTP challenge
with pebble. I did not test anything DNS-related.
Most of my suggestions for v3 are rather trivial, so feel free to
include these trailers:
Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Tested-by: Lukas Wagner <l.wagner@proxmox.com>
* Re: [PATCH datacenter-manager v2 1/4] cli: admin: make cli handling async
From: Lukas Wagner @ 2026-02-05 14:25 UTC (permalink / raw)
To: Shan Shaji, pdm-devel
Hi Shan,
some comments inline.
On Tue Feb 3, 2026 at 6:50 PM CET, Shan Shaji wrote:
> The acme API methods internally create workers to process API requests.
> An error was thrown if the methods invoked without initializing the
> worker tasks.
>
> Since `init_worker_tasks` needs to be called from an async runtime,
> moved the content of the main function to an async `run` function and
> wrapped it using `proxmox_async::runtime::main`, which creates a Tokio
> runtime.
>
> Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
> ---
> changes since v1:
> - use `tasklog` function to capture worker task logs to the tasklog
> file.
> - add `context` method to preserve the error messages.
>
> cli/admin/Cargo.toml | 3 +++
> cli/admin/src/main.rs | 53 ++++++++++++++++++++++++++++---------------
> 2 files changed, 38 insertions(+), 18 deletions(-)
>
> diff --git a/cli/admin/Cargo.toml b/cli/admin/Cargo.toml
> index 0dec423..e566b39 100644
> --- a/cli/admin/Cargo.toml
> +++ b/cli/admin/Cargo.toml
> @@ -19,6 +19,9 @@ proxmox-product-config.workspace = true
> proxmox-router = { workspace = true, features = [ "cli" ], default-features = false }
> proxmox-schema = { workspace = true, features = [ "api-macro" ] }
> proxmox-access-control.workspace = true
> +proxmox-rest-server.workspace = true
> +proxmox-sys.workspace = true
> +proxmox-daemon.workspace = true
>
> pdm-api-types.workspace = true
> pdm-config.workspace = true
> diff --git a/cli/admin/src/main.rs b/cli/admin/src/main.rs
> index f698fa2..02148e3 100644
> --- a/cli/admin/src/main.rs
> +++ b/cli/admin/src/main.rs
> @@ -1,35 +1,33 @@
> +use anyhow::{Context, Error};
> use serde_json::{json, Value};
>
> use proxmox_router::cli::{
> - default_table_format_options, format_and_print_result_full, get_output_format, run_cli_command,
> - CliCommand, CliCommandMap, CliEnvironment, ColumnConfig, OUTPUT_FORMAT,
> + default_table_format_options, format_and_print_result_full, get_output_format,
> + run_async_cli_command, CliCommand, CliCommandMap, CliEnvironment, ColumnConfig, OUTPUT_FORMAT,
> };
> use proxmox_router::RpcEnvironment;
> -
> use proxmox_schema::api;
> +use proxmox_sys::fs::CreateOptions;
>
> mod remotes;
> mod support_status;
>
> -fn main() {
> - //pbs_tools::setup_libc_malloc_opts(); // TODO: move from PBS to proxmox-sys and uncomment
> -
> - let api_user = pdm_config::api_user().expect("cannot get api user");
> - let priv_user = pdm_config::priv_user().expect("cannot get privileged user");
> - proxmox_product_config::init(api_user, priv_user);
> +async fn run() -> Result<(), Error> {
> + let api_user = pdm_config::api_user().context("could not get api user")?;
> + let priv_user = pdm_config::priv_user().context("could not get privileged user")?;
>
> + proxmox_product_config::init(api_user.clone(), priv_user);
> proxmox_access_control::init::init(
> &pdm_api_types::AccessControlConfig,
> pdm_buildcfg::configdir!("/access"),
> )
> - .expect("failed to setup access control config");
> -
> + .context("failed to setup access control config")?;
> proxmox_log::Logger::from_env("PDM_LOG", proxmox_log::LevelFilter::INFO)
> .stderr()
> .init()
> - .expect("failed to set up logger");
> + .context("failed to set-up logger")?;
The string here changed, the original version seems to be more correct
to me
>
> - server::context::init().expect("could not set up server context");
> + server::context::init().context("could not set-up server context")?;
>
> let cmd_def = CliCommandMap::new()
> .insert("remote", remotes::cli())
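Review bot: the `.context(...)` strings for the logger and the server context changed from "set up" (verb) to "set-up" (noun); keep the original wording, i.e. `"failed to set up logger"` and `"could not set up server context"`. Note also that the logger is only initialised after `pdm_config::api_user()`, `priv_user()` and the access-control init, so a failure in any of those is reported solely through the `Result` returned from `main`; that is acceptable, but it makes these `context` strings the only diagnostic the user sees, so they should stay specific.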
> @@ -40,14 +38,33 @@ fn main() {
> .insert("support-status", support_status::cli())
> .insert("versions", CliCommand::new(&API_METHOD_GET_VERSIONS));
>
> + let args: Vec<String> = std::env::args().collect();
> + let avoid_init = args.len() >= 2 && (args[1] == "bashcomplete" || args[1] == "printdoc");
For what it's worth, this could be
let avoid_init = matches!(
args.get(1).map(String::as_str),
Some("bashcomplete") | Some("printdoc")
);
or
let avoid_init = args
.get(1)
.is_some_and(|c| c == "bashcomplete" || c == "printdoc");
It's not really shorter, but I think they would be a bit more idiomatic.
The original version relies on the short-circuit behavior of the &&
operator to avoid the panic when accessing the array element via the
index operator, which is of course correct, but I think this can be
written a bit nicer.
No hard feelings, so just pick whichever version you like most.
> +
> + if !avoid_init {
> + let file_opts = CreateOptions::new().owner(api_user.uid).group(api_user.gid);
> + proxmox_rest_server::init_worker_tasks(pdm_buildcfg::PDM_LOG_DIR_M!().into(), file_opts)
> + .context("failed to initialize worker tasks")?;
> +
> + let mut command_sock = proxmox_daemon::command_socket::CommandSocket::new(api_user.gid);
> + proxmox_rest_server::register_task_control_commands(&mut command_sock)
> + .context("failed to register task control commands")?;
> + command_sock
> + .spawn(proxmox_rest_server::last_worker_future())
> + .context("failed to activate the socket")?;
> + }
> +
> let mut rpcenv = CliEnvironment::new();
> rpcenv.set_auth_id(Some("root@pam".into()));
>
> - run_cli_command(
> - cmd_def,
> - rpcenv,
> - Some(|future| proxmox_async::runtime::main(future)),
> - );
> + run_async_cli_command(cmd_def, rpcenv).await;
> +
> + Ok(())
> +}
> +
> +fn main() -> Result<(), Error> {
> + //pbs_tools::setup_libc_malloc_opts(); // TODO: move from PBS to proxmox-sys and uncomment
> + proxmox_async::runtime::main(run())
> }
>
> #[api(
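Review bot: the `avoid_init` gate only skips `init_worker_tasks` and the command socket for `bashcomplete`/`printdoc`; `proxmox_product_config::init`, the access-control init and the logger from the previous hunk still run for those invocations, so if any of them needs privileges or files that an interactive shell does not have, completion fails before the gate is reached. Given the cover letter's note that completions are not working, it is worth checking whether the gate belongs earlier in `run()`. Separately, `run_async_cli_command(cmd_def, rpcenv).await;` is followed by an unconditional `Ok(())`, so a failed command never takes `run()`'s `Err` path and the process exit status is whatever `run_async_cli_command` sets itself; a one-line comment saying so would save the next reader from looking for a lost error.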
* Re: [PATCH datacenter-manager v1 2/4] api: acme: define API type for ACME registration parameters
From: Lukas Wagner @ 2026-02-05 14:25 UTC (permalink / raw)
To: Shan Shaji, pdm-devel
On Tue Feb 3, 2026 at 6:50 PM CET, Shan Shaji wrote:
> Earlier, the ACME CLI was using the proxmox-acme-api crate's register
> function to register an ACME account. Since it did not create a worker
> task internally, the logs were not being recorded in the task log file.
>
> The API handler function accepts a Value type; in order to pass the
> parameters from the CLI they had to be converted into a Value type.
> Defined a new struct to create the request parameters. This also makes
> sure that even if additional parameters are added later, they
> are not forgotten in the CLI tool.
>
> Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
> ---
>
> note: This is a new patch.
>
> lib/pdm-api-types/src/acme.rs | 65 +++++++++++++++++++++++++++++++++++
> lib/pdm-api-types/src/lib.rs | 2 ++
> server/src/api/config/acme.rs | 48 ++++++++------------------
> 3 files changed, 82 insertions(+), 33 deletions(-)
> create mode 100644 lib/pdm-api-types/src/acme.rs
>
> diff --git a/lib/pdm-api-types/src/acme.rs b/lib/pdm-api-types/src/acme.rs
> new file mode 100644
> index 0000000..e5fc197
> --- /dev/null
> +++ b/lib/pdm-api-types/src/acme.rs
> @@ -0,0 +1,65 @@
> +use serde::{Deserialize, Serialize};
> +
> +use proxmox_acme_api::AcmeAccountName;
> +use proxmox_schema::{api, ApiStringFormat, ArraySchema, Schema, StringSchema};
> +
> +use crate::EMAIL_SCHEMA;
> +
> +pub const ACME_CONTACT_LIST_SCHEMA: Schema =
> + StringSchema::new("List of email addresses, comma seperated.")
> + .format(&ApiStringFormat::PropertyString(
> + &ArraySchema::new("Contact list.", &EMAIL_SCHEMA).schema(),
> + ))
> + .schema();
I think this new schema could also be used in the update_account API
endpoint. I'd add a separate patch after this one for this.
> +
> +#[api(
> + properties: {
> + name: {
> + type: AcmeAccountName,
> + optional: true,
> + },
> + contact: {
> + schema: ACME_CONTACT_LIST_SCHEMA
> + },
> + tos_url: {
> + type: String,
> + description: "URL of CA TermsOfService - setting this indicates agreement.",
Most 'simple' parameters (ones that do not have a schema or nested
types such as arrays) can have their description provided via a doc
comment (see below). This has the benefit that you get that string in
the API viewer *and* the Rust docs.
In general, we try to have doc comments for all `pub` fields/functions.
> + optional: true,
> + },
> + directory: {
> + type: String,
> + description: "The ACME Directory.",
> + optional: true,
> + },
> + eab_kid: {
> + type: String,
> + description: "Key Identifier for External Account Binding.",
> + optional: true,
> + },
> + eab_hmac_key: {
> + type: String,
> + description: "HMAC Key for External Account Binding.",
> + optional: true,
> + }
> + },
> +)]
> +#[derive(Serialize, Deserialize)]
> +/// ACME account registration properties.
> +pub struct AcmeRegistrationParams {
> + #[serde(skip_serializing_if = "Option::is_none")]
> + pub name: Option<AcmeAccountName>,
> +
> + pub contact: String,
> +
> + #[serde(skip_serializing_if = "Option::is_none")]
e.g. like this
/// URL of CA TermsOfService - setting this indicates agreement.
> + pub tos_url: Option<String>,
> +
> + #[serde(skip_serializing_if = "Option::is_none")]
> + pub directory: Option<String>,
> +
> + #[serde(skip_serializing_if = "Option::is_none")]
> + pub eab_kid: Option<String>,
> +
> + #[serde(skip_serializing_if = "Option::is_none")]
> + pub eab_hmac_key: Option<String>,
> +}
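Review bot: "comma seperated" in the `ACME_CONTACT_LIST_SCHEMA` description is a user-visible typo (`separated`). Also, `eab_hmac_key` is a shared secret: since `AcmeRegistrationParams` derives `Serialize` and is handed through as flattened API parameters, check how the API and worker-task layers log their parameters so the key is not written out in clear.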
> diff --git a/lib/pdm-api-types/src/lib.rs b/lib/pdm-api-types/src/lib.rs
> index 5daaa3f..b69e99f 100644
> --- a/lib/pdm-api-types/src/lib.rs
> +++ b/lib/pdm-api-types/src/lib.rs
> @@ -116,6 +116,8 @@ pub mod sdn;
>
> pub mod views;
>
> +pub mod acme;
> +
> const_regex! {
> // just a rough check - dummy acceptor is used before persisting
> pub OPENSSL_CIPHERS_REGEX = r"^[0-9A-Za-z_:, +!\-@=.]+$";
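Review bot: `pub mod acme;` is appended after `pub mod views;`, while the visible neighbours (`sdn`, `views`) suggest the module list is kept alphabetical; if so, `acme` belongs at the top of that list rather than at the end.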
> diff --git a/server/src/api/config/acme.rs b/server/src/api/config/acme.rs
> index 0c583c4..3c40a27 100644
> --- a/server/src/api/config/acme.rs
> +++ b/server/src/api/config/acme.rs
> @@ -1,5 +1,6 @@
> use anyhow::Error;
>
> +use pdm_api_types::acme::AcmeRegistrationParams;
> use proxmox_router::list_subdirs_api_method;
> use proxmox_router::{Router, RpcEnvironment, SubdirMap};
>
> @@ -79,31 +80,9 @@ pub fn list_accounts() -> Result<Vec<AccountEntry>, Error> {
> #[api(
> input: {
> properties: {
> - name: {
> - type: AcmeAccountName,
> - optional: true,
> - },
> - contact: {
> - description: "List of email addresses.",
> - },
> - tos_url: {
> - description: "URL of CA TermsOfService - setting this indicates agreement.",
> - optional: true,
> - },
> - directory: {
> - type: String,
> - description: "The ACME Directory.",
> - optional: true,
> - },
> - eab_kid: {
> - type: String,
> - description: "Key Identifier for External Account Binding.",
> - optional: true,
> - },
> - eab_hmac_key: {
> - type: String,
> - description: "HMAC Key for External Account Binding.",
> - optional: true,
> + params: {
> + type: AcmeRegistrationParams,
> + flatten: true
> }
> },
> },
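Review bot: this hunk changes the API contract and the commit message should say so: `contact` previously carried only a description and accepted any string, whereas the flattened `AcmeRegistrationParams` validates it against `ACME_CONTACT_LIST_SCHEMA` (a property string of `EMAIL_SCHEMA` entries), so inputs that passed before are now rejected at schema validation. That is the desired behaviour, but it is a stricter input check and API users should be able to find it in the log.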
> @@ -116,16 +95,19 @@ pub fn list_accounts() -> Result<Vec<AccountEntry>, Error> {
> },
> )]
> /// Register an ACME account.
> -fn register_account(
> - name: Option<AcmeAccountName>,
> - // Todo: email & email-list schema
> - contact: String,
> - tos_url: Option<String>,
> - directory: Option<String>,
> - eab_kid: Option<String>,
> - eab_hmac_key: Option<String>,
> +pub fn register_account(
> + params: AcmeRegistrationParams,
> rpcenv: &mut dyn RpcEnvironment,
> ) -> Result<String, Error> {
> + let AcmeRegistrationParams {
> + name,
> + contact,
> + tos_url,
> + directory,
> + eab_kid,
> + eab_hmac_key,
> + } = params;
> +
> let auth_id = rpcenv.get_auth_id().unwrap();
> let name = name.unwrap_or_else(|| unsafe {
> AcmeAccountName::from_string_unchecked("default".to_string())
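Review bot: `register_account` becoming `pub` is presumably what makes `API_METHOD_REGISTER_ACCOUNT` reachable from the CLI in patch 3/4; a line in the commit message about that, and about the removed `// Todo: email & email-list schema` comment now being resolved by `ACME_CONTACT_LIST_SCHEMA`, would make the intent of this hunk explicit.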
* Re: [PATCH datacenter-manager v2 3/4] fix #7179: cli: admin: expose acme commands
From: Lukas Wagner @ 2026-02-05 14:26 UTC (permalink / raw)
To: Shan Shaji, pdm-devel
Hi Shan,
thanks for this updated version of your patch series. Looking good from
what I can see; some comments inline.
On Tue Feb 3, 2026 at 6:51 PM CET, Shan Shaji wrote:
> Previously, ACME commands were not exposed through the admin CLI.
> Added the necessary functionality to manage ACME settings directly
> via the command line.
>
> Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
> ---
>
> changes since v1:
> - Fix formatting.
> - Use API register_account method instead of the proxmox-acme-api
> crate's register_account method to register ACME account.
> - add `read_input` helper function.
>
> cli/admin/Cargo.toml | 4 +-
> cli/admin/src/acme.rs | 445 ++++++++++++++++++++++++++++++++++++++++++
> cli/admin/src/main.rs | 6 +
> 3 files changed, 454 insertions(+), 1 deletion(-)
> create mode 100644 cli/admin/src/acme.rs
>
> diff --git a/cli/admin/Cargo.toml b/cli/admin/Cargo.toml
> index e566b39..01afc88 100644
> --- a/cli/admin/Cargo.toml
> +++ b/cli/admin/Cargo.toml
> @@ -22,7 +22,9 @@ proxmox-access-control.workspace = true
> proxmox-rest-server.workspace = true
> proxmox-sys.workspace = true
> proxmox-daemon.workspace = true
> -
> +proxmox-acme.workspace = true
> +proxmox-acme-api.workspace = true
> +proxmox-base64.workspace = true
> pdm-api-types.workspace = true
> pdm-config.workspace = true
> pdm-buildcfg.workspace = true
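Review bot: the blank line that separated the proxmox-* group from the pdm-* crates is removed and the three new crates are appended directly before `pdm-api-types.workspace = true`; keep a separating blank line after `proxmox-base64.workspace = true` so the grouping stays readable.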
> diff --git a/cli/admin/src/acme.rs b/cli/admin/src/acme.rs
> new file mode 100644
> index 0000000..be442cd
> --- /dev/null
> +++ b/cli/admin/src/acme.rs
> @@ -0,0 +1,445 @@
> +use std::io::Write;
> +
> +use anyhow::{bail, Error};
> +use serde_json::Value;
> +
> +use pdm_api_types::acme::AcmeRegistrationParams;
> +use proxmox_acme::async_client::AcmeClient;
> +use proxmox_acme_api::{completion::*, AcmeAccountName, DnsPluginCore, KNOWN_ACME_DIRECTORIES};
> +use proxmox_rest_server::wait_for_local_worker;
> +use proxmox_router::{cli::*, ApiHandler, RpcEnvironment};
> +use proxmox_schema::api;
> +use proxmox_sys::fs::file_get_contents;
> +
> +use server::api as dc_api;
> +
> +pub fn acme_mgmt_cli() -> CommandLineInterface {
> + let cmd_def = CliCommandMap::new()
> + .insert("account", account_cli())
> + .insert("plugin", plugin_cli())
> + .insert("certificate", cert_cli());
> +
> + cmd_def.into()
> +}
> +
> +#[api(
> + input: {
> + properties: {
> + "output-format": {
> + schema: OUTPUT_FORMAT,
> + optional: true,
> + }
> + }
> + }
> +)]
> +/// List ACME accounts.
> +fn list_accounts(param: Value, rpcenv: &mut dyn RpcEnvironment) -> Result<(), Error> {
> + let output_format = get_output_format(¶m);
> + let info = &dc_api::config::acme::API_METHOD_LIST_ACCOUNTS;
> + let mut data = match info.handler {
> + ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
> + _ => unreachable!(),
> + };
> +
> + let options = default_table_format_options();
> + format_and_print_result_full(&mut data, &info.returns, &output_format, &options);
> +
> + Ok(())
> +}
> +
> +#[api(
> + input: {
> + properties: {
> + name: { type: AcmeAccountName },
> + "output-format": {
> + schema: OUTPUT_FORMAT,
> + optional: true,
> + },
> + }
> + }
> +)]
> +/// Show ACME account information.
> +async fn get_account(param: Value, rpcenv: &mut dyn RpcEnvironment) -> Result<(), Error> {
> + let output_format = get_output_format(¶m);
> +
> + let info = &dc_api::config::acme::API_METHOD_GET_ACCOUNT;
> + let mut data = match info.handler {
> + ApiHandler::Async(handler) => (handler)(param, info, rpcenv).await?,
> + _ => unreachable!(),
> + };
> +
> + let options = default_table_format_options()
> + .column(
> + ColumnConfig::new("account")
> + .renderer(|value, _record| Ok(serde_json::to_string_pretty(value)?)),
> + )
> + .column(ColumnConfig::new("directory"))
> + .column(ColumnConfig::new("location"))
> + .column(ColumnConfig::new("tos"));
> + format_and_print_result_full(&mut data, &info.returns, &output_format, &options);
> +
> + Ok(())
> +}
> +
> +fn read_input(prompt: &str) -> Result<String, Error> {
> + print!("{}: ", prompt);
> + std::io::stdout().flush()?;
> + let mut input = String::new();
> + std::io::stdin().read_line(&mut input)?;
> + Ok(input)
> +}
> +
> +#[api(
> + input: {
> + properties: {
> + name: { type: AcmeAccountName },
> + contact: {
> + description: "List of email addresses.",
> + type: String,
> + },
> + directory: {
> + type: String,
> + description: "The ACME Directory.",
> + optional: true,
> + },
> + }
> + }
> +)]
> +///Register an ACME account.
> +async fn register_account(
> + name: AcmeAccountName,
> + contact: String,
> + directory: Option<String>,
> + rpcenv: &mut dyn RpcEnvironment,
> +) -> Result<(), Error> {
> + let (directory_url, custom_directory) = match directory {
> + Some(directory) => (directory, true),
> + None => {
> + println!("Directory endpoints:");
> + for (i, dir) in KNOWN_ACME_DIRECTORIES.iter().enumerate() {
> + println!("{}) {}", i, dir.url);
> + }
> +
> + println!("{}) Custom", KNOWN_ACME_DIRECTORIES.len());
> + let mut attempt = 0;
> + loop {
> + let mut input = read_input("Enter selection")?;
> + match input.trim().parse::<usize>() {
> + Ok(n) if n < KNOWN_ACME_DIRECTORIES.len() => {
> + break (KNOWN_ACME_DIRECTORIES[n].url.to_string(), false);
> + }
> + Ok(n) if n == KNOWN_ACME_DIRECTORIES.len() => {
> + input.clear();
> + input = read_input("Enter custom directory URI")?;
> + break (input.trim().to_owned(), true);
> + }
> + _ => eprintln!("Invalid selection."),
> + }
> +
> + attempt += 1;
> + if attempt >= 3 {
> + bail!("Aborting.");
> + }
> + }
> + }
> + };
> +
> + println!("Attempting to fetch Terms of Service from {directory_url:?}");
> + let mut client = AcmeClient::new(directory_url.clone());
> + let directory = client.directory().await?;
> + let tos_agreed = if let Some(tos_url) = directory.terms_of_service_url() {
> + println!("Terms of Service: {tos_url}");
> + let input = read_input("Do you agree to the above terms? [y|N]")?;
> + input.trim().eq_ignore_ascii_case("y")
> + } else {
> + println!("No Terms of Service found, proceeding.");
> + true
> + };
> +
> + let mut eab_enabled = directory.external_account_binding_required();
> + if !eab_enabled && custom_directory {
> + let input = read_input("Do you want to use external account binding? [y|N]")?;
> + eab_enabled = input.trim().eq_ignore_ascii_case("y");
> + } else if eab_enabled {
> + println!("The CA requires external account binding.");
> + }
> +
> + let eab_creds = if eab_enabled {
> + println!("You should have received a key id and a key from your CA.");
> + let eab_kid = read_input("Enter EAB key id")?;
> + let eab_hmac_key = read_input("Enter EAB key")?;
> + Some((eab_kid.trim().to_owned(), eab_hmac_key.trim().to_owned()))
> + } else {
> + None
> + };
> +
> + let tos_url = tos_agreed
> + .then(|| directory.terms_of_service_url().map(str::to_owned))
> + .flatten();
> +
> + let (eab_kid, eab_hmac_key) = eab_creds.unzip();
> + let parameters = AcmeRegistrationParams {
> + name: Some(name),
> + contact: contact,
> + tos_url: tos_url,
> + directory: Some(directory_url),
> + eab_kid: eab_kid,
> + eab_hmac_key: eab_hmac_key,
> + };
> + let param = serde_json::to_value(parameters)?;
> +
> + let info = &dc_api::config::acme::API_METHOD_REGISTER_ACCOUNT;
> + let result = match info.handler {
> + ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
> + _ => unreachable!(),
> + };
> +
> + wait_for_local_worker(result.as_str().unwrap()).await?;
> +
> + Ok(())
> +}
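Review bot: in `register_account` the `input.clear()` before `input = read_input("Enter custom directory URI")?` is redundant, the assignment replaces the string anyway. Further nits in this region: `///Register an ACME account.` is missing the space after `///`; the `AcmeRegistrationParams` literal can use field-init shorthand (`contact`, `tos_url`, `eab_kid`, `eab_hmac_key`); and `result.as_str().unwrap()` panics if the handler ever returns something other than a string, where `.context("expected worker task id")?` would yield a proper error. One defensive point: `read_input("Enter EAB key")` echoes the HMAC key on the terminal, so reading that value without echo, as is done for passwords, would keep the secret out of scrollback.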
Two things came to mind when actually trying out this CLI:
- The directory selection is a bit odd to use, since it uses 0-based
indexing, something like
0.) Let's Encrypt
1.) Let's Encrypt Staging
....
1-based indexing probably is a bit nicer for users here.
- Also, I wonder if there should be a non-interactive version of this
command as well, one that can be scripted, one where all parameters
that are asked interactively can be provided as flags.
People can always use the API for this, but maybe it would still be
nice to offer this in the CLI tool as well.
Just thinking out loud; I'm aware that you just copied the approach
from PBS. If we add something like this, it should be done in a
separate series.
- Might be worth moving this 'wizard' implementation to some helper
module in proxmox-acme-api and then use the same implementation from
both PDM and PBS. To avoid scope creep this can always be done in a
follow-up series.
I guess in this case the appropriate place for the new
AcmeRegistrationParams is then also proxmox-acme-api, since this
would be the type that is returned from such a shared helper.
(sorry, some of these I could have noticed in my earlier, less
thorough review)
All of these can be done in follow-up patches, it's just some ideas for
improvement over the status quo that we already have in PBS.
> +
> +#[api(
> + input: {
> + properties: {
> + name: { type: AcmeAccountName },
> + contact: {
> + description: "List of email addresses.",
> + type: String,
> + optional: true,
> + }
> + }
> + }
> +)]
> +/// Update an ACME Account.
> +async fn update_account(param: Value, rpcenv: &mut dyn RpcEnvironment) -> Result<(), Error> {
> + let info = &dc_api::config::acme::API_METHOD_UPDATE_ACCOUNT;
> + let result = match info.handler {
> + ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
> + _ => unreachable!(),
> + };
> +
> + wait_for_local_worker(result.as_str().unwrap()).await?;
> +
> + Ok(())
> +}
> +
[...]
> +
> +pub fn cert_cli() -> CommandLineInterface {
> + let cmd_def = CliCommandMap::new()
> + .insert("order", CliCommand::new(&API_METHOD_ORDER_ACME_CERT))
> + .insert("revoke", CliCommand::new(&API_METHOD_REVOKE_ACME_CERT));
> +
> + cmd_def.into()
> +}
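Review bot: `update_account` forwards `param: Value` unchanged to `API_METHOD_UPDATE_ACCOUNT`, so the CLI-side `contact` definition here ("List of email addresses.", plain `String`) duplicates rather than reuses the API's schema; once the API side validates contacts via `ACME_CONTACT_LIST_SCHEMA`, point this property at the same constant so CLI and API validate alike. The `result.as_str().unwrap()` pattern from `register_account` repeats here; a small helper that extracts the worker task id with a proper error would serve both commands.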
> diff --git a/cli/admin/src/main.rs b/cli/admin/src/main.rs
> index 02148e3..3fd3c2f 100644
> --- a/cli/admin/src/main.rs
> +++ b/cli/admin/src/main.rs
> @@ -9,6 +9,7 @@ use proxmox_router::RpcEnvironment;
> use proxmox_schema::api;
> use proxmox_sys::fs::CreateOptions;
>
> +mod acme;
> mod remotes;
> mod support_status;
>
> @@ -22,7 +23,11 @@ async fn run() -> Result<(), Error> {
> pdm_buildcfg::configdir!("/access"),
> )
> .context("failed to setup access control config")?;
> + proxmox_acme_api::init(pdm_buildcfg::configdir!("/acme"), false)
> + .context("failed to initialize acme config")?;
> +
> proxmox_log::Logger::from_env("PDM_LOG", proxmox_log::LevelFilter::INFO)
> + .tasklog()
I'd use the 'old' tasklog_pbs function here for now, since then we can
apply these patches without bumping proxmox-log first. Changing this to
`tasklog` is trivial and can be done in a followup patch.
We should be getting a deprecation warning when building PDM once
proxmox-log has been bumped, so there should be little chance to forget
it.
> .stderr()
> .init()
> .context("failed to set-up logger")?;
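Review bot: the second argument of `proxmox_acme_api::init(pdm_buildcfg::configdir!("/acme"), false)` is a bare boolean whose meaning is invisible at the call site; a short comment naming what `false` selects would help readers. This init also runs before the `avoid_init` gate added in patch 1/4, so it executes for `bashcomplete`/`printdoc` too; if it touches the config directory, it may belong inside the gated block instead.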
> @@ -30,6 +35,7 @@ async fn run() -> Result<(), Error> {
> server::context::init().context("could not set-up server context")?;
>
> let cmd_def = CliCommandMap::new()
> + .insert("acme", acme::acme_mgmt_cli())
> .insert("remote", remotes::cli())
> .insert(
> "report",
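To make the two suggestions above concrete (1-based menu numbering and a non-interactive path), here is an added example, not code from this series, from PBS or from proxmox-acme-api, of the directory selection written as a pure function over a reader/writer pair, so it can be exercised without a terminal: the menu is numbered from 1, the number of attempts is bounded, and a `--directory`-style flag value bypasses the prompt entirely. The names `KNOWN_DIRECTORIES`, `Selection`, `Directory`, `parse_selection` and `choose_directory` are assumed for the example, and the directory list is a constructed sample standing in for `KNOWN_ACME_DIRECTORIES`.

```rust
//! Added example, not part of the pdm series: a testable ACME directory
//! selection with 1-based numbering and a non-interactive flag path.
use std::io::{self, BufRead, Write};

/// Constructed sample (name, url) list standing in for KNOWN_ACME_DIRECTORIES.
const KNOWN_DIRECTORIES: &[(&str, &str)] = &[
    ("Let's Encrypt V2", "https://acme-v02.api.letsencrypt.org/directory"),
    ("Let's Encrypt V2 Staging", "https://acme-staging-v02.api.letsencrypt.org/directory"),
];

/// Outcome of parsing one menu answer.
#[derive(Debug, PartialEq, Eq)]
pub enum Selection {
    /// Index into KNOWN_DIRECTORIES (already converted back to 0-based).
    Known(usize),
    /// The user picked the "Custom" entry and will be asked for a URL.
    Custom,
    /// Not a number, zero, or past the "Custom" entry.
    Invalid,
}

/// Map a 1-based menu answer onto the directory list: 1..=len picks a known
/// directory, len+1 is "Custom", anything else (including 0) is invalid.
pub fn parse_selection(answer: &str, known_len: usize) -> Selection {
    match answer.trim().parse::<usize>() {
        Ok(0) => Selection::Invalid,
        Ok(n) if n <= known_len => Selection::Known(n - 1),
        Ok(n) if n == known_len + 1 => Selection::Custom,
        _ => Selection::Invalid,
    }
}

/// Resolved directory URL plus whether the user supplied it themselves.
#[derive(Debug, PartialEq, Eq)]
pub struct Directory {
    pub url: String,
    pub custom: bool,
}

/// Resolve the directory either from a flag (non-interactive) or from the
/// menu. Returns Ok(None) when the attempt budget is exhausted or input ends,
/// which the caller turns into an "Aborting." error.
pub fn choose_directory<R: BufRead, W: Write>(
    directory_flag: Option<&str>,
    input: &mut R,
    out: &mut W,
    max_attempts: usize,
) -> io::Result<Option<Directory>> {
    // Non-interactive path: a --directory value skips the menu entirely.
    if let Some(url) = directory_flag {
        return Ok(Some(Directory { url: url.to_owned(), custom: true }));
    }

    writeln!(out, "Directory endpoints:")?;
    for (i, (name, url)) in KNOWN_DIRECTORIES.iter().enumerate() {
        writeln!(out, "{}) {name} ({url})", i + 1)?;
    }
    writeln!(out, "{}) Custom", KNOWN_DIRECTORIES.len() + 1)?;

    for _ in 0..max_attempts {
        write!(out, "Enter selection: ")?;
        out.flush()?;
        let mut line = String::new();
        if input.read_line(&mut line)? == 0 {
            break; // EOF: nothing more to ask
        }
        match parse_selection(&line, KNOWN_DIRECTORIES.len()) {
            Selection::Known(i) => {
                return Ok(Some(Directory { url: KNOWN_DIRECTORIES[i].1.to_owned(), custom: false }));
            }
            Selection::Custom => {
                write!(out, "Enter custom directory URI: ")?;
                out.flush()?;
                let mut url = String::new();
                input.read_line(&mut url)?;
                let url = url.trim();
                if url.is_empty() {
                    writeln!(out, "Empty URL.")?;
                    continue; // counts as a failed attempt
                }
                return Ok(Some(Directory { url: url.to_owned(), custom: true }));
            }
            Selection::Invalid => writeln!(out, "Invalid selection.")?,
        }
    }
    Ok(None)
}

fn main() -> io::Result<()> {
    let stdin = io::stdin();
    let mut stdout = io::stdout();
    match choose_directory(None, &mut stdin.lock(), &mut stdout, 3)? {
        Some(d) => println!("selected {} (custom: {})", d.url, d.custom),
        None => println!("Aborting."),
    }
    Ok(())
}
```

Keeping the prompt logic behind `BufRead`/`Write` is what makes the 1-based boundary cases (0, len, len+1, len+2) and the retry budget checkable in a unit test; the CLI command would only own the `stdin`/`stdout` wiring in `main`.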