Date: Tue, 24 Oct 2023 10:32:09 +0200
From: Fabian Grünbichler
To: Proxmox VE development discussion
References: <20231023131808.172494-1-f.gleumes@proxmox.com>
In-Reply-To: <20231023131808.172494-1-f.gleumes@proxmox.com>
Message-Id: <1698136010.p0w6p0jvfp.astroid@yuna.none>
Subject: Re: [pve-devel] [PATCH acme/manager 0/5] fix #4497: add external account binding support

On October 23, 2023 3:18 pm, Folke Gleumes wrote:
> This patch series adds functionality to use acme directories
> that require the use of external account binding, as specified
> in rfc 8555 section 7.3.4.
>
> To avoid code duplication and redundant calls to the CA,
> the `/cluster/acme/tos` endpoint has been deprecated and
> its function will be covered by the new `/cluster/acme/meta`
> endpoint, which exposes all meta information provided by the CA,
> including the flag indicating that EAB needs to be used.
> The underlying call to the CA remains the same.
>
> The CLI interface will only ask for the EAB credentials if needed,
> similar to how it works for the ToS.
>
> The patches have been tested to work with and without EAB
> by using pebble [0] as the CA.
>
> [0] https://github.com/letsencrypt/pebble

this already looks quite good, some comments on the individual patches,
mainly about the interface change in proxmox-acme and the meta endpoint.
there might be some additional follow-up work needed once a subsequent
version has been applied - in my experience pebble and production CAs
often don't handle all corner cases identically (even pebble and boulder,
where the divergence is often intentional to force client devs to
implement those corner cases right ;)), or commercial CAs requiring some
special attention.
>
> acme: Folke Gleumes (1):
>   fix #4497: add support for external account bindings
>
>   src/PVE/ACME.pm | 43 +++++++++++++++++++++++++++++++++++--------
>   1 file changed, 35 insertions(+), 8 deletions(-)
>
> manager: Folke Gleumes (4):
>   fix #4497: acme: add support for external account bindings
>   fix #4497: api/acme: deprecate tos endpoint in favor of meta
>   fix #4497: cli/acme: detect eab and ask for credentials
>   fix #4497: ui/acme: switch to new meta endpoint

nit: we usually only add the fixes tag to the patch/commit that makes the
fix user-visible. not always clear cut, and having more than one can be
okay. in this case, the tos/meta patches are only indirectly related to
the fix, and not needed to use EAB, so they likely can drop the prefix.

>
>   PVE/API2/ACMEAccount.pm   | 73 +++++++++++++++++++++++++++++++++++++--
>   PVE/CLI/pvenode.pm        | 16 +++++++--
>   www/manager6/node/ACME.js | 12 ++++---
>   3 files changed, 93 insertions(+), 8 deletions(-)
>
> --
> 2.39.2
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
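The two protocol pieces the cover letter refers to, reading `externalAccountRequired` out of the directory's `meta` object (which is what the new `/cluster/acme/meta` endpoint is meant to surface) and building the `externalAccountBinding` JWS from RFC 8555 section 7.3.4, as an added stand-alone example. This is Python written for this page, not code from the patch series or from proxmox-acme (which is Perl); the directory document, account JWK, `kid` and HMAC key below are constructed placeholders, and the CA-side check is included so the binding rules are visible from both ends.

```python
"""Added example: RFC 8555 section 7.3.4 external account binding (EAB).

Stdlib only. The directory document, kid and HMAC key are constructed for
this example; a real CA hands kid and key to the account owner out of band.
"""
import base64
import hashlib
import hmac
import json

# Constructed ACME directory (RFC 8555 section 7.1.1). The "meta" object is
# what a client reads before registering: ToS URL and the EAB flag.
DIRECTORY = {
    "newNonce": "https://acme.example/new-nonce",
    "newAccount": "https://acme.example/new-account",
    "newOrder": "https://acme.example/new-order",
    "meta": {
        "termsOfService": "https://acme.example/tos.pdf",
        "externalAccountRequired": True,
    },
}

# Constructed account public key in JWK form (not a real key).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}

# Constructed EAB credentials; the key is base64url without padding, as CAs issue it.
EAB_KID = "example-kid-0001"
EAB_HMAC_KEY_B64 = "c29tZS1jb25zdHJ1Y3RlZC1obWFjLWtleS1ieXRlcw"

# EAB must use a MAC-based JWS algorithm; these are the ones RFC 7518 defines.
_HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def directory_meta(directory: dict) -> dict:
    """One call that yields what the ToS prompt and the EAB prompt both need;
    both fields are optional in RFC 8555, so absence means 'not required'."""
    meta = directory.get("meta", {})
    return {
        "termsOfService": meta.get("termsOfService"),
        "externalAccountRequired": bool(meta.get("externalAccountRequired", False)),
    }


def build_eab_jws(account_jwk, kid, hmac_key_b64, new_account_url, alg="HS256"):
    """Inner JWS: protected header {alg, kid, url} (no nonce, no jwk), payload is
    the account public key as a JWK, signature is an HMAC with the CA's key."""
    protected = {"alg": alg, "kid": kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(b64url_decode(hmac_key_b64), signing_input, _HASHES[alg]).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(sig)}


def verify_eab_jws(eab, hmac_key_b64, expected_kid, expected_url, account_jwk):
    """CA-side checks from section 7.3.4: MAC algorithm, kid and url match the
    request, payload equals the outer JWS key, MAC verifies (constant time)."""
    protected = json.loads(b64url_decode(eab["protected"]))
    if protected.get("alg") not in _HASHES:
        return False
    if protected.get("kid") != expected_kid or protected.get("url") != expected_url:
        return False
    if json.loads(b64url_decode(eab["payload"])) != account_jwk:
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64), signing_input,
                        _HASHES[protected["alg"]]).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


def new_account_payload(directory, account_jwk, kid=None, hmac_key_b64=None):
    """newAccount payload; EAB is attached only when the directory requires it,
    mirroring a CLI that asks for credentials only if the flag is set."""
    payload = {"termsOfServiceAgreed": True, "contact": ["mailto:admin@example.invalid"]}
    if directory_meta(directory)["externalAccountRequired"]:
        if kid is None or hmac_key_b64 is None:
            raise ValueError("CA requires external account binding: kid and HMAC key needed")
        payload["externalAccountBinding"] = build_eab_jws(
            account_jwk, kid, hmac_key_b64, directory["newAccount"])
    return payload


if __name__ == "__main__":
    print(json.dumps(new_account_payload(DIRECTORY, ACCOUNT_JWK, EAB_KID, EAB_HMAC_KEY_B64), indent=2))
```

Two details trip up clients in practice and are what the verifier enforces here: the inner EAB JWS carries no `nonce` (only the outer account JWS does) and its `url` must be the newAccount URL, and the payload has to be byte-for-byte the same JWK that appears in the outer JWS header, so the CA can tie the out-of-band key identifier to exactly that account key.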