On 4/16/20 7:18 AM, Wolfgang Link wrote:
> From: Wolfgang Link <w.l...@proxmox.com>
> Subject: RFC for ACME DNS Challenge V3
>
> The acme_sh project is used as a DNS API plugin system.
> So we can reuse the already defined plugins.
> It is used as subplugins.
>
> The acme.sh script is replaced by proxmox-acme,
> which contains the functions required to operate the DNSAPI plug-ins.
>
> The login information is saved in the file plugin.cfg.
> The values are encoded in base64 and transferred directly to proxmox-acme.
> There they are decoded again.
>
> The DNSAPI plugin credentials are not standardized, so each plugin expects
> different parameters.
>
> These patches are only tested against the OVH API because of missing
> alternative possibilities.
>
> The V3 is mainly based on V2, but has the improvements of Fabian's feedback.
> For more information see below.
>
> Build conflicts arise due to the code movements.
> The prerequisite for this series is the installation of Curl.
> For this series you have to create the deb packages pve-common, pve-cluster
> and proxmox-acme.
> Then apply these packages and you can now build and install the pve-manager
> package.
>
> The GUI works at the moment only with the standalone plugin (HTTP challenge).
>
> For the alias mode a CNAME record is needed:
> _acme-challenge.<host>.<domain>.<TLD> CNAME _acme-challenge.<Alias Target>
>
> Steps to test:
>
> 1.) pvenode acme account register default <mail@example.invalid>
> 2.) pvenode acme plugin add <dns|standalone> <plugin_id> --data <login information>
> 3.) pvenode config set --acme domain=<Domain>,plugin=<plugin_id>[,alias=<alias_domain>]
> 4.) pvenode acme cert order
>
applied series from Fabian's tree with followups and have thrown a few on top of that, among others:

* stricter checking on write, else one could write the same domain multiple times but get node config complained (died) then.
* check if plugin is defined when setting it for a domain
* adding validation-delay for DNS plugins, so that the request for validation can be delayed, e.g., to ensure initial DNS propagation (commit message for details)
* reduction of delays between validation request and checking said request
* reduction of per-node domains to a maximum of 5, increasing is way easier than decreasing after all :)
* creating of observed files base directory in pve-cluster, as else adding a plugin failed if the /etc/pve/priv/acme directory didn't already exist
* fixing various leftover cruft from copying the whole plugin handling over from pve-storage's content API
* various smaller and mid-size cleanups here and there

Those are the obvious ones coming to my mind, the ones from Fabian are separate, but I cannot bother to search and list them out for now.

A plugin CRUD GUI should be pretty easy to do, maybe an hour task for Dominik on Monday ;-)
The rest would be then pretty straight forward to integrate.

A big thanks to Fabian for keeping up initially when I was a bit^W^W totally out of time, and smoothing some rough edges.

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
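The RFC above requires, for alias mode, that `_acme-challenge.<host>.<domain>.<TLD>` is a CNAME pointing at `_acme-challenge.<Alias Target>`, and it states that plugin login data is base64-encoded before being handed to proxmox-acme. The following is an added example, not code from the thread or from proxmox-acme/pve-manager: it computes the challenge names, walks a constructed in-memory CNAME table (standing in for a real resolver) to confirm the alias delegation is in place before a certificate order is attempted, and shows a base64 round-trip of `key=value` plugin data. The `key=value` line layout, the record table and the hostnames are assumptions made for the example.

```python
import base64

def challenge_name(fqdn: str) -> str:
    """Return the absolute _acme-challenge owner name the DNS-01 validator queries."""
    return "_acme-challenge." + fqdn.strip(".").lower() + "."

def verify_alias_cname(domain: str, alias: str, cname_records: dict):
    """Follow CNAMEs from _acme-challenge.<domain> and check they end at
    _acme-challenge.<alias>. Returns (ok, chain). cname_records maps an
    absolute owner name to its CNAME target (constructed stand-in for DNS)."""
    target = challenge_name(alias)
    name = challenge_name(domain)
    chain = [name]
    seen = set()
    while name in cname_records:
        if name in seen:          # CNAME loop: never terminates at the alias
            return False, chain
        seen.add(name)
        name = cname_records[name].strip().lower()
        if not name.endswith("."):
            name += "."
        chain.append(name)
    return name == target, chain

def encode_plugin_data(params: dict) -> str:
    """Base64-encode plugin credentials as key=value lines (assumed layout)."""
    raw = "".join(f"{k}={v}\n" for k, v in params.items())
    return base64.b64encode(raw.encode()).decode()

def decode_plugin_data(blob: str) -> dict:
    """Inverse of encode_plugin_data; ignores blank lines."""
    out = {}
    for line in base64.b64decode(blob).decode().splitlines():
        if line.strip():
            k, _, v = line.partition("=")
            out[k] = v
    return out

# Constructed zone data: pve1 delegates its challenge to acme-alias, pve2 does not.
RECORDS = {
    "_acme-challenge.pve1.example.test.": "_acme-challenge.acme-alias.example.test.",
    "_acme-challenge.loop.example.test.": "_acme-challenge.loop.example.test.",
}

if __name__ == "__main__":
    for host in ("pve1.example.test", "pve2.example.test", "loop.example.test"):
        ok, chain = verify_alias_cname(host, "acme-alias.example.test", RECORDS)
        print(host, "alias OK" if ok else "alias MISSING", " -> ".join(chain))
    blob = encode_plugin_data({"EXAMPLE_KEY": "placeholder"})  # constructed value
    print(blob, decode_plugin_data(blob))
```

In a real deployment the table lookup would be replaced by a resolver query against a public nameserver, so the check reflects what the ACME server will see rather than the local zone file; running it before `pvenode acme cert order` catches a missing or looping CNAME without burning a validation attempt.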