[pbs-devel] [PATCH proxmox-backup v3] fix #3867: server/api: send emails on certificate renewal failure
Stefan Sterz
s.sterz at proxmox.com
Tue Jun 14 10:09:45 CEST 2022
the superuser's email will be used to notify them that certificate
renewal has failed.
Signed-off-by: Stefan Sterz <s.sterz at proxmox.com>
---
changes v1 -> v2:
- remove renewal notifications from `node.cfg`
changes v2 -> v3:
- rebase
- remove notify parameter from `send_certificate_renewal_mail()`
completely
src/api2/node/certificates.rs | 20 ++++++++++----
src/server/email_notifications.rs | 44 +++++++++++++++++++++++++++++++
2 files changed, 59 insertions(+), 5 deletions(-)
diff --git a/src/api2/node/certificates.rs b/src/api2/node/certificates.rs
index e303973a..1b9a8850 100644
--- a/src/api2/node/certificates.rs
+++ b/src/api2/node/certificates.rs
@@ -20,6 +20,7 @@ use pbs_tools::cert;
use crate::acme::AcmeClient;
use crate::api2::types::AcmeDomain;
use crate::config::node::NodeConfig;
+use crate::server::send_certificate_renewal_mail;
use proxmox_rest_server::WorkerTask;
pub const ROUTER: Router = Router::new()
@@ -544,11 +545,20 @@ fn spawn_certificate_worker(
let auth_id = rpcenv.get_auth_id().unwrap();
WorkerTask::spawn(name, None, auth_id, true, move |worker| async move {
- if let Some(cert) = order_certificate(worker, &node_config).await? {
- crate::config::set_proxy_certificate(&cert.certificate, &cert.private_key_pem)?;
- crate::server::reload_proxy_certificate().await?;
- }
- Ok(())
+ let work = || async {
+ if let Some(cert) = order_certificate(worker, &node_config).await? {
+ crate::config::set_proxy_certificate(&cert.certificate, &cert.private_key_pem)?;
+ crate::server::reload_proxy_certificate().await?;
+ }
+
+ Ok(())
+ };
+
+ let res = work().await;
+
+ send_certificate_renewal_mail(&res)?;
+
+ res
})
}
diff --git a/src/server/email_notifications.rs b/src/server/email_notifications.rs
index 4534cd38..38d4fb47 100644
--- a/src/server/email_notifications.rs
+++ b/src/server/email_notifications.rs
@@ -183,6 +183,18 @@ Please visit the web interface for further details:
"###;
+const ACME_CERTIFICATE_ERR_RENEWAL: &str = r###"
+
+Proxmox Backup Server was not able to renew a TLS certificate.
+
+Error: {{error}}
+
+Please visit the web interface for further details:
+
+<https://{{fqdn}}:{{port}}/#pbsCertificateConfiguration>
+
+"###;
+
lazy_static::lazy_static! {
static ref HANDLEBARS: Handlebars<'static> = {
@@ -209,6 +221,8 @@ lazy_static::lazy_static! {
hb.register_template_string("package_update_template", PACKAGE_UPDATES_TEMPLATE)?;
+ hb.register_template_string("certificate_renewal_err_template", ACME_CERTIFICATE_ERR_RENEWAL)?;
+
Ok(())
});
@@ -507,6 +521,34 @@ pub fn send_updates_available(updates: &[&APTUpdateInfo]) -> Result<(), Error> {
Ok(())
}
+/// send email on certificate renewal failure.
+/// `notify` currently only accepts `Notify::Error`.
+pub fn send_certificate_renewal_mail(result: &Result<(), Error>) -> Result<(), Error> {
+ let error: String = match result {
+ Err(e) => e.to_string().into(),
+ _ => return Ok(()),
+ };
+
+ if let Some(email) = lookup_user_email(Userid::root_userid()) {
+ let (fqdn, port) = get_server_url();
+
+ let text = HANDLEBARS.render(
+ "certificate_renewal_err_template",
+ &json!({
+ "fqdn": fqdn,
+ "port": port,
+ "error": error,
+ }),
+ )?;
+
+ let subject = "Could not renew certificate";
+
+ send_job_status_mail(&email, subject, &text)?;
+ }
+
+ Ok(())
+}
+
/// Lookup users email address
pub fn lookup_user_email(userid: &Userid) -> Option<String> {
if let Ok(user_config) = pbs_config::user::cached_config() {
@@ -618,4 +660,6 @@ fn test_template_register() {
assert!(HANDLEBARS.has_template("tape_backup_err_template"));
assert!(HANDLEBARS.has_template("package_update_template"));
+
+ assert!(HANDLEBARS.has_template("certificate_renewal_err_template"));
}
--
2.30.2
More information about the pbs-devel
mailing list