From: Thomas Lamprecht
To: Stoiko Ivanov, pmg-devel@lists.proxmox.com
Date: Tue, 16 Mar 2021 19:18:31 +0100
Subject: [pmg-devel] applied-series: [PATCH pmg-api 0/6] add mechanism to update certificate fingerprints in cluster
In-Reply-To: <20210315220135.25988-1-s.ivanov@proxmox.com>
References: <20210315220135.25988-1-s.ivanov@proxmox.com>
List-Id: Proxmox Mail Gateway development discussion

On 15.03.21 23:01, Stoiko Ivanov wrote:
> Currently PMG's cluster synchronization relies mostly on rsync+ssh, but
> does fetch some information via API call.
> Whenever one of the nodes in a cluster changes its api-certificate the
> cluster-synchronization breaks (see [0]).
>
> This series addresses the issue by adding an api-call (proxied to master),
> which connects to all nodes defined in the cluster via `ssh` and fetches
> the current api-certificate fingerprint (by running `openssl x509`) and
> updating the cluster.conf.
> All nodes in the cluster sync the config (via rsync) at the beginning of
> each synchronization and thus will eventually get the updated fingerprint,
> before trying to connect to another node via API (with pinned certificate
> fingerprint)
>
> the last patch is the addition of that mechanism to the new PMG certificate
> management series by Wolfgang.
>
> [0]
> https://forum.proxmox.com/threads/how-to-lets-encrypt-and-pmg.41493/post-207669
>
> Stoiko Ivanov (6):
>   cluster: refactor rsync_command
>   cluster: add helper to get remote cert fingerprint
>   api: cluster: add update-fingerprints call
>   cluster: add trigger_update_fingerprints
>   pmgcm: add trigger-update-fingerprint
>   api: certificates: trigger fingerprint update
>
>  src/PMG/API2/Certificates.pm |  6 ++++
>  src/PMG/API2/Cluster.pm      | 40 +++++++++++++++++++++++
>  src/PMG/CLI/pmgcm.pm         | 21 +++++++++++++
>  src/PMG/Cluster.pm           | 61 ++++++++++++++++++++++++++++++++++--
>  4 files changed, 125 insertions(+), 3 deletions(-)
>

applied series, much thanks!

FYI: I did some small (whitespace/indentation) and some medium followups:

* dropped the "trigger-" from the pmgcm "update-fingerprints" command, two verbs
  just sound a little weird
* do not make it an error to call that update method if there's no cluster,
  just note that nothing will be done
* in the api call I used $cid instead of $d->{cid}, which is the same FWICT from
  checking cluster config parser and basic sanity expectations I have still
  left; that avoids nested hash access and allows for shorter code.
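Worked illustration of the pin-then-refresh flow the cover letter describes. This is an added example, not code from pmg-api or from either participant. It assumes SHA-256 fingerprints, an in-memory dict standing in for cluster.conf, constructed stand-in DER blobs (not parseable certificates; only the hashing path is exercised) and a stub in place of the ssh + `openssl x509` round trip. The one real dependency it relies on is that the fingerprint is SHA-256 over the DER-encoded certificate, which is what `openssl x509 -noout -fingerprint -sha256` prints, as `SHA256 Fingerprint=` on OpenSSL 1.1 and `sha256 Fingerprint=` on OpenSSL 3.

```python
"""Certificate-fingerprint pinning for a cluster config, plus the refresh step
that the series adds. Added illustration, not code from pmg-api.

Assumed here (not stated in the patch series): SHA-256 fingerprints, an
in-memory dict standing in for cluster.conf, and openssl's output line
"SHA256 Fingerprint=AA:BB:..." (OpenSSL 3 prints it as "sha256 Fingerprint=").
"""
import hashlib
import hmac
import re
import ssl

# The line printed by `openssl x509 -noout -fingerprint -sha256 -in <cert>`.
# OpenSSL 1.1 writes "SHA256", OpenSSL 3 writes "sha256"; hex case also varies.
_FP_LINE = re.compile(
    r"^sha256 Fingerprint=((?:[0-9a-f]{2}:){31}[0-9a-f]{2})\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def fingerprint_from_der(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, in openssl's AA:BB:... layout."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_from_pem(pem: str) -> str:
    """Same digest computed from a PEM file, as a node would for its own API cert."""
    return fingerprint_from_der(ssl.PEM_cert_to_DER_cert(pem))


def parse_openssl_fingerprint(output: str) -> str:
    """Pull the fingerprint out of `openssl x509` output (what the master gets
    back over ssh from each node) and normalize it to upper case."""
    match = _FP_LINE.search(output)
    if match is None:
        raise ValueError("no SHA-256 fingerprint line in openssl output")
    return match.group(1).upper()


def pin_matches(cluster: dict, node: str, presented_der: bytes) -> bool:
    """Client-side check before an API call to `node`: the certificate the peer
    presented must hash to the fingerprint recorded for it in cluster config."""
    expected = cluster[node]["fingerprint"].replace(":", "").upper()
    actual = fingerprint_from_der(presented_der).replace(":", "").upper()
    return hmac.compare_digest(expected, actual)


def update_fingerprint(cluster: dict, node: str, openssl_output: str) -> str:
    """Master-side refresh: replace the stored fingerprint for `node` with the
    one just fetched. Returns the new value."""
    new_fp = parse_openssl_fingerprint(openssl_output)
    cluster[node]["fingerprint"] = new_fp
    return new_fp


def _remote_openssl_x509(pem: str) -> str:
    """Stand-in for `ssh <node> openssl x509 -noout -fingerprint -sha256 -in <cert>`:
    returns the one line the real command prints for this certificate."""
    return "SHA256 Fingerprint=" + fingerprint_from_pem(pem) + "\n"


def renewal_scenario() -> dict:
    """Walk through the failure the series fixes: pin OK, node renews its cert,
    pin breaks, master refreshes cluster config, pin OK again."""
    # Constructed stand-in DER blobs. They are not parseable certificates (only
    # the hashing path is exercised); real ones come from each node's PEM file.
    old_der = b"\x30\x82\x01\x00" + b"node2-old-cert" * 8
    new_der = b"\x30\x82\x01\x00" + b"node2-renewed-cert" * 8

    cluster = {"node2": {"ip": "192.0.2.12", "fingerprint": fingerprint_from_der(old_der)}}
    out = {"initial_ok": pin_matches(cluster, "node2", old_der)}

    # node2 replaces its API certificate (e.g. an ACME renewal): the pinned
    # fingerprint in cluster config is now stale and the API call is refused.
    out["after_renewal"] = pin_matches(cluster, "node2", new_der)

    # Master fetches the fingerprint over ssh and rewrites cluster.conf; other
    # nodes pick it up when they rsync the config at the start of their next sync.
    new_pem = ssl.DER_cert_to_PEM_cert(new_der)
    out["stored"] = update_fingerprint(cluster, "node2", _remote_openssl_x509(new_pem))
    out["after_update"] = pin_matches(cluster, "node2", new_der)
    return out


if __name__ == "__main__":
    print(renewal_scenario())
```

Two practical points the flow depends on: the refresh has to run on the master (the cover letter's "proxied to master"), because only the master's copy of the config is what the other nodes rsync at the start of their next synchronization, so a node that renews its certificate stays unreachable via API until that rsync has happened; and the parser accepts both OpenSSL spellings of the digest name and normalizes case before comparing, since a pin check that does a raw string compare against whatever the local openssl printed breaks on a version mismatch between nodes.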