This patch series is a rough first draft implementing the following features:

- Certificate utility module (pve-common)
- ACME v9 / Let's Encrypt v2 API client library (pve-common)
- PVE specific Certificate helper utility (pve-manager)
- new per-node configuration file in /etc/pve/nodes/FOO/config and API for managing it (pve-manager)
- API for managing ACME accounts (pve-manager)
- API for managing custom and ACME certificates (pve-manager)

ACME account related API endpoints:

  GET    /cluster/acme/tos
         retrieves TermsOfService from an ACME directory endpoint
  POST   /cluster/acme/account
         register new ACME account (and save in /etc/pve/priv/acme/ under a name)
  PUT    /cluster/acme/account/{name}
         update ACME account with new data
  GET    /cluster/acme/account/{name}
         refresh ACME account information
  DELETE /cluster/acme/account/{name}
         deactivate ACME account

Node config related API endpoints:

  GET    /nodes/{node}/config
         get node configuration
  PUT    /nodes/{node}/config
         update node configuration

Certificate related API endpoints:

  GET    /nodes/{node}/certificates/info
         retrieve information about self-signed and custom/ACME certificates
  POST   /nodes/{node}/certificates/custom
         upload custom certificate (chain) and key
  DELETE /nodes/{node}/certificates/custom
         delete custom certificate files and revert to self-signed certificates
  POST   /nodes/{node}/certificates/acme/certificate
         order new certificate from ACME CA (according to node configuration)
  PUT    /nodes/{node}/certificates/acme/certificate
         renew existing ACME certificate (according to node configuration)
  DELETE /nodes/{node}/certificates/acme/certificate
         revoke existing ACME certificate (according to node configuration)

The /nodes/{node}/certificates/acme/certificate endpoint is intentionally not just /nodes/{node}/certificates/acme, to reserve some namespace for future expansion.

TODOs / rough edges in the current RFC state:

- CLI for node configuration and certificate handling ('pvenode' with subcommands?)
- replace CSR generation via openssl binary with Net::SSLeay and move to Certificate.pm (no more temp files needed)
- timer/service for periodic checks and auto-renewal
- ACME challenge plugin infrastructure (registry, loading, matching with challenges)
- GUI
- documentation
- StandAlone challenge 'plugin' uses Simple::HTTP::Server::CGI
- ...

Future improvements:

- make key type configurable
- make challenge plugin configurable
- support wildcard certificates (need DNS challenge with Let's Encrypt)
- manage self-signed certificates with same helpers?
- deprecate pvecm updatecerts in favour of new code in pve-manager?
- ...

Diffstats:

pve-cluster:

Fabian Grünbichler (1):
  cluster: add cfs_lock_acme

 data/PVE/Cluster.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

pve-common:

Fabian Grünbichler (4):
  acme: add ACME library
  acme: add challenge plugins
  build: install ACME files
  add Certificate helper

 src/Makefile               |   5 +
 src/PVE/ACME.pm            | 619 +++++++++++++++++++++++++++++++++++++++++++++
 src/PVE/ACME/Challenge.pm  |  22 ++
 src/PVE/ACME/StandAlone.pm |  74 ++++++
 src/PVE/Certificate.pm     | 120 +++++++++
 5 files changed, 840 insertions(+)
 create mode 100644 src/PVE/ACME.pm
 create mode 100644 src/PVE/ACME/Challenge.pm
 create mode 100644 src/PVE/ACME/StandAlone.pm
 create mode 100644 src/PVE/Certificate.pm

pve-manager:

Fabian Grünbichler (5):
  add CertHelpers utility
  add node configuration file and API
  add ACME account API endpoints
  add ACME certificate API endpoints
  add certificates API endpoints

 PVE/API2/Makefile        |   4 +
 PVE/Makefile             |   2 +
 PVE/API2/ACME.pm         | 319 +++++++++++++++++++++++++++++++++++++++++++++++
 PVE/API2/ACMEAccount.pm  | 278 +++++++++++++++++++++++++++++++++++++++++
 PVE/API2/Certificates.pm | 202 ++++++++++++++++++++++++++++++
 PVE/API2/Cluster.pm      |   7 ++
 PVE/API2/NodeConfig.pm   |  99 +++++++++++++++
 PVE/API2/Nodes.pm        |  15 +++
 PVE/CertHelpers.pm       | 104 +++++++++++++++
 PVE/NodeConfig.pm        | 205 ++++++++++++++++++++++++++++++
 10 files changed, 1235 insertions(+)
 create mode 100644 PVE/API2/ACME.pm
 create mode 100644 PVE/API2/ACMEAccount.pm
 create mode 100644 PVE/API2/Certificates.pm
 create mode 100644 PVE/API2/NodeConfig.pm
 create mode 100644 PVE/CertHelpers.pm
 create mode 100644 PVE/NodeConfig.pm

-- 
2.14.2

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel