From: Folke Gleumes
To: pve-devel@lists.proxmox.com
Date: Tue, 31 Oct 2023 10:05:09 +0100
Message-Id: <20231031090514.23629-1-f.gleumes@proxmox.com>
X-Mailer: git-send-email 2.39.2
Subject: [pve-devel] [PATCH acme v3 0/5] fix #4497: add support for external account bindings

Changes since v2:
* reverted the new_account abi to be non-breaking

Changes since v1:
* fixed nits
* expanded meta endpoint by all return values defined in the rfc
* expanded new_account signature by field for eab credentials
* allow for eab even if not required

This patch series adds functionality to use acme directories that require the use of external account binding, as specified in RFC 8555 section 7.3.4.

To avoid code duplication and redundant calls to the CA, the `/cluster/acme/tos` endpoint has been deprecated and its function will be covered by the new `/cluster/acme/meta` endpoint, which exposes all meta information provided by the CA, including the flag indicating that EAB needs to be used. The underlying call to the CA remains the same.

The CLI interface will only ask for the EAB credentials if needed, similar to how it works for the ToS.

The patches have been tested to work with and without EAB by using pebble [0] as the CA.

[0] https://github.com/letsencrypt/pebble

acme: Folke Gleumes (1):
  fix #4497: add support for external account bindings

 src/PVE/ACME.pm | 48 ++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 42 insertions(+), 6 deletions(-)

manager: Folke Gleumes (4):
  fix #4497: acme: add support for external account bindings
  api/acme: deprecate tos endpoint in favor of meta
  fix #4497: cli/acme: detect eab and ask for credentials
  ui/acme: switch to new meta endpoint

 PVE/API2/ACMEAccount.pm   | 83 ++++++++++++++++++++++++++++++++++++++-
 PVE/CLI/pvenode.pm        | 26 +++++++++++-
 www/manager6/node/ACME.js | 12 ++++-
 3 files changed, 113 insertions(+), 8 deletions(-)

-- 
2.39.2
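The account-registration flow the cover letter describes (read the CA's directory `meta` for the EAB-required flag, demand credentials only when the CA requires them but accept them whenever given, and build the externalAccountBinding JWS of RFC 8555 section 7.3.4) as an added Python example. This is not code from the series or from PVE::ACME, which is Perl; the CA URLs, the account JWK coordinates and the HMAC key below are constructed placeholders, not a real CA or key. A CA-side `verify_eab` is included so the MAC, URL and bound-key checks can be exercised offline.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def eab_required(directory: dict) -> bool:
    """RFC 8555 7.1.1: meta.externalAccountRequired tells the client whether
    newAccount must carry an externalAccountBinding (absent means false)."""
    return bool(directory.get("meta", {}).get("externalAccountRequired", False))


def build_eab(account_jwk: dict, eab_kid: str, eab_hmac_key: str, new_account_url: str) -> dict:
    """RFC 8555 7.3.4: a JWS whose payload is the account public key (JWK),
    MACed with the CA-issued key. No nonce; 'kid' is the CA-issued key id and
    'url' must equal the outer newAccount request URL."""
    protected_b64 = b64url(_compact_json({"alg": "HS256", "kid": eab_kid, "url": new_account_url}))
    payload_b64 = b64url(_compact_json(account_jwk))
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(eab_hmac_key), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def eab_protected_header(eab: dict) -> dict:
    return json.loads(b64url_decode(eab["protected"]))


def verify_eab(eab: dict, eab_hmac_key: str, account_jwk: dict, new_account_url: str) -> bool:
    """CA-side check: constant-time MAC comparison, then confirm that the
    header binds the expected URL and that the bound key is the account key
    of the surrounding newAccount request."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(eab_hmac_key), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    protected = eab_protected_header(eab)
    if protected.get("alg") != "HS256" or protected.get("url") != new_account_url:
        return False
    return json.loads(b64url_decode(eab["payload"])) == account_jwk


def new_account_payload(directory: dict, account_jwk: dict, contact, eab_kid=None, eab_hmac_key=None) -> dict:
    """Client-side behaviour matching the cover letter: refuse when the CA
    requires EAB and no credentials were given, but attach EAB whenever
    credentials are supplied, even if the CA does not require it."""
    payload = {"termsOfServiceAgreed": True, "contact": list(contact)}
    have_creds = bool(eab_kid and eab_hmac_key)
    if eab_required(directory) and not have_creds:
        raise ValueError("CA requires external account binding; EAB key id and HMAC key needed")
    if have_creds:
        payload["externalAccountBinding"] = build_eab(account_jwk, eab_kid, eab_hmac_key, directory["newAccount"])
    return payload


# Constructed sample data (hypothetical CA; the JWK coordinates are not a real curve point)
SAMPLE_DIRECTORY = {
    "newNonce": "https://ca.example/acme/new-nonce",
    "newAccount": "https://ca.example/acme/new-account",
    "meta": {"termsOfService": "https://ca.example/tos", "externalAccountRequired": True},
}
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                      "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
SAMPLE_EAB_KID = "eab-kid-example"
SAMPLE_EAB_HMAC_KEY = b64url(b"\x11" * 32)


if __name__ == "__main__":
    req = new_account_payload(SAMPLE_DIRECTORY, SAMPLE_ACCOUNT_JWK, ["mailto:admin@example.org"],
                              SAMPLE_EAB_KID, SAMPLE_EAB_HMAC_KEY)
    print(json.dumps(req, indent=2))
    print("verifies:", verify_eab(req["externalAccountBinding"], SAMPLE_EAB_HMAC_KEY,
                                  SAMPLE_ACCOUNT_JWK, SAMPLE_DIRECTORY["newAccount"]))
```

The `url` in the EAB's protected header deliberately repeats the outer request URL: a binding signed for one endpoint must not be replayable against another, and the verifier rejects a header whose URL differs from the request it arrived in.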