[pmg-devel] [PATCH api 6/8] add certificates api endpoint

Dominik Csapak d.csapak at proxmox.com
Thu Mar 11 12:06:23 CET 2021



On 3/9/21 3:13 PM, Wolfgang Bumiller wrote:
> This adds /nodes/{nodename}/certificates endpoint
> containing:
> 
>    /custom/{type} - update smtp or api certificates manually
>    /acme/{type} - update via acme
> 
> Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
> ---
>   src/Makefile                 |   1 +
>   src/PMG/API2/Certificates.pm | 690 +++++++++++++++++++++++++++++++++++
>   src/PMG/API2/Nodes.pm        |   7 +
>   3 files changed, 698 insertions(+)
>   create mode 100644 src/PMG/API2/Certificates.pm
> 
> diff --git a/src/Makefile b/src/Makefile
> index ebc6bd8..e0629b2 100644
> --- a/src/Makefile
> +++ b/src/Makefile
> @@ -155,6 +155,7 @@ LIBSOURCES =				\
>   	PMG/API2/When.pm		\
>   	PMG/API2/What.pm		\
>   	PMG/API2/Action.pm		\
> +	PMG/API2/Certificates.pm	\
>   	PMG/API2/ACME.pm		\
>   	PMG/API2/ACMEPlugin.pm		\
>   	PMG/API2.pm			\
> diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
> new file mode 100644
> index 0000000..d196af6
> --- /dev/null
> +++ b/src/PMG/API2/Certificates.pm
> @@ -0,0 +1,690 @@
> +package PMG::API2::Certificates;
> +
> +use strict;
> +use warnings;
> +
> +use PVE::Certificate;
> +use PVE::Exception qw(raise raise_param_exc);
> +use PVE::JSONSchema qw(get_standard_option);
> +use PVE::Tools qw(extract_param file_get_contents file_set_contents);
> +
> +use PMG::CertHelpers;
> +use PMG::NodeConfig;
> +use PMG::RS::CSR;
> +
> +use PMG::API2::ACMEPlugin;
> +
> +use base qw(PVE::RESTHandler);
> +
> +my $acme_account_dir = PMG::CertHelpers::acme_account_dir();
> +
> +sub first_typed_pem_entry : prototype($$) {
> +    my ($label, $data) = @_;
> +
> +    if ($data =~ /^(-----BEGIN (?<label>\Q$label\E)-----\n.*?\n-----END \g{label}-----)$/ms) {

nit: isn't
$data =~ /^(-----BEGIN \Q$label\E-----\n.*?\n-----END \Q$label\E-----)$/ms

shorter and does the same?


> +	chomp(my $content = $1);

nit: why chomp? the regex does not allow trailing/whitespace newlines in 
$1 ?

> +	return $content;
> +    }
> +    return undef;
> +}
> +
> +sub pem_private_key : prototype($) {
> +    my ($data) = @_;
> +    return first_typed_pem_entry('PRIVATE KEY', $data);
> +}
> +
> +sub pem_certificate : prototype($) {
> +    my ($data) = @_;
> +    return first_typed_pem_entry('CERTIFICATE', $data);
> +}
> +
> +my sub restart_after_cert_update : prototype($) {
> +    my ($type) = @_;
> +
> +    if ($type eq 'api') {
> +	print "Restarting pmgproxy\n";
> +	PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pmgproxy']);
> +    }
> +};
> +
> +my sub update_cert : prototype($$$$) {
> +    my ($type, $cert_path, $certificate, $force) = @_;
> +    my $code = sub {
> +	print "Setting custom certificate file $cert_path\n";
> +	PMG::CertHelpers::set_cert_file($certificate, $cert_path, $force);
> +
> +	restart_after_cert_update($type);
> +    };
> +    PMG::CertHelpers::cert_lock(10, $code);
> +};
> +
> +__PACKAGE__->register_method ({
> +    name => 'index',
> +    path => '',
> +    method => 'GET',
> +    permissions => { user => 'all' },
> +    description => "Node index.",
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    node => get_standard_option('pve-node'),
> +	},
> +    },
> +    returns => {
> +	type => 'array',
> +	items => {
> +	    type => "object",
> +	    properties => {},
> +	},
> +	links => [ { rel => 'child', href => "{name}" } ],
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	return [
> +	    { name => 'acme' },
> +	    { name => 'custom' },
> +	    { name => 'info' },
> +	    { name => 'config' },
> +	];
> +    },
> +});
> +
> +__PACKAGE__->register_method ({
> +    name => 'info',
> +    path => 'info',
> +    method => 'GET',
> +    permissions => { user => 'all' },
> +    proxyto => 'node',
> +    protected => 1,
> +    description => "Get information about the node's certificates.",
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    node => get_standard_option('pve-node'),
> +	},
> +    },
> +    returns => {
> +	type => 'array',
> +	items => get_standard_option('pve-certificate-info'),
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $res = [];
> +	for my $path (&PMG::CertHelpers::API_CERT, &PMG::CertHelpers::SMTP_CERT) {
> +	    eval {
> +		my $info = PVE::Certificate::get_certificate_info($path);
> +		push @$res, $info if $info;
> +	    };
> +	}
> +	return $res;
> +    },
> +});
> +
> +__PACKAGE__->register_method ({
> +    name => 'custom_cert_index',
> +    path => 'custom',
> +    method => 'GET',
> +    permissions => { user => 'all' },
> +    description => "Certificate index.",
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    node => get_standard_option('pve-node'),
> +	},
> +    },
> +    returns => {
> +	type => 'array',
> +	items => {
> +	    type => "object",
> +	    properties => {},
> +	},
> +	links => [ { rel => 'child', href => "{type}" } ],
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	return [
> +	    { type => 'api' },
> +	    { type => 'smtp' },
> +	];
> +    },
> +});
> +
> +__PACKAGE__->register_method ({
> +    name => 'upload_custom_cert',
> +    path => 'custom/{type}',
> +    method => 'POST',
> +    permissions => { check => [ 'admin' ] },
> +    description => 'Upload or update custom certificate chain and key.',
> +    protected => 1,
> +    proxyto => 'node',
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    node => get_standard_option('pve-node'),
> +	    certificates => {
> +		type => 'string',
> +		format => 'pem-certificate-chain',
> +		description => 'PEM encoded certificate (chain).',
> +	    },
> +	    key => {
> +		type => 'string',
> +		description => 'PEM encoded private key.',
> +		format => 'pem-string',
> +		optional => 0,
> +	    },
> +	    type => get_standard_option('pmg-certificate-type'),
> +	    force => {
> +		type => 'boolean',
> +		description => 'Overwrite existing custom or ACME certificate files.',
> +		optional => 1,
> +		default => 0,
> +	    },
> +	    restart => {
> +		type => 'boolean',
> +		description => 'Restart services.',
> +		optional => 1,
> +		default => 0,
> +	    },
> +	},
> +    },
> +    returns => get_standard_option('pve-certificate-info'),
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $type = extract_param($param, 'type'); # also used to know which service to restart
> +	my $cert_path = PMG::CertHelpers::cert_path($type);
> +
> +	my $certs = extract_param($param, 'certificates');
> +	$certs = PVE::Certificate::strip_leading_text($certs);
> +
> +	my $key = extract_param($param, 'key');
> +	if ($key) {
> +	    $key = PVE::Certificate::strip_leading_text($key);
> +	    $certs = "$key\n$certs";
> +	} else {
> +	    my $private_key = pem_private_key($certs);
> +	    if (!defined($private_key)) {
> +		my $old = file_get_contents($cert_path);
> +		$private_key = pem_private_key($old);
> +		if (!defined($private_key)) {
> +		    raise_param_exc({
> +			'key' => "Attempted to upload custom certificate without (existing) key."
> +		    })
> +		}
> +
> +		# copy the old certificate's key:
> +		$certs = "$key\n$certs";
> +	    }
> +	}
> +
> +	my $info;
> +
> +	my $code = sub {
> +	    print "Setting custom certificate file $cert_path\n";
> +	    $info = PMG::CertHelpers::set_cert_file($certs, $cert_path, $param->{force});
> +
> +	    if ($type eq 'api' && $param->{restart}) {
> +		print "Restarting pmgproxy\n";
> +		PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pmgproxy']);

you could reuse the 'restart_after_cert_update' here, no?

> +	    }
> +	};
> +
> +	PMG::CertHelpers::cert_lock(10, $code);
> +	die "$@\n" if $@;
> +
> +	if ($type eq 'smtp') {
> +	    $code = sub {
> +		my $cfg = PMG::Config->new();
> +
> +		print "Rewriting postfix config\n";
> +		$cfg->set('mail', 'tls', 1);
> +		$cfg->rewrite_config_postfix();
> +
> +		if ($param->{restart}) {
> +		    print "Reloading postfix\n";
> +		    PMG::Utils::service_cmd('postfix', 'reload');

also, why couldn't that be handled there too? then we could
combine the two restart/reload calls?

> +		}
> +	    };
> +	    PMG::Config::lock_config($code, "failed to reload postfix");
> +	}
> +
> +	return $info;
> +    }});
> +
> +__PACKAGE__->register_method ({
> +    name => 'remove_custom_cert',
> +    path => 'custom/{type}',
> +    method => 'DELETE',
> +    permissions => { check => [ 'admin' ] },
> +    description => 'DELETE custom certificate chain and key.',
> +    protected => 1,
> +    proxyto => 'node',
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    node => get_standard_option('pve-node'),
> +	    type => get_standard_option('pmg-certificate-type'),
> +	    restart => {
> +		type => 'boolean',
> +		description => 'Restart pmgproxy.',
> +		optional => 1,
> +		default => 0,
> +	    },
> +	},
> +    },
> +    returns => {
> +	type => 'null',
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $type = extract_param($param, 'type');
> +	my $cert_path = PMG::CertHelpers::cert_path($type);
> +
> +	my $code = sub {
> +	    print "Deleting custom certificate files\n";
> +	    unlink $cert_path;
> +
> +	    if ($param->{restart}) {
> +		restart_after_cert_update($type);
> +	    }
> +	};
> +
> +	PMG::CertHelpers::cert_lock(10, $code);
> +	die "$@\n" if $@;
> +
> +	return undef;

don't we need to update the postfix config and reload if the type is 
smtp? or at least error out?

