this patch series is implementing the following features:
- certificate utility module (pve-common)
- ACME v9 / Let's Encrypt v2 API client library (pve-common)
- PVE specific Certificate helper utility (pve-manager)
- new per-node configuration file in /etc/pve/nodes/FOO/config and API for managing (pve-manager)
- API for managing ACME accounts (pve-manager)
- API for managing custom and ACME certificate (pve-manager)

high-level changes since v1/RFC:
- pve-common: patches are re-ordered (Certificate helper before ACME)
- pve-common: CSR generation now via Net::SSLeay
- pve-manager: more API annotation / formats / registered options
- more error handling
- more helper methods
- pve-manager/acme: new expiry check for renewal (30 days)
- pve-manager/acme: new 'force' parameter to skip expiry check for renewal
- pve-manager/acme-account: get now returns local info, empty put refreshes from CA
- pve-manager/acme-account: new directories endpoint to return known directories
- API return values have changed for some endpoints

thanks for the feedback Dominik and Wolfgang!

TODOs as follow-ups (in order of importance ;)):
- move de-activated account files to allow re-use of account/file name
- CLI including service/timer for renewal
- GUI
- documentation
- refactor config file handling together with LXC and Qemu Configs

potential improvements:
- make key type configurable
- ACME challenge plugin infrastructure
- support wildcard certificates (need DNS challenge with Let's Encrypt)
- manage self-signed certificates with same helpers?
- deprecate pvecm updatecerts in favour of new code in pve-manager?

pve-common diff-stat:

Fabian Grünbichler (4):
  add Certificate helper
  acme: add ACME library
  acme: add challenge plugins
  build: install ACME files

 src/Makefile               |   5 +
 src/PVE/ACME.pm            | 531 +++++++++++++++++++++++++++++++++++++++++++++
 src/PVE/ACME/Challenge.pm  |  22 ++
 src/PVE/ACME/StandAlone.pm |  74 +++++++
 src/PVE/Certificate.pm     | 396 +++++++++++++++++++++++++++++++++
 5 files changed, 1028 insertions(+)
 create mode 100644 src/PVE/ACME.pm
 create mode 100644 src/PVE/ACME/Challenge.pm
 create mode 100644 src/PVE/ACME/StandAlone.pm
 create mode 100644 src/PVE/Certificate.pm

pve-cluster diff-stat:

Fabian Grünbichler (1):
  cluster: add cfs_lock_acme

 data/PVE/Cluster.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

pve-manager diff-stat:

Fabian Grünbichler (5):
  add CertHelpers utility
  add node configuration file and API
  add ACME account API endpoints
  add ACME certificate API endpoints
  add certificates API endpoints

 PVE/API2/Makefile        |   4 +
 PVE/Makefile             |   2 +
 PVE/API2/ACME.pm         | 325 ++++++++++++++++++++++++++++++++++++++++++++
 PVE/API2/ACMEAccount.pm  | 347 +++++++++++++++++++++++++++++++++++++++++++++++
 PVE/API2/Certificates.pm | 205 ++++++++++++++++++++++++++++
 PVE/API2/Cluster.pm      |   7 +
 PVE/API2/NodeConfig.pm   | 101 ++++++++++++++
 PVE/API2/Nodes.pm        |  15 ++
 PVE/CertHelpers.pm       | 107 +++++++++++++++
 PVE/NodeConfig.pm        | 205 ++++++++++++++++++++++++++++
 10 files changed, 1318 insertions(+)
 create mode 100644 PVE/API2/ACME.pm
 create mode 100644 PVE/API2/ACMEAccount.pm
 create mode 100644 PVE/API2/Certificates.pm
 create mode 100644 PVE/API2/NodeConfig.pm
 create mode 100644 PVE/CertHelpers.pm
 create mode 100644 PVE/NodeConfig.pm