From: Stoiko Ivanov
To: pmg-devel@lists.proxmox.com
Date: Mon, 15 Mar 2021 23:01:29 +0100
Message-Id: <20210315220135.25988-1-s.ivanov@proxmox.com>
Subject: [pmg-devel] [PATCH pmg-api 0/6] add mechanism to update certificate fingerprints in cluster
List-Id: Proxmox Mail Gateway development discussion
Currently PMG's cluster synchronization relies mostly on rsync+ssh, but does fetch some information via API call. Whenever one of the nodes in a cluster changes its api-certificate the cluster-synchronization breaks (see [0]).

This series addresses the issue by adding an api-call (proxied to master), which connects to all nodes defined in the cluster via `ssh`, fetches the current api-certificate fingerprint (by running `openssl x509`) and updates the cluster.conf. All nodes in the cluster sync the config (via rsync) at the beginning of each synchronization and thus will eventually get the updated fingerprint before trying to connect to another node via API (with pinned certificate fingerprint).

The last patch is the addition of that mechanism to the new PMG certificate management series by Wolfgang.

[0] https://forum.proxmox.com/threads/how-to-lets-encrypt-and-pmg.41493/post-207669

Stoiko Ivanov (6):
  cluster: refactor rsync_command
  cluster: add helper to get remote cert fingerprint
  api: cluster: add update-fingerprints call
  cluster: add trigger_update_fingerprints
  pmgcm: add trigger-update-fingerprint
  api: certificates: trigger fingerprint update

 src/PMG/API2/Certificates.pm |  6 ++++
 src/PMG/API2/Cluster.pm      | 40 +++++++++++++++++++++++
 src/PMG/CLI/pmgcm.pm         | 21 +++++++++++++
 src/PMG/Cluster.pm           | 61 ++++++++++++++++++++++++++++++++++--
 4 files changed, 125 insertions(+), 3 deletions(-)

-- 
2.20.1
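An added example of the ssh + `openssl x509` refresh the cover letter describes, written as a POSIX shell script; it is not code from the series or from PMG. The certificate path /etc/pmg/pmg-api.pem, non-interactive root ssh, and a cluster.conf layout of `node <name> { ... FINGERPRINT <value> ... }` blocks are assumptions of this example:

```shell
#!/bin/sh
# Added example, not part of the patch series or of PMG itself.
# Refreshes the pinned API-certificate fingerprint of every cluster node by
# running `openssl x509` over ssh, as the cover letter describes.
# Assumptions: the API cert is at /etc/pmg/pmg-api.pem, ssh as root works
# non-interactively, and cluster.conf holds blocks like
#   node pmg2 {
#       FINGERPRINT AA:BB:...
#   }
set -eu

CERT_PATH=/etc/pmg/pmg-api.pem   # assumed location of the node's API cert

# Reduce "SHA256 Fingerprint=AA:BB:..." (openssl output) to the bare value.
parse_fingerprint() {
    sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p'
}

# Ask one node for the SHA-256 fingerprint of its current API certificate.
fetch_fingerprint() {
    ssh -o BatchMode=yes "root@$1" \
        openssl x509 -in "$CERT_PATH" -noout -fingerprint -sha256 | parse_fingerprint
}

# set_fingerprint CONF NODE FP: replace the FINGERPRINT line inside NODE's
# block only; returns 1 (and leaves CONF untouched) if NODE has no block.
set_fingerprint() {
    conf=$1; node=$2; fp=$3
    grep -Eq "^(node|master) $node \{" "$conf" || return 1
    awk -v node="$node" -v fp="$fp" '
        ($1 == "node" || $1 == "master") && $2 == node { inblock = 1 }
        inblock && $1 == "FINGERPRINT" { sub(/FINGERPRINT .*/, "FINGERPRINT " fp) }
        /^}/ { inblock = 0 }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Walk every node block in CONF and refresh its fingerprint; a node that
# cannot be reached is reported and skipped rather than given an empty value.
update_all() {
    conf=$1
    awk '$1 == "node" || $1 == "master" { print $2 }' "$conf" |
    while read -r node; do
        if fp=$(fetch_fingerprint "$node") && [ -n "$fp" ]; then
            set_fingerprint "$conf" "$node" "$fp"
        else
            echo "skipping $node: could not fetch fingerprint" >&2
        fi
    done
}

if [ -n "${1:-}" ]; then
    update_all "$1"   # usage: ./update-fingerprints.sh cluster.conf
fi
```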