From: Wolfgang Bumiller
To: pmg-devel@lists.proxmox.com
Date: Tue, 16 Mar 2021 11:24:07 +0100
Message-Id: <20210316102424.25885-1-w.bumiller@proxmox.com>
Subject: [pmg-devel] [PATCH v3 api/gui/wtk/acme 0/many] Certificates & ACME
List-Id: Proxmox Mail Gateway development discussion
v3 incorporating feedback from v2:

* removed 'audit' api access for acme plugins
* Added a new patch for pve-common for a CLI arg parsing issue.
  (This one should be looked at more closely I think)
* Regenerate the self-signed cert when deleting the current one.
* Add missing $cfg->write() call
* fixed 'challengeschema/challenge-schema' path/name issue
* added a helper for account name/file extraction
  (but did keep the error messages for when the file is not there for now
  as atm it's a nicer error, can be removed in later patches)
* replace loadSSHKeyFromFile with loadTextFromFile

---

v2 cover letter:

v2 incorporating feedback from v1

* api call permission fixups on account methods
* consistent locking function implementations (without `die $@ if $@`)
* removed unnecessary call to `sort`
* cert regex simplification
* reload/config update code dedup & consistency
* removed superfluous `border: 0`
* inlined unnecessary `initComponent`

and also contains some PVE-compatibility fixes in the acme domain view:
widget toolkit side should now work seamlessly in the PVE UI code as well

---

Original Cover letter:

These are the pmg-api, pmg-gui and proxmox-widget-toolkit and proxmox-acme
parts of the ACME series for PMG.

This requires the `pmg-rs` package, which replaces the ACME client from
`proxmox-acme` and provides the CSR generation and is written in rust.
Note that the DNS challenge handling still uses proxmox-acme for now.

proxmox-acme:
* Just a `use` statement fixup
* Still used for the DNS challenge

pmg-gui:
Just adds the "certificate view", but the real dirt lives in the
widget-toolkit.

proxmox-widget-toolkit:
Gets the Certificate, ACME Account, ACME Plugin and ACME Domain view from
PVE adapted to be usable for PMG.
Changes to PVE are mainly:
* API URLs need to be provided since they differ a bit between PVE and PMG.
* some additional buttons/fields specific to pmg generated if the
  parameters for them are present

pmg-api:
Simply gets API entry points for the above. These too are mostly copied
from PVE and adapted (also the ACME client API from pmg-rs is slightly
different/cleaned up, so that's a minor incompatibility in some otherwise
common code, but a `pve-rs` may fix that). But some things could
definitely already go to pve-common (especially schema stuff).

Note that while I did add the corresponding files to the cluster sync,
this still needs testing *and* issuing an API certificate may break
cluster functionality currently. (Stoiko is working on that)