> +    }});
> +
> +__PACKAGE__->register_method ({
> +    name => 'acme_cert_index',
> +    path => 'acme',
> +    method => 'GET',
> +    permissions => { user => 'all' },
> +    description => "ACME Certificate index.",
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    node => get_standard_option('pve-node'),
> +	},
> +    },
> +    returns => {
> +	type => 'array',
> +	items => {
> +	    type => "object",
> +	    properties => {},
> +	},
> +	links => [ { rel => 'child', href => "{type}" } ],
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	return [
> +	    { type => 'api' },
> +	    { type => 'smtp' },
> +	];
> +    },
> +});
> +
> +my $order_certificate = sub {
> +    my ($acme, $acme_node_config) = @_;
> +
> +    my $plugins = PMG::API2::ACMEPlugin::load_config();
> +
> +    print "Placing ACME order\n";
> +    my ($order_url, $order) = $acme->new_order([ keys %{$acme_node_config->{domains}} ]);
> +    print "Order URL: $order_url\n";
> +    for my $auth_url (@{$order->{authorizations}}) {
> +	print "\nGetting authorization details from '$auth_url'\n";
> +	my $auth = $acme->get_authorization($auth_url);
> +
> +	# force lower case, like get_acme_conf does
> +	my $domain = lc($auth->{identifier}->{value});
> +	if ($auth->{status} eq 'valid') {
> +	    print "$domain is already validated!\n";
> +	} else {
> +	    print "The validation for $domain is pending!\n";
> +
> +	    my $domain_config = $acme_node_config->{domains}->{$domain};
> +	    die "no config for domain '$domain'\n" if !$domain_config;
> +
> +	    my $plugin_id = $domain_config->{plugin};
> +
> +	    my $plugin_cfg = $plugins->{ids}->{$plugin_id};
> +	    die "plugin '$plugin_id' for domain '$domain' not found!\n"
> +		if !$plugin_cfg;
> +
> +	    my $data = {
> +		plugin => $plugin_cfg,
> +		alias => $domain_config->{alias},
> +	    };
> +
> +	    my $plugin = PVE::ACME::Challenge->lookup($plugin_cfg->{type});
> +	    $plugin->setup($acme, $auth, $data);
> +
> +	    print "Triggering validation\n";
> +	    eval {
> +		die "no validation URL returned by plugin '$plugin_id' for domain '$domain'\n"
> +		    if !defined($data->{url});
> +
> +		$acme->request_challenge_validation($data->{url});
> +		print "Sleeping for 5 seconds\n";
> +		sleep 5;
> +		while (1) {
> +		    $auth = $acme->get_authorization($auth_url);
> +		    if ($auth->{status} eq 'pending') {
> +			print "Status is still 'pending', trying again in 10 seconds\n";
> +			sleep 10;
> +			next;
> +		    } elsif ($auth->{status} eq 'valid') {
> +			print "Status is 'valid', domain '$domain' OK!\n";
> +			last;
> +		    }
> +		    die "validating challenge '$auth_url' failed - status: $auth->{status}\n";
> +		}
> +	    };
> +	    my $err = $@;
> +	    eval { $plugin->teardown($acme, $auth, $data) };
> +	    warn "$@\n" if $@;
> +	    die $err if $err;
> +	}
> +    }
> +    print "\nAll domains validated!\n";
> +    print "\nCreating CSR\n";
> +    # Currently we only support dns entries, so extract those from the order:
> +    my $san = [
> +	map {
> +	    $_->{value}
> +	} grep {
> +	    $_->{type} eq 'dns'
> +	} $order->{identifiers}->@*
> +    ];
> +    die "DNS identifiers are required to generate a CSR.\n" if !scalar @$san;
> +    my ($csr_der, $key) = PMG::RS::CSR::generate_csr($san, {});
> +
> +    my $finalize_error_cnt = 0;
> +    print "Checking order status\n";
> +    while (1) {
> +	$order = $acme->get_order($order_url);
> +	if ($order->{status} eq 'pending') {
> +	    print "still pending, trying to finalize order\n";
> +	    # FIXME
> +	    # to be compatible with and without the order ready state we try to
> +	    # finalize even at the 'pending' state and give up after 5
> +	    # unsuccessful tries this can be removed when the letsencrypt api
> +	    # definitely has implemented the 'ready' state
> +	    eval {
> +		$acme->finalize_order($order->{finalize}, $csr_der);
> +	    };
> +	    if (my $err = $@) {
> +		die $err if $finalize_error_cnt >= 5;
> +
> +		$finalize_error_cnt++;
> +		warn $err;
> +	    }
> +	    sleep 5;
> +	    next;
> +	} elsif ($order->{status} eq 'ready') {
> +	    print "Order is ready, finalizing order\n";
> +	    $acme->finalize_order($order->{finalize}, $csr_der);
> +	    sleep 5;
> +	    next;
> +	} elsif ($order->{status} eq 'processing') {
> +	    print "still processing, trying again in 30 seconds\n";
> +	    sleep 30;
> +	    next;
> +	} elsif ($order->{status} eq 'valid') {
> +	    print "valid!\n";
> +	    last;
> +	}
> +	die "order status: $order->{status}\n";
> +    }
> +
> +    print "\nDownloading certificate\n";
> +    my $cert = $acme->get_certificate($order->{certificate});
> +
> +    return ($cert, $key);
> +};
> +
> +# Filter domains and raise an error if the list becomes empty.
> +my $filter_domains = sub {
> +    my ($acme_config, $type) = @_;
> +
> +    my $domains = $acme_config->{domains};
> +    foreach my $domain (keys %$domains) {
> +	my $entry = $domains->{$domain};
> +	if (!(grep { $_ eq $type } PVE::Tools::split_list($entry->{usage}))) {
> +	    delete $domains->{$domain};
> +	}
> +    }
> +
> +    if (!%$domains) {
> +	raise("No domains configured for type '$type'\n", 400);
> +    }
> +};
> +
> +__PACKAGE__->register_method ({
> +    name => 'new_acme_cert',
> +    path => 'acme/{type}',
> +    method => 'POST',
> +    permissions => { check => [ 'admin' ] },
> +    description => 'Order a new certificate from ACME-compatible CA.',
> +    protected => 1,
> +    proxyto => 'node',
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    node => get_standard_option('pve-node'),
> +	    type => get_standard_option('pmg-certificate-type'),
> +	    force => {
> +		type => 'boolean',
> +		description => 'Overwrite existing custom certificate.',
> +		optional => 1,
> +		default => 0,
> +	    },
> +	},
> +    },
> +    returns => {
> +	type => 'string',
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $type = extract_param($param, 'type'); # also used to know which service to restart
> +	my $cert_path = PMG::CertHelpers::cert_path($type);
> +	raise_param_exc({'force' => "Custom certificate exists but 'force' is not set."})
> +	    if !$param->{force} && -e $cert_path;
> +
> +	my $node_config = PMG::NodeConfig::load_config();
> +	my $acme_config = PMG::NodeConfig::get_acme_conf($node_config);
> +	raise("ACME domain list in configuration is missing!", 400)
> +	    if !$acme_config || !$acme_config->{domains}->%*;
> +
> +	$filter_domains->($acme_config, $type);
> +
> +	my $rpcenv = PMG::RESTEnvironment->get();
> +	my $authuser = $rpcenv->get_user();
> +
> +	my $realcmd = sub {
> +	    STDOUT->autoflush(1);
> +	    my $account = $acme_config->{account};
> +	    my $account_file = "${acme_account_dir}/${account}";
> +	    die "ACME account config file '$account' does not exist.\n"
> +		if ! -e $account_file;
> +
> +	    print "Loading ACME account details\n";
> +	    my $acme = PMG::RS::Acme->load($account_file);
> +
> +	    my ($cert, $key) = $order_certificate->($acme, $acme_config);
> +	    my $certificate = "$key\n$cert";
> +
> +	    update_cert($type, $cert_path, $certificate, $param->{force});
> +
> +	    if ($type eq 'smtp') {
> +		my $code = sub {
> +		    my $cfg = PMG::Config->new();
> +
> +		    print "Rewriting postfix config\n";
> +		    $cfg->set('mail', 'tls', 1);
> +		    if ($cfg->rewrite_config_postfix()) {
> +			print "Reloading postfix\n";
> +			PMG::Utils::service_cmd('postfix', 'reload');
> +		    }
> +		};
> +		PMG::Config::lock_config($code, "failed to reload postfix");
> +	    }
> +
> +	    die "$@\n" if $@;
> +	};
> +
> +	return $rpcenv->fork_worker("acmenewcert", undef, $authuser, $realcmd);
> +    }});
> +
> +__PACKAGE__->register_method ({
> +    name => 'renew_acme_cert',
> +    path => 'acme/{type}',
> +    method => 'PUT',
> +    permissions => { check => [ 'admin' ] },
> +    description => "Renew existing certificate from CA.",
> +    protected => 1,
> +    proxyto => 'node',
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    node => get_standard_option('pve-node'),
> +	    type => get_standard_option('pmg-certificate-type'),
> +	    force => {
> +		type => 'boolean',
> +		description => 'Force renewal even if expiry is more than 30 days away.',
> +		optional => 1,
> +		default => 0,
> +	    },
> +	},
> +    },
> +    returns => {
> +	type => 'string',
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $type = extract_param($param, 'type'); # also used to know which service to restart
> +	my $cert_path = PMG::CertHelpers::cert_path($type);
> +
> +	raise("No current (custom) certificate found, please order a new certificate!\n")
> +	    if ! -e $cert_path;
> +
> +	my $expires_soon = PVE::Certificate::check_expiry($cert_path, time() + 30*24*60*60);
> +	raise_param_exc({'force' => "Certificate does not expire within the next 30 days, and 'force' is not set."})
> +	    if !$expires_soon && !$param->{force};
> +
> +	my $node_config = PMG::NodeConfig::load_config();
> +	my $acme_config = PMG::NodeConfig::get_acme_conf($node_config);
> +	raise("ACME domain list in configuration is missing!", 400)
> +	    if !$acme_config || !$acme_config->{domains}->%*;
> +
> +	$filter_domains->($acme_config, $type);
> +
> +	my $rpcenv = PMG::RESTEnvironment->get();
> +	my $authuser = $rpcenv->get_user();
> +
> +	my $old_cert = PVE::Tools::file_get_contents($cert_path);
> +
> +	my $realcmd = sub {
> +	    STDOUT->autoflush(1);
> +	    my $account = $acme_config->{account};
> +	    my $account_file = "${acme_account_dir}/${account}";
> +	    die "ACME account config file '$account' does not exist.\n"
> +		if ! -e $account_file;
> +
> +	    print "Loading ACME account details\n";
> +	    my $acme = PMG::RS::Acme->load($account_file);
> +
> +	    my ($cert, $key) = $order_certificate->($acme, $acme_config);
> +	    my $certificate = "$key\n$cert";
> +
> +	    update_cert($type, $cert_path, $certificate, 1);
> +
> +	    if (defined($old_cert)) {
> +		print "Revoking old certificate\n";
> +		eval { $acme->revoke_certificate($old_cert, undef) };
> +		warn "Revoke request to CA failed: $@" if $@;
> +	    }
> +	};
> +
> +	return $rpcenv->fork_worker("acmerenew", undef, $authuser, $realcmd);
> +    }});
> +
> +__PACKAGE__->register_method ({
> +    name => 'revoke_acme_cert',
> +    path => 'acme/{type}',
> +    method => 'DELETE',
> +    permissions => { check => [ 'admin' ] },
> +    description => "Revoke existing certificate from CA.",
> +    protected => 1,
> +    proxyto => 'node',
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    node => get_standard_option('pve-node'),
> +	    type => get_standard_option('pmg-certificate-type'),
> +	},
> +    },
> +    returns => {
> +	type => 'string',
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $type = extract_param($param, 'type'); # also used to know which service to restart
> +	my $cert_path = PMG::CertHelpers::cert_path($type);
> +
> +	my $node_config = PMG::NodeConfig::load_config();
> +	my $acme_config = PMG::NodeConfig::get_acme_conf($node_config);
> +	raise("ACME domain list in configuration is missing!", 400)
> +	    if !$acme_config || !$acme_config->{domains}->%*;
> +
> +	$filter_domains->($acme_config, $type);
> +
> +	my $rpcenv = PMG::RESTEnvironment->get();
> +	my $authuser = $rpcenv->get_user();
> +
> +	my $cert = PVE::Tools::file_get_contents($cert_path);
> +	$cert = pem_certificate($cert)
> +	    or die "no certificate section found in '$cert_path'\n";
> +
> +	my $realcmd = sub {
> +	    STDOUT->autoflush(1);
> +	    my $account = $acme_config->{account};
> +	    my $account_file = "${acme_account_dir}/${account}";
> +	    die "ACME account config file '$account' does not exist.\n"
> +		if ! -e $account_file;
> +
> +	    print "Loading ACME account details\n";
> +	    my $acme = PMG::RS::Acme->load($account_file);
> +
> +	    print "Revoking old certificate\n";
> +	    eval { $acme->revoke_certificate($cert, undef) };
> +	    if (my $err = $@) {
> +		# is there a better check?
> +		die "Revoke request to CA failed: $err" if $err !~ /"Certificate is expired"/;
> +	    }
> +
> +	    my $code = sub {
> +		print "Deleting certificate files\n";
> +		unlink $cert_path;
> +
> +		# FIXME: Regenerate self-signed `api` certificate.
> +		restart_after_cert_update($type);
> +	    };
> +
> +	    PMG::CertHelpers::cert_lock(10, $code);
> +	    die "$@\n" if $@;
> +	};
> +
> +	return $rpcenv->fork_worker("acmerevoke", undef, $authuser, $realcmd);
> +    }});

what happens here with postfix?

> +
> +1;
> diff --git a/src/PMG/API2/Nodes.pm b/src/PMG/API2/Nodes.pm
> index c0f5963..b6f0cd5 100644
> --- a/src/PMG/API2/Nodes.pm
> +++ b/src/PMG/API2/Nodes.pm
> @@ -27,6 +27,7 @@ use PMG::API2::Postfix;
>   use PMG::API2::MailTracker;
>   use PMG::API2::Backup;
>   use PMG::API2::PBS::Job;
> +use PMG::API2::Certificates;
>   
>   use base qw(PVE::RESTHandler);
>   
> @@ -85,6 +86,11 @@ __PACKAGE__->register_method ({
>       path => 'pbs',
>   });
>   
> +__PACKAGE__->register_method ({
> +    subclass => "PMG::API2::Certificates",
> +    path => 'certificates',
> +});
> +
>   __PACKAGE__->register_method ({
>       name => 'index',
>       path => '',
> @@ -126,6 +132,7 @@ __PACKAGE__->register_method ({
>   	    { name => 'subscription' },
>   	    { name => 'termproxy' },
>   	    { name => 'rrddata' },
> +	    { name => 'certificates' },
>   	];
>   
>   	return $result;
> 




More information about the pmg-devel mailing list