[pdm-devel] [PATCH datacenter-manager v3 05/23] server: pve api: extend 'scan' so it tls-probes the nodes

Dominik Csapak d.csapak at proxmox.com
Thu Aug 21 10:39:26 CEST 2025 

When getting the node information, also probe the individual nodes
(currently with the hostname only) so we can omit the fingerprint
if the certificate is trusted already.

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 lib/pdm-api-types/src/lib.rs |  2 ++
 server/src/api/pve/mod.rs    | 32 ++++++++++++++++++++------------
 2 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/lib/pdm-api-types/src/lib.rs b/lib/pdm-api-types/src/lib.rs
index 3844907..31420a9 100644
--- a/lib/pdm-api-types/src/lib.rs
+++ b/lib/pdm-api-types/src/lib.rs
@@ -79,6 +79,8 @@ pub use proxmox_dns_api::THIRD_DNS_SERVER_SCHEMA;
 pub use proxmox_config_digest::ConfigDigest;
 pub use proxmox_config_digest::PROXMOX_CONFIG_DIGEST_SCHEMA;
 
+pub use proxmox_acme_api::CertificateInfo;
+
 #[macro_use]
 mod user;
 pub use user::*;
diff --git a/server/src/api/pve/mod.rs b/server/src/api/pve/mod.rs
index c03d352..a881aaa 100644
--- a/server/src/api/pve/mod.rs
+++ b/server/src/api/pve/mod.rs
@@ -359,6 +359,9 @@ async fn probe_tls(
     },
 )]
 /// Scans the given connection info for pve cluster information
+///
+/// For each node that is returned, the TLS connection is probed, to check if using
+/// a fingerprint is necessary.
 pub async fn scan_remote_pve(
     hostname: String,
     fingerprint: Option<String>,
@@ -381,18 +384,23 @@ pub async fn scan_remote_pve(
         .await
         .map_err(|err| format_err!("could not login: {err}"))?;
 
-    let nodes: Vec<_> = client
-        .list_nodes()
-        .await?
-        .into_iter()
-        .map(|node| {
-            let url = NodeUrl {
-                hostname: node.node,
-                fingerprint: node.ssl_fingerprint,
-            };
-            PropertyString::new(url)
-        })
-        .collect();
+    let mut nodes = Vec::new();
+
+    for node in client.list_nodes().await? {
+        // probe without fingerprint to see if the certificate is trusted
+        // TODO: how can we get the fqdn here?, otherwise it'll fail in most scenarios...
+        let fingerprint = match probe_tls_connection(RemoteType::Pve, node.node.clone(), None).await
+        {
+            Ok(TlsProbeOutcome::UntrustedCertificate(cert)) => cert.fingerprint,
+            Ok(TlsProbeOutcome::TrustedCertificate) => None,
+            Err(_) => node.ssl_fingerprint,
+        };
+
+        nodes.push(PropertyString::new(NodeUrl {
+            hostname: node.node,
+            fingerprint,
+        }));
+    }
 
     if nodes.is_empty() {
         bail!("no node list returned");
-- 
2.47.2

More information about the pdm-devel mailing